
Thread: can't get rid of hldrrr.exe, srosa.sys, wintems.exe

  1. #11
    Junior Member | Join Date: Jan 2008 | Posts: 29

    DSS Main.txt:

    Deckard's System Scanner v20071014.68
    Run by Abramson on 2008-01-09 13:13:33
    Computer is in Normal Mode.
    --------------------------------------------------------------------------------



    -- HijackThis (run as Abramson.exe) --------------------------------------------

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 1:13:36 PM, on 1/9/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16574)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\RTHDCPL.EXE
    C:\WINDOWS\system32\RunDLL32.exe
    C:\Archivos de programa\Logitech\iTouch\iTouch.exe
    C:\Archivos de programa\Net\FileZilla Server\FileZilla Server Interface.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Archivos de programa\Util\CBOClean\BOCORE.exe
    C:\Archivos de programa\Net\FileZilla Server\FileZilla Server.exe
    C:\Archivos de programa\Google\Common\Google Updater\GoogleUpdaterService.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Documents and Settings\Abramson\Escritorio\dss.exe
    C:\ARCHIV~1\Util\HIJACK~1\Abramson.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.cab.cnea.gov.ar:3128
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.cnea.gov.ar;*.ib.edu.ar;<local>;*.local
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Archivos de programa\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\ARCHIV~1\ANTIVI~1\Spybot\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Archivos de programa\Java\jre1.6.0_03\bin\ssv.dll
    O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Archivos de programa\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Archivos de programa\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
    O3 - Toolbar: PDF de Adobe - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Archivos de programa\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [Google Desktop Search] "C:\Archivos de programa\Google\Google Desktop Search\GoogleDesktop.exe" /startup
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Archivos de programa\Java\jre1.6.0_03\bin\jusched.exe"
    O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [zBrowser Launcher] C:\Archivos de programa\Logitech\iTouch\iTouch.exe
    O4 - HKLM\..\Run: [FileZilla Server Interface] "C:\Archivos de programa\Net\FileZilla Server\FileZilla Server Interface.exe"
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\Archivos de programa\Archivos comunes\Ahead\Lib\NeroCheck.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [TaskSwitchXP] C:\Archivos de programa\Util\TaskSwitchXP\TaskSwitchXP.exe
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICIO LOCAL')
    O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\ARCHIV~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SERVICIO LOCAL')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Servicio de red')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O8 - Extra context menu item: Convertir a PDF de Adobe - res://C:\Archivos de programa\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convertir a PDF existente - res://C:\Archivos de programa\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convertir destino de vínculo a PDF existente - res://C:\Archivos de programa\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convertir destino de vínculo en archivo PDF de Adobe - res://C:\Archivos de programa\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convertir selección a archivo PDF existente - res://C:\Archivos de programa\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convertir selección a PDF de Adobe - res://C:\Archivos de programa\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convertir vínculos seleccionados a PDF de Adobe - res://C:\Archivos de programa\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    O8 - Extra context menu item: Convertir vínculos seleccionados a PDF existente - res://C:\Archivos de programa\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\ARCHIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Consola de Sun Java - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra button: Referencia - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARCHIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\ARCHIV~1\ANTIVI~1\Spybot\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\ARCHIV~1\ANTIVI~1\Spybot\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1191420182250
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{0050570D-B681-42C2-B56D-32BF2A16ADA1}: NameServer = 168.96.72.3,168.96.72.6
    O17 - HKLM\System\CS1\Services\Tcpip\..\{0050570D-B681-42C2-B56D-32BF2A16ADA1}: NameServer = 168.96.72.3,168.96.72.6
    O17 - HKLM\System\CS2\Services\Tcpip\..\{0050570D-B681-42C2-B56D-32BF2A16ADA1}: NameServer = 168.96.72.3,168.96.72.6
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\ARCHIV~1\ARCHIV~1\Skype\SKYPE4~1.DLL
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Archivos de programa\Archivos comunes\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: AVG Anti-Spyware Guard - Unknown owner - C:\Archivos de programa\Grisoft\AVG Anti-Spyware 7.5\guard.exe (file missing)
    O23 - Service: AVG E-mail Scanner (AVGEMS) - Unknown owner - C:\ARCHIV~1\Grisoft\AVG7\avgemc.exe (file missing)
    O23 - Service: BOCore - COMODO - C:\Archivos de programa\Util\CBOClean\BOCORE.exe
    O23 - Service: FileZilla Server FTP server (FileZilla Server) - FileZilla Project - C:\Archivos de programa\Net\FileZilla Server\FileZilla Server.exe
    O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Archivos de programa\Archivos comunes\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: Google Desktop Manager 5.5.709.30344 (GoogleDesktopManager-093007-112848) - Google - C:\Archivos de programa\Google\Google Desktop Search\GoogleDesktop.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Archivos de programa\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: PC Tools Auxiliary Service (sdAuxService) - Unknown owner - C:\Archivos de programa\Spyware Doctor\svcntaux.exe (file missing)
    O23 - Service: PC Tools Security Service (sdCoreService) - Unknown owner - C:\Archivos de programa\Spyware Doctor\swdsvc.exe (file missing)

    --
    End of file - 9136 bytes

    -- Files created between 2007-12-09 and 2008-01-09 -----------------------------

    2008-01-08 15:15:06 0 d-------- C:\WINDOWS\ERUNT
    2008-01-08 14:36:08 0 d-------- C:\Archivos de programa\GiPo@Utilities
    2008-01-08 14:36:08 0 d-------- C:\Archivos de programa\Archivos comunes\Gibinsoft Shared
    2008-01-08 14:01:32 0 d-------- C:\WINDOWS\system32\drivers\down
    2008-01-08 11:34:05 235008 --a------ C:\WINDOWS\UNBOC.EXE <Not Verified; COMODO; COMODO BOClean - Anti-Malware>
    2008-01-08 11:34:04 208896 --a------ C:\WINDOWS\CMDLIC.DLL <Not Verified; COMODO; COMODO BOClean - AntiMalware>
    2007-12-27 15:58:08 6 --a------ C:\WINDOWS\ls.bat
    2007-12-27 15:23:37 0 d-------- C:\Archivos de programa\Nero
    2007-12-18 17:16:05 151552 --a------ C:\WINDOWS\system32\nvRegDev.dll
    2007-12-18 11:53:16 0 d--h----- C:\WINDOWS\system32\GroupPolicy
    2007-12-14 16:10:27 0 d--h----- C:\WINDOWS\PIF
    2007-12-14 15:51:37 0 d-------- C:\Archivos de programa\Archivos comunes\Nero
    2007-12-14 15:50:16 0 d-------- C:\Archivos de programa\Archivos comunes\Ahead
    2007-12-14 15:50:15 0 d-------- C:\Archivos de programa\Ahead
    2007-12-14 13:50:29 0 d-------- C:\Archivos de programa\Bonjour
    2007-12-14 13:37:45 0 d-------- C:\Archivos de programa\Archivos comunes\Macrovision Shared
    2007-12-12 18:09:01 552 --a------ C:\WINDOWS\system32\d3d8caps.dat


    -- Find3M Report ---------------------------------------------------------------

    2008-01-09 13:13:12 0 d-------- C:\Documents and Settings\Abramson\Datos de programa\XnView
    2008-01-09 12:57:30 0 d-------- C:\Archivos de programa\Spyware Doctor
    2008-01-09 12:10:35 0 d-------- C:\Archivos de programa\Astro
    2008-01-09 12:07:01 0 d-------- C:\Documents and Settings\Abramson\Datos de programa\WinEdt
    2008-01-09 09:33:23 0 d-------- C:\Documents and Settings\Abramson\Datos de programa\File-Ex
    2008-01-08 15:54:29 0 d-------- C:\Archivos de programa\Util
    2008-01-08 14:36:08 0 d-------- C:\Archivos de programa\Archivos comunes
    2008-01-08 11:03:04 0 d-------- C:\Archivos de programa\Image
    2008-01-08 10:46:05 0 d-------- C:\Documents and Settings\Abramson\Datos de programa\AVG7
    2008-01-07 14:15:40 0 d-------- C:\Documents and Settings\Abramson\Datos de programa\Adobe
    2008-01-03 10:40:13 0 d-------- C:\Documents and Settings\Abramson\Datos de programa\SpeedProject
    2008-01-02 09:35:17 498418 --a------ C:\WINDOWS\system32\perfh00A.dat
    2008-01-02 09:35:17 89006 --a------ C:\WINDOWS\system32\perfc00A.dat
    2007-12-28 16:03:14 0 d-------- C:\Documents and Settings\Abramson\Datos de programa\aignes
    2007-12-28 16:02:39 0 d-------- C:\Archivos de programa\Net
    2007-12-27 10:45:50 0 d-------- C:\Documents and Settings\Abramson\Datos de programa\CyberLink
    2007-12-26 16:28:20 0 d-------- C:\Archivos de programa\video
    2007-12-18 18:32:16 0 d-------- C:\Archivos de programa\Sci
    2007-12-18 17:17:12 0 d--h----- C:\Archivos de programa\InstallShield Installation Information
    2007-12-14 16:03:55 0 d-------- C:\Documents and Settings\Abramson\Datos de programa\Ahead
    2007-12-14 14:50:33 0 d-------- C:\Archivos de programa\Texts
    2007-12-14 13:50:25 0 d-------- C:\Archivos de programa\Archivos comunes\Adobe
    2007-12-12 18:19:35 0 d-------- C:\Documents and Settings\Abramson\Datos de programa\Real
    2007-12-07 17:24:03 0 d-------- C:\Documents and Settings\Abramson\Datos de programa\Google
    2007-11-28 10:14:29 0 d-------- C:\Documents and Settings\Abramson\Datos de programa\ActiveState
    2007-11-23 10:51:12 0 d-------- C:\Documents and Settings\Abramson\Datos de programa\Avanquest
    2007-11-22 11:34:15 0 d-------- C:\Archivos de programa\Microsoft SQL Server Compact Edition
    2007-11-21 17:34:16 0 d-------- C:\Documents and Settings\Abramson\Datos de programa\AdobeUM
    2007-11-21 17:29:46 0 d-------- C:\Archivos de programa\Archivos comunes\Adobe Systems Shared
    2007-11-16 14:57:16 286720 -----n--- C:\WINDOWS\Setup1.exe <Not Verified; Microsoft Corporation; Microsoft Visual Basic for Windows>
    2007-11-16 14:57:15 73216 --a------ C:\WINDOWS\ST6UNST.EXE <Not Verified; Microsoft Corporation; Microsoft® Visual Basic for Windows>
    2007-11-15 18:25:58 0 d-------- C:\Documents and Settings\Abramson\Datos de programa\Macromedia
    2007-11-15 18:12:59 0 d-------- C:\Archivos de programa\Britannica
    2007-11-13 11:06:00 0 d-------- C:\Documents and Settings\Abramson\Datos de programa\InstallShield
    2007-11-12 16:05:30 0 d-------- C:\Archivos de programa\MSECache
    2007-11-12 12:44:03 0 d-------- C:\Documents and Settings\Abramson\Datos de programa\COWON
    2007-10-15 14:23:34 2199552 --a------ C:\WINDOWS\system32\PdfDll32.dll <Not Verified; LEAD Technologies, Inc.; LEADTOOLS(r) DLL for Windows>
    2007-10-15 14:23:34 65536 --a------ C:\WINDOWS\system32\ltserial.dll


    -- Registry Dump ---------------------------------------------------------------

    *Note* empty entries & legit default entries are not shown


    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [09/17/2007 02:07 AM]
    "nwiz"="nwiz.exe" [09/17/2007 02:07 AM C:\WINDOWS\system32\nwiz.exe]
    "RTHDCPL"="RTHDCPL.EXE" [06/15/2007 02:03 AM C:\WINDOWS\RTHDCPL.exe]
    "Google Desktop Search"="C:\Archivos de programa\Google\Google Desktop Search\GoogleDesktop.exe" [11/02/2007 11:55 AM]
    "SunJavaUpdateSched"="C:\Archivos de programa\Java\jre1.6.0_03\bin\jusched.exe" [09/25/2007 02:11 AM]
    "NvMediaCenter"="NvMCTray.dll" [09/17/2007 02:07 AM C:\WINDOWS\system32\nvmctray.dll]
    "zBrowser Launcher"="C:\Archivos de programa\Logitech\iTouch\iTouch.exe" [03/18/2004 10:33 AM]
    "FileZilla Server Interface"="C:\Archivos de programa\Net\FileZilla Server\FileZilla Server Interface.exe" [02/27/2007 12:55 PM]
    "NeroFilterCheck"="C:\Archivos de programa\Archivos comunes\Ahead\Lib\NeroCheck.exe" [01/12/2006 05:40 PM]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [03/02/2006 10:00 AM]
    "TaskSwitchXP"="C:\Archivos de programa\Util\TaskSwitchXP\TaskSwitchXP.exe" [06/10/2005 08:05 AM]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "EnableLUA"=0 (0x0)

    SafeBoot registry key needs repairs. This machine cannot enter Safe Mode.

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\File system]
    @="Driver Group"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\RpcSs]
    @="Service"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vgasave.sys]
    @="Driver"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}]
    @="DiskDrive"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96A-E325-11CE-BFC1-08002BE10318}]
    @="Hdc"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96B-E325-11CE-BFC1-08002BE10318}]
    @="Keyboard"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96F-E325-11CE-BFC1-08002BE10318}]
    @="Mouse"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E97D-E325-11CE-BFC1-08002BE10318}]
    @="System"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{71A27CDD-812A-11D0-BEC7-08002BE2092F}]
    @="Volume"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    HPZ12 Pml Driver HPZ12 Net Driver HPZ12




    -- End of Deckard's System Scanner: finished at 2008-01-09 13:13:54 ------------
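    The DSS/HijackThis log above lists O4 autorun entries and O23 services, several of them marked "(file missing)", and the later posts compare IceSword process lists to see whether wintems.exe and hldrrr.exe are still running. The following Python script is an added example, not part of this thread and not code from HijackThis, DSS or IceSword; it assumes the standard HijackThis 2.x line layout and runs over sample lines constructed from entries quoted in this thread. It flags stale service entries, executables living under a drivers directory (which should hold only .sys files), and the difference between two process snapshots.

```python
import re

# HijackThis 2.x line formats (assumption: the standard
# "O4 - <hive>\..\Run: [name] command" and
# "O23 - Service: <name> - <owner> - <path>" layouts seen in the log above).
O4_RE = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
# An .exe sitting directly under a \drivers\ directory. That directory normally
# holds only .sys kernel drivers, which is why hldrrr.exe stood out in this thread.
DRIVERS_EXE_RE = re.compile(r"\\drivers\\[^\\\s]+\.exe\b", re.IGNORECASE)


def triage_hijackthis(lines):
    """Return (kind, detail) findings for O4/O23 lines; other line types are ignored."""
    findings = []
    for raw in lines:
        line = raw.strip()
        m = O23_RE.match(line)
        if m:
            path = m.group("path")
            if path.endswith("(file missing)"):
                # A registered service whose binary is gone: a leftover from an
                # uninstalled product rather than an active threat, but worth cleaning.
                findings.append(("stale-service", m.group("name")))
            elif DRIVERS_EXE_RE.search(path):
                findings.append(("exe-in-drivers", path))
            continue
        m = O4_RE.match(line)
        if m and DRIVERS_EXE_RE.search(m.group("cmd")):
            findings.append(("exe-in-drivers", m.group("cmd")))
    return findings


def flag_processes(process_lines):
    """Return running-process paths that point at an .exe under a drivers directory."""
    return [p.strip() for p in process_lines if DRIVERS_EXE_RE.search(p)]


def snapshot_diff(before, after):
    """Compare two process listings case-insensitively (the logs mix case).

    Returns (appeared, vanished) as sorted lists of lower-cased paths, which is
    the comparison the thread makes by hand between two IceSword listings."""
    def norm(lines):
        return {l.strip().lower() for l in lines if l.strip()}
    b, a = norm(before), norm(after)
    return sorted(a - b), sorted(b - a)


# Constructed sample input, built from entry types visible in the thread's logs.
SAMPLE_HJT = r"""
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O23 - Service: BOCore - COMODO - C:\Archivos de programa\Util\CBOClean\BOCORE.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - Unknown owner - C:\ARCHIV~1\Grisoft\AVG7\avgemc.exe (file missing)
O23 - Service: PC Tools Security Service (sdCoreService) - Unknown owner - C:\Archivos de programa\Spyware Doctor\swdsvc.exe (file missing)
""".strip().splitlines()

SAMPLE_PROCS_BEFORE = r"""
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\drivers\hldrrr.exe
C:\WINDOWS\system32\wintems.exe
""".strip().splitlines()

SAMPLE_PROCS_AFTER = r"""
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\drivers\hldrrr.exe
C:\Archivos de programa\Net\Opera\Opera.exe
""".strip().splitlines()


if __name__ == "__main__":
    for kind, detail in triage_hijackthis(SAMPLE_HJT):
        print(f"{kind:16} {detail}")
    for path in flag_processes(SAMPLE_PROCS_BEFORE):
        print(f"{'exe-in-drivers':16} {path}")
    appeared, vanished = snapshot_diff(SAMPLE_PROCS_BEFORE, SAMPLE_PROCS_AFTER)
    print("appeared:", appeared)
    print("vanished:", vanished)
```

    On the sample input the two "(file missing)" services are reported as stale, hldrrr.exe is reported from the process list, and the snapshot comparison shows wintems.exe vanishing while Opera appears, which is what the two IceSword listings in this thread show. The checks are deliberately narrow: a path-based rule like "no .exe under drivers" is cheap and has few false positives on a stock Windows XP install, but it only catches what it names, so it complements rather than replaces the tools used in the thread.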

  2. #12
    Junior Member | Join Date: Jan 2008 | Posts: 29

    Rorschach112, bad news: wintems.exe reappeared. I re-ran IS after posting, and there it was, grrrr!:

    Process:

    System Idle Process
    System
    C:\ARCHIV~1\Util\CBOClean\BOCore.exe
    C:\Archivos de programa\Net\FileZilla Server\FileZilla server.exe
    C:\ARCHIV~1\Google\Common\GOOGLE~1\GOOGLE~1.EXE
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\RTHDCPL.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Archivos de programa\Logitech\iTouch\iTouch.exe
    C:\Archivos de programa\Net\FileZilla Server\FileZilla Server Interface.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\system32\drivers\hldrrr.exe
    C:\WINDOWS\system32\wintems.exe

    C:\Archivos de programa\Util\IceSword\IceSword.exe
    C:\Archivos de programa\Net\Opera\Opera.exe
    C:\Archivos de programa\Util\Total Commander 7\TOTALCMD.EXE

  3. #13
    Retired Security Volunteer | Join Date: Sep 2007 | Location: Ireland | Posts: 1,620

    Don't worry, we will get rid of it.

    Run IceSword.exe

    Step 1: Now, we will remove the rootkit! Click the "Processes" tab and right-click on the following red colored processes one by one, and choose "Terminate Process". This will kill the rooted processes.

    C:\WINDOWS\system32\drivers\hldrrr.exe
    C:\WINDOWS\system32\wintems.exe



    Step 2: Now, we have to delete the rooted files. Click "File" tab in IceSword. This will display the Windows Explorer type interface. Navigate to the following and delete the file(s) in bold.

    C:\WINDOWS\system32\drivers\hldrrr.exe
    C:\WINDOWS\system32\wintems.exe
    C:\Windows\System32\drivers\srosa.sys





    Please download OTMoveIt by OldTimer.
    • Save it to your desktop.
    • Please double-click OTMoveIt.exe to run it.
    • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

      C:\WINDOWS\system32\drivers\hldrrr.exe
      C:\WINDOWS\system32\wintems.exe
      C:\Windows\System32\drivers\srosa.sys


    • Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
    • Click the red Moveit! button.
    • Close OTMoveIt

    If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

    Please "Copy" the results from the "Results" window (to the right) and then "Paste" them into your next reply on the forum.

    Note : If a reboot was necessary or you needed to Exit before posting the log, you will find a copy of the log at the root of the drive where OTMoveIt is installed, usually at :
    C:\_OTMoveIt\MovedFiles\********_******.log
    (where "********_******" is the "date_time")

    Click "Exit" to close OTMoveIt.




    Reboot and post a new IceSword log and the OTMoveIt results. No need for any more screenshots yet.
    Who watches The Watchmen?

    It's like you said. All I am is what I'm going after.

    ~Scratch~

  4. #14
    Junior Member | Join Date: Jan 2008 | Posts: 29

    OK, I did as said: terminated processes, deleted files in IS, tried to delete files in MoveIt. After pressing MoveIt! I received an error box saying:

    Cannot create file C:\_OTMoveit\MovedFiles\01092008_134803.log
    And the Results pane of MoveIt reads:

    File/Folder C:\WINDOWS\system32\drivers\hldrrr.exe not found.
    File/Folder C:\WINDOWS\system32\wintems.exe not found.
    File/Folder C:\Windows\System32\drivers\srosa.sys not found.

    Created on 01/09/2008 13:48:03
    Still, IS Process shows some infection after reboot:

    Process:

    System Idle Process
    System
    C:\ARCHIV~1\Util\CBOClean\BOCore.exe
    C:\Archivos de programa\Net\FileZilla Server\FileZilla server.exe
    C:\ARCHIV~1\Google\Common\GOOGLE~1\GOOGLE~1.EXE
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Archivos de programa\Net\Opera\Opera.exe
    C:\WINDOWS\system32\smss.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\RTHDCPL.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Archivos de programa\Logitech\iTouch\iTouch.exe
    C:\Archivos de programa\Net\FileZilla Server\FileZilla Server Interface.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\system32\drivers\hldrrr.exe
    C:\Archivos de programa\Util\IceSword\IceSword.exe


    Note that wintems.exe is not there, again. This time, the file wintems.exe is not to be found in system32. The folder system32\drivers\down still keeps receiving new exes. I'm stopping hldrrr.exe after posting. srosa.sys is still there, as is hldrrr.exe.

    Guillermo

  5. #15
    Retired Security Volunteer | Join Date: Sep 2007 | Location: Ireland | Posts: 1,620

    It seems something is holding it in place. Let's try a different method.

    Download Combofix and save it to your desktop.

    **Note: It is important that it is saved directly to your desktop**

    --------------------------------------------------------------------

    1. Close any open browsers.

    2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    --------------------------------------------------------------------

    Double click on combofix.exe & follow the prompts.
    • When finished, it will produce a report for you.
    • Please post the "C:\ComboFix.txt" for further review.


    Note:
    Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
    Who watches The Watchmen?

    It's like you said. All I am is what I'm going after.

    ~Scratch~

  6. #16
    Junior Member | Join Date: Jan 2008 | Posts: 29

    OK, here's the ComboFix log (byproduct: my default browser was reset to Internet Explorer from Opera, and an IE icon appeared on the desktop):

    ComboFix 08-01-09.2 - Abramson 2008-01-09 14:13:23.1 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.3082.18.1612 [GMT -2:00]
    Se ejecuta desde: C:\Documents and Settings\Abramson\Escritorio\ComboFix.exe
    * Creado un nuevo punto de restauración
    .

    (((((((((((((((((((((((((((((((((((( Otras eliminaciones )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\WINDOWS\system32\_000003_.tmp.dll
    C:\WINDOWS\system32\_000005_.tmp.dll
    C:\WINDOWS\system32\_000007_.tmp.dll
    C:\WINDOWS\system32\_000008_.tmp.dll
    C:\WINDOWS\system32\_000009_.tmp.dll
    C:\WINDOWS\system32\_000010_.tmp.dll
    C:\WINDOWS\system32\_000012_.tmp.dll
    C:\WINDOWS\system32\drivers\srosa.sys
    C:\WINDOWS\system32\wintems.exe

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

    .
    -------\LEGACY_SROSA
    -------\srosa


    (((((((((((((((((( Archivos creados desde 2007-12-09 - 2008-01-09 )))))))))))))))))))))))))))))))))
    .

    2008-01-09 14:12 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
    2008-01-09 13:49 . 2005-06-10 08:05 533,734 --------- C:\WINDOWS\system32\drivers\hldrrr.exe
    2008-01-09 10:25 . 2008-01-09 10:25 <DIR> d-------- C:\Deckard
    2008-01-08 15:15 . 2008-01-08 15:15 <DIR> d-------- C:\WINDOWS\ERUNT
    2008-01-08 14:36 . 2008-01-08 14:36 <DIR> d-------- C:\Archivos de programa\GiPo@Utilities
    2008-01-08 14:36 . 2008-01-08 14:36 <DIR> d-------- C:\Archivos de programa\Archivos comunes\Gibinsoft Shared
    2008-01-08 14:20 . 2007-01-18 10:00 3,968 --a------ C:\WINDOWS\system32\drivers\AvgArCln.sys
    2008-01-08 14:01 . 2008-01-09 14:11 <DIR> d-------- C:\WINDOWS\system32\drivers\down
    2008-01-08 11:34 . 2007-08-08 20:02 235,008 --a------ C:\WINDOWS\UNBOC.EXE
    2008-01-08 11:34 . 2007-05-08 17:01 208,896 --a------ C:\WINDOWS\CMDLIC.DLL
    2008-01-08 11:34 . 2006-03-02 10:00 25,600 --a------ C:\WINDOWS\system32\wsock32.dlb
    2008-01-04 11:03 . 2008-01-04 11:03 49 --a------ C:\WINDOWS\fsplugin.ini
    2008-01-03 14:37 . 2007-10-22 07:10 1,015,808 --a------ C:\WINDOWS\system32\libeay32.dll
    2008-01-03 14:37 . 2007-10-22 07:10 196,608 --a------ C:\WINDOWS\system32\ssleay32.dll
    2008-01-03 14:37 . 2008-01-03 14:37 196,608 --a------ C:\WINDOWS\system32\libssl32.dll
    2008-01-03 10:40 . 2008-01-03 10:40 <DIR> d-------- C:\Documents and Settings\Abramson\Datos de programa\SpeedProject
    2008-01-03 10:11 . 2008-01-08 13:27 21,712 ---h----- C:\treeinfo.wc
    2007-12-28 16:03 . 2007-12-28 16:03 <DIR> d-------- C:\Documents and Settings\Abramson\Datos de programa\aignes
    2007-12-27 15:23 . 2007-12-27 15:41 <DIR> d-------- C:\Archivos de programa\Nero
    2007-12-27 10:45 . 2007-12-27 10:45 <DIR> d-------- C:\Documents and Settings\Abramson\Datos de programa\CyberLink
    2007-12-26 18:38 . 2008-01-02 10:55 69 --a------ C:\WINDOWS\NeroDigital.ini
    2007-12-18 17:16 . 2007-12-18 17:15 151,552 --a------ C:\WINDOWS\system32\nvRegDev.dll
    2007-12-18 11:53 . 2007-12-18 11:53 <DIR> d--h----- C:\WINDOWS\system32\GroupPolicy
    2007-12-14 16:10 . 2007-12-14 16:10 <DIR> d--h----- C:\WINDOWS\PIF
    2007-12-14 16:03 . 2007-12-14 16:03 <DIR> d-------- C:\Documents and Settings\Abramson\Datos de programa\Ahead
    2007-12-14 15:51 . 2007-12-14 15:51 <DIR> d-------- C:\Archivos de programa\Archivos comunes\Nero
    2007-12-14 15:50 . 2007-12-27 15:25 <DIR> d-------- C:\Archivos de programa\Archivos comunes\Ahead
    2007-12-14 15:50 . 2007-12-27 15:23 <DIR> d-------- C:\Archivos de programa\Ahead
    2007-12-14 13:50 . 2007-12-14 13:50 <DIR> d-------- C:\Archivos de programa\Bonjour
    2007-12-14 13:37 . 2007-12-14 13:37 <DIR> d-------- C:\Archivos de programa\Archivos comunes\Macrovision Shared
    2007-12-12 18:09 . 2007-12-12 18:09 552 --a------ C:\WINDOWS\system32\d3d8caps.dat

    .
    (((((((((((((((((((((((((((((((((((((( Reporte Find3M )))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-01-09 16:04 --------- d-----w C:\Archivos de programa\Spyware Doctor
    2008-01-09 15:13 --------- d-----w C:\Documents and Settings\Abramson\Datos de programa\XnView
    2008-01-09 14:10 --------- d-----w C:\Archivos de programa\Astro
    2008-01-09 14:07 --------- d-----w C:\Documents and Settings\Abramson\Datos de programa\WinEdt
    2008-01-09 13:25 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Datos de programa\Google Updater
    2008-01-09 11:33 --------- d-----w C:\Documents and Settings\Abramson\Datos de programa\File-Ex
    2008-01-08 17:56 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Datos de programa\Spybot - Search & Destroy
    2008-01-08 17:54 --------- d-----w C:\Archivos de programa\Util
    2008-01-08 13:03 --------- d-----w C:\Archivos de programa\Image
    2008-01-08 12:46 --------- d-----w C:\Documents and Settings\Abramson\Datos de programa\AVG7
    2008-01-08 11:51 --------- d---a-w C:\Documents and Settings\All Users.WINDOWS\Datos de programa\TEMP
    2007-12-28 18:02 --------- d-----w C:\Archivos de programa\Net
    2007-12-26 18:28 --------- d-----w C:\Archivos de programa\video
    2007-12-19 02:29 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Datos de programa\avg7
    2007-12-18 20:32 --------- d-----w C:\Archivos de programa\Sci
    2007-12-18 19:17 --------- d--h--w C:\Archivos de programa\InstallShield Installation Information
    2007-12-14 16:50 --------- d-----w C:\Archivos de programa\Texts
    2007-12-14 15:50 --------- d-----w C:\Archivos de programa\Archivos comunes\Adobe
    2007-12-04 14:56 93,264 ----a-w C:\WINDOWS\system32\drivers\aswmon.sys
    2007-12-04 14:55 94,544 ----a-w C:\WINDOWS\system32\drivers\aswmon2.sys
    2007-12-04 14:53 23,152 ----a-w C:\WINDOWS\system32\drivers\aswRdr.sys
    2007-12-04 14:51 42,912 ----a-w C:\WINDOWS\system32\drivers\aswTdi.sys
    2007-12-04 14:49 26,624 ----a-w C:\WINDOWS\system32\drivers\aavmker4.sys
    2007-11-28 12:14 --------- d-----w C:\Documents and Settings\Abramson\Datos de programa\ActiveState
    2007-11-23 12:51 --------- d-----w C:\Documents and Settings\Abramson\Datos de programa\Avanquest
    2007-11-22 13:34 --------- d-----w C:\Archivos de programa\Microsoft SQL Server Compact Edition
    2007-11-21 19:34 --------- d-----w C:\Documents and Settings\Abramson\Datos de programa\AdobeUM
    2007-11-21 19:29 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Datos de programa\Adobe Systems
    2007-11-21 19:29 --------- d-----w C:\Archivos de programa\Archivos comunes\Adobe Systems Shared
    2007-11-19 20:02 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Datos de programa\nView_Profiles
    2007-11-16 16:57 73,216 ----a-w C:\WINDOWS\ST6UNST.EXE
    2007-11-16 16:57 286,720 ------w C:\WINDOWS\Setup1.exe
    2007-11-15 20:12 --------- d-----w C:\Archivos de programa\Britannica
    2007-11-13 13:06 --------- d-----w C:\Documents and Settings\Abramson\Datos de programa\InstallShield
    2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
    2007-11-12 18:05 --------- d-----w C:\Archivos de programa\MSECache
    2007-11-12 14:44 --------- d-----w C:\Documents and Settings\Abramson\Datos de programa\COWON
    .

    ((((((((((((((((((((((((((((((((( Cargando Puntos Reg ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    REGEDIT4
    *Nota* entradas vacías & entradas legítimas predeterminadas no son mostradas

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\TortoiseCVS0]
    @={5d1cb710-1c4b-11d4-bed5-005004b1f42f}

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\TortoiseCVS1]
    @={5d1cb711-1c4b-11d4-bed5-005004b1f42f}

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\TortoiseCVS2]
    @={5d1cb712-1c4b-11d4-bed5-005004b1f42f}

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\TortoiseCVS3]
    @={5d1cb713-1c4b-11d4-bed5-005004b1f42f}

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\TortoiseCVS4]
    @={5d1cb714-1c4b-11d4-bed5-005004b1f42f}

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\TortoiseCVS5]
    @={5d1cb715-1c4b-11d4-bed5-005004b1f42f}

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\TortoiseCVS6]
    @={5d1cb716-1c4b-11d4-bed5-005004b1f42f}

    [HKEY_CLASSES_ROOT\CLSID\{5d1cb710-1c4b-11d4-bed5-005004b1f42f}]
    2005-07-26 00:33 1073152 --a------ C:\Archivos de programa\Net\TortoiseCVS\TrtseShl.dll

    [HKEY_CLASSES_ROOT\CLSID\{5d1cb711-1c4b-11d4-bed5-005004b1f42f}]
    2005-07-26 00:33 1073152 --a------ C:\Archivos de programa\Net\TortoiseCVS\TrtseShl.dll

    [HKEY_CLASSES_ROOT\CLSID\{5d1cb712-1c4b-11d4-bed5-005004b1f42f}]
    2005-07-26 00:33 1073152 --a------ C:\Archivos de programa\Net\TortoiseCVS\TrtseShl.dll

    [HKEY_CLASSES_ROOT\CLSID\{5d1cb713-1c4b-11d4-bed5-005004b1f42f}]
    2005-07-26 00:33 1073152 --a------ C:\Archivos de programa\Net\TortoiseCVS\TrtseShl.dll

    [HKEY_CLASSES_ROOT\CLSID\{5d1cb714-1c4b-11d4-bed5-005004b1f42f}]
    2005-07-26 00:33 1073152 --a------ C:\Archivos de programa\Net\TortoiseCVS\TrtseShl.dll

    [HKEY_CLASSES_ROOT\CLSID\{5d1cb715-1c4b-11d4-bed5-005004b1f42f}]
    2005-07-26 00:33 1073152 --a------ C:\Archivos de programa\Net\TortoiseCVS\TrtseShl.dll

    [HKEY_CLASSES_ROOT\CLSID\{5d1cb716-1c4b-11d4-bed5-005004b1f42f}]
    2005-07-26 00:33 1073152 --a------ C:\Archivos de programa\Net\TortoiseCVS\TrtseShl.dll

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2006-03-02 10:00 15360]
    "TaskSwitchXP"="C:\Archivos de programa\Util\TaskSwitchXP\TaskSwitchXP.exe" [2005-06-10 08:05 533734]
    "german.exe"="C:\WINDOWS\system32\wintems.exe" [ ]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-09-17 02:07 8491008]
    "nwiz"="nwiz.exe" [2007-09-17 02:07 1626112 C:\WINDOWS\system32\nwiz.exe]
    "RTHDCPL"="RTHDCPL.EXE" [2007-06-15 02:03 16132608 C:\WINDOWS\RTHDCPL.exe]
    "Google Desktop Search"="C:\Archivos de programa\Google\Google Desktop Search\GoogleDesktop.exe" [2007-11-02 11:55 29744]
    "SunJavaUpdateSched"="C:\Archivos de programa\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 02:11 132496]
    "NvMediaCenter"="NvMCTray.dll" [2007-09-17 02:07 81920 C:\WINDOWS\system32\nvmctray.dll]
    "zBrowser Launcher"="C:\Archivos de programa\Logitech\iTouch\iTouch.exe" [2004-03-18 10:33 892928]
    "FileZilla Server Interface"="C:\Archivos de programa\Net\FileZilla Server\FileZilla Server Interface.exe" [2007-02-27 12:55 937984]
    "NeroFilterCheck"="C:\Archivos de programa\Archivos comunes\Ahead\Lib\NeroCheck.exe" [2006-01-12 17:40 155648]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2006-03-02 10:00 15360]
    "AVG7_Run"="C:\ARCHIV~1\Grisoft\AVG7\avgw.exe" [ ]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "EnableLUA"= 0 (0x0)

    La clave del Registro SafeBoot necesita reparacion. Esta maquina no puede reiniciar en modo a prueba de fallos (modo seguro).

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\File system]
    @="Driver Group"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vgasave.sys]
    @="Driver"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}]
    @="DiskDrive"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96A-E325-11CE-BFC1-08002BE10318}]
    @="Hdc"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96B-E325-11CE-BFC1-08002BE10318}]
    @="Keyboard"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96F-E325-11CE-BFC1-08002BE10318}]
    @="Mouse"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E97D-E325-11CE-BFC1-08002BE10318}]
    @="System"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{71A27CDD-812A-11D0-BEC7-08002BE2092F}]
    @="Volume"

    S3 BOCDRIVE;BOClean Kernel Monitor.;C:\Archivos de programa\Util\CBOClean\BOCDRIVE.sys []
    S3 GoogleDesktopManager-093007-112848;Google Desktop Manager 5.5.709.30344;"C:\Archivos de programa\Google\Google Desktop Search\GoogleDesktop.exe" [2007-11-02 11:55]
    S4 Fix-It Task Manager;Fix-It Task Manager;C:\ARCHIV~1\Util\Fix-It\mxtask.exe [2007-01-29 17:02]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

    .
    Contenido de carpeta 'Tareas Programadas'
    "2008-01-03 15:16:05 C:\WINDOWS\Tasks\Backup de Biblioteca.job"
    - C:\Home\Abramson\Backup\biblioteca.bat
    "2008-01-04 15:02:16 C:\WINDOWS\Tasks\Backup de Email.job"
    - C:\Home\Abramson\Backup\email.bat
    "2008-01-09 15:00:48 C:\WINDOWS\Tasks\Backup de Home.job"
    - C:\Home\Abramson\Backup\backup.bat
    "2007-12-06 19:59:34 C:\WINDOWS\Tasks\SyncToy Abramson en CABFST21.job"
    - C:\Archivos de programa\Util\SyncToy 2.0 Beta\SyncToyCmd.exe
    .
    **************************************************************************

    catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-01-09 14:19:19
    Windows 5.1.2600 Service Pack 2 NTFS

    escaneando procesos ocultos ...

    escaneando entradas ocultas de autostart ...

    escaneando archivos ocultos ...

    el escaneo se completo con exito
    archivos ocultos: 0

    **************************************************************************
    .
    Tiempo completado: 2008-01-09 14:22:39 - machine was rebooted
    ComboFix-quarantined-files.txt 2008-01-09 16:22:37
    .
    2007-12-12 12:15:57 --- E O F ---

    Guillermo

  7. #17
    Junior Member
    Join Date
    Jan 2008
    Posts
    29

    Default

    I checked again with IceSword after last post. No hldrrr.exe nor wintems.exe processes, no srosa.sys items on SSDT list.

    However, file hldrrr.exe is still in system32\drivers. Should I remove it with MoveIt? Srosa.sys and wintems.exe cannot be found, I hope they do not reappear.

    Guillermo

  8. #18
    Retired Security Volunteer
    Join Date
    Sep 2007
    Location
    Ireland
    Posts
    1,620

    Default

    That seems to have got rid of a bit of it. Try not to restart your PC if possible, to be on the safe side.



    1. Close any open browsers.

    2. Open notepad and copy/paste the text in the quotebox below into it:

    File::
    C:\WINDOWS\system32\drivers\hldrrr.exe

    Registry::
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "german.exe"=-
    Save this as CFScript.txt, in the same location as ComboFix.exe




    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it shall produce a log for you at "C:\ComboFix.txt"

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall





    Download avz4.zip from here
    • Unzip it to your desktop to a folder named avz4
    • Double click on AVZ.exe to run it.
    • Run an update by clicking the Auto Update button on the Right of the Log window:
    • Click Start to begin the update

    Note: If you receive an error message, choose a different source, then click Start again
    • After the update, from the "File" menu, choose "System Recovery"
    • Check the box beside 10. Restore SafeBoot registry keys
    • Click Execute Selected Scripts, accept any prompts, then reboot your PC.
    Last edited by Rorschach112; 2008-01-09 at 18:56.
    Who watches The Watchmen?

    It's like you said. All I am is what I'm going after.

    ~Scratch~

  9. #19
    Junior Member
    Join Date
    Jan 2008
    Posts
    29

    Default

    Done. ComboFix produced the log reported below.

    AVZ: I couldn't update with any of the sources (2 of them), so I ran the tool anyway (since the only selected one was restore safeboot... did I mess it up?).

    Then rebooted, and here I am. SI does not show any of the bad guys either in Processes or SSDT. Should I run any other scan? SSD or HijackThis?

    There are still a lot of new xxxx.exe in system32\drivers\down, where xxxx are 5- or 6-figure numbers. Some of these files have icons equal to that of wintems.exe (a keychain with keys). None of them is running as a process.

    Guillermo


    Note: this log is from before I ran avz4, hence the SafeBoot note in red

    ComboFix 08-01-09.2 - Abramson 2008-01-09 16:05:54.2 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.3082.18.1581 [GMT -2:00]
    Se ejecuta desde: C:\Documents and Settings\Abramson\Escritorio\ComboFix.exe
    Command switches used :: C:\Documents and Settings\Abramson\Escritorio\CFScript.txt
    * Creado un nuevo punto de restauración

    FILE
    C:\WINDOWS\system32\drivers\hldrrr.exe
    .

    (((((((((((((((((((((((((((((((((((( Otras eliminaciones )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\WINDOWS\system32\drivers\hldrrr.exe

    .
    (((((((((((((((((( Archivos creados desde 2007-12-09 - 2008-01-09 )))))))))))))))))))))))))))))))))
    .

    2008-01-09 14:22 . <DIR> C:\WINDOWS\system32\config\systemprofile\Configuración local
    2008-01-09 14:22 . <DIR> C:\Documents and Settings\NetworkService\Configuración local
    2008-01-09 14:22 . <DIR> C:\Documents and Settings\NetworkService.NT AUTHORITY\Configuración local
    2008-01-09 14:22 . <DIR> C:\Documents and Settings\LocalService\Configuración local
    2008-01-09 14:22 . <DIR> C:\Documents and Settings\LocalService.NT AUTHORITY\Configuración local
    2008-01-09 14:22 . <DIR> C:\Documents and Settings\Default User\Configuración local
    2008-01-09 14:22 . <DIR> C:\Documents and Settings\Default User.WINDOWS\Configuración local
    2008-01-09 14:22 . <DIR> C:\Documents and Settings\Administrador\Configuración local
    2008-01-09 14:22 . <DIR> C:\Documents and Settings\Abramson\Configuración local
    2008-01-09 14:21 . 2008-01-09 14:21 <DIR> d-------- C:\WINDOWS\LastGood
    2008-01-09 14:12 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
    2008-01-09 10:25 . 2008-01-09 10:25 <DIR> d-------- C:\Deckard
    2008-01-08 15:15 . 2008-01-08 15:15 <DIR> d-------- C:\WINDOWS\ERUNT
    2008-01-08 14:36 . 2008-01-08 14:36 <DIR> d-------- C:\Archivos de programa\GiPo@Utilities
    2008-01-08 14:36 . 2008-01-08 14:36 <DIR> d-------- C:\Archivos de programa\Archivos comunes\Gibinsoft Shared
    2008-01-08 14:20 . 2007-01-18 10:00 3,968 --a------ C:\WINDOWS\system32\drivers\AvgArCln.sys
    2008-01-08 14:01 . 2008-01-09 14:11 <DIR> d-------- C:\WINDOWS\system32\drivers\down
    2008-01-08 11:34 . 2007-08-08 20:02 235,008 --a------ C:\WINDOWS\UNBOC.EXE
    2008-01-08 11:34 . 2007-05-08 17:01 208,896 --a------ C:\WINDOWS\CMDLIC.DLL
    2008-01-08 11:34 . 2006-03-02 10:00 25,600 --a------ C:\WINDOWS\system32\wsock32.dlb
    2008-01-04 11:03 . 2008-01-04 11:03 49 --a------ C:\WINDOWS\fsplugin.ini
    2008-01-03 14:37 . 2007-10-22 07:10 1,015,808 --a------ C:\WINDOWS\system32\libeay32.dll
    2008-01-03 14:37 . 2007-10-22 07:10 196,608 --a------ C:\WINDOWS\system32\ssleay32.dll
    2008-01-03 14:37 . 2008-01-03 14:37 196,608 --a------ C:\WINDOWS\system32\libssl32.dll
    2008-01-03 10:40 . 2008-01-03 10:40 <DIR> d-------- C:\Documents and Settings\Abramson\Datos de programa\SpeedProject
    2008-01-03 10:11 . 2008-01-08 13:27 21,712 ---h----- C:\treeinfo.wc
    2007-12-28 16:03 . 2007-12-28 16:03 <DIR> d-------- C:\Documents and Settings\Abramson\Datos de programa\aignes
    2007-12-27 15:23 . 2007-12-27 15:41 <DIR> d-------- C:\Archivos de programa\Nero
    2007-12-27 10:45 . 2007-12-27 10:45 <DIR> d-------- C:\Documents and Settings\Abramson\Datos de programa\CyberLink
    2007-12-26 18:38 . 2008-01-02 10:55 69 --a------ C:\WINDOWS\NeroDigital.ini
    2007-12-18 17:16 . 2007-12-18 17:15 151,552 --a------ C:\WINDOWS\system32\nvRegDev.dll
    2007-12-18 11:53 . 2007-12-18 11:53 <DIR> d--h----- C:\WINDOWS\system32\GroupPolicy
    2007-12-14 16:10 . 2007-12-14 16:10 <DIR> d--h----- C:\WINDOWS\PIF
    2007-12-14 16:03 . 2007-12-14 16:03 <DIR> d-------- C:\Documents and Settings\Abramson\Datos de programa\Ahead
    2007-12-14 15:51 . 2007-12-14 15:51 <DIR> d-------- C:\Archivos de programa\Archivos comunes\Nero
    2007-12-14 15:50 . 2007-12-27 15:25 <DIR> d-------- C:\Archivos de programa\Archivos comunes\Ahead
    2007-12-14 15:50 . 2007-12-27 15:23 <DIR> d-------- C:\Archivos de programa\Ahead
    2007-12-14 13:50 . 2007-12-14 13:50 <DIR> d-------- C:\Archivos de programa\Bonjour
    2007-12-14 13:37 . 2007-12-14 13:37 <DIR> d-------- C:\Archivos de programa\Archivos comunes\Macrovision Shared
    2007-12-12 18:09 . 2007-12-12 18:09 552 --a------ C:\WINDOWS\system32\d3d8caps.dat

    .
    (((((((((((((((((((((((((((((((((((((( Reporte Find3M )))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-01-09 16:04 --------- d-----w C:\Archivos de programa\Spyware Doctor
    2008-01-09 15:13 --------- d-----w C:\Documents and Settings\Abramson\Datos de programa\XnView
    2008-01-09 14:10 --------- d-----w C:\Archivos de programa\Astro
    2008-01-09 14:07 --------- d-----w C:\Documents and Settings\Abramson\Datos de programa\WinEdt
    2008-01-09 13:25 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Datos de programa\Google Updater
    2008-01-09 11:33 --------- d-----w C:\Documents and Settings\Abramson\Datos de programa\File-Ex
    2008-01-08 17:56 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Datos de programa\Spybot - Search & Destroy
    2008-01-08 17:54 --------- d-----w C:\Archivos de programa\Util
    2008-01-08 13:03 --------- d-----w C:\Archivos de programa\Image
    2008-01-08 12:46 --------- d-----w C:\Documents and Settings\Abramson\Datos de programa\AVG7
    2008-01-08 11:51 --------- d---a-w C:\Documents and Settings\All Users.WINDOWS\Datos de programa\TEMP
    2007-12-28 18:02 --------- d-----w C:\Archivos de programa\Net
    2007-12-26 18:28 --------- d-----w C:\Archivos de programa\video
    2007-12-19 02:29 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Datos de programa\avg7
    2007-12-18 20:32 --------- d-----w C:\Archivos de programa\Sci
    2007-12-18 19:17 --------- d--h--w C:\Archivos de programa\InstallShield Installation Information
    2007-12-14 16:50 --------- d-----w C:\Archivos de programa\Texts
    2007-12-14 15:50 --------- d-----w C:\Archivos de programa\Archivos comunes\Adobe
    2007-12-04 14:56 93,264 ----a-w C:\WINDOWS\system32\drivers\aswmon.sys
    2007-12-04 14:55 94,544 ----a-w C:\WINDOWS\system32\drivers\aswmon2.sys
    2007-12-04 14:53 23,152 ----a-w C:\WINDOWS\system32\drivers\aswRdr.sys
    2007-12-04 14:51 42,912 ----a-w C:\WINDOWS\system32\drivers\aswTdi.sys
    2007-12-04 14:49 26,624 ----a-w C:\WINDOWS\system32\drivers\aavmker4.sys
    2007-12-04 13:04 837,496 ----a-w C:\WINDOWS\system32\aswBoot.exe
    2007-12-04 12:54 95,608 ----a-w C:\WINDOWS\system32\AVASTSS.scr
    2007-11-28 12:14 --------- d-----w C:\Documents and Settings\Abramson\Datos de programa\ActiveState
    2007-11-23 12:51 --------- d-----w C:\Documents and Settings\Abramson\Datos de programa\Avanquest
    2007-11-22 13:34 --------- d-----w C:\Archivos de programa\Microsoft SQL Server Compact Edition
    2007-11-21 19:34 --------- d-----w C:\Documents and Settings\Abramson\Datos de programa\AdobeUM
    2007-11-21 19:29 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Datos de programa\Adobe Systems
    2007-11-21 19:29 --------- d-----w C:\Archivos de programa\Archivos comunes\Adobe Systems Shared
    2007-11-19 20:02 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Datos de programa\nView_Profiles
    2007-11-16 16:57 73,216 ----a-w C:\WINDOWS\ST6UNST.EXE
    2007-11-16 16:57 286,720 ------w C:\WINDOWS\Setup1.exe
    2007-11-15 20:12 --------- d-----w C:\Archivos de programa\Britannica
    2007-11-13 13:06 --------- d-----w C:\Documents and Settings\Abramson\Datos de programa\InstallShield
    2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
    2007-11-12 18:05 --------- d-----w C:\Archivos de programa\MSECache
    2007-11-12 14:44 --------- d-----w C:\Documents and Settings\Abramson\Datos de programa\COWON
    2007-10-29 22:43 1,293,824 ------w C:\WINDOWS\system32\quartz.dll
    2007-10-25 12:28 222,720 ----a-w C:\WINDOWS\system32\wmasf.dll
    2007-10-15 16:23 98,304 ----a-w C:\WINDOWS\system32\LtTtf14n.Dll
    2007-10-15 16:23 94,208 ----a-w C:\WINDOWS\system32\ltdoc14n.dll
    2007-10-15 16:23 89,232 ----a-w C:\WINDOWS\system32\LPCPN05N.dll
    2007-10-15 16:23 86,016 ----a-w C:\WINDOWS\system32\lffax14n.dll
    2007-10-15 16:23 85,136 ----a-w C:\WINDOWS\system32\LPINS05N.dll
    2007-10-15 16:23 77,898 ----a-w C:\WINDOWS\system32\lfjb214n.dll
    2007-10-15 16:23 72,848 ----a-w C:\WINDOWS\system32\LpTxt05n.dll
    2007-10-15 16:23 703,632 ----a-w C:\WINDOWS\system32\LPRES05N.DLL
    2007-10-15 16:23 695,440 ----a-w C:\WINDOWS\system32\LPDLG05N.DLL
    2007-10-15 16:23 68,752 ----a-w C:\WINDOWS\system32\Lpdrv05n.DLL
    2007-10-15 16:23 65,536 ----a-w C:\WINDOWS\system32\ltserial.dll
    2007-10-15 16:23 642,192 ----a-w C:\WINDOWS\system32\LPUIR05r.dll
    2007-10-15 16:23 56,464 ----a-w C:\WINDOWS\system32\LPUNI05N.dll
    2007-10-15 16:23 56,464 ----a-w C:\WINDOWS\system32\LPRPC05u.dll
    2007-10-15 16:23 52,368 ----a-w C:\WINDOWS\system32\LPEML05N.DLL
    2007-10-15 16:23 507,024 ----a-w C:\WINDOWS\system32\LtAct14n.dll
    2007-10-15 16:23 48,272 ----a-w C:\WINDOWS\system32\LPRNT05N.DLL
    2007-10-15 16:23 434,176 ----a-w C:\WINDOWS\system32\ltkrn14n.dll
    2007-10-15 16:23 38,032 ----a-w C:\WINDOWS\system32\LPUMD05n.dll
    2007-10-15 16:23 364,544 ----a-w C:\WINDOWS\system32\LFCMP14n.dll
    2007-10-15 16:23 35,984 ----a-w C:\WINDOWS\system32\LPPMN05u.DLL
    2007-10-15 16:23 32,768 ----a-w C:\WINDOWS\system32\Lfwmf14n.dll
    2007-10-15 16:23 262,144 ----a-w C:\WINDOWS\system32\LTDIS14n.dll
    2007-10-15 16:23 253,952 ----a-w C:\WINDOWS\system32\LTEml14n.dll
    2007-10-15 16:23 241,664 ----a-w C:\WINDOWS\system32\ltefx14n.dll
    2007-10-15 16:23 228,496 ----a-w C:\WINDOWS\system32\LpPdf05n.dll
    2007-10-15 16:23 224,400 ----a-w C:\WINDOWS\system32\LPKRN05N.DLL
    2007-10-15 16:23 221,184 ----a-w C:\WINDOWS\system32\Lvkrn14n.dll
    2007-10-15 16:23 2,199,552 ----a-w C:\WINDOWS\system32\PdfDll32.dll
    2007-10-15 16:23 155,648 ----a-w C:\WINDOWS\system32\LTSGM14n.dll
    2007-10-15 16:23 155,648 ----a-w C:\WINDOWS\system32\ltfil14n.dll
    2007-10-15 16:23 146,576 ----a-w C:\WINDOWS\system32\LpDoc05n.dll
    2007-10-15 16:23 142,480 ----a-w C:\WINDOWS\system32\ltact.dll
    2007-10-15 16:23 139,264 ----a-w C:\WINDOWS\system32\lfpdf14n.dll
    2007-10-15 16:23 138,384 ----a-w C:\WINDOWS\system32\LpHTM05n.dll
    2007-10-15 16:23 138,384 ----a-w C:\WINDOWS\system32\LpEmf05n.dll
    2007-10-15 16:23 113,808 ----a-w C:\WINDOWS\system32\LPWSE05n.exe
    2007-10-15 16:23 109,712 ----a-w C:\WINDOWS\system32\LpRTF05n.dll
    2007-10-15 16:23 106,680 ----a-w C:\WINDOWS\system32\LPUID05n.dll
    2007-10-15 16:23 1,703,936 ----a-w C:\WINDOWS\system32\LTCLR14n.dll
    2007-10-15 16:23 1,637,520 ----a-w C:\WINDOWS\system32\LPUIT05N.dll
    2007-10-15 16:23 1,433,600 ----a-w C:\WINDOWS\system32\LTDic14n.dll
    2007-10-15 16:23 1,396,736 ----a-w C:\WINDOWS\system32\ltann14n.dll
    2007-10-15 16:23 1,122,304 ----a-w C:\WINDOWS\system32\ltimg14n.dll
    .

    ((((((((((((((((((((((((((((( snapshot@2008-01-09_14.22.31.53 )))))))))))))))))))))))))))))))))))))))))
    .
    - 2008-01-09 16:13:10 1,232,896 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000001\NTUSER.DAT
    + 2008-01-09 18:05:51 1,232,896 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000001\NTUSER.DAT
    - 2008-01-09 16:13:10 8,192 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000002\UsrClass.dat
    + 2008-01-09 18:05:51 8,192 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000002\UsrClass.dat
    - 2008-01-09 16:13:10 1,232,896 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000003\NTUSER.DAT
    + 2008-01-09 18:05:52 1,232,896 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000003\NTUSER.DAT
    - 2008-01-09 16:13:10 8,192 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000004\UsrClass.dat
    + 2008-01-09 18:05:52 8,192 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000004\UsrClass.dat
    - 2008-01-09 16:13:10 5,132,288 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000005\NTUSER.DAT
    + 2008-01-09 18:05:52 5,144,576 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000005\NTUSER.DAT
    - 2008-01-09 16:13:10 221,184 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000006\UsrClass.dat
    + 2008-01-09 18:05:52 221,184 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000006\UsrClass.dat
    .
    ((((((((((((((((((((((((((((((((( Cargando Puntos Reg ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    REGEDIT4
    *Nota* entradas vacías & entradas legítimas predeterminadas no son mostradas

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\TortoiseCVS0]
    @={5d1cb710-1c4b-11d4-bed5-005004b1f42f}

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\TortoiseCVS1]
    @={5d1cb711-1c4b-11d4-bed5-005004b1f42f}

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\TortoiseCVS2]
    @={5d1cb712-1c4b-11d4-bed5-005004b1f42f}

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\TortoiseCVS3]
    @={5d1cb713-1c4b-11d4-bed5-005004b1f42f}

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\TortoiseCVS4]
    @={5d1cb714-1c4b-11d4-bed5-005004b1f42f}

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\TortoiseCVS5]
    @={5d1cb715-1c4b-11d4-bed5-005004b1f42f}

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\TortoiseCVS6]
    @={5d1cb716-1c4b-11d4-bed5-005004b1f42f}

    [HKEY_CLASSES_ROOT\CLSID\{5d1cb710-1c4b-11d4-bed5-005004b1f42f}]
    2005-07-26 00:33 1073152 --a------ C:\Archivos de programa\Net\TortoiseCVS\TrtseShl.dll

    [HKEY_CLASSES_ROOT\CLSID\{5d1cb711-1c4b-11d4-bed5-005004b1f42f}]
    2005-07-26 00:33 1073152 --a------ C:\Archivos de programa\Net\TortoiseCVS\TrtseShl.dll

    [HKEY_CLASSES_ROOT\CLSID\{5d1cb712-1c4b-11d4-bed5-005004b1f42f}]
    2005-07-26 00:33 1073152 --a------ C:\Archivos de programa\Net\TortoiseCVS\TrtseShl.dll

    [HKEY_CLASSES_ROOT\CLSID\{5d1cb713-1c4b-11d4-bed5-005004b1f42f}]
    2005-07-26 00:33 1073152 --a------ C:\Archivos de programa\Net\TortoiseCVS\TrtseShl.dll

    [HKEY_CLASSES_ROOT\CLSID\{5d1cb714-1c4b-11d4-bed5-005004b1f42f}]
    2005-07-26 00:33 1073152 --a------ C:\Archivos de programa\Net\TortoiseCVS\TrtseShl.dll

    [HKEY_CLASSES_ROOT\CLSID\{5d1cb715-1c4b-11d4-bed5-005004b1f42f}]
    2005-07-26 00:33 1073152 --a------ C:\Archivos de programa\Net\TortoiseCVS\TrtseShl.dll

    [HKEY_CLASSES_ROOT\CLSID\{5d1cb716-1c4b-11d4-bed5-005004b1f42f}]
    2005-07-26 00:33 1073152 --a------ C:\Archivos de programa\Net\TortoiseCVS\TrtseShl.dll

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2006-03-02 10:00 15360]
    "TaskSwitchXP"="C:\Archivos de programa\Util\TaskSwitchXP\TaskSwitchXP.exe" [2005-06-10 08:05 533734]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-09-17 02:07 8491008]
    "nwiz"="nwiz.exe" [2007-09-17 02:07 1626112 C:\WINDOWS\system32\nwiz.exe]
    "RTHDCPL"="RTHDCPL.EXE" [2007-06-15 02:03 16132608 C:\WINDOWS\RTHDCPL.exe]
    "Google Desktop Search"="C:\Archivos de programa\Google\Google Desktop Search\GoogleDesktop.exe" [2007-11-02 11:55 29744]
    "SunJavaUpdateSched"="C:\Archivos de programa\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 02:11 132496]
    "NvMediaCenter"="NvMCTray.dll" [2007-09-17 02:07 81920 C:\WINDOWS\system32\nvmctray.dll]
    "zBrowser Launcher"="C:\Archivos de programa\Logitech\iTouch\iTouch.exe" [2004-03-18 10:33 892928]
    "FileZilla Server Interface"="C:\Archivos de programa\Net\FileZilla Server\FileZilla Server Interface.exe" [2007-02-27 12:55 937984]
    "NeroFilterCheck"="C:\Archivos de programa\Archivos comunes\Ahead\Lib\NeroCheck.exe" [2006-01-12 17:40 155648]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2006-03-02 10:00 15360]
    "AVG7_Run"="C:\ARCHIV~1\Grisoft\AVG7\avgw.exe" [ ]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "EnableLUA"= 0 (0x0)

    La clave del Registro SafeBoot necesita reparacion. Esta maquina no puede reiniciar en modo a prueba de fallos (modo seguro).

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\File system]
    @="Driver Group"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vgasave.sys]
    @="Driver"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}]
    @="DiskDrive"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96A-E325-11CE-BFC1-08002BE10318}]
    @="Hdc"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96B-E325-11CE-BFC1-08002BE10318}]
    @="Keyboard"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96F-E325-11CE-BFC1-08002BE10318}]
    @="Mouse"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E97D-E325-11CE-BFC1-08002BE10318}]
    @="System"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{71A27CDD-812A-11D0-BEC7-08002BE2092F}]
    @="Volume"

    S3 BOCDRIVE;BOClean Kernel Monitor.;C:\Archivos de programa\Util\CBOClean\BOCDRIVE.sys []
    S3 GoogleDesktopManager-093007-112848;Google Desktop Manager 5.5.709.30344;"C:\Archivos de programa\Google\Google Desktop Search\GoogleDesktop.exe" [2007-11-02 11:55]
    S4 Fix-It Task Manager;Fix-It Task Manager;C:\ARCHIV~1\Util\Fix-It\mxtask.exe [2007-01-29 17:02]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

    .
    Contenido de carpeta 'Tareas Programadas'
    "2008-01-03 15:16:05 C:\WINDOWS\Tasks\Backup de Biblioteca.job"
    - C:\Home\Abramson\Backup\biblioteca.bat
    "2008-01-04 15:02:16 C:\WINDOWS\Tasks\Backup de Email.job"
    - C:\Home\Abramson\Backup\email.bat
    "2008-01-09 15:00:48 C:\WINDOWS\Tasks\Backup de Home.job"
    - C:\Home\Abramson\Backup\backup.bat
    "2007-12-06 19:59:34 C:\WINDOWS\Tasks\SyncToy Abramson en CABFST21.job"
    - C:\Archivos de programa\Util\SyncToy 2.0 Beta\SyncToyCmd.exe
    .
    **************************************************************************

    catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-01-09 16:06:38
    Windows 5.1.2600 Service Pack 2 NTFS

    escaneando procesos ocultos ...

    escaneando entradas ocultas de autostart ...

    escaneando archivos ocultos ...

    el escaneo se completo con exito
    archivos ocultos: 0

    **************************************************************************
    .
    Tiempo completado: 2008-01-09 16:06:59
    ComboFix-quarantined-files.txt 2008-01-09 18:06:51
    ComboFix2.txt 2008-01-09 16:22:39
    .
    2007-12-12 12:15:57 --- E O F ---
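A helper reading the two ComboFix logs in this thread checks by eye that the `"german.exe"` value is gone from the HKCU Run key after the CFScript and that nothing new appeared. The script below is an added example, not part of this thread or of ComboFix: it parses the Run-key sections of two logs (the sample excerpts are copied from the logs posted above), reports which values were removed or added, and flags entries that trip three simple heuristics of the editor's own choosing (empty `[ ]` file metadata, a value name ending in .exe that does not match its target file, an .exe launched from the drivers directory). The leftover `AVG7_Run` value gets flagged as well, only because its file no longer exists; the heuristics say where to look, not what is malicious.

```python
"""Triage and diff the Run-key autoruns listed in two ComboFix-style logs.

Added example, not part of this thread or of ComboFix. The sample log
excerpts are copied from the logs posted in the thread; the flagging
rules are the editor's own heuristics, not anything ComboFix implements.
"""
import re
from dataclasses import dataclass

# A ComboFix section header, e.g. [HKEY_CURRENT_USER\SOFTWARE\...\Run]
SECTION = re.compile(r'^\s*\[(?P<key>HKEY_[^\]]+)\]')
# A value line under it: "name"="target" [file metadata, or empty]
RUN_ENTRY = re.compile(
    r'^\s*"(?P<name>[^"]+)"="(?P<target>[^"]*)"\s*\[(?P<meta>[^\]]*)\]')


@dataclass(frozen=True)
class RunEntry:
    key: str      # registry key the value lives under
    name: str     # value name (what msconfig shows)
    target: str   # command or path ComboFix printed
    meta: str     # timestamp/size/path ComboFix found on disk, "" if it could not


def parse_run_entries(log: str) -> list[RunEntry]:
    """Collect every value under a ...\\CurrentVersion\\Run key in the log."""
    entries = []
    current = None  # key of the Run section we are inside, if any
    for line in log.splitlines():
        header = SECTION.match(line)
        if header:
            key = header.group("key")
            current = key if key.lower().endswith(r"\currentversion\run") else None
            continue
        if current is None:
            continue
        value = RUN_ENTRY.match(line)
        if value:
            entries.append(RunEntry(current, value.group("name"),
                                    value.group("target"), value.group("meta").strip()))
    return entries


def suspicious_reasons(entry: RunEntry) -> list[str]:
    """Editor's heuristics; each string is one reason to look at the entry more closely."""
    reasons = []
    exe = entry.target.rsplit("\\", 1)[-1].lower()
    if entry.meta == "":
        reasons.append("no file metadata: ComboFix could not find the target on disk")
    if entry.name.lower().endswith(".exe") and entry.name.lower() != exe:
        reasons.append(f"value name {entry.name!r} does not match its target {exe!r}")
    if exe.endswith(".exe") and "\\system32\\drivers\\" in entry.target.lower():
        reasons.append("an .exe launched from the drivers directory")
    return reasons


def triage(log: str) -> list[tuple[RunEntry, list[str]]]:
    """Return only the entries that trip at least one heuristic."""
    flagged = []
    for entry in parse_run_entries(log):
        reasons = suspicious_reasons(entry)
        if reasons:
            flagged.append((entry, reasons))
    return flagged


def diff_run_entries(before: str, after: str) -> dict[str, list[RunEntry]]:
    """Which Run values disappeared or appeared between two logs."""
    old, new = set(parse_run_entries(before)), set(parse_run_entries(after))
    by_name = lambda e: (e.key, e.name)
    return {"removed": sorted(old - new, key=by_name),
            "added": sorted(new - old, key=by_name)}


# Excerpts copied from the two logs in this thread (before and after the CFScript).
BEFORE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2006-03-02 10:00 15360]
"TaskSwitchXP"="C:\Archivos de programa\Util\TaskSwitchXP\TaskSwitchXP.exe" [2005-06-10 08:05 533734]
"german.exe"="C:\WINDOWS\system32\wintems.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-09-17 02:07 8491008]
"nwiz"="nwiz.exe" [2007-09-17 02:07 1626112 C:\WINDOWS\system32\nwiz.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2006-03-02 10:00 15360]
"AVG7_Run"="C:\ARCHIV~1\Grisoft\AVG7\avgw.exe" [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"""

AFTER_LOG = BEFORE_LOG.replace('"german.exe"="C:\\WINDOWS\\system32\\wintems.exe" [ ]\n', "")


if __name__ == "__main__":
    for entry, reasons in triage(BEFORE_LOG):
        print(f"{entry.name}: " + "; ".join(reasons))
    changes = diff_run_entries(BEFORE_LOG, AFTER_LOG)
    print("removed:", [e.name for e in changes["removed"]])
    print("added:", [e.name for e in changes["added"]])
```

Run against the two excerpts it reports `german.exe` as the only removed value and nothing added, which is exactly what the helper wanted to confirm before moving on to the files in `drivers\down`.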

  10. #20
    Retired Security Volunteer
    Join Date
    Sep 2007
    Location
    Ireland
    Posts
    1,620

    Default

    Hello

    There are still a lot of new xxxx.exe in system32\drivers\down, where xxxx are 5- or 6-figure numbers. Some of these files have icons equal to that of wintems.exe (a keychain with keys). None of them is running as a process.
    Let's be safe and scan them. Follow these steps for all of the exe files in that folder that have the icon; if there are more than five of these exe files, then don't bother scanning the rest of them.



    Go to this site:
    http://www.virustotal.com/
    On top you'll find 'Browse'
    Click the browse button and browse to the file:

    FILE HERE, eg : C:\WINDOWS\system32\drivers\srosa.sys

    Click open.
    Then click the 'Send' button next to it.
    This will scan the file. Please be patient.
    Once scanned, copy and paste the results as well in your next reply.
    Who watches The Watchmen?

    It's like you said. All I am is what I'm going after.

    ~Scratch~
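The post above asks for up to five of the numeric-named files to be uploaded one at a time through the VirusTotal form. The script below is an added example, not part of this thread: it collects the same kind of files from a folder, hashes each one and checks for the `MZ` header every Windows executable starts with, and groups identical copies so that only distinct files need a lookup. Files that share an icon may be byte-for-byte copies, and hashing first shows which ones actually differ. The lookup URL format is that of the current VirusTotal web interface, not the 2008 upload form the post describes, and the folder and files created by `build_constructed_sample()` are constructed for the demonstration.

```python
"""Hash the numeric-named .exe files in a folder so they can be checked
against VirusTotal by hash instead of uploading each one.

Added example, not part of this thread. The folder, file names and
contents built by build_constructed_sample() are constructed; on the
machine in the thread the folder would be C:\\WINDOWS\\system32\\drivers\\down.
"""
import hashlib
import os
import re
import tempfile
from dataclasses import dataclass

# The poster described the files as xxxx.exe where xxxx is a 5- or 6-figure number.
NUMERIC_EXE = re.compile(r"^\d{5,6}\.exe$", re.IGNORECASE)


@dataclass(frozen=True)
class FileReport:
    name: str
    size: int
    is_pe: bool   # True when the file starts with the "MZ" header of a Windows executable
    md5: str
    sha256: str


def report_file(path: str) -> FileReport:
    """Hash one file in chunks and note whether it even looks like an executable."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as fh:
        head = fh.read(2)
        md5.update(head)
        sha256.update(head)
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return FileReport(os.path.basename(path), os.path.getsize(path),
                      head == b"MZ", md5.hexdigest(), sha256.hexdigest())


def numeric_exe_reports(folder: str, limit: int = 5) -> list[FileReport]:
    """Reports for the first `limit` numeric-named .exe files (the post says five is enough)."""
    names = sorted(n for n in os.listdir(folder) if NUMERIC_EXE.match(n))
    return [report_file(os.path.join(folder, n)) for n in names[:limit]]


def unique_by_hash(reports: list[FileReport]) -> dict[str, list[str]]:
    """Group file names by SHA-256: identical copies need only one lookup."""
    groups: dict[str, list[str]] = {}
    for r in reports:
        groups.setdefault(r.sha256, []).append(r.name)
    return groups


def lookup_urls(reports: list[FileReport]) -> list[str]:
    """One VirusTotal hash-lookup URL per distinct file (current web UI, not the 2008 upload form)."""
    return [f"https://www.virustotal.com/gui/file/{sha}" for sha in unique_by_hash(reports)]


def build_constructed_sample() -> str:
    """Create a throwaway folder of constructed files mimicking the poster's description."""
    folder = tempfile.mkdtemp(prefix="drivers_down_")
    fake_pe = b"MZ" + b"\x90" * 200          # constructed: MZ header only, not a real executable
    files = {
        "12345.exe": fake_pe,                # numeric name, looks like a PE
        "654321.exe": fake_pe,               # identical copy: same hash, one lookup
        "123456.exe": b"not an executable",  # numeric name but no MZ header
        "99.exe": fake_pe,                   # too few digits: ignored
        "readme.txt": b"ignored",            # not an .exe: ignored
    }
    for name, data in files.items():
        with open(os.path.join(folder, name), "wb") as fh:
            fh.write(data)
    return folder


if __name__ == "__main__":
    folder = build_constructed_sample()
    reports = numeric_exe_reports(folder)
    for r in reports:
        print(f"{r.name:12} {r.size:6} bytes  PE={r.is_pe}  sha256={r.sha256}")
    for url in lookup_urls(reports):
        print(url)
```

Point `numeric_exe_reports()` at the real folder instead of the constructed one and paste the printed hashes, sizes and lookup results into the reply; a hash that VirusTotal has never seen is itself worth mentioning, since it means the file still has to be uploaded.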
