queno

CPU usage too high

77 posts in this topic

:yahoo:

 

ComboFix 09-12-22.09 - pc 28/12/2009 20:08:22.7.1 - x86 MINIMAL

Microsoft Windows XP Professional 5.1.2600.1.1252.34.3082.18.1023.729 [GMT 1:00]

Running from: c:\documents and settings\pc\Escritorio\ComboFix.exe

.

/wow section - STAGE 4

 

 

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

 

c:\windows\system32\qmgr.dll . . . is infected!!

 

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

 

-------\Legacy_SERVICE

 

 

((((((((((((((((((((((((( Files Created from 2009-11-28 to 2009-12-28 )))))))))))))))))))))))))))))))

.

 

2009-12-26 02:36 . 2009-12-26 02:36 -------- d-----w- c:\archivos de programa\EarMaster Pro 5

2009-12-26 02:36 . 2009-12-26 02:36 -------- d-----w- c:\documents and settings\pc\Datos de programa\EarMaster

2009-12-23 22:39 . 2009-12-23 22:53 -------- d-----w- c:\documents and settings\pc\Datos de programa\GNU Solfege

2009-12-23 22:37 . 2009-12-23 22:37 -------- d-----w- c:\archivos de programa\GNU Solfege

2009-12-22 22:45 . 2009-12-22 22:45 -------- d-----w- c:\windows\Logs

2009-12-22 22:45 . 2009-12-22 22:45 -------- d-----w- c:\archivos de programa\Telltale Games

2009-12-19 20:20 . 2009-12-19 20:20 -------- d--h--r- c:\documents and settings\LocalService\Reciente

2009-12-14 22:29 . 2009-12-14 22:30 -------- d-----w- C:\rsit

2009-12-14 00:20 . 2009-12-14 00:19 411368 ----a-w- c:\windows\system32\deploytk.dll

2009-12-12 19:38 . 2009-12-12 19:38 -------- d-----w- c:\windows\ERUNT

2009-12-07 03:02 . 2009-12-07 03:03 664 ----a-w- c:\windows\system32\d3d9caps.dat

2009-12-04 11:18 . 2009-12-04 11:18 -------- d-----w- c:\documents and settings\All Users\Datos de programa\Kaspersky Lab Setup Files

2009-12-04 10:09 . 2009-12-04 10:09 -------- d-----w- c:\documents and settings\Administrador\Datos de programa\Malwarebytes

2009-11-29 08:12 . 2009-11-29 08:12 -------- d-----w- c:\windows\system32\wbem\Repository

2009-11-29 08:12 . 2009-11-29 08:12 -------- d-----w- c:\documents and settings\All Users\Datos de programa\Agnitum

2009-11-29 08:12 . 2009-11-29 08:12 -------- d-----w- c:\archivos de programa\Agnitum

2009-11-29 02:23 . 2009-11-29 02:31 -------- d-----w- c:\documents and settings\pc\Datos de programa\GlarySoft

2009-11-29 02:17 . 2009-11-29 02:17 -------- d-----w- c:\archivos de programa\Glary Utilities

2009-11-28 20:46 . 2005-01-06 09:09 206 ----a-w- c:\windows\myClean.bat

 

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-12-28 19:08 . 2001-08-24 16:00 68826 ----a-w- c:\windows\system32\perfc00A.dat

2009-12-28 19:08 . 2001-08-24 16:00 440050 ----a-w- c:\windows\system32\perfh00A.dat

2009-12-23 21:17 . 2007-10-15 11:21 -------- d-----w- c:\archivos de programa\SUPERAntiSpyware

2009-12-22 06:02 . 2006-01-19 20:39 -------- d-----w- c:\archivos de programa\Google

2009-12-21 19:21 . 2007-01-27 14:18 -------- d-----w- c:\archivos de programa\Spybot - Search & Destroy

2009-12-21 19:20 . 2007-01-27 14:18 -------- d-----w- c:\documents and settings\All Users\Datos de programa\Spybot - Search & Destroy

2009-12-14 05:00 . 2009-10-28 02:15 117760 ----a-w- c:\documents and settings\pc\Datos de programa\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL

2009-12-14 00:19 . 2007-10-23 13:34 -------- d-----w- c:\archivos de programa\Java

2009-12-06 00:50 . 2009-11-28 09:58 -------- d-----w- c:\archivos de programa\SpeedFan

2009-12-06 00:28 . 2008-04-30 22:10 -------- d-----w- c:\archivos de programa\Malwarebytes' Anti-Malware

2009-12-06 00:28 . 2008-05-18 12:54 4844296 ----a-w- c:\documents and settings\All Users\Datos de programa\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe

2009-12-05 23:57 . 2007-10-12 23:58 -------- d-----w- c:\archivos de programa\Unlocker

2009-12-05 23:57 . 2005-05-20 17:00 -------- d-----w- c:\archivos de programa\Atari

2009-12-05 23:57 . 2005-04-08 10:27 -------- d--h--w- c:\archivos de programa\InstallShield Installation Information

2009-12-05 23:56 . 2005-05-20 17:16 -------- d-----w- c:\documents and settings\pc\Datos de programa\Atari

2009-12-05 20:34 . 2006-03-04 15:51 -------- d-----w- c:\documents and settings\pc\Datos de programa\ppstream

2009-12-03 15:14 . 2008-11-02 11:57 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-12-03 15:13 . 2008-05-18 12:54 18520 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-11-29 02:23 . 2005-11-01 14:44 -------- d-----w- c:\archivos de programa\RapidLeecher

2009-11-29 02:21 . 2005-05-11 11:58 -------- d-----w- c:\archivos de programa\BitComet

2009-11-28 19:10 . 2005-12-25 14:21 -------- d-----w- c:\archivos de programa\DDD Pool

2009-11-23 22:32 . 2005-04-08 18:12 -------- d-----w- c:\archivos de programa\Archivos comunes\Adobe

2009-11-23 01:13 . 2008-05-12 13:47 -------- d-----w- c:\documents and settings\pc\Datos de programa\FFSJ

2009-10-28 02:14 . 2009-10-28 02:14 65024 ----a-r- c:\documents and settings\pc\Datos de programa\Microsoft\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF15.exe

2009-10-28 02:14 . 2009-10-28 02:14 5120 ----a-r- c:\documents and settings\pc\Datos de programa\Microsoft\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF16.exe

2009-10-28 02:14 . 2009-10-28 02:14 18944 ----a-r- c:\documents and settings\pc\Datos de programa\Microsoft\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF13.exe

2005-10-02 18:55 . 2005-10-02 18:55 0 -c--a-w- c:\archivos de programa\AILog.txt

2007-10-28 16:44 . 2007-10-28 16:41 48 -csh--w- c:\windows\S46C32A27.tmp

2006-02-16 18:50 . 2006-02-16 18:47 952 -csha-w- c:\windows\system32\KGyGaAvL.sys

.

 

------- Sigcheck -------

 

 

 

[7] 2004-08-11 00:45 . A477391B7A8B0A0DAABADB17CF533A4B . 25088 . . [10.0.3790.3646] . . c:\windows\RegisteredPackages\{30C7234B-6482-4A55-A11D-ECD9030313F2}\MsPMSNSv.dll

[-] 2002-12-17 16:43 . 53D4E72452CE025F96B652B02BF9B89C . 52736 . . [9.0.1.56] . . c:\windows\RegisteredPackages\{30C7234B-6482-4A55-A11D-ECD9030313F2}$BACKUP$\System\MsPMSNSv.dll

[-] 2002-12-17 16:43 . 53D4E72452CE025F96B652B02BF9B89C . 52736 . . [9.0.1.56] . . c:\windows\system32\MsPMSNSv.dll

 

c:\windows\System32\wscntfy.exe ... is missing !!

c:\windows\System32\xmlprov.dll ... is missing !!

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"MSMSGS"="c:\archivos de programa\Messenger\msmsgs.exe" [2004-11-15 1670144]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"McAfeeUpdaterUI"="c:\archivos de programa\Network Associates\Common Framework\UpdaterUI.exe" [2004-08-06 139320]

"ShStatEXE"="c:\archivos de programa\Network Associates\VirusScan\SHSTAT.EXE" [2004-08-25 94208]

"Network Associates Error Reporting Service"="c:\archivos de programa\Archivos comunes\Network Associates\TalkBack\tbmon.exe" [2003-10-07 147514]

"SunJavaUpdateSched"="c:\archivos de programa\Java\jre6\bin\jusched.exe" [2009-12-14 149280]

 

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2002-09-09 13312]

 

c:\documents and settings\All Users\Men£ Inicio\Programas\Inicio\

uninstall.exe [2009-12-28 421888]

 

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\archivos de programa\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2009-09-03 14:21 548352 ----a-w- c:\archivos de programa\SUPERAntiSpyware\SASWINLO.dll

 

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menú Inicio^Programas^Inicio^Google Updater.lnk]

path=c:\documents and settings\All Users\Menú Inicio\Programas\Inicio\Google Updater.lnk

backup=c:\windows\pss\Google Updater.lnkCommon Startup

 

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menú Inicio^Programas^Inicio^Microsoft Office.lnk]

backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

 

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menú Inicio^Programas^Inicio^uninstall.exe]

path=c:\documents and settings\All Users\Menú Inicio\Programas\Inicio\uninstall.exe

backup=c:\windows\pss\uninstall.exeCommon Startup

 

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menú Inicio^Programas^Inicio^uninstall.exe.old]

path=c:\documents and settings\All Users\Menú Inicio\Programas\Inicio\uninstall.exe.old

backup=c:\windows\pss\uninstall.exe.oldCommon Startup

 

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menú Inicio^Programas^Inicio^VIA RAID TOOL.lnk]

backup=c:\windows\pss\VIA RAID TOOL.lnkCommon Startup

 

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menú Inicio^Programas^Inicio^WinZip Quick Pick.lnk]

backup=c:\windows\pss\WinZip Quick Pick.lnkCommon Startup

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SmartRAM

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acceso directo a la página de propiedades de High Definition Audio]

2004-03-17 13:10 61952 -c----w- c:\windows\system32\Hdaudpropshortcut.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]

2009-09-04 11:08 935288 ----a-r- c:\archivos de programa\Archivos comunes\Adobe\ARM\1.0\AdobeARM.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AgenteADSL_15]

2006-08-05 11:32 28672 ----a-w- c:\archivos de programa\Telefonica\KitAIM\AimExDll.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]

2006-09-14 20:09 157592 ----a-w- c:\archivos de programa\DAEMON Tools\daemon.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InCD]

2004-09-13 09:51 1450096 ------w- c:\archivos de programa\Ahead\InCD\InCD.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]

2005-02-16 16:15 81920 ----a-w- c:\archivos de programa\Archivos comunes\InstallShield\UpdateService\issch.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]

2006-08-05 11:32 155648 -c--a-w- c:\windows\system32\NeroCheck.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

2005-08-24 11:29 98304 ----a-w- c:\archivos de programa\QuickTime\qttask.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]

2008-06-10 02:27 144784 ----a-w- c:\archivos de programa\Java\jre1.6.0_07\bin\jusched.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]

2009-10-12 20:24 2000112 ----a-w- c:\archivos de programa\SUPERAntiSpyware\SUPERAntiSpyware.exe

 

R1 NaiAvTdi1;NaiAvTdi1;c:\windows\system32\drivers\mvstdi5x.sys [31/07/2005 19:19 58016]

R1 SASDIFSV;SASDIFSV;c:\archivos de programa\SUPERAntiSpyware\sasdifsv.sys [12/10/2009 21:24 9968]

R1 SASKUTIL;SASKUTIL;c:\archivos de programa\SUPERAntiSpyware\SASKUTIL.SYS [12/10/2009 21:24 74480]

R2 RVIEGVST;VSC VST Engine;c:\archivos de programa\Roland\Virtual Sound Canvas VST\RVIEg01VST.sys [29/03/2009 22:56 188276]

R3 cmudax;C-Media High Definition Audio Interface;c:\windows\system32\drivers\cmudax.sys [08/04/2005 11:28 1258432]

S0 pcsctdwx;pcsctdwx;c:\windows\System32\drivers\bkenhzrq.dat --> c:\windows\System32\drivers\bkenhzrq.dat [?]

S2 gupdate1c98713c4b29a9c;Google Update Service (gupdate1c98713c4b29a9c);c:\archivos de programa\Google\Update\GoogleUpdate.exe [04/02/2009 22:58 133104]

S2 xwovauhs;AGP Bus w766b Helper;c:\windows\System32\svchost.exe -k netsvcs [24/08/2001 17:00 12800]

S3 {BEE686B9-4C84-4487-9D72-9F40F051E973};{BEE686B9-4C84-4487-9D72-9F40F051E973};c:\windows\System32\svchost.exe -k netsvcs [24/08/2001 17:00 12800]

S3 SASENUM;SASENUM;c:\archivos de programa\SUPERAntiSpyware\SASENUM.SYS [12/10/2009 21:24 7408]

S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [31/12/2006 17:28 639224]

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs

xwovauhs

 

{BEE686B9-4C84-4487-9D72-9F40F051E973}

.

------- Supplementary Scan -------

.

uInternet Connection Wizard,ShellNext = iexplore

uInternet Settings,ProxyOverride = microweb

IE: E&xportar a Microsoft Excel - c:\archiv~1\MICROS~2\Office10\EXCEL.EXE/3000

TCP: {6141C6A4-C488-4BFB-89DB-EE4A062B2C88} = 80.58.61.250,80.58.61.254

DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab

DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab

FF - ProfilePath - c:\documents and settings\pc\Datos de programa\Mozilla\Firefox\Profiles\7mq150nj.default\

FF - plugin: c:\archivos de programa\Google\Google Earth\plugin\npgeplugin.dll

FF - plugin: c:\archivos de programa\Google\Update\1.2.183.13\npGoogleOneClick8.dll

.

- - - - ORPHANS REMOVED - - - -

 

Toolbar-ID - (no file)

ShellIconOverlayIdentifiers-{83CBAEF3-AE6D-4F61-8EA9-EEC110A9440D} - (no file)

SafeBoot-AVG Anti-Spyware Driver

SafeBoot-AVG Anti-Spyware Guard

MSConfigStartUp-AdobeUpdater - c:\archivos de programa\Archivos comunes\Adobe\Updater5\AdobeUpdater.exe

MSConfigStartUp-Cmaudio - cmicnfg.cpl

ActiveSetup-{035C8BE1-1A47-D921-0606-030204040601} - c:\windows\System32\vspool.exe

AddRemove-MicrosoftCinemania97 - E:\cinmania.exe

 

 

 

**************************************************************************

 

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-12-28 20:19

Windows 5.1.2600 Service Pack 1 NTFS

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

scanning hidden files ...

 

scan completed successfully

hidden files: 0

 

**************************************************************************

 

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

 

device: opened successfully

user: MBR read successfully

called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x86A645A0]<<

kernel: MBR read successfully

detected MBR rootkit hooks:

\Driver\Disk -> CLASSPNP.SYS @ 0xf78edaac

\Driver\ACPI -> 0x86a645a0

\Driver\atapi -> atapi.sys @ 0xf77d803c

IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x80567e94

ParseProcedure -> ntoskrnl.exe @ 0x80566f60

\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x80567e94

ParseProcedure -> 0x86a6b060

NDIS: Broadcom NetLink Gigabit Ethernet -> SendCompleteHandler -> NDIS.sys @ 0xf76e2d84

PacketIndicateHandler -> NDIS.sys @ 0xf76ef480

SendHandler -> NDIS.sys @ 0xf76d0933

Warning: possible MBR rootkit infection !

copy of MBR has been found in sector 0x017BD1417

malicious code @ sector 0x017BD141A !

PE file found in sector at 0x017BD1430 !

MBR rootkit infection detected ! Use: "mbr.exe -f" to fix.

 

**************************************************************************

 

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\pcsctdwx]

"ImagePath"="system32\drivers\bkenhzrq.dat"

 

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\{BEE686B9-4C84-4487-9D72-9F40F051E973}]

"ServiceDll"="c:\docume~1\pc\CONFIG~1\Temp\24.tmp"

.

--------------------- LOCKED REGISTRY KEYS ---------------------

 

[HKEY_USERS\S-1-5-21-682003330-484061587-2147183463-1003\Software\SecuROM\License information*]

"datasecu"=hex:02,68,ba,dc,54,d4,11,32,e0,e6,ce,10,8a,61,09,99,aa,09,59,0f,36,

e6,b6,d3,3e,dc,15,5f,3c,f6,c8,3a,81,1f,f2,d8,a4,d6,17,d4,07,82,f0,b4,5c,db,\

"rkeysecu"=hex:7a,87,67,9f,a0,16,fa,68,fb,1d,d8,31,b3,f6,87,bb

 

[HKEY_USERS\S-1-5-21-682003330-484061587-2147183463-1003\Software\Zepter Software\RegLib*e4257279\CloneDVD2/2]

"1"=dword:4569f51e

"2"=dword:4723939c

.

--------------------- DLLs Loaded Under Running Processes ---------------------

 

- - - - - - - > 'winlogon.exe'(976)

c:\windows\System32\ODBC32.dll

c:\archivos de programa\SUPERAntiSpyware\SASWINLO.dll

c:\windows\system32\Ati2evxx.dll

c:\windows\System32\midimap.dll

 

- - - - - - - > 'lsass.exe'(1032)

c:\windows\system32\MSVCRT40.dll

c:\windows\system32\MSVCIRT.dll

c:\windows\System32\dssenh.dll

c:\windows\System32\EntApi.dll

 

- - - - - - - > 'explorer.exe'(2508)

c:\windows\System32\EntApi.dll

c:\windows\System32\msi.dll

c:\windows\System32\midimap.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\System32\Ati2evxx.exe

c:\archivos de programa\Ahead\InCD\InCDsrv.exe

c:\windows\system32\Ati2evxx.exe

c:\archivos de programa\Google\Update\1.2.183.13\GoogleCrashHandler.exe

c:\archivos de programa\Java\jre6\bin\jqs.exe

c:\archivos de programa\Network Associates\Common Framework\FrameworkService.exe

c:\archivos de programa\Network Associates\VirusScan\mcshield.exe

c:\archivos de programa\Network Associates\VirusScan\vstskmgr.exe

c:\archiv~1\NETWOR~1\COMMON~1\naPrdMgr.exe

c:\archivos de programa\Archivos comunes\Microsoft Shared\VS7Debug\mdm.exe

c:\windows\System32\wdfmgr.exe

.

**************************************************************************

.

Completion time: 2009-12-28 20:22:16 - machine was rebooted

ComboFix-quarantined-files.txt 2009-12-28 19:22

 

Pre-Run: 24.198.713.344 bytes libres

Post-Run: 24.061.067.264 bytes libres

 

Current=5 Default=5 Failed=4 LastKnownGood=6 Sets=1,2,3,4,5,6

- - End Of File - - C930962E01BFB1DA40667E22A6B3702D


Open notepad and copy/paste the text in the quote box below into it:

 

Registry::
[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\pcsctdwx]
"ImagePath"=-

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\{BEE686B9-4C84-4487-9D72-9F40F051E973}]
"ServiceDll"=-

NetSvc::
xwovauhs

 

Save this as CFScript on your desktop.

 

[Image: CFScriptB-4.gif]

 

Referring to the picture above, drag CFScript into ComboFix.exe

Then post the resultant log.

p.s. execute this ComboFix script in Safe Mode if not possible in Normal mode.

 

Restart the computer normally.

===

 

Please download this file, place it on your desktop.

http://www2.gmer.net/mbr/mbr.exe

 

Open the Start > run box

type cmd hit the ok button.

 

At the DOS prompt type mbr.exe -f (make sure you have a space before the e and the -f)

 

hit the enter key.

 

Type exit at the prompt and hit the enter key.

 

Restart the computer normally.

===

 

Run the mbr.exe again.

Let me see the results.

 

====

 

Some files are damaged or missing. Let see if you have backup copies on your computer.

If not found please let me know if you have a copy of the XP operating system or access to one.

 

Please download SystemLook from one of the links below and save it to your Desktop.

Download Mirror #1

Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy and paste the content of the following bold text into the main textfield:

    :filefind
    qmgr.dll

  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.

Note: The log can also be found on your Desktop entitled SystemLook.txt

 

Repeat the search for these files.

 

:filefind

wscntfy.exe

 

:filefind

xmlprov.dll

 

 

Post the ComboFix log, the MBR results and what has been found by SystemLook.

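As an added example (not part of the helper's post, and not code from ComboFix or any other tool named in this thread), the script below shows how the entries the CFScript above removes can be picked out of a ComboFix log automatically. It parses the R*/S* service lines, the "Svchost - NetSvcs" listing (ComboFix prints only non-default members there, as the log's own note says) and the REGEDIT-style ImagePath/ServiceDll values, then flags a service when its image is missing on disk, its name is a bare GUID, it is a boot-start driver whose image is not a .sys file, it is a non-default NetSvcs member, or its ServiceDll lives in a Temp folder or is not a .dll. The sample input is copied from the logs in this thread with two benign lines added for contrast; the triage rules are my own heuristics, not ComboFix's, and are meant as review hints, not a verdict.

```python
import re

# Constructed sample: service lines copied from the ComboFix log in this thread,
# including the benign SASDIFSV and Google Update services for contrast.
SAMPLE_SERVICES = r"""
R1 SASDIFSV;SASDIFSV;c:\archivos de programa\SUPERAntiSpyware\sasdifsv.sys [12/10/2009 21:24 9968]
S0 pcsctdwx;pcsctdwx;c:\windows\System32\drivers\bkenhzrq.dat --> c:\windows\System32\drivers\bkenhzrq.dat [?]
S2 gupdate1c98713c4b29a9c;Google Update Service (gupdate1c98713c4b29a9c);c:\archivos de programa\Google\Update\GoogleUpdate.exe [04/02/2009 22:58 133104]
S2 xwovauhs;AGP Bus w766b Helper;c:\windows\System32\svchost.exe -k netsvcs [24/08/2001 17:00 12800]
S3 {BEE686B9-4C84-4487-9D72-9F40F051E973};{BEE686B9-4C84-4487-9D72-9F40F051E973};c:\windows\System32\svchost.exe -k netsvcs [24/08/2001 17:00 12800]
"""

# Constructed sample: ComboFix lists only the non-default NetSvcs members here.
SAMPLE_NETSVCS = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
xwovauhs

{BEE686B9-4C84-4487-9D72-9F40F051E973}
.
"""

# Constructed sample: the registry values ComboFix printed for the two services.
SAMPLE_REGISTRY = r"""
[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\pcsctdwx]
"ImagePath"="system32\drivers\bkenhzrq.dat"

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\{BEE686B9-4C84-4487-9D72-9F40F051E973}]
"ServiceDll"="c:\docume~1\pc\CONFIG~1\Temp\24.tmp"
"""

SERVICE_RE = re.compile(r"^([RS])(\d)\s+([^;]+);([^;]*);(.*)$")   # state, start type, name, description, path
GUID_RE = re.compile(r"^\{[0-9A-Fa-f-]{36}\}$")
KEY_RE = re.compile(r"^\[.*\\Services\\([^\]\\]+)\]$")
VALUE_RE = re.compile(r'^"(ImagePath|ServiceDll)"="(.*)"$')


def parse_services(text):
    """Map service name -> {"start": int, "path": str, "missing": bool} from R*/S* lines."""
    services = {}
    for line in text.splitlines():
        m = SERVICE_RE.match(line.strip())
        if not m:
            continue
        _state, start, name, _desc, rest = m.groups()
        # ComboFix appends "[?]" when the service image cannot be found on disk.
        missing = rest.rstrip().endswith("[?]")
        # Keep only the path: drop the "--> ..." echo and the trailing "[date size]".
        path = re.split(r"\s+-->\s+|\s+\[", rest, maxsplit=1)[0]
        services[name] = {"start": int(start), "path": path, "missing": missing}
    return services


def parse_netsvcs(text):
    """Names listed under 'Svchost - NetSvcs' (the block ends at a lone '.')."""
    names, inside = set(), False
    for line in text.splitlines():
        line = line.strip()
        if line.endswith("Svchost - NetSvcs"):
            inside = True
        elif inside and line == ".":
            break
        elif inside and line:
            names.add(line)
    return names


def parse_registry(text):
    """Map service name -> {"ImagePath": ..., "ServiceDll": ...} from REGEDIT-style output."""
    entries, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        key = KEY_RE.match(line)
        if key:
            current = key.group(1)
            entries.setdefault(current, {})
            continue
        val = VALUE_RE.match(line)
        if val and current:
            entries[current][val.group(1)] = val.group(2)
    return entries


def triage(services_text, netsvcs_text, registry_text):
    """Return {service_name: [reason, ...]} for every service that merits a closer look."""
    services = parse_services(services_text)
    netsvcs = parse_netsvcs(netsvcs_text)
    registry = parse_registry(registry_text)
    findings = {}
    for name, svc in services.items():
        reasons = []
        reg = registry.get(name, {})
        image = reg.get("ImagePath", svc["path"]).lower()
        if svc["missing"]:
            reasons.append("image not found on disk")
        if GUID_RE.match(name):
            reasons.append("service name is a bare GUID")
        if svc["start"] == 0 and not image.endswith(".sys"):
            reasons.append("boot-start driver image is not a .sys file")
        if name in netsvcs:
            reasons.append("non-default member of the svchost NetSvcs group")
        dll = reg.get("ServiceDll", "").lower()
        if dll and ("\\temp\\" in dll or not dll.endswith(".dll")):
            reasons.append("ServiceDll points into a Temp directory or is not a .dll")
        if reasons:
            findings[name] = reasons
    return findings


if __name__ == "__main__":
    for name, reasons in triage(SAMPLE_SERVICES, SAMPLE_NETSVCS, SAMPLE_REGISTRY).items():
        print(name)
        for reason in reasons:
            print("   -", reason)
```

Run against the sample, the script reports pcsctdwx, xwovauhs and the GUID-named service and stays silent on the SUPERAntiSpyware driver and Google Update, which matches the three entries the CFScript above targets. On a real log, paste the whole Drivers/Services block, the NetSvcs listing and the registry dump into the three inputs; each reason is a prompt to check the file and the key by hand, not a reason to delete anything on its own.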

ComboFix log:

 

ComboFix 09-12-22.09 - pc 29/12/2009 20:00:27.8.1 - x86 MINIMAL

Microsoft Windows XP Professional 5.1.2600.1.1252.34.3082.18.1023.821 [GMT 1:00]

Running from: c:\documents and settings\pc\Escritorio\ComboFix.exe

Command switches used :: c:\documents and settings\pc\Escritorio\CFScript.txt

.

/wow section - STAGE 4

 

 

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

 

Infected copy of c:\windows\system32\qmgr.dll was found and disinfected

Restored copy from - c:\windows\erdnt\cache\qmgr.dll

 

.

((((((((((((((((((((((((( Files Created from 2009-11-28 to 2009-12-29 )))))))))))))))))))))))))))))))

.

 

2009-12-26 02:36 . 2009-12-26 02:36 -------- d-----w- c:\archivos de programa\EarMaster Pro 5

2009-12-26 02:36 . 2009-12-26 02:36 -------- d-----w- c:\documents and settings\pc\Datos de programa\EarMaster

2009-12-23 22:39 . 2009-12-23 22:53 -------- d-----w- c:\documents and settings\pc\Datos de programa\GNU Solfege

2009-12-23 22:37 . 2009-12-23 22:37 -------- d-----w- c:\archivos de programa\GNU Solfege

2009-12-22 22:45 . 2009-12-22 22:45 -------- d-----w- c:\windows\Logs

2009-12-22 22:45 . 2009-12-22 22:45 -------- d-----w- c:\archivos de programa\Telltale Games

2009-12-19 20:20 . 2009-12-19 20:20 -------- d--h--r- c:\documents and settings\LocalService\Reciente

2009-12-14 22:29 . 2009-12-14 22:30 -------- d-----w- C:\rsit

2009-12-14 00:20 . 2009-12-14 00:19 411368 ----a-w- c:\windows\system32\deploytk.dll

2009-12-12 19:38 . 2009-12-12 19:38 -------- d-----w- c:\windows\ERUNT

2009-12-07 03:02 . 2009-12-07 03:03 664 ----a-w- c:\windows\system32\d3d9caps.dat

2009-12-04 11:18 . 2009-12-04 11:18 -------- d-----w- c:\documents and settings\All Users\Datos de programa\Kaspersky Lab Setup Files

2009-12-04 10:09 . 2009-12-04 10:09 -------- d-----w- c:\documents and settings\Administrador\Datos de programa\Malwarebytes

 

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-12-29 19:12 . 2001-08-24 16:00 68826 ----a-w- c:\windows\system32\perfc00A.dat

2009-12-29 19:12 . 2001-08-24 16:00 440050 ----a-w- c:\windows\system32\perfh00A.dat

2009-12-23 21:17 . 2007-10-15 11:21 -------- d-----w- c:\archivos de programa\SUPERAntiSpyware

2009-12-22 06:02 . 2006-01-19 20:39 -------- d-----w- c:\archivos de programa\Google

2009-12-21 19:21 . 2007-01-27 14:18 -------- d-----w- c:\archivos de programa\Spybot - Search & Destroy

2009-12-21 19:20 . 2007-01-27 14:18 -------- d-----w- c:\documents and settings\All Users\Datos de programa\Spybot - Search & Destroy

2009-12-14 05:00 . 2009-10-28 02:15 117760 ----a-w- c:\documents and settings\pc\Datos de programa\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL

2009-12-14 00:19 . 2007-10-23 13:34 -------- d-----w- c:\archivos de programa\Java

2009-12-06 00:50 . 2009-11-28 09:58 -------- d-----w- c:\archivos de programa\SpeedFan

2009-12-06 00:28 . 2008-04-30 22:10 -------- d-----w- c:\archivos de programa\Malwarebytes' Anti-Malware

2009-12-06 00:28 . 2008-05-18 12:54 4844296 ----a-w- c:\documents and settings\All Users\Datos de programa\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe

2009-12-05 23:57 . 2007-10-12 23:58 -------- d-----w- c:\archivos de programa\Unlocker

2009-12-05 23:57 . 2005-05-20 17:00 -------- d-----w- c:\archivos de programa\Atari

2009-12-05 23:57 . 2005-04-08 10:27 -------- d--h--w- c:\archivos de programa\InstallShield Installation Information

2009-12-05 23:56 . 2005-05-20 17:16 -------- d-----w- c:\documents and settings\pc\Datos de programa\Atari

2009-12-05 20:34 . 2006-03-04 15:51 -------- d-----w- c:\documents and settings\pc\Datos de programa\ppstream

2009-12-03 15:14 . 2008-11-02 11:57 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-12-03 15:13 . 2008-05-18 12:54 18520 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-11-29 08:12 . 2009-11-29 08:12 -------- d-----w- c:\documents and settings\All Users\Datos de programa\Agnitum

2009-11-29 08:12 . 2009-11-29 08:12 -------- d-----w- c:\archivos de programa\Agnitum

2009-11-29 02:31 . 2009-11-29 02:23 -------- d-----w- c:\documents and settings\pc\Datos de programa\GlarySoft

2009-11-29 02:23 . 2005-11-01 14:44 -------- d-----w- c:\archivos de programa\RapidLeecher

2009-11-29 02:21 . 2005-05-11 11:58 -------- d-----w- c:\archivos de programa\BitComet

2009-11-29 02:17 . 2009-11-29 02:17 -------- d-----w- c:\archivos de programa\Glary Utilities

2009-11-28 19:10 . 2005-12-25 14:21 -------- d-----w- c:\archivos de programa\DDD Pool

2009-11-23 22:32 . 2005-04-08 18:12 -------- d-----w- c:\archivos de programa\Archivos comunes\Adobe

2009-11-23 01:13 . 2008-05-12 13:47 -------- d-----w- c:\documents and settings\pc\Datos de programa\FFSJ

2009-10-28 02:14 . 2009-10-28 02:14 65024 ----a-r- c:\documents and settings\pc\Datos de programa\Microsoft\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF15.exe

2009-10-28 02:14 . 2009-10-28 02:14 5120 ----a-r- c:\documents and settings\pc\Datos de programa\Microsoft\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF16.exe

2009-10-28 02:14 . 2009-10-28 02:14 18944 ----a-r- c:\documents and settings\pc\Datos de programa\Microsoft\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF13.exe

2005-10-02 18:55 . 2005-10-02 18:55 0 -c--a-w- c:\archivos de programa\AILog.txt

2007-10-28 16:44 . 2007-10-28 16:41 48 -csh--w- c:\windows\S46C32A27.tmp

2006-02-16 18:50 . 2006-02-16 18:47 952 -csha-w- c:\windows\system32\KGyGaAvL.sys

.

 

------- Sigcheck -------

 

 

 

[7] 2004-08-11 00:45 . A477391B7A8B0A0DAABADB17CF533A4B . 25088 . . [10.0.3790.3646] . . c:\windows\RegisteredPackages\{30C7234B-6482-4A55-A11D-ECD9030313F2}\MsPMSNSv.dll

[-] 2002-12-17 16:43 . 53D4E72452CE025F96B652B02BF9B89C . 52736 . . [9.0.1.56] . . c:\windows\RegisteredPackages\{30C7234B-6482-4A55-A11D-ECD9030313F2}$BACKUP$\System\MsPMSNSv.dll

[-] 2002-12-17 16:43 . 53D4E72452CE025F96B652B02BF9B89C . 52736 . . [9.0.1.56] . . c:\windows\system32\MsPMSNSv.dll

 

c:\windows\System32\wscntfy.exe ... is missing !!

c:\windows\System32\xmlprov.dll ... is missing !!

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"MSMSGS"="c:\archivos de programa\Messenger\msmsgs.exe" [2004-11-15 1670144]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"McAfeeUpdaterUI"="c:\archivos de programa\Network Associates\Common Framework\UpdaterUI.exe" [2004-08-06 139320]

"ShStatEXE"="c:\archivos de programa\Network Associates\VirusScan\SHSTAT.EXE" [2004-08-25 94208]

"Network Associates Error Reporting Service"="c:\archivos de programa\Archivos comunes\Network Associates\TalkBack\tbmon.exe" [2003-10-07 147514]

"SunJavaUpdateSched"="c:\archivos de programa\Java\jre6\bin\jusched.exe" [2009-12-14 149280]

 

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2002-09-09 13312]

 

c:\documents and settings\All Users\Men£ Inicio\Programas\Inicio\

uninstall.exe [2009-12-29 421888]

 

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\archivos de programa\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2009-09-03 14:21 548352 ----a-w- c:\archivos de programa\SUPERAntiSpyware\SASWINLO.dll

 

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menú Inicio^Programas^Inicio^Google Updater.lnk]

path=c:\documents and settings\All Users\Menú Inicio\Programas\Inicio\Google Updater.lnk

backup=c:\windows\pss\Google Updater.lnkCommon Startup

 

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menú Inicio^Programas^Inicio^Microsoft Office.lnk]

backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

 

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menú Inicio^Programas^Inicio^uninstall.exe]

path=c:\documents and settings\All Users\Menú Inicio\Programas\Inicio\uninstall.exe

backup=c:\windows\pss\uninstall.exeCommon Startup

 

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menú Inicio^Programas^Inicio^uninstall.exe.old]

path=c:\documents and settings\All Users\Menú Inicio\Programas\Inicio\uninstall.exe.old

backup=c:\windows\pss\uninstall.exe.oldCommon Startup

 

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menú Inicio^Programas^Inicio^VIA RAID TOOL.lnk]

backup=c:\windows\pss\VIA RAID TOOL.lnkCommon Startup

 

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menú Inicio^Programas^Inicio^WinZip Quick Pick.lnk]

backup=c:\windows\pss\WinZip Quick Pick.lnkCommon Startup

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acceso directo a la página de propiedades de High Definition Audio]

2004-03-17 13:10 61952 -c----w- c:\windows\system32\Hdaudpropshortcut.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]

2009-09-04 11:08 935288 ----a-r- c:\archivos de programa\Archivos comunes\Adobe\ARM\1.0\AdobeARM.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AgenteADSL_15]

2006-08-05 11:32 28672 ----a-w- c:\archivos de programa\Telefonica\KitAIM\AimExDll.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]

2006-09-14 20:09 157592 ----a-w- c:\archivos de programa\DAEMON Tools\daemon.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InCD]

2004-09-13 09:51 1450096 ------w- c:\archivos de programa\Ahead\InCD\InCD.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]

2005-02-16 16:15 81920 ----a-w- c:\archivos de programa\Archivos comunes\InstallShield\UpdateService\issch.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]

2006-08-05 11:32 155648 -c--a-w- c:\windows\system32\NeroCheck.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

2005-08-24 11:29 98304 ----a-w- c:\archivos de programa\QuickTime\qttask.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]

2008-06-10 02:27 144784 ----a-w- c:\archivos de programa\Java\jre1.6.0_07\bin\jusched.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]

2009-10-12 20:24 2000112 ----a-w- c:\archivos de programa\SUPERAntiSpyware\SUPERAntiSpyware.exe

 

R1 NaiAvTdi1;NaiAvTdi1;c:\windows\system32\drivers\mvstdi5x.sys [31/07/2005 19:19 58016]

R1 SASDIFSV;SASDIFSV;c:\archivos de programa\SUPERAntiSpyware\sasdifsv.sys [12/10/2009 21:24 9968]

R1 SASKUTIL;SASKUTIL;c:\archivos de programa\SUPERAntiSpyware\SASKUTIL.SYS [12/10/2009 21:24 74480]

R2 RVIEGVST;VSC VST Engine;c:\archivos de programa\Roland\Virtual Sound Canvas VST\RVIEg01VST.sys [29/03/2009 22:56 188276]

R3 cmudax;C-Media High Definition Audio Interface;c:\windows\system32\drivers\cmudax.sys [08/04/2005 11:28 1258432]

S0 pcsctdwx;pcsctdwx; [x]

S2 gupdate1c98713c4b29a9c;Google Update Service (gupdate1c98713c4b29a9c);c:\archivos de programa\Google\Update\GoogleUpdate.exe [04/02/2009 22:58 133104]

S2 xwovauhs;AGP Bus w766b Helper;c:\windows\System32\svchost.exe -k netsvcs [24/08/2001 17:00 12800]

S3 {BEE686B9-4C84-4487-9D72-9F40F051E973};{BEE686B9-4C84-4487-9D72-9F40F051E973};c:\windows\System32\svchost.exe -k netsvcs [24/08/2001 17:00 12800]

S3 SASENUM;SASENUM;c:\archivos de programa\SUPERAntiSpyware\SASENUM.SYS [12/10/2009 21:24 7408]

S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [31/12/2006 17:28 639224]

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs

 

{BEE686B9-4C84-4487-9D72-9F40F051E973}

.

------- Supplementary Scan -------

.

uInternet Connection Wizard,ShellNext = iexplore

uInternet Settings,ProxyOverride = microweb

IE: E&xportar a Microsoft Excel - c:\archiv~1\MICROS~2\Office10\EXCEL.EXE/3000

TCP: {6141C6A4-C488-4BFB-89DB-EE4A062B2C88} = 80.58.61.250,80.58.61.254

DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab

DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab

FF - ProfilePath - c:\documents and settings\pc\Datos de programa\Mozilla\Firefox\Profiles\7mq150nj.default\

FF - plugin: c:\archivos de programa\Google\Google Earth\plugin\npgeplugin.dll

FF - plugin: c:\archivos de programa\Google\Update\1.2.183.13\npGoogleOneClick8.dll

.

 

**************************************************************************

 

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-12-29 20:09

Windows 5.1.2600 Service Pack 1 NTFS

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

scanning hidden files ...

 

scan completed successfully

hidden files: 0

 

**************************************************************************

 

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\{BEE686B9-4C84-4487-9D72-9F40F051E973}]

"ServiceDll"="c:\docume~1\pc\CONFIG~1\Temp\24.tmp"

.

--------------------- LOCKED REGISTRY KEYS ---------------------

 

[HKEY_USERS\S-1-5-21-682003330-484061587-2147183463-1003\Software\SecuROM\License information*]

"datasecu"=hex:02,68,ba,dc,54,d4,11,32,e0,e6,ce,10,8a,61,09,99,aa,09,59,0f,36,

e6,b6,d3,3e,dc,15,5f,3c,f6,c8,3a,81,1f,f2,d8,a4,d6,17,d4,07,82,f0,b4,5c,db,\

"rkeysecu"=hex:7a,87,67,9f,a0,16,fa,68,fb,1d,d8,31,b3,f6,87,bb

 

[HKEY_USERS\S-1-5-21-682003330-484061587-2147183463-1003\Software\Zepter Software\RegLib*e4257279\CloneDVD2/2]

"1"=dword:4569f51e

"2"=dword:4723939c

.

--------------------- DLLs Loaded Under Running Processes ---------------------

 

- - - - - - - > 'winlogon.exe'(924)

c:\windows\System32\ODBC32.dll

c:\archivos de programa\SUPERAntiSpyware\SASWINLO.dll

c:\windows\system32\Ati2evxx.dll

c:\windows\System32\midimap.dll

 

- - - - - - - > 'lsass.exe'(980)

c:\windows\System32\dssenh.dll

c:\windows\System32\EntApi.dll

 

- - - - - - - > 'explorer.exe'(2416)

c:\windows\System32\EntApi.dll

c:\windows\System32\msi.dll

c:\windows\System32\midimap.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\System32\Ati2evxx.exe

c:\archivos de programa\Ahead\InCD\InCDsrv.exe

c:\archivos de programa\Google\Update\1.2.183.13\GoogleCrashHandler.exe

c:\archivos de programa\Java\jre6\bin\jqs.exe

c:\archivos de programa\Network Associates\Common Framework\FrameworkService.exe

c:\archivos de programa\Network Associates\VirusScan\mcshield.exe

c:\archivos de programa\Network Associates\VirusScan\vstskmgr.exe

c:\archiv~1\NETWOR~1\COMMON~1\naPrdMgr.exe

c:\archivos de programa\Archivos comunes\Microsoft Shared\VS7Debug\mdm.exe

c:\windows\System32\wdfmgr.exe

c:\windows\system32\Ati2evxx.exe

c:\docume~1\pc\CONFIG~1\Temp\4.tmp

.

**************************************************************************

.

Completion time: 2009-12-29 20:13:50 - machine was rebooted

ComboFix-quarantined-files.txt 2009-12-29 19:13

 

Pre-Run: 24.833.011.712 bytes libres

Post-Run: 24.690.454.528 bytes libres

 

Current=5 Default=5 Failed=4 LastKnownGood=6 Sets=1,2,3,4,5,6

- - End Of File - - 2FB220237FAB013F509795989306E2EF

 

 

MBR log:

 

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

 

device: opened successfully

user: MBR read successfully

kernel: MBR read successfully

detected MBR rootkit hooks:

\Driver\ACPI -> 0x86a645a0

\Device\Harddisk0\DR0 -> ParseProcedure -> 0x86a6b060

NDIS: Broadcom NetLink Gigabit Ethernet -> SendCompleteHandler -> 0x86acb3a0

Warning: possible MBR rootkit infection !

copy of MBR has been found in sector 0x017BD1417

malicious code @ sector 0x017BD141A !

PE file found in sector at 0x017BD1430 !

MBR rootkit infection detected ! Use: "mbr.exe -f" to fix.

 

SystemLook logs:

 

SystemLook v1.0 by jpshortstuff (29.08.09)

Log created at 20:34 on 29/12/2009 by pc (Administrator - Elevation successful)

 

========== filefind ==========

 

Searching for "qmgr.dll"

C:\WINDOWS\erdnt\cache\qmgr.dll --a--- 222720 bytes [19:20 28/12/2009] [17:51 09/09/2002] 08CE366B9C953931A4C88F4C8402056C

C:\WINDOWS\system32\qmgr.dll ------ 222720 bytes [09:53 08/04/2005] [17:51 09/09/2002] 08CE366B9C953931A4C88F4C8402056C

 

-=End Of File=-

 

SystemLook v1.0 by jpshortstuff (29.08.09)

Log created at 20:35 on 29/12/2009 by pc (Administrator - Elevation successful)

 

========== filefind ==========

 

Searching for "wscntfy.exe"

No files found.

 

-=End Of File=-

 

 

SystemLook v1.0 by jpshortstuff (29.08.09)

Log created at 20:36 on 29/12/2009 by pc (Administrator - Elevation successful)

 

========== filefind ==========

 

Searching for "xmlprov.dll"

No files found.

 

-=End Of File=-



  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View tab.
  • Under the Hidden files and folders heading select Show hidden files and folders.
  • Uncheck the Hide protected operating system files (recommended) option.
  • Click Yes to confirm.
  • Click OK.

 

Find out if this file in bold is present.

Delete it if found.

c:\docume~1\pc\CONFIG~1\Temp\24.tmp

===

 

Open notepad and copy/paste the text in the quote box below into it:

 

FixCSet::

 

Save this as CFScript on your desktop.

 

CFScriptB-4.gif

 

Referring to the picture above, drag CFScript into ComboFix.exe

Then post the resultant log.

===

 

Repeat these instructions again. You should have the mbr.exe tool, no need to download it again.

 

Please download this file and place it on your desktop.

http://www2.gmer.net/mbr/mbr.exe

 

Open the Start > run box

type cmd hit the ok button.

 

At the DOS prompt type mbr.exe -f (make sure you have a space before the e and the -f).

 

hit the enter key.

 

Type exit at the prompt and hit the enter key.

 

Restart the computer normally.

===

 

Run the mbr.exe again.

Let me see the results.

===

 

You are missing these files.

wscntfy.exe

xmlprov.dll

Do you have the XP installation disk?

===

 

Please submit the logs requested and tell me what problem persists.


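The reason the helper singles out the {BEE686B9-...} service and its Temp\24.tmp ServiceDll can be checked mechanically. The script below is an added example, not part of this thread and not ComboFix's own logic: it parses the "Drivers/Services" lines in the format ComboFix prints above, attaches the ServiceDll value that follows a Services registry header, and applies three triage rules that are my own assumptions (an svchost-hosted service whose ServiceDll lives in a temp directory or ends in .tmp, a service with no image path, and a service named by a bare GUID). The sample input is a constructed subset of the lines posted in this thread.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: service lines and the ServiceDll entry copied from the
# ComboFix logs posted in this thread.
SAMPLE_LOG = r"""
R1 SASDIFSV;SASDIFSV;c:\archivos de programa\SUPERAntiSpyware\sasdifsv.sys [12/10/2009 21:24 9968]
S0 pcsctdwx;pcsctdwx; [x]
S2 gupdate1c98713c4b29a9c;Google Update Service (gupdate1c98713c4b29a9c);c:\archivos de programa\Google\Update\GoogleUpdate.exe [04/02/2009 22:58 133104]
S2 xwovauhs;AGP Bus w766b Helper;c:\windows\System32\svchost.exe -k netsvcs [24/08/2001 17:00 12800]
S3 {BEE686B9-4C84-4487-9D72-9F40F051E973};{BEE686B9-4C84-4487-9D72-9F40F051E973};c:\windows\System32\svchost.exe -k netsvcs [24/08/2001 17:00 12800]
[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\{BEE686B9-4C84-4487-9D72-9F40F051E973}]
"ServiceDll"="c:\docume~1\pc\CONFIG~1\Temp\24.tmp"
"""

# "S2 name;display name;image path [date time size]"; image may be empty ("[x]")
SERVICE_RE = re.compile(
    r"^(?P<start>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<image>.*?)\s*\[(?P<meta>[^\]]*)\]$"
)
# Registry header ComboFix prints before a ServiceDll value it wants reviewed
KEY_RE = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\System\\[^\]]*\\Services\\(?P<name>[^\]\\]+)\]$", re.IGNORECASE
)
DLL_RE = re.compile(r'^"ServiceDll"="(?P<dll>[^"]*)"$', re.IGNORECASE)
GUID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
TEMP_MARKERS = ("\\temp\\", "\\tmp\\")


@dataclass
class Service:
    start: str
    name: str
    display: str
    image: str
    service_dll: Optional[str] = None


def parse_combofix(text: str) -> Dict[str, Service]:
    """Collect service lines (keyed by lower-case name) and attach ServiceDll values."""
    services: Dict[str, Service] = {}
    current_key: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SERVICE_RE.match(line)
        if m:
            svc = Service(m["start"], m["name"], m["display"], m["image"])
            services[svc.name.lower()] = svc
            current_key = None
            continue
        m = KEY_RE.match(line)
        if m:
            current_key = m["name"].lower()
            continue
        m = DLL_RE.match(line)
        if m and current_key is not None:
            # A ServiceDll may belong to a service that was not in the service list
            svc = services.setdefault(current_key, Service("?", current_key, "", "(not listed)"))
            svc.service_dll = m["dll"]
    return services


def assess(svc: Service) -> List[str]:
    """Triage heuristics; these are assumptions of this example, not ComboFix rules."""
    findings: List[str] = []
    image = svc.image.lower()
    if image == "":
        findings.append("REVIEW: no image path ([x]); orphaned service registration")
    if "svchost.exe" in image:
        if svc.service_dll is None:
            findings.append("REVIEW: svchost-hosted, ServiceDll not in log; check the Services key")
        else:
            dll = svc.service_dll.lower()
            if dll.endswith(".tmp") or any(t in dll for t in TEMP_MARKERS):
                findings.append(f"HIGH: svchost-hosted ServiceDll in a temp location: {svc.service_dll}")
    if GUID_RE.fullmatch(svc.name):
        findings.append("REVIEW: service name is a bare GUID")
    return findings


def triage(text: str) -> Dict[str, List[str]]:
    """Map each flagged service (lower-case name) to its findings; clean services are omitted."""
    result: Dict[str, List[str]] = {}
    for key, svc in parse_combofix(text).items():
        findings = assess(svc)
        if findings:
            result[key] = findings
    return result


if __name__ == "__main__":
    for name, findings in triage(SAMPLE_LOG).items():
        print(name)
        for finding in findings:
            print("   ", finding)
```

Only the temp-location rule is decisive on its own; the two REVIEW rules exist because ComboFix hides default entries, so anything it does print under netsvcs deserves a look at the real ServiceDll value before deciding.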
ComboFix log:

 

 

ComboFix 09-12-29.06 - pc 30/12/2009 20:15:29.9.1 - x86 MINIMAL

Microsoft Windows XP Professional 5.1.2600.1.1252.34.3082.18.1023.822 [GMT 1:00]

Running from: c:\documents and settings\pc\Escritorio\ComboFix.exe

Command switches used :: c:\documents and settings\pc\Escritorio\CFScript.txt

.

/wow section - STAGE 4

 

 

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

 

c:\windows\unins000.dat

c:\windows\unins000.exe

 

Infected copy of c:\windows\system32\qmgr.dll was found and disinfected

Restored copy from - c:\windows\erdnt\cache\qmgr.dll

 

.

((((((((((((((((((((((((( Files Created from 2009-11-28 to 2009-12-30 )))))))))))))))))))))))))))))))

.

 

2009-12-26 02:36 . 2009-12-26 02:36 -------- d-----w- c:\archivos de programa\EarMaster Pro 5

2009-12-26 02:36 . 2009-12-26 02:36 -------- d-----w- c:\documents and settings\pc\Datos de programa\EarMaster

2009-12-23 22:39 . 2009-12-23 22:53 -------- d-----w- c:\documents and settings\pc\Datos de programa\GNU Solfege

2009-12-23 22:37 . 2009-12-23 22:37 -------- d-----w- c:\archivos de programa\GNU Solfege

2009-12-22 22:45 . 2009-12-22 22:45 -------- d-----w- c:\windows\Logs

2009-12-22 22:45 . 2009-12-22 22:45 -------- d-----w- c:\archivos de programa\Telltale Games

2009-12-19 20:20 . 2009-12-19 20:20 -------- d--h--r- c:\documents and settings\LocalService\Reciente

2009-12-14 22:29 . 2009-12-14 22:30 -------- d-----w- C:\rsit

2009-12-14 00:20 . 2009-12-14 00:19 411368 ----a-w- c:\windows\system32\deploytk.dll

2009-12-12 19:38 . 2009-12-12 19:38 -------- d-----w- c:\windows\ERUNT

2009-12-07 03:02 . 2009-12-07 03:03 664 ----a-w- c:\windows\system32\d3d9caps.dat

2009-12-04 11:18 . 2009-12-04 11:18 -------- d-----w- c:\documents and settings\All Users\Datos de programa\Kaspersky Lab Setup Files

2009-12-04 10:09 . 2009-12-04 10:09 -------- d-----w- c:\documents and settings\Administrador\Datos de programa\Malwarebytes

 

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-12-30 19:17 . 2001-08-24 16:00 440050 ----a-w- c:\windows\system32\perfh00A.dat

2009-12-30 19:17 . 2001-08-24 16:00 68826 ----a-w- c:\windows\system32\perfc00A.dat

2009-12-23 21:17 . 2007-10-15 11:21 -------- d-----w- c:\archivos de programa\SUPERAntiSpyware

2009-12-22 06:02 . 2006-01-19 20:39 -------- d-----w- c:\archivos de programa\Google

2009-12-21 19:21 . 2007-01-27 14:18 -------- d-----w- c:\archivos de programa\Spybot - Search & Destroy

2009-12-21 19:20 . 2007-01-27 14:18 -------- d-----w- c:\documents and settings\All Users\Datos de programa\Spybot - Search & Destroy

2009-12-14 05:00 . 2009-10-28 02:15 117760 ----a-w- c:\documents and settings\pc\Datos de programa\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL

2009-12-14 00:19 . 2007-10-23 13:34 -------- d-----w- c:\archivos de programa\Java

2009-12-06 00:50 . 2009-11-28 09:58 -------- d-----w- c:\archivos de programa\SpeedFan

2009-12-06 00:28 . 2008-04-30 22:10 -------- d-----w- c:\archivos de programa\Malwarebytes' Anti-Malware

2009-12-06 00:28 . 2008-05-18 12:54 4844296 ----a-w- c:\documents and settings\All Users\Datos de programa\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe

2009-12-05 23:57 . 2007-10-12 23:58 -------- d-----w- c:\archivos de programa\Unlocker

2009-12-05 23:57 . 2005-05-20 17:00 -------- d-----w- c:\archivos de programa\Atari

2009-12-05 23:57 . 2005-04-08 10:27 -------- d--h--w- c:\archivos de programa\InstallShield Installation Information

2009-12-05 23:56 . 2005-05-20 17:16 -------- d-----w- c:\documents and settings\pc\Datos de programa\Atari

2009-12-05 20:34 . 2006-03-04 15:51 -------- d-----w- c:\documents and settings\pc\Datos de programa\ppstream

2009-12-03 15:14 . 2008-11-02 11:57 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-12-03 15:13 . 2008-05-18 12:54 18520 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-11-29 08:12 . 2009-11-29 08:12 -------- d-----w- c:\documents and settings\All Users\Datos de programa\Agnitum

2009-11-29 08:12 . 2009-11-29 08:12 -------- d-----w- c:\archivos de programa\Agnitum

2009-11-29 02:31 . 2009-11-29 02:23 -------- d-----w- c:\documents and settings\pc\Datos de programa\GlarySoft

2009-11-29 02:23 . 2005-11-01 14:44 -------- d-----w- c:\archivos de programa\RapidLeecher

2009-11-29 02:21 . 2005-05-11 11:58 -------- d-----w- c:\archivos de programa\BitComet

2009-11-29 02:17 . 2009-11-29 02:17 -------- d-----w- c:\archivos de programa\Glary Utilities

2009-11-28 19:10 . 2005-12-25 14:21 -------- d-----w- c:\archivos de programa\DDD Pool

2009-11-23 22:32 . 2005-04-08 18:12 -------- d-----w- c:\archivos de programa\Archivos comunes\Adobe

2009-11-23 01:13 . 2008-05-12 13:47 -------- d-----w- c:\documents and settings\pc\Datos de programa\FFSJ

2009-10-28 02:14 . 2009-10-28 02:14 65024 ----a-r- c:\documents and settings\pc\Datos de programa\Microsoft\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF15.exe

2009-10-28 02:14 . 2009-10-28 02:14 5120 ----a-r- c:\documents and settings\pc\Datos de programa\Microsoft\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF16.exe

2009-10-28 02:14 . 2009-10-28 02:14 18944 ----a-r- c:\documents and settings\pc\Datos de programa\Microsoft\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF13.exe

2005-10-02 18:55 . 2005-10-02 18:55 0 -c--a-w- c:\archivos de programa\AILog.txt

2007-10-28 16:44 . 2007-10-28 16:41 48 -csh--w- c:\windows\S46C32A27.tmp

2006-02-16 18:50 . 2006-02-16 18:47 952 -csha-w- c:\windows\system32\KGyGaAvL.sys

.

 

------- Sigcheck -------

 

 

 

[7] 2004-08-11 00:45 . A477391B7A8B0A0DAABADB17CF533A4B . 25088 . . [10.0.3790.3646] . . c:\windows\RegisteredPackages\{30C7234B-6482-4A55-A11D-ECD9030313F2}\MsPMSNSv.dll

[-] 2002-12-17 16:43 . 53D4E72452CE025F96B652B02BF9B89C . 52736 . . [9.0.1.56] . . c:\windows\RegisteredPackages\{30C7234B-6482-4A55-A11D-ECD9030313F2}$BACKUP$\System\MsPMSNSv.dll

[-] 2002-12-17 16:43 . 53D4E72452CE025F96B652B02BF9B89C . 52736 . . [9.0.1.56] . . c:\windows\system32\MsPMSNSv.dll

 

c:\windows\System32\wscntfy.exe ... is missing !!

c:\windows\System32\xmlprov.dll ... is missing !!

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"MSMSGS"="c:\archivos de programa\Messenger\msmsgs.exe" [2004-11-15 1670144]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"McAfeeUpdaterUI"="c:\archivos de programa\Network Associates\Common Framework\UpdaterUI.exe" [2004-08-06 139320]

"ShStatEXE"="c:\archivos de programa\Network Associates\VirusScan\SHSTAT.EXE" [2004-08-25 94208]

"Network Associates Error Reporting Service"="c:\archivos de programa\Archivos comunes\Network Associates\TalkBack\tbmon.exe" [2003-10-07 147514]

"SunJavaUpdateSched"="c:\archivos de programa\Java\jre6\bin\jusched.exe" [2009-12-14 149280]

 

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2002-09-09 13312]

 

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\archivos de programa\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2009-09-03 14:21 548352 ----a-w- c:\archivos de programa\SUPERAntiSpyware\SASWINLO.dll

 

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menú Inicio^Programas^Inicio^Google Updater.lnk]

path=c:\documents and settings\All Users\Menú Inicio\Programas\Inicio\Google Updater.lnk

backup=c:\windows\pss\Google Updater.lnkCommon Startup

 

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menú Inicio^Programas^Inicio^Microsoft Office.lnk]

backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

 

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menú Inicio^Programas^Inicio^uninstall.exe]

path=c:\documents and settings\All Users\Menú Inicio\Programas\Inicio\uninstall.exe

backup=c:\windows\pss\uninstall.exeCommon Startup

 

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menú Inicio^Programas^Inicio^uninstall.exe.old]

path=c:\documents and settings\All Users\Menú Inicio\Programas\Inicio\uninstall.exe.old

backup=c:\windows\pss\uninstall.exe.oldCommon Startup

 

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menú Inicio^Programas^Inicio^VIA RAID TOOL.lnk]

backup=c:\windows\pss\VIA RAID TOOL.lnkCommon Startup

 

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menú Inicio^Programas^Inicio^WinZip Quick Pick.lnk]

backup=c:\windows\pss\WinZip Quick Pick.lnkCommon Startup

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acceso directo a la página de propiedades de High Definition Audio]

2004-03-17 13:10 61952 -c----w- c:\windows\system32\Hdaudpropshortcut.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]

2009-09-04 11:08 935288 ----a-r- c:\archivos de programa\Archivos comunes\Adobe\ARM\1.0\AdobeARM.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AgenteADSL_15]

2006-08-05 11:32 28672 ----a-w- c:\archivos de programa\Telefonica\KitAIM\AimExDll.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]

2006-09-14 20:09 157592 ----a-w- c:\archivos de programa\DAEMON Tools\daemon.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InCD]

2004-09-13 09:51 1450096 ------w- c:\archivos de programa\Ahead\InCD\InCD.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]

2005-02-16 16:15 81920 ----a-w- c:\archivos de programa\Archivos comunes\InstallShield\UpdateService\issch.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]

2006-08-05 11:32 155648 -c--a-w- c:\windows\system32\NeroCheck.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

2005-08-24 11:29 98304 ----a-w- c:\archivos de programa\QuickTime\qttask.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]

2008-06-10 02:27 144784 ----a-w- c:\archivos de programa\Java\jre1.6.0_07\bin\jusched.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]

2009-10-12 20:24 2000112 ----a-w- c:\archivos de programa\SUPERAntiSpyware\SUPERAntiSpyware.exe

 

R1 NaiAvTdi1;NaiAvTdi1;c:\windows\system32\drivers\mvstdi5x.sys [31/07/2005 19:19 58016]

R1 SASDIFSV;SASDIFSV;c:\archivos de programa\SUPERAntiSpyware\sasdifsv.sys [12/10/2009 21:24 9968]

R1 SASKUTIL;SASKUTIL;c:\archivos de programa\SUPERAntiSpyware\SASKUTIL.SYS [12/10/2009 21:24 74480]

R2 RVIEGVST;VSC VST Engine;c:\archivos de programa\Roland\Virtual Sound Canvas VST\RVIEg01VST.sys [29/03/2009 22:56 188276]

R3 cmudax;C-Media High Definition Audio Interface;c:\windows\system32\drivers\cmudax.sys [08/04/2005 11:28 1258432]

S0 pcsctdwx;pcsctdwx; [x]

S2 gupdate1c98713c4b29a9c;Google Update Service (gupdate1c98713c4b29a9c);c:\archivos de programa\Google\Update\GoogleUpdate.exe [04/02/2009 22:58 133104]

S2 xwovauhs;AGP Bus w766b Helper;c:\windows\System32\svchost.exe -k netsvcs [24/08/2001 17:00 12800]

S3 {BEE686B9-4C84-4487-9D72-9F40F051E973};{BEE686B9-4C84-4487-9D72-9F40F051E973};c:\windows\System32\svchost.exe -k netsvcs [24/08/2001 17:00 12800]

S3 SASENUM;SASENUM;c:\archivos de programa\SUPERAntiSpyware\SASENUM.SYS [12/10/2009 21:24 7408]

S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [31/12/2006 17:28 639224]

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs

 

{BEE686B9-4C84-4487-9D72-9F40F051E973}

.

Contents of the 'Scheduled Tasks' folder

 

2009-11-29 c:\windows\Tasks\GlaryInitialize.job

- c:\archivos de programa\Glary Utilities\initialize.exe [2009-11-29 09:21]

.

.

------- Supplementary Scan -------

.

uInternet Connection Wizard,ShellNext = iexplore

uInternet Settings,ProxyOverride = microweb

IE: E&xportar a Microsoft Excel - c:\archiv~1\MICROS~2\Office10\EXCEL.EXE/3000

TCP: {6141C6A4-C488-4BFB-89DB-EE4A062B2C88} = 80.58.61.250,80.58.61.254

DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab

DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab

FF - ProfilePath - c:\documents and settings\pc\Datos de programa\Mozilla\Firefox\Profiles\7mq150nj.default\

FF - plugin: c:\archivos de programa\Google\Google Earth\plugin\npgeplugin.dll

FF - plugin: c:\archivos de programa\Google\Update\1.2.183.13\npGoogleOneClick8.dll

.

- - - - ORPHANS REMOVED - - - -

 

AddRemove-File Splitter and Joiner_is1 - c:\windows\unins000.exe

 

 

 

**************************************************************************

 

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-12-30 20:24

Windows 5.1.2600 Service Pack 1 NTFS

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

scanning hidden files ...

 

scan completed successfully

hidden files: 0

 

**************************************************************************

 

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\{BEE686B9-4C84-4487-9D72-9F40F051E973}]

"ServiceDll"="c:\docume~1\pc\CONFIG~1\Temp\24.tmp"

.

--------------------- LOCKED REGISTRY KEYS ---------------------

 

[HKEY_USERS\S-1-5-21-682003330-484061587-2147183463-1003\Software\SecuROM\License information*]

"datasecu"=hex:02,68,ba,dc,54,d4,11,32,e0,e6,ce,10,8a,61,09,99,aa,09,59,0f,36,

e6,b6,d3,3e,dc,15,5f,3c,f6,c8,3a,81,1f,f2,d8,a4,d6,17,d4,07,82,f0,b4,5c,db,\

"rkeysecu"=hex:7a,87,67,9f,a0,16,fa,68,fb,1d,d8,31,b3,f6,87,bb

 

[HKEY_USERS\S-1-5-21-682003330-484061587-2147183463-1003\Software\Zepter Software\RegLib*e4257279\CloneDVD2/2]

"1"=dword:4569f51e

"2"=dword:4723939c

.

--------------------- DLLs Loaded Under Running Processes ---------------------

 

- - - - - - - > 'winlogon.exe'(924)

c:\windows\System32\ODBC32.dll

c:\archivos de programa\SUPERAntiSpyware\SASWINLO.dll

c:\windows\system32\Ati2evxx.dll

c:\windows\System32\midimap.dll

 

- - - - - - - > 'lsass.exe'(980)

c:\windows\System32\dssenh.dll

c:\windows\System32\EntApi.dll

 

- - - - - - - > 'explorer.exe'(2648)

c:\windows\System32\EntApi.dll

c:\windows\System32\msi.dll

c:\windows\System32\midimap.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\System32\Ati2evxx.exe

c:\archivos de programa\Ahead\InCD\InCDsrv.exe

c:\archivos de programa\Java\jre6\bin\jqs.exe

c:\archivos de programa\Google\Update\1.2.183.13\GoogleCrashHandler.exe

c:\archivos de programa\Network Associates\Common Framework\FrameworkService.exe

c:\archivos de programa\Network Associates\VirusScan\mcshield.exe

c:\archivos de programa\Network Associates\VirusScan\vstskmgr.exe

c:\archiv~1\NETWOR~1\COMMON~1\naPrdMgr.exe

c:\archivos de programa\Archivos comunes\Microsoft Shared\VS7Debug\mdm.exe

c:\windows\System32\wdfmgr.exe

c:\windows\system32\Ati2evxx.exe

.

**************************************************************************

.

Completion time: 2009-12-30 20:26:42 - machine was rebooted

ComboFix-quarantined-files.txt 2009-12-30 19:26

 

Pre-Run: 23.849.189.376 bytes libres

Post-Run: 23.763.873.792 bytes libres

 

- - End Of File - - DD31F9BEC73B680CE8CCF7F36F575B5B

 

 

MBR log:

 

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

 

device: opened successfully

user: MBR read successfully

kernel: MBR read successfully

user & kernel MBR OK

copy of MBR has been found in sector 0x017BD1417

malicious code @ sector 0x017BD141A !

PE file found in sector at 0x017BD1430 !

 

 

Yes, I have the XP installation disk.


Open notepad and copy/paste the text in the quote box below into it:

 

File::
c:\docume~1\pc\CONFIG~1\Temp\24.tmp

Driver::
BEE686B9-4C84-4487-9D72-9F40F051E973
{BEE686B9-4C84-4487-9D72-9F40F051E973}

 

Save this as CFScript on your desktop.

 

CFScriptB-4.gif

 

Referring to the picture above, drag CFScript into ComboFix.exe

Then post the resultant log.

 

Please execute the mbr.exe -f command again.

 

Post the log.

 

Important: please let me know how the computer is performing.


ComboFix 09-12-31.01 - pc 31/12/2009 20:13:21.10.1 - x86 MINIMAL

Microsoft Windows XP Professional 5.1.2600.1.1252.34.3082.18.1023.821 [GMT 1:00]

Running from: c:\documents and settings\pc\Escritorio\ComboFix.exe

Command switches used :: c:\documents and settings\pc\Escritorio\CFScript.txt

 

FILE ::

"c:\docume~1\pc\CONFIG~1\Temp\24.tmp"

.

/wow section - STAGE 4

 

 

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

 

Infected copy of c:\windows\system32\qmgr.dll was found and disinfected

Restored copy from - c:\windows\erdnt\cache\qmgr.dll

 

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

 

-------\Legacy_{BEE686B9-4C84-4487-9D72-9F40F051E973}

-------\Service_{BEE686B9-4C84-4487-9D72-9F40F051E973}

 

 

((((((((((((((((((((((((( Files Created from 2009-11-28 to 2009-12-31 )))))))))))))))))))))))))))))))

.

 

2009-12-26 02:36 . 2009-12-26 02:36 -------- d-----w- c:\archivos de programa\EarMaster Pro 5

2009-12-26 02:36 . 2009-12-26 02:36 -------- d-----w- c:\documents and settings\pc\Datos de programa\EarMaster

2009-12-23 22:39 . 2009-12-23 22:53 -------- d-----w- c:\documents and settings\pc\Datos de programa\GNU Solfege

2009-12-23 22:37 . 2009-12-23 22:37 -------- d-----w- c:\archivos de programa\GNU Solfege

2009-12-22 22:45 . 2009-12-22 22:45 -------- d-----w- c:\windows\Logs

2009-12-22 22:45 . 2009-12-22 22:45 -------- d-----w- c:\archivos de programa\Telltale Games

2009-12-19 20:20 . 2009-12-19 20:20 -------- d--h--r- c:\documents and settings\LocalService\Reciente

2009-12-14 22:29 . 2009-12-14 22:30 -------- d-----w- C:\rsit

2009-12-14 00:20 . 2009-12-14 00:19 411368 ----a-w- c:\windows\system32\deploytk.dll

2009-12-12 19:38 . 2009-12-12 19:38 -------- d-----w- c:\windows\ERUNT

2009-12-07 03:02 . 2009-12-07 03:03 664 ----a-w- c:\windows\system32\d3d9caps.dat

2009-12-04 11:18 . 2009-12-04 11:18 -------- d-----w- c:\documents and settings\All Users\Datos de programa\Kaspersky Lab Setup Files

2009-12-04 10:09 . 2009-12-04 10:09 -------- d-----w- c:\documents and settings\Administrador\Datos de programa\Malwarebytes

 

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-12-31 19:15 . 2001-08-24 16:00 68826 ----a-w- c:\windows\system32\perfc00A.dat

2009-12-31 19:15 . 2001-08-24 16:00 440050 ----a-w- c:\windows\system32\perfh00A.dat

2009-12-23 21:17 . 2007-10-15 11:21 -------- d-----w- c:\archivos de programa\SUPERAntiSpyware

2009-12-22 06:02 . 2006-01-19 20:39 -------- d-----w- c:\archivos de programa\Google

2009-12-21 19:21 . 2007-01-27 14:18 -------- d-----w- c:\archivos de programa\Spybot - Search & Destroy

2009-12-21 19:20 . 2007-01-27 14:18 -------- d-----w- c:\documents and settings\All Users\Datos de programa\Spybot - Search & Destroy

2009-12-14 05:00 . 2009-10-28 02:15 117760 ----a-w- c:\documents and settings\pc\Datos de programa\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL

2009-12-14 00:19 . 2007-10-23 13:34 -------- d-----w- c:\archivos de programa\Java

2009-12-06 00:50 . 2009-11-28 09:58 -------- d-----w- c:\archivos de programa\SpeedFan

2009-12-06 00:28 . 2008-04-30 22:10 -------- d-----w- c:\archivos de programa\Malwarebytes' Anti-Malware

2009-12-06 00:28 . 2008-05-18 12:54 4844296 ----a-w- c:\documents and settings\All Users\Datos de programa\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe

2009-12-05 23:57 . 2007-10-12 23:58 -------- d-----w- c:\archivos de programa\Unlocker

2009-12-05 23:57 . 2005-05-20 17:00 -------- d-----w- c:\archivos de programa\Atari

2009-12-05 23:57 . 2005-04-08 10:27 -------- d--h--w- c:\archivos de programa\InstallShield Installation Information

2009-12-05 23:56 . 2005-05-20 17:16 -------- d-----w- c:\documents and settings\pc\Datos de programa\Atari

2009-12-05 20:34 . 2006-03-04 15:51 -------- d-----w- c:\documents and settings\pc\Datos de programa\ppstream

2009-12-03 15:14 . 2008-11-02 11:57 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-12-03 15:13 . 2008-05-18 12:54 18520 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-11-29 08:12 . 2009-11-29 08:12 -------- d-----w- c:\documents and settings\All Users\Datos de programa\Agnitum

2009-11-29 08:12 . 2009-11-29 08:12 -------- d-----w- c:\archivos de programa\Agnitum

2009-11-29 02:31 . 2009-11-29 02:23 -------- d-----w- c:\documents and settings\pc\Datos de programa\GlarySoft

2009-11-29 02:23 . 2005-11-01 14:44 -------- d-----w- c:\archivos de programa\RapidLeecher

2009-11-29 02:21 . 2005-05-11 11:58 -------- d-----w- c:\archivos de programa\BitComet

2009-11-29 02:17 . 2009-11-29 02:17 -------- d-----w- c:\archivos de programa\Glary Utilities

2009-11-28 19:10 . 2005-12-25 14:21 -------- d-----w- c:\archivos de programa\DDD Pool

2009-11-23 22:32 . 2005-04-08 18:12 -------- d-----w- c:\archivos de programa\Archivos comunes\Adobe

2009-11-23 01:13 . 2008-05-12 13:47 -------- d-----w- c:\documents and settings\pc\Datos de programa\FFSJ

2009-10-28 02:14 . 2009-10-28 02:14 65024 ----a-r- c:\documents and settings\pc\Datos de programa\Microsoft\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF15.exe

2009-10-28 02:14 . 2009-10-28 02:14 5120 ----a-r- c:\documents and settings\pc\Datos de programa\Microsoft\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF16.exe

2009-10-28 02:14 . 2009-10-28 02:14 18944 ----a-r- c:\documents and settings\pc\Datos de programa\Microsoft\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF13.exe

2005-10-02 18:55 . 2005-10-02 18:55 0 -c--a-w- c:\archivos de programa\AILog.txt

2007-10-28 16:44 . 2007-10-28 16:41 48 -csh--w- c:\windows\S46C32A27.tmp

2006-02-16 18:50 . 2006-02-16 18:47 952 -csha-w- c:\windows\system32\KGyGaAvL.sys

.

 

------- Sigcheck -------

 

 

 

[7] 2004-08-11 00:45 . A477391B7A8B0A0DAABADB17CF533A4B . 25088 . . [10.0.3790.3646] . . c:\windows\RegisteredPackages\{30C7234B-6482-4A55-A11D-ECD9030313F2}\MsPMSNSv.dll

[-] 2002-12-17 16:43 . 53D4E72452CE025F96B652B02BF9B89C . 52736 . . [9.0.1.56] . . c:\windows\RegisteredPackages\{30C7234B-6482-4A55-A11D-ECD9030313F2}$BACKUP$\System\MsPMSNSv.dll

[-] 2002-12-17 16:43 . 53D4E72452CE025F96B652B02BF9B89C . 52736 . . [9.0.1.56] . . c:\windows\system32\MsPMSNSv.dll

 

c:\windows\System32\wscntfy.exe ... is missing !!

c:\windows\System32\xmlprov.dll ... is missing !!

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"MSMSGS"="c:\archivos de programa\Messenger\msmsgs.exe" [2004-11-15 1670144]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"McAfeeUpdaterUI"="c:\archivos de programa\Network Associates\Common Framework\UpdaterUI.exe" [2004-08-06 139320]

"ShStatEXE"="c:\archivos de programa\Network Associates\VirusScan\SHSTAT.EXE" [2004-08-25 94208]

"Network Associates Error Reporting Service"="c:\archivos de programa\Archivos comunes\Network Associates\TalkBack\tbmon.exe" [2003-10-07 147514]

"SunJavaUpdateSched"="c:\archivos de programa\Java\jre6\bin\jusched.exe" [2009-12-14 149280]

 

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2002-09-09 13312]

 

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\archivos de programa\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2009-09-03 14:21 548352 ----a-w- c:\archivos de programa\SUPERAntiSpyware\SASWINLO.dll

 

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menú Inicio^Programas^Inicio^Google Updater.lnk]

path=c:\documents and settings\All Users\Menú Inicio\Programas\Inicio\Google Updater.lnk

backup=c:\windows\pss\Google Updater.lnkCommon Startup

 

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menú Inicio^Programas^Inicio^Microsoft Office.lnk]

backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

 

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menú Inicio^Programas^Inicio^uninstall.exe]

path=c:\documents and settings\All Users\Menú Inicio\Programas\Inicio\uninstall.exe

backup=c:\windows\pss\uninstall.exeCommon Startup

 

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menú Inicio^Programas^Inicio^uninstall.exe.old]

path=c:\documents and settings\All Users\Menú Inicio\Programas\Inicio\uninstall.exe.old

backup=c:\windows\pss\uninstall.exe.oldCommon Startup

 

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menú Inicio^Programas^Inicio^VIA RAID TOOL.lnk]

backup=c:\windows\pss\VIA RAID TOOL.lnkCommon Startup

 

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menú Inicio^Programas^Inicio^WinZip Quick Pick.lnk]

backup=c:\windows\pss\WinZip Quick Pick.lnkCommon Startup

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acceso directo a la página de propiedades de High Definition Audio]

2004-03-17 13:10 61952 -c----w- c:\windows\system32\Hdaudpropshortcut.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]

2009-09-04 11:08 935288 ----a-r- c:\archivos de programa\Archivos comunes\Adobe\ARM\1.0\AdobeARM.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AgenteADSL_15]

2006-08-05 11:32 28672 ----a-w- c:\archivos de programa\Telefonica\KitAIM\AimExDll.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]

2006-09-14 20:09 157592 ----a-w- c:\archivos de programa\DAEMON Tools\daemon.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InCD]

2004-09-13 09:51 1450096 ------w- c:\archivos de programa\Ahead\InCD\InCD.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]

2005-02-16 16:15 81920 ----a-w- c:\archivos de programa\Archivos comunes\InstallShield\UpdateService\issch.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]

2006-08-05 11:32 155648 -c--a-w- c:\windows\system32\NeroCheck.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

2005-08-24 11:29 98304 ----a-w- c:\archivos de programa\QuickTime\qttask.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]

2008-06-10 02:27 144784 ----a-w- c:\archivos de programa\Java\jre1.6.0_07\bin\jusched.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]

2009-10-12 20:24 2000112 ----a-w- c:\archivos de programa\SUPERAntiSpyware\SUPERAntiSpyware.exe

 

R1 NaiAvTdi1;NaiAvTdi1;c:\windows\system32\drivers\mvstdi5x.sys [31/07/2005 19:19 58016]

R1 SASDIFSV;SASDIFSV;c:\archivos de programa\SUPERAntiSpyware\sasdifsv.sys [12/10/2009 21:24 9968]

R1 SASKUTIL;SASKUTIL;c:\archivos de programa\SUPERAntiSpyware\SASKUTIL.SYS [12/10/2009 21:24 74480]

R2 RVIEGVST;VSC VST Engine;c:\archivos de programa\Roland\Virtual Sound Canvas VST\RVIEg01VST.sys [29/03/2009 22:56 188276]

R3 cmudax;C-Media High Definition Audio Interface;c:\windows\system32\drivers\cmudax.sys [08/04/2005 11:28 1258432]

S0 pcsctdwx;pcsctdwx; [x]

S2 gupdate1c98713c4b29a9c;Google Update Service (gupdate1c98713c4b29a9c);c:\archivos de programa\Google\Update\GoogleUpdate.exe [04/02/2009 22:58 133104]

S2 xwovauhs;AGP Bus w766b Helper;c:\windows\System32\svchost.exe -k netsvcs [24/08/2001 17:00 12800]

S3 SASENUM;SASENUM;c:\archivos de programa\SUPERAntiSpyware\SASENUM.SYS [12/10/2009 21:24 7408]

S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [31/12/2006 17:28 639224]

 

--- Other Services/Drivers In Memory ---

 

*NewlyCreated* - ENTDRV51

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs

 

.

Contents of the 'Scheduled Tasks' folder

 

2009-11-29 c:\windows\Tasks\GlaryInitialize.job

- c:\archivos de programa\Glary Utilities\initialize.exe [2009-11-29 09:21]

.

.

------- Supplementary Scan -------

.

uInternet Connection Wizard,ShellNext = iexplore

uInternet Settings,ProxyOverride = microweb

IE: E&xportar a Microsoft Excel - c:\archiv~1\MICROS~2\Office10\EXCEL.EXE/3000

TCP: {6141C6A4-C488-4BFB-89DB-EE4A062B2C88} = 80.58.61.250,80.58.61.254

DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab

DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab

FF - ProfilePath - c:\documents and settings\pc\Datos de programa\Mozilla\Firefox\Profiles\7mq150nj.default\

FF - plugin: c:\archivos de programa\Google\Google Earth\plugin\npgeplugin.dll

FF - plugin: c:\archivos de programa\Google\Update\1.2.183.13\npGoogleOneClick8.dll

.

 

**************************************************************************

 

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-12-31 20:22

Windows 5.1.2600 Service Pack 1 NTFS

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

scanning hidden files ...

 

scan completed successfully

hidden files: 0

 

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

 

[HKEY_USERS\S-1-5-21-682003330-484061587-2147183463-1003\Software\SecuROM\License information*]

"datasecu"=hex:02,68,ba,dc,54,d4,11,32,e0,e6,ce,10,8a,61,09,99,aa,09,59,0f,36,

e6,b6,d3,3e,dc,15,5f,3c,f6,c8,3a,81,1f,f2,d8,a4,d6,17,d4,07,82,f0,b4,5c,db,\

"rkeysecu"=hex:7a,87,67,9f,a0,16,fa,68,fb,1d,d8,31,b3,f6,87,bb

 

[HKEY_USERS\S-1-5-21-682003330-484061587-2147183463-1003\Software\Zepter Software\RegLib*e4257279\CloneDVD2/2]

"1"=dword:4569f51e

"2"=dword:4723939c

.

--------------------- DLLs Loaded Under Running Processes ---------------------

 

- - - - - - - > 'winlogon.exe'(924)

c:\windows\System32\ODBC32.dll

c:\archivos de programa\SUPERAntiSpyware\SASWINLO.dll

c:\windows\system32\Ati2evxx.dll

c:\windows\System32\midimap.dll

 

- - - - - - - > 'lsass.exe'(980)

c:\windows\System32\dssenh.dll

c:\windows\System32\EntApi.dll

 

- - - - - - - > 'explorer.exe'(556)

c:\windows\System32\EntApi.dll

c:\windows\System32\msi.dll

c:\windows\System32\midimap.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\System32\Ati2evxx.exe

c:\archivos de programa\Ahead\InCD\InCDsrv.exe

c:\archivos de programa\Java\jre6\bin\jqs.exe

c:\archivos de programa\Google\Update\1.2.183.13\GoogleCrashHandler.exe

c:\archivos de programa\Network Associates\Common Framework\FrameworkService.exe

c:\windows\system32\Ati2evxx.exe

c:\archivos de programa\Network Associates\VirusScan\mcshield.exe

c:\archivos de programa\Network Associates\VirusScan\vstskmgr.exe

c:\archiv~1\NETWOR~1\COMMON~1\naPrdMgr.exe

c:\archivos de programa\Archivos comunes\Microsoft Shared\VS7Debug\mdm.exe

c:\windows\System32\wdfmgr.exe

.

**************************************************************************

.

Completion time: 2009-12-31 20:25:05 - machine was rebooted

ComboFix-quarantined-files.txt 2009-12-31 19:25

ComboFix2.txt 2009-12-30 19:26

 

Pre-Run: 26.214.678.528 bytes libres

Post-Run: 26.090.278.912 bytes libres

 

- - End Of File - - C57E16EF897FB04FCDDC84BF996CDE95

 

 

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

 

device: opened successfully

user: MBR read successfully

kernel: MBR read successfully

user & kernel MBR OK

copy of MBR has been found in sector 0x017BD1417

malicious code @ sector 0x017BD141A !

PE file found in sector at 0x017BD1430 !

 

 

I still have to run ComboFix in safe mode.

I still have the same problems when running GoogleEarth or a game.

Edited by queno


Something is hidden. Let's see what this scan will find.

 

Please download the Sophos Anti-Rootkit Scanner and save it to your desktop.

 

You will need to enter your name, e-mail address and location in order to access the download page.

 

  • Once you have downloaded the file, double click the sarsfx icon
  • Review the licence agreement and click on the Accept button
  • The scanner will prompt you to extract the files to C:\SOPHTEMP - DO NOT change this location, simply click the Install button
  • Once the files have been extracted; using Windows Explorer, navigate to C:\SOPHTEMP and double click on the blue shield icon called sargui
  • Ensure that there are checkmarks next to Running processes, Windows registry and Local hard drives, then click Start scan
  • Allow the program to scan your computer - please be patient as it may take some time
  • Once the scan has completed a window will pop up with the results of the scan - click OK to this
  • In the main window, you will see each of the entries found by the scan (if any)
    • If the scanner generated any warning messages, please click on each warning and copy and paste the text of it into this thread for me to review
    • Once you have posted any warning messages here, you can close the scanner and wait for me to get back to you
    • If you have not had any warnings, any entries which can be cleaned up by the scanner will have a box with a green checkmark in it next to the entry
    • To clean up these entries click on the Clean up checked items button
    • If you accidentally check a file NOT recommended for clean up, you will get a warning message and if necessary can re-select the entries you want to clean up
    • Once you have cleaned the selected files, you will be prompted to re-boot your computer - please do so
    • When you have re-booted, please post a fresh HijackThis log into this thread and tell me how your computer is running now

Thanks


Hi!

 

Sophos Anti-Rootkit Scanner detected some hidden registry keys and nothing more. The scanner didn't generate any warning messages and there wasn't any box with a green checkmark in it next to the entry, so I couldn't press the Clean up checked items button.

 

Thanks again and happy new year!!!


Download catchme.exe to your desktop.

http://www.gmer.net/catchme.php

This tool is from GMER.

 

Double click the catchme.exe to run it

 

Open the catchme.log with Notepad and post the results back here.


catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-01-02 19:33:18

Windows 5.1.2600 Service Pack 1 NTFS

 

scanning hidden processes ...

 

scanning hidden services & system hive ...

 

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]

"h0"=dword:00000000

"khjeh"=hex:a2,16,83,62,f6,9d,b9,e3,72,e9,51,ff,21,12,71,cf,e6,02,3d,f2,03,..

"p0"="C:\Archivos de programa\DAEMON Tools\"

 

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]

"a0"=hex:20,01,00,00,d6,85,b5,9c,bf,5a,60,d0,c2,eb,20,9e,c6,9f,86,ba,98,..

"khjeh"=hex:c1,e9,f9,0d,b1,46,32,ef,74,75,dd,13,32,26,1f,3c,2b,ca,78,1a,85,..

 

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]

"khjeh"=hex:b5,28,cd,f7,2e,db,c4,3a,1f,b9,d7,07,98,93,82,28,00,c1,83,5d,18,..

 

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41]

"khjeh"=hex:e5,1b,94,d2,0e,7e,9b,a4,80,ad,44,4e,63,59,3b,0d,ef,fa,85,d1,d8,..

 

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42]

"khjeh"=hex:c1,6a,54,82,b1,79,26,1d,a3,c5,03,35,2f,49,2d,c9,e3,a9,78,a5,df,..

 

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf43]

"khjeh"=hex:28,69,91,ef,09,c8,f3,a6,9b,e3,ff,bf,a7,e0,74,99,6a,9c,29,b5,3c,..

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]

"h0"=dword:00000000

"khjeh"=hex:a2,16,83,62,f6,9d,b9,e3,72,e9,51,ff,21,12,71,cf,e6,02,3d,f2,03,..

"p0"="C:\Archivos de programa\DAEMON Tools\"

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]

"a0"=hex:20,01,00,00,d6,85,b5,9c,bf,5a,60,d0,c2,eb,20,9e,c6,9f,86,ba,98,..

"khjeh"=hex:ae,26,b4,1e,6f,71,ac,03,2f,33,75,ac,d4,df,7b,58,ec,4c,b4,ca,3c,..

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]

"khjeh"=hex:b5,28,cd,f7,2e,db,c4,3a,1f,b9,d7,07,98,93,82,28,00,c1,83,5d,18,..

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41]

"khjeh"=hex:e5,1b,94,d2,0e,7e,9b,a4,80,ad,44,4e,63,59,3b,0d,ef,fa,85,d1,d8,..

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42]

"khjeh"=hex:ca,43,fd,21,41,42,b8,2d,6a,b8,fe,0d,f9,21,87,c5,33,21,4f,4e,a1,..

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf43]

"khjeh"=hex:44,1e,45,50,5c,a5,44,0a,40,c8,3f,e4,9f,73,dd,f1,e8,46,a6,1d,08,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet006\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]

"h0"=dword:00000000

"khjeh"=hex:a2,16,83,62,f6,9d,b9,e3,72,e9,51,ff,21,12,71,cf,e6,02,3d,f2,03,..

"p0"="C:\Archivos de programa\DAEMON Tools\"

 

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet006\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]

"a0"=hex:20,01,00,00,d6,85,b5,9c,bf,5a,60,d0,c2,eb,20,9e,c6,9f,86,ba,98,..

"khjeh"=hex:ae,26,b4,1e,6f,71,ac,03,2f,33,75,ac,d4,df,7b,58,ec,4c,b4,ca,3c,..

 

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet006\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]

"khjeh"=hex:b5,28,cd,f7,2e,db,c4,3a,1f,b9,d7,07,98,93,82,28,00,c1,83,5d,18,..

 

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet006\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41]

"khjeh"=hex:e5,1b,94,d2,0e,7e,9b,a4,80,ad,44,4e,63,59,3b,0d,ef,fa,85,d1,d8,..

 

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet006\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42]

"khjeh"=hex:ca,43,fd,21,41,42,b8,2d,6a,b8,fe,0d,f9,21,87,c5,33,21,4f,4e,a1,..

 

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet006\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf43]

"khjeh"=hex:44,1e,45,50,5c,a5,44,0a,40,c8,3f,e4,9f,73,dd,f1,e8,46,a6,1d,08,..

 

scanning hidden registry entries ...

 

scanning hidden files ...

 

scan completed successfully

hidden processes: 0

hidden services: 0

hidden files: 0


I'm checking with the experts. Stay with me.


There isn't enough information about fully disabling my Anti Virus in this link (http://www.bleepingc...opic114351.html), but I have found myself how to do it properly.

ComboFix log (Normal Mode):

 

 

ComboFix 10-01-02.05 - pc 03/01/2010 19:30:41.11.1 - x86

Microsoft Windows XP Professional 5.1.2600.1.1252.34.3082.18.1023.689 [GMT 1:00]

Running from: c:\documents and settings\pc\Escritorio\ComboFix.exe

.

/wow section - STAGE 4

 

 

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

 

Infected copy of c:\windows\system32\qmgr.dll was found and disinfected

Restored copy from - c:\windows\erdnt\cache\qmgr.dll

 

.

((((((((((((((((((((((((( Files Created from 2009-12-03 to 2010-01-03 )))))))))))))))))))))))))))))))

.

 

2010-01-01 21:07 . 2010-01-01 21:07 -------- d-----w- c:\archivos de programa\Sophos

2009-12-26 02:36 . 2009-12-26 02:36 -------- d-----w- c:\archivos de programa\EarMaster Pro 5

2009-12-26 02:36 . 2009-12-26 02:36 -------- d-----w- c:\documents and settings\pc\Datos de programa\EarMaster

2009-12-23 22:39 . 2009-12-23 22:53 -------- d-----w- c:\documents and settings\pc\Datos de programa\GNU Solfege

2009-12-23 22:37 . 2009-12-23 22:37 -------- d-----w- c:\archivos de programa\GNU Solfege

2009-12-22 22:45 . 2009-12-22 22:45 -------- d-----w- c:\windows\Logs

2009-12-22 22:45 . 2009-12-22 22:45 -------- d-----w- c:\archivos de programa\Telltale Games

2009-12-19 20:20 . 2009-12-19 20:20 -------- d--h--r- c:\documents and settings\LocalService\Reciente

2009-12-14 22:29 . 2009-12-14 22:30 -------- d-----w- C:\rsit

2009-12-14 00:20 . 2009-12-14 00:19 411368 ----a-w- c:\windows\system32\deploytk.dll

2009-12-12 19:38 . 2009-12-12 19:38 -------- d-----w- c:\windows\ERUNT

2009-12-07 03:02 . 2009-12-07 03:03 664 ----a-w- c:\windows\system32\d3d9caps.dat

 

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-01-03 18:22 . 2001-08-24 16:00 68826 ----a-w- c:\windows\system32\perfc00A.dat

2010-01-03 18:22 . 2001-08-24 16:00 440050 ----a-w- c:\windows\system32\perfh00A.dat

2009-12-23 21:17 . 2007-10-15 11:21 -------- d-----w- c:\archivos de programa\SUPERAntiSpyware

2009-12-22 06:02 . 2006-01-19 20:39 -------- d-----w- c:\archivos de programa\Google

2009-12-21 19:21 . 2007-01-27 14:18 -------- d-----w- c:\archivos de programa\Spybot - Search & Destroy

2009-12-21 19:20 . 2007-01-27 14:18 -------- d-----w- c:\documents and settings\All Users\Datos de programa\Spybot - Search & Destroy

2009-12-14 05:00 . 2009-10-28 02:15 117760 ----a-w- c:\documents and settings\pc\Datos de programa\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL

2009-12-14 00:19 . 2007-10-23 13:34 -------- d-----w- c:\archivos de programa\Java

2009-12-06 00:50 . 2009-11-28 09:58 -------- d-----w- c:\archivos de programa\SpeedFan

2009-12-06 00:28 . 2008-04-30 22:10 -------- d-----w- c:\archivos de programa\Malwarebytes' Anti-Malware

2009-12-06 00:28 . 2008-05-18 12:54 4844296 ----a-w- c:\documents and settings\All Users\Datos de programa\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe

2009-12-05 23:57 . 2007-10-12 23:58 -------- d-----w- c:\archivos de programa\Unlocker

2009-12-05 23:57 . 2005-05-20 17:00 -------- d-----w- c:\archivos de programa\Atari

2009-12-05 23:57 . 2005-04-08 10:27 -------- d--h--w- c:\archivos de programa\InstallShield Installation Information

2009-12-05 23:56 . 2005-05-20 17:16 -------- d-----w- c:\documents and settings\pc\Datos de programa\Atari

2009-12-05 20:34 . 2006-03-04 15:51 -------- d-----w- c:\documents and settings\pc\Datos de programa\ppstream

2009-12-04 11:18 . 2009-12-04 11:18 -------- d-----w- c:\documents and settings\All Users\Datos de programa\Kaspersky Lab Setup Files

2009-12-04 10:09 . 2009-12-04 10:09 -------- d-----w- c:\documents and settings\Administrador\Datos de programa\Malwarebytes

2009-12-03 15:14 . 2008-11-02 11:57 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-12-03 15:13 . 2008-05-18 12:54 18520 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-11-29 08:12 . 2009-11-29 08:12 -------- d-----w- c:\documents and settings\All Users\Datos de programa\Agnitum

2009-11-29 08:12 . 2009-11-29 08:12 -------- d-----w- c:\archivos de programa\Agnitum

2009-11-29 02:31 . 2009-11-29 02:23 -------- d-----w- c:\documents and settings\pc\Datos de programa\GlarySoft

2009-11-29 02:23 . 2005-11-01 14:44 -------- d-----w- c:\archivos de programa\RapidLeecher

2009-11-29 02:21 . 2005-05-11 11:58 -------- d-----w- c:\archivos de programa\BitComet

2009-11-29 02:17 . 2009-11-29 02:17 -------- d-----w- c:\archivos de programa\Glary Utilities

2009-11-28 19:10 . 2005-12-25 14:21 -------- d-----w- c:\archivos de programa\DDD Pool

2009-11-23 22:32 . 2005-04-08 18:12 -------- d-----w- c:\archivos de programa\Archivos comunes\Adobe

2009-11-23 01:13 . 2008-05-12 13:47 -------- d-----w- c:\documents and settings\pc\Datos de programa\FFSJ

2009-10-28 02:14 . 2009-10-28 02:14 65024 ----a-r- c:\documents and settings\pc\Datos de programa\Microsoft\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF15.exe

2009-10-28 02:14 . 2009-10-28 02:14 5120 ----a-r- c:\documents and settings\pc\Datos de programa\Microsoft\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF16.exe

2009-10-28 02:14 . 2009-10-28 02:14 18944 ----a-r- c:\documents and settings\pc\Datos de programa\Microsoft\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF13.exe

2005-10-02 18:55 . 2005-10-02 18:55 0 -c--a-w- c:\archivos de programa\AILog.txt

2007-10-28 16:44 . 2007-10-28 16:41 48 -csh--w- c:\windows\S46C32A27.tmp

2006-02-16 18:50 . 2006-02-16 18:47 952 -csha-w- c:\windows\system32\KGyGaAvL.sys

.

 

------- Sigcheck -------

 

 

 

[7] 2004-08-11 00:45 . A477391B7A8B0A0DAABADB17CF533A4B . 25088 . . [10.0.3790.3646] . . c:\windows\RegisteredPackages\{30C7234B-6482-4A55-A11D-ECD9030313F2}\MsPMSNSv.dll

[-] 2002-12-17 16:43 . 53D4E72452CE025F96B652B02BF9B89C . 52736 . . [9.0.1.56] . . c:\windows\RegisteredPackages\{30C7234B-6482-4A55-A11D-ECD9030313F2}$BACKUP$\System\MsPMSNSv.dll

[-] 2002-12-17 16:43 . 53D4E72452CE025F96B652B02BF9B89C . 52736 . . [9.0.1.56] . . c:\windows\system32\MsPMSNSv.dll

 

c:\windows\System32\wscntfy.exe ... is missing !!

c:\windows\System32\xmlprov.dll ... is missing !!

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"MSMSGS"="c:\archivos de programa\Messenger\msmsgs.exe" [2004-11-15 1670144]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"McAfeeUpdaterUI"="c:\archivos de programa\Network Associates\Common Framework\UpdaterUI.exe" [2004-08-06 139320]

"ShStatEXE"="c:\archivos de programa\Network Associates\VirusScan\SHSTAT.EXE" [2004-08-25 94208]

"Network Associates Error Reporting Service"="c:\archivos de programa\Archivos comunes\Network Associates\TalkBack\tbmon.exe" [2003-10-07 147514]

"SunJavaUpdateSched"="c:\archivos de programa\Java\jre6\bin\jusched.exe" [2009-12-14 149280]

 

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2002-09-09 13312]

 

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\archivos de programa\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2009-09-03 14:21 548352 ----a-w- c:\archivos de programa\SUPERAntiSpyware\SASWINLO.dll

 

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menú Inicio^Programas^Inicio^Google Updater.lnk]

path=c:\documents and settings\All Users\Menú Inicio\Programas\Inicio\Google Updater.lnk

backup=c:\windows\pss\Google Updater.lnkCommon Startup

 

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menú Inicio^Programas^Inicio^Microsoft Office.lnk]

backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

 

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menú Inicio^Programas^Inicio^uninstall.exe]

path=c:\documents and settings\All Users\Menú Inicio\Programas\Inicio\uninstall.exe

backup=c:\windows\pss\uninstall.exeCommon Startup

 

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menú Inicio^Programas^Inicio^uninstall.exe.old]

path=c:\documents and settings\All Users\Menú Inicio\Programas\Inicio\uninstall.exe.old

backup=c:\windows\pss\uninstall.exe.oldCommon Startup

 

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menú Inicio^Programas^Inicio^VIA RAID TOOL.lnk]

backup=c:\windows\pss\VIA RAID TOOL.lnkCommon Startup

 

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menú Inicio^Programas^Inicio^WinZip Quick Pick.lnk]

backup=c:\windows\pss\WinZip Quick Pick.lnkCommon Startup

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acceso directo a la página de propiedades de High Definition Audio]

2004-03-17 13:10 61952 -c----w- c:\windows\system32\Hdaudpropshortcut.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]

2009-09-04 11:08 935288 ----a-r- c:\archivos de programa\Archivos comunes\Adobe\ARM\1.0\AdobeARM.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AgenteADSL_15]

2006-08-05 11:32 28672 ----a-w- c:\archivos de programa\Telefonica\KitAIM\AimExDll.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]

2006-09-14 20:09 157592 ----a-w- c:\archivos de programa\DAEMON Tools\daemon.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InCD]

2004-09-13 09:51 1450096 ------w- c:\archivos de programa\Ahead\InCD\InCD.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]

2005-02-16 16:15 81920 ----a-w- c:\archivos de programa\Archivos comunes\InstallShield\UpdateService\issch.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]

2006-08-05 11:32 155648 -c--a-w- c:\windows\system32\NeroCheck.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

2005-08-24 11:29 98304 ----a-w- c:\archivos de programa\QuickTime\qttask.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]

2008-06-10 02:27 144784 ----a-w- c:\archivos de programa\Java\jre1.6.0_07\bin\jusched.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]

2009-10-12 20:24 2000112 ----a-w- c:\archivos de programa\SUPERAntiSpyware\SUPERAntiSpyware.exe

 

R1 NaiAvTdi1;NaiAvTdi1;c:\windows\system32\drivers\mvstdi5x.sys [31/07/2005 19:19 58016]

R1 SASDIFSV;SASDIFSV;c:\archivos de programa\SUPERAntiSpyware\sasdifsv.sys [12/10/2009 21:24 9968]

R1 SASKUTIL;SASKUTIL;c:\archivos de programa\SUPERAntiSpyware\SASKUTIL.SYS [12/10/2009 21:24 74480]

R2 RVIEGVST;VSC VST Engine;c:\archivos de programa\Roland\Virtual Sound Canvas VST\RVIEg01VST.sys [29/03/2009 22:56 188276]

R3 cmudax;C-Media High Definition Audio Interface;c:\windows\system32\drivers\cmudax.sys [08/04/2005 11:28 1258432]

S0 pcsctdwx;pcsctdwx; [x]

S2 gupdate1c98713c4b29a9c;Google Update Service (gupdate1c98713c4b29a9c);c:\archivos de programa\Google\Update\GoogleUpdate.exe [04/02/2009 22:58 133104]

S2 xwovauhs;AGP Bus w766b Helper;c:\windows\System32\svchost.exe -k netsvcs [24/08/2001 17:00 12800]

S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\System32\328.tmp --> c:\windows\System32\328.tmp [?]

S3 SASENUM;SASENUM;c:\archivos de programa\SUPERAntiSpyware\SASENUM.SYS [12/10/2009 21:24 7408]

S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [31/12/2006 17:28 639224]

.

Contents of the 'Scheduled Tasks' folder

 

2009-11-29 c:\windows\Tasks\GlaryInitialize.job

- c:\archivos de programa\Glary Utilities\initialize.exe [2009-11-29 09:21]

.

.

------- Supplementary Scan -------

.

uInternet Connection Wizard,ShellNext = iexplore

uInternet Settings,ProxyOverride = microweb

IE: E&xportar a Microsoft Excel - c:\archiv~1\MICROS~2\Office10\EXCEL.EXE/3000

TCP: {6141C6A4-C488-4BFB-89DB-EE4A062B2C88} = 80.58.61.250,80.58.61.254

DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab

DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab

FF - ProfilePath - c:\documents and settings\pc\Datos de programa\Mozilla\Firefox\Profiles\7mq150nj.default\

FF - plugin: c:\archivos de programa\Google\Google Earth\plugin\npgeplugin.dll

FF - plugin: c:\archivos de programa\Google\Update\1.2.183.13\npGoogleOneClick8.dll

.

 

**************************************************************************

 

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-01-03 19:38

Windows 5.1.2600 Service Pack 1 NTFS

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

scanning hidden files ...

 

scan completed successfully

hidden files: 0

 

**************************************************************************

 

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\MEMSWEEP2]

"ImagePath"="\??\c:\windows\System32\328.tmp"

.

--------------------- LOCKED REGISTRY KEYS ---------------------

 

[HKEY_USERS\S-1-5-21-682003330-484061587-2147183463-1003\Software\SecuROM\License information*]

"datasecu"=hex:02,68,ba,dc,54,d4,11,32,e0,e6,ce,10,8a,61,09,99,aa,09,59,0f,36,

e6,b6,d3,3e,dc,15,5f,3c,f6,c8,3a,81,1f,f2,d8,a4,d6,17,d4,07,82,f0,b4,5c,db,\

"rkeysecu"=hex:7a,87,67,9f,a0,16,fa,68,fb,1d,d8,31,b3,f6,87,bb

 

[HKEY_USERS\S-1-5-21-682003330-484061587-2147183463-1003\Software\Zepter Software\RegLib*e4257279\CloneDVD2/2]

"1"=dword:4569f51e

"2"=dword:4723939c

.

--------------------- DLLs Loaded Under Running Processes ---------------------

 

- - - - - - - > 'winlogon.exe'(920)

c:\windows\System32\ODBC32.dll

c:\archivos de programa\SUPERAntiSpyware\SASWINLO.dll

c:\windows\system32\Ati2evxx.dll

c:\windows\System32\midimap.dll

 

- - - - - - - > 'lsass.exe'(976)

c:\windows\System32\dssenh.dll

 

- - - - - - - > 'explorer.exe'(3544)

c:\windows\System32\msi.dll

c:\windows\System32\midimap.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\System32\Ati2evxx.exe

c:\archivos de programa\Ahead\InCD\InCDsrv.exe

c:\windows\system32\Ati2evxx.exe

c:\archivos de programa\Google\Update\1.2.183.13\GoogleCrashHandler.exe

c:\archivos de programa\Java\jre6\bin\jqs.exe

c:\archivos de programa\Network Associates\Common Framework\FrameworkService.exe

c:\archivos de programa\Network Associates\VirusScan\mcshield.exe

c:\archivos de programa\Network Associates\VirusScan\vstskmgr.exe

c:\archiv~1\NETWOR~1\COMMON~1\naPrdMgr.exe

c:\archivos de programa\Archivos comunes\Microsoft Shared\VS7Debug\mdm.exe

c:\windows\System32\wdfmgr.exe

.

**************************************************************************

.

Completion time: 2010-01-03 19:40:27 - machine was rebooted

ComboFix-quarantined-files.txt 2010-01-03 18:40

ComboFix2.txt 2009-12-31 19:25

 

Pre-Run: 22.757.163.008 bytes libres

Post-Run: 22.821.101.568 bytes libres

 

- - End Of File - - 20CC4BDBF973104D20B4471A0ECBBA2D


It's not disabled. Otherwise I would see it in the header.

 

ComboFix 10-01-02.05 - pc 03/01/2010 19:30:41.11.1 - x86

Microsoft Windows XP Professional 5.1.2600.1.1252.34.3082.18.1023.689 [GMT 1:00]

Running from: c:\documents and settings\pc\Escritorio\ComboFix.exe

 

You will have to remove it completely.

 

Run ComboFix in normal mode and reinstall McAfee if you plan to use the computer on the Internet.

If you can use another computer to post your logs, that will save you from possibly removing it again if we need to continue using ComboFix.

 

One other option is to remove it completely with McAfee's removal tool.

 

http://service.mcafee.com/FAQDocument.aspx?id=TS100507

 

 

Before you do, download one of these free programs.

 

It is really dangerous to go online without an antivirus. Without one, you are extremely likely to get infected and the consequences could be even worse next time. All of the following are excellent free versions of commercial antiviruses. Be sure to only install one.

avast!

AntiVir

AVG

 

Then remove McAfee and install the free program.

 

Again, make sure the free program is disabled while running ComboFix.


Delete your copy of ComboFix. Execute this.

 

 

Download ComboFix from any of the links below but rename it to queno.exe before saving it to your desktop. <- Important.

 

Link 1

Link 2

==================================

 

  • Disable your Anti-Virus and Anti-Spyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
  • Double click on the renamed ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

 

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

 

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

 

Click on Yes, to continue scanning for malware.

 

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply with a fresh HijackThis log.

 

Note: If you have difficulty properly disabling your protection programs, refer to this link --> http://www.bleepingcomputer.com/forums/topic114351.html

 

Do not mouse click ComboFix's window while it's running. That may cause it to stall.


You may have a file infector or some RootKit malware.

 

Let's run this tool.

 

We need to check for Rootkits with RootRepeal

  1. Download RootRepeal from the following location and save it to your desktop.
     Zip Mirrors (Recommended if you have a slower connection or if the Direct Download mirror is down)
     Rar Mirrors - Only if you know what a RAR is and can extract it.
  2. Extract RootRepeal.exe from the archive (If you did not use the "Direct Download" mirror).
  3. Open the RootRepeal icon on your desktop.
  4. Click the Report tab.
  5. Click the Scan button.
  6. Check all seven boxes.
  7. Push Ok.
  8. Check the box for your main system drive (Usually C:), and press Ok.
  9. Allow RootRepeal to run a scan of your system. This may take some time.
  10. Once the scan completes, push the Save Report button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.


ROOTREPEAL © AD, 2007-2009

==================================================

Scan Start Time: 2010/01/04 20:47

Program Version: Version 1.3.5.0

Windows Version: Windows XP SP1

==================================================

 

Drivers

-------------------

Name: giveio.sys

Image Path: giveio.sys

Address: 0xF7E37000 Size: 1664 File Visible: No Signed: -

Status: -

 

Name: rootrepeal.sys

Image Path: C:\WINDOWS\System32\drivers\rootrepeal.sys

Address: 0xA8E9E000 Size: 49152 File Visible: No Signed: -

Status: -

 

Name: speedfan.sys

Image Path: speedfan.sys

Address: 0xF7D74000 Size: 5248 File Visible: No Signed: -

Status: -

 

Hidden/Locked Files

-------------------

Path: c:\documents and settings\pc\configuración local\datos de programa\google\googleearth\dbcache.dat

Status: Allocation size mismatch (API: 1274806272, Raw: 1274404864)

 

SSDT

-------------------

#: 053 Function Name: NtCreateThread

Status: Hooked by "<unknown>" at address 0x867de109

 

==EOF==

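The RootRepeal report above is plain text that is easy to triage by hand, but it is worth seeing how little logic separates the noise (unsigned helper drivers, a cache file with an allocation mismatch) from the one line that matters: an SSDT entry hooked by a module RootRepeal cannot identify. The parser and ranking below are an added example for this thread, not code from RootRepeal or from the forum; the report text it runs on is a constructed sample in the same layout, and the severity labels are this example's own choice.

```python
import re

# Constructed sample in the RootRepeal report layout posted above (not the full log)
SAMPLE_REPORT = """\
Drivers
-------------------
Name: giveio.sys
Image Path: giveio.sys
Address: 0xF7E37000 Size: 1664 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: c:\\temp\\dbcache.dat
Status: Allocation size mismatch (API: 1274806272, Raw: 1274404864)

SSDT
-------------------
#: 053 Function Name: NtCreateThread
Status: Hooked by "<unknown>" at address 0x867de109
"""
# Single-token keys; RootRepeal packs several of them onto one line
MULTI = re.compile(r"(#|Function Name|Address|Size|File Visible|Signed): (\S+)")

def parse_rootrepeal(text):
    """Return {section name: [record dict, ...]}; a blank line separates records."""
    lines = text.splitlines() + [""]  # sentinel blank flushes the final record
    sections, current, record = {}, None, {}
    for i, line in enumerate(lines):
        header = i + 1 < len(lines) and lines[i + 1].startswith("---")
        if (header or not line.strip()) and record:  # header or blank line ends a record
            sections[current].append(record)
            record = {}
        if header:
            current, sections[current] = line.strip(), []
        elif line.strip() and not line.startswith("---") and current:
            key, _, value = line.partition(": ")
            if key in ("#", "Address"):
                record.update(MULTI.findall(line))
            else:  # Path and Status values may themselves contain ':'
                record[key] = value
    return sections

def triage(sections):
    """An SSDT entry hooked by an unidentified module is the strongest rootkit sign in this report."""
    found = [("high", f"SSDT {r['Function Name']} hooked by unknown module")
             for r in sections.get("SSDT", []) if '"<unknown>"' in r.get("Status", "")]
    found += [("medium", f"{r['Path']}: {r['Status']}") for r in sections.get("Hidden/Locked Files", [])]
    return found
```

Drivers that are merely "File Visible: No" (as with the SpeedFan helper drivers in the log) are parsed but not ranked, since that alone is a weak indicator; the unknown hook on NtCreateThread is what drove the helper's "file infector or RootKit" assessment.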

You must remove the McAfee program.

 

Then run the ComboFix program. If you are able to get it to run and get a log, please post it.

 

Reinstall McAfee before you reply.


I'm not sure my computer is going to be clean even if I can run ComboFix so I'm going to format my hard drive and install Windows XP SP3.

 

What important files should I back up before formatting my PC? Should I avoid any files? Is it safe?

 

Thanks for your time and your patience.


To be really safe:

 

These file types should not be backed up:

.exe/.scr/.htm/.html/.xml/.zip/.rar files

If you do and they are infected, you will infect your new installation.


The only .zip/.rar files I would like to back up are music files and documents (.pdf/.doc).

Edited by queno


Place them on a CD and scan the files for viruses.


Glad we could help. :)

 

If you need this topic reopened, please tell the moderating team by replying here with the address of the thread. This applies only to the original topic starter. Everyone else please begin a New Topic.
