
Thread: Virtumonde but different dll?

  1. #1
    Junior Member
    Join Date: Aug 2007
    Posts: 13

    Virtumonde but different dll?

    Hi, Spybot has detected Virtumonde in a DLL named mmfipc.dll.

    I've looked for this DLL around the forums but found nothing. I tried VundoFix.exe, but I don't know if I should look for this DLL.

    How did I get infected? I usually use Firefox, but it shows me adware when I open Internet Explorer.

    Thanks.

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 0:50:34, on 6/8/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Archivos de programa\Cisco Systems\VPN Client\cvpnd.exe
    C:\Archivos de programa\AVC Finger-sensing Pad Driver\FspadSvr.exe
    C:\Tivoli\lcf\bin\w32-ix86\mrt\lcfd.exe
    C:\Archivos de programa\Network Associates\Common Framework\FrameworkService.exe
    C:\Archivos de programa\Network Associates\VirusScan\Mcshield.exe
    C:\Archivos de programa\Network Associates\VirusScan\VsTskMgr.exe
    C:\Archivos de programa\Archivos comunes\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\system32\nutsrv4.exe
    C:\oracle\ora92\bin\omtsreco.exe
    C:\WINDOWS\ProPatches\Scheduler\stSchedEx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Archivos de programa\Picasa2\PicasaMediaDetector.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Archivos de programa\VirtuaWin\VirtuaWin.exe
    C:\Archivos de programa\VirtuaWin\modules\VWAssigner.exe
    C:\Archivos de programa\VirtuaWin\modules\WinList.exe
    C:\Archivos de programa\Mozilla Firefox\firefox.exe
    C:\Archivos de programa\Network Associates\Common Framework\UdaterUI.exe
    C:\Archivos de programa\Network Associates\Common Framework\McTray.exe
    C:\Program Files\OverDisk\OverDisk.exe
    C:\Archivos de programa\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer =
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
    O1 - Hosts: 128.92.1.2 ETHNODO2 ethnodo2
    O1 - Hosts: 128.92.1.3 ETHNODO3 ethnodo3
    O1 - Hosts: 128.92.1.4 ETHNODO4 ethnodo4
    O1 - Hosts: 128.92.1.5 ETHNODO5 ethnodo5
    O1 - Hosts: 128.92.1.6 ETHNODO6 ethnodo6
    O1 - Hosts: 128.92.1.7 ETHNODO7 ethnodo7
    O1 - Hosts: 128.92.1.8 ETHNODO8 ethnodo8
    O1 - Hosts: 128.93.1.2 SWNODO2 swnodo2
    O1 - Hosts: 128.93.1.3 SWNODO3 swnodo3
    O1 - Hosts: 128.93.1.4 SWNODO4 swnodo4
    O1 - Hosts: 128.93.1.6 SWNODO6 swnodo6
    O1 - Hosts: 128.93.1.7 SWNODO7 swnodo7
    O1 - Hosts: 128.93.1.8 SWNODO8 swnodo8
    O1 - Hosts: 128.93.1.15 SWNODO15 swnodo15
    O1 - Hosts: 128.90.0.34 ORAREMEDY oraremedy
    O1 - Hosts: 128.90.0.208 INTRANET.IECI.ES intranet.ieci.es
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Archivos de programa\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Archivos de programa\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: WebAssist - {85589B5D-D53D-4237-A677-46B82EA275F3} - C:\WINDOWS\WebAssist.dll
    O2 - BHO: (no name) - {C6039E6C-BDE9-4de5-BB40-768CAA584FDC} - C:\WINDOWS\system32\tmp98.tmp.dll
    O2 - BHO: (no name) - {f0d0997d-3408-4a39-ab92-f5c4b58895ab} - C:\WINDOWS\system32\mmfipc.dll
    O4 - HKLM\..\Run: [NuTCSetupEnviron] C:\Archivos de programa\Rational\Rational Test\nutcroot\bin\ncoeenv.exe
    O4 - HKLM\..\Run: [CCDoctorLogonTesting] "c:\Atria\bin\ccdoctor.exe" /LogonStartup
    O4 - HKLM\..\Run: [Picasa Media Detector] C:\Archivos de programa\Picasa2\PicasaMediaDetector.exe
    O4 - HKLM\..\Run: [SystemOptimizer] rundll32.exe "C:\WINDOWS\vttrrs.dll",forkonce
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICIO LOCAL')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Servicio de red')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'Default user')
    O4 - Global Startup: VirtuaWin.lnk = C:\Archivos de programa\VirtuaWin\VirtuaWin.exe
    O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\ARCHIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\mmfipc.dll
    O9 - Extra 'Tools' menuitem: Consola de Sun Java - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\mmfipc.dll
    O9 - Extra button: Referencia - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARCHIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
    O16 - DPF: {4A3CBDDD-C4DC-4C38-B44F-704DAEF628AE} (PjAdoInfo3 Class) - http://10.228.137.37/projectserver/objects/pjclient.cab
    O16 - DPF: {759FD3DE-F0EF-4A76-909C-88CF840D4173} (DmDragDrop Class) - http://localhost:9090/dco/wdk/native/WdkPluginCab.CAB
    O16 - DPF: {89B8153D-C170-41D7-BB4B-CD4D63FE900C} (Pj11esnC Class) - http://10.228.137.37/projectserver/o...82/pjcintl.cab
    O16 - DPF: {B1B47DEB-76C1-4701-9F19-5671101C3344} (PictureSelect.Selector) - http://www.revelaonline.com/class/Re...ureManager.cab
    O16 - DPF: {B785FA3C-1DE9-4D20-8396-613C486FE95E} (AeatCtl Class) - https://www1.aeat.es/imagenes/comun/cactivex.cab
    O16 - DPF: {BA2174B0-C012-11DA-A94D-0800200C9A66} (DmDragDrop Class) - http://documentum:1975/dco/wdk/native/WdkPluginCab.CAB
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = grupoeci.elcorteingles.corp
    O17 - HKLM\Software\..\Telephony: DomainName = grupoeci.elcorteingles.corp
    O17 - HKLM\System\CCS\Services\Tcpip\..\{3787471A-6F44-475F-B1D8-B928E127E071}: NameServer = 192.168.50.170,192.168.50.171
    O17 - HKLM\System\CCS\Services\Tcpip\..\{5AC9E483-93DE-45C2-BE3B-733BD13A2191}: NameServer = 80.58.61.250,80.58.61.254
    O17 - HKLM\System\CCS\Services\Tcpip\..\{EA032721-3D92-4450-8B90-A77BAD0D7744}: NameServer = 128.90.0.203,128.90.0.204
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = grupoeci.elcorteingles.corp
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = geci,eci.geci,ieci.geci
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = grupoeci.elcorteingles.corp
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = geci,eci.geci,ieci.geci
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = geci,eci.geci,ieci.geci
    O20 - AppInit_DLLs: c:\windows\system32\ddcyxut.dll
    O20 - Winlogon Notify: mmfipc - C:\WINDOWS\SYSTEM32\mmfipc.dll
    O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Archivos de programa\Ares\chatServer.exe
    O23 - Service: IBM CICS Universal Client (CICSClient) - IBM Corporation - C:\Archivos de programa\IBM\IBM CICS Transaction Gateway\bin\cclserv.exe
    O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Archivos de programa\Cisco Systems\VPN Client\cvpnd.exe
    O23 - Service: Servidor de applet JDBC de DB2 (DB2JDS) - International Business Machines Corporation - C:\Archivos de programa\IBM\SQLLIB\BIN\db2jds.exe
    O23 - Service: Servidor de seguridad DB2 (DB2NTSECSERVER) - International Business Machines Corporation - C:\Archivos de programa\IBM\SQLLIB\BIN\db2sec.exe
    O23 - Service: FspadSvc - Unknown owner - C:\Archivos de programa\AVC Finger-sensing Pad Driver\FspadSvr.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Archivos de programa\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: IBM CICS Transaction Gateway (IBMCICSTransactionGateway) - IBM Corporation - C:\Archivos de programa\IBM\IBM CICS Transaction Gateway\bin\CTGSERVICE.EXE
    O23 - Service: Servicio del iPod (iPod Service) - Apple Inc. - C:\Archivos de programa\iPod\bin\iPodService.exe
    O23 - Service: Tivoli Endpoint (lcfd) - Unknown owner - C:\Tivoli\lcf\bin\w32-ix86\mrt\lcfd.exe
    O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Archivos de programa\Network Associates\Common Framework\FrameworkService.exe
    O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Archivos de programa\Network Associates\VirusScan\Mcshield.exe
    O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Archivos de programa\Network Associates\VirusScan\VsTskMgr.exe
    O23 - Service: NetOp Helper ver. 7.65 (2004342) (NetOp Host for NT Service) - Danware Data A/S - C:\Archivos de programa\NetOp Remote Control\HOST\NHOSTSVC.EXE
    O23 - Service: NuTCRACKERService - DataFocus, Inc. - C:\WINDOWS\system32\nutsrv4.exe
    O23 - Service: OracleMTSRecoveryService - Oracle Corporation - C:\oracle\ora92\bin\omtsreco.exe
    O23 - Service: OracleOraHome92ClientCache - Unknown owner - C:\oracle\ora92\BIN\ONRSD.EXE
    O23 - Service: ServiceLayer - Nokia. - C:\Archivos de programa\PC Connectivity Solution\ServiceLayer.exe
    O23 - Service: Shavlik Remote Scheduler Service (Shavlik Scheduler) - Shavlik Technologies - C:\WINDOWS\ProPatches\Scheduler\stSchedEx.exe
    O23 - Service: Apache Tomcat (Tomcat5) - Apache Software Foundation - C:\Tomcat 5.0\bin\tomcat5.exe

    --
    End of file - 9277 bytes
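    The log above references the same file, mmfipc.dll, from three different loading points: an O2 browser helper object, two O9 Internet Explorer buttons and an O20 Winlogon Notify entry, the last one written with SYSTEM32 in upper case. A defender triaging such a log usually wants that view first: which files are loaded, from how many places, and whether any of those places belong to the high-impact O20 class (AppInit_DLLs and Winlogon Notify, which load a DLL into many or privileged processes). The script below is an added example for this thread, not code from HijackThis or from any poster; it parses HijackThis entry lines, normalises the file paths so case differences collapse, and flags files hooked from more than one category or from O20. The sample lines are copied from the log in this post.

```python
"""Triage helper for HijackThis-style logs: group autostart entries by the file they load.

Added example for this thread; not part of HijackThis or of the original posts.
"""
import re
from collections import defaultdict

# Subset of lines copied from the HijackThis log in post #1 of this thread.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Archivos de programa\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {C6039E6C-BDE9-4de5-BB40-768CAA584FDC} - C:\WINDOWS\system32\tmp98.tmp.dll
O2 - BHO: (no name) - {f0d0997d-3408-4a39-ab92-f5c4b58895ab} - C:\WINDOWS\system32\mmfipc.dll
O4 - HKLM\..\Run: [SystemOptimizer] rundll32.exe "C:\WINDOWS\vttrrs.dll",forkonce
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\mmfipc.dll
O9 - Extra 'Tools' menuitem: Consola de Sun Java - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\mmfipc.dll
O20 - AppInit_DLLs: c:\windows\system32\ddcyxut.dll
O20 - Winlogon Notify: mmfipc - C:\WINDOWS\SYSTEM32\mmfipc.dll
"""

# "O2 - BHO: ..." or "R0 - HKCU\...,Start Page = ...": entry code, entry type, then the detail.
ENTRY_RE = re.compile(
    r"^(?P<code>[OR]\d+)\s+-\s+(?P<type>[^:]+?)(?::\s+|\s*=\s*)(?P<detail>.*)$"
)
# A drive-letter path ending in a loadable module; non-greedy so the spaces in
# "Archivos de programa" survive and the match stops at the first .dll/.exe/.sys.
PATH_RE = re.compile(r"[A-Za-z]:\\.+?\.(?:dll|exe|sys)\b", re.IGNORECASE)

# Loading points that put a DLL into many or privileged processes
# (AppInit_DLLs, Winlogon Notify). One hit here is worth a look on its own.
HIGH_IMPACT_CODES = {"O20"}


def parse_entries(log_text):
    """Return (code, type, detail, [lower-cased paths]) for every HijackThis entry line."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue  # header lines, the running-process list, blanks
        paths = [p.lower() for p in PATH_RE.findall(m.group("detail"))]
        entries.append((m.group("code"), m.group("type"), m.group("detail"), paths))
    return entries


def loading_points_by_file(log_text):
    """Map each normalised file path to the set of 'code:type' loading points that reference it."""
    by_file = defaultdict(set)
    for code, etype, _detail, paths in parse_entries(log_text):
        for path in paths:
            by_file[path].add(f"{code}:{etype}")
    return dict(by_file)


def suspicious_files(log_text):
    """Files hooked from more than one entry category, or from a high-impact category."""
    flagged = {}
    for path, points in loading_points_by_file(log_text).items():
        codes = {point.split(":", 1)[0] for point in points}
        if len(codes) > 1 or codes & HIGH_IMPACT_CODES:
            flagged[path] = sorted(points)
    return flagged


if __name__ == "__main__":
    for path, points in sorted(suspicious_files(SAMPLE_LOG).items()):
        print(path)
        for point in points:
            print("    ", point)
```

    On the sample, mmfipc.dll is reported with four loading points across O2, O9 and O20, and ddcyxut.dll is reported on the strength of its AppInit_DLLs entry alone. The Run entry that loads C:\WINDOWS\vttrrs.dll through rundll32.exe is not flagged by this view, because it appears only once; the ComboFix report in post #3 lists that file among the recently created ones, which is why a grouped view like this is a starting point for reading a log rather than a verdict.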

  2. #2
    Security Expert: Emeritus
    Join Date: Oct 2006
    Location: Finland
    Posts: 29,374

    Hi charlye28,

    1. Download ComboFix from one of these links:
    Link1
    Link2
    2. Double-click combofix.exe and follow the prompts.
    3. When finished, it shall produce a log for you. Post that log in your next reply.

    Note:
    Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

    Post:

    - a fresh HijackThis log
    - the ComboFix report
    - the VundoFix report (if available)
    Microsoft MVP Consumer Security 2008-2011

    Member of ASAP and UNITE since 2006

  3. #3
    Junior Member
    Join Date: Aug 2007
    Posts: 13

    Thank you very much

    Here's the ComboFix log. I'll post the HijackThis log in the next post.

    ComboFix 07-08-04.3 - "65555955" 2007-08-06 12:30:24.1 [GMT 2:00] - NTFS
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.3082.18.Verdadero
    * Created a new restore point


    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


    C:\DOCUME~1\655559~1.GRU\DATOSD~1\tmp94.tmp.exe
    C:\DOCUME~1\655559~1.GRU\DATOSD~1\tmp98.tmp.exe
    C:\WINDOWS\hosts
    C:\WINDOWS\system32\dnb42d4d23.dat
    C:\WINDOWS\system32\mmfipc.dll
    C:\WINDOWS\system32\tmp98.tmp.dll
    C:\WINDOWS\xhelper.dll


    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


    -------\LEGACY_DOMAINSERVICE


    ((((((((((((((((((((((((( Files Created from 2007-07-06 to 2007-08-06 )))))))))))))))))))))))))))))))


    2007-08-06 12:41 92,687 --a------ C:\WINDOWS\system32\C_2XEC.dll
    2007-08-06 12:41 18 --a------ C:\WINDOWS\system32\dnb42d4d23.dat
    2007-08-06 12:41 105,468 --a------ C:\WINDOWS\system32\sstts.exe
    2007-08-06 12:28 51,200 --a------ C:\WINDOWS\nircmd.exe
    2007-08-06 00:21 <DIR> d-------- C:\VundoFix Backups
    2007-08-06 00:01 <DIR> d-------- C:\Archivos de programa\Trend Micro
    2007-08-05 22:45 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\DATOSD~1\Spybot - Search & Destroy
    2007-08-05 22:18 131,433 --a------ C:\WINDOWS\vttrrs.dll
    2007-08-05 22:13 13,380 --a------ C:\WINDOWS\system32\ddcyxut.dll
    2007-08-05 22:02 25,664 --a------ C:\WINDOWS\system32\1a5WEXsH.exe
    2007-08-04 12:00 84,992 --a------ C:\WINDOWS\WebAssist.dll
    2007-07-17 13:59 65,536 --a------ C:\DOCUME~1\655559~1.GRU\DwRegistry0.dll
    2007-07-11 13:36 <DIR> d-------- C:\Archivos de programa\Windows Environment Variable Editor (WEVE) 1.5
    2007-07-08 15:40 <DIR> d-------- C:\DOCUME~1\655559~1.GRU\Phone Browser
    2007-07-08 15:39 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\DATOSD~1\PC Suite
    2007-07-08 15:32 <DIR> d-------- C:\DOCUME~1\655559~1.GRU\DATOSD~1\Nokia
    2007-07-08 15:31 90,624 --a------ C:\WINDOWS\system32\nmwcdcls.dll
    2007-07-08 15:31 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
    2007-07-08 15:31 <DIR> d-------- C:\DOCUME~1\655559~1.GRU\DATOSD~1\PC Suite
    2007-07-08 15:31 <DIR> d-------- C:\Archivos de programa\PC Connectivity Solution
    2007-07-08 15:31 <DIR> d-------- C:\Archivos de programa\DIFX
    2007-07-08 15:30 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\DATOSD~1\Installations
    2007-07-06 15:36 <DIR> d-------- C:\DOCUME~1\655559~1.GRU\DATOSD~1\TVU Networks
    2007-07-06 15:36 <DIR> d-------- C:\Archivos de programa\TVUPlayer


    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

    2007-08-05 22:02 --------- d-------- C:\Archivos de programa\Picasa2
    2007-07-03 23:08 --------- d-------- C:\DOCUME~1\655559~1.GRU\DATOSD~1\Skype
    2007-07-02 23:38 --------- d-------- C:\DOCUME~1\655559~1.GRU\DATOSD~1\PDFcreator
    2007-07-02 12:46 --------- d-------- C:\Archivos de programa\UltraEdit
    2007-06-28 19:26 --------- d-------- C:\DOCUME~1\655559~1.GRU\DATOSD~1\vlc
    2007-06-27 20:34 --------- d-------- C:\DOCUME~1\655559~1.GRU\DATOSD~1\Apple Computer
    2007-06-27 12:48 --------- d-------- C:\DOCUME~1\655559~1.GRU\DATOSD~1\AdobeUM
    2007-06-26 21:32 --------- d-------- C:\DOCUME~1\655559~1.GRU\DATOSD~1\Ahead
    2007-06-22 16:04 --------- d-------- C:\DOCUME~1\655559~1.GRU\DATOSD~1\Help
    2007-06-22 16:02 --------- d-------- C:\DOCUME~1\655559~1.GRU\DATOSD~1\Rational
    2007-06-22 15:51 --------- d-------- C:\Archivos de programa\Rational
    2007-06-22 15:16 --------- d-------- C:\Archivos de programa\IBM
    2007-06-22 09:40 --------- d-------- C:\Archivos de programa\Archivos comunes\IBM
    2007-06-21 16:31 --------- d-------- C:\DOCUME~1\655559~1.GRU\DATOSD~1\VirtuaWin
    2007-06-18 16:47 --------- d-------- C:\Archivos de programa\7-Zip
    2007-06-15 17:48 659 --ah----- C:\os642656.bin
    2007-06-15 12:41 --------- d--h----- C:\Archivos de programa\InstallShield Installation Information
    2007-06-15 12:40 --------- d-------- C:\Archivos de programa\Archivos comunes\Vbox
    2007-06-14 10:33 --------- d-------- C:\Archivos de programa\Network Associates
    2007-06-12 11:25 --------- d-------- C:\Archivos de programa\VirtuaWin
    2007-06-10 01:53 --------- d-------- C:\Archivos de programa\VideoLAN
    2007-06-08 16:15 --------- d-------- C:\Archivos de programa\Ares
    2007-06-08 13:01 --------- d-------- C:\DOCUME~1\655559~1.GRU\DATOSD~1\Talkback
    2007-06-08 12:46 7012 --------- C:\WINDOWS\system32\drivers\PMEMNT.SYS
    2007-06-08 12:42 --------- d-------- C:\Archivos de programa\Archivos comunes\Tivoli
    2007-06-07 12:07 --------- d-------- C:\Archivos de programa\Winamp
    2007-06-07 10:47 --------- d-------- C:\Archivos de programa\Archivos comunes\Real
    2007-06-01 16:21 14597 --a--c--- C:\WINDOWS\mozver.dat
    2005-05-13 16:12:00 217,073 -csha-r C:\WINDOWS\meta4.exe
    2005-10-24 10:13:58 66,560 -csha-r C:\WINDOWS\MOTA113.exe
    2005-10-13 20:27:00 422,400 -csha-r C:\WINDOWS\x2.64.exe
    2005-07-14 11:31:20 27,648 -csha-r C:\WINDOWS\system32\AVSredirect.dll
    2006-12-07 11:12:16 56 -csh--r C:\WINDOWS\system32\C5B453062B.sys
    2005-06-26 14:32:28 616,448 -csha-r C:\WINDOWS\system32\cygwin1.dll
    2005-06-21 21:37:42 45,568 -csha-r C:\WINDOWS\system32\cygz.dll
    2004-01-24 23:00:00 70,656 --sha-r C:\WINDOWS\system32\i420vfw.dll
    2006-12-07 11:12:16 1,890 -csha-w C:\WINDOWS\system32\KGyGaAvL.sys
    2006-04-27 09:24:24 2,945,024 -csha-r C:\WINDOWS\system32\Smab.dll
    2005-02-28 12:16:22 240,128 -csha-r C:\WINDOWS\system32\x.264.exe
    2004-01-24 23:00:00 70,656 --sha-r C:\WINDOWS\system32\yv12vfw.dll


    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


    *Note* empty entries & legit default entries are not shown

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{85589B5D-D53D-4237-A677-46B82EA275F3}]
    2007-08-04 12:00 84992 --a------ C:\WINDOWS\WebAssist.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NuTCSetupEnviron"="C:\Archivos de programa\Rational\Rational Test\nutcroot\bin\ncoeenv.exe" [2002-04-25 16:13]
    "CCDoctorLogonTesting"="c:\Atria\bin\ccdoctor.exe" [2001-09-25 03:44]
    "Picasa Media Detector"="C:\Archivos de programa\Picasa2\PicasaMediaDetector.exe" [2007-08-05 22:36]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-20 14:00]

    C:\Documents and Settings\All Users\Menú Inicio\Programas\Inicio\
    VirtuaWin.lnk - C:\Archivos de programa\VirtuaWin\VirtuaWin.exe [2007-06-12 11:25:09]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "RunStartupScriptSync"=0 (0x0)
    "MaxGPOScriptWait"=300 (0x12c)

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
    "NoDispAppearancePage"=0 (0x0)
    "NoDispSettingsPage"=0 (0x0)
    "NoDispCPL"=0 (0x0)
    "NoDispBackgroundPage"=1 (0x1)
    "NoDispScrSavPage"=1 (0x1)
    "WallpaperStyle"=2

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "NoSimpleStartMenu"=1 (0x1)
    "NoDesktopCleanupWizard"=1 (0x1)
    "NoActiveDesktopChanges"=1 (0x1)

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\C_2XEC]
    C_2XEC.dll 2007-08-06 12:41 92687 C:\WINDOWS\system32\C_2XEC.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "appinit_dlls"=c:\windows\system32\ddcyxut.dll

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    "Authentication Packages"= msv1_0 TivoliAP

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\0\0]
    "Script"=GPO_Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\1\0]
    "Script"=\\grupoeci.elcorteingles.corp\SysVol\grupoeci.elcorteingles.corp\scripts\Configuracion\PROC\Politicas.cmd

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\2\0]
    "Script"=\\grupoeci.elcorteingles.corp\SysVol\grupoeci.elcorteingles.corp\scripts\Configuracion\PROC\Politicas.cmd

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menú Inicio^Programas^Inicio^Adobe Gamma Loader.lnk]
    path=C:\Documents and Settings\All Users\Menú Inicio\Programas\Inicio\Adobe Gamma Loader.lnk
    backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menú Inicio^Programas^Inicio^Notes Minder.lnk]
    path=C:\Documents and Settings\All Users\Menú Inicio\Programas\Inicio\Notes Minder.lnk
    backup=C:\WINDOWS\pss\Notes Minder.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menú Inicio^Programas^Inicio^VirtuaWin.lnk]
    path=C:\Documents and Settings\All Users\Menú Inicio\Programas\Inicio\VirtuaWin.lnk
    backup=C:\WINDOWS\pss\VirtuaWin.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menú Inicio^Programas^Inicio^WinZip Quick Pick.lnk]
    path=C:\Documents and Settings\All Users\Menú Inicio\Programas\Inicio\WinZip Quick Pick.lnk
    backup=C:\WINDOWS\pss\WinZip Quick Pick.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CplBCL50]
    C:\Archivos de programa\EzButton\CplBCL50.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
    C:\WINDOWS\system32\hkcmd.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
    C:\WINDOWS\system32\igfxtray.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    "C:\Archivos de programa\iTunes\iTunesHelper.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\McAfeeUpdaterUI]
    "C:\Archivos de programa\Network Associates\Common Framework\UdaterUI.exe" /StartedFromRunKey

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Network Associates Error Reporting Service]
    "C:\Archivos de programa\Archivos comunes\Network Associates\TalkBack\TBMon.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    "C:\Archivos de programa\QuickTime\qttask.exe" -atboottime

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Rainlendar2]
    G:\Rainlendar2\Rainlendar2.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RAMpage]
    "C:\Archivos de programa\RAMpage\RAMpage.exe" M=28 T=24 LG P="C:\Archivos de programa\RAMpage\RAMpageConfig.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ShStatEXE]
    "C:\Archivos de programa\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
    SOUNDMAN.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    "C:\Archivos de programa\Java\j2re1.4.2_12\bin\jusched.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
    "C:\Archivos de programa\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1

    R0 ENECBPTH;ENE Cardbus Patch Driver;C:\WINDOWS\system32\drivers\ENECBPTH.sys
    R1 NaiAvTdi1;NaiAvTdi1;C:\WINDOWS\system32\drivers\mvstdi5x.sys
    R1 NHostNT1;NetOp Driver 1 ver. 7.65 (2004342);C:\WINDOWS\system32\Drivers\NHOSTNT1.SYS
    R1 PQNTDrv;PQNTDrv;C:\WINDOWS\system32\drivers\PQNTDrv.sys
    R1 Tcpip6;Controlador de protocolo IPv6 de Microsoft;C:\WINDOWS\system32\DRIVERS\tcpip6.sys
    R2 6to4;Servicio de ayuda de IPv6;C:\WINDOWS\system32\svchost.exe -k netsvcs
    R2 CVPND;Cisco Systems, Inc. VPN Service;"C:\Archivos de programa\Cisco Systems\VPN Client\cvpnd.exe"
    R2 CVPNDRVA;Cisco Systems Inc. IPSec Driver;\??\C:\WINDOWS\system32\Drivers\CVPNDRVA.sys
    R2 FspadSvc;FspadSvc;C:\Archivos de programa\AVC Finger-sensing Pad Driver\FspadSvr.exe
    R2 lcfd;Tivoli Endpoint;"C:\Tivoli\lcf\bin\w32-ix86\mrt\lcfd.exe"
    R2 NetOp Host for NT Service;NetOp Helper ver. 7.65 (2004342);"C:\Archivos de programa\NetOp Remote Control\HOST\NHOSTSVC.EXE"
    R2 NuTCRACKERService;NuTCRACKERService;C:\WINDOWS\system32\nutsrv4.exe
    R2 PMEM;PMEM;\??\C:\WINDOWS\system32\drivers\PMEMNT.SYS
    R2 Shavlik Scheduler;Shavlik Remote Scheduler Service;C:\WINDOWS\ProPatches\Scheduler\stSchedEx.exe /Service
    R3 DNE;Deterministic Network Enhancer Miniport;C:\WINDOWS\system32\DRIVERS\dne2000.sys
    R3 EMSCR;EMSCR;C:\WINDOWS\system32\DRIVERS\EMS7SK.sys
    R3 ESDCR;ESDCR;C:\WINDOWS\system32\DRIVERS\ESD7SK.sys
    R3 fspad;AVC Finger-sensing Pad Driver for Windows 2000/XP;C:\WINDOWS\system32\DRIVERS\fspad.sys
    R3 NHOSTNT3;NetOp Driver 3 ver. 7.65 (2004342) (NHOSTNT3);C:\WINDOWS\system32\Drivers\NHOSTNT3.SYS
    R3 RTL8023xp;Realtek RTL8139/810x/8169/8110 all in one NDIS XP Driver;C:\WINDOWS\system32\DRIVERS\Rtlnicxp.sys
    R3 tunmp;Controlador de adaptador de minipuerto Tun de Microsoft;C:\WINDOWS\system32\DRIVERS\tunmp.sys
    R3 vsbus;Virtual Serial Bus Enumerator;C:\WINDOWS\system32\DRIVERS\vsb.sys
    R3 w29n51;Controlador de la Conexión de red Intel(R) PRO/Wireless 2200BG para Windows XP;C:\WINDOWS\system32\DRIVERS\w29n51.sys
    S2 BTSLBCSP;Bluetooth Port Client Driver;\??\C:\WINDOWS\system32\drivers\btslbcsp.sys
    S3 actser;actser;C:\WINDOWS\system32\drivers\actser.sys
    S3 CVirtA;Cisco Systems VPN Adapter;C:\WINDOWS\system32\DRIVERS\CVirtA.sys
    S3 DKbFltr;Dritek HotKey Keyboard Filter Driver;C:\WINDOWS\system32\Drivers\DKbFltr.sys
    S3 MSIRCOMM;Microsoft IR Communications Driver;C:\WINDOWS\system32\DRIVERS\MSIRCOMM.sys
    S3 OracleOraHome92ClientCache;OracleOraHome92ClientCache;C:\oracle\ora92\BIN\ONRSD.EXE
    S3 p2pgasvc;Autenticación de grupo de redes de mismo nivel;C:\WINDOWS\system32\svchost.exe -k p2psvc
    S3 p2pimsvc;Administrador de identidad de redes de mismo nivel;C:\WINDOWS\system32\svchost.exe -k p2psvc
    S3 p2psvc;Redes de mismo nivel;C:\WINDOWS\system32\svchost.exe -k p2psvc
    S3 pepifilter;Volume Adapter;C:\WINDOWS\system32\DRIVERS\lv302af.sys
    S3 PID_08A0;Labtec WebCam(PID_08A0);C:\WINDOWS\system32\DRIVERS\LV302AV.SYS
    S3 PNRPSvc;Protocolo de resolución de nombres de mismo nivel;C:\WINDOWS\system32\svchost.exe -k p2psvc
    S3 sdbus;sdbus;C:\WINDOWS\system32\DRIVERS\sdbus.sys
    S3 Tomcat5;Apache Tomcat;"C:\Tomcat 5.0\bin\tomcat5.exe" //RS//Tomcat5
    S3 vaxscsi;vaxscsi;C:\WINDOWS\system32\Drivers\vaxscsi.sys
    S3 vserial;ELTIMA Virtual Serial Ports Driver;C:\WINDOWS\system32\DRIVERS\vserial.sys
    S3 w22n51;Controlador Intel(R) PRO/Wireless 2200 Adapter;C:\WINDOWS\system32\DRIVERS\w22n51.sys
    S3 WBSD;Winbond Secure Digital Storage (SD/MMC) Device Driver;C:\WINDOWS\system32\Drivers\WBSD.SYS

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    p2psvc p2psvc p2pimsvc p2pgasvc PNRPSvc
    mysee2 Mysee2_Runtime


    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6aadb5c8-2002-11dc-ac25-000fb0929265}]
    dismount\command- D:\syst\syst.exe /q /d
    start\command- D:\syst\syst.exe /q background /e /m rm /v "sys"


    Contents of the 'Scheduled Tasks' folder
    2007-08-05 13:45:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job - C:\Archivos de programa\Apple Software Update\SoftwareUpdate.exe
    2007-08-05 22:02:02 C:\WINDOWS\Tasks\At1.job - C:\WINDOWS\system32\1a5WEXsH.exe
    2007-08-05 20:02:06 C:\WINDOWS\Tasks\At10.job - C:\WINDOWS\system32\1a5WEXsH.exe
    2007-08-05 20:02:06 C:\WINDOWS\Tasks\At11.job - C:\WINDOWS\system32\1a5WEXsH.exe
    2007-08-05 20:02:06 C:\WINDOWS\Tasks\At12.job - C:\WINDOWS\system32\1a5WEXsH.exe
    2007-08-05 20:02:06 C:\WINDOWS\Tasks\At13.job - C:\WINDOWS\system32\1a5WEXsH.exe
    2007-08-05 20:02:06 C:\WINDOWS\Tasks\At14.job
    2007-08-05 20:02:06 C:\WINDOWS\Tasks\At15.job - C:\WINDOWS\system32\1a5WEXsH.exe
    2007-08-05 20:02:06 C:\WINDOWS\Tasks\At16.job - C:\WINDOWS\system32\1a5WEXsH.exe
    2007-08-05 20:02:06 C:\WINDOWS\Tasks\At17.job - C:\WINDOWS\system32\1a5WEXsH.exe
    2007-08-05 20:02:06 C:\WINDOWS\Tasks\At18.job - C:\WINDOWS\system32\1a5WEXsH.exe
    2007-08-05 20:02:06 C:\WINDOWS\Tasks\At19.job - C:\WINDOWS\system32\1a5WEXsH.exe
    2007-08-05 23:02:02 C:\WINDOWS\Tasks\At2.job
    2007-08-05 20:02:06 C:\WINDOWS\Tasks\At20.job - C:\WINDOWS\system32\1a5WEXsH.exe
    2007-08-05 20:02:06 C:\WINDOWS\Tasks\At21.job - C:\WINDOWS\system32\1a5WEXsH.exe
    2007-08-05 20:02:06 C:\WINDOWS\Tasks\At22.job - C:\WINDOWS\system32\1a5WEXsH.exe
    2007-08-05 20:02:06 C:\WINDOWS\Tasks\At23.job - C:\WINDOWS\system32\1a5WEXsH.exe
    2007-08-05 21:01:06 C:\WINDOWS\Tasks\At24.job - C:\WINDOWS\system32\1a5WEXsH.exe
    2007-08-05 20:02:06 C:\WINDOWS\Tasks\At3.job - C:\WINDOWS\system32\1a5WEXsH.exe
    2007-08-05 20:02:06 C:\WINDOWS\Tasks\At4.job - C:\WINDOWS\system32\1a5WEXsH.exe
    2007-08-05 20:02:06 C:\WINDOWS\Tasks\At5.job - C:\WINDOWS\system32\1a5WEXsH.exe
    2007-08-05 20:02:06 C:\WINDOWS\Tasks\At6.job - C:\WINDOWS\system32\1a5WEXsH.exe
    2007-08-05 20:02:06 C:\WINDOWS\Tasks\At7.job - C:\WINDOWS\system32\1a5WEXsH.exe
    2007-08-05 20:02:06 C:\WINDOWS\Tasks\At8.job - C:\WINDOWS\system32\1a5WEXsH.exe
    2007-08-05 20:02:06 C:\WINDOWS\Tasks\At9.job - C:\WINDOWS\system32\1a5WEXsH.exe

    **************************************************************************

    catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-08-06 12:41:43
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden registry entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    Completion time: 2007-08-06 12:43:21 - machine was rebooted
    C:\ComboFix-quarantined-files.txt ... 2007-08-06 12:43

    --- E O F ---

  4. #4
    Junior Member
    Join Date: Aug 2007
    Posts: 13

    The HJT log

    Thanks in advance. There was no log generated by VundoFix v6.5.6.

    How did this enter the computer? Via Internet Explorer? Was it a JavaScript? Did I agree to install something in Internet Explorer?

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 12:44, on 2007-08-06
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Archivos de programa\Cisco Systems\VPN Client\cvpnd.exe
    C:\Archivos de programa\AVC Finger-sensing Pad Driver\FspadSvr.exe
    C:\Tivoli\lcf\bin\w32-ix86\mrt\lcfd.exe
    C:\Archivos de programa\Network Associates\Common Framework\FrameworkService.exe
    C:\Archivos de programa\Network Associates\VirusScan\Mcshield.exe
    C:\Archivos de programa\Network Associates\VirusScan\VsTskMgr.exe
    C:\Archivos de programa\Archivos comunes\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\system32\nutsrv4.exe
    C:\oracle\ora92\bin\omtsreco.exe
    C:\WINDOWS\ProPatches\Scheduler\stSchedEx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\cmd.exe
    C:\Archivos de programa\Picasa2\PicasaMediaDetector.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Archivos de programa\VirtuaWin\VirtuaWin.exe
    C:\Archivos de programa\VirtuaWin\modules\VWAssigner.exe
    C:\Archivos de programa\VirtuaWin\modules\WinList.exe
    C:\WINDOWS\system32\RunDll32.exe
    C:\WINDOWS\system32\notepad.exe
    C:\WINDOWS\system32\cmd.exe
    C:\ComboFix\vfind.cfexe
    C:\Archivos de programa\Mozilla Firefox\firefox.exe
    C:\Archivos de programa\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.ieci.geci:8080
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.int;*.geci;128.*;documentum.*;<local>
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Archivos de programa\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Archivos de programa\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: WebAssist - {85589B5D-D53D-4237-A677-46B82EA275F3} - C:\WINDOWS\WebAssist.dll
    O4 - HKLM\..\Run: [NuTCSetupEnviron] C:\Archivos de programa\Rational\Rational Test\nutcroot\bin\ncoeenv.exe
    O4 - HKLM\..\Run: [CCDoctorLogonTesting] "c:\Atria\bin\ccdoctor.exe" /LogonStartup
    O4 - HKLM\..\Run: [Picasa Media Detector] C:\Archivos de programa\Picasa2\PicasaMediaDetector.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICIO LOCAL')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Servicio de red')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'Default user')
    O4 - Global Startup: VirtuaWin.lnk = C:\Archivos de programa\VirtuaWin\VirtuaWin.exe
    O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\ARCHIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\C_2XEC.dll
    O9 - Extra 'Tools' menuitem: Consola de Sun Java - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\C_2XEC.dll
    O9 - Extra button: Referencia - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARCHIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
    O16 - DPF: {4A3CBDDD-C4DC-4C38-B44F-704DAEF628AE} (PjAdoInfo3 Class) - http://10.228.137.37/projectserver/objects/pjclient.cab
    O16 - DPF: {759FD3DE-F0EF-4A76-909C-88CF840D4173} (DmDragDrop Class) - http://localhost:9090/dco/wdk/native/WdkPluginCab.CAB
    O16 - DPF: {89B8153D-C170-41D7-BB4B-CD4D63FE900C} (Pj11esnC Class) - http://10.228.137.37/projectserver/o...82/pjcintl.cab
    O16 - DPF: {B1B47DEB-76C1-4701-9F19-5671101C3344} (PictureSelect.Selector) - http://www.revelaonline.com/class/Re...ureManager.cab
    O16 - DPF: {B785FA3C-1DE9-4D20-8396-613C486FE95E} (AeatCtl Class) - https://www1.aeat.es/imagenes/comun/cactivex.cab
    O16 - DPF: {BA2174B0-C012-11DA-A94D-0800200C9A66} (DmDragDrop Class) - http://documentum:1975/dco/wdk/native/WdkPluginCab.CAB
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = grupoeci.elcorteingles.corp
    O17 - HKLM\Software\..\Telephony: DomainName = grupoeci.elcorteingles.corp
    O17 - HKLM\System\CCS\Services\Tcpip\..\{3787471A-6F44-475F-B1D8-B928E127E071}: NameServer = 192.168.50.170,192.168.50.171
    O17 - HKLM\System\CCS\Services\Tcpip\..\{5AC9E483-93DE-45C2-BE3B-733BD13A2191}: NameServer = 80.58.61.250,80.58.61.254
    O17 - HKLM\System\CCS\Services\Tcpip\..\{EA032721-3D92-4450-8B90-A77BAD0D7744}: NameServer = 128.90.0.203,128.90.0.204
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = grupoeci.elcorteingles.corp
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = geci,eci.geci,ieci.geci
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = grupoeci.elcorteingles.corp
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = geci,eci.geci,ieci.geci
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = geci,eci.geci,ieci.geci
    O20 - AppInit_DLLs: c:\windows\system32\ddcyxut.dll
    O20 - Winlogon Notify: C_2XEC - C:\WINDOWS\SYSTEM32\C_2XEC.dll
    O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Archivos de programa\Ares\chatServer.exe
    O23 - Service: IBM CICS Universal Client (CICSClient) - IBM Corporation - C:\Archivos de programa\IBM\IBM CICS Transaction Gateway\bin\cclserv.exe
    O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Archivos de programa\Cisco Systems\VPN Client\cvpnd.exe
    O23 - Service: Servidor de applet JDBC de DB2 (DB2JDS) - International Business Machines Corporation - C:\Archivos de programa\IBM\SQLLIB\BIN\db2jds.exe
    O23 - Service: Servidor de seguridad DB2 (DB2NTSECSERVER) - International Business Machines Corporation - C:\Archivos de programa\IBM\SQLLIB\BIN\db2sec.exe
    O23 - Service: FspadSvc - Unknown owner - C:\Archivos de programa\AVC Finger-sensing Pad Driver\FspadSvr.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Archivos de programa\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: IBM CICS Transaction Gateway (IBMCICSTransactionGateway) - IBM Corporation - C:\Archivos de programa\IBM\IBM CICS Transaction Gateway\bin\CTGSERVICE.EXE
    O23 - Service: Servicio del iPod (iPod Service) - Apple Inc. - C:\Archivos de programa\iPod\bin\iPodService.exe
    O23 - Service: Tivoli Endpoint (lcfd) - Unknown owner - C:\Tivoli\lcf\bin\w32-ix86\mrt\lcfd.exe
    O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Archivos de programa\Network Associates\Common Framework\FrameworkService.exe
    O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Archivos de programa\Network Associates\VirusScan\Mcshield.exe
    O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Archivos de programa\Network Associates\VirusScan\VsTskMgr.exe
    O23 - Service: NetOp Helper ver. 7.65 (2004342) (NetOp Host for NT Service) - Danware Data A/S - C:\Archivos de programa\NetOp Remote Control\HOST\NHOSTSVC.EXE
    O23 - Service: NuTCRACKERService - DataFocus, Inc. - C:\WINDOWS\system32\nutsrv4.exe
    O23 - Service: OracleMTSRecoveryService - Oracle Corporation - C:\oracle\ora92\bin\omtsreco.exe
    O23 - Service: OracleOraHome92ClientCache - Unknown owner - C:\oracle\ora92\BIN\ONRSD.EXE
    O23 - Service: ServiceLayer - Nokia. - C:\Archivos de programa\PC Connectivity Solution\ServiceLayer.exe
    O23 - Service: Shavlik Remote Scheduler Service (Shavlik Scheduler) - Shavlik Technologies - C:\WINDOWS\ProPatches\Scheduler\stSchedEx.exe
    O23 - Service: Apache Tomcat (Tomcat5) - Apache Software Foundation - C:\Tomcat 5.0\bin\tomcat5.exe

    --
    End of file - 8394 bytes

  5. #5
    Security Expert: Emeritus
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    29,374

    Default

    Hi

    "how did this enter the computer ¿via iexplorer? was it a javascript? did I accept to install something in the explorer?"

    Impossible to say.

    First, I would like you to upload this file to uploadmalware

    C:\WINDOWS\SYSTEM32\C_2XEC.dll

    Put to Comments and Further Info:

    New Vundo file and these:

    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\C_2XEC.dll
    O9 - Extra 'Tools' menuitem: Consola de Sun Java - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\C_2XEC.dll
    O20 - Winlogon Notify: C_2XEC - C:\WINDOWS\SYSTEM32\C_2XEC.dll

    After that:

    Open HijackThis, click do a system scan only and checkmark these:

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    O2 - BHO: WebAssist - {85589B5D-D53D-4237-A677-46B82EA275F3} - C:\WINDOWS\WebAssist.dll
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\C_2XEC.dll
    O9 - Extra 'Tools' menuitem: Consola de Sun Java - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\C_2XEC.dll
    O20 - AppInit_DLLs: c:\windows\system32\ddcyxut.dll
    O20 - Winlogon Notify: C_2XEC - C:\WINDOWS\SYSTEM32\C_2XEC.dll


    Close all windows including browser and press fix checked.

    Reboot.

    Open notepad and copy/paste the text in the quotebox below into it:

    Code:
    File::
    C:\WINDOWS\system32\C_2XEC.dll
    C:\WINDOWS\system32\dnb42d4d23.dat
    C:\WINDOWS\system32\sstts.exe
    C:\WINDOWS\vttrrs.dll
    C:\WINDOWS\system32\ddcyxut.dll
    C:\WINDOWS\system32\1a5WEXsH.exe
    C:\WINDOWS\WebAssist.dll
    C:\WINDOWS\Tasks\At1.job 
    C:\WINDOWS\Tasks\At10.job 
    C:\WINDOWS\Tasks\At11.job 
    C:\WINDOWS\Tasks\At12.job
    C:\WINDOWS\Tasks\At13.job
    C:\WINDOWS\Tasks\At14.job
    C:\WINDOWS\Tasks\At15.job 
    C:\WINDOWS\Tasks\At16.job  
    C:\WINDOWS\Tasks\At17.job  
    C:\WINDOWS\Tasks\At18.job  
    C:\WINDOWS\Tasks\At19.job 
    C:\WINDOWS\Tasks\At2.job
    C:\WINDOWS\Tasks\At20.job  
    C:\WINDOWS\Tasks\At21.job  
    C:\WINDOWS\Tasks\At22.job
    C:\WINDOWS\Tasks\At23.job  
    C:\WINDOWS\Tasks\At24.job  
    C:\WINDOWS\Tasks\At3.job 
    C:\WINDOWS\Tasks\At4.job  
    C:\WINDOWS\Tasks\At5.job 
    C:\WINDOWS\Tasks\At6.job
    C:\WINDOWS\Tasks\At7.job 
    C:\WINDOWS\Tasks\At8.job
    C:\WINDOWS\Tasks\At9.job 
    
    Registry::
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6aadb5c8-2002-11dc-ac25-000fb0929265}]
    Save this as "CFScript"



    This will start ComboFix again. After reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.
    Microsoft MVP Consumer Security 2008-2011

    Member of ASAP and UNITE since 2006

  6. #6
    Junior Member
    Join Date
    Aug 2007
    Posts
    13

    Default Combofix log

    Thanks again

    ComboFix 07-08-04.3 - "65555955" 2007-08-07 14:34:17.2 [GMT 2:00] - NTFS
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.3082.18.Verdadero
    Command switches used :: C:\Documents and Settings\65555955.GRUPOECI\Escritorio\CFScript.txt
    * Created a new restore point


    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


    C:\WINDOWS\system32\1a5WEXsH.exe
    C:\WINDOWS\system32\C_2XEC.dll
    C:\WINDOWS\system32\ddcyxut.dll
    C:\WINDOWS\system32\dnb42d4d23.dat
    C:\WINDOWS\system32\sstts.exe
    C:\WINDOWS\Tasks\At1.job
    C:\WINDOWS\Tasks\At10.job
    C:\WINDOWS\Tasks\At11.job
    C:\WINDOWS\Tasks\At12.job
    C:\WINDOWS\Tasks\At13.job
    C:\WINDOWS\Tasks\At14.job
    C:\WINDOWS\Tasks\At15.job
    C:\WINDOWS\Tasks\At16.job
    C:\WINDOWS\Tasks\At17.job
    C:\WINDOWS\Tasks\At18.job
    C:\WINDOWS\Tasks\At19.job
    C:\WINDOWS\Tasks\At2.job
    C:\WINDOWS\Tasks\At20.job
    C:\WINDOWS\Tasks\At21.job
    C:\WINDOWS\Tasks\At22.job
    C:\WINDOWS\Tasks\At23.job
    C:\WINDOWS\Tasks\At24.job
    C:\WINDOWS\Tasks\At3.job
    C:\WINDOWS\Tasks\At4.job
    C:\WINDOWS\Tasks\At5.job
    C:\WINDOWS\Tasks\At6.job
    C:\WINDOWS\Tasks\At7.job
    C:\WINDOWS\Tasks\At8.job
    C:\WINDOWS\Tasks\At9.job
    C:\WINDOWS\vttrrs.dll


    ((((((((((((((((((((((((( Files Created from 2007-07-07 to 2007-08-07 )))))))))))))))))))))))))))))))


    2007-08-06 12:28 51,200 --a------ C:\WINDOWS\nircmd.exe
    2007-08-06 00:21 <DIR> d-------- C:\VundoFix Backups
    2007-08-06 00:01 <DIR> d-------- C:\Archivos de programa\Trend Micro
    2007-08-05 22:45 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\DATOSD~1\Spybot - Search & Destroy
    2007-07-17 13:59 65,536 --a------ C:\DOCUME~1\655559~1.GRU\DwRegistry0.dll
    2007-07-11 13:36 <DIR> d-------- C:\Archivos de programa\Windows Environment Variable Editor (WEVE) 1.5
    2007-07-08 15:40 <DIR> d-------- C:\DOCUME~1\655559~1.GRU\Phone Browser
    2007-07-08 15:39 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\DATOSD~1\PC Suite
    2007-07-08 15:32 <DIR> d-------- C:\DOCUME~1\655559~1.GRU\DATOSD~1\Nokia
    2007-07-08 15:31 90,624 --a------ C:\WINDOWS\system32\nmwcdcls.dll
    2007-07-08 15:31 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
    2007-07-08 15:31 <DIR> d-------- C:\DOCUME~1\655559~1.GRU\DATOSD~1\PC Suite
    2007-07-08 15:31 <DIR> d-------- C:\Archivos de programa\PC Connectivity Solution
    2007-07-08 15:31 <DIR> d-------- C:\Archivos de programa\DIFX
    2007-07-08 15:30 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\DATOSD~1\Installations


    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

    2007-08-05 22:02 --------- d-------- C:\Archivos de programa\Picasa2
    2007-07-06 15:37 --------- d-------- C:\Archivos de programa\TVUPlayer
    2007-07-06 15:36 --------- d-------- C:\DOCUME~1\655559~1.GRU\DATOSD~1\TVU Networks
    2007-07-03 23:08 --------- d-------- C:\DOCUME~1\655559~1.GRU\DATOSD~1\Skype
    2007-07-02 23:38 --------- d-------- C:\DOCUME~1\655559~1.GRU\DATOSD~1\PDFcreator
    2007-07-02 12:46 --------- d-------- C:\Archivos de programa\UltraEdit
    2007-06-28 19:26 --------- d-------- C:\DOCUME~1\655559~1.GRU\DATOSD~1\vlc
    2007-06-27 20:34 --------- d-------- C:\DOCUME~1\655559~1.GRU\DATOSD~1\Apple Computer
    2007-06-27 12:48 --------- d-------- C:\DOCUME~1\655559~1.GRU\DATOSD~1\AdobeUM
    2007-06-26 21:32 --------- d-------- C:\DOCUME~1\655559~1.GRU\DATOSD~1\Ahead
    2007-06-22 16:04 --------- d-------- C:\DOCUME~1\655559~1.GRU\DATOSD~1\Help
    2007-06-22 16:02 --------- d-------- C:\DOCUME~1\655559~1.GRU\DATOSD~1\Rational
    2007-06-22 15:51 --------- d-------- C:\Archivos de programa\Rational
    2007-06-22 15:16 --------- d-------- C:\Archivos de programa\IBM
    2007-06-22 09:40 --------- d-------- C:\Archivos de programa\Archivos comunes\IBM
    2007-06-21 16:31 --------- d-------- C:\DOCUME~1\655559~1.GRU\DATOSD~1\VirtuaWin
    2007-06-18 16:47 --------- d-------- C:\Archivos de programa\7-Zip
    2007-06-15 17:48 659 --ah----- C:\os642656.bin
    2007-06-15 12:41 --------- d--h----- C:\Archivos de programa\InstallShield Installation Information
    2007-06-15 12:40 --------- d-------- C:\Archivos de programa\Archivos comunes\Vbox
    2007-06-14 10:33 --------- d-------- C:\Archivos de programa\Network Associates
    2007-06-12 11:25 --------- d-------- C:\Archivos de programa\VirtuaWin
    2007-06-10 01:53 --------- d-------- C:\Archivos de programa\VideoLAN
    2007-06-08 16:15 --------- d-------- C:\Archivos de programa\Ares
    2007-06-08 13:01 --------- d-------- C:\DOCUME~1\655559~1.GRU\DATOSD~1\Talkback
    2007-06-08 12:46 7012 --------- C:\WINDOWS\system32\drivers\PMEMNT.SYS
    2007-06-08 12:42 --------- d-------- C:\Archivos de programa\Archivos comunes\Tivoli
    2007-06-07 12:07 --------- d-------- C:\Archivos de programa\Winamp
    2007-06-07 10:47 --------- d-------- C:\Archivos de programa\Archivos comunes\Real
    2007-06-01 16:21 14597 --a--c--- C:\WINDOWS\mozver.dat
    2005-05-13 16:12:00 217,073 -csha-r C:\WINDOWS\meta4.exe
    2005-10-24 10:13:58 66,560 -csha-r C:\WINDOWS\MOTA113.exe
    2005-10-13 20:27:00 422,400 -csha-r C:\WINDOWS\x2.64.exe
    2005-07-14 11:31:20 27,648 -csha-r C:\WINDOWS\system32\AVSredirect.dll
    2006-12-07 11:12:16 56 -csh--r C:\WINDOWS\system32\C5B453062B.sys
    2005-06-26 14:32:28 616,448 -csha-r C:\WINDOWS\system32\cygwin1.dll
    2005-06-21 21:37:42 45,568 -csha-r C:\WINDOWS\system32\cygz.dll
    2004-01-24 23:00:00 70,656 --sha-r C:\WINDOWS\system32\i420vfw.dll
    2006-12-07 11:12:16 1,890 -csha-w C:\WINDOWS\system32\KGyGaAvL.sys
    2006-04-27 09:24:24 2,945,024 -csha-r C:\WINDOWS\system32\Smab.dll
    2005-02-28 12:16:22 240,128 -csha-r C:\WINDOWS\system32\x.264.exe
    2004-01-24 23:00:00 70,656 --sha-r C:\WINDOWS\system32\yv12vfw.dll


    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


    *Note* empty entries & legit default entries are not shown

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NuTCSetupEnviron"="C:\Archivos de programa\Rational\Rational Test\nutcroot\bin\ncoeenv.exe" [2002-04-25 16:13]
    "CCDoctorLogonTesting"="c:\Atria\bin\ccdoctor.exe" [2001-09-25 03:44]
    "Picasa Media Detector"="C:\Archivos de programa\Picasa2\PicasaMediaDetector.exe" [2007-08-05 22:36]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-20 14:00]

    C:\Documents and Settings\All Users\Menú Inicio\Programas\Inicio\
    VirtuaWin.lnk - C:\Archivos de programa\VirtuaWin\VirtuaWin.exe [2007-06-12 11:25:09]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "RunStartupScriptSync"=0 (0x0)
    "MaxGPOScriptWait"=300 (0x12c)

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
    "NoDispAppearancePage"=0 (0x0)
    "NoDispSettingsPage"=0 (0x0)
    "NoDispCPL"=0 (0x0)
    "NoDispBackgroundPage"=1 (0x1)
    "NoDispScrSavPage"=1 (0x1)
    "WallpaperStyle"=2

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "NoSimpleStartMenu"=1 (0x1)
    "NoDesktopCleanupWizard"=1 (0x1)
    "NoActiveDesktopChanges"=1 (0x1)

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "appinit_dlls"=c:\windows\system32\ddcyxut.dll

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    "Authentication Packages"= msv1_0 TivoliAP

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\0\0]
    "Script"=GPO_Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\1\0]
    "Script"=\\grupoeci.elcorteingles.corp\SysVol\grupoeci.elcorteingles.corp\scripts\Configuracion\PROC\Politicas.cmd

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\2\0]
    "Script"=\\grupoeci.elcorteingles.corp\SysVol\grupoeci.elcorteingles.corp\scripts\Configuracion\PROC\Politicas.cmd

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menú Inicio^Programas^Inicio^Adobe Gamma Loader.lnk]
    path=C:\Documents and Settings\All Users\Menú Inicio\Programas\Inicio\Adobe Gamma Loader.lnk
    backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menú Inicio^Programas^Inicio^Notes Minder.lnk]
    path=C:\Documents and Settings\All Users\Menú Inicio\Programas\Inicio\Notes Minder.lnk
    backup=C:\WINDOWS\pss\Notes Minder.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menú Inicio^Programas^Inicio^VirtuaWin.lnk]
    path=C:\Documents and Settings\All Users\Menú Inicio\Programas\Inicio\VirtuaWin.lnk
    backup=C:\WINDOWS\pss\VirtuaWin.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menú Inicio^Programas^Inicio^WinZip Quick Pick.lnk]
    path=C:\Documents and Settings\All Users\Menú Inicio\Programas\Inicio\WinZip Quick Pick.lnk
    backup=C:\WINDOWS\pss\WinZip Quick Pick.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CplBCL50]
    C:\Archivos de programa\EzButton\CplBCL50.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
    C:\WINDOWS\system32\hkcmd.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
    C:\WINDOWS\system32\igfxtray.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    "C:\Archivos de programa\iTunes\iTunesHelper.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\McAfeeUpdaterUI]
    "C:\Archivos de programa\Network Associates\Common Framework\UdaterUI.exe" /StartedFromRunKey

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Network Associates Error Reporting Service]
    "C:\Archivos de programa\Archivos comunes\Network Associates\TalkBack\TBMon.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    "C:\Archivos de programa\QuickTime\qttask.exe" -atboottime

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Rainlendar2]
    G:\Rainlendar2\Rainlendar2.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RAMpage]
    "C:\Archivos de programa\RAMpage\RAMpage.exe" M=28 T=24 LG P="C:\Archivos de programa\RAMpage\RAMpageConfig.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ShStatEXE]
    "C:\Archivos de programa\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
    SOUNDMAN.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    "C:\Archivos de programa\Java\j2re1.4.2_12\bin\jusched.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
    "C:\Archivos de programa\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1

    R0 ENECBPTH;ENE Cardbus Patch Driver;C:\WINDOWS\system32\drivers\ENECBPTH.sys
    R1 NaiAvTdi1;NaiAvTdi1;C:\WINDOWS\system32\drivers\mvstdi5x.sys
    R1 NHostNT1;NetOp Driver 1 ver. 7.65 (2004342);C:\WINDOWS\system32\Drivers\NHOSTNT1.SYS
    R1 PQNTDrv;PQNTDrv;C:\WINDOWS\system32\drivers\PQNTDrv.sys
    R1 Tcpip6;Controlador de protocolo IPv6 de Microsoft;C:\WINDOWS\system32\DRIVERS\tcpip6.sys
    R2 6to4;Servicio de ayuda de IPv6;C:\WINDOWS\system32\svchost.exe -k netsvcs
    R2 CVPND;Cisco Systems, Inc. VPN Service;"C:\Archivos de programa\Cisco Systems\VPN Client\cvpnd.exe"
    R2 CVPNDRVA;Cisco Systems Inc. IPSec Driver;\??\C:\WINDOWS\system32\Drivers\CVPNDRVA.sys
    R2 FspadSvc;FspadSvc;C:\Archivos de programa\AVC Finger-sensing Pad Driver\FspadSvr.exe
    R2 lcfd;Tivoli Endpoint;"C:\Tivoli\lcf\bin\w32-ix86\mrt\lcfd.exe"
    R2 NetOp Host for NT Service;NetOp Helper ver. 7.65 (2004342);"C:\Archivos de programa\NetOp Remote Control\HOST\NHOSTSVC.EXE"
    R2 NuTCRACKERService;NuTCRACKERService;C:\WINDOWS\system32\nutsrv4.exe
    R2 PMEM;PMEM;\??\C:\WINDOWS\system32\drivers\PMEMNT.SYS
    R2 Shavlik Scheduler;Shavlik Remote Scheduler Service;C:\WINDOWS\ProPatches\Scheduler\stSchedEx.exe /Service
    R3 DNE;Deterministic Network Enhancer Miniport;C:\WINDOWS\system32\DRIVERS\dne2000.sys
    R3 EMSCR;EMSCR;C:\WINDOWS\system32\DRIVERS\EMS7SK.sys
    R3 ESDCR;ESDCR;C:\WINDOWS\system32\DRIVERS\ESD7SK.sys
    R3 fspad;AVC Finger-sensing Pad Driver for Windows 2000/XP;C:\WINDOWS\system32\DRIVERS\fspad.sys
    R3 NHOSTNT3;NetOp Driver 3 ver. 7.65 (2004342) (NHOSTNT3);C:\WINDOWS\system32\Drivers\NHOSTNT3.SYS
    R3 RTL8023xp;Realtek RTL8139/810x/8169/8110 all in one NDIS XP Driver;C:\WINDOWS\system32\DRIVERS\Rtlnicxp.sys
    R3 tunmp;Controlador de adaptador de minipuerto Tun de Microsoft;C:\WINDOWS\system32\DRIVERS\tunmp.sys
    R3 vsbus;Virtual Serial Bus Enumerator;C:\WINDOWS\system32\DRIVERS\vsb.sys
    R3 w29n51;Controlador de la Conexión de red Intel(R) PRO/Wireless 2200BG para Windows XP;C:\WINDOWS\system32\DRIVERS\w29n51.sys
    S2 BTSLBCSP;Bluetooth Port Client Driver;\??\C:\WINDOWS\system32\drivers\btslbcsp.sys
    S3 actser;actser;C:\WINDOWS\system32\drivers\actser.sys
    S3 CVirtA;Cisco Systems VPN Adapter;C:\WINDOWS\system32\DRIVERS\CVirtA.sys
    S3 DKbFltr;Dritek HotKey Keyboard Filter Driver;C:\WINDOWS\system32\Drivers\DKbFltr.sys
    S3 MSIRCOMM;Microsoft IR Communications Driver;C:\WINDOWS\system32\DRIVERS\MSIRCOMM.sys
    S3 OracleOraHome92ClientCache;OracleOraHome92ClientCache;C:\oracle\ora92\BIN\ONRSD.EXE
    S3 p2pgasvc;Autenticación de grupo de redes de mismo nivel;C:\WINDOWS\system32\svchost.exe -k p2psvc
    S3 p2pimsvc;Administrador de identidad de redes de mismo nivel;C:\WINDOWS\system32\svchost.exe -k p2psvc
    S3 p2psvc;Redes de mismo nivel;C:\WINDOWS\system32\svchost.exe -k p2psvc
    S3 pepifilter;Volume Adapter;C:\WINDOWS\system32\DRIVERS\lv302af.sys
    S3 PID_08A0;Labtec WebCam(PID_08A0);C:\WINDOWS\system32\DRIVERS\LV302AV.SYS
    S3 PNRPSvc;Protocolo de resolución de nombres de mismo nivel;C:\WINDOWS\system32\svchost.exe -k p2psvc
    S3 sdbus;sdbus;C:\WINDOWS\system32\DRIVERS\sdbus.sys
    S3 Tomcat5;Apache Tomcat;"C:\Tomcat 5.0\bin\tomcat5.exe" //RS//Tomcat5
    S3 vaxscsi;vaxscsi;C:\WINDOWS\system32\Drivers\vaxscsi.sys
    S3 vserial;ELTIMA Virtual Serial Ports Driver;C:\WINDOWS\system32\DRIVERS\vserial.sys
    S3 w22n51;Controlador Intel(R) PRO/Wireless 2200 Adapter;C:\WINDOWS\system32\DRIVERS\w22n51.sys
    S3 WBSD;Winbond Secure Digital Storage (SD/MMC) Device Driver;C:\WINDOWS\system32\Drivers\WBSD.SYS

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    p2psvc p2psvc p2pimsvc p2pgasvc PNRPSvc
    mysee2 Mysee2_Runtime


    Contents of the 'Scheduled Tasks' folder
    2007-08-05 13:45:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job - C:\Archivos de programa\Apple Software Update\SoftwareUpdate.exe

    **************************************************************************

    catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-08-07 14:44:14
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden registry entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    Completion time: 2007-08-07 14:45:21 - machine was rebooted
    C:\ComboFix-quarantined-files.txt ... 2007-08-07 14:45
    C:\ComboFix2.txt ... 2007-08-06 12:43

    --- E O F ---

  7. #7
    Junior Member
    Join Date
    Aug 2007
    Posts
    13

    Default hjtlog

    Looks like O20 - AppInit_DLLs: c:\windows\system32\ddcyxut.dll

    didn't get deleted:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 14:48, on 2007-08-07
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Archivos de programa\Cisco Systems\VPN Client\cvpnd.exe
    C:\Archivos de programa\AVC Finger-sensing Pad Driver\FspadSvr.exe
    C:\Tivoli\lcf\bin\w32-ix86\mrt\lcfd.exe
    C:\Archivos de programa\Network Associates\Common Framework\FrameworkService.exe
    C:\Archivos de programa\Network Associates\VirusScan\Mcshield.exe
    C:\Archivos de programa\Network Associates\VirusScan\VsTskMgr.exe
    C:\Archivos de programa\Archivos comunes\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\system32\nutsrv4.exe
    C:\oracle\ora92\bin\omtsreco.exe
    C:\WINDOWS\ProPatches\Scheduler\stSchedEx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Archivos de programa\Picasa2\PicasaMediaDetector.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\system32\notepad.exe
    C:\Archivos de programa\Mozilla Firefox\firefox.exe
    C:\Archivos de programa\Network Associates\Common Framework\UdaterUI.exe
    C:\Archivos de programa\Network Associates\Common Framework\McTray.exe
    C:\Archivos de programa\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.ieci.geci:8080
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.int;*.geci;128.*;documentum.*;<local>
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Archivos de programa\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Archivos de programa\Spybot - Search & Destroy\SDHelper.dll
    O4 - HKLM\..\Run: [NuTCSetupEnviron] C:\Archivos de programa\Rational\Rational Test\nutcroot\bin\ncoeenv.exe
    O4 - HKLM\..\Run: [CCDoctorLogonTesting] "c:\Atria\bin\ccdoctor.exe" /LogonStartup
    O4 - HKLM\..\Run: [Picasa Media Detector] C:\Archivos de programa\Picasa2\PicasaMediaDetector.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICIO LOCAL')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Servicio de red')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'Default user')
    O4 - Global Startup: VirtuaWin.lnk = C:\Archivos de programa\VirtuaWin\VirtuaWin.exe
    O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\ARCHIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Referencia - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARCHIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
    O16 - DPF: {4A3CBDDD-C4DC-4C38-B44F-704DAEF628AE} (PjAdoInfo3 Class) - http://10.228.137.37/projectserver/objects/pjclient.cab
    O16 - DPF: {759FD3DE-F0EF-4A76-909C-88CF840D4173} (DmDragDrop Class) - http://localhost:9090/dco/wdk/native/WdkPluginCab.CAB
    O16 - DPF: {89B8153D-C170-41D7-BB4B-CD4D63FE900C} (Pj11esnC Class) - http://10.228.137.37/projectserver/o...82/pjcintl.cab
    O16 - DPF: {B1B47DEB-76C1-4701-9F19-5671101C3344} (PictureSelect.Selector) - http://www.revelaonline.com/class/Re...ureManager.cab
    O16 - DPF: {B785FA3C-1DE9-4D20-8396-613C486FE95E} (AeatCtl Class) - https://www1.aeat.es/imagenes/comun/cactivex.cab
    O16 - DPF: {BA2174B0-C012-11DA-A94D-0800200C9A66} (DmDragDrop Class) - http://documentum:1975/dco/wdk/native/WdkPluginCab.CAB
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = grupoeci.elcorteingles.corp
    O17 - HKLM\Software\..\Telephony: DomainName = grupoeci.elcorteingles.corp
    O17 - HKLM\System\CCS\Services\Tcpip\..\{3787471A-6F44-475F-B1D8-B928E127E071}: NameServer = 192.168.50.170,192.168.50.171
    O17 - HKLM\System\CCS\Services\Tcpip\..\{5AC9E483-93DE-45C2-BE3B-733BD13A2191}: NameServer = 80.58.61.250,80.58.61.254
    O17 - HKLM\System\CCS\Services\Tcpip\..\{EA032721-3D92-4450-8B90-A77BAD0D7744}: NameServer = 128.90.0.203,128.90.0.204
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = grupoeci.elcorteingles.corp
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = geci,eci.geci,ieci.geci
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = grupoeci.elcorteingles.corp
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = geci,eci.geci,ieci.geci
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = geci,eci.geci,ieci.geci
    O20 - AppInit_DLLs: c:\windows\system32\ddcyxut.dll
    O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Archivos de programa\Ares\chatServer.exe
    O23 - Service: IBM CICS Universal Client (CICSClient) - IBM Corporation - C:\Archivos de programa\IBM\IBM CICS Transaction Gateway\bin\cclserv.exe
    O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Archivos de programa\Cisco Systems\VPN Client\cvpnd.exe
    O23 - Service: Servidor de applet JDBC de DB2 (DB2JDS) - International Business Machines Corporation - C:\Archivos de programa\IBM\SQLLIB\BIN\db2jds.exe
    O23 - Service: Servidor de seguridad DB2 (DB2NTSECSERVER) - International Business Machines Corporation - C:\Archivos de programa\IBM\SQLLIB\BIN\db2sec.exe
    O23 - Service: FspadSvc - Unknown owner - C:\Archivos de programa\AVC Finger-sensing Pad Driver\FspadSvr.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Archivos de programa\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: IBM CICS Transaction Gateway (IBMCICSTransactionGateway) - IBM Corporation - C:\Archivos de programa\IBM\IBM CICS Transaction Gateway\bin\CTGSERVICE.EXE
    O23 - Service: Servicio del iPod (iPod Service) - Apple Inc. - C:\Archivos de programa\iPod\bin\iPodService.exe
    O23 - Service: Tivoli Endpoint (lcfd) - Unknown owner - C:\Tivoli\lcf\bin\w32-ix86\mrt\lcfd.exe
    O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Archivos de programa\Network Associates\Common Framework\FrameworkService.exe
    O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Archivos de programa\Network Associates\VirusScan\Mcshield.exe
    O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Archivos de programa\Network Associates\VirusScan\VsTskMgr.exe
    O23 - Service: NetOp Helper ver. 7.65 (2004342) (NetOp Host for NT Service) - Danware Data A/S - C:\Archivos de programa\NetOp Remote Control\HOST\NHOSTSVC.EXE
    O23 - Service: NuTCRACKERService - DataFocus, Inc. - C:\WINDOWS\system32\nutsrv4.exe
    O23 - Service: OracleMTSRecoveryService - Oracle Corporation - C:\oracle\ora92\bin\omtsreco.exe
    O23 - Service: OracleOraHome92ClientCache - Unknown owner - C:\oracle\ora92\BIN\ONRSD.EXE
    O23 - Service: ServiceLayer - Nokia. - C:\Archivos de programa\PC Connectivity Solution\ServiceLayer.exe
    O23 - Service: Shavlik Remote Scheduler Service (Shavlik Scheduler) - Shavlik Technologies - C:\WINDOWS\ProPatches\Scheduler\stSchedEx.exe
    O23 - Service: Apache Tomcat (Tomcat5) - Apache Software Foundation - C:\Tomcat 5.0\bin\tomcat5.exe

    --
    End of file - 7847 bytes

  8. #8
    Security Expert: Emeritus
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    29,374

    Default

    Hi

    Yes, it looks like so.

    Maybe the problem was that you fixed it before the file was gone.

    Open HijackThis, click do a system scan only and checkmark these:

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    O20 - AppInit_DLLs: c:\windows\system32\ddcyxut.dll


    Close all windows including browser and press fix checked.

    Reboot.

    Please do an online scan with Kaspersky Online Scanner. You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
    • The program will launch and then start to download the latest definition files.
    • Once the scanner is installed and the definitions downloaded, click Next.
    • Now click on Scan Settings
    • In the scan settings make sure that the following are selected:

      o Scan using the following Anti-Virus database:

      + Extended (If available otherwise Standard)

      o Scan Options:

      + Scan Archives
      + Scan Mail Bases
    • Click OK
    • Now under select a target to scan select My Computer
    • The scan will take a while so be patient and let it run. Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button
    • Save the file to your desktop.
    • Copy and paste that information in your next post.


    Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the license, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.

    Post:

    - a fresh HijackThis log
    - Kaspersky report
    Microsoft MVP Consumer Security 2008-2011

    Member of ASAP and UNITE since 2006

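    As an added example (not code from this thread or from HijackThis itself), a small Python triage script that parses HJT entry lines like the ones posted above and flags the same kinds of entries the helper asked to fix: a populated O20 AppInit_DLLs value, an R0 start page reset to about:blank, and O23 services with no listed publisher. The sample lines are copied from the logs in this thread; the flagging rules are my own assumptions about what deserves a second look, not HijackThis logic.

```python
"""Triage helper for HijackThis-style logs.

Added example, not part of the original thread or of HijackThis. It parses
the "Oxx - ..." / "Rx - ..." entry lines and reports the entry types that
were singled out in this thread. The decision rules are assumptions.
"""
import re
from dataclasses import dataclass

# Constructed sample: a few lines copied from the logs posted in the thread.
SAMPLE_LOG = """\
R0 - HKLM\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = about:blank
R1 - HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings,ProxyServer = proxy.ieci.geci:8080
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\\Archivos de programa\\Adobe\\Acrobat 7.0\\ActiveX\\AcroIEHelper.dll
O20 - AppInit_DLLs: c:\\windows\\system32\\ddcyxut.dll
O23 - Service: FspadSvc - Unknown owner - C:\\Archivos de programa\\AVC Finger-sensing Pad Driver\\FspadSvr.exe
O23 - Service: Apache Tomcat (Tomcat5) - Apache Software Foundation - C:\\Tomcat 5.0\\bin\\tomcat5.exe
"""

# Every HJT entry line starts with a section tag (R0, O2, O20, ...) and " - ".
ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<body>.*)$")


@dataclass
class Finding:
    section: str
    reason: str
    line: str


def parse_entries(log_text):
    """Yield (section, body) for each entry line; process lists etc. are skipped."""
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            yield m.group("section"), m.group("body")


def triage(log_text):
    """Return the entries worth a second look, in log order."""
    findings = []
    for section, body in parse_entries(log_text):
        line = f"{section} - {body}"
        if section == "O20" and body.startswith("AppInit_DLLs:"):
            # AppInit_DLLs is loaded into every process that maps user32.dll,
            # so a populated value on a home XP box is unusual; in this thread
            # it pointed at ddcyxut.dll, which was later quarantined.
            value = body.split(":", 1)[1].strip()
            if value:
                findings.append(Finding(section, "AppInit_DLLs is populated: " + value, line))
        elif section == "R0" and "Start Page = about:blank" in body:
            findings.append(Finding(section, "start page reset to about:blank", line))
        elif section == "O23" and " - Unknown owner - " in body:
            # Not necessarily malicious (drivers and admin agents show up here);
            # it just means the binary's publisher should be checked by hand.
            findings.append(Finding(section, "service with no listed publisher", line))
    return findings


def flagged_sections(log_text):
    return [f.section for f in triage(log_text)]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```
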
  9. #9
    Junior Member
    Join Date
    Aug 2007
    Posts
    13

    Default K Report

    KASPERSKY ONLINE SCANNER REPORT
    Wednesday, August 08, 2007 9:31:23 AM
    Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
    Kaspersky Online Scanner version: 5.0.93.0
    Kaspersky Anti-Virus database last update: 7/08/2007
    Kaspersky Anti-Virus database records: 376845
    Scan Settings
    Scan using the following antivirus database extended
    Scan Archives true
    Scan Mail Bases true
    Scan Target My Computer
    C:\
    E:\
    T:\
    Scan Statistics
    Total number of scanned objects 345370
    Number of viruses found 10
    Number of infected objects 22
    Number of suspicious objects 0
    Duration of the scan process 08:31:07

    Infected Object Name Virus Name Last Action
    C:\AccessProtectionLog.txt Object is locked skipped
    C:\Archivos de programa\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe Infected: Trojan-Clicker.Win32.Agent.jh skipped
    C:\Archivos de programa\EzButton\CplBCL50.EXE Infected: Trojan-Clicker.Win32.Agent.jh skipped
    C:\Archivos de programa\Network Associates\Common Framework\UpdaterUI.exe1175202410 Infected: Trojan-Clicker.Win32.Agent.jh skipped
    C:\Archivos de programa\Network Associates\System Compliance Profiler\PtchScan.log Object is locked skipped
    C:\Archivos de programa\Rainlendar2\Rainlendar2.exe Infected: Trojan-Clicker.Win32.Agent.jh skipped
    C:\Archivos de programa\Trend Micro\HijackThis\backups\backup-20070807-142948-905.dll Infected: not-a-virus:AdWare.Win32.BHO.cz skipped
    C:\BufferOverflowProtectionLog.txt Object is locked skipped
    C:\Documents and Settings\65555955.GRUPOECI\Configuración local\Archivos temporales de Internet\Content.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\65555955.GRUPOECI\Configuración local\Datos de programa\Ares\Data\TempDl\PBTHash_167885A5B56143EF819BE2DD58899F425367F473.dat Object is locked skipped
    C:\Documents and Settings\65555955.GRUPOECI\Configuración local\Datos de programa\Ares\Data\TempDl\PBTHash_3705AC98F1EA85E326F9AB3A3CE877B26FD727EE.dat Object is locked skipped
    C:\Documents and Settings\65555955.GRUPOECI\Configuración local\Datos de programa\Ares\Data\TempDl\PBTHash_6282427C601564F956A296C0A8D2122EF7C52E57.dat Object is locked skipped
    C:\Documents and Settings\65555955.GRUPOECI\Configuración local\Datos de programa\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\65555955.GRUPOECI\Configuración local\Datos de programa\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\65555955.GRUPOECI\Configuración local\Historial\History.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\65555955.GRUPOECI\Configuración local\Historial\History.IE5\MSHist012007080720070808\index.dat Object is locked skipped
    C:\Documents and Settings\65555955.GRUPOECI\Configuración local\Temp\NAILogs\UpdaterUI_MX3500001DC1053.log Object is locked skipped
    C:\Documents and Settings\65555955.GRUPOECI\Cookies\index.dat Object is locked skipped
    C:\Documents and Settings\65555955.GRUPOECI\Escritorio\Entre Mujeres [DVDScreener] [www.torrentspain.com].avi\__INCOMPLETE__Entre Mujeres [DVDScreener] [www.torrentspain.com].avi Object is locked skipped
    C:\Documents and Settings\65555955.GRUPOECI\Escritorio\Los Simpsons La Pelicula [DVDScreener] [Spanish] [www.torrentspain.com].avi\__INCOMPLETE__Los Simpsons La Pelicula [DVDScreener] [Spanish] [www.torrentspain.com].avi Object is locked skipped
    C:\Documents and Settings\65555955.GRUPOECI\Escritorio\Piratas del caribe - El cofre del hombre muerto [DVDRip] [www.torrentspain.com].avi\__INCOMPLETE__Piratas del caribe - El cofre del hombre muerto [DVDRip] [www.torrentspain.com].avi Object is locked skipped
    C:\Documents and Settings\65555955.GRUPOECI\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\65555955.GRUPOECI\NTUSER.DAT.LOG Object is locked skipped
    C:\Documents and Settings\Administrador\Configuración local\Archivos temporales de Internet\Content.IE5\01QJ0HQJ\drf1177614159[1].htm Infected: Trojan-Downloader.Win32.Small.eex skipped
    C:\Documents and Settings\Administrador\Configuración local\Archivos temporales de Internet\Content.IE5\ANSJ3KX4\drf1177552416[1].htm.exe Infected: Trojan-Downloader.Win32.Small.eex skipped
    C:\Documents and Settings\Administrador\Configuración local\Archivos temporales de Internet\Content.IE5\CLYB8LMF\popup_code[1].htm Infected: Trojan-Downloader.JS.IstBar.ai skipped
    C:\Documents and Settings\All Users\Datos de programa\Network Associates\Common Framework\Db\Agent_MX3500001DC1053.log Object is locked skipped
    C:\Documents and Settings\All Users\Datos de programa\Network Associates\Common Framework\Db\PrdMgr_MX3500001DC1053.log Object is locked skipped
    C:\Documents and Settings\LocalService\Configuración local\Archivos temporales de Internet\Content.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Configuración local\Datos de programa\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Configuración local\Datos de programa\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\LocalService\Configuración local\Historial\History.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
    C:\Documents and Settings\NetworkService\Configuración local\Datos de programa\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\NetworkService\Configuración local\Datos de programa\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
    C:\OnAccessScanLog.txt Object is locked skipped
    C:\oracle\ora92\oramts\trace\OracleMTSRecoveryService(1024).trc Object is locked skipped
    C:\QooBox\Quarantine\C\DOCUME~1\655559~1.GRU\DATOSD~1\tmp94.tmp.exe.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.kw skipped
    C:\QooBox\Quarantine\C\WINDOWS\system32\ddcyxut.dll.vir Infected: Trojan-Downloader.Win32.ConHook.bg skipped
    C:\QooBox\Quarantine\C\WINDOWS\vttrrs.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.kw skipped
    C:\QooBox\Quarantine\catchme2007-08-06_124136.87.zip/mmfipc.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ke skipped
    C:\QooBox\Quarantine\catchme2007-08-06_124136.87.zip ZIP: infected - 1 skipped
    C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
    C:\System Volume Information\_restore{B8154308-F142-4CB3-B4C3-A78C4ECC29DD}\RP358\A0132074.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.kw skipped
    C:\System Volume Information\_restore{B8154308-F142-4CB3-B4C3-A78C4ECC29DD}\RP358\A0132093.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ke skipped
    C:\System Volume Information\_restore{B8154308-F142-4CB3-B4C3-A78C4ECC29DD}\RP358\A0132300.dll Infected: not-a-virus:AdWare.Win32.BHO.cz skipped
    C:\System Volume Information\_restore{B8154308-F142-4CB3-B4C3-A78C4ECC29DD}\RP359\A0132348.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.kw skipped
    C:\System Volume Information\_restore{B8154308-F142-4CB3-B4C3-A78C4ECC29DD}\RP359\A0132349.dll Infected: Trojan-Downloader.Win32.ConHook.bg skipped
    C:\System Volume Information\_restore{B8154308-F142-4CB3-B4C3-A78C4ECC29DD}\RP359\change.log Object is locked skipped
    C:\Tivoli\lcf\dat\1\lcfd.log Object is locked skipped
    C:\WINDOWS\CSC\00000001 Object is locked skipped
    C:\WINDOWS\Debug\Netlogon.log Object is locked skipped
    C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
    C:\WINDOWS\inf\usb.inf Object is locked skipped
    C:\WINDOWS\inf\usb.PNF Object is locked skipped
    C:\WINDOWS\inf\usbstor.inf Object is locked skipped
    C:\WINDOWS\inf\usbstor.PNF Object is locked skipped
    C:\WINDOWS\Internet Logs\tvDebug.log Object is locked skipped
    C:\WINDOWS\SchedLgU.Txt Object is locked skipped
    C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
    C:\WINDOWS\Sti_Trace.log Object is locked skipped
    C:\WINDOWS\system\DRIVER\csrss.exe Infected: not-a-virus:Server-FTP.Win32.Serv-U.gen skipped
    C:\WINDOWS\system\DRIVER\ntauth.dll Infected: Backdoor.IRC.Zapchast skipped
    C:\WINDOWS\system\DRIVER\services.exe Infected: Backdoor.Win32.Iroffer.14b2 skipped
    C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
    C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
    C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\default Object is locked skipped
    C:\WINDOWS\system32\config\default.LOG Object is locked skipped
    C:\WINDOWS\system32\config\SAM Object is locked skipped
    C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
    C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\SECURITY Object is locked skipped
    C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
    C:\WINDOWS\system32\config\software Object is locked skipped
    C:\WINDOWS\system32\config\software.LOG Object is locked skipped
    C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\system Object is locked skipped
    C:\WINDOWS\system32\config\system.LOG Object is locked skipped
    C:\WINDOWS\system32\drivers\sptd.sys Object is locked skipped
    C:\WINDOWS\system32\drivers\sptd4941.sys Object is locked skipped
    C:\WINDOWS\system32\h323log.txt Object is locked skipped
    C:\WINDOWS\system32\igfxtray.exe Infected: Trojan-Clicker.Win32.Agent.jh skipped
    C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
    C:\WINDOWS\wiadebug.log Object is locked skipped
    C:\WINDOWS\wiaservc.log Object is locked skipped
    C:\WINDOWS\WindowsUpdate.log Object is locked skipped
    Scan process completed.

  10. #10
    Junior Member
    Join Date
    Aug 2007
    Posts
    13

    Default and the hjt

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 09:39, on 2007-08-08
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Archivos de programa\Cisco Systems\VPN Client\cvpnd.exe
    C:\Archivos de programa\AVC Finger-sensing Pad Driver\FspadSvr.exe
    C:\Tivoli\lcf\bin\w32-ix86\mrt\lcfd.exe
    C:\Archivos de programa\Network Associates\Common Framework\FrameworkService.exe
    C:\Archivos de programa\Network Associates\VirusScan\Mcshield.exe
    C:\Archivos de programa\Network Associates\VirusScan\VsTskMgr.exe
    C:\Archivos de programa\Archivos comunes\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\system32\nutsrv4.exe
    C:\oracle\ora92\bin\omtsreco.exe
    C:\WINDOWS\ProPatches\Scheduler\stSchedEx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Archivos de programa\Picasa2\PicasaMediaDetector.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Archivos de programa\Network Associates\Common Framework\UdaterUI.exe
    C:\Archivos de programa\Network Associates\Common Framework\McTray.exe
    C:\Archivos de programa\Ares\Ares.exe
    C:\WINDOWS\system32\LVComsX.exe
    C:\Archivos de programa\internet explorer\iexplore.exe
    C:\ARCHIV~1\MOZILL~1\FIREFOX.EXE
    C:\Archivos de programa\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.ieci.geci:8080
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.int;*.geci;128.*;documentum.*;<local>
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Archivos de programa\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Archivos de programa\Spybot - Search & Destroy\SDHelper.dll
    O4 - HKLM\..\Run: [NuTCSetupEnviron] C:\Archivos de programa\Rational\Rational Test\nutcroot\bin\ncoeenv.exe
    O4 - HKLM\..\Run: [CCDoctorLogonTesting] "c:\Atria\bin\ccdoctor.exe" /LogonStartup
    O4 - HKLM\..\Run: [Picasa Media Detector] C:\Archivos de programa\Picasa2\PicasaMediaDetector.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICIO LOCAL')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Servicio de red')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'Default user')
    O4 - Global Startup: VirtuaWin.lnk = C:\Archivos de programa\VirtuaWin\VirtuaWin.exe
    O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\ARCHIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Referencia - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARCHIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
    O16 - DPF: {4A3CBDDD-C4DC-4C38-B44F-704DAEF628AE} (PjAdoInfo3 Class) - http://10.228.137.37/projectserver/objects/pjclient.cab
    O16 - DPF: {759FD3DE-F0EF-4A76-909C-88CF840D4173} (DmDragDrop Class) - http://localhost:9090/dco/wdk/native/WdkPluginCab.CAB
    O16 - DPF: {89B8153D-C170-41D7-BB4B-CD4D63FE900C} (Pj11esnC Class) - http://10.228.137.37/projectserver/o...82/pjcintl.cab
    O16 - DPF: {B1B47DEB-76C1-4701-9F19-5671101C3344} (PictureSelect.Selector) - http://www.revelaonline.com/class/Re...ureManager.cab
    O16 - DPF: {B785FA3C-1DE9-4D20-8396-613C486FE95E} (AeatCtl Class) - https://www1.aeat.es/imagenes/comun/cactivex.cab
    O16 - DPF: {BA2174B0-C012-11DA-A94D-0800200C9A66} (DmDragDrop Class) - http://documentum:1975/dco/wdk/native/WdkPluginCab.CAB
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = grupoeci.elcorteingles.corp
    O17 - HKLM\Software\..\Telephony: DomainName = grupoeci.elcorteingles.corp
    O17 - HKLM\System\CCS\Services\Tcpip\..\{3787471A-6F44-475F-B1D8-B928E127E071}: NameServer = 192.168.50.170,192.168.50.171
    O17 - HKLM\System\CCS\Services\Tcpip\..\{5AC9E483-93DE-45C2-BE3B-733BD13A2191}: NameServer = 80.58.61.250,80.58.61.254
    O17 - HKLM\System\CCS\Services\Tcpip\..\{EA032721-3D92-4450-8B90-A77BAD0D7744}: NameServer = 128.90.0.203,128.90.0.204
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = grupoeci.elcorteingles.corp
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = geci,eci.geci,ieci.geci
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = grupoeci.elcorteingles.corp
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = geci,eci.geci,ieci.geci
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = geci,eci.geci,ieci.geci
    O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Archivos de programa\Ares\chatServer.exe
    O23 - Service: IBM CICS Universal Client (CICSClient) - IBM Corporation - C:\Archivos de programa\IBM\IBM CICS Transaction Gateway\bin\cclserv.exe
    O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Archivos de programa\Cisco Systems\VPN Client\cvpnd.exe
    O23 - Service: Servidor de applet JDBC de DB2 (DB2JDS) - International Business Machines Corporation - C:\Archivos de programa\IBM\SQLLIB\BIN\db2jds.exe
    O23 - Service: Servidor de seguridad DB2 (DB2NTSECSERVER) - International Business Machines Corporation - C:\Archivos de programa\IBM\SQLLIB\BIN\db2sec.exe
    O23 - Service: FspadSvc - Unknown owner - C:\Archivos de programa\AVC Finger-sensing Pad Driver\FspadSvr.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Archivos de programa\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: IBM CICS Transaction Gateway (IBMCICSTransactionGateway) - IBM Corporation - C:\Archivos de programa\IBM\IBM CICS Transaction Gateway\bin\CTGSERVICE.EXE
    O23 - Service: Servicio del iPod (iPod Service) - Apple Inc. - C:\Archivos de programa\iPod\bin\iPodService.exe
    O23 - Service: Tivoli Endpoint (lcfd) - Unknown owner - C:\Tivoli\lcf\bin\w32-ix86\mrt\lcfd.exe
    O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Archivos de programa\Network Associates\Common Framework\FrameworkService.exe
    O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Archivos de programa\Network Associates\VirusScan\Mcshield.exe
    O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Archivos de programa\Network Associates\VirusScan\VsTskMgr.exe
    O23 - Service: NetOp Helper ver. 7.65 (2004342) (NetOp Host for NT Service) - Danware Data A/S - C:\Archivos de programa\NetOp Remote Control\HOST\NHOSTSVC.EXE
    O23 - Service: NuTCRACKERService - DataFocus, Inc. - C:\WINDOWS\system32\nutsrv4.exe
    O23 - Service: OracleMTSRecoveryService - Oracle Corporation - C:\oracle\ora92\bin\omtsreco.exe
    O23 - Service: OracleOraHome92ClientCache - Unknown owner - C:\oracle\ora92\BIN\ONRSD.EXE
    O23 - Service: ServiceLayer - Nokia. - C:\Archivos de programa\PC Connectivity Solution\ServiceLayer.exe
    O23 - Service: Shavlik Remote Scheduler Service (Shavlik Scheduler) - Shavlik Technologies - C:\WINDOWS\ProPatches\Scheduler\stSchedEx.exe
    O23 - Service: Apache Tomcat (Tomcat5) - Apache Software Foundation - C:\Tomcat 5.0\bin\tomcat5.exe

    --
    End of file - 8004 bytes
