can't get rid of hldrrr.exe, srosa.sys, wintems.exe

OK. The first one I uploaded was identified as already scanned. I had it rescanned nevertheless, and the result is:

File 36015.exe received on 01.09.2008 19:58:54 (CET)
Antivirus Version Last Update Result
AhnLab-V3 2008.1.10.10 2008.01.09 Win-Trojan/Downloader.471556
AntiVir 7.6.0.46 2008.01.09 WORM/Bagle.Gen
Authentium 4.93.8 2008.01.09 -
Avast 4.7.1098.0 2008.01.08 Win32:Beagle-YN
AVG 7.5.0.516 2008.01.09 Generic9.ADGV
BitDefender 7.2 2008.01.09 Win32.Bagle.STT@mm
CAT-QuickHeal 9.00 2008.01.09 Win32.Backdoor.Rbot.bmr
ClamAV 0.91.2 2008.01.09 PUA.Packed.Themida
DrWeb 4.44.0.09170 2008.01.09 Win32.HLLM.Beagle
eSafe 7.0.15.0 2008.01.08 Win32.Mitglieder
eTrust-Vet 31.3.5444 2008.01.09 -
Ewido 4.0 2008.01.09 -
FileAdvisor 1 2008.01.09 -
Fortinet 3.14.0.0 2008.01.09 W32/Bagle.HI!worm
F-Prot 4.4.2.54 2008.01.09 -
F-Secure 6.70.13030.0 2008.01.09 Trojan-Downloader.Win32.Bagle.ho
Ikarus T3.1.1.20 2008.01.09 Virus.Win32.Beagle.YN
Kaspersky 7.0.0.125 2008.01.09 Trojan-Downloader.Win32.Bagle.ho
McAfee 5203 2008.01.09 Generic Downloader.ab
Microsoft 1.3109 2008.01.09 TrojanProxy:Win32/Mitglieder.KT
NOD32v2 2778 2008.01.09 Win32/Bagle.LF
Norman 5.80.02 2008.01.09 SDBot.gen8
Panda 9.0.0.4 2008.01.09 W32/Bagle.QP.worm
Prevx1 V2 2008.01.09 Trojan.Mitglieder
Rising 20.26.21.00 2008.01.09 -
Sophos 4.24.0 2008.01.09 -
Sunbelt 2.2.907.0 2008.01.09 VIPRE.Suspicious
Symantec 10 2008.01.09 Trojan.Mitglieder
TheHacker 6.2.9.184 2008.01.08 W32/Behav-Heuristic-064
VBA32 3.12.2.5 2008.01.09 -
VirusBuster 4.3.26:9 2008.01.09 -
Webwasher-Gateway 6.6.2 2008.01.09 Worm.Bagle.Gen

Additional information
File size: 471556 bytes
MD5: a14a5261685fad6735165b695175df15
SHA1: ba7e102f32030b71164e132918a4c25b13e9a2e3
PEiD: Themida/WinLicense V1.8.0.2 + -> Oreans Technologies
packers: Themida
Prevx info: http://info.prevx.com/aboutprogramtext.asp?PX5=F388B2440420DF753258077D532078001CB1110F
Sunbelt info: VIPRE.Suspicious is a generic detection for potential threats that are deemed suspicious through heuristics.


I uploaded a few others from the folder. The ones with the wintems icon were all identified as malware. The ones without the icon were reported as clean. I have to say, though, that they were all downloaded together; they all have the same timestamps. I would get rid of all of them, what do you say?

I guess I remove them with MoveIt?

In the meantime I have checked services.msc and Windows Firewall is again in Automatic, and started!

Should I now reinstall spybot and my antivirus, and run them? Which ones?

Guillermo
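The multi-engine report above is a flat text table, and the names the engines give the same sample vary (Bagle, Beagle, Mitglieder are all one family). The following is an added example, not code from the thread or from any of the tools it mentions: it parses that report format, computes the detection ratio, normalises the vendor names to one family via an alias table, and fingerprints a local file so it can be matched to the report's MD5/SHA1 block by content rather than by its numeric file name. The sample rows are a constructed subset of the report above; the alias table and the minimum-vote threshold are the example's own assumptions.

```python
import hashlib
import re
from collections import Counter

# One line per engine: "<engine> <version> <yyyy.mm.dd> <result>"; the result
# column may itself contain spaces ("Generic Downloader.ab"), so it is matched last.
VT_LINE = re.compile(
    r"^(?P<engine>\S+)\s+(?P<version>\S+)\s+(?P<updated>\d{4}\.\d{2}\.\d{2})\s+(?P<result>.+)$"
)

# Aliases used by different engines for the same worm family (assumption taken
# from the names in the report above). Matched as case-insensitive substrings.
FAMILY_ALIASES = {"bagle": ("bagle", "beagle", "mitglieder")}

# Constructed sample: a subset of the report's own rows, copied verbatim, with
# the header line that precedes them.
SAMPLE_REPORT = """\
Antivirus Version Last Update Result
AhnLab-V3 2008.1.10.10 2008.01.09 Win-Trojan/Downloader.471556
AntiVir 7.6.0.46 2008.01.09 WORM/Bagle.Gen
Authentium 4.93.8 2008.01.09 -
Avast 4.7.1098.0 2008.01.08 Win32:Beagle-YN
BitDefender 7.2 2008.01.09 Win32.Bagle.STT@mm
ClamAV 0.91.2 2008.01.09 PUA.Packed.Themida
eSafe 7.0.15.0 2008.01.08 Win32.Mitglieder
F-Prot 4.4.2.54 2008.01.09 -
Kaspersky 7.0.0.125 2008.01.09 Trojan-Downloader.Win32.Bagle.ho
McAfee 5203 2008.01.09 Generic Downloader.ab
Microsoft 1.3109 2008.01.09 TrojanProxy:Win32/Mitglieder.KT
Sophos 4.24.0 2008.01.09 -
Sunbelt 2.2.907.0 2008.01.09 VIPRE.Suspicious
Symantec 10 2008.01.09 Trojan.Mitglieder
"""


def parse_report(text):
    """Return one dict per engine row; header and free-text lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = VT_LINE.match(line.strip())
        if m:
            rows.append(m.groupdict())
    return rows


def detection_ratio(rows):
    """(engines that flagged the file, engines that scanned it)."""
    detected = sum(1 for r in rows if r["result"].strip() != "-")
    return detected, len(rows)


def family_votes(rows, aliases=FAMILY_ALIASES):
    """Count detections per normalised family; names matching no alias count as 'other'."""
    votes = Counter()
    for r in rows:
        result = r["result"].strip().lower()
        if result == "-":
            continue
        for family, needles in aliases.items():
            if any(n in result for n in needles):
                votes[family] += 1
                break
        else:
            votes["other"] += 1  # generic, heuristic or packer-only detections
    return votes


def consensus(rows, min_votes=3):
    """Best-supported named family, or None if no family reaches min_votes."""
    named = {f: n for f, n in family_votes(rows).items() if f != "other"}
    if not named:
        return None
    family, n = max(named.items(), key=lambda kv: kv[1])
    return family if n >= min_votes else None


def fingerprint(data):
    """Size, MD5 and SHA1 of a file's bytes, for matching a local file against the
    'Additional information' block of a report instead of trusting its name."""
    return {
        "size": len(data),
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
    }


if __name__ == "__main__":
    rows = parse_report(SAMPLE_REPORT)
    print("detected %d/%d" % detection_ratio(rows))
    print(dict(family_votes(rows)), "consensus:", consensus(rows))
```

On the sample rows this reports 11 of 14 engines detecting, 7 of them naming the Bagle family under one alias or another; the remaining four are generic, heuristic or packer (Themida) names that say nothing about the family, which is why they are counted separately rather than treated as disagreement.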
 
No need to scan the rest, they are all bad as expected. They should have shown up in the ComboFix log.

What is the time stamp for these files ?

Do the following

Before we begin, you should save these instructions in Notepad to your desktop, or print them, for easy reference. Much of our fix will be done in Safe mode, and you will be unable to access this thread at that time. If you have questions at any point, or are unsure of the instructions, feel free to post here and ask for clarification before proceeding.


Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally paste the contents of the Report.txt back on the forum.




Download WinPFind35U.exe to your Desktop and double-click on it to extract the files. It will create a folder named WinPFind35u on your desktop.
  • Open the WinPFind35u folder and double-click on WinPFind35U.exe to start the program.
  • Under Rootkit Search on the left change it to Yes
  • Under Additional Scans check the box beside Reg - Disabled MS Config Items.
  • Under Files Created Within change it to 90 days, do the same for Files Modified Within.
  • Now click the Run Scan button on the toolbar.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
Use the Add Reply button and Copy/Paste the information back here in an attachment. I will review it when it comes in. The last line is < End of Report >, so make sure that is the last line in the attached report.

Make sure you attach the report in your reply. You will need to host this attachment on another site like mediafire as you can't upload here unfortunately.
 
What is the time stamp for these files ?

The 29 files now present are from today, from 14:04 to 14:11 local time, which was, I believe, the last time that wintems.exe was seen running. Not sure though. Many more were downloaded before, and I deleted them several times (not to the recycler).

I am proceeding with your last instructions now, in safe mode. See you later.

Guillermo
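The reasoning in the last two posts, that files written within the same few minutes were dropped by the same process and should be treated as one batch, can be made mechanical. This is an added example, not code from the thread: it groups file modification times into bursts (consecutive files closer together than a chosen gap), reports each burst's size and span, and can read a directory directly. The sample timestamps are constructed to stand in for the 14:04 to 14:11 batch described above plus two unrelated older files; the 5-minute default gap is the example's own assumption.

```python
import os
from datetime import datetime

# Constructed sample: modification times standing in for files in the
# system32\drivers\down folder (a burst between 14:04 and 14:11 on 2008-01-09)
# plus two unrelated, much older files.
SAMPLE_TIMES = {
    "msimn.exe": datetime(2004, 8, 19, 9, 30),
    "setup.exe": datetime(2007, 11, 1, 16, 12),
    "36015.exe": datetime(2008, 1, 9, 14, 4, 10),
    "39234.exe": datetime(2008, 1, 9, 14, 4, 55),
    "77218.exe": datetime(2008, 1, 9, 14, 7, 2),
    "112062.exe": datetime(2008, 1, 9, 14, 11, 40),
}


def cluster_by_time(times, max_gap_seconds=300):
    """Group {name: datetime} into bursts: a file joins the current burst when
    it is written within max_gap_seconds of the previous file, otherwise it
    starts a new burst. Bursts come back in time order."""
    ordered = sorted(times.items(), key=lambda kv: kv[1])
    bursts = []
    for name, when in ordered:
        if bursts and (when - bursts[-1][-1][1]).total_seconds() <= max_gap_seconds:
            bursts[-1].append((name, when))
        else:
            bursts.append([(name, when)])
    return bursts


def summarize(bursts):
    """One record per burst: member count, first/last timestamp, span, names."""
    out = []
    for b in bursts:
        out.append({
            "count": len(b),
            "start": b[0][1],
            "end": b[-1][1],
            "span_seconds": (b[-1][1] - b[0][1]).total_seconds(),
            "names": [n for n, _ in b],
        })
    return out


def largest_burst(times, max_gap_seconds=300):
    """The burst with the most members, or None for an empty input."""
    bursts = summarize(cluster_by_time(times, max_gap_seconds))
    return max(bursts, key=lambda s: s["count"]) if bursts else None


def mtimes_in_dir(path):
    """Modification times of the regular files in one directory (not recursive),
    in the shape cluster_by_time expects."""
    times = {}
    with os.scandir(path) as it:
        for entry in it:
            if entry.is_file(follow_symlinks=False):
                times[entry.name] = datetime.fromtimestamp(entry.stat().st_mtime)
    return times


if __name__ == "__main__":
    for s in summarize(cluster_by_time(SAMPLE_TIMES)):
        print("%2d file(s)  %s .. %s  (%.0f s)  %s"
              % (s["count"], s["start"], s["end"], s["span_seconds"], ", ".join(s["names"])))
```

Run against a real folder with `summarize(cluster_by_time(mtimes_in_dir(r"C:\WINDOWS\system32\drivers\down")))`. A large burst of executables with numeric names written inside a few minutes, and nothing else in the folder, is exactly the pattern the thread is reasoning about; a file that falls outside the burst deserves a separate look rather than an automatic delete.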
 
I was reading the instructions before proceeding. I say, Rorschach, should the WinPFind35U part also be run in safe mode? Or do I reboot in normal mode for it? Just to be sure...

Guillermo
 
Thanks. That's what I thought. Here's the SDFix report. I'll proceed with WinPFind35U (such a name!).


SDFix: Version 1.125

Run by Abramson on Wed 01/09/2008 at 05:45 PM

Microsoft Windows XP [Versión 5.1.2600]

Running From: c:\SDFix

Safe Mode:
Checking Services:


Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...


Normal Mode:
Checking Files:

No Trojan Files Found





Removing Temp Files...

ADS Check:

C:\WINDOWS
No streams found.

C:\WINDOWS\system32
No streams found.

C:\WINDOWS\system32\svchost.exe
No streams found.

C:\WINDOWS\system32\ntoskrnl.exe
No streams found.



Final Check:

catchme 0.3.1344.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-09 17:51:47
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...


scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 1


Remaining Services:
------------------



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

Remaining Files:
---------------


Files with Hidden Attributes:

Thu 19 Aug 2004 60,416 A.SH. --- "C:\Archivos de programa\Outlook Express\msimn.exe"
Thu 1 Nov 2007 5,903,928 A..H. --- "C:\Archivos de programa\Picasa2\setup.exe"
Wed 3 Oct 2007 0 A.SH. --- "C:\Documents and Settings\All Users.WINDOWS\DRM\Cache\Indiv01.tmp"
Wed 3 Oct 2007 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\b3958dae49728da026def65195c3aa84\BIT32.tmp"

Finished!
 
Done with WinPFind35U also. I tried to attach the file here but it seems to be too large. I placed it on my webpage: WinPFind35.Txt

But: something is weird with this file. Even though it is all there, down to the last line <End of Report>, I cannot open it correctly in the browser. You can still use "save target as" to have it in full (perhaps non-ASCII characters).

I placed a zipped version, perhaps it gets transmitted better: WinPFind35.zip

Guillermo
 
I can't believe it: the infection has reappeared. I presume after the last reboot (the one between SDFix and WinPFind35U).

The exe and sys files are again there. IceSword again shows the bad processes and SSDTs... Firewall is deactivated...

What went wrong?

Guillermo
 
And 23 additional bad files were downloaded before I noticed and terminated the processes in IceSword.

Guillermo
 
I need to leave now. Will continue tomorrow. Thanks for your help, Rorschach112. See you tomorrow and we finish it.

Guillermo
 
Don't worry Guillermo we will get rid of the infections.

Start WinPFind35U. Copy/Paste the information in the quotebox below into the panel where it says "Paste fix here" and then click the Run Fix button.

[Kill Explorer]
[Unregister Dlls]
[Processes - Non-Microsoft Only]
YY -> wintems.exe -> %System32%\wintems.exe
[Win32 Services - Non-Microsoft Only]
YN -> (aswUpdSv) avast! iAVS4 Control Service [Win32_Own | Disabled | Stopped] -> %ProgramFiles%\Antivirus\Avast\aswUpdSv.exe
YN -> (avast! Antivirus) avast! Antivirus [Win32_Own | Disabled | Stopped] -> %ProgramFiles%\Antivirus\Avast\ashServ.exe
YN -> (avast! Mail Scanner) avast! Mail Scanner [Win32_Own | Disabled | Stopped] -> %ProgramFiles%\Antivirus\Avast\ashMaiSv.exe
YN -> (avast! Web Scanner) avast! Web Scanner [Win32_Own | Disabled | Stopped] -> %ProgramFiles%\Antivirus\Avast\ashWebSv.exe
YN -> (AVG Anti-Spyware Guard) AVG Anti-Spyware Guard [Win32_Own | Auto | Stopped] -> %ProgramFiles%\Grisoft\AVG Anti-Spyware 7.5\guard.exe
YN -> (Avg7Alrt) AVG7 Alert Manager Server [Win32_Own | Disabled | Stopped] -> %SystemDrive%\ARCHIV~1\Grisoft\AVG7\avgamsvr.exe
YN -> (Avg7UpdSvc) AVG7 Update Service [Win32_Own | Disabled | Stopped] -> %SystemDrive%\ARCHIV~1\Grisoft\AVG7\avgupsvc.exe
YN -> (AVGEMS) AVG E-mail Scanner [Win32_Own | Auto | Stopped] -> %SystemDrive%\ARCHIV~1\Grisoft\AVG7\avgemc.exe
YN -> (sdAuxService) PC Tools Auxiliary Service [Win32_Own | Auto | Stopped] -> %ProgramFiles%\Spyware Doctor\svcntaux.exe
YN -> (sdCoreService) PC Tools Security Service [Win32_Own | Auto | Stopped] -> %ProgramFiles%\Spyware Doctor\swdsvc.exe
[Registry - Non-Microsoft Only]
< Internet Explorer Extensions [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\
YN -> {92780B25-18CC-41C8-B9BE-3C9C571A8263}: [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Referencia]
< Internet Explorer Extensions [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Extensions\
YN -> CmdMapping\\{92780B25-18CC-41C8-B9BE-3C9C571A8263} [HKEY_LOCAL_MACHINE] -> [Referencia]
NY -> CmdMapping\\{DFB852A3-47F8-48C4-A200-58CAB36FD2A2} [HKEY_LOCAL_MACHINE] -> %ProgramFiles%\Antivirus\Spybot\SDHelper.dll [Spybot - Search & Destroy Configuration]
< Internet Explorer Menu Extensions [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\
YN -> Convertir a PDF de Adobe -> %ProgramFiles%\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll\AcroIECapture.htm
YN -> Convertir a PDF existente -> %ProgramFiles%\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll\AcroIEAppend.htm
YN -> Convertir destino de vínculo a PDF existente -> %ProgramFiles%\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll\AcroIEAppend.htm
YN -> Convertir destino de vínculo en archivo PDF de Adobe -> %ProgramFiles%\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll\AcroIECapture.htm
YN -> Convertir selección a archivo PDF existente -> %ProgramFiles%\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll\AcroIEAppend.htm
YN -> Convertir selección a PDF de Adobe -> %ProgramFiles%\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll\AcroIECapture.htm
YN -> Convertir vínculos seleccionados a PDF de Adobe -> %ProgramFiles%\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll\AcroIECaptureSelLinks.htm
YN -> Convertir vínculos seleccionados a PDF existente -> %ProgramFiles%\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll\AcroIEAppendSelLinks.htm
YN -> E&xportar a Microsoft Excel ->
[Files/Folders - Created Within 90 days]
YY -> 112062.exe -> %System32%\drivers\down\112062.exe
YY -> 126609.exe -> %System32%\drivers\down\126609.exe
YY -> 128218.exe -> %System32%\drivers\down\128218.exe
YY -> 136468.exe -> %System32%\drivers\down\136468.exe
YY -> 148046.exe -> %System32%\drivers\down\148046.exe
YY -> 148625.exe -> %System32%\drivers\down\148625.exe
YY -> 157625.exe -> %System32%\drivers\down\157625.exe
YY -> 172015.exe -> %System32%\drivers\down\172015.exe
YY -> 172968.exe -> %System32%\drivers\down\172968.exe
YY -> 201078.exe -> %System32%\drivers\down\201078.exe
YY -> 205234.exe -> %System32%\drivers\down\205234.exe
YY -> 206437.exe -> %System32%\drivers\down\206437.exe
YY -> 210843.exe -> %System32%\drivers\down\210843.exe
YY -> 212625.exe -> %System32%\drivers\down\212625.exe
YY -> 216515.exe -> %System32%\drivers\down\216515.exe
YY -> 236765.exe -> %System32%\drivers\down\236765.exe
YY -> 257734.exe -> %System32%\drivers\down\257734.exe
YY -> 261281.exe -> %System32%\drivers\down\261281.exe
YY -> 262093.exe -> %System32%\drivers\down\262093.exe
YY -> 263078.exe -> %System32%\drivers\down\263078.exe
YY -> 264218.exe -> %System32%\drivers\down\264218.exe
YY -> 269906.exe -> %System32%\drivers\down\269906.exe
YY -> 281609.exe -> %System32%\drivers\down\281609.exe
YY -> 36015.exe -> %System32%\drivers\down\36015.exe
YY -> 39234.exe -> %System32%\drivers\down\39234.exe
YY -> 425750.exe -> %System32%\drivers\down\425750.exe
YY -> 437484.exe -> %System32%\drivers\down\437484.exe
YY -> 446437.exe -> %System32%\drivers\down\446437.exe
YY -> 449625.exe -> %System32%\drivers\down\449625.exe
YY -> 452875.exe -> %System32%\drivers\down\452875.exe
YY -> 455140.exe -> %System32%\drivers\down\455140.exe
YY -> 459015.exe -> %System32%\drivers\down\459015.exe
YY -> 460140.exe -> %System32%\drivers\down\460140.exe
YY -> 468109.exe -> %System32%\drivers\down\468109.exe
YY -> 571625.exe -> %System32%\drivers\down\571625.exe
YY -> 572437.exe -> %System32%\drivers\down\572437.exe
YY -> 580406.exe -> %System32%\drivers\down\580406.exe
YY -> 594140.exe -> %System32%\drivers\down\594140.exe
YY -> 595421.exe -> %System32%\drivers\down\595421.exe
YY -> 614015.exe -> %System32%\drivers\down\614015.exe
YY -> 626718.exe -> %System32%\drivers\down\626718.exe
YY -> 635109.exe -> %System32%\drivers\down\635109.exe
YY -> 637984.exe -> %System32%\drivers\down\637984.exe
YY -> 647031.exe -> %System32%\drivers\down\647031.exe
YY -> 77218.exe -> %System32%\drivers\down\77218.exe
YY -> wget.exe -> %SystemRoot%\wget.exe
[Files/Folders - Modified Within 90 days]
YY -> 112062.exe -> %System32%\drivers\down\112062.exe
YY -> 126609.exe -> %System32%\drivers\down\126609.exe
YY -> 128218.exe -> %System32%\drivers\down\128218.exe
YY -> 136468.exe -> %System32%\drivers\down\136468.exe
YY -> 148046.exe -> %System32%\drivers\down\148046.exe
YY -> 148625.exe -> %System32%\drivers\down\148625.exe
YY -> 157625.exe -> %System32%\drivers\down\157625.exe
YY -> 172015.exe -> %System32%\drivers\down\172015.exe
YY -> 172968.exe -> %System32%\drivers\down\172968.exe
YY -> 201078.exe -> %System32%\drivers\down\201078.exe
YY -> 205234.exe -> %System32%\drivers\down\205234.exe
YY -> 206437.exe -> %System32%\drivers\down\206437.exe
YY -> 210843.exe -> %System32%\drivers\down\210843.exe
YY -> 212625.exe -> %System32%\drivers\down\212625.exe
YY -> 216515.exe -> %System32%\drivers\down\216515.exe
YY -> 236765.exe -> %System32%\drivers\down\236765.exe
YY -> 257734.exe -> %System32%\drivers\down\257734.exe
YY -> 261281.exe -> %System32%\drivers\down\261281.exe
YY -> 262093.exe -> %System32%\drivers\down\262093.exe
YY -> 263078.exe -> %System32%\drivers\down\263078.exe
YY -> 264218.exe -> %System32%\drivers\down\264218.exe
YY -> 269906.exe -> %System32%\drivers\down\269906.exe
YY -> 281609.exe -> %System32%\drivers\down\281609.exe
YY -> 36015.exe -> %System32%\drivers\down\36015.exe
YY -> 39234.exe -> %System32%\drivers\down\39234.exe
YY -> 425750.exe -> %System32%\drivers\down\425750.exe
YY -> 437484.exe -> %System32%\drivers\down\437484.exe
YY -> 446437.exe -> %System32%\drivers\down\446437.exe
YY -> 449625.exe -> %System32%\drivers\down\449625.exe
YY -> 452875.exe -> %System32%\drivers\down\452875.exe
YY -> 455140.exe -> %System32%\drivers\down\455140.exe
YY -> 459015.exe -> %System32%\drivers\down\459015.exe
YY -> 460140.exe -> %System32%\drivers\down\460140.exe
YY -> 468109.exe -> %System32%\drivers\down\468109.exe
YY -> 571625.exe -> %System32%\drivers\down\571625.exe
YY -> 572437.exe -> %System32%\drivers\down\572437.exe
YY -> 580406.exe -> %System32%\drivers\down\580406.exe
YY -> 594140.exe -> %System32%\drivers\down\594140.exe
YY -> 595421.exe -> %System32%\drivers\down\595421.exe
YY -> 614015.exe -> %System32%\drivers\down\614015.exe
YY -> 626718.exe -> %System32%\drivers\down\626718.exe
YY -> 635109.exe -> %System32%\drivers\down\635109.exe
YY -> 637984.exe -> %System32%\drivers\down\637984.exe
YY -> 647031.exe -> %System32%\drivers\down\647031.exe
YY -> 77218.exe -> %System32%\drivers\down\77218.exe
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
YN -> "drvsyskit"="C:\WINDOWS\system32\drivers\hldrrr.exe" ->
YN -> "german.exe"="C:\WINDOWS\system32\wintems.exe" ->
YN -> C:\WINDOWS\system32\wintems.exe 471556 bytes executable ->
YN -> C:\WINDOWS\system32\drivers\srosa.sys 108928 bytes executable ->
YN -> C:\WINDOWS\system32\drivers\hldrrr.exe 533734 bytes executable ->
[Empty Temp Folders]
[Start Explorer]
[ZipFiles]

The fix should only take a very short time. When the fix is completed a message box will popup telling you that it is finished. Click the Ok button and Notepad will open with a log of actions taken during the fix. Post that information back here .

I will review the information when it comes back in.



Then run ComboFix.exe again straight after and post that log here. Also do the IceSword steps again, however the files/processes may not be there. Also post a new IceSword log.


You should find a zip file after you run WinPFind35. I need you to do the following with it

CLICK THIS LINK TO BE SURE YOU CAN VIEW HIDDEN FILES

Please go here:
The Spy Killer Forum
  • Click on "New Topic"
  • Put your name, e-mail address, and this as the title: "%System32%\drivers\down\210843.exe and more"
  • Put a link to this topic in the description box.
  • Then next to the file box, at the bottom, click the browse button, then navigate to this file:

    • %System32%\drivers\down\210843.exe and more

  • Click Open.
  • Click Post.
Thank you!


Then reboot and see how your PC is running and let me know how it all went.
 
Hi, Rorschach112. Thanks for your post. I was just writing when it arrived. Before I proceed, let me tell you what happened yesterday, after my last post reporting the re-infection.

I re-applied the two steps that you suggested, which were able to remove the infection even after a reboot. These were:

1. Prepare a CFScript.txt with instructions for file removal and registry repair. In the file removal, I added all the bad files downloaded by the virus in system32\drivers\down, besides hldrrr.exe.

2. Drop this script on top of ComboFix.

3. Run avz4 to repair SafeBoot (fortunately I had been able to update before, since network connection was again broken after ComboFix).

4. Reboot.

After this, the computer was clean. IceSword reported no hidden processes nor bad SSDT. AVG AntiRootkit reported all clean. The bad files were gone. I waited a few minutes and all continued to be OK. So I decided to:

5. Reinstall Spybot. The installer ran (good!). A full scan found a couple of bad items (one of them seemed related to the Bagle, which seems to be the infection I had). I removed all.

6. Reinstall AVG. The installer ran (excellent!). I started a complete scan and went to bed. Today the results showed 16 infections found, all removed (several were in the vaults of the tools run at your suggestion). After this I reinstalled Avast and ran a new full scan, which found nothing.

One interesting note: Immediately after AVG completed installation, it reported that WinPFind35U, on my Desktop, was infected. It was moved to the vault, and it's now there. WinPFind35U was the last tool I ran, after which the infection reappeared. What do you think? Is it possible that the downloaded file was infected, or that the virus took refuge in an otherwise clean tool? Isn't it strange?

So, the system seems now clean. I would rather run some scan if you suggest so, to verify the results of Spybot, AVG and Avast. I do not believe that further cleaning is necessary. Let me know your opinion.

Guillermo
 
Hello Guillermo, sounds like you did a pretty good job!

The reason why your infection came back was due to all those .exe files. They weren't showing up in any of your logs, which is strange.

Immediately after AVG completed installation, it reported that WinPFind35U, on my Desktop, was infected.
Unfortunately this is a false positive. A lot of our tools get detected as malware even though they are not, it is something we have to live with. Do not worry about it though.


Let's just do another scan to be 100% sure you are clean. There are probably a few remains left.


Do this again

Download WinPFind35U.exe to your Desktop and double-click on it to extract the files. It will create a folder named WinPFind35u on your desktop.
  • Open the WinPFind35u folder and double-click on WinPFind35U.exe to start the program.
  • Under Rootkit Search on the left change it to Yes
  • Under Additional Scans check the box beside Reg - Disabled MS Config Items.
  • Now click the Run Scan button on the toolbar.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
Use the Add Reply button and Copy/Paste the information back here in an attachment. I will review it when it comes in. The last line is < End of Report >, so make sure that is the last line in the attached report.

Make sure you attach the report in your reply.



Also post a new HijackThis log.


Can you also run IceSword and take a screenshot of the following areas : Processes, Win32 Services, SSDT, making sure to have the red entries in the screenshot if present, if there are none take a screenshot anyway for me.
 
Hi. Unfortunately, AVG does not allow me to run WinPFind35U. Even if I tell it to "Ignore" the threat, Windows then gives me a "can't access" error when I try to run the tool.

Guillermo
 
Can you make sure AVG is fully closed, then re-download WinPFind35 again and run it

If not then do this

Please download Deckard's System Scanner (DSS) and save it to your Desktop.
  • Close all other windows before proceeding.
  • Double-click on dss.exe and follow the prompts.
  • If your anti-virus or firewall complains, please allow this script to run as it is not malicious.
  • When it has finished, dss will open two Notepads main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.


Then do the other steps in my previous post
 
Here's a HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:16:02 PM, on 1/10/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Archivos de programa\Antivirus\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Archivos de programa\Antivirus\Avast\aswUpdSv.exe
C:\Archivos de programa\Antivirus\Avast\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Archivos de programa\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\Archivos de programa\Logitech\iTouch\iTouch.exe
C:\Archivos de programa\Net\FileZilla Server\FileZilla Server Interface.exe
C:\ARCHIV~1\Grisoft\AVG7\avgcc.exe
C:\ARCHIV~1\ANTIVI~1\Avast\ashDisp.exe
C:\Archivos de programa\Antivirus\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\ARCHIV~1\Grisoft\AVG7\avgamsvr.exe
C:\ARCHIV~1\Grisoft\AVG7\avgupsvc.exe
C:\ARCHIV~1\Grisoft\AVG7\avgemc.exe
C:\Archivos de programa\Net\FileZilla Server\FileZilla Server.exe
C:\Archivos de programa\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Archivos de programa\Antivirus\Avast\ashMaiSv.exe
C:\Archivos de programa\Antivirus\Avast\ashWebSv.exe
C:\Archivos de programa\Net\Opera\Opera.exe
C:\Archivos de programa\Util\Total Commander 7\TOTALCMD.EXE
C:\Archivos de programa\Util\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.cab.cnea.gov.ar:3128
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.cnea.gov.ar;*.ib.edu.ar;*.local;<local>
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Archivos de programa\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\ARCHIV~1\ANTIVI~1\Spybot\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Archivos de programa\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Archivos de programa\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Archivos de programa\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O3 - Toolbar: PDF de Adobe - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Archivos de programa\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Archivos de programa\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Archivos de programa\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Archivos de programa\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [FileZilla Server Interface] "C:\Archivos de programa\Net\FileZilla Server\FileZilla Server Interface.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Archivos de programa\Archivos comunes\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\ARCHIV~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [avast!] C:\ARCHIV~1\ANTIVI~1\Avast\ashDisp.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Archivos de programa\Antivirus\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICIO LOCAL')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\ARCHIV~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SERVICIO LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Servicio de red')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: Convertir a PDF de Adobe - res://C:\Archivos de programa\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convertir a PDF existente - res://C:\Archivos de programa\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convertir destino de vínculo a PDF existente - res://C:\Archivos de programa\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convertir destino de vínculo en archivo PDF de Adobe - res://C:\Archivos de programa\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convertir selección a archivo PDF existente - res://C:\Archivos de programa\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convertir selección a PDF de Adobe - res://C:\Archivos de programa\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convertir vínculos seleccionados a PDF de Adobe - res://C:\Archivos de programa\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convertir vínculos seleccionados a PDF existente - res://C:\Archivos de programa\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\ARCHIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Consola de Sun Java - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Referencia - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARCHIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\ARCHIV~1\ANTIVI~1\Spybot\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\ARCHIV~1\ANTIVI~1\Spybot\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1191420182250
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{0050570D-B681-42C2-B56D-32BF2A16ADA1}: NameServer = 168.96.72.3,168.96.72.6
O17 - HKLM\System\CS1\Services\Tcpip\..\{0050570D-B681-42C2-B56D-32BF2A16ADA1}: NameServer = 168.96.72.3,168.96.72.6
O17 - HKLM\System\CS2\Services\Tcpip\..\{0050570D-B681-42C2-B56D-32BF2A16ADA1}: NameServer = 168.96.72.3,168.96.72.6
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\ARCHIV~1\ARCHIV~1\Skype\SKYPE4~1.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Archivos de programa\Archivos comunes\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Archivos de programa\Antivirus\Avast\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Archivos de programa\Antivirus\Avast\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Archivos de programa\Antivirus\Avast\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Archivos de programa\Antivirus\Avast\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - Unknown owner - C:\Archivos de programa\Grisoft\AVG Anti-Spyware 7.5\guard.exe (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\ARCHIV~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\ARCHIV~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\ARCHIV~1\Grisoft\AVG7\avgemc.exe
O23 - Service: FileZilla Server FTP server (FileZilla Server) - FileZilla Project - C:\Archivos de programa\Net\FileZilla Server\FileZilla Server.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Archivos de programa\Archivos comunes\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Desktop Manager 5.5.709.30344 (GoogleDesktopManager-093007-112848) - Google - C:\Archivos de programa\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Archivos de programa\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - Unknown owner - C:\Archivos de programa\Spyware Doctor\svcntaux.exe (file missing)
O23 - Service: PC Tools Security Service (sdCoreService) - Unknown owner - C:\Archivos de programa\Spyware Doctor\swdsvc.exe (file missing)

--
End of file - 10472 bytes
 
Here's an IceSword Processes log:

Process:

System Idle Process
System
C:\WINDOWS\RTHDCPL.exe
C:\Archivos de programa\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\rundll32.exe
C:\Archivos de programa\Logitech\iTouch\iTouch.exe
C:\Archivos de programa\Net\FileZilla Server\FileZilla Server Interface.exe
C:\ARCHIV~1\Grisoft\AVG7\avgcc.exe
C:\ARCHIV~1\ANTIVI~1\Avast\ashDisp.exe
C:\Archivos de programa\Antivirus\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\ARCHIV~1\Grisoft\AVG7\avgamsvr.exe
C:\ARCHIV~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\ARCHIV~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Archivos de programa\Net\FileZilla Server\FileZilla server.exe
C:\ARCHIV~1\Google\Common\GOOGLE~1\GOOGLE~1.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Archivos de programa\Antivirus\Windows Defender\MsMpEng.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Archivos de programa\Util\IceSword\IceSword.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Archivos de programa\Antivirus\Avast\aswUpdSv.exe
C:\Archivos de programa\Util\Total Commander 7\TOTALCMD.EXE
C:\Archivos de programa\Antivirus\Avast\ashServ.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Archivos de programa\Antivirus\Avast\ashMaiSv.exe
C:\Archivos de programa\Antivirus\Avast\ashWebSv.exe
C:\WINDOWS\system32\alg.exe
C:\Archivos de programa\Net\Opera\Opera.exe
 
Here's an IceSword Win32Services log:

Started Service:

Service Name:ALG Display Name:Servicio de puerta de enlace de capa de aplicación
Service Name:aswUpdSv Display Name:avast! iAVS4 Control Service
Service Name:AudioSrv Display Name:Audio de Windows
Service Name:avast! Antivirus Display Name:avast! Antivirus
Service Name:avast! Mail Scanner Display Name:avast! Mail Scanner
Service Name:avast! Web Scanner Display Name:avast! Web Scanner
Service Name:Avg7Alrt Display Name:AVG7 Alert Manager Server
Service Name:Avg7UpdSvc Display Name:AVG7 Update Service
Service Name:AVGEMS Display Name:AVG E-mail Scanner
Service Name:BITS Display Name:Servicio de transferencia inteligente en segundo plano
Service Name:Browser Display Name:Examinador de equipos
Service Name:CryptSvc Display Name:Servicios de cifrado
Service Name:DcomLaunch Display Name:Iniciador de procesos de servidor DCOM
Service Name:Dhcp Display Name:Cliente DHCP
Service Name:dmserver Display Name:Administrador de discos lógicos
Service Name:Dnscache Display Name:Cliente DNS
Service Name:ERSvc Display Name:Error Reporting Service
Service Name:Eventlog Display Name:Registro de sucesos
Service Name:EventSystem Display Name:Sistema de sucesos COM+
Service Name:FastUserSwitchingCompatibility Display Name:Compatibilidad de cambio rápido de usuario
Service Name:FileZilla Server Display Name:FileZilla Server FTP server
Service Name:gusvc Display Name:Google Updater Service
Service Name:helpsvc Display Name:Ayuda y soporte técnico
Service Name:lanmanserver Display Name:Servidor
Service Name:lanmanworkstation Display Name:Estación de trabajo
Service Name:LmHosts Display Name:Ayuda de NetBIOS sobre TCP/IP
Service Name:Netman Display Name:Conexiones de red
Service Name:Nla Display Name:NLA (Network Location Awareness)
Service Name:NVSvc Display Name:NVIDIA Display Driver Service
Service Name:PlugPlay Display Name:Plug and Play
Service Name:Pml Driver HPZ12 Display Name:Pml Driver HPZ12
Service Name:PolicyAgent Display Name:Servicios IPSEC
Service Name:ProtectedStorage Display Name:Almacenamiento protegido
Service Name:RasMan Display Name:Administrador de conexión de acceso remoto
Service Name:RemoteRegistry Display Name:Registro remoto
Service Name:RpcSs Display Name:Llamada a procedimiento remoto (RPC)
Service Name:SamSs Display Name:Administrador de cuentas de seguridad
Service Name:Schedule Display Name:Programador de tareas
Service Name:seclogon Display Name:Inicio de sesión secundario
Service Name:SENS Display Name:Notificación de sucesos del sistema
Service Name:SharedAccess Display Name:Firewall de Windows/Conexión compartida a Internet (ICS)
Service Name:ShellHWDetection Display Name:Detección de hardware shell
Service Name:Spooler Display Name:Cola de impresión
Service Name:srservice Display Name:Servicio de restauración de sistema
Service Name:SSDPSRV Display Name:Servicio de descubrimientos SSDP
Service Name:stisvc Display Name:Adquisición de imágenes de Windows (WIA)
Service Name:TapiSrv Display Name:Telefonía
Service Name:TermService Display Name:Servicios de Terminal Server
Service Name:Themes Display Name:Temas
Service Name:TrkWks Display Name:Cliente de seguimiento de vinculos distribuidos
Service Name:W32Time Display Name:Horario de Windows
Service Name:WebClient Display Name:Cliente Web
Service Name:WinDefend Display Name:Windows Defender
Service Name:winmgmt Display Name:Instrumental de administración de Windows
Service Name:wscsvc Display Name:Centro de seguridad
Service Name:wuauserv Display Name:Actualizaciones automáticas
 
Can you make sure AVG is fully closed, then re-download WinPFind35 and run it?

I don't find any AVG option that allows shutting down the antivirus. I could kill its processes, but there are probably several, even hidden ones (I'd say, to protect itself).

Here's the DSS Main log. No Extra log was produced (?).

Deckard's System Scanner v20071014.68
Run by Abramson on 2008-01-10 12:27:03
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as Abramson.exe) --------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:27:05 PM, on 1/10/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Archivos de programa\Antivirus\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Archivos de programa\Antivirus\Avast\aswUpdSv.exe
C:\Archivos de programa\Antivirus\Avast\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Archivos de programa\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\Archivos de programa\Logitech\iTouch\iTouch.exe
C:\Archivos de programa\Net\FileZilla Server\FileZilla Server Interface.exe
C:\ARCHIV~1\Grisoft\AVG7\avgcc.exe
C:\ARCHIV~1\ANTIVI~1\Avast\ashDisp.exe
C:\Archivos de programa\Antivirus\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\ARCHIV~1\Grisoft\AVG7\avgamsvr.exe
C:\ARCHIV~1\Grisoft\AVG7\avgupsvc.exe
C:\ARCHIV~1\Grisoft\AVG7\avgemc.exe
C:\Archivos de programa\Net\FileZilla Server\FileZilla Server.exe
C:\Archivos de programa\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Archivos de programa\Antivirus\Avast\ashMaiSv.exe
C:\Archivos de programa\Antivirus\Avast\ashWebSv.exe
C:\Documents and Settings\Abramson\Escritorio\dss.exe
C:\ARCHIV~1\Util\HIJACK~1\Abramson.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.cab.cnea.gov.ar:3128
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.cnea.gov.ar;*.ib.edu.ar;*.local;<local>
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Archivos de programa\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\ARCHIV~1\ANTIVI~1\Spybot\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Archivos de programa\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Archivos de programa\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Archivos de programa\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O3 - Toolbar: PDF de Adobe - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Archivos de programa\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Archivos de programa\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Archivos de programa\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Archivos de programa\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [FileZilla Server Interface] "C:\Archivos de programa\Net\FileZilla Server\FileZilla Server Interface.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Archivos de programa\Archivos comunes\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\ARCHIV~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [avast!] C:\ARCHIV~1\ANTIVI~1\Avast\ashDisp.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Archivos de programa\Antivirus\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICIO LOCAL')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\ARCHIV~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SERVICIO LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Servicio de red')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: Convertir a PDF de Adobe - res://C:\Archivos de programa\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convertir a PDF existente - res://C:\Archivos de programa\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convertir destino de vínculo a PDF existente - res://C:\Archivos de programa\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convertir destino de vínculo en archivo PDF de Adobe - res://C:\Archivos de programa\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convertir selección a archivo PDF existente - res://C:\Archivos de programa\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convertir selección a PDF de Adobe - res://C:\Archivos de programa\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convertir vínculos seleccionados a PDF de Adobe - res://C:\Archivos de programa\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convertir vínculos seleccionados a PDF existente - res://C:\Archivos de programa\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\ARCHIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Consola de Sun Java - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Referencia - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARCHIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\ARCHIV~1\ANTIVI~1\Spybot\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\ARCHIV~1\ANTIVI~1\Spybot\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1191420182250
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{0050570D-B681-42C2-B56D-32BF2A16ADA1}: NameServer = 168.96.72.3,168.96.72.6
O17 - HKLM\System\CS1\Services\Tcpip\..\{0050570D-B681-42C2-B56D-32BF2A16ADA1}: NameServer = 168.96.72.3,168.96.72.6
O17 - HKLM\System\CS2\Services\Tcpip\..\{0050570D-B681-42C2-B56D-32BF2A16ADA1}: NameServer = 168.96.72.3,168.96.72.6
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\ARCHIV~1\ARCHIV~1\Skype\SKYPE4~1.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Archivos de programa\Archivos comunes\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Archivos de programa\Antivirus\Avast\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Archivos de programa\Antivirus\Avast\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Archivos de programa\Antivirus\Avast\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Archivos de programa\Antivirus\Avast\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - Unknown owner - C:\Archivos de programa\Grisoft\AVG Anti-Spyware 7.5\guard.exe (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\ARCHIV~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\ARCHIV~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\ARCHIV~1\Grisoft\AVG7\avgemc.exe
O23 - Service: FileZilla Server FTP server (FileZilla Server) - FileZilla Project - C:\Archivos de programa\Net\FileZilla Server\FileZilla Server.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Archivos de programa\Archivos comunes\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Desktop Manager 5.5.709.30344 (GoogleDesktopManager-093007-112848) - Google - C:\Archivos de programa\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Archivos de programa\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - Unknown owner - C:\Archivos de programa\Spyware Doctor\svcntaux.exe (file missing)
O23 - Service: PC Tools Security Service (sdCoreService) - Unknown owner - C:\Archivos de programa\Spyware Doctor\swdsvc.exe (file missing)

--
End of file - 10405 bytes

-- Files created between 2007-12-10 and 2008-01-10 -----------------------------

2008-01-09 20:19:16 0 dr-h----- C:\$VAULT$.AVG
2008-01-09 20:03:53 0 d-------- C:\WINDOWS\system32\drivers\down
2008-01-08 15:15:06 0 d-------- C:\WINDOWS\ERUNT
2008-01-08 11:34:05 235008 --a------ C:\WINDOWS\UNBOC.EXE <Not Verified; COMODO; COMODO BOClean - Anti-Malware>
2008-01-08 11:34:04 208896 --a------ C:\WINDOWS\CMDLIC.DLL <Not Verified; COMODO; COMODO BOClean - AntiMalware>
2007-12-27 15:23:37 0 d-------- C:\Archivos de programa\Nero
2007-12-18 17:16:05 151552 --a------ C:\WINDOWS\system32\nvRegDev.dll
2007-12-18 11:53:16 0 d--h----- C:\WINDOWS\system32\GroupPolicy
2007-12-14 16:10:27 0 d--h----- C:\WINDOWS\PIF
2007-12-14 15:51:37 0 d-------- C:\Archivos de programa\Archivos comunes\Nero
2007-12-14 15:50:16 0 d-------- C:\Archivos de programa\Archivos comunes\Ahead
2007-12-14 15:50:15 0 d-------- C:\Archivos de programa\Ahead
2007-12-14 13:50:29 0 d-------- C:\Archivos de programa\Bonjour
2007-12-14 13:37:45 0 d-------- C:\Archivos de programa\Archivos comunes\Macrovision Shared
2007-12-12 18:09:01 552 --a------ C:\WINDOWS\system32\d3d8caps.dat


-- Find3M Report ---------------------------------------------------------------

2008-01-10 12:22:20 0 d-------- C:\Documents and Settings\Abramson\Datos de programa\XnView
2008-01-10 12:16:57 0 d-------- C:\Documents and Settings\Abramson\Datos de programa\WinEdt
2008-01-10 11:08:24 0 d-------- C:\Archivos de programa\Util
2008-01-10 11:08:24 0 d-------- C:\Archivos de programa\Archivos comunes
2008-01-10 10:58:32 0 d-------- C:\Archivos de programa\Antivirus
2008-01-10 09:43:45 0 d-------- C:\Documents and Settings\Abramson\Datos de programa\AVG7
2008-01-09 14:04:35 0 d-------- C:\Archivos de programa\Spyware Doctor
2008-01-09 12:10:35 0 d-------- C:\Archivos de programa\Astro
2008-01-09 09:33:23 0 d-------- C:\Documents and Settings\Abramson\Datos de programa\File-Ex
2008-01-08 11:03:04 0 d-------- C:\Archivos de programa\Image
2008-01-07 14:15:40 0 d-------- C:\Documents and Settings\Abramson\Datos de programa\Adobe
2008-01-03 10:40:13 0 d-------- C:\Documents and Settings\Abramson\Datos de programa\SpeedProject
2008-01-02 09:35:17 498418 --a------ C:\WINDOWS\system32\perfh00A.dat
2008-01-02 09:35:17 89006 --a------ C:\WINDOWS\system32\perfc00A.dat
2007-12-28 16:03:14 0 d-------- C:\Documents and Settings\Abramson\Datos de programa\aignes
2007-12-28 16:02:39 0 d-------- C:\Archivos de programa\Net
2007-12-27 10:45:50 0 d-------- C:\Documents and Settings\Abramson\Datos de programa\CyberLink
2007-12-26 16:28:20 0 d-------- C:\Archivos de programa\video
2007-12-18 18:32:16 0 d-------- C:\Archivos de programa\Sci
2007-12-18 17:17:12 0 d--h----- C:\Archivos de programa\InstallShield Installation Information
2007-12-14 16:03:55 0 d-------- C:\Documents and Settings\Abramson\Datos de programa\Ahead
2007-12-14 14:50:33 0 d-------- C:\Archivos de programa\Texts
2007-12-14 13:50:25 0 d-------- C:\Archivos de programa\Archivos comunes\Adobe
2007-12-12 18:19:35 0 d-------- C:\Documents and Settings\Abramson\Datos de programa\Real
2007-12-07 17:24:03 0 d-------- C:\Documents and Settings\Abramson\Datos de programa\Google
2007-11-28 10:14:29 0 d-------- C:\Documents and Settings\Abramson\Datos de programa\ActiveState
2007-11-23 10:51:12 0 d-------- C:\Documents and Settings\Abramson\Datos de programa\Avanquest
2007-11-22 11:34:15 0 d-------- C:\Archivos de programa\Microsoft SQL Server Compact Edition
2007-11-21 17:34:16 0 d-------- C:\Documents and Settings\Abramson\Datos de programa\AdobeUM
2007-11-21 17:29:46 0 d-------- C:\Archivos de programa\Archivos comunes\Adobe Systems Shared
2007-11-16 14:57:16 286720 -----n--- C:\WINDOWS\Setup1.exe <Not Verified; Microsoft Corporation; Microsoft Visual Basic for Windows>
2007-11-16 14:57:15 73216 --a------ C:\WINDOWS\ST6UNST.EXE <Not Verified; Microsoft Corporation; Microsoft® Visual Basic for Windows>
2007-11-15 18:25:58 0 d-------- C:\Documents and Settings\Abramson\Datos de programa\Macromedia
2007-11-15 18:12:59 0 d-------- C:\Archivos de programa\Britannica
2007-11-13 11:06:00 0 d-------- C:\Documents and Settings\Abramson\Datos de programa\InstallShield
2007-11-12 16:05:30 0 d-------- C:\Archivos de programa\MSECache
2007-11-12 12:44:03 0 d-------- C:\Documents and Settings\Abramson\Datos de programa\COWON
2007-10-15 14:23:34 2199552 --a------ C:\WINDOWS\system32\PdfDll32.dll <Not Verified; LEAD Technologies, Inc.; LEADTOOLS(r) DLL for Windows>
2007-10-15 14:23:34 65536 --a------ C:\WINDOWS\system32\ltserial.dll


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [09/17/2007 02:07 AM]
"nwiz"="nwiz.exe" [09/17/2007 02:07 AM C:\WINDOWS\system32\nwiz.exe]
"RTHDCPL"="RTHDCPL.EXE" [06/15/2007 02:03 AM C:\WINDOWS\RTHDCPL.exe]
"Google Desktop Search"="C:\Archivos de programa\Google\Google Desktop Search\GoogleDesktop.exe" [11/02/2007 11:55 AM]
"SunJavaUpdateSched"="C:\Archivos de programa\Java\jre1.6.0_03\bin\jusched.exe" [09/25/2007 02:11 AM]
"NvMediaCenter"="NvMCTray.dll" [09/17/2007 02:07 AM C:\WINDOWS\system32\nvmctray.dll]
"zBrowser Launcher"="C:\Archivos de programa\Logitech\iTouch\iTouch.exe" [03/18/2004 10:33 AM]
"FileZilla Server Interface"="C:\Archivos de programa\Net\FileZilla Server\FileZilla Server Interface.exe" [02/27/2007 12:55 PM]
"NeroFilterCheck"="C:\Archivos de programa\Archivos comunes\Ahead\Lib\NeroCheck.exe" [01/12/2006 05:40 PM]
"AVG7_CC"="C:\ARCHIV~1\Grisoft\AVG7\avgcc.exe" [01/09/2008 08:16 PM]
"avast!"="C:\ARCHIV~1\ANTIVI~1\Avast\ashDisp.exe" [12/04/2007 11:00 AM]
"Windows Defender"="C:\Archivos de programa\Antivirus\Windows Defender\MSASCui.exe" [11/03/2006 07:20 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [03/02/2006 10:00 AM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 Pml Driver HPZ12 Net Driver HPZ12




-- End of Deckard's System Scanner: finished at 2008-01-10 12:27:22 ------------
 