For the Love of Jesus, please respond to this



ChrisLey
2010-07-20, 00:52
This is how it all started:

Now:

- Now I have a bunch of weird processes autostarting, which are
RAB82 Opened 3 times
wWy47R48 Opened 3 times

And galaxy.exe and mzrzrii.exe errors about a disk not being in the unit \Device\Harddisk1\DR3

AND NOW I run DDS and it only creates a DDS log, no attach

If it helps, I have already done that process before; I have an ERUNT backup from like 3 days ago, when it all started.

ChrisLey
2010-07-20, 00:53
DDS (Ver_10-03-17.01) - NTFSx86
Run by User at 17:40:18,06 on 19/07/2010
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Professional 5.1.2600.2.1252.34.3082.18.1983.1445 [GMT -5:00]

AV: ESET NOD32 Antivirus 4.0 *On-access scanning enabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}

============== Running Processes ===============

C:\WINDOWS\system32\savedump.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Archivos de programa\Archivos comunes\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Archivos de programa\Bonjour\mDNSResponder.exe
C:\Archivos de programa\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\User\Datos de programa\base64.exe
C:\Archivos de programa\ESET\ESET NOD32 Antivirus\egui.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Archivos de programa\iTunes\iTunesHelper.exe
C:\Archivos de programa\Adobe\Reader 9.0\Reader\Reader_sl.exe
C:\WINDOWS\ZSSnp211.exe
C:\WINDOWS\Domino.exe
C:\Archivos de programa\PowerISO\PWRISOVM.EXE
C:\Documents and Settings\User\Datos de programa\base64.exe
C:\Documents and Settings\User\Datos de programa\mzrzrii.exe
C:\DOCUME~1\User\CONFIG~1\Temp\explorer.exe
C:\Archivos de programa\iPod\bin\iPodService.exe
C:\Documents and Settings\User\Datos de programa\galaxy.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Documents and Settings\User\Configuración local\Datos de programa\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\User\Datos de programa\galaxy.exe
C:\Documents and Settings\User\Datos de programa\mzrzrii.exe
C:\Documents and Settings\User\Datos de programa\base64.exe
C:\Archivos de programa\KWorld Multimedia\TV Tuner Card Utilities\HMCP3XCtl.exe
C:\Archivos de programa\KWorld Multimedia\HyperMediaCenter\DTVR\Scheduled.exe
C:\Documents and Settings\User\Escritorio\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.hotmail.com/
uWindow Title = Windows Internet Explorer proporcionado por Windows uE
uDefault_Page_URL = hxxp://www.busca7.com
mDefault_Page_URL = hxxp://www.busca7.com
mStart Page = hxxp://www.busca7.com
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\archivos de programa\archivos comunes\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\archiv~1\spybot~1\SDHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\archiv~1\micros~4\office12\GRA8E1~1.DLL
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\archivos de programa\java\jre1.6.0_01\bin\ssv.dll
BHO: Windows Live Aplicación auxiliar de inicio de sesión: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\archivos de programa\archivos comunes\microsoft shared\windows live\WindowsLiveLogin.dll
uRun: [Windows Firewall] c:\documents and settings\user\datos de programa\lsass.exe
uRun: [base64] c:\documents and settings\user\datos de programa\base64.exe
uRun: [HKCU] c:\windows\system32\winlog\Winlogon.exe
uRun: [Developer Operations Network] c:\windows\system32\devon.exe
uRun: [Center Agent] c:\archivos de programa\kworld multimedia\hypermediacenter\dtvr\Scheduled.exe
mRun: [egui] "c:\archivos de programa\eset\eset nod32 antivirus\egui.exe" /hide /waitservice
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [QuickTime Task] "c:\archivos de programa\quicktime alternative\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\archivos de programa\itunes\iTunesHelper.exe"
mRun: [Adobe Reader Speed Launcher] "c:\archivos de programa\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\archivos de programa\archivos comunes\adobe\arm\1.0\AdobeARM.exe"
mRun: [ZSSnp211] c:\windows\ZSSnp211.exe
mRun: [Domino] c:\windows\Domino.exe
mRun: [PWRISOVM.EXE] c:\archivos de programa\poweriso\PWRISOVM.EXE
mRun: [HKLM] c:\windows\system32\winlog\Winlogon.exe
mRun: [Developer Operations Network] c:\windows\system32\devon.exe
mRun: [Microsoft Windows Hosting Service Login] c:\docume~1\user\config~1\temp\explorer.exe
mRun: [base64] c:\documents and settings\user\datos de programa\base64.exe
mRun: [Windefender] c:\windows\system32\Windefender.exe
mRun: [<NO NAME>] c:\documents and settings\user\datos de programa\mzrzrii.exe
mRun: [Windows Firewall] c:\documents and settings\user\datos de programa\lsass.exe
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRun: [Developer Operations Network] c:\windows\system32\devon.exe
dRun: [Windows Firewall] c:\documents and settings\user\datos de programa\lsass.exe
uExplorerRun: [Policies] c:\windows\system32\winlog\Winlogon.exe
mExplorerRun: [Policies] c:\windows\system32\winlog\Winlogon.exe
mExplorerRun: [base64] c:\documents and settings\user\datos de programa\base64.exe
StartupFolder: c:\docume~1\alluse~1\menini~1\progra~1\inicio\actual~1.lnk - c:\archivos de programa\eset\minodlogin\MiNODLogin.exe
StartupFolder: c:\docume~1\alluse~1\menini~1\progra~1\inicio\remote~1.lnk - c:\archivos de programa\kworld multimedia\tv tuner card utilities\HMCP3XCtl.exe
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xportar a Microsoft Excel - c:\archiv~1\micros~4\office12\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\archivos de programa\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\archiv~1\micros~4\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\archiv~1\micros~4\office12\REFIEBAR.DLL
IE: {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - {552781AF-37E4-4FEE-920A-CED9E648EADD} - c:\archivos de programa\archivos comunes\microsoft shared\encarta search bar\ENCSBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\archiv~1\spybot~1\SDHelper.dll
DPF: {140E4DF8-9E14-4A34-9577-C77561ED7883} - hxxp://content.systemrequirementslab.com.s3.amazonaws.com/global/bin/srldetect_cyri_4.1.71.0.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\archiv~1\micros~4\office12\GR99D3~1.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\archiv~1\micros~4\office12\GRA8E1~1.DLL
mASetup: {818O5M4S-FU40-1ODP-BW2L-A7BC6U488O2G} - c:\windows\system32\windir\svchost.exe Restart
mASetup: {F9ED98D6-E7AC-7CA6-FA0D-07FFAF8EE36D} - c:\documents and settings\user\datos de programa\base64.exe
mASetup: {XQ881J2H-07YA-WRBN-4P25-XN85W68VYEVT} - c:\windows\system32\winlog\Winlogon.exe
uASetup: {F9ED98D6-E7AC-7CA6-FA0D-07FFAF8EE36D} - c:\documents and settings\user\datos de programa\base64.exe
Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath -

============= SERVICES / DRIVERS ===============

R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [2009-3-19 107256]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [2009-3-19 93848]
R2 ekrn;ESET Service;c:\archivos de programa\eset\eset nod32 antivirus\ekrn.exe [2009-3-19 731840]
R3 3xHybrid;3xHybrid service;c:\windows\system32\drivers\3xHybrid.sys [2010-6-10 674048]
R3 vvftav211;vvftav211;c:\windows\system32\drivers\vvftav211.sys [2010-6-15 480128]
R3 ZSMC30x;USB PC Camera Service ZSMC30x;c:\windows\system32\drivers\ZS211.sys [2010-6-15 1472000]

=============== Created Last 30 ================

2010-07-19 22:08:54 61440 ----a-w- c:\documents and settings\user\ModdedWinSock.exe
2010-07-19 22:06:51 61440 ----a-w- c:\docume~1\user\datosd~1\ModdedWinSock.exe
2010-07-19 22:06:46 61440 --sh--r- c:\docume~1\user\datosd~1\lsass.exe
2010-07-19 22:06:44 102400 --sh--r- c:\docume~1\user\datosd~1\galaxy.exe
2010-07-19 22:06:33 61440 ----a-w- c:\windows\system32\ModdedWinSock.exe
2010-07-19 22:06:11 102400 ----a-w- c:\docume~1\user\datosd~1\mzrzrii.exe
2010-07-19 21:56:33 535040 ----a-w- c:\windows\system32\Windefender.exe
2010-07-19 21:02:35 1303 ----a-w- c:\docume~1\user\datosd~1\data.dat
2010-07-19 21:01:57 458752 ----a-w- c:\docume~1\user\datosd~1\base64.exe
2010-07-19 20:41:47 3584 ----a-w- c:\docume~1\user\datosd~1\Application Updater.exe
2010-07-19 20:41:45 347144 ---h--w- c:\docume~1\user\datosd~1\1279572044.exe
2010-07-19 16:20:55 262144 ----a-w- c:\docume~1\user\datosd~1\llhcmyv.exe
2010-07-19 16:10:29 262144 ----a-w- c:\windows\system32\devon.exe
2010-07-18 02:25:42 0 d-----w- c:\archivos de programa\Cheating-Death
2010-07-18 02:23:32 0 d-----w- c:\archivos de programa\Counter-Strike 1.6
2010-07-18 02:20:48 0 d-----w- c:\docume~1\user\datosd~1\Xfire
2010-07-18 02:20:44 0 d-----w- c:\archivos de programa\Xfire
2010-07-15 22:38:14 0 d-----w- c:\archivos de programa\Safer Networking
2010-07-15 22:05:21 0 d-----w- c:\docume~1\alluse~1\datosd~1\Spybot - Search & Destroy
2010-07-15 22:05:21 0 d-----w- c:\archivos de programa\Spybot - Search & Destroy
2010-07-15 21:55:47 117760 --sh--r- C:\biriprg.exe
2010-07-14 23:09:09 333288 ----a-w- c:\docume~1\user\datosd~1\SQLite3.dll
2010-07-13 15:08:45 116224 --sh--r- C:\i8gcgmg.exe
2010-07-12 17:50:14 116736 --sh--r- C:\r3x0k.exe
2010-07-10 03:32:51 0 d-----w- c:\docume~1\user\datosd~1\BitTorrent
2010-07-10 03:32:47 0 d-----w- c:\archivos de programa\BitTorrent
2010-07-09 19:00:32 41872 ----a-w- c:\windows\system32\xfcodec.dll
2010-07-09 14:17:10 116224 --sh--r- C:\ggb6w.exe
2010-07-06 15:16:11 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-07-06 15:09:51 117248 --sh--r- C:\x3xh.exe
2010-07-03 17:34:49 0 d-----w- c:\archivos de programa\PowerISO
2010-07-03 17:24:01 0 d-----w- c:\archivos de programa\Tansee iPod Transfer
2010-07-03 13:25:57 117248 --sh--r- C:\g6jk.exe
2010-07-03 03:41:10 0 d-----w- c:\archivos de programa\SystemRequirementsLab
2010-07-03 03:14:28 0 d-----w- c:\archivos de programa\Steam
2010-06-24 21:44:04 0 d-----w- c:\archivos de programa\Bandoo
2010-06-23 16:13:41 117248 --sh--r- C:\eyruu.exe

==================== Find3M ====================

2010-07-19 22:39:43 1166557 ---ha-w- c:\docume~1\user\datosd~1\logs.dat
2010-07-19 22:28:37 7399 ---ha-w- c:\docume~1\user\datosd~1\Userlog.dat
2010-06-22 15:41:48 117248 --sh--r- C:\09lf.exe
2010-06-18 03:47:40 77520 ----a-w- c:\windows\system32\perfc00A.dat
2010-06-18 03:47:40 456588 ----a-w- c:\windows\system32\perfh00A.dat
2010-06-17 20:50:22 115712 --sh--r- C:\1gkbvsni.exe
2010-06-16 20:24:11 116224 --sh--r- C:\xcr.exe
2010-06-16 01:52:32 114688 --sh--r- C:\krwyrv0d.exe
2010-06-10 18:33:07 315392 ----a-w- c:\windows\HideWin.exe
2010-06-10 13:36:12 64695 ----a-w- c:\windows\BricoPackUninst.cmd
2010-06-10 13:36:12 5997 ----a-w- c:\windows\BricoPackFoldersDelete.cmd
2010-06-10 13:36:12 220160 ----a-w- c:\windows\system32\uxtheme.dll
2010-06-10 04:12:40 505128 ----a-w- c:\windows\system32\msvcp71.dll
2010-06-10 04:12:40 353576 ----a-w- c:\windows\system32\msvcr71.dll
2010-06-10 04:12:40 29480 ----a-w- c:\windows\system32\msxml3a.dll
2010-06-10 03:45:07 21900 ----a-w- c:\windows\system32\emptyregdb.dat
2010-06-03 02:41:44 3600384 ----a-w- c:\windows\system32\GPhotos.scr
2005-09-20 12:44:14 354429 --sh--r- c:\windows\system32\winlog\Winlogon.exe

============= FINISH: 17:40:34,56 ===============

NO ATTACH

ChrisLey
2010-07-20, 00:54
SORRY FOR THE TRIPLE POST
:( seriously
I thought I had pasted the link

This is how it all started: http://forums.spybot.info/showthread.php?t=58579

tashi
2010-07-20, 02:49
Hello ChrisLey,

Open topic: http://forums.spybot.info/showthread.php?t=58579


Please do not start more than one topic for the same computer during the same period. It will either be removed, closed or merged with your original thread. "BEFORE you POST" (READ this Procedure BEFORE Requesting Assistance) (http://forums.spybot.info/showthread.php?t=288)

A newer infection is taking longer to analyze and remove; add that equation to this forum having received a high volume of requests for assistance, well, you get the picture. :)

Waiting for help in the Malware Forum FOUR days or longer? (http://forums.spybot.info/showthread.php?t=1137)

Please don't post there until four days have passed. ;)

Best regards.