CPU usage too high


  • This topic is locked
76 replies to this topic

#51 queno

    Member

  • Full Member
  • 39 posts

Posted 28 December 2009 - 02:25 PM

:yahoo:

ComboFix 09-12-22.09 - pc 28/12/2009 20:08:22.7.1 - x86 MINIMAL
Microsoft Windows XP Professional 5.1.2600.1.1252.34.3082.18.1023.729 [GMT 1:00]
Running from: c:\documents and settings\pc\Escritorio\ComboFix.exe
.
/wow section - STAGE 4


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\qmgr.dll . . . is infected!!

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_SERVICE


((((((((((((((((((((((((( Files Created from 2009-11-28 to 2009-12-28 )))))))))))))))))))))))))))))))
.

2009-12-26 02:36 . 2009-12-26 02:36 -------- d-----w- c:\archivos de programa\EarMaster Pro 5
2009-12-26 02:36 . 2009-12-26 02:36 -------- d-----w- c:\documents and settings\pc\Datos de programa\EarMaster
2009-12-23 22:39 . 2009-12-23 22:53 -------- d-----w- c:\documents and settings\pc\Datos de programa\GNU Solfege
2009-12-23 22:37 . 2009-12-23 22:37 -------- d-----w- c:\archivos de programa\GNU Solfege
2009-12-22 22:45 . 2009-12-22 22:45 -------- d-----w- c:\windows\Logs
2009-12-22 22:45 . 2009-12-22 22:45 -------- d-----w- c:\archivos de programa\Telltale Games
2009-12-19 20:20 . 2009-12-19 20:20 -------- d--h--r- c:\documents and settings\LocalService\Reciente
2009-12-14 22:29 . 2009-12-14 22:30 -------- d-----w- C:\rsit
2009-12-14 00:20 . 2009-12-14 00:19 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-12-12 19:38 . 2009-12-12 19:38 -------- d-----w- c:\windows\ERUNT
2009-12-07 03:02 . 2009-12-07 03:03 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-12-04 11:18 . 2009-12-04 11:18 -------- d-----w- c:\documents and settings\All Users\Datos de programa\Kaspersky Lab Setup Files
2009-12-04 10:09 . 2009-12-04 10:09 -------- d-----w- c:\documents and settings\Administrador\Datos de programa\Malwarebytes
2009-11-29 08:12 . 2009-11-29 08:12 -------- d-----w- c:\windows\system32\wbem\Repository
2009-11-29 08:12 . 2009-11-29 08:12 -------- d-----w- c:\documents and settings\All Users\Datos de programa\Agnitum
2009-11-29 08:12 . 2009-11-29 08:12 -------- d-----w- c:\archivos de programa\Agnitum
2009-11-29 02:23 . 2009-11-29 02:31 -------- d-----w- c:\documents and settings\pc\Datos de programa\GlarySoft
2009-11-29 02:17 . 2009-11-29 02:17 -------- d-----w- c:\archivos de programa\Glary Utilities
2009-11-28 20:46 . 2005-01-06 09:09 206 ----a-w- c:\windows\myClean.bat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-28 19:08 . 2001-08-24 16:00 68826 ----a-w- c:\windows\system32\perfc00A.dat
2009-12-28 19:08 . 2001-08-24 16:00 440050 ----a-w- c:\windows\system32\perfh00A.dat
2009-12-23 21:17 . 2007-10-15 11:21 -------- d-----w- c:\archivos de programa\SUPERAntiSpyware
2009-12-22 06:02 . 2006-01-19 20:39 -------- d-----w- c:\archivos de programa\Google
2009-12-21 19:21 . 2007-01-27 14:18 -------- d-----w- c:\archivos de programa\Spybot - Search & Destroy
2009-12-21 19:20 . 2007-01-27 14:18 -------- d-----w- c:\documents and settings\All Users\Datos de programa\Spybot - Search & Destroy
2009-12-14 05:00 . 2009-10-28 02:15 117760 ----a-w- c:\documents and settings\pc\Datos de programa\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-12-14 00:19 . 2007-10-23 13:34 -------- d-----w- c:\archivos de programa\Java
2009-12-06 00:50 . 2009-11-28 09:58 -------- d-----w- c:\archivos de programa\SpeedFan
2009-12-06 00:28 . 2008-04-30 22:10 -------- d-----w- c:\archivos de programa\Malwarebytes' Anti-Malware
2009-12-06 00:28 . 2008-05-18 12:54 4844296 ----a-w- c:\documents and settings\All Users\Datos de programa\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-12-05 23:57 . 2007-10-12 23:58 -------- d-----w- c:\archivos de programa\Unlocker
2009-12-05 23:57 . 2005-05-20 17:00 -------- d-----w- c:\archivos de programa\Atari
2009-12-05 23:57 . 2005-04-08 10:27 -------- d--h--w- c:\archivos de programa\InstallShield Installation Information
2009-12-05 23:56 . 2005-05-20 17:16 -------- d-----w- c:\documents and settings\pc\Datos de programa\Atari
2009-12-05 20:34 . 2006-03-04 15:51 -------- d-----w- c:\documents and settings\pc\Datos de programa\ppstream
2009-12-03 15:14 . 2008-11-02 11:57 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-03 15:13 . 2008-05-18 12:54 18520 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-29 02:23 . 2005-11-01 14:44 -------- d-----w- c:\archivos de programa\RapidLeecher
2009-11-29 02:21 . 2005-05-11 11:58 -------- d-----w- c:\archivos de programa\BitComet
2009-11-28 19:10 . 2005-12-25 14:21 -------- d-----w- c:\archivos de programa\DDD Pool
2009-11-23 22:32 . 2005-04-08 18:12 -------- d-----w- c:\archivos de programa\Archivos comunes\Adobe
2009-11-23 01:13 . 2008-05-12 13:47 -------- d-----w- c:\documents and settings\pc\Datos de programa\FFSJ
2009-10-28 02:14 . 2009-10-28 02:14 65024 ----a-r- c:\documents and settings\pc\Datos de programa\Microsoft\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF15.exe
2009-10-28 02:14 . 2009-10-28 02:14 5120 ----a-r- c:\documents and settings\pc\Datos de programa\Microsoft\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF16.exe
2009-10-28 02:14 . 2009-10-28 02:14 18944 ----a-r- c:\documents and settings\pc\Datos de programa\Microsoft\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF13.exe
2005-10-02 18:55 . 2005-10-02 18:55 0 -c--a-w- c:\archivos de programa\AILog.txt
2007-10-28 16:44 . 2007-10-28 16:41 48 -csh--w- c:\windows\S46C32A27.tmp
2006-02-16 18:50 . 2006-02-16 18:47 952 -csha-w- c:\windows\system32\KGyGaAvL.sys
.

------- Sigcheck -------



[7] 2004-08-11 00:45 . A477391B7A8B0A0DAABADB17CF533A4B . 25088 . . [10.0.3790.3646] . . c:\windows\RegisteredPackages\{30C7234B-6482-4A55-A11D-ECD9030313F2}\MsPMSNSv.dll
[-] 2002-12-17 16:43 . 53D4E72452CE025F96B652B02BF9B89C . 52736 . . [9.0.1.56] . . c:\windows\RegisteredPackages\{30C7234B-6482-4A55-A11D-ECD9030313F2}$BACKUP$\System\MsPMSNSv.dll
[-] 2002-12-17 16:43 . 53D4E72452CE025F96B652B02BF9B89C . 52736 . . [9.0.1.56] . . c:\windows\system32\MsPMSNSv.dll

c:\windows\System32\wscntfy.exe ... is missing !!
c:\windows\System32\xmlprov.dll ... is missing !!
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\archivos de programa\Messenger\msmsgs.exe" [2004-11-15 1670144]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"McAfeeUpdaterUI"="c:\archivos de programa\Network Associates\Common Framework\UpdaterUI.exe" [2004-08-06 139320]
"ShStatEXE"="c:\archivos de programa\Network Associates\VirusScan\SHSTAT.EXE" [2004-08-25 94208]
"Network Associates Error Reporting Service"="c:\archivos de programa\Archivos comunes\Network Associates\TalkBack\tbmon.exe" [2003-10-07 147514]
"SunJavaUpdateSched"="c:\archivos de programa\Java\jre6\bin\jusched.exe" [2009-12-14 149280]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2002-09-09 13312]

c:\documents and settings\All Users\Menú Inicio\Programas\Inicio\
uninstall.exe [2009-12-28 421888]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\archivos de programa\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 14:21 548352 ----a-w- c:\archivos de programa\SUPERAntiSpyware\SASWINLO.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menú Inicio^Programas^Inicio^Google Updater.lnk]
path=c:\documents and settings\All Users\Menú Inicio\Programas\Inicio\Google Updater.lnk
backup=c:\windows\pss\Google Updater.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menú Inicio^Programas^Inicio^Microsoft Office.lnk]
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menú Inicio^Programas^Inicio^uninstall.exe]
path=c:\documents and settings\All Users\Menú Inicio\Programas\Inicio\uninstall.exe
backup=c:\windows\pss\uninstall.exeCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menú Inicio^Programas^Inicio^uninstall.exe.old]
path=c:\documents and settings\All Users\Menú Inicio\Programas\Inicio\uninstall.exe.old
backup=c:\windows\pss\uninstall.exe.oldCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menú Inicio^Programas^Inicio^VIA RAID TOOL.lnk]
backup=c:\windows\pss\VIA RAID TOOL.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menú Inicio^Programas^Inicio^WinZip Quick Pick.lnk]
backup=c:\windows\pss\WinZip Quick Pick.lnkCommon Startup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SmartRAM

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acceso directo a la página de propiedades de High Definition Audio]
2004-03-17 13:10 61952 -c----w- c:\windows\system32\Hdaudpropshortcut.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2009-09-04 11:08 935288 ----a-r- c:\archivos de programa\Archivos comunes\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AgenteADSL_15]
2006-08-05 11:32 28672 ----a-w- c:\archivos de programa\Telefonica\KitAIM\AimExDll.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
2006-09-14 20:09 157592 ----a-w- c:\archivos de programa\DAEMON Tools\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InCD]
2004-09-13 09:51 1450096 ------w- c:\archivos de programa\Ahead\InCD\InCD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
2005-02-16 16:15 81920 ----a-w- c:\archivos de programa\Archivos comunes\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2006-08-05 11:32 155648 -c--a-w- c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2005-08-24 11:29 98304 ----a-w- c:\archivos de programa\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2008-06-10 02:27 144784 ----a-w- c:\archivos de programa\Java\jre1.6.0_07\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
2009-10-12 20:24 2000112 ----a-w- c:\archivos de programa\SUPERAntiSpyware\SUPERAntiSpyware.exe

R1 NaiAvTdi1;NaiAvTdi1;c:\windows\system32\drivers\mvstdi5x.sys [31/07/2005 19:19 58016]
R1 SASDIFSV;SASDIFSV;c:\archivos de programa\SUPERAntiSpyware\sasdifsv.sys [12/10/2009 21:24 9968]
R1 SASKUTIL;SASKUTIL;c:\archivos de programa\SUPERAntiSpyware\SASKUTIL.SYS [12/10/2009 21:24 74480]
R2 RVIEGVST;VSC VST Engine;c:\archivos de programa\Roland\Virtual Sound Canvas VST\RVIEg01VST.sys [29/03/2009 22:56 188276]
R3 cmudax;C-Media High Definition Audio Interface;c:\windows\system32\drivers\cmudax.sys [08/04/2005 11:28 1258432]
S0 pcsctdwx;pcsctdwx;c:\windows\System32\drivers\bkenhzrq.dat --> c:\windows\System32\drivers\bkenhzrq.dat [?]
S2 gupdate1c98713c4b29a9c;Google Update Service (gupdate1c98713c4b29a9c);c:\archivos de programa\Google\Update\GoogleUpdate.exe [04/02/2009 22:58 133104]
S2 xwovauhs;AGP Bus w766b Helper;c:\windows\System32\svchost.exe -k netsvcs [24/08/2001 17:00 12800]
S3 {BEE686B9-4C84-4487-9D72-9F40F051E973};{BEE686B9-4C84-4487-9D72-9F40F051E973};c:\windows\System32\svchost.exe -k netsvcs [24/08/2001 17:00 12800]
S3 SASENUM;SASENUM;c:\archivos de programa\SUPERAntiSpyware\SASENUM.SYS [12/10/2009 21:24 7408]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [31/12/2006 17:28 639224]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
xwovauhs

{BEE686B9-4C84-4487-9D72-9F40F051E973}
.
------- Supplementary Scan -------
.
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = microweb
IE: E&xportar a Microsoft Excel - c:\archiv~1\MICROS~2\Office10\EXCEL.EXE/3000
TCP: {6141C6A4-C488-4BFB-89DB-EE4A062B2C88} = 80.58.61.250,80.58.61.254
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\pc\Datos de programa\Mozilla\Firefox\Profiles\7mq150nj.default\
FF - plugin: c:\archivos de programa\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\archivos de programa\Google\Update\1.2.183.13\npGoogleOneClick8.dll
.
- - - - ORPHANS REMOVED - - - -

Toolbar-ID - (no file)
ShellIconOverlayIdentifiers-{83CBAEF3-AE6D-4F61-8EA9-EEC110A9440D} - (no file)
SafeBoot-AVG Anti-Spyware Driver
SafeBoot-AVG Anti-Spyware Guard
MSConfigStartUp-AdobeUpdater - c:\archivos de programa\Archivos comunes\Adobe\Updater5\AdobeUpdater.exe
MSConfigStartUp-Cmaudio - cmicnfg.cpl
ActiveSetup-{035C8BE1-1A47-D921-0606-030204040601} - c:\windows\System32\vspool.exe
AddRemove-MicrosoftCinemania97 - E:\cinmania.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-28 20:19
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x86A645A0]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf78edaac
\Driver\ACPI -> 0x86a645a0
\Driver\atapi -> atapi.sys @ 0xf77d803c
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x80567e94
ParseProcedure -> ntoskrnl.exe @ 0x80566f60
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x80567e94
ParseProcedure -> 0x86a6b060
NDIS: Broadcom NetLink ™ Gigabit Ethernet -> SendCompleteHandler -> NDIS.sys @ 0xf76e2d84
PacketIndicateHandler -> NDIS.sys @ 0xf76ef480
SendHandler -> NDIS.sys @ 0xf76d0933
Warning: possible MBR rootkit infection !
copy of MBR has been found in sector 0x017BD1417
malicious code @ sector 0x017BD141A !
PE file found in sector at 0x017BD1430 !
MBR rootkit infection detected ! Use: "mbr.exe -f" to fix.

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\pcsctdwx]
"ImagePath"="system32\drivers\bkenhzrq.dat"

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\{BEE686B9-4C84-4487-9D72-9F40F051E973}]
"ServiceDll"="c:\docume~1\pc\CONFIG~1\Temp\24.tmp"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-682003330-484061587-2147183463-1003\Software\SecuROM\License information*]
"datasecu"=hex:02,68,ba,dc,54,d4,11,32,e0,e6,ce,10,8a,61,09,99,aa,09,59,0f,36,
e6,b6,d3,3e,dc,15,5f,3c,f6,c8,3a,81,1f,f2,d8,a4,d6,17,d4,07,82,f0,b4,5c,db,\
"rkeysecu"=hex:7a,87,67,9f,a0,16,fa,68,fb,1d,d8,31,b3,f6,87,bb

[HKEY_USERS\S-1-5-21-682003330-484061587-2147183463-1003\Software\Zepter Software\RegLib*e4257279\CloneDVD2/2]
"1"=dword:4569f51e
"2"=dword:4723939c
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(976)
c:\windows\System32\ODBC32.dll
c:\archivos de programa\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\Ati2evxx.dll
c:\windows\System32\midimap.dll

- - - - - - - > 'lsass.exe'(1032)
c:\windows\system32\MSVCRT40.dll
c:\windows\system32\MSVCIRT.dll
c:\windows\System32\dssenh.dll
c:\windows\System32\EntApi.dll

- - - - - - - > 'explorer.exe'(2508)
c:\windows\System32\EntApi.dll
c:\windows\System32\msi.dll
c:\windows\System32\midimap.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\Ati2evxx.exe
c:\archivos de programa\Ahead\InCD\InCDsrv.exe
c:\windows\system32\Ati2evxx.exe
c:\archivos de programa\Google\Update\1.2.183.13\GoogleCrashHandler.exe
c:\archivos de programa\Java\jre6\bin\jqs.exe
c:\archivos de programa\Network Associates\Common Framework\FrameworkService.exe
c:\archivos de programa\Network Associates\VirusScan\mcshield.exe
c:\archivos de programa\Network Associates\VirusScan\vstskmgr.exe
c:\archiv~1\NETWOR~1\COMMON~1\naPrdMgr.exe
c:\archivos de programa\Archivos comunes\Microsoft Shared\VS7Debug\mdm.exe
c:\windows\System32\wdfmgr.exe
.
**************************************************************************
.
Completion time: 2009-12-28 20:22:16 - machine was rebooted
ComboFix-quarantined-files.txt 2009-12-28 19:22

Pre-Run: 24.198.713.344 bytes libres
Post-Run: 24.061.067.264 bytes libres

Current=5 Default=5 Failed=4 LastKnownGood=6 Sets=1,2,3,4,5,6
- - End Of File - - C930962E01BFB1DA40667E22A6B3702D

#52 nasdaq

    Forum Deity

  • Global Moderator
  • 49,093 posts

Posted 29 December 2009 - 09:44 AM

Open notepad and copy/paste the text in the quote box below into it:

Registry::
[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\pcsctdwx]
"ImagePath"=-

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\{BEE686B9-4C84-4487-9D72-9F40F051E973}]
"ServiceDll"=-

NetSvc::
xwovauhs


Save this as CFScript on your desktop.

Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log.
p.s. execute this ComboFix script in Safe Mode if not possible in Normal mode.

Restart the computer normally.
===

Please download this file, place it on your desktop.
http://www2.gmer.net/mbr/mbr.exe

Open the Start > run box
type cmd hit the ok button.

At the DOS prompt type mbr.exe -f (make sure you have a space between the e and the -f).

hit the enter key.

Type exit at the prompt and hit the enter key.

Restart the computer normally.
===

Run the mbr.exe again.
Let me see the results.

====

Some files are damaged or missing. Let's see if you have backup copies on your computer.
If not found please let me know if you have a copy of the XP operating system or access to one.

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy and paste the content of the following bold text into the main textfield:


    :filefind
    qmgr.dll

  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt

Repeat the search for these files.


:filefind
wscntfy.exe



:filefind
xmlprov.dll



Post the ComboFix log, the MBR results and what has been found by SystemLook.
nasdaq


#53 queno

    Member

  • Full Member
  • 39 posts

Posted 29 December 2009 - 02:36 PM

ComboFix log:

ComboFix 09-12-22.09 - pc 29/12/2009 20:00:27.8.1 - x86 MINIMAL
Microsoft Windows XP Professional 5.1.2600.1.1252.34.3082.18.1023.821 [GMT 1:00]
Running from: c:\documents and settings\pc\Escritorio\ComboFix.exe
Command switches used :: c:\documents and settings\pc\Escritorio\CFScript.txt
.
/wow section - STAGE 4


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

Infected copy of c:\windows\system32\qmgr.dll was found and disinfected
Restored copy from - c:\windows\erdnt\cache\qmgr.dll

.
((((((((((((((((((((((((( Files Created from 2009-11-28 to 2009-12-29 )))))))))))))))))))))))))))))))
.

2009-12-26 02:36 . 2009-12-26 02:36 -------- d-----w- c:\archivos de programa\EarMaster Pro 5
2009-12-26 02:36 . 2009-12-26 02:36 -------- d-----w- c:\documents and settings\pc\Datos de programa\EarMaster
2009-12-23 22:39 . 2009-12-23 22:53 -------- d-----w- c:\documents and settings\pc\Datos de programa\GNU Solfege
2009-12-23 22:37 . 2009-12-23 22:37 -------- d-----w- c:\archivos de programa\GNU Solfege
2009-12-22 22:45 . 2009-12-22 22:45 -------- d-----w- c:\windows\Logs
2009-12-22 22:45 . 2009-12-22 22:45 -------- d-----w- c:\archivos de programa\Telltale Games
2009-12-19 20:20 . 2009-12-19 20:20 -------- d--h--r- c:\documents and settings\LocalService\Reciente
2009-12-14 22:29 . 2009-12-14 22:30 -------- d-----w- C:\rsit
2009-12-14 00:20 . 2009-12-14 00:19 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-12-12 19:38 . 2009-12-12 19:38 -------- d-----w- c:\windows\ERUNT
2009-12-07 03:02 . 2009-12-07 03:03 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-12-04 11:18 . 2009-12-04 11:18 -------- d-----w- c:\documents and settings\All Users\Datos de programa\Kaspersky Lab Setup Files
2009-12-04 10:09 . 2009-12-04 10:09 -------- d-----w- c:\documents and settings\Administrador\Datos de programa\Malwarebytes

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-29 19:12 . 2001-08-24 16:00 68826 ----a-w- c:\windows\system32\perfc00A.dat
2009-12-29 19:12 . 2001-08-24 16:00 440050 ----a-w- c:\windows\system32\perfh00A.dat
2009-12-23 21:17 . 2007-10-15 11:21 -------- d-----w- c:\archivos de programa\SUPERAntiSpyware
2009-12-22 06:02 . 2006-01-19 20:39 -------- d-----w- c:\archivos de programa\Google
2009-12-21 19:21 . 2007-01-27 14:18 -------- d-----w- c:\archivos de programa\Spybot - Search & Destroy
2009-12-21 19:20 . 2007-01-27 14:18 -------- d-----w- c:\documents and settings\All Users\Datos de programa\Spybot - Search & Destroy
2009-12-14 05:00 . 2009-10-28 02:15 117760 ----a-w- c:\documents and settings\pc\Datos de programa\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-12-14 00:19 . 2007-10-23 13:34 -------- d-----w- c:\archivos de programa\Java
2009-12-06 00:50 . 2009-11-28 09:58 -------- d-----w- c:\archivos de programa\SpeedFan
2009-12-06 00:28 . 2008-04-30 22:10 -------- d-----w- c:\archivos de programa\Malwarebytes' Anti-Malware
2009-12-06 00:28 . 2008-05-18 12:54 4844296 ----a-w- c:\documents and settings\All Users\Datos de programa\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-12-05 23:57 . 2007-10-12 23:58 -------- d-----w- c:\archivos de programa\Unlocker
2009-12-05 23:57 . 2005-05-20 17:00 -------- d-----w- c:\archivos de programa\Atari
2009-12-05 23:57 . 2005-04-08 10:27 -------- d--h--w- c:\archivos de programa\InstallShield Installation Information
2009-12-05 23:56 . 2005-05-20 17:16 -------- d-----w- c:\documents and settings\pc\Datos de programa\Atari
2009-12-05 20:34 . 2006-03-04 15:51 -------- d-----w- c:\documents and settings\pc\Datos de programa\ppstream
2009-12-03 15:14 . 2008-11-02 11:57 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-03 15:13 . 2008-05-18 12:54 18520 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-29 08:12 . 2009-11-29 08:12 -------- d-----w- c:\documents and settings\All Users\Datos de programa\Agnitum
2009-11-29 08:12 . 2009-11-29 08:12 -------- d-----w- c:\archivos de programa\Agnitum
2009-11-29 02:31 . 2009-11-29 02:23 -------- d-----w- c:\documents and settings\pc\Datos de programa\GlarySoft
2009-11-29 02:23 . 2005-11-01 14:44 -------- d-----w- c:\archivos de programa\RapidLeecher
2009-11-29 02:21 . 2005-05-11 11:58 -------- d-----w- c:\archivos de programa\BitComet
2009-11-29 02:17 . 2009-11-29 02:17 -------- d-----w- c:\archivos de programa\Glary Utilities
2009-11-28 19:10 . 2005-12-25 14:21 -------- d-----w- c:\archivos de programa\DDD Pool
2009-11-23 22:32 . 2005-04-08 18:12 -------- d-----w- c:\archivos de programa\Archivos comunes\Adobe
2009-11-23 01:13 . 2008-05-12 13:47 -------- d-----w- c:\documents and settings\pc\Datos de programa\FFSJ
2009-10-28 02:14 . 2009-10-28 02:14 65024 ----a-r- c:\documents and settings\pc\Datos de programa\Microsoft\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF15.exe
2009-10-28 02:14 . 2009-10-28 02:14 5120 ----a-r- c:\documents and settings\pc\Datos de programa\Microsoft\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF16.exe
2009-10-28 02:14 . 2009-10-28 02:14 18944 ----a-r- c:\documents and settings\pc\Datos de programa\Microsoft\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF13.exe
2005-10-02 18:55 . 2005-10-02 18:55 0 -c--a-w- c:\archivos de programa\AILog.txt
2007-10-28 16:44 . 2007-10-28 16:41 48 -csh--w- c:\windows\S46C32A27.tmp
2006-02-16 18:50 . 2006-02-16 18:47 952 -csha-w- c:\windows\system32\KGyGaAvL.sys
.

------- Sigcheck -------



[7] 2004-08-11 00:45 . A477391B7A8B0A0DAABADB17CF533A4B . 25088 . . [10.0.3790.3646] . . c:\windows\RegisteredPackages\{30C7234B-6482-4A55-A11D-ECD9030313F2}\MsPMSNSv.dll
[-] 2002-12-17 16:43 . 53D4E72452CE025F96B652B02BF9B89C . 52736 . . [9.0.1.56] . . c:\windows\RegisteredPackages\{30C7234B-6482-4A55-A11D-ECD9030313F2}$BACKUP$\System\MsPMSNSv.dll
[-] 2002-12-17 16:43 . 53D4E72452CE025F96B652B02BF9B89C . 52736 . . [9.0.1.56] . . c:\windows\system32\MsPMSNSv.dll

c:\windows\System32\wscntfy.exe ... is missing !!
c:\windows\System32\xmlprov.dll ... is missing !!
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\archivos de programa\Messenger\msmsgs.exe" [2004-11-15 1670144]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"McAfeeUpdaterUI"="c:\archivos de programa\Network Associates\Common Framework\UpdaterUI.exe" [2004-08-06 139320]
"ShStatEXE"="c:\archivos de programa\Network Associates\VirusScan\SHSTAT.EXE" [2004-08-25 94208]
"Network Associates Error Reporting Service"="c:\archivos de programa\Archivos comunes\Network Associates\TalkBack\tbmon.exe" [2003-10-07 147514]
"SunJavaUpdateSched"="c:\archivos de programa\Java\jre6\bin\jusched.exe" [2009-12-14 149280]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2002-09-09 13312]

c:\documents and settings\All Users\Menú Inicio\Programas\Inicio\
uninstall.exe [2009-12-29 421888]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\archivos de programa\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 14:21 548352 ----a-w- c:\archivos de programa\SUPERAntiSpyware\SASWINLO.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menú Inicio^Programas^Inicio^Google Updater.lnk]
path=c:\documents and settings\All Users\Menú Inicio\Programas\Inicio\Google Updater.lnk
backup=c:\windows\pss\Google Updater.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menú Inicio^Programas^Inicio^Microsoft Office.lnk]
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menú Inicio^Programas^Inicio^uninstall.exe]
path=c:\documents and settings\All Users\Menú Inicio\Programas\Inicio\uninstall.exe
backup=c:\windows\pss\uninstall.exeCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menú Inicio^Programas^Inicio^uninstall.exe.old]
path=c:\documents and settings\All Users\Menú Inicio\Programas\Inicio\uninstall.exe.old
backup=c:\windows\pss\uninstall.exe.oldCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menú Inicio^Programas^Inicio^VIA RAID TOOL.lnk]
backup=c:\windows\pss\VIA RAID TOOL.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menú Inicio^Programas^Inicio^WinZip Quick Pick.lnk]
backup=c:\windows\pss\WinZip Quick Pick.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acceso directo a la página de propiedades de High Definition Audio]
2004-03-17 13:10 61952 -c----w- c:\windows\system32\Hdaudpropshortcut.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2009-09-04 11:08 935288 ----a-r- c:\archivos de programa\Archivos comunes\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AgenteADSL_15]
2006-08-05 11:32 28672 ----a-w- c:\archivos de programa\Telefonica\KitAIM\AimExDll.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
2006-09-14 20:09 157592 ----a-w- c:\archivos de programa\DAEMON Tools\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InCD]
2004-09-13 09:51 1450096 ------w- c:\archivos de programa\Ahead\InCD\InCD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
2005-02-16 16:15 81920 ----a-w- c:\archivos de programa\Archivos comunes\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2006-08-05 11:32 155648 -c--a-w- c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2005-08-24 11:29 98304 ----a-w- c:\archivos de programa\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2008-06-10 02:27 144784 ----a-w- c:\archivos de programa\Java\jre1.6.0_07\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
2009-10-12 20:24 2000112 ----a-w- c:\archivos de programa\SUPERAntiSpyware\SUPERAntiSpyware.exe

R1 NaiAvTdi1;NaiAvTdi1;c:\windows\system32\drivers\mvstdi5x.sys [31/07/2005 19:19 58016]
R1 SASDIFSV;SASDIFSV;c:\archivos de programa\SUPERAntiSpyware\sasdifsv.sys [12/10/2009 21:24 9968]
R1 SASKUTIL;SASKUTIL;c:\archivos de programa\SUPERAntiSpyware\SASKUTIL.SYS [12/10/2009 21:24 74480]
R2 RVIEGVST;VSC VST Engine;c:\archivos de programa\Roland\Virtual Sound Canvas VST\RVIEg01VST.sys [29/03/2009 22:56 188276]
R3 cmudax;C-Media High Definition Audio Interface;c:\windows\system32\drivers\cmudax.sys [08/04/2005 11:28 1258432]
S0 pcsctdwx;pcsctdwx; [x]
S2 gupdate1c98713c4b29a9c;Google Update Service (gupdate1c98713c4b29a9c);c:\archivos de programa\Google\Update\GoogleUpdate.exe [04/02/2009 22:58 133104]
S2 xwovauhs;AGP Bus w766b Helper;c:\windows\System32\svchost.exe -k netsvcs [24/08/2001 17:00 12800]
S3 {BEE686B9-4C84-4487-9D72-9F40F051E973};{BEE686B9-4C84-4487-9D72-9F40F051E973};c:\windows\System32\svchost.exe -k netsvcs [24/08/2001 17:00 12800]
S3 SASENUM;SASENUM;c:\archivos de programa\SUPERAntiSpyware\SASENUM.SYS [12/10/2009 21:24 7408]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [31/12/2006 17:28 639224]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs

{BEE686B9-4C84-4487-9D72-9F40F051E973}
.
------- Supplementary Scan -------
.
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = microweb
IE: E&xportar a Microsoft Excel - c:\archiv~1\MICROS~2\Office10\EXCEL.EXE/3000
TCP: {6141C6A4-C488-4BFB-89DB-EE4A062B2C88} = 80.58.61.250,80.58.61.254
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\pc\Datos de programa\Mozilla\Firefox\Profiles\7mq150nj.default\
FF - plugin: c:\archivos de programa\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\archivos de programa\Google\Update\1.2.183.13\npGoogleOneClick8.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-29 20:09
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\{BEE686B9-4C84-4487-9D72-9F40F051E973}]
"ServiceDll"="c:\docume~1\pc\CONFIG~1\Temp\24.tmp"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-682003330-484061587-2147183463-1003\Software\SecuROM\License information*]
"datasecu"=hex:02,68,ba,dc,54,d4,11,32,e0,e6,ce,10,8a,61,09,99,aa,09,59,0f,36,
e6,b6,d3,3e,dc,15,5f,3c,f6,c8,3a,81,1f,f2,d8,a4,d6,17,d4,07,82,f0,b4,5c,db,\
"rkeysecu"=hex:7a,87,67,9f,a0,16,fa,68,fb,1d,d8,31,b3,f6,87,bb

[HKEY_USERS\S-1-5-21-682003330-484061587-2147183463-1003\Software\Zepter Software\RegLib*e4257279\CloneDVD2/2]
"1"=dword:4569f51e
"2"=dword:4723939c
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(924)
c:\windows\System32\ODBC32.dll
c:\archivos de programa\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\Ati2evxx.dll
c:\windows\System32\midimap.dll

- - - - - - - > 'lsass.exe'(980)
c:\windows\System32\dssenh.dll
c:\windows\System32\EntApi.dll

- - - - - - - > 'explorer.exe'(2416)
c:\windows\System32\EntApi.dll
c:\windows\System32\msi.dll
c:\windows\System32\midimap.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\Ati2evxx.exe
c:\archivos de programa\Ahead\InCD\InCDsrv.exe
c:\archivos de programa\Google\Update\1.2.183.13\GoogleCrashHandler.exe
c:\archivos de programa\Java\jre6\bin\jqs.exe
c:\archivos de programa\Network Associates\Common Framework\FrameworkService.exe
c:\archivos de programa\Network Associates\VirusScan\mcshield.exe
c:\archivos de programa\Network Associates\VirusScan\vstskmgr.exe
c:\archiv~1\NETWOR~1\COMMON~1\naPrdMgr.exe
c:\archivos de programa\Archivos comunes\Microsoft Shared\VS7Debug\mdm.exe
c:\windows\System32\wdfmgr.exe
c:\windows\system32\Ati2evxx.exe
c:\docume~1\pc\CONFIG~1\Temp\4.tmp
.
**************************************************************************
.
Completion time: 2009-12-29 20:13:50 - machine was rebooted
ComboFix-quarantined-files.txt 2009-12-29 19:13

Pre-Run: 24.833.011.712 bytes libres
Post-Run: 24.690.454.528 bytes libres

Current=5 Default=5 Failed=4 LastKnownGood=6 Sets=1,2,3,4,5,6
- - End Of File - - 2FB220237FAB013F509795989306E2EF


MBR log:

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\ACPI -> 0x86a645a0
\Device\Harddisk0\DR0 -> ParseProcedure -> 0x86a6b060
NDIS: Broadcom NetLink ™ Gigabit Ethernet -> SendCompleteHandler -> 0x86acb3a0
Warning: possible MBR rootkit infection !
copy of MBR has been found in sector 0x017BD1417
malicious code @ sector 0x017BD141A !
PE file found in sector at 0x017BD1430 !
MBR rootkit infection detected ! Use: "mbr.exe -f" to fix.

SystemLook logs:

SystemLook v1.0 by jpshortstuff (29.08.09)
Log created at 20:34 on 29/12/2009 by pc (Administrator - Elevation successful)

========== filefind ==========

Searching for "qmgr.dll"
C:\WINDOWS\erdnt\cache\qmgr.dll --a--- 222720 bytes [19:20 28/12/2009] [17:51 09/09/2002] 08CE366B9C953931A4C88F4C8402056C
C:\WINDOWS\system32\qmgr.dll ------ 222720 bytes [09:53 08/04/2005] [17:51 09/09/2002] 08CE366B9C953931A4C88F4C8402056C

-=End Of File=-

SystemLook v1.0 by jpshortstuff (29.08.09)
Log created at 20:35 on 29/12/2009 by pc (Administrator - Elevation successful)

========== filefind ==========

Searching for "wscntfy.exe"
No files found.

-=End Of File=-


SystemLook v1.0 by jpshortstuff (29.08.09)
Log created at 20:36 on 29/12/2009 by pc (Administrator - Elevation successful)

========== filefind ==========

Searching for "xmlprov.dll"
No files found.

-=End Of File=-

#54 nasdaq

nasdaq

    Forum Deity

  • Global Moderator
  • 49,093 posts

Posted 30 December 2009 - 09:25 AM


Click Start.
Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab.
Under the Hidden files and folders heading select Show hidden files and folders.
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.
Click OK.

Find out if this file in bold is present.
Delete it if found.
c:\docume~1\pc\CONFIG~1\Temp\24.tmp
===

Open notepad and copy/paste the text in the quote box below into it:

FixCSet::


Save this as CFScript on your desktop.

Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log.
===

Repeat these instructions again. You should have the mbr.exe tool, no need to download it again.

Please download this file, place it on your desktop.
http://www2.gmer.net/mbr/mbr.exe

Open the Start > run box
type cmd hit the ok button.

At the DOS prompt type mbr.exe -f (make sure you have a space before the e and the -f).

hit the enter key.

Type exit at the prompt and hit the enter key.

Restart the computer normally.
===

Run the mbr.exe again.
Let me see the results.
===

You are missing these files.
wscntfy.exe
xmlprov.dll

Do you have the XP installation disk?
===

Please submit the logs requested and tell me what problem persists.
nasdaq

Favorite tools: [ SpywareBlaster ] [ Spybot ] [ AdAware ] [ HijackThis ]
[ Housecall online virus scan ] [ Bitdefender online virus scan ]
[ AVG antivirus ] [ Sunbelt Personal Firewall ] [ ZoneAlarm firewall ]

My help is free, but if we have helped you in any way, please consider Donating,
see this topic for details.
We need members like you.

========
Shouldn't water be worth more than diamonds?
Adam Smith Glasgow, 1760

#55 queno

queno

    Member

  • Full Member
  • 39 posts

Posted 30 December 2009 - 02:38 PM

ComboFix log:


ComboFix 09-12-29.06 - pc 30/12/2009 20:15:29.9.1 - x86 MINIMAL
Microsoft Windows XP Professional 5.1.2600.1.1252.34.3082.18.1023.822 [GMT 1:00]
Running from: c:\documents and settings\pc\Escritorio\ComboFix.exe
Command switches used :: c:\documents and settings\pc\Escritorio\CFScript.txt
.
/wow section - STAGE 4


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\unins000.dat
c:\windows\unins000.exe

Infected copy of c:\windows\system32\qmgr.dll was found and disinfected
Restored copy from - c:\windows\erdnt\cache\qmgr.dll

.
((((((((((((((((((((((((( Files Created from 2009-11-28 to 2009-12-30 )))))))))))))))))))))))))))))))
.

2009-12-26 02:36 . 2009-12-26 02:36 -------- d-----w- c:\archivos de programa\EarMaster Pro 5
2009-12-26 02:36 . 2009-12-26 02:36 -------- d-----w- c:\documents and settings\pc\Datos de programa\EarMaster
2009-12-23 22:39 . 2009-12-23 22:53 -------- d-----w- c:\documents and settings\pc\Datos de programa\GNU Solfege
2009-12-23 22:37 . 2009-12-23 22:37 -------- d-----w- c:\archivos de programa\GNU Solfege
2009-12-22 22:45 . 2009-12-22 22:45 -------- d-----w- c:\windows\Logs
2009-12-22 22:45 . 2009-12-22 22:45 -------- d-----w- c:\archivos de programa\Telltale Games
2009-12-19 20:20 . 2009-12-19 20:20 -------- d--h--r- c:\documents and settings\LocalService\Reciente
2009-12-14 22:29 . 2009-12-14 22:30 -------- d-----w- C:\rsit
2009-12-14 00:20 . 2009-12-14 00:19 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-12-12 19:38 . 2009-12-12 19:38 -------- d-----w- c:\windows\ERUNT
2009-12-07 03:02 . 2009-12-07 03:03 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-12-04 11:18 . 2009-12-04 11:18 -------- d-----w- c:\documents and settings\All Users\Datos de programa\Kaspersky Lab Setup Files
2009-12-04 10:09 . 2009-12-04 10:09 -------- d-----w- c:\documents and settings\Administrador\Datos de programa\Malwarebytes

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-30 19:17 . 2001-08-24 16:00 440050 ----a-w- c:\windows\system32\perfh00A.dat
2009-12-30 19:17 . 2001-08-24 16:00 68826 ----a-w- c:\windows\system32\perfc00A.dat
2009-12-23 21:17 . 2007-10-15 11:21 -------- d-----w- c:\archivos de programa\SUPERAntiSpyware
2009-12-22 06:02 . 2006-01-19 20:39 -------- d-----w- c:\archivos de programa\Google
2009-12-21 19:21 . 2007-01-27 14:18 -------- d-----w- c:\archivos de programa\Spybot - Search & Destroy
2009-12-21 19:20 . 2007-01-27 14:18 -------- d-----w- c:\documents and settings\All Users\Datos de programa\Spybot - Search & Destroy
2009-12-14 05:00 . 2009-10-28 02:15 117760 ----a-w- c:\documents and settings\pc\Datos de programa\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-12-14 00:19 . 2007-10-23 13:34 -------- d-----w- c:\archivos de programa\Java
2009-12-06 00:50 . 2009-11-28 09:58 -------- d-----w- c:\archivos de programa\SpeedFan
2009-12-06 00:28 . 2008-04-30 22:10 -------- d-----w- c:\archivos de programa\Malwarebytes' Anti-Malware
2009-12-06 00:28 . 2008-05-18 12:54 4844296 ----a-w- c:\documents and settings\All Users\Datos de programa\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-12-05 23:57 . 2007-10-12 23:58 -------- d-----w- c:\archivos de programa\Unlocker
2009-12-05 23:57 . 2005-05-20 17:00 -------- d-----w- c:\archivos de programa\Atari
2009-12-05 23:57 . 2005-04-08 10:27 -------- d--h--w- c:\archivos de programa\InstallShield Installation Information
2009-12-05 23:56 . 2005-05-20 17:16 -------- d-----w- c:\documents and settings\pc\Datos de programa\Atari
2009-12-05 20:34 . 2006-03-04 15:51 -------- d-----w- c:\documents and settings\pc\Datos de programa\ppstream
2009-12-03 15:14 . 2008-11-02 11:57 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-03 15:13 . 2008-05-18 12:54 18520 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-29 08:12 . 2009-11-29 08:12 -------- d-----w- c:\documents and settings\All Users\Datos de programa\Agnitum
2009-11-29 08:12 . 2009-11-29 08:12 -------- d-----w- c:\archivos de programa\Agnitum
2009-11-29 02:31 . 2009-11-29 02:23 -------- d-----w- c:\documents and settings\pc\Datos de programa\GlarySoft
2009-11-29 02:23 . 2005-11-01 14:44 -------- d-----w- c:\archivos de programa\RapidLeecher
2009-11-29 02:21 . 2005-05-11 11:58 -------- d-----w- c:\archivos de programa\BitComet
2009-11-29 02:17 . 2009-11-29 02:17 -------- d-----w- c:\archivos de programa\Glary Utilities
2009-11-28 19:10 . 2005-12-25 14:21 -------- d-----w- c:\archivos de programa\DDD Pool
2009-11-23 22:32 . 2005-04-08 18:12 -------- d-----w- c:\archivos de programa\Archivos comunes\Adobe
2009-11-23 01:13 . 2008-05-12 13:47 -------- d-----w- c:\documents and settings\pc\Datos de programa\FFSJ
2009-10-28 02:14 . 2009-10-28 02:14 65024 ----a-r- c:\documents and settings\pc\Datos de programa\Microsoft\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF15.exe
2009-10-28 02:14 . 2009-10-28 02:14 5120 ----a-r- c:\documents and settings\pc\Datos de programa\Microsoft\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF16.exe
2009-10-28 02:14 . 2009-10-28 02:14 18944 ----a-r- c:\documents and settings\pc\Datos de programa\Microsoft\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF13.exe
2005-10-02 18:55 . 2005-10-02 18:55 0 -c--a-w- c:\archivos de programa\AILog.txt
2007-10-28 16:44 . 2007-10-28 16:41 48 -csh--w- c:\windows\S46C32A27.tmp
2006-02-16 18:50 . 2006-02-16 18:47 952 -csha-w- c:\windows\system32\KGyGaAvL.sys
.

------- Sigcheck -------



[7] 2004-08-11 00:45 . A477391B7A8B0A0DAABADB17CF533A4B . 25088 . . [10.0.3790.3646] . . c:\windows\RegisteredPackages\{30C7234B-6482-4A55-A11D-ECD9030313F2}\MsPMSNSv.dll
[-] 2002-12-17 16:43 . 53D4E72452CE025F96B652B02BF9B89C . 52736 . . [9.0.1.56] . . c:\windows\RegisteredPackages\{30C7234B-6482-4A55-A11D-ECD9030313F2}$BACKUP$\System\MsPMSNSv.dll
[-] 2002-12-17 16:43 . 53D4E72452CE025F96B652B02BF9B89C . 52736 . . [9.0.1.56] . . c:\windows\system32\MsPMSNSv.dll

c:\windows\System32\wscntfy.exe ... is missing !!
c:\windows\System32\xmlprov.dll ... is missing !!
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\archivos de programa\Messenger\msmsgs.exe" [2004-11-15 1670144]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"McAfeeUpdaterUI"="c:\archivos de programa\Network Associates\Common Framework\UpdaterUI.exe" [2004-08-06 139320]
"ShStatEXE"="c:\archivos de programa\Network Associates\VirusScan\SHSTAT.EXE" [2004-08-25 94208]
"Network Associates Error Reporting Service"="c:\archivos de programa\Archivos comunes\Network Associates\TalkBack\tbmon.exe" [2003-10-07 147514]
"SunJavaUpdateSched"="c:\archivos de programa\Java\jre6\bin\jusched.exe" [2009-12-14 149280]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2002-09-09 13312]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\archivos de programa\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 14:21 548352 ----a-w- c:\archivos de programa\SUPERAntiSpyware\SASWINLO.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menú Inicio^Programas^Inicio^Google Updater.lnk]
path=c:\documents and settings\All Users\Menú Inicio\Programas\Inicio\Google Updater.lnk
backup=c:\windows\pss\Google Updater.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menú Inicio^Programas^Inicio^Microsoft Office.lnk]
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menú Inicio^Programas^Inicio^uninstall.exe]
path=c:\documents and settings\All Users\Menú Inicio\Programas\Inicio\uninstall.exe
backup=c:\windows\pss\uninstall.exeCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menú Inicio^Programas^Inicio^uninstall.exe.old]
path=c:\documents and settings\All Users\Menú Inicio\Programas\Inicio\uninstall.exe.old
backup=c:\windows\pss\uninstall.exe.oldCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menú Inicio^Programas^Inicio^VIA RAID TOOL.lnk]
backup=c:\windows\pss\VIA RAID TOOL.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menú Inicio^Programas^Inicio^WinZip Quick Pick.lnk]
backup=c:\windows\pss\WinZip Quick Pick.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acceso directo a la página de propiedades de High Definition Audio]
2004-03-17 13:10 61952 -c----w- c:\windows\system32\Hdaudpropshortcut.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2009-09-04 11:08 935288 ----a-r- c:\archivos de programa\Archivos comunes\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AgenteADSL_15]
2006-08-05 11:32 28672 ----a-w- c:\archivos de programa\Telefonica\KitAIM\AimExDll.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
2006-09-14 20:09 157592 ----a-w- c:\archivos de programa\DAEMON Tools\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InCD]
2004-09-13 09:51 1450096 ------w- c:\archivos de programa\Ahead\InCD\InCD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
2005-02-16 16:15 81920 ----a-w- c:\archivos de programa\Archivos comunes\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2006-08-05 11:32 155648 -c--a-w- c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2005-08-24 11:29 98304 ----a-w- c:\archivos de programa\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2008-06-10 02:27 144784 ----a-w- c:\archivos de programa\Java\jre1.6.0_07\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
2009-10-12 20:24 2000112 ----a-w- c:\archivos de programa\SUPERAntiSpyware\SUPERAntiSpyware.exe

R1 NaiAvTdi1;NaiAvTdi1;c:\windows\system32\drivers\mvstdi5x.sys [31/07/2005 19:19 58016]
R1 SASDIFSV;SASDIFSV;c:\archivos de programa\SUPERAntiSpyware\sasdifsv.sys [12/10/2009 21:24 9968]
R1 SASKUTIL;SASKUTIL;c:\archivos de programa\SUPERAntiSpyware\SASKUTIL.SYS [12/10/2009 21:24 74480]
R2 RVIEGVST;VSC VST Engine;c:\archivos de programa\Roland\Virtual Sound Canvas VST\RVIEg01VST.sys [29/03/2009 22:56 188276]
R3 cmudax;C-Media High Definition Audio Interface;c:\windows\system32\drivers\cmudax.sys [08/04/2005 11:28 1258432]
S0 pcsctdwx;pcsctdwx; [x]
S2 gupdate1c98713c4b29a9c;Google Update Service (gupdate1c98713c4b29a9c);c:\archivos de programa\Google\Update\GoogleUpdate.exe [04/02/2009 22:58 133104]
S2 xwovauhs;AGP Bus w766b Helper;c:\windows\System32\svchost.exe -k netsvcs [24/08/2001 17:00 12800]
S3 {BEE686B9-4C84-4487-9D72-9F40F051E973};{BEE686B9-4C84-4487-9D72-9F40F051E973};c:\windows\System32\svchost.exe -k netsvcs [24/08/2001 17:00 12800]
S3 SASENUM;SASENUM;c:\archivos de programa\SUPERAntiSpyware\SASENUM.SYS [12/10/2009 21:24 7408]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [31/12/2006 17:28 639224]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs

{BEE686B9-4C84-4487-9D72-9F40F051E973}
.
Contents of the 'Scheduled Tasks' folder

2009-11-29 c:\windows\Tasks\GlaryInitialize.job
- c:\archivos de programa\Glary Utilities\initialize.exe [2009-11-29 09:21]
.
.
------- Supplementary Scan -------
.
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = microweb
IE: E&xportar a Microsoft Excel - c:\archiv~1\MICROS~2\Office10\EXCEL.EXE/3000
TCP: {6141C6A4-C488-4BFB-89DB-EE4A062B2C88} = 80.58.61.250,80.58.61.254
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\pc\Datos de programa\Mozilla\Firefox\Profiles\7mq150nj.default\
FF - plugin: c:\archivos de programa\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\archivos de programa\Google\Update\1.2.183.13\npGoogleOneClick8.dll
.
- - - - ORPHANS REMOVED - - - -

AddRemove-File Splitter and Joiner_is1 - c:\windows\unins000.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-30 20:24
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\{BEE686B9-4C84-4487-9D72-9F40F051E973}]
"ServiceDll"="c:\docume~1\pc\CONFIG~1\Temp\24.tmp"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-682003330-484061587-2147183463-1003\Software\SecuROM\License information*]
"datasecu"=hex:02,68,ba,dc,54,d4,11,32,e0,e6,ce,10,8a,61,09,99,aa,09,59,0f,36,
e6,b6,d3,3e,dc,15,5f,3c,f6,c8,3a,81,1f,f2,d8,a4,d6,17,d4,07,82,f0,b4,5c,db,\
"rkeysecu"=hex:7a,87,67,9f,a0,16,fa,68,fb,1d,d8,31,b3,f6,87,bb

[HKEY_USERS\S-1-5-21-682003330-484061587-2147183463-1003\Software\Zepter Software\RegLib*e4257279\CloneDVD2/2]
"1"=dword:4569f51e
"2"=dword:4723939c
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(924)
c:\windows\System32\ODBC32.dll
c:\archivos de programa\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\Ati2evxx.dll
c:\windows\System32\midimap.dll

- - - - - - - > 'lsass.exe'(980)
c:\windows\System32\dssenh.dll
c:\windows\System32\EntApi.dll

- - - - - - - > 'explorer.exe'(2648)
c:\windows\System32\EntApi.dll
c:\windows\System32\msi.dll
c:\windows\System32\midimap.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\Ati2evxx.exe
c:\archivos de programa\Ahead\InCD\InCDsrv.exe
c:\archivos de programa\Java\jre6\bin\jqs.exe
c:\archivos de programa\Google\Update\1.2.183.13\GoogleCrashHandler.exe
c:\archivos de programa\Network Associates\Common Framework\FrameworkService.exe
c:\archivos de programa\Network Associates\VirusScan\mcshield.exe
c:\archivos de programa\Network Associates\VirusScan\vstskmgr.exe
c:\archiv~1\NETWOR~1\COMMON~1\naPrdMgr.exe
c:\archivos de programa\Archivos comunes\Microsoft Shared\VS7Debug\mdm.exe
c:\windows\System32\wdfmgr.exe
c:\windows\system32\Ati2evxx.exe
.
**************************************************************************
.
Completion time: 2009-12-30 20:26:42 - machine was rebooted
ComboFix-quarantined-files.txt 2009-12-30 19:26

Pre-Run: 23.849.189.376 bytes libres
Post-Run: 23.763.873.792 bytes libres

- - End Of File - - DD31F9BEC73B680CE8CCF7F36F575B5B


MBR log:

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK
copy of MBR has been found in sector 0x017BD1417
malicious code @ sector 0x017BD141A !
PE file found in sector at 0x017BD1430 !


Yes, I have the XP installation disk.

#56 nasdaq

nasdaq

    Forum Deity

  • Global Moderator
  • 49,093 posts

Posted 31 December 2009 - 09:35 AM

Open notepad and copy/paste the text in the quote box below into it:

File::
c:\docume~1\pc\CONFIG~1\Temp\24.tmp

Driver::
BEE686B9-4C84-4487-9D72-9F40F051E973
{BEE686B9-4C84-4487-9D72-9F40F051E973}


Save this as CFScript on your desktop.

Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log.

Please execute the mbr.exe -f command again.

Post the log.

Important: please let me know how the computer is performing.
nasdaq


#57 queno

queno

    Member

  • Full Member
  • 39 posts

Posted 31 December 2009 - 02:42 PM

ComboFix 09-12-31.01 - pc 31/12/2009 20:13:21.10.1 - x86 MINIMAL
Microsoft Windows XP Professional 5.1.2600.1.1252.34.3082.18.1023.821 [GMT 1:00]
Running from: c:\documents and settings\pc\Escritorio\ComboFix.exe
Command switches used :: c:\documents and settings\pc\Escritorio\CFScript.txt

FILE ::
"c:\docume~1\pc\CONFIG~1\Temp\24.tmp"
.
/wow section - STAGE 4


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

Infected copy of c:\windows\system32\qmgr.dll was found and disinfected
Restored copy from - c:\windows\erdnt\cache\qmgr.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_{BEE686B9-4C84-4487-9D72-9F40F051E973}
-------\Service_{BEE686B9-4C84-4487-9D72-9F40F051E973}


((((((((((((((((((((((((( Files Created from 2009-11-28 to 2009-12-31 )))))))))))))))))))))))))))))))
.

2009-12-26 02:36 . 2009-12-26 02:36 -------- d-----w- c:\archivos de programa\EarMaster Pro 5
2009-12-26 02:36 . 2009-12-26 02:36 -------- d-----w- c:\documents and settings\pc\Datos de programa\EarMaster
2009-12-23 22:39 . 2009-12-23 22:53 -------- d-----w- c:\documents and settings\pc\Datos de programa\GNU Solfege
2009-12-23 22:37 . 2009-12-23 22:37 -------- d-----w- c:\archivos de programa\GNU Solfege
2009-12-22 22:45 . 2009-12-22 22:45 -------- d-----w- c:\windows\Logs
2009-12-22 22:45 . 2009-12-22 22:45 -------- d-----w- c:\archivos de programa\Telltale Games
2009-12-19 20:20 . 2009-12-19 20:20 -------- d--h--r- c:\documents and settings\LocalService\Reciente
2009-12-14 22:29 . 2009-12-14 22:30 -------- d-----w- C:\rsit
2009-12-14 00:20 . 2009-12-14 00:19 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-12-12 19:38 . 2009-12-12 19:38 -------- d-----w- c:\windows\ERUNT
2009-12-07 03:02 . 2009-12-07 03:03 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-12-04 11:18 . 2009-12-04 11:18 -------- d-----w- c:\documents and settings\All Users\Datos de programa\Kaspersky Lab Setup Files
2009-12-04 10:09 . 2009-12-04 10:09 -------- d-----w- c:\documents and settings\Administrador\Datos de programa\Malwarebytes

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-31 19:15 . 2001-08-24 16:00 68826 ----a-w- c:\windows\system32\perfc00A.dat
2009-12-31 19:15 . 2001-08-24 16:00 440050 ----a-w- c:\windows\system32\perfh00A.dat
2009-12-23 21:17 . 2007-10-15 11:21 -------- d-----w- c:\archivos de programa\SUPERAntiSpyware
2009-12-22 06:02 . 2006-01-19 20:39 -------- d-----w- c:\archivos de programa\Google
2009-12-21 19:21 . 2007-01-27 14:18 -------- d-----w- c:\archivos de programa\Spybot - Search & Destroy
2009-12-21 19:20 . 2007-01-27 14:18 -------- d-----w- c:\documents and settings\All Users\Datos de programa\Spybot - Search & Destroy
2009-12-14 05:00 . 2009-10-28 02:15 117760 ----a-w- c:\documents and settings\pc\Datos de programa\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-12-14 00:19 . 2007-10-23 13:34 -------- d-----w- c:\archivos de programa\Java
2009-12-06 00:50 . 2009-11-28 09:58 -------- d-----w- c:\archivos de programa\SpeedFan
2009-12-06 00:28 . 2008-04-30 22:10 -------- d-----w- c:\archivos de programa\Malwarebytes' Anti-Malware
2009-12-06 00:28 . 2008-05-18 12:54 4844296 ----a-w- c:\documents and settings\All Users\Datos de programa\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-12-05 23:57 . 2007-10-12 23:58 -------- d-----w- c:\archivos de programa\Unlocker
2009-12-05 23:57 . 2005-05-20 17:00 -------- d-----w- c:\archivos de programa\Atari
2009-12-05 23:57 . 2005-04-08 10:27 -------- d--h--w- c:\archivos de programa\InstallShield Installation Information
2009-12-05 23:56 . 2005-05-20 17:16 -------- d-----w- c:\documents and settings\pc\Datos de programa\Atari
2009-12-05 20:34 . 2006-03-04 15:51 -------- d-----w- c:\documents and settings\pc\Datos de programa\ppstream
2009-12-03 15:14 . 2008-11-02 11:57 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-03 15:13 . 2008-05-18 12:54 18520 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-29 08:12 . 2009-11-29 08:12 -------- d-----w- c:\documents and settings\All Users\Datos de programa\Agnitum
2009-11-29 08:12 . 2009-11-29 08:12 -------- d-----w- c:\archivos de programa\Agnitum
2009-11-29 02:31 . 2009-11-29 02:23 -------- d-----w- c:\documents and settings\pc\Datos de programa\GlarySoft
2009-11-29 02:23 . 2005-11-01 14:44 -------- d-----w- c:\archivos de programa\RapidLeecher
2009-11-29 02:21 . 2005-05-11 11:58 -------- d-----w- c:\archivos de programa\BitComet
2009-11-29 02:17 . 2009-11-29 02:17 -------- d-----w- c:\archivos de programa\Glary Utilities
2009-11-28 19:10 . 2005-12-25 14:21 -------- d-----w- c:\archivos de programa\DDD Pool
2009-11-23 22:32 . 2005-04-08 18:12 -------- d-----w- c:\archivos de programa\Archivos comunes\Adobe
2009-11-23 01:13 . 2008-05-12 13:47 -------- d-----w- c:\documents and settings\pc\Datos de programa\FFSJ
2009-10-28 02:14 . 2009-10-28 02:14 65024 ----a-r- c:\documents and settings\pc\Datos de programa\Microsoft\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF15.exe
2009-10-28 02:14 . 2009-10-28 02:14 5120 ----a-r- c:\documents and settings\pc\Datos de programa\Microsoft\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF16.exe
2009-10-28 02:14 . 2009-10-28 02:14 18944 ----a-r- c:\documents and settings\pc\Datos de programa\Microsoft\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF13.exe
2005-10-02 18:55 . 2005-10-02 18:55 0 -c--a-w- c:\archivos de programa\AILog.txt
2007-10-28 16:44 . 2007-10-28 16:41 48 -csh--w- c:\windows\S46C32A27.tmp
2006-02-16 18:50 . 2006-02-16 18:47 952 -csha-w- c:\windows\system32\KGyGaAvL.sys
.

------- Sigcheck -------



[7] 2004-08-11 00:45 . A477391B7A8B0A0DAABADB17CF533A4B . 25088 . . [10.0.3790.3646] . . c:\windows\RegisteredPackages\{30C7234B-6482-4A55-A11D-ECD9030313F2}\MsPMSNSv.dll
[-] 2002-12-17 16:43 . 53D4E72452CE025F96B652B02BF9B89C . 52736 . . [9.0.1.56] . . c:\windows\RegisteredPackages\{30C7234B-6482-4A55-A11D-ECD9030313F2}$BACKUP$\System\MsPMSNSv.dll
[-] 2002-12-17 16:43 . 53D4E72452CE025F96B652B02BF9B89C . 52736 . . [9.0.1.56] . . c:\windows\system32\MsPMSNSv.dll

c:\windows\System32\wscntfy.exe ... is missing !!
c:\windows\System32\xmlprov.dll ... is missing !!
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\archivos de programa\Messenger\msmsgs.exe" [2004-11-15 1670144]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"McAfeeUpdaterUI"="c:\archivos de programa\Network Associates\Common Framework\UpdaterUI.exe" [2004-08-06 139320]
"ShStatEXE"="c:\archivos de programa\Network Associates\VirusScan\SHSTAT.EXE" [2004-08-25 94208]
"Network Associates Error Reporting Service"="c:\archivos de programa\Archivos comunes\Network Associates\TalkBack\tbmon.exe" [2003-10-07 147514]
"SunJavaUpdateSched"="c:\archivos de programa\Java\jre6\bin\jusched.exe" [2009-12-14 149280]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2002-09-09 13312]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\archivos de programa\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 14:21 548352 ----a-w- c:\archivos de programa\SUPERAntiSpyware\SASWINLO.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menú Inicio^Programas^Inicio^Google Updater.lnk]
path=c:\documents and settings\All Users\Menú Inicio\Programas\Inicio\Google Updater.lnk
backup=c:\windows\pss\Google Updater.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menú Inicio^Programas^Inicio^Microsoft Office.lnk]
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menú Inicio^Programas^Inicio^uninstall.exe]
path=c:\documents and settings\All Users\Menú Inicio\Programas\Inicio\uninstall.exe
backup=c:\windows\pss\uninstall.exeCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menú Inicio^Programas^Inicio^uninstall.exe.old]
path=c:\documents and settings\All Users\Menú Inicio\Programas\Inicio\uninstall.exe.old
backup=c:\windows\pss\uninstall.exe.oldCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menú Inicio^Programas^Inicio^VIA RAID TOOL.lnk]
backup=c:\windows\pss\VIA RAID TOOL.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menú Inicio^Programas^Inicio^WinZip Quick Pick.lnk]
backup=c:\windows\pss\WinZip Quick Pick.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acceso directo a la página de propiedades de High Definition Audio]
2004-03-17 13:10 61952 -c----w- c:\windows\system32\Hdaudpropshortcut.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2009-09-04 11:08 935288 ----a-r- c:\archivos de programa\Archivos comunes\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AgenteADSL_15]
2006-08-05 11:32 28672 ----a-w- c:\archivos de programa\Telefonica\KitAIM\AimExDll.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
2006-09-14 20:09 157592 ----a-w- c:\archivos de programa\DAEMON Tools\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InCD]
2004-09-13 09:51 1450096 ------w- c:\archivos de programa\Ahead\InCD\InCD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
2005-02-16 16:15 81920 ----a-w- c:\archivos de programa\Archivos comunes\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2006-08-05 11:32 155648 -c--a-w- c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2005-08-24 11:29 98304 ----a-w- c:\archivos de programa\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2008-06-10 02:27 144784 ----a-w- c:\archivos de programa\Java\jre1.6.0_07\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
2009-10-12 20:24 2000112 ----a-w- c:\archivos de programa\SUPERAntiSpyware\SUPERAntiSpyware.exe

R1 NaiAvTdi1;NaiAvTdi1;c:\windows\system32\drivers\mvstdi5x.sys [31/07/2005 19:19 58016]
R1 SASDIFSV;SASDIFSV;c:\archivos de programa\SUPERAntiSpyware\sasdifsv.sys [12/10/2009 21:24 9968]
R1 SASKUTIL;SASKUTIL;c:\archivos de programa\SUPERAntiSpyware\SASKUTIL.SYS [12/10/2009 21:24 74480]
R2 RVIEGVST;VSC VST Engine;c:\archivos de programa\Roland\Virtual Sound Canvas VST\RVIEg01VST.sys [29/03/2009 22:56 188276]
R3 cmudax;C-Media High Definition Audio Interface;c:\windows\system32\drivers\cmudax.sys [08/04/2005 11:28 1258432]
S0 pcsctdwx;pcsctdwx; [x]
S2 gupdate1c98713c4b29a9c;Google Update Service (gupdate1c98713c4b29a9c);c:\archivos de programa\Google\Update\GoogleUpdate.exe [04/02/2009 22:58 133104]
S2 xwovauhs;AGP Bus w766b Helper;c:\windows\System32\svchost.exe -k netsvcs [24/08/2001 17:00 12800]
S3 SASENUM;SASENUM;c:\archivos de programa\SUPERAntiSpyware\SASENUM.SYS [12/10/2009 21:24 7408]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [31/12/2006 17:28 639224]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - ENTDRV51

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs

.
Contents of the 'Scheduled Tasks' folder

2009-11-29 c:\windows\Tasks\GlaryInitialize.job
- c:\archivos de programa\Glary Utilities\initialize.exe [2009-11-29 09:21]
.
.
------- Supplementary Scan -------
.
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = microweb
IE: E&xportar a Microsoft Excel - c:\archiv~1\MICROS~2\Office10\EXCEL.EXE/3000
TCP: {6141C6A4-C488-4BFB-89DB-EE4A062B2C88} = 80.58.61.250,80.58.61.254
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\pc\Datos de programa\Mozilla\Firefox\Profiles\7mq150nj.default\
FF - plugin: c:\archivos de programa\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\archivos de programa\Google\Update\1.2.183.13\npGoogleOneClick8.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-31 20:22
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-682003330-484061587-2147183463-1003\Software\SecuROM\License information*]
"datasecu"=hex:02,68,ba,dc,54,d4,11,32,e0,e6,ce,10,8a,61,09,99,aa,09,59,0f,36,
e6,b6,d3,3e,dc,15,5f,3c,f6,c8,3a,81,1f,f2,d8,a4,d6,17,d4,07,82,f0,b4,5c,db,\
"rkeysecu"=hex:7a,87,67,9f,a0,16,fa,68,fb,1d,d8,31,b3,f6,87,bb

[HKEY_USERS\S-1-5-21-682003330-484061587-2147183463-1003\Software\Zepter Software\RegLib*e4257279\CloneDVD2/2]
"1"=dword:4569f51e
"2"=dword:4723939c
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(924)
c:\windows\System32\ODBC32.dll
c:\archivos de programa\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\Ati2evxx.dll
c:\windows\System32\midimap.dll

- - - - - - - > 'lsass.exe'(980)
c:\windows\System32\dssenh.dll
c:\windows\System32\EntApi.dll

- - - - - - - > 'explorer.exe'(556)
c:\windows\System32\EntApi.dll
c:\windows\System32\msi.dll
c:\windows\System32\midimap.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\Ati2evxx.exe
c:\archivos de programa\Ahead\InCD\InCDsrv.exe
c:\archivos de programa\Java\jre6\bin\jqs.exe
c:\archivos de programa\Google\Update\1.2.183.13\GoogleCrashHandler.exe
c:\archivos de programa\Network Associates\Common Framework\FrameworkService.exe
c:\windows\system32\Ati2evxx.exe
c:\archivos de programa\Network Associates\VirusScan\mcshield.exe
c:\archivos de programa\Network Associates\VirusScan\vstskmgr.exe
c:\archiv~1\NETWOR~1\COMMON~1\naPrdMgr.exe
c:\archivos de programa\Archivos comunes\Microsoft Shared\VS7Debug\mdm.exe
c:\windows\System32\wdfmgr.exe
.
**************************************************************************
.
Completion time: 2009-12-31 20:25:05 - machine was rebooted
ComboFix-quarantined-files.txt 2009-12-31 19:25
ComboFix2.txt 2009-12-30 19:26

Pre-Run: 26.214.678.528 bytes libres
Post-Run: 26.090.278.912 bytes libres

- - End Of File - - C57E16EF897FB04FCDDC84BF996CDE95


Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK
copy of MBR has been found in sector 0x017BD1417
malicious code @ sector 0x017BD141A !
PE file found in sector at 0x017BD1430 !


I still have to run ComboFix in safe mode.
I still have the same problems when running GoogleEarth or a game.

Edited by queno, 31 December 2009 - 02:43 PM.


#58 nasdaq (Forum Deity, Global Moderator, 49,093 posts)

Posted 01 January 2010 - 09:13 AM

Something is hidden. Let's see what this scan will find.

Please download the Sophos Anti-Rootkit Scanner and save it to your desktop.

You will need to enter your name, e-mail address and location in order to access the download page.

  • Once you have downloaded the file, double click the sarsfx icon
  • Review the licence agreement and click on the Accept button
  • The scanner will prompt you to extract the files to C:\SOPHTEMP - DO NOT change this location, simply click the Install button
  • Once the files have been extracted; using Windows Explorer, navigate to C:\SOPHTEMP and double click on the blue shield icon called sargui
  • Ensure that there are checkmarks next to Running processes, Windows registry and Local hard drives, then click Start scan
  • Allow the program to scan your computer - please be patient as it may take some time
  • Once the scan has completed a window will pop-up with the results of the scan - click OK to this
  • In the main window, you will see each of the entries found by the scan (if any)
    • If the scanner generated any warning messages, please click on each warning and copy and paste the text of it into this thread for me to review
    • Once you have posted any warning messages here, you can close the scanner and wait for me to get back to you
  • If you have not had any warnings, any entries which can be cleaned up by the scanner will have a box with a green checkmark in it next to the entry
  • To clean up these entries click on the Clean up checked items button
  • If you accidentally check a file NOT recommended for clean up, you will get a warning message and if necessary can re-select the entries you want to clean up
  • Once you have cleaned the selected files, you will be prompted to re-boot your computer - please do so
  • When you have re-booted, please post a fresh HijackThis log into this thread and tell me how your computer is running now
Thanks
nasdaq

Favorite tools: [ SpywareBlaster ] [ Spybot ] [ AdAware ] [ HijackThis ]
[ Housecall online virus scan ] [ Bitdefender online virus scan ]
[ AVG antivirus ] [ Sunbelt Personal Firewall ] [ ZoneAlarm firewall ]

My help is free, but if we have helped you in any way, please consider Donating,
see this topic for details.
We need members like you.

========
Shouldn't water be worth more than diamonds?
Adam Smith Glasgow, 1760

#59 queno (Member, Full Member, 39 posts)

Posted 02 January 2010 - 05:31 AM

Hi!

Sophos Anti-Rootkit Scanner detected some hidden registry keys and nothing more. The scanner didn't generate any warning messages and there wasn't any box with a green checkmark in it next to the entry, so I couldn't press the Clean up checked items button.

Thanks again and happy new year!!!

#60 nasdaq (Forum Deity, Global Moderator, 49,093 posts)

Posted 02 January 2010 - 09:26 AM

Download catchme.exe to your desktop.
http://www.gmer.net/catchme.php
This tool is from GMER.

Double click catchme.exe to run it.

Open the catchme.log with Notepad and post the results back here.
nasdaq


#61 queno (Member, Full Member, 39 posts)

Posted 02 January 2010 - 01:39 PM

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-02 19:33:18
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"h0"=dword:00000000
"khjeh"=hex:a2,16,83,62,f6,9d,b9,e3,72,e9,51,ff,21,12,71,cf,e6,02,3d,f2,03,..
"p0"="C:\Archivos de programa\DAEMON Tools\"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"a0"=hex:20,01,00,00,d6,85,b5,9c,bf,5a,60,d0,c2,eb,20,9e,c6,9f,86,ba,98,..
"khjeh"=hex:c1,e9,f9,0d,b1,46,32,ef,74,75,dd,13,32,26,1f,3c,2b,ca,78,1a,85,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:b5,28,cd,f7,2e,db,c4,3a,1f,b9,d7,07,98,93,82,28,00,c1,83,5d,18,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41]
"khjeh"=hex:e5,1b,94,d2,0e,7e,9b,a4,80,ad,44,4e,63,59,3b,0d,ef,fa,85,d1,d8,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42]
"khjeh"=hex:c1,6a,54,82,b1,79,26,1d,a3,c5,03,35,2f,49,2d,c9,e3,a9,78,a5,df,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf43]
"khjeh"=hex:28,69,91,ef,09,c8,f3,a6,9b,e3,ff,bf,a7,e0,74,99,6a,9c,29,b5,3c,..
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"h0"=dword:00000000
"khjeh"=hex:a2,16,83,62,f6,9d,b9,e3,72,e9,51,ff,21,12,71,cf,e6,02,3d,f2,03,..
"p0"="C:\Archivos de programa\DAEMON Tools\"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"a0"=hex:20,01,00,00,d6,85,b5,9c,bf,5a,60,d0,c2,eb,20,9e,c6,9f,86,ba,98,..
"khjeh"=hex:ae,26,b4,1e,6f,71,ac,03,2f,33,75,ac,d4,df,7b,58,ec,4c,b4,ca,3c,..

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:b5,28,cd,f7,2e,db,c4,3a,1f,b9,d7,07,98,93,82,28,00,c1,83,5d,18,..

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41]
"khjeh"=hex:e5,1b,94,d2,0e,7e,9b,a4,80,ad,44,4e,63,59,3b,0d,ef,fa,85,d1,d8,..

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42]
"khjeh"=hex:ca,43,fd,21,41,42,b8,2d,6a,b8,fe,0d,f9,21,87,c5,33,21,4f,4e,a1,..

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf43]
"khjeh"=hex:44,1e,45,50,5c,a5,44,0a,40,c8,3f,e4,9f,73,dd,f1,e8,46,a6,1d,08,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet006\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"h0"=dword:00000000
"khjeh"=hex:a2,16,83,62,f6,9d,b9,e3,72,e9,51,ff,21,12,71,cf,e6,02,3d,f2,03,..
"p0"="C:\Archivos de programa\DAEMON Tools\"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet006\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"a0"=hex:20,01,00,00,d6,85,b5,9c,bf,5a,60,d0,c2,eb,20,9e,c6,9f,86,ba,98,..
"khjeh"=hex:ae,26,b4,1e,6f,71,ac,03,2f,33,75,ac,d4,df,7b,58,ec,4c,b4,ca,3c,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet006\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:b5,28,cd,f7,2e,db,c4,3a,1f,b9,d7,07,98,93,82,28,00,c1,83,5d,18,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet006\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41]
"khjeh"=hex:e5,1b,94,d2,0e,7e,9b,a4,80,ad,44,4e,63,59,3b,0d,ef,fa,85,d1,d8,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet006\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42]
"khjeh"=hex:ca,43,fd,21,41,42,b8,2d,6a,b8,fe,0d,f9,21,87,c5,33,21,4f,4e,a1,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet006\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf43]
"khjeh"=hex:44,1e,45,50,5c,a5,44,0a,40,c8,3f,e4,9f,73,dd,f1,e8,46,a6,1d,08,..

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

#62 nasdaq (Forum Deity, Global Moderator, 49,093 posts)

Posted 02 January 2010 - 02:38 PM

I'm checking with the experts. Stay with me.
nasdaq


#63 nasdaq (Forum Deity, Global Moderator, 49,093 posts)

Posted 03 January 2010 - 08:38 AM

Not being able to run ComboFix in normal mode may be due to your protection programs.

Disable all Anti-virus and Firewall...

http://www.bleepingc...opic114351.html

Can you now run it in normal mode?
nasdaq


#64 queno (Member, Full Member, 39 posts)

Posted 03 January 2010 - 01:57 PM

There isn't enough information about fully disabling my Anti-Virus in this link (http://www.bleepingc...opic114351.html), but I have found out myself how to do it properly.

ComboFix log (Normal Mode):



ComboFix 10-01-02.05 - pc 03/01/2010 19:30:41.11.1 - x86
Microsoft Windows XP Professional 5.1.2600.1.1252.34.3082.18.1023.689 [GMT 1:00]
Running from: c:\documents and settings\pc\Escritorio\ComboFix.exe
.
/wow section - STAGE 4


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

Infected copy of c:\windows\system32\qmgr.dll was found and disinfected
Restored copy from - c:\windows\erdnt\cache\qmgr.dll

.
((((((((((((((((((((((((( Files Created from 2009-12-03 to 2010-01-03 )))))))))))))))))))))))))))))))
.

2010-01-01 21:07 . 2010-01-01 21:07 -------- d-----w- c:\archivos de programa\Sophos
2009-12-26 02:36 . 2009-12-26 02:36 -------- d-----w- c:\archivos de programa\EarMaster Pro 5
2009-12-26 02:36 . 2009-12-26 02:36 -------- d-----w- c:\documents and settings\pc\Datos de programa\EarMaster
2009-12-23 22:39 . 2009-12-23 22:53 -------- d-----w- c:\documents and settings\pc\Datos de programa\GNU Solfege
2009-12-23 22:37 . 2009-12-23 22:37 -------- d-----w- c:\archivos de programa\GNU Solfege
2009-12-22 22:45 . 2009-12-22 22:45 -------- d-----w- c:\windows\Logs
2009-12-22 22:45 . 2009-12-22 22:45 -------- d-----w- c:\archivos de programa\Telltale Games
2009-12-19 20:20 . 2009-12-19 20:20 -------- d--h--r- c:\documents and settings\LocalService\Reciente
2009-12-14 22:29 . 2009-12-14 22:30 -------- d-----w- C:\rsit
2009-12-14 00:20 . 2009-12-14 00:19 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-12-12 19:38 . 2009-12-12 19:38 -------- d-----w- c:\windows\ERUNT
2009-12-07 03:02 . 2009-12-07 03:03 664 ----a-w- c:\windows\system32\d3d9caps.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-03 18:22 . 2001-08-24 16:00 68826 ----a-w- c:\windows\system32\perfc00A.dat
2010-01-03 18:22 . 2001-08-24 16:00 440050 ----a-w- c:\windows\system32\perfh00A.dat
2009-12-23 21:17 . 2007-10-15 11:21 -------- d-----w- c:\archivos de programa\SUPERAntiSpyware
2009-12-22 06:02 . 2006-01-19 20:39 -------- d-----w- c:\archivos de programa\Google
2009-12-21 19:21 . 2007-01-27 14:18 -------- d-----w- c:\archivos de programa\Spybot - Search & Destroy
2009-12-21 19:20 . 2007-01-27 14:18 -------- d-----w- c:\documents and settings\All Users\Datos de programa\Spybot - Search & Destroy
2009-12-14 05:00 . 2009-10-28 02:15 117760 ----a-w- c:\documents and settings\pc\Datos de programa\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-12-14 00:19 . 2007-10-23 13:34 -------- d-----w- c:\archivos de programa\Java
2009-12-06 00:50 . 2009-11-28 09:58 -------- d-----w- c:\archivos de programa\SpeedFan
2009-12-06 00:28 . 2008-04-30 22:10 -------- d-----w- c:\archivos de programa\Malwarebytes' Anti-Malware
2009-12-06 00:28 . 2008-05-18 12:54 4844296 ----a-w- c:\documents and settings\All Users\Datos de programa\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-12-05 23:57 . 2007-10-12 23:58 -------- d-----w- c:\archivos de programa\Unlocker
2009-12-05 23:57 . 2005-05-20 17:00 -------- d-----w- c:\archivos de programa\Atari
2009-12-05 23:57 . 2005-04-08 10:27 -------- d--h--w- c:\archivos de programa\InstallShield Installation Information
2009-12-05 23:56 . 2005-05-20 17:16 -------- d-----w- c:\documents and settings\pc\Datos de programa\Atari
2009-12-05 20:34 . 2006-03-04 15:51 -------- d-----w- c:\documents and settings\pc\Datos de programa\ppstream
2009-12-04 11:18 . 2009-12-04 11:18 -------- d-----w- c:\documents and settings\All Users\Datos de programa\Kaspersky Lab Setup Files
2009-12-04 10:09 . 2009-12-04 10:09 -------- d-----w- c:\documents and settings\Administrador\Datos de programa\Malwarebytes
2009-12-03 15:14 . 2008-11-02 11:57 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-03 15:13 . 2008-05-18 12:54 18520 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-29 08:12 . 2009-11-29 08:12 -------- d-----w- c:\documents and settings\All Users\Datos de programa\Agnitum
2009-11-29 08:12 . 2009-11-29 08:12 -------- d-----w- c:\archivos de programa\Agnitum
2009-11-29 02:31 . 2009-11-29 02:23 -------- d-----w- c:\documents and settings\pc\Datos de programa\GlarySoft
2009-11-29 02:23 . 2005-11-01 14:44 -------- d-----w- c:\archivos de programa\RapidLeecher
2009-11-29 02:21 . 2005-05-11 11:58 -------- d-----w- c:\archivos de programa\BitComet
2009-11-29 02:17 . 2009-11-29 02:17 -------- d-----w- c:\archivos de programa\Glary Utilities
2009-11-28 19:10 . 2005-12-25 14:21 -------- d-----w- c:\archivos de programa\DDD Pool
2009-11-23 22:32 . 2005-04-08 18:12 -------- d-----w- c:\archivos de programa\Archivos comunes\Adobe
2009-11-23 01:13 . 2008-05-12 13:47 -------- d-----w- c:\documents and settings\pc\Datos de programa\FFSJ
2009-10-28 02:14 . 2009-10-28 02:14 65024 ----a-r- c:\documents and settings\pc\Datos de programa\Microsoft\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF15.exe
2009-10-28 02:14 . 2009-10-28 02:14 5120 ----a-r- c:\documents and settings\pc\Datos de programa\Microsoft\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF16.exe
2009-10-28 02:14 . 2009-10-28 02:14 18944 ----a-r- c:\documents and settings\pc\Datos de programa\Microsoft\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF13.exe
2005-10-02 18:55 . 2005-10-02 18:55 0 -c--a-w- c:\archivos de programa\AILog.txt
2007-10-28 16:44 . 2007-10-28 16:41 48 -csh--w- c:\windows\S46C32A27.tmp
2006-02-16 18:50 . 2006-02-16 18:47 952 -csha-w- c:\windows\system32\KGyGaAvL.sys
.

------- Sigcheck -------



[7] 2004-08-11 00:45 . A477391B7A8B0A0DAABADB17CF533A4B . 25088 . . [10.0.3790.3646] . . c:\windows\RegisteredPackages\{30C7234B-6482-4A55-A11D-ECD9030313F2}\MsPMSNSv.dll
[-] 2002-12-17 16:43 . 53D4E72452CE025F96B652B02BF9B89C . 52736 . . [9.0.1.56] . . c:\windows\RegisteredPackages\{30C7234B-6482-4A55-A11D-ECD9030313F2}$BACKUP$\System\MsPMSNSv.dll
[-] 2002-12-17 16:43 . 53D4E72452CE025F96B652B02BF9B89C . 52736 . . [9.0.1.56] . . c:\windows\system32\MsPMSNSv.dll

c:\windows\System32\wscntfy.exe ... is missing !!
c:\windows\System32\xmlprov.dll ... is missing !!
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\archivos de programa\Messenger\msmsgs.exe" [2004-11-15 1670144]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"McAfeeUpdaterUI"="c:\archivos de programa\Network Associates\Common Framework\UpdaterUI.exe" [2004-08-06 139320]
"ShStatEXE"="c:\archivos de programa\Network Associates\VirusScan\SHSTAT.EXE" [2004-08-25 94208]
"Network Associates Error Reporting Service"="c:\archivos de programa\Archivos comunes\Network Associates\TalkBack\tbmon.exe" [2003-10-07 147514]
"SunJavaUpdateSched"="c:\archivos de programa\Java\jre6\bin\jusched.exe" [2009-12-14 149280]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2002-09-09 13312]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\archivos de programa\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 14:21 548352 ----a-w- c:\archivos de programa\SUPERAntiSpyware\SASWINLO.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menú Inicio^Programas^Inicio^Google Updater.lnk]
path=c:\documents and settings\All Users\Menú Inicio\Programas\Inicio\Google Updater.lnk
backup=c:\windows\pss\Google Updater.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menú Inicio^Programas^Inicio^Microsoft Office.lnk]
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menú Inicio^Programas^Inicio^uninstall.exe]
path=c:\documents and settings\All Users\Menú Inicio\Programas\Inicio\uninstall.exe
backup=c:\windows\pss\uninstall.exeCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menú Inicio^Programas^Inicio^uninstall.exe.old]
path=c:\documents and settings\All Users\Menú Inicio\Programas\Inicio\uninstall.exe.old
backup=c:\windows\pss\uninstall.exe.oldCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menú Inicio^Programas^Inicio^VIA RAID TOOL.lnk]
backup=c:\windows\pss\VIA RAID TOOL.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menú Inicio^Programas^Inicio^WinZip Quick Pick.lnk]
backup=c:\windows\pss\WinZip Quick Pick.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acceso directo a la página de propiedades de High Definition Audio]
2004-03-17 13:10 61952 -c----w- c:\windows\system32\Hdaudpropshortcut.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2009-09-04 11:08 935288 ----a-r- c:\archivos de programa\Archivos comunes\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AgenteADSL_15]
2006-08-05 11:32 28672 ----a-w- c:\archivos de programa\Telefonica\KitAIM\AimExDll.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
2006-09-14 20:09 157592 ----a-w- c:\archivos de programa\DAEMON Tools\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InCD]
2004-09-13 09:51 1450096 ------w- c:\archivos de programa\Ahead\InCD\InCD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
2005-02-16 16:15 81920 ----a-w- c:\archivos de programa\Archivos comunes\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2006-08-05 11:32 155648 -c--a-w- c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2005-08-24 11:29 98304 ----a-w- c:\archivos de programa\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2008-06-10 02:27 144784 ----a-w- c:\archivos de programa\Java\jre1.6.0_07\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
2009-10-12 20:24 2000112 ----a-w- c:\archivos de programa\SUPERAntiSpyware\SUPERAntiSpyware.exe

R1 NaiAvTdi1;NaiAvTdi1;c:\windows\system32\drivers\mvstdi5x.sys [31/07/2005 19:19 58016]
R1 SASDIFSV;SASDIFSV;c:\archivos de programa\SUPERAntiSpyware\sasdifsv.sys [12/10/2009 21:24 9968]
R1 SASKUTIL;SASKUTIL;c:\archivos de programa\SUPERAntiSpyware\SASKUTIL.SYS [12/10/2009 21:24 74480]
R2 RVIEGVST;VSC VST Engine;c:\archivos de programa\Roland\Virtual Sound Canvas VST\RVIEg01VST.sys [29/03/2009 22:56 188276]
R3 cmudax;C-Media High Definition Audio Interface;c:\windows\system32\drivers\cmudax.sys [08/04/2005 11:28 1258432]
S0 pcsctdwx;pcsctdwx; [x]
S2 gupdate1c98713c4b29a9c;Google Update Service (gupdate1c98713c4b29a9c);c:\archivos de programa\Google\Update\GoogleUpdate.exe [04/02/2009 22:58 133104]
S2 xwovauhs;AGP Bus w766b Helper;c:\windows\System32\svchost.exe -k netsvcs [24/08/2001 17:00 12800]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\System32\328.tmp --> c:\windows\System32\328.tmp [?]
S3 SASENUM;SASENUM;c:\archivos de programa\SUPERAntiSpyware\SASENUM.SYS [12/10/2009 21:24 7408]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [31/12/2006 17:28 639224]
.
Contents of the 'Scheduled Tasks' folder

2009-11-29 c:\windows\Tasks\GlaryInitialize.job
- c:\archivos de programa\Glary Utilities\initialize.exe [2009-11-29 09:21]
.
.
------- Supplementary Scan -------
.
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = microweb
IE: E&xportar a Microsoft Excel - c:\archiv~1\MICROS~2\Office10\EXCEL.EXE/3000
TCP: {6141C6A4-C488-4BFB-89DB-EE4A062B2C88} = 80.58.61.250,80.58.61.254
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\pc\Datos de programa\Mozilla\Firefox\Profiles\7mq150nj.default\
FF - plugin: c:\archivos de programa\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\archivos de programa\Google\Update\1.2.183.13\npGoogleOneClick8.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-03 19:38
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\System32\328.tmp"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-682003330-484061587-2147183463-1003\Software\SecuROM\License information*]
"datasecu"=hex:02,68,ba,dc,54,d4,11,32,e0,e6,ce,10,8a,61,09,99,aa,09,59,0f,36,
e6,b6,d3,3e,dc,15,5f,3c,f6,c8,3a,81,1f,f2,d8,a4,d6,17,d4,07,82,f0,b4,5c,db,\
"rkeysecu"=hex:7a,87,67,9f,a0,16,fa,68,fb,1d,d8,31,b3,f6,87,bb

[HKEY_USERS\S-1-5-21-682003330-484061587-2147183463-1003\Software\Zepter Software\RegLib*e4257279\CloneDVD2/2]
"1"=dword:4569f51e
"2"=dword:4723939c
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(920)
c:\windows\System32\ODBC32.dll
c:\archivos de programa\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\Ati2evxx.dll
c:\windows\System32\midimap.dll

- - - - - - - > 'lsass.exe'(976)
c:\windows\System32\dssenh.dll

- - - - - - - > 'explorer.exe'(3544)
c:\windows\System32\msi.dll
c:\windows\System32\midimap.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\Ati2evxx.exe
c:\archivos de programa\Ahead\InCD\InCDsrv.exe
c:\windows\system32\Ati2evxx.exe
c:\archivos de programa\Google\Update\1.2.183.13\GoogleCrashHandler.exe
c:\archivos de programa\Java\jre6\bin\jqs.exe
c:\archivos de programa\Network Associates\Common Framework\FrameworkService.exe
c:\archivos de programa\Network Associates\VirusScan\mcshield.exe
c:\archivos de programa\Network Associates\VirusScan\vstskmgr.exe
c:\archiv~1\NETWOR~1\COMMON~1\naPrdMgr.exe
c:\archivos de programa\Archivos comunes\Microsoft Shared\VS7Debug\mdm.exe
c:\windows\System32\wdfmgr.exe
.
**************************************************************************
.
Completion time: 2010-01-03 19:40:27 - machine was rebooted
ComboFix-quarantined-files.txt 2010-01-03 18:40
ComboFix2.txt 2009-12-31 19:25

Pre-Run: 22.757.163.008 bytes libres
Post-Run: 22.821.101.568 bytes libres

- - End Of File - - 20CC4BDBF973104D20B4471A0ECBBA2D

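The ComboFix log above lists which modules each running process has loaded and prints a service ImagePath that points at a `.tmp` file in System32. Two of the listed processes, winlogon.exe and lsass.exe, run as SYSTEM and are favourite injection targets, so a practitioner reviewing such a log first looks for modules loaded into them from outside the Windows directory, and for services whose image is a temporary file. The script below is an added example of that triage, not ComboFix's own code; it parses a constructed excerpt modelled on the posted log, and its rules (the `SENSITIVE` process set, the `WINDIR` prefix, the `.tmp`/Temp test) are assumptions about what deserves a second look, not a verdict. A hit means "verify", not "malicious": SUPERAntiSpyware's SASWINLO.dll is a legitimate winlogon notification package and still shows up.

```python
"""Triage two sections of a ComboFix log: the "DLLs Loaded Under Running
Processes" section and any "ImagePath" registry value it prints.
Added example; not ComboFix code. The rules are review heuristics."""
import re

# Constructed excerpt modelled on the log posted in this thread.
SAMPLE_LOG = r"""
"ImagePath"="\??\c:\windows\System32\328.tmp"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(920)
c:\windows\System32\ODBC32.dll
c:\archivos de programa\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\Ati2evxx.dll
c:\windows\System32\midimap.dll

- - - - - - - > 'lsass.exe'(976)
c:\windows\System32\dssenh.dll

- - - - - - - > 'explorer.exe'(3544)
c:\windows\System32\msi.dll
c:\windows\System32\midimap.dll
.
------------------------ Other Running Processes ------------------------
"""

# Assumptions: SYSTEM processes worth a close look, and where their modules
# normally live on this XP box (the log shows c:\windows as %WINDIR%).
SENSITIVE = {"winlogon.exe", "lsass.exe", "services.exe", "csrss.exe"}
WINDIR = "c:\\windows\\"

PROC_HDR = re.compile(r"^- - - - - - - > '([^']+)'\((\d+)\)")
SECTION_HDR = re.compile(r"^-{5,} (.+?) -{5,}$")
IMAGEPATH = re.compile(r'^"ImagePath"="(.*)"$', re.IGNORECASE)


def parse_loaded_dlls(text):
    """Return {process name: [module paths]} from the DLL section only."""
    loaded, current, in_section = {}, None, False
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_HDR.match(line)
        if m:
            in_section = m.group(1) == "DLLs Loaded Under Running Processes"
            current = None
            continue
        if not in_section or not line or line == ".":
            continue
        m = PROC_HDR.match(line)
        if m:
            current = m.group(1).lower()
            loaded.setdefault(current, [])
        elif current:
            loaded[current].append(line)
    return loaded


def parse_image_paths(text):
    """Collect every ImagePath value, with the \\??\\ NT prefix stripped."""
    paths = []
    for raw in text.splitlines():
        m = IMAGEPATH.match(raw.strip())
        if m:
            paths.append(m.group(1).replace("\\??\\", "", 1))
    return paths


def triage(text):
    """Return [(reason, item)] for modules and service images to verify."""
    findings = []
    for proc, mods in parse_loaded_dlls(text).items():
        if proc not in SENSITIVE:
            continue
        for mod in mods:
            if not mod.lower().startswith(WINDIR):
                findings.append(("module outside windir in %s" % proc, mod))
    for p in parse_image_paths(text):
        low = p.lower()
        if low.endswith(".tmp") or "\\temp\\" in low:
            findings.append(("service image is a temp file", p))
    return findings


if __name__ == "__main__":
    for reason, item in triage(SAMPLE_LOG):
        print("%-40s %s" % (reason, item))
```

Run on the excerpt it reports the SUPERAntiSpyware module in winlogon.exe (expected on this machine, since that product is installed) and the service whose image is `c:\windows\System32\328.tmp`, which is the line worth chasing: a legitimate service does not normally run from a `.tmp` file.
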
#65 nasdaq

nasdaq

    Forum Deity

  • Global Moderator
  • PipPipPipPipPip
  • 49,093 posts

Posted 03 January 2010 - 02:06 PM

It's not disabled. Otherwise I would see it in the header.

ComboFix 10-01-02.05 - pc 03/01/2010 19:30:41.11.1 - x86
Microsoft Windows XP Professional 5.1.2600.1.1252.34.3082.18.1023.689 [GMT 1:00]
Running from: c:\documents and settings\pc\Escritorio\ComboFix.exe


You will have to remove it completely.

Run ComboFix in normal mode and reinstall McAfee if you plan to use the computer on the Internet.
If you can use another computer to post your logs, that will save you from possibly removing it again if we need to continue using ComboFix.

One other option is to remove it completely with McAfee's removal tool.

http://service.mcafe...spx?id=TS100507


Before you do, download one of these free programs.

It is really dangerous to go online without an antivirus. Without one, you are extremely likely to get infected and the consequences could be even worse next time. All of the following are excellent free versions of commercial antiviruses. Be sure to only install one.
avast!
AntiVir
AVG


Then remove McAfee and install the free program.

Again, make sure the free program is disabled while running ComboFix.
nasdaq

Favorite tools: [ SpywareBlaster ] [ Spybot ] [ AdAware ] [ HijackThis ]
[ Housecall online virus scan ] [ Bitdefender online virus scan ]
[ AVG antivirus ] [ Sunbelt Personal Firewall ] [ ZoneAlarm firewall ]

My help is free, but if we have helped you in anyway,please considerDonating ,
see this topic for details.
We need members like you.

========
Shouldn't water be worth more than diamonds?
Adam Smith Glasgow, 1760

#66 queno

queno

    Member

  • Full Member
  • Pip
  • 39 posts

Posted 04 January 2010 - 05:27 AM

I have used msconfig to fully disable my Anti-Virus and now Combofix doesn't run.

#67 nasdaq

nasdaq

    Forum Deity

  • Global Moderator
  • PipPipPipPipPip
  • 49,093 posts

Posted 04 January 2010 - 08:47 AM

Delete your copy of ComboFix. Execute this.


Download ComboFix from any of the links below but rename it to queno.exe before saving it to your desktop. <- Important.

Link 1
Link 2
==================================

  • Disable your Anti-Virus and Anti-Spyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

    Double click on the renamed ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see a message asking whether to continue scanning for malware.

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply with a fresh HijackThis log.

Note: If you have difficulty properly disabling your protection programs, refer to this link --> http://www.bleepingc...opic114351.html

Do not mouse click ComboFix's window while it's running. That may cause it to stall.

#68 queno

queno

    Member

  • Full Member
  • Pip
  • 39 posts

Posted 04 January 2010 - 01:55 PM

It doesn't run.

Edited by queno, 04 January 2010 - 02:03 PM.


#69 nasdaq

nasdaq

    Forum Deity

  • Global Moderator
  • PipPipPipPipPip
  • 49,093 posts

Posted 04 January 2010 - 02:30 PM

You may have a file infector or some RootKit malware.

Let's run this tool.

We need to check for Rootkits with RootRepeal
  • Download RootRepeal from the following location and save it to your desktop.
  • Extract RootRepeal.exe from the archive (If you did not use the "Direct Download" mirror).
  • Open RootRepeal.exe on your desktop.
  • Click the Report tab.
  • Click the Scan button.
  • Check all seven boxes.
  • Push Ok
  • Check the box for your main system drive (Usually C:), and press Ok.
  • Allow RootRepeal to run a scan of your system. This may take some time.
  • Once the scan completes, push the Save Report button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.


#70 queno

queno

    Member

  • Full Member
  • Pip
  • 39 posts

Posted 04 January 2010 - 02:56 PM

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2010/01/04 20:47
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP1
==================================================

Drivers
-------------------
Name: giveio.sys
Image Path: giveio.sys
Address: 0xF7E37000 Size: 1664 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\System32\drivers\rootrepeal.sys
Address: 0xA8E9E000 Size: 49152 File Visible: No Signed: -
Status: -

Name: speedfan.sys
Image Path: speedfan.sys
Address: 0xF7D74000 Size: 5248 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: c:\documents and settings\pc\configuración local\datos de programa\google\googleearth\dbcache.dat
Status: Allocation size mismatch (API: 1274806272, Raw: 1274404864)

SSDT
-------------------
#: 053 Function Name: NtCreateThread
Status: Hooked by "<unknown>" at address 0x867de109

==EOF==

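The RootRepeal report above carries the three things a reviewer reads first: drivers present in kernel memory whose file could not be found on disk (giveio.sys and speedfan.sys, listed with a bare file name and "File Visible: No"), a file with an allocation size mismatch, and an SSDT entry (NtCreateThread) hooked by a module RootRepeal could not identify. The script below is an added example of how to parse the report and rank those findings; it is not RootRepeal code, and its three rules are review heuristics I am assuming, not the tool's own verdicts. Two caveats are built in: giveio.sys and speedfan.sys are SpeedFan's helper drivers, which load from a non-standard location and are a known benign cause of exactly this hit, so a bare-name driver is a "verify" item and never an automatic conviction; and an allocation size mismatch on a large cache file that is being written to (Google Earth's dbcache.dat here) is routine, so it is reported at low priority. The unknown-owner SSDT hook is the one genuinely rootkit-shaped line, which matches the moderator's suspicion in the next post.

```python
# -*- coding: utf-8 -*-
"""Parse a RootRepeal text report and rank its findings.
Added example; not RootRepeal code. Rules are assumptions for review."""
import re

# Excerpt of the report posted in this thread, used as sample input.
SAMPLE_REPORT = r"""ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time: 2010/01/04 20:47
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP1
==================================================

Drivers
-------------------
Name: giveio.sys
Image Path: giveio.sys
Address: 0xF7E37000 Size: 1664 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\System32\drivers\rootrepeal.sys
Address: 0xA8E9E000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: c:\documents and settings\pc\configuración local\datos de programa\google\googleearth\dbcache.dat
Status: Allocation size mismatch (API: 1274806272, Raw: 1274404864)

SSDT
-------------------
#: 053 Function Name: NtCreateThread
Status: Hooked by "<unknown>" at address 0x867de109

==EOF==
"""

SECTIONS = ("Drivers", "Hidden/Locked Files", "SSDT")
# RootRepeal packs several "Key: value" pairs on one line ("Address: ...
# Size: ... File Visible: ... Signed: ..."); a value runs until the next key.
KEY = re.compile(r"(?:^| )(#|Name|Image Path|Address|Size|File Visible|"
                 r"Signed|Status|Path|Function Name): ")


def parse_fields(line):
    """Split one report line into {key: value} for the known field names."""
    fields = {}
    matches = list(KEY.finditer(line))
    for i, m in enumerate(matches):
        end = matches[i + 1].start() if i + 1 < len(matches) else len(line)
        fields[m.group(1)] = line[m.end():end].strip()
    return fields


def parse_report(text):
    """Return {section: [entry dict, ...]}; entries are blank-line separated."""
    entries = {s: [] for s in SECTIONS}
    section, entry = None, {}

    def flush():
        if entry and section:
            entries[section].append(dict(entry))
        entry.clear()

    for raw in text.splitlines():
        line = raw.rstrip()
        if line in SECTIONS:
            flush()
            section = line
            continue
        if not line or line.startswith("---") or line.startswith("==="):
            flush()          # underline, separator, ==EOF== or blank line
            continue
        if section:
            entry.update(parse_fields(line))
    flush()
    return entries


def triage(text):
    """Return [(priority, reason, item)] in the order found."""
    report = parse_report(text)
    findings = []
    for d in report["Drivers"]:
        path = d.get("Image Path", "")
        # Bare file name + no file on disk: the module is only in memory.
        # RootRepeal's own driver carries a full path and is not flagged.
        if "\\" not in path and d.get("File Visible") == "No":
            findings.append(("high", "driver in memory with no file found on disk",
                             d.get("Name", path)))
    for h in report["SSDT"]:
        if "<unknown>" in h.get("Status", ""):
            findings.append(("high", "SSDT hook by unidentified module",
                             h.get("Function Name", "?")))
    for f in report["Hidden/Locked Files"]:
        if "Allocation size mismatch" in f.get("Status", ""):
            findings.append(("low", "allocation size mismatch (common on live cache files)",
                             f.get("Path", "?")))
    return findings


if __name__ == "__main__":
    for prio, reason, item in triage(SAMPLE_REPORT):
        print("[%s] %s: %s" % (prio, reason, item))
```

On a real report, the next step for each "high" item is to locate the module in memory (the Address field) and identify its owner, which is precisely what RootRepeal could not do for the NtCreateThread hook; a hook whose owner is "<unknown>" on a box that also fails to run ComboFix is strong support for the wipe-and-reinstall decision taken later in this thread.
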
#71 nasdaq

nasdaq

    Forum Deity

  • Global Moderator
  • PipPipPipPipPip
  • 49,093 posts

Posted 04 January 2010 - 04:28 PM

You must remove McAfee's program.

Then run the ComboFix program. If you are able to get it to run and get a log, please post it.

Reinstall McAfee before you reply.

#72 queno

queno

    Member

  • Full Member
  • Pip
  • 39 posts

Posted 04 January 2010 - 05:26 PM

I'm not sure my computer is going to be clean even if I can run ComboFix so I'm going to format my hard drive and install Windows XP SP3.

What important files should I back up before formatting my PC? Should I avoid any files? Is it safe?

Thanks for your time and your patience.

#73 nasdaq

nasdaq

    Forum Deity

  • Global Moderator
  • PipPipPipPipPip
  • 49,093 posts

Posted 05 January 2010 - 08:43 AM

To be really safe, these file types should not be backed up:
.exe/.scr/.htm/.html/.xml/.zip/.rar files.
If you do, and they are infected, you will infect your new installation.

#74 queno

queno

    Member

  • Full Member
  • Pip
  • 39 posts

Posted 05 January 2010 - 02:56 PM

The only .zip/.rar files I would like to backup are music files and documents (.pdf/.doc).

Edited by queno, 05 January 2010 - 02:57 PM.


#75 nasdaq

nasdaq

    Forum Deity

  • Global Moderator
  • PipPipPipPipPip
  • 49,093 posts

Posted 05 January 2010 - 04:36 PM

Place them on a CD and scan the files for viruses.

#76 queno

queno

    Member

  • Full Member
  • Pip
  • 39 posts

Posted 05 January 2010 - 04:45 PM

I have scanned it with McAfee and Malwarebytes and there isn't any file infected.

#77 nasdaq

nasdaq

    Forum Deity

  • Global Moderator
  • PipPipPipPipPip
  • 49,093 posts

Posted 19 January 2010 - 09:55 AM

Glad we could help. :)

If you need this topic reopened, please tell the moderating team by replying here with the address of the thread. This applies only to the original topic starter. Everyone else please begin a New Topic.