Infected With A Virus Named Autorun.inf

Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Forum Guidelines

Read the following topic before creating a new topic in this forum. It contains instructions on the what we would like you to post, which will enable us to help you more quickly.

Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help

Posted Image

Unfortunately, with the amount of logs we receive per day, the average response time is 5 days. I want to assure you, though, that your topic will be looked at and responded to. So please be patient.

Posted Image

DO NOT RUN ComboFix unless requested to.

Posted Image

Only members of the Malware Response Team or Moderators are allowed to help people with logs. Anyone else should refrain from posting to another user's log.

Posted Image

When posting a log please put the type of infection you have in the topic title. IE: Winfixer, Virtumonde, WinTools, WebSearch, Home Search Assistant, etc.

Posted Image

Do not bump your topic. We try to resolve logs on a first come/first served basis. By bumping your log you will be pushed back in line due to the new date of your bump.

Page 1 of 1

You cannot start a new topic
This topic is locked

Infected With A Virus Named Autorun.inf AVG nor superantispyware cant rmove it

#1 FolkenMx

New Member

Group: Members
Posts: 9
Joined: 11-July 08

Posted 11 July 2008 - 08:40 PM

Hi! Folks I new here , I hope you can help me. I caught a massiv infection and AVG seems to heal a file named Autorun.inf, but everytime i run anoter scan is still there. That thing doent alllow me to see hidden files and search on any net search engines... I need help

THANKS FOR THE HELP

here is the log file:

Deckard's System Scanner v20071014.68
Run by User on 2008-07-11 16:45:16
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.

-- Last 5 Restore Point(s) --
22: 2008-07-11 23:45:25 UTC - RP558 - Deckard's System Scanner Restore Point
21: 2008-07-11 01:38:03 UTC - RP557 - Installed SUPERAntiSpyware Free Edition
20: 2008-07-11 00:57:42 UTC - RP556 - Operación de restauración
19: 2008-07-11 00:09:38 UTC - RP555 - Operación de restauración
18: 2008-07-10 03:22:02 UTC - RP554 - Operación de restauración

-- First Restore Point --
1: 2008-06-27 09:57:11 UTC - RP537 - Punto de control del sistema

Backed up registry hives.
Performed disk cleanup.

System Drive C: has 1.25 GiB (less than 15%) free.

-- HijackThis Clone ------------------------------------------------------------

Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-07-11 16:48:34
Platform: Windows XP Service Pack 1 (5.01.2600)
MSIE: Internet Explorer (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Archivos de programa\Grisoft\AVG Free\avgamsvr.exe
C:\Archivos de programa\Grisoft\AVG Free\avgupsvc.exe
C:\Archivos de programa\Grisoft\AVG Free\avgemc.exe
C:\Archivos de programa\Archivos comunes\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\WgaTray.exe
C:\Archivos de programa\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\ltmsg.exe
C:\Archivos de programa\SlySoft\AnyDVD\AnyDVD.exe
C:\Archivos de programa\Grisoft\AVG Free\avgcc.exe
C:\Archivos de programa\Java\jre1.6.0_05\bin\jusched.exe
C:\Archivos de programa\Archivos comunes\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Archivos de programa\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Archivos de programa\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Archivos de programa\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Documents and Settings\User\Escritorio\dss.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.google.com/keyword/%s
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\userinit.exe
O2 - BHO: {b633518b-94a1-9ed8-b1f4-db3167ed7a71} - {17a7de76-13bd-4f1b-8de9-1a49b815336b} - C:\WINDOWS\system32\liquuk.dll
O2 - BHO: DgnWebIE - {2843DAC1-05EF-11D2-95BA-0060083493D6} - C:\Archivos de programa\Dragon Systems\NaturallySpeaking\Program\web_ie.dll
O2 - BHO: (no name) - {2A27A3FE-E989-4E73-86A4-0941E7710C38} - C:\WINDOWS\System32\qoMcdDVM.dll (file missing)
O2 - BHO: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\Archivos de programa\MegauploadToolbar\megauploadtoolbar.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Archivos de programa\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Archivos de programa\Archivos comunes\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {A4F94C0C-54A7-4DB1-9AF3-B22E63D00403} - (no file)
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\Archivos de programa\MegauploadToolbar\megauploadtoolbar.dll
O3 - Toolbar: Winamp Toolbar - {EBF2BA02-9094-4c5a-858B-BB198F3D8DE2} - C:\Archivos de programa\Winamp Toolbar\winamptb.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Archivos de programa\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [AnyDVD] C:\Archivos de programa\SlySoft\AnyDVD\AnyDVD.exe
O4 - HKLM\..\Run: [OM_Monitor] C:\Archivos de programa\OLYMPUS\OLYMPUS Master\FirstStart.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\ARCHIV~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Archivos de programa\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Archivos de programa\Archivos comunes\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [StartCCC] "C:\Archivos de programa\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [dcaaa0e0] rundll32.exe "C:\WINDOWS\System32\iuofujwe.dll",b
O4 - HKLM\..\Run: [BMdf99937c] Rundll32.exe "C:\WINDOWS\System32\rtykywer.dll",s
O4 - HKCU\..\Run: [OM_Monitor] C:\Archivos de programa\OLYMPUS\OLYMPUS Master\Monitor.exe -NoStart
O4 - HKCU\..\Run: [kamsoft] C:\WINDOWS\System32\ckvo.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Archivos de programa\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\ARCHIV~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\ARCHIV~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [clc] C:\WINDOWS\system32\clc.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\ARCHIV~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [clc] C:\WINDOWS\system32\clc.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\ARCHIV~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: Product Registration.lnk = D:\ATR1.EXE
O4 - Startup: Registration Brothers In Arms.LNK = E:\Support\Register\RegistrationReminder.exe
O4 - Global Startup: Inicio rápido de Adobe Reader.lnk = C:\Archivos de programa\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Búsqueda en Google - res://C:\Archivos de programa\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Traducir palabra inglesa - res://C:\Archivos de programa\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: &Winamp Toolbar Search - C:\Documents and Settings\All Users\Datos de programa\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html
O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\ARCHIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Instantánea de caché de la página - res://C:\Archivos de programa\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Páginas similares - res://C:\Archivos de programa\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Páginas vinculadas - res://C:\Archivos de programa\Google\GoogleToolbar1.dll/cmbacklinks.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Consola de Sun Java - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Referencia - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (file missing)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} () -
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {3334504D-9980-0010-8000-00AA00389B71} () - http://download.microsoft.com/download/0/C...C4D/mp43dmo.CAB
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} () - http://download.microsoft.com/download/F/6...922/wmv9VCM.CAB
O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - https://www.e-games.com.my/com/EGamesPlugin.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\Archivos de programa\MSN Messenger\msgrapp.8.1.0178.00.dll
O18 - Protocol: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Archivos de programa\Archivos comunes\Microsoft Shared\Information Retrieval\MSITSS.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\Archivos de programa\MSN Messenger\msgrapp.8.1.0178.00.dll
O18 - Protocol: mso-offdap - {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Archivos de programa\Archivos comunes\Microsoft Shared\Web Components\10\OWC10.DLL
O18 - Protocol: mso-offdap11 - {32505114-5902-49B2-880A-1F7738E5A384} - C:\Archivos de programa\Archivos comunes\Microsoft Shared\Web Components\11\OWC11.DLL
O18 - Filter: text/xml - {807553E5-5146-11D5-A672-00B0D022E945} - C:\Archivos de programa\Archivos comunes\Microsoft Shared\OFFICE11\MSOXMLMF.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Archivos de programa\SUPERAntiSpyware\SASWINLO.dll
O22 - SharedTaskScheduler: z - {A4F94C0C-54A7-4DB1-9AF3-B22E63D00403} - (no file)
O22 - SharedTaskScheduler: z - {A4F94C0C-54A7-4DB1-9AF3-B22E63D00404} - (no file)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\Archivos de programa\Grisoft\AVG Free\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\Archivos de programa\Grisoft\AVG Free\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\Archivos de programa\Grisoft\AVG Free\avgemc.exe

--
End of file - 10246 bytes

-- File Associations -----------------------------------------------------------

All associations okay.

-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 cdrbsdrv - c:\windows\system32\drivers\cdrbsdrv.sys <Not Verified; B.H.A Corporation; B's Recorder GOLD7>
R2 ElbyCDIO (ElbyCDIO Driver) - c:\windows\system32\drivers\elbycdio.sys <Not Verified; Elaborate Bytes AG; CDRTools>
R3 AnyDVD - c:\windows\system32\drivers\anydvd.sys <Not Verified; SlySoft, Inc.; AnyDVD>

S3 AvFlt (Antivirus Filter Driver) - c:\windows\system32\drivers\av5flt.sys (file missing)
S3 GMSIPCI - d:\install\gmsipci.sys (file missing)
S3 npkcrypt - c:\archivos de programa\atlantisro2\npkcrypt.sys (file missing)
S3 REMOVE - c:\windows\system32\drivers\remove.sys (file missing)

-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

All services whitelisted.

-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.

-- Scheduled Tasks -------------------------------------------------------------

2008-07-04 17:15:00 402 --a------ C:\WINDOWS\Tasks\1-Click Maintenance.job

-- Files created between 2008-06-11 and 2008-07-11 -----------------------------

2008-07-11 11:33:05 116498 -r-hs---- C:\ffojc.com
2008-07-10 18:38:09 0 d-------- C:\Archivos de programa\SUPERAntiSpyware
2008-07-10 18:37:37 0 d-------- C:\Archivos de programa\Archivos comunes\Wise Installation Wizard
2008-07-10 17:41:27 117255 -r-hs---- C:\0gjn3yw.exe
2008-07-10 03:22:01 101376 --a------ C:\WINDOWS\System32\liquuk.dll
2008-07-10 03:21:59 101376 --a------ C:\WINDOWS\System32\dbelfybv.dll
2008-07-10 03:18:59 80896 --a------ C:\WINDOWS\System32\iuofujwe.dll
2008-07-10 03:16:01 92672 --a------ C:\WINDOWS\System32\rtykywer.dll
2008-07-09 14:29:13 0 d-------- C:\Archivos de programa\Uniblue
2008-07-09 11:13:49 77312 -r-hs---- C:\WINDOWS\System32\ckvo2.dll
2008-07-09 01:16:02 101888 --a------ C:\WINDOWS\System32\tatugg.dll
2008-07-09 01:16:00 101888 --a------ C:\WINDOWS\System32\hxvwbhfl.dll
2008-07-09 01:10:41 92160 --a------ C:\WINDOWS\System32\rjyeynid.dll
2008-07-09 01:09:59 387674 --ahs---- C:\WINDOWS\System32\yFMSCMoq.ini2
2008-07-08 22:32:24 77312 -r-hs---- C:\WINDOWS\System32\ckvo1.dll
2008-07-08 22:32:10 117526 -r-hs---- C:\hgu.bat
2008-07-08 22:31:44 77312 -r-hs---- C:\WINDOWS\System32\ckvo0.dll
2008-07-08 22:31:44 116498 -r-hs---- C:\WINDOWS\System32\ckvo.exe
2008-07-08 22:01:19 77312 -r-hs---- C:\WINDOWS\System32\amvo1.dll
2008-07-08 21:59:33 116657 -r-hs---- C:\00hoeav.com
2008-07-06 01:47:19 0 d-------- C:\Archivos de programa\Red Kawa
2008-07-02 22:10:12 104448 --a------ C:\WINDOWS\System32\kdsmng.dll
2008-07-02 22:10:10 104448 --a------ C:\WINDOWS\System32\sigqdker.dll
2008-06-27 22:35:09 104960 --a------ C:\WINDOWS\System32\twvggv.dll
2008-06-27 22:35:08 104960 --a------ C:\WINDOWS\System32\nfvqcxbl.dll
2008-06-27 22:33:31 94208 --a------ C:\WINDOWS\System32\redqwrql.dll
2008-06-27 02:56:59 455058 --ahs---- C:\WINDOWS\System32\MVDdcMoq.ini2
2008-06-25 00:30:36 0 d-------- C:\Archivos de programa\ScummVM
2008-06-11 18:44:24 38704 --a------ C:\WINDOWS\scunin.dat
2008-06-11 18:44:23 967 --a------ C:\WINDOWS\ScUnin.pif
2008-06-11 18:44:23 94208 --a------ C:\WINDOWS\ScUnin.exe <Not Verified; Blizzard Entertainment; Starcraft Uninstaller>
2008-06-11 18:43:24 0 d-------- C:\Archivos de programa\Starcraft

-- Find3M Report ---------------------------------------------------------------

2008-07-11 11:33:13 0 d-------- C:\Documents and Settings\User\Datos de programa\AVG7
2008-07-10 18:38:09 0 d-------- C:\Documents and Settings\User\Datos de programa\SUPERAntiSpyware.com
2008-07-10 11:51:41 0 d-------- C:\Documents and Settings\User\Datos de programa\MegauploadToolbar
2008-07-09 14:29:27 0 d-------- C:\Documents and Settings\User\Datos de programa\Uniblue
2008-06-25 00:30:42 0 d-------- C:\Documents and Settings\User\Datos de programa\ScummVM
2008-06-24 23:25:27 0 d-------- C:\Archivos de programa\Archivos comunes\Adobe
2008-06-24 23:22:42 0 d-------- C:\Documents and Settings\User\Datos de programa\AdobeUM
2008-06-09 02:39:50 0 d-------- C:\Archivos de programa\DivX
2008-05-30 16:22:48 802816 --a------ C:\WINDOWS\System32\divx_xx11.dll <Not Verified; DivX, Inc.; DivX?>
2008-05-30 16:22:48 823296 --a------ C:\WINDOWS\System32\divx_xx0c.dll <Not Verified; DivX, Inc.; DivX®>
2008-05-30 16:22:48 823296 --a------ C:\WINDOWS\System32\divx_xx07.dll <Not Verified; DivX, Inc.; DivX®>
2008-05-30 16:22:46 815104 --a------ C:\WINDOWS\System32\divx_xx0a.dll <Not Verified; DivX, Inc.; DivX®>
2008-05-30 16:22:46 683520 --a------ C:\WINDOWS\System32\DivX.dll <Not Verified; DivX, Inc.; DivX®>
2008-05-22 15:22:18 3596288 --a------ C:\WINDOWS\System32\qt-dx331.dll
2008-05-22 15:19:46 196608 --a------ C:\WINDOWS\System32\dtu100.dll <Not Verified; DivX, Inc.; DivX, Inc. dtu100>
2008-05-22 15:19:46 81920 --a------ C:\WINDOWS\System32\dpl100.dll <Not Verified; DivX, Inc.; DivX, Inc. dpl100>
2008-05-22 15:18:54 12288 --a------ C:\WINDOWS\System32\DivXWMPExtType.dll
2008-05-21 21:46:01 120 --a------ C:\drmHeader.bin
2008-05-18 21:19:25 52736 --a------ C:\WINDOWS\ipuninst.exe <Not Verified; Interplay Productions; Interplay Uninstaller for Windows 95>
2008-05-18 18:06:49 0 d-------- C:\Documents and Settings\User\Datos de programa\BitTorrent

-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{17a7de76-13bd-4f1b-8de9-1a49b815336b}]
10/07/2008 03:22 a.m. 101376 --a------ C:\WINDOWS\System32\liquuk.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2A27A3FE-E989-4E73-86A4-0941E7710C38}]
C:\WINDOWS\System32\qoMcdDVM.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A4F94C0C-54A7-4DB1-9AF3-B22E63D00403}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{EBF2BA02-9094-4C5A-858B-BB198F3D8DE2}"= C:\Archivos de programa\Winamp Toolbar\winamptb.dll [04/10/2007 01:06 p.m. 1135968]

[-HKEY_CLASSES_ROOT\CLSID\{EBF2BA02-9094-4C5A-858B-BB198F3D8DE2}]
[HKEY_CLASSES_ROOT\WINAMPTB.AOLToolBand.1]
[HKEY_CLASSES_ROOT\TypeLib\{538CD77C-BFDD-49b0-9562-77419CAB89D1}]
[HKEY_CLASSES_ROOT\WINAMPTB.AOLToolBand]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [09/07/2001 11:50 a.m.]
"RemoteControl"="C:\Archivos de programa\CyberLink\PowerDVD\PDVDServ.exe" [02/11/2004 08:24 p.m.]
"LTMSG"="LTMSG.exe" [14/07/2003 10:52 a.m. C:\WINDOWS\ltmsg.exe]
"AnyDVD"="C:\Archivos de programa\SlySoft\AnyDVD\AnyDVD.exe" [17/04/2005 06:21 p.m.]
"OM_Monitor"="C:\Archivos de programa\OLYMPUS\OLYMPUS Master\FirstStart.exe" [19/07/2005 12:06 p.m.]
"AVG7_CC"="C:\ARCHIV~1\Grisoft\AVGFRE~1\avgcc.exe" [27/06/2008 09:55 a.m.]
"SunJavaUpdateSched"="C:\Archivos de programa\Java\jre1.6.0_05\bin\jusched.exe" [22/02/2008 05:25 a.m.]
"TkBellExe"="C:\Archivos de programa\Archivos comunes\Real\Update_OB\realsched.exe" [27/05/2007 02:29 p.m.]
"StartCCC"="C:\Archivos de programa\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [10/11/2006 01:35 p.m.]
"dcaaa0e0"="C:\WINDOWS\System32\iuofujwe.dll" [10/07/2008 03:19 a.m.]
"BMdf99937c"="C:\WINDOWS\System32\rtykywer.dll" [10/07/2008 03:16 a.m.]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OM_Monitor"="C:\Archivos de programa\OLYMPUS\OLYMPUS Master\Monitor.exe" [19/07/2005 12:14 p.m.]
"kamsoft"="C:\WINDOWS\System32\ckvo.exe" [11/07/2008 11:32 a.m.]
"SUPERAntiSpyware"="C:\Archivos de programa\SUPERAntiSpyware\SUPERAntiSpyware.exe" [28/05/2008 10:33 a.m.]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"clc"=C:\WINDOWS\system32\clc.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Archivos de programa\SUPERAntiSpyware\SASSEH.DLL [13/05/2008 10:13 a.m. 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Archivos de programa\SUPERAntiSpyware\SASWINLO.dll 19/04/2007 01:41 p.m. 294912 C:\Archivos de programa\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\System32\qoMCSMFy

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{fe5d2cae-ffdc-11db-a5a7-00e0183aca85}]
AutoRun\command- F:\ffojc.com
explore\Command- F:\ffojc.com
open\Command- F:\ffojc.com

-- End of Deckard's System Scanner: finished at 2008-07-11 16:49:36 ------------

#2 Buckeye_Sam

Malware Expert

Group: Malware Response Team
Posts: 17,382
Joined: 23-December 04
Gender:Male
Location:Pickerington, Ohio

Posted 12 July 2008 - 10:40 AM

Hi and welcome to Bleeping Computer! My name is Sam and I will be helping you. :thumbsup:

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2

Make sure you are connected to the Internet.
Double-click on Download_mbam-setup.exe to install the application.
When the installation begins, follow the prompts and do not make any changes to default settings.
When installation has finished, make sure you leave both of these checked:
- Update Malwarebytes' Anti-Malware
- Launch Malwarebytes' Anti-Malware
Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
- Make sure the "Perform Quick Scan" option is selected.
- Then click on the Scan button.
If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
Make sure that everything is checked, and click Remove Selected.
When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
Copy and paste the contents of that report in your next reply and exit MBAM.

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

Also post a new log from DSS.

If I have helped you in any way, please consider a donation to help me continue the fight against malware.

Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!

========================================================

#3 FolkenMx

New Member

Group: Members
Posts: 9
Joined: 11-July 08

Posted 15 July 2008 - 09:28 PM

Thank you very much Sam, i really apreciate this, i got my internet cutted, and today was replugged, so dont close the tread please, i will send the report after the scan Thank you again

#4 FolkenMx

New Member

Group: Members
Posts: 9
Joined: 11-July 08

Posted 16 July 2008 - 12:26 AM

OK Sam here are the logs:

Deckard's System Scanner v20071014.68
Run by User on 2008-07-15 22:20:37
Computer is in Normal Mode.
--------------------------------------------------------------------------------

System Drive C: has 2.35 GiB (less than 15%) free.

-- HijackThis Clone ------------------------------------------------------------

Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-07-15 22:20:59
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Archivos de programa\Archivos comunes\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\Archivos de programa\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\ltmsg.exe
C:\Archivos de programa\SlySoft\AnyDVD\AnyDVD.exe
C:\Archivos de programa\Java\jre1.6.0_05\bin\jusched.exe
C:\Archivos de programa\Archivos comunes\Real\Update_OB\realsched.exe
C:\Archivos de programa\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Archivos de programa\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Archivos de programa\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Archivos de programa\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Documents and Settings\User\Escritorio\dss.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.google.com/keyword/%s
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\userinit.exe
O2 - BHO: {b633518b-94a1-9ed8-b1f4-db3167ed7a71} - {17a7de76-13bd-4f1b-8de9-1a49b815336b} - C:\WINDOWS\System32\liquuk.dll (file missing)
O2 - BHO: DgnWebIE - {2843DAC1-05EF-11D2-95BA-0060083493D6} - C:\Archivos de programa\Dragon Systems\NaturallySpeaking\Program\web_ie.dll
O2 - BHO: (no name) - {2A27A3FE-E989-4E73-86A4-0941E7710C38} - C:\WINDOWS\System32\qoMcdDVM.dll (file missing)
O2 - BHO: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\Archivos de programa\MegauploadToolbar\megauploadtoolbar.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Archivos de programa\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Archivos de programa\Archivos comunes\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {A4F94C0C-54A7-4DB1-9AF3-B22E63D00403} - (no file)
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\Archivos de programa\MegauploadToolbar\megauploadtoolbar.dll
O3 - Toolbar: Winamp Toolbar - {EBF2BA02-9094-4c5a-858B-BB198F3D8DE2} - C:\Archivos de programa\Winamp Toolbar\winamptb.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Archivos de programa\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [AnyDVD] C:\Archivos de programa\SlySoft\AnyDVD\AnyDVD.exe
O4 - HKLM\..\Run: [OM_Monitor] C:\Archivos de programa\OLYMPUS\OLYMPUS Master\FirstStart.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\ARCHIV~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Archivos de programa\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Archivos de programa\Archivos comunes\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [StartCCC] "C:\Archivos de programa\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKCU\..\Run: [OM_Monitor] C:\Archivos de programa\OLYMPUS\OLYMPUS Master\Monitor.exe -NoStart
O4 - HKCU\..\Run: [kamsoft] C:\WINDOWS\System32\ckvo.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Archivos de programa\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\ARCHIV~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\ARCHIV~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [clc] C:\WINDOWS\system32\clc.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\ARCHIV~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [clc] C:\WINDOWS\system32\clc.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\ARCHIV~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: Product Registration.lnk = D:\ATR1.EXE
O4 - Startup: Registration Brothers In Arms.LNK = E:\Support\Register\RegistrationReminder.exe
O4 - Global Startup: Inicio rápido de Adobe Reader.lnk = C:\Archivos de programa\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Búsqueda en Google - res://C:\Archivos de programa\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Traducir palabra inglesa - res://C:\Archivos de programa\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: &Winamp Toolbar Search - C:\Documents and Settings\All Users\Datos de programa\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html
O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\ARCHIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Instantánea de caché de la página - res://C:\Archivos de programa\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Páginas similares - res://C:\Archivos de programa\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Páginas vinculadas - res://C:\Archivos de programa\Google\GoogleToolbar1.dll/cmbacklinks.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Consola de Sun Java - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Referencia - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\messenger\msmsgs.exe
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} () -
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {3334504D-9980-0010-8000-00AA00389B71} () - http://download.microsoft.com/download/0/C...C4D/mp43dmo.CAB
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} () - http://download.microsoft.com/download/F/6...922/wmv9VCM.CAB
O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - https://www.e-games.com.my/com/EGamesPlugin.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\Archivos de programa\MSN Messenger\msgrapp.8.1.0178.00.dll
O18 - Protocol: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Archivos de programa\Archivos comunes\Microsoft Shared\Information Retrieval\MSITSS.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\Archivos de programa\MSN Messenger\msgrapp.8.1.0178.00.dll
O18 - Protocol: mso-offdap - {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Archivos de programa\Archivos comunes\Microsoft Shared\Web Components\10\OWC10.DLL
O18 - Protocol: mso-offdap11 - {32505114-5902-49B2-880A-1F7738E5A384} - C:\Archivos de programa\Archivos comunes\Microsoft Shared\Web Components\11\OWC11.DLL
O18 - Filter: text/xml - {807553E5-5146-11D5-A672-00B0D022E945} - C:\Archivos de programa\Archivos comunes\Microsoft Shared\OFFICE11\MSOXMLMF.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Archivos de programa\SUPERAntiSpyware\SASWINLO.dll
O22 - SharedTaskScheduler: z - {A4F94C0C-54A7-4DB1-9AF3-B22E63D00403} - (no file)
O22 - SharedTaskScheduler: z - {A4F94C0C-54A7-4DB1-9AF3-B22E63D00404} - (no file)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - Unknown owner - C:\ARCHIV~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - Unknown owner - C:\ARCHIV~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - Unknown owner - C:\ARCHIV~1\Grisoft\AVGFRE~1\avgemc.exe

--
End of file - 10137 bytes

-- Files created between 2008-06-15 and 2008-07-15 -----------------------------

2008-07-15 21:27:52 0 d-------- C:\Archivos de programa\Malwarebytes' Anti-Malware
2008-07-12 01:27:54 0 d-------- C:\Archivos de programa\MSXML 4.0
2008-07-12 00:52:40 96966 --a------ C:\WINDOWS\system32\drivers\klin.dat
2008-07-12 00:52:40 88774 --a------ C:\WINDOWS\system32\drivers\klick.dat
2008-07-12 00:51:08 262176 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2008-07-12 00:51:08 1702432 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-07-12 00:51:07 0 d-------- C:\Archivos de programa\Kaspersky Lab
2008-07-12 00:35:14 0 d-------- C:\WINDOWS\Prefetch
2008-07-11 20:56:06 7561216 --a------ C:\Documents and Settings\User\ntuser.dat
2008-07-11 19:43:55 0 d-------- C:\Archivos de programa\messenger
2008-07-11 19:43:19 0 d-------- C:\WINDOWS\peernet
2008-07-11 19:43:16 0 d-------- C:\WINDOWS\provisioning
2008-07-11 19:38:38 0 d-------- C:\WINDOWS\ServicePackFiles
2008-07-11 19:28:03 0 d-------- C:\WINDOWS\EHome
2008-07-10 18:38:09 0 d-------- C:\Archivos de programa\SUPERAntiSpyware
2008-07-10 18:37:37 0 d-------- C:\Archivos de programa\Archivos comunes\Wise Installation Wizard
2008-07-09 14:29:13 0 d-------- C:\Archivos de programa\Uniblue
2008-07-09 01:09:59 387674 --ahs---- C:\WINDOWS\system32\yFMSCMoq.ini2
2008-07-08 22:32:24 77312 -r-hs---- C:\WINDOWS\system32\ckvo1.dll
2008-07-08 22:31:44 77312 -r-hs---- C:\WINDOWS\system32\ckvo0.dll
2008-07-06 01:47:19 0 d-------- C:\Archivos de programa\Red Kawa
2008-06-27 02:56:59 455058 --ahs---- C:\WINDOWS\system32\MVDdcMoq.ini2
2008-06-25 00:30:36 0 d-------- C:\Archivos de programa\ScummVM

-- Find3M Report ---------------------------------------------------------------

2008-07-15 21:27:58 0 d-------- C:\Documents and Settings\User\Datos de programa\Malwarebytes
2008-07-15 21:03:29 0 d-------- C:\Archivos de programa\MSN Messenger
2008-07-12 12:28:23 453360 --a----c- C:\WINDOWS\system32\perfh00A.dat
2008-07-12 12:28:23 76482 --a----c- C:\WINDOWS\system32\perfc00A.dat
2008-07-12 03:59:08 0 d-------- C:\Archivos de programa\Movie Maker
2008-07-12 00:47:33 0 d-------- C:\Documents and Settings\User\Datos de programa\AVG7
2008-07-11 19:37:55 0 d-------- C:\Archivos de programa\Windows NT
2008-07-11 17:34:10 0 d-------- C:\Documents and Settings\User\Datos de programa\MegauploadToolbar
2008-07-10 18:38:09 0 d-------- C:\Documents and Settings\User\Datos de programa\SUPERAntiSpyware.com
2008-07-09 14:29:27 0 d-------- C:\Documents and Settings\User\Datos de programa\Uniblue
2008-06-27 03:18:04 38704 --a------ C:\WINDOWS\scunin.dat
2008-06-27 03:18:04 0 d-------- C:\Archivos de programa\Starcraft
2008-06-27 03:18:02 967 --a------ C:\WINDOWS\ScUnin.pif
2008-06-27 03:18:02 94208 --a------ C:\WINDOWS\ScUnin.exe <Not Verified; Blizzard Entertainment; Starcraft Uninstaller>
2008-06-25 00:30:42 0 d-------- C:\Documents and Settings\User\Datos de programa\ScummVM
2008-06-24 23:25:27 0 d-------- C:\Archivos de programa\Archivos comunes\Adobe
2008-06-24 23:22:42 0 d-------- C:\Documents and Settings\User\Datos de programa\AdobeUM
2008-06-09 02:39:50 0 d-------- C:\Archivos de programa\DivX
2008-05-30 16:22:48 802816 --a------ C:\WINDOWS\system32\divx_xx11.dll <Not Verified; DivX, Inc.; DivX?>
2008-05-30 16:22:48 823296 --a------ C:\WINDOWS\system32\divx_xx0c.dll <Not Verified; DivX, Inc.; DivX®>
2008-05-30 16:22:48 823296 --a------ C:\WINDOWS\system32\divx_xx07.dll <Not Verified; DivX, Inc.; DivX®>
2008-05-30 16:22:46 815104 --a------ C:\WINDOWS\system32\divx_xx0a.dll <Not Verified; DivX, Inc.; DivX®>
2008-05-30 16:22:46 683520 --a------ C:\WINDOWS\system32\DivX.dll <Not Verified; DivX, Inc.; DivX®>
2008-05-22 15:22:18 3596288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2008-05-22 15:19:46 196608 --a------ C:\WINDOWS\system32\dtu100.dll <Not Verified; DivX, Inc.; DivX, Inc. dtu100>
2008-05-22 15:19:46 81920 --a------ C:\WINDOWS\system32\dpl100.dll <Not Verified; DivX, Inc.; DivX, Inc. dpl100>
2008-05-22 15:18:54 12288 --a------ C:\WINDOWS\system32\DivXWMPExtType.dll
2008-05-21 21:46:01 120 --a------ C:\drmHeader.bin
2008-05-18 21:19:25 52736 --a------ C:\WINDOWS\ipuninst.exe <Not Verified; Interplay Productions; Interplay Uninstaller for Windows 95>
2008-05-18 18:06:49 0 d-------- C:\Documents and Settings\User\Datos de programa\BitTorrent

-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{17a7de76-13bd-4f1b-8de9-1a49b815336b}]
C:\WINDOWS\System32\liquuk.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2A27A3FE-E989-4E73-86A4-0941E7710C38}]
C:\WINDOWS\System32\qoMcdDVM.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A4F94C0C-54A7-4DB1-9AF3-B22E63D00403}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{EBF2BA02-9094-4C5A-858B-BB198F3D8DE2}"= C:\Archivos de programa\Winamp Toolbar\winamptb.dll [04/10/2007 01:06 p.m. 1135968]

[-HKEY_CLASSES_ROOT\CLSID\{EBF2BA02-9094-4C5A-858B-BB198F3D8DE2}]
[HKEY_CLASSES_ROOT\WINAMPTB.AOLToolBand.1]
[HKEY_CLASSES_ROOT\TypeLib\{538CD77C-BFDD-49b0-9562-77419CAB89D1}]
[HKEY_CLASSES_ROOT\WINAMPTB.AOLToolBand]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [09/07/2001 11:50 a.m.]
"RemoteControl"="C:\Archivos de programa\CyberLink\PowerDVD\PDVDServ.exe" [02/11/2004 08:24 p.m.]
"LTMSG"="LTMSG.exe" [14/07/2003 10:52 a.m. C:\WINDOWS\ltmsg.exe]
"AnyDVD"="C:\Archivos de programa\SlySoft\AnyDVD\AnyDVD.exe" [17/04/2005 06:21 p.m.]
"OM_Monitor"="C:\Archivos de programa\OLYMPUS\OLYMPUS Master\FirstStart.exe" [19/07/2005 12:06 p.m.]
"AVG7_CC"="C:\ARCHIV~1\Grisoft\AVGFRE~1\avgcc.exe" []
"SunJavaUpdateSched"="C:\Archivos de programa\Java\jre1.6.0_05\bin\jusched.exe" [22/02/2008 05:25 a.m.]
"TkBellExe"="C:\Archivos de programa\Archivos comunes\Real\Update_OB\realsched.exe" [27/05/2007 02:29 p.m.]
"StartCCC"="C:\Archivos de programa\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [10/11/2006 01:35 p.m.]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OM_Monitor"="C:\Archivos de programa\OLYMPUS\OLYMPUS Master\Monitor.exe" [19/07/2005 12:14 p.m.]
"kamsoft"="C:\WINDOWS\System32\ckvo.exe" []
"SUPERAntiSpyware"="C:\Archivos de programa\SUPERAntiSpyware\SUPERAntiSpyware.exe" [28/05/2008 10:33 a.m.]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"clc"=C:\WINDOWS\system32\clc.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Archivos de programa\SUPERAntiSpyware\SASSEH.DLL [13/05/2008 10:13 a.m. 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Archivos de programa\SUPERAntiSpyware\SASWINLO.dll 19/04/2007 01:41 p.m. 294912 C:\Archivos de programa\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\System32\qoMCSMFy

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

-- End of Deckard's System Scanner: finished at 2008-07-15 22:22:55 ------------

AND HERE IS THE MALWARE LOG:

Malwarebytes' Anti-Malware 1.20
Versión de la Base de Datos: 957
Windows 5.1.2600 Service Pack 2

09:57:59 p.m. 15/07/2008
mbam-log-7-15-2008 (21-57-59).txt

Tipo de examen : Examen Rápido
Objetos examinados: 38334
Tiempo transcurrido: 7 minute(s), 19 second(s)

Procesos en Memoria Infectados: 0
Módulos en Memoria Infectados: 0
Claves del Registro Infectadas: 2
Valores del Registro Infectados: 2
Elementos de Datos del Registro Infectados: 1
Carpetas Infectadas: 0
Ficheros Infectados: 5

Procesos en Memoria Infectados:
(No se han detectado elementos maliciosos)

Módulos en Memoria Infectados:
(No se han detectado elementos maliciosos)

Claves del Registro Infectadas:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.

Valores del Registro Infectados:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dcaaa0e0 (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bmdf99937c (Trojan.Agent) -> Quarantined and deleted successfully.

Elementos de Datos del Registro Infectados:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue (Hijack.System.Hidden) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.

Carpetas Infectadas:
(No se han detectado elementos maliciosos)

Ficheros Infectados:
C:\WINDOWS\system32\amvo1.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Fonts\acrsecB.fon (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Fonts\acrsecI.fon (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\BMdf99937c.xml (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\BMdf99937c.txt (Trojan.Vundo) -> Quarantined and deleted successfully.

#5 FolkenMx

New Member

Group: Members
Posts: 9
Joined: 11-July 08

Posted 16 July 2008 - 12:35 AM

Oh man thank so much!!!, I can see my hidden files again, one last question what antivirus do you recommend?

#6 Buckeye_Sam

Malware Expert

Group: Malware Response Team
Posts: 17,382
Joined: 23-December 04
Gender:Male
Location:Pickerington, Ohio

Posted 16 July 2008 - 08:42 AM

Whoa up partner! You are far from being in the clear. You still have many infected files on your computer.

Please visit this page for instructions to download and use Combofix.

How to use Combofix

This includes installing the Windows XP Recovery Console in case you have not installed it yet.
Please post the log from Combofix here in your next reply.

#7 FolkenMx

New Member

Group: Members
Posts: 9
Joined: 11-July 08

Posted 19 July 2008 - 10:45 PM

Hi Sam:
here is the log sorry for the late report, thank you for your time

ComboFix 08-07-15.4 - User 2008-07-19 20:10:51.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.3082.18.264 [GMT -7:00]
Se ejecuta desde: C:\Documents and Settings\User\Escritorio\ComboFix.exe
Command switches used :: C:\Documents and Settings\User\Escritorio\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
* Creado un nuevo punto de restauración
.

(((((((((((((((((((((((((((((((((((( Otras eliminaciones )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Autorun.inf
C:\DOCUME~1\User\CONFIG~1\Temp\zb5ok.dll
C:\ffojc.com
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\apiqilir.ini
C:\WINDOWS\system32\ckvo.exe
C:\WINDOWS\system32\ckvo0.dll
C:\WINDOWS\system32\ewjufoui.ini
C:\WINDOWS\system32\MVDdcMoq.ini
C:\WINDOWS\system32\MVDdcMoq.ini2
C:\WINDOWS\system32\txkqpchw.ini
C:\WINDOWS\system32\unydkauj.ini
C:\WINDOWS\system32\winsys.exe
C:\WINDOWS\system32\xctqxovs.ini
C:\WINDOWS\system32\ycruokhg.ini
C:\WINDOWS\system32\yFMSCMoq.ini
C:\WINDOWS\system32\yFMSCMoq.ini2

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_SXSERV

(((((((((((((((((( Archivos creados desde 2008-06-20 - 2008-07-20 )))))))))))))))))))))))))))))))))
.

2008-07-19 18:56 . 2008-07-19 18:55 115,799 -r-hs---- C:\ybj8df.exe
2008-07-17 18:34 . 2008-07-16 16:12 115,233 -r-hs---- C:\ivcvknr.bat
2008-07-16 16:13 . 2008-07-16 16:12 115,233 -r-hs---- C:\p83gjy.exe
2008-07-15 21:27 . 2008-07-15 21:27 <DIR> d-------- C:\Documents and Settings\User\Datos de programa\Malwarebytes
2008-07-15 21:27 . 2008-07-15 21:27 <DIR> d-------- C:\Documents and Settings\All Users\Datos de programa\Malwarebytes
2008-07-15 21:27 . 2008-07-15 21:27 <DIR> d-------- C:\Archivos de programa\Malwarebytes' Anti-Malware
2008-07-15 21:27 . 2008-07-07 17:35 34,296 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-07-15 21:27 . 2008-07-07 17:35 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-07-12 12:28 . 2008-07-12 12:28 3,218 --a------ C:\WINDOWS\system32\PerfStringBackup.TMP
2008-07-12 01:31 . 2006-08-21 02:14 128,896 -----c--- C:\WINDOWS\system32\dllcache\fltmgr.sys
2008-07-12 01:31 . 2006-08-21 02:14 23,040 -----c--- C:\WINDOWS\system32\dllcache\fltmc.exe
2008-07-12 01:31 . 2006-08-21 05:27 16,896 -----c--- C:\WINDOWS\system32\dllcache\fltlib.dll
2008-07-12 01:27 . 2008-07-12 01:27 <DIR> d-------- C:\Archivos de programa\MSXML 4.0
2008-07-12 00:52 . 2008-07-12 01:08 96,966 --a------ C:\WINDOWS\system32\drivers\klin.dat
2008-07-12 00:52 . 2008-07-12 01:08 88,774 --a------ C:\WINDOWS\system32\drivers\klick.dat
2008-07-12 00:51 . 2008-07-12 12:07 <DIR> d-------- C:\Documents and Settings\All Users\Datos de programa\Kaspersky Lab
2008-07-12 00:51 . 2008-07-12 00:51 <DIR> d-------- C:\Archivos de programa\Kaspersky Lab
2008-07-12 00:51 . 2008-07-12 12:23 1,702,432 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-07-12 00:51 . 2008-07-12 12:23 262,176 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2008-07-12 00:51 . 2008-07-12 12:23 14,380 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2008-07-12 00:51 . 2008-07-12 12:23 1,976 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx
2008-07-12 00:38 . 2008-07-12 00:38 <DIR> d-------- C:\Documents and Settings\LocalService\Men£ Inicio
2008-07-11 22:41 . 2008-06-14 10:59 272,512 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys
2008-07-11 22:40 . 2007-07-09 06:11 584,192 -----c--- C:\WINDOWS\system32\dllcache\rpcrt4.dll
2008-07-11 19:46 . 2004-08-19 15:42 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2008-07-11 19:38 . 2008-07-11 19:38 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2008-07-11 19:32 . 2004-07-17 11:40 19,528 --a------ C:\WINDOWS\002481_.tmp
2008-07-11 19:28 . 2008-07-11 19:43 <DIR> d-------- C:\WINDOWS\EHome
2008-07-11 17:30 . 2007-07-30 19:19 38,232 --a------ C:\WINDOWS\system32\wucltui.dll.mui
2008-07-11 17:30 . 2007-07-30 19:18 30,040 --a------ C:\WINDOWS\system32\wuaucpl.cpl.mui
2008-07-11 17:30 . 2007-07-30 19:20 30,040 --a------ C:\WINDOWS\system32\wuapi.dll.mui
2008-07-11 17:30 . 2007-07-30 19:18 20,824 --a------ C:\WINDOWS\system32\wuaueng.dll.mui
2008-07-11 16:45 . 2008-07-11 16:45 <DIR> d-------- C:\Deckard
2008-07-11 01:18 . 2008-07-11 01:18 <DIR> d-------- C:\Archivos de programa\ESET
2008-07-10 18:38 . 2008-07-10 18:38 <DIR> d-------- C:\Documents and Settings\User\Datos de programa\SUPERAntiSpyware.com
2008-07-10 18:38 . 2008-07-10 18:38 <DIR> d-------- C:\Documents and Settings\All Users\Datos de programa\SUPERAntiSpyware.com
2008-07-10 18:38 . 2008-07-10 18:38 <DIR> d-------- C:\Archivos de programa\SUPERAntiSpyware
2008-07-10 18:37 . 2008-07-10 18:37 <DIR> d-------- C:\Archivos de programa\Archivos comunes\Wise Installation Wizard
2008-07-10 16:36 . 2008-07-10 16:36 <DIR> d-------- C:\Documents and Settings\All Users\Datos de programa\Kaspersky Lab Setup Files
2008-07-09 14:29 . 2008-07-09 14:29 <DIR> d-------- C:\Documents and Settings\User\Datos de programa\Uniblue
2008-07-09 14:29 . 2008-07-09 14:29 <DIR> d-------- C:\Archivos de programa\Uniblue
2008-07-08 22:32 . 2008-07-19 18:55 77,312 -r-hs---- C:\WINDOWS\system32\ckvo1.dll
2008-07-06 01:47 . 2008-07-06 01:47 <DIR> d-------- C:\Archivos de programa\Red Kawa
2008-07-03 21:04 . 2008-07-09 14:33 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-07-03 21:04 . 2008-07-09 14:33 1,409 --a------ C:\WINDOWS\QTFont.for
2008-06-25 00:30 . 2008-06-25 00:30 <DIR> d-------- C:\Documents and Settings\User\Datos de programa\ScummVM
2008-06-25 00:30 . 2008-06-25 00:37 <DIR> d-------- C:\Archivos de programa\ScummVM

.
(((((((((((((((((((((((((((((((((((((( Reporte Find3M )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-16 04:03 --------- d-----w C:\Archivos de programa\MSN Messenger
2008-07-12 07:47 --------- d-----w C:\Documents and Settings\User\Datos de programa\AVG7
2008-07-12 07:47 --------- d-----w C:\Documents and Settings\All Users\Datos de programa\avg7
2008-07-12 00:34 --------- d-----w C:\Documents and Settings\User\Datos de programa\MegauploadToolbar
2008-06-27 10:18 94,208 ----a-w C:\WINDOWS\ScUnin.exe
2008-06-27 10:18 --------- d-----w C:\Archivos de programa\Starcraft
2008-06-25 06:25 --------- d-----w C:\Archivos de programa\Archivos comunes\Adobe
2008-06-25 06:22 --------- d-----w C:\Documents and Settings\User\Datos de programa\AdobeUM
2008-06-14 17:59 272,512 ------w C:\WINDOWS\system32\drivers\bthport.sys
2008-06-09 09:39 --------- d-----w C:\Archivos de programa\DivX
2008-05-22 04:46 120 ----a-w C:\drmHeader.bin
2008-05-19 04:19 52,736 ----a-w C:\WINDOWS\ipuninst.exe
2007-04-14 02:56 1,607,696 ----a-w C:\Archivos de programa\2006-12-28BGM
2005-05-15 19:05 13,195 -c--a-w C:\Documents and Settings\User\ZGUICFGW.DAT
.

((((((((((((((((((((((((((((((((( Cargando Puntos Reg ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Nota* entradas vac¡as & entradas leg¡timas predeterminadas no son mostradas

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OM_Monitor"="C:\Archivos de programa\OLYMPUS\OLYMPUS Master\Monitor.exe" [2005-07-19 12:14 57344]
"SUPERAntiSpyware"="C:\Archivos de programa\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-05-28 10:33 1506544]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648]
"RemoteControl"="C:\Archivos de programa\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-02 20:24 32768]
"AnyDVD"="C:\Archivos de programa\SlySoft\AnyDVD\AnyDVD.exe" [2005-04-17 18:21 329728]
"OM_Monitor"="C:\Archivos de programa\OLYMPUS\OLYMPUS Master\FirstStart.exe" [2005-07-19 12:06 40960]
"SunJavaUpdateSched"="C:\Archivos de programa\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 05:25 144784]
"TkBellExe"="C:\Archivos de programa\Archivos comunes\Real\Update_OB\realsched.exe" [2007-05-27 14:29 185896]
"StartCCC"="C:\Archivos de programa\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 13:35 90112]
"LTMSG"="LTMSG.exe" [2003-07-14 10:52 40960 C:\WINDOWS\ltmsg.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-19 15:42 15360]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Archivos de programa\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 10:13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2007-04-19 13:41 294912 C:\Archivos de programa\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.I420"= i420vfw.dll
"VIDC.MJPG"= pvmjpg21.dll
"msacm.l3fhg"= mp3fhg.acm
"VIDC.X264"= x264vfw.dll
"VIDC.HFYU"= huffyuv.dll
"vidc.i263"= i263_32.drv
"msacm.imc"= imc32.acm
"msacm.divxa32"= divxa32.acm

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Archivos de programa\\BitTorrent\\bittorrent.exe"=
"%windir%\\system32\\sessmgr.exe"=
"C:\\Archivos de programa\\MSN Messenger\\msnmsgr.exe"=
"C:\\Archivos de programa\\MSN Messenger\\livecall.exe"=

S3 AvFlt;Antivirus Filter Driver;C:\WINDOWS\system32\drivers\av5flt.sys []
S3 ICAM8USB;Intel® PC Camera CS120;C:\WINDOWS\system32\Drivers\Icm8D2.SYS [2001-07-12 13:23]
S3 REMOVE;REMOVE;C:\WINDOWS\system32\drivers\REMOVE.SYS []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{fe5d2cae-ffdc-11db-a5a7-00e0183aca85}]
\Shell\AutoRun\command - F:\p83gjy.exe
\Shell\explore\Command - F:\p83gjy.exe
\Shell\open\Command - F:\p83gjy.exe
.
Contenido de carpeta 'Tareas Programadas'
"2008-07-12 00:15:05 C:\WINDOWS\Tasks\1-Click Maintenance.job"
- C:\Archivos de programa\TuneUp Utilities 2006\SystemOptimizer.exe
.
- - - - ORPHANS REMOVED - - - -

BHO-{17a7de76-13bd-4f1b-8de9-1a49b815336b} - C:\WINDOWS\System32\liquuk.dll
BHO-{2A27A3FE-E989-4E73-86A4-0941E7710C38} - C:\WINDOWS\System32\qoMcdDVM.dll
HKCU-Run-kamsoft - C:\WINDOWS\system32\ckvo.exe
HKLM-Run-AVG7_CC - C:\ARCHIV~1\Grisoft\AVGFRE~1\avgcc.exe
HKU-Default-Run-clc - C:\WINDOWS\system32\clc.exe
HKU-Default-Run-AVG7_Run - C:\ARCHIV~1\Grisoft\AVGFRE~1\avgw.exe

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-19 20:18:51
Windows 5.1.2600 Service Pack 2 NTFS

escaneando procesos ocultos ...

escaneando entradas ocultas de autostart ...

escaneando archivos ocultos ...

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\Archivos de programa\Archivos comunes\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\system32\wscntfy.exe
.
**************************************************************************
.
Tiempo completado: 2008-07-19 20:33:05 - machine was rebooted
ComboFix-quarantined-files.txt 2008-07-20 03:31:57

13 dirs 2,275,966,976 bytes libres
18 dirs 2,202,943,488 bytes libres

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

183 --- E O F --- 2008-07-16 06:47:27

Hi Sam:
here is the log sorry for the late report, thank you for your time

ComboFix 08-07-15.4 - User 2008-07-19 20:10:51.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.3082.18.264 [GMT -7:00]
Se ejecuta desde: C:\Documents and Settings\User\Escritorio\ComboFix.exe
Command switches used :: C:\Documents and Settings\User\Escritorio\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
* Creado un nuevo punto de restauración
.

(((((((((((((((((((((((((((((((((((( Otras eliminaciones )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Autorun.inf
C:\DOCUME~1\User\CONFIG~1\Temp\zb5ok.dll
C:\ffojc.com
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\apiqilir.ini
C:\WINDOWS\system32\ckvo.exe
C:\WINDOWS\system32\ckvo0.dll
C:\WINDOWS\system32\ewjufoui.ini
C:\WINDOWS\system32\MVDdcMoq.ini
C:\WINDOWS\system32\MVDdcMoq.ini2
C:\WINDOWS\system32\txkqpchw.ini
C:\WINDOWS\system32\unydkauj.ini
C:\WINDOWS\system32\winsys.exe
C:\WINDOWS\system32\xctqxovs.ini
C:\WINDOWS\system32\ycruokhg.ini
C:\WINDOWS\system32\yFMSCMoq.ini
C:\WINDOWS\system32\yFMSCMoq.ini2

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_SXSERV

(((((((((((((((((( Archivos creados desde 2008-06-20 - 2008-07-20 )))))))))))))))))))))))))))))))))
.

2008-07-19 18:56 . 2008-07-19 18:55 115,799 -r-hs---- C:\ybj8df.exe
2008-07-17 18:34 . 2008-07-16 16:12 115,233 -r-hs---- C:\ivcvknr.bat
2008-07-16 16:13 . 2008-07-16 16:12 115,233 -r-hs---- C:\p83gjy.exe
2008-07-15 21:27 . 2008-07-15 21:27 <DIR> d-------- C:\Documents and Settings\User\Datos de programa\Malwarebytes
2008-07-15 21:27 . 2008-07-15 21:27 <DIR> d-------- C:\Documents and Settings\All Users\Datos de programa\Malwarebytes
2008-07-15 21:27 . 2008-07-15 21:27 <DIR> d-------- C:\Archivos de programa\Malwarebytes' Anti-Malware
2008-07-15 21:27 . 2008-07-07 17:35 34,296 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-07-15 21:27 . 2008-07-07 17:35 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-07-12 12:28 . 2008-07-12 12:28 3,218 --a------ C:\WINDOWS\system32\PerfStringBackup.TMP
2008-07-12 01:31 . 2006-08-21 02:14 128,896 -----c--- C:\WINDOWS\system32\dllcache\fltmgr.sys
2008-07-12 01:31 . 2006-08-21 02:14 23,040 -----c--- C:\WINDOWS\system32\dllcache\fltmc.exe
2008-07-12 01:31 . 2006-08-21 05:27 16,896 -----c--- C:\WINDOWS\system32\dllcache\fltlib.dll
2008-07-12 01:27 . 2008-07-12 01:27 <DIR> d-------- C:\Archivos de programa\MSXML 4.0
2008-07-12 00:52 . 2008-07-12 01:08 96,966 --a------ C:\WINDOWS\system32\drivers\klin.dat
2008-07-12 00:52 . 2008-07-12 01:08 88,774 --a------ C:\WINDOWS\system32\drivers\klick.dat
2008-07-12 00:51 . 2008-07-12 12:07 <DIR> d-------- C:\Documents and Settings\All Users\Datos de programa\Kaspersky Lab
2008-07-12 00:51 . 2008-07-12 00:51 <DIR> d-------- C:\Archivos de programa\Kaspersky Lab
2008-07-12 00:51 . 2008-07-12 12:23 1,702,432 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-07-12 00:51 . 2008-07-12 12:23 262,176 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2008-07-12 00:51 . 2008-07-12 12:23 14,380 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2008-07-12 00:51 . 2008-07-12 12:23 1,976 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx
2008-07-12 00:38 . 2008-07-12 00:38 <DIR> d-------- C:\Documents and Settings\LocalService\Men£ Inicio
2008-07-11 22:41 . 2008-06-14 10:59 272,512 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys
2008-07-11 22:40 . 2007-07-09 06:11 584,192 -----c--- C:\WINDOWS\system32\dllcache\rpcrt4.dll
2008-07-11 19:46 . 2004-08-19 15:42 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2008-07-11 19:38 . 2008-07-11 19:38 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2008-07-11 19:32 . 2004-07-17 11:40 19,528 --a------ C:\WINDOWS\002481_.tmp
2008-07-11 19:28 . 2008-07-11 19:43 <DIR> d-------- C:\WINDOWS\EHome
2008-07-11 17:30 . 2007-07-30 19:19 38,232 --a------ C:\WINDOWS\system32\wucltui.dll.mui
2008-07-11 17:30 . 2007-07-30 19:18 30,040 --a------ C:\WINDOWS\system32\wuaucpl.cpl.mui
2008-07-11 17:30 . 2007-07-30 19:20 30,040 --a------ C:\WINDOWS\system32\wuapi.dll.mui
2008-07-11 17:30 . 2007-07-30 19:18 20,824 --a------ C:\WINDOWS\system32\wuaueng.dll.mui
2008-07-11 16:45 . 2008-07-11 16:45 <DIR> d-------- C:\Deckard
2008-07-11 01:18 . 2008-07-11 01:18 <DIR> d-------- C:\Archivos de programa\ESET
2008-07-10 18:38 . 2008-07-10 18:38 <DIR> d-------- C:\Documents and Settings\User\Datos de programa\SUPERAntiSpyware.com
2008-07-10 18:38 . 2008-07-10 18:38 <DIR> d-------- C:\Documents and Settings\All Users\Datos de programa\SUPERAntiSpyware.com
2008-07-10 18:38 . 2008-07-10 18:38 <DIR> d-------- C:\Archivos de programa\SUPERAntiSpyware
2008-07-10 18:37 . 2008-07-10 18:37 <DIR> d-------- C:\Archivos de programa\Archivos comunes\Wise Installation Wizard
2008-07-10 16:36 . 2008-07-10 16:36 <DIR> d-------- C:\Documents and Settings\All Users\Datos de programa\Kaspersky Lab Setup Files
2008-07-09 14:29 . 2008-07-09 14:29 <DIR> d-------- C:\Documents and Settings\User\Datos de programa\Uniblue
2008-07-09 14:29 . 2008-07-09 14:29 <DIR> d-------- C:\Archivos de programa\Uniblue
2008-07-08 22:32 . 2008-07-19 18:55 77,312 -r-hs---- C:\WINDOWS\system32\ckvo1.dll
2008-07-06 01:47 . 2008-07-06 01:47 <DIR> d-------- C:\Archivos de programa\Red Kawa
2008-07-03 21:04 . 2008-07-09 14:33 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-07-03 21:04 . 2008-07-09 14:33 1,409 --a------ C:\WINDOWS\QTFont.for
2008-06-25 00:30 . 2008-06-25 00:30 <DIR> d-------- C:\Documents and Settings\User\Datos de programa\ScummVM
2008-06-25 00:30 . 2008-06-25 00:37 <DIR> d-------- C:\Archivos de programa\ScummVM

.
(((((((((((((((((((((((((((((((((((((( Reporte Find3M )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-16 04:03 --------- d-----w C:\Archivos de programa\MSN Messenger
2008-07-12 07:47 --------- d-----w C:\Documents and Settings\User\Datos de programa\AVG7
2008-07-12 07:47 --------- d-----w C:\Documents and Settings\All Users\Datos de programa\avg7
2008-07-12 00:34 --------- d-----w C:\Documents and Settings\User\Datos de programa\MegauploadToolbar
2008-06-27 10:18 94,208 ----a-w C:\WINDOWS\ScUnin.exe
2008-06-27 10:18 --------- d-----w C:\Archivos de programa\Starcraft
2008-06-25 06:25 --------- d-----w C:\Archivos de programa\Archivos comunes\Adobe
2008-06-25 06:22 --------- d-----w C:\Documents and Settings\User\Datos de programa\AdobeUM
2008-06-14 17:59 272,512 ------w C:\WINDOWS\system32\drivers\bthport.sys
2008-06-09 09:39 --------- d-----w C:\Archivos de programa\DivX
2008-05-22 04:46 120 ----a-w C:\drmHeader.bin
2008-05-19 04:19 52,736 ----a-w C:\WINDOWS\ipuninst.exe
2007-04-14 02:56 1,607,696 ----a-w C:\Archivos de programa\2006-12-28BGM
2005-05-15 19:05 13,195 -c--a-w C:\Documents and Settings\User\ZGUICFGW.DAT
.

((((((((((((((((((((((((((((((((( Cargando Puntos Reg ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Nota* entradas vac¡as & entradas leg¡timas predeterminadas no son mostradas

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OM_Monitor"="C:\Archivos de programa\OLYMPUS\OLYMPUS Master\Monitor.exe" [2005-07-19 12:14 57344]
"SUPERAntiSpyware"="C:\Archivos de programa\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-05-28 10:33 1506544]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648]
"RemoteControl"="C:\Archivos de programa\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-02 20:24 32768]
"AnyDVD"="C:\Archivos de programa\SlySoft\AnyDVD\AnyDVD.exe" [2005-04-17 18:21 329728]
"OM_Monitor"="C:\Archivos de programa\OLYMPUS\OLYMPUS Master\FirstStart.exe" [2005-07-19 12:06 40960]
"SunJavaUpdateSched"="C:\Archivos de programa\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 05:25 144784]
"TkBellExe"="C:\Archivos de programa\Archivos comunes\Real\Update_OB\realsched.exe" [2007-05-27 14:29 185896]
"StartCCC"="C:\Archivos de programa\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 13:35 90112]
"LTMSG"="LTMSG.exe" [2003-07-14 10:52 40960 C:\WINDOWS\ltmsg.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-19 15:42 15360]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Archivos de programa\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 10:13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2007-04-19 13:41 294912 C:\Archivos de programa\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.I420"= i420vfw.dll
"VIDC.MJPG"= pvmjpg21.dll
"msacm.l3fhg"= mp3fhg.acm
"VIDC.X264"= x264vfw.dll
"VIDC.HFYU"= huffyuv.dll
"vidc.i263"= i263_32.drv
"msacm.imc"= imc32.acm
"msacm.divxa32"= divxa32.acm

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Archivos de programa\\BitTorrent\\bittorrent.exe"=
"%windir%\\system32\\sessmgr.exe"=
"C:\\Archivos de programa\\MSN Messenger\\msnmsgr.exe"=
"C:\\Archivos de programa\\MSN Messenger\\livecall.exe"=

S3 AvFlt;Antivirus Filter Driver;C:\WINDOWS\system32\drivers\av5flt.sys []
S3 ICAM8USB;Intel® PC Camera CS120;C:\WINDOWS\system32\Drivers\Icm8D2.SYS [2001-07-12 13:23]
S3 REMOVE;REMOVE;C:\WINDOWS\system32\drivers\REMOVE.SYS []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{fe5d2cae-ffdc-11db-a5a7-00e0183aca85}]
\Shell\AutoRun\command - F:\p83gjy.exe
\Shell\explore\Command - F:\p83gjy.exe
\Shell\open\Command - F:\p83gjy.exe
.
Contenido de carpeta 'Tareas Programadas'
"2008-07-12 00:15:05 C:\WINDOWS\Tasks\1-Click Maintenance.job"
- C:\Archivos de programa\TuneUp Utilities 2006\SystemOptimizer.exe
.
- - - - ORPHANS REMOVED - - - -

BHO-{17a7de76-13bd-4f1b-8de9-1a49b815336b} - C:\WINDOWS\System32\liquuk.dll
BHO-{2A27A3FE-E989-4E73-86A4-0941E7710C38} - C:\WINDOWS\System32\qoMcdDVM.dll
HKCU-Run-kamsoft - C:\WINDOWS\system32\ckvo.exe
HKLM-Run-AVG7_CC - C:\ARCHIV~1\Grisoft\AVGFRE~1\avgcc.exe
HKU-Default-Run-clc - C:\WINDOWS\system32\clc.exe
HKU-Default-Run-AVG7_Run - C:\ARCHIV~1\Grisoft\AVGFRE~1\avgw.exe

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-19 20:18:51
Windows 5.1.2600 Service Pack 2 NTFS

escaneando procesos ocultos ...

escaneando entradas ocultas de autostart ...

escaneando archivos ocultos ...

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\Archivos de programa\Archivos comunes\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\system32\wscntfy.exe
.
**************************************************************************
.
Tiempo completado: 2008-07-19 20:33:05 - machine was rebooted
ComboFix-quarantined-files.txt 2008-07-20 03:31:57

13 dirs 2,275,966,976 bytes libres
18 dirs 2,202,943,488 bytes libres

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

183 --- E O F --- 2008-07-16 06:47:27

#8 Buckeye_Sam

Malware Expert

Group: Malware Response Team
Posts: 17,382
Joined: 23-December 04
Gender:Male
Location:Pickerington, Ohio

Posted 20 July 2008 - 09:33 AM

Didn't believe me until things started getting bad again huh? :thumbsup:

Download Flash_Disinfector.exe by sUBs and save it to your desktop.

Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.
Wait until it has finished scanning and then exit the program.
Reboot your computer when done.

Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive plugged in when you ran it. Don't delete this folder...it will help protect your drives from future infection.

=================

Copy and paste ALL the following text in the Quote box below into Notepad.
Click on File(in the menu at the top)>Save as../Save as Type: 'All Files' /File name: CFScript to your desktop.

File::
F:\p83gjy.exe
C:\WINDOWS\system32\ckvo1.dll
C:\ybj8df.exe
C:\ivcvknr.bat
C:\p83gjy.exe

Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{fe5d2cae-ffdc-11db-a5a7-00e0183aca85}]

Prior to running Combofix.exe you should disable your antivirus program and disconnect from the internet.

Now drag then drop the CFScript file onto ComboFix.exe as seen in the image below.

Posted Image

This will start ComboFix again.
After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.

#9 FolkenMx

New Member

Group: Members
Posts: 9
Joined: 11-July 08

Posted 20 July 2008 - 12:40 PM

I will never doubt of you again Sam :thumbsup:

Here´s the log:

ComboFix 08-07-15.4 - User 2008-07-20 10:23:46.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.3082.18.269 [GMT -7:00]
Se ejecuta desde: C:\Documents and Settings\User\Escritorio\ComboFix.exe
Command switches used :: C:\Documents and Settings\User\Escritorio\CFScript.txt
* Creado un nuevo punto de restauración

FILE ::
C:\ivcvknr.bat
C:\p83gjy.exe
C:\WINDOWS\system32\ckvo1.dll
C:\ybj8df.exe
F:\p83gjy.exe
.

(((((((((((((((((((((((((((((((((((( Otras eliminaciones )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\p83gjy.exe
C:\WINDOWS\system32\ckvo1.dll
C:\ybj8df.exe

.
(((((((((((((((((( Archivos creados desde 2008-06-20 - 2008-07-20 )))))))))))))))))))))))))))))))))
.

2008-07-19 20:33 . 2008-07-19 20:33 <DIR> d-------- C:\WINDOWS\system32\config\systemprofile\Configuraci¾n local
2008-07-19 20:33 . 2008-07-19 20:33 <DIR> d-------- C:\Documents and Settings\User\Configuraci¾n local
2008-07-19 20:33 . 2008-07-19 20:33 <DIR> d-------- C:\Documents and Settings\NetworkService\Configuraci¾n local
2008-07-19 20:33 . 2008-07-19 20:33 <DIR> d-------- C:\Documents and Settings\LocalService\Configuraci¾n local
2008-07-15 21:27 . 2008-07-15 21:27 <DIR> d-------- C:\Documents and Settings\User\Datos de programa\Malwarebytes
2008-07-15 21:27 . 2008-07-15 21:27 <DIR> d-------- C:\Documents and Settings\All Users\Datos de programa\Malwarebytes
2008-07-15 21:27 . 2008-07-15 21:27 <DIR> d-------- C:\Archivos de programa\Malwarebytes' Anti-Malware
2008-07-15 21:27 . 2008-07-07 17:35 34,296 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-07-15 21:27 . 2008-07-07 17:35 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-07-12 12:28 . 2008-07-12 12:28 3,218 --a------ C:\WINDOWS\system32\PerfStringBackup.TMP
2008-07-12 01:31 . 2006-08-21 02:14 128,896 -----c--- C:\WINDOWS\system32\dllcache\fltmgr.sys
2008-07-12 01:31 . 2006-08-21 02:14 23,040 -----c--- C:\WINDOWS\system32\dllcache\fltmc.exe
2008-07-12 01:31 . 2006-08-21 05:27 16,896 -----c--- C:\WINDOWS\system32\dllcache\fltlib.dll
2008-07-12 01:27 . 2008-07-12 01:27 <DIR> d-------- C:\Archivos de programa\MSXML 4.0
2008-07-12 00:52 . 2008-07-12 01:08 96,966 --a------ C:\WINDOWS\system32\drivers\klin.dat
2008-07-12 00:52 . 2008-07-12 01:08 88,774 --a------ C:\WINDOWS\system32\drivers\klick.dat
2008-07-12 00:51 . 2008-07-12 12:07 <DIR> d-------- C:\Documents and Settings\All Users\Datos de programa\Kaspersky Lab
2008-07-12 00:51 . 2008-07-12 00:51 <DIR> d-------- C:\Archivos de programa\Kaspersky Lab
2008-07-12 00:51 . 2008-07-12 12:23 1,702,432 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-07-12 00:51 . 2008-07-12 12:23 262,176 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2008-07-12 00:51 . 2008-07-12 12:23 14,380 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2008-07-12 00:51 . 2008-07-12 12:23 1,976 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx
2008-07-12 00:38 . 2008-07-12 00:38 <DIR> d-------- C:\Documents and Settings\LocalService\Menú Inicio
2008-07-11 22:41 . 2008-06-14 10:59 272,512 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys
2008-07-11 22:40 . 2007-07-09 06:11 584,192 -----c--- C:\WINDOWS\system32\dllcache\rpcrt4.dll
2008-07-11 19:46 . 2004-08-19 15:42 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2008-07-11 19:38 . 2008-07-11 19:38 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2008-07-11 19:32 . 2004-07-17 11:40 19,528 --a------ C:\WINDOWS\002481_.tmp
2008-07-11 19:28 . 2008-07-11 19:43 <DIR> d-------- C:\WINDOWS\EHome
2008-07-11 17:30 . 2007-07-30 19:19 38,232 --a------ C:\WINDOWS\system32\wucltui.dll.mui
2008-07-11 17:30 . 2007-07-30 19:18 30,040 --a------ C:\WINDOWS\system32\wuaucpl.cpl.mui
2008-07-11 17:30 . 2007-07-30 19:20 30,040 --a------ C:\WINDOWS\system32\wuapi.dll.mui
2008-07-11 17:30 . 2007-07-30 19:18 20,824 --a------ C:\WINDOWS\system32\wuaueng.dll.mui
2008-07-11 16:45 . 2008-07-11 16:45 <DIR> d-------- C:\Deckard
2008-07-11 01:18 . 2008-07-11 01:18 <DIR> d-------- C:\Archivos de programa\ESET
2008-07-10 18:38 . 2008-07-10 18:38 <DIR> d-------- C:\Documents and Settings\User\Datos de programa\SUPERAntiSpyware.com
2008-07-10 18:38 . 2008-07-10 18:38 <DIR> d-------- C:\Documents and Settings\All Users\Datos de programa\SUPERAntiSpyware.com
2008-07-10 18:38 . 2008-07-10 18:38 <DIR> d-------- C:\Archivos de programa\SUPERAntiSpyware
2008-07-10 18:37 . 2008-07-10 18:37 <DIR> d-------- C:\Archivos de programa\Archivos comunes\Wise Installation Wizard
2008-07-10 16:36 . 2008-07-10 16:36 <DIR> d-------- C:\Documents and Settings\All Users\Datos de programa\Kaspersky Lab Setup Files
2008-07-09 14:29 . 2008-07-09 14:29 <DIR> d-------- C:\Documents and Settings\User\Datos de programa\Uniblue
2008-07-09 14:29 . 2008-07-09 14:29 <DIR> d-------- C:\Archivos de programa\Uniblue
2008-07-06 01:47 . 2008-07-06 01:47 <DIR> d-------- C:\Archivos de programa\Red Kawa
2008-07-03 21:04 . 2008-07-09 14:33 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-07-03 21:04 . 2008-07-09 14:33 1,409 --a------ C:\WINDOWS\QTFont.for
2008-06-25 00:30 . 2008-06-25 00:30 <DIR> d-------- C:\Documents and Settings\User\Datos de programa\ScummVM
2008-06-25 00:30 . 2008-06-25 00:37 <DIR> d-------- C:\Archivos de programa\ScummVM

.
(((((((((((((((((((((((((((((((((((((( Reporte Find3M )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-16 04:03 --------- d-----w C:\Archivos de programa\MSN Messenger
2008-07-12 07:47 --------- d-----w C:\Documents and Settings\User\Datos de programa\AVG7
2008-07-12 07:47 --------- d-----w C:\Documents and Settings\All Users\Datos de programa\avg7
2008-07-12 00:34 --------- d-----w C:\Documents and Settings\User\Datos de programa\MegauploadToolbar
2008-06-27 10:18 94,208 ----a-w C:\WINDOWS\ScUnin.exe
2008-06-27 10:18 --------- d-----w C:\Archivos de programa\Starcraft
2008-06-25 06:25 --------- d-----w C:\Archivos de programa\Archivos comunes\Adobe
2008-06-25 06:22 --------- d-----w C:\Documents and Settings\User\Datos de programa\AdobeUM
2008-06-14 17:59 272,512 ------w C:\WINDOWS\system32\drivers\bthport.sys
2008-06-09 09:39 --------- d-----w C:\Archivos de programa\DivX
2008-05-30 23:22 823,296 ----a-w C:\WINDOWS\system32\divx_xx0c.dll
2008-05-30 23:22 823,296 ----a-w C:\WINDOWS\system32\divx_xx07.dll
2008-05-30 23:22 815,104 ----a-w C:\WINDOWS\system32\divx_xx0a.dll
2008-05-30 23:22 802,816 ----a-w C:\WINDOWS\system32\divx_xx11.dll
2008-05-30 23:22 683,520 ----a-w C:\WINDOWS\system32\DivX.dll
2008-05-30 23:22 593,920 ----a-w C:\WINDOWS\system32\dpuGUI11.dll
2008-05-30 23:22 57,344 ----a-w C:\WINDOWS\system32\dpv11.dll
2008-05-30 23:22 53,248 ----a-w C:\WINDOWS\system32\dpuGUI10.dll
2008-05-30 23:22 344,064 ----a-w C:\WINDOWS\system32\dpus11.dll
2008-05-30 23:22 294,912 ----a-w C:\WINDOWS\system32\dpu11.dll
2008-05-30 23:22 294,912 ----a-w C:\WINDOWS\system32\dpu10.dll
2008-05-22 22:22 524,288 ----a-w C:\WINDOWS\system32\DivXsm.exe
2008-05-22 22:22 3,596,288 ----a-w C:\WINDOWS\system32\qt-dx331.dll
2008-05-22 22:20 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll
2008-05-22 22:20 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll
2008-05-22 22:19 81,920 ----a-w C:\WINDOWS\system32\dpl100.dll
2008-05-22 22:19 196,608 ----a-w C:\WINDOWS\system32\dtu100.dll
2008-05-22 22:19 161,096 ----a-w C:\WINDOWS\system32\DivXCodecVersionChecker.exe
2008-05-22 22:18 12,288 ----a-w C:\WINDOWS\system32\DivXWMPExtType.dll
2008-05-22 04:46 120 ----a-w C:\drmHeader.bin
2008-05-19 04:19 52,736 ----a-w C:\WINDOWS\ipuninst.exe
2008-05-07 05:15 1,293,824 ----a-w C:\WINDOWS\system32\quartz.dll
2008-04-26 01:22 206,088 ----a-w C:\WINDOWS\system32\klogon.dll
2008-04-21 07:02 662,016 ----a-w C:\WINDOWS\system32\wininet.dll
2007-04-14 02:56 1,607,696 ----a-w C:\Archivos de programa\2006-12-28BGM
2005-05-15 19:05 13,195 -c--a-w C:\Documents and Settings\User\ZGUICFGW.DAT
.

((((((((((((((((((((((((((((((((( Cargando Puntos Reg ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Nota* entradas vacías & entradas legítimas predeterminadas no son mostradas

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OM_Monitor"="C:\Archivos de programa\OLYMPUS\OLYMPUS Master\Monitor.exe" [2005-07-19 12:14 57344]
"SUPERAntiSpyware"="C:\Archivos de programa\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-05-28 10:33 1506544]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648]
"RemoteControl"="C:\Archivos de programa\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-02 20:24 32768]
"AnyDVD"="C:\Archivos de programa\SlySoft\AnyDVD\AnyDVD.exe" [2005-04-17 18:21 329728]
"OM_Monitor"="C:\Archivos de programa\OLYMPUS\OLYMPUS Master\FirstStart.exe" [2005-07-19 12:06 40960]
"SunJavaUpdateSched"="C:\Archivos de programa\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 05:25 144784]
"TkBellExe"="C:\Archivos de programa\Archivos comunes\Real\Update_OB\realsched.exe" [2007-05-27 14:29 185896]
"StartCCC"="C:\Archivos de programa\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 13:35 90112]
"LTMSG"="LTMSG.exe" [2003-07-14 10:52 40960 C:\WINDOWS\ltmsg.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-19 15:42 15360]

C:\Documents and Settings\All Users\Men£ Inicio\Programas\Inicio\
Inicio r pido de Adobe Reader.lnk - C:\Archivos de programa\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-04-23 03:38:16 29696]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Archivos de programa\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 10:13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2007-04-19 13:41 294912 C:\Archivos de programa\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.I420"= i420vfw.dll
"VIDC.MJPG"= pvmjpg21.dll
"msacm.l3fhg"= mp3fhg.acm
"VIDC.X264"= x264vfw.dll
"VIDC.HFYU"= huffyuv.dll
"vidc.i263"= i263_32.drv
"msacm.imc"= imc32.acm
"msacm.divxa32"= divxa32.acm

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Archivos de programa\\BitTorrent\\bittorrent.exe"=
"%windir%\\system32\\sessmgr.exe"=
"C:\\Archivos de programa\\MSN Messenger\\msnmsgr.exe"=
"C:\\Archivos de programa\\MSN Messenger\\livecall.exe"=

S3 AvFlt;Antivirus Filter Driver;C:\WINDOWS\system32\drivers\av5flt.sys []
S3 ICAM8USB;Intel® PC Camera CS120;C:\WINDOWS\system32\Drivers\Icm8D2.SYS [2001-07-12 13:23]
S3 REMOVE;REMOVE;C:\WINDOWS\system32\drivers\REMOVE.SYS []

*Newly Created Service* - CATCHME
.
Contenido de carpeta 'Tareas Programadas'
"2008-07-12 00:15:05 C:\WINDOWS\Tasks\1-Click Maintenance.job"
- C:\Archivos de programa\TuneUp Utilities 2006\SystemOptimizer.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-20 10:27:51
Windows 5.1.2600 Service Pack 2 NTFS

escaneando procesos ocultos ...

escaneando entradas ocultas de autostart ...

escaneando archivos ocultos ...

el escaneo se completo con exito
archivos ocultos: 0

**************************************************************************
.
Tiempo completado: 2008-07-20 10:35:21
ComboFix-quarantined-files.txt 2008-07-20 17:35:10
ComboFix2.txt 2008-07-20 03:33:06

14 dirs 2,292,473,856 bytes libres
18 dirs 2,276,749,312 bytes libres

171 --- E O F --- 2008-07-16 06:47:27

#10 Buckeye_Sam

Malware Expert

Group: Malware Response Team
Posts: 17,382
Joined: 23-December 04
Gender:Male
Location:Pickerington, Ohio

Posted 21 July 2008 - 07:24 AM

Your log looks good to me.
How are things on your end? Any popups or other issues?

#11 FolkenMx

New Member

Group: Members
Posts: 9
Joined: 11-July 08

Posted 24 July 2008 - 09:46 PM

Thank you very much Sam, it has not given any problems since, Thank for your patience :thumbsup:

. So what do you recommend to stay clean?

#12 Buckeye_Sam

Malware Expert

Group: Malware Response Team
Posts: 17,382
Joined: 23-December 04
Gender:Male
Location:Pickerington, Ohio

Posted 25 July 2008 - 06:30 AM

First follow this process to uninstall Combofix. It will also restore a few settings and remove quarantined items.

Click START then RUN
Now type Combofix /u in the runbox and click OK

===============

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:

Disable and Enable System Restore. - If you are using Windows ME or XP then you should disable and reenable system restore to make sure there are no infected files found in a restore point left over from what we have just cleaned.

You can find instructions on how to enable and reenable system restore here:

Windows XP System Restore Guide

Renable system restore with instructions from tutorial above
Make your Internet Explorer more secure - This can be done by following these simple instructions:
- From within Internet Explorer click on the Tools menu and then click on Options.
- Click once on the Security tab
- Click once on the Internet icon so it becomes highlighted.
- Click once on the Custom Level button.
  - Change the Download signed ActiveX controls to Prompt
  - Change the Download unsigned ActiveX controls to Disable
  - Change the Initialize and script ActiveX controls not marked as safe to Disable
  - Change the Installation of desktop items to Prompt
  - Change the Launching programs and files in an IFRAME to Prompt
  - Change the Navigate sub-frames across different domains to Prompt
  - When all these settings have been made, click on the OK button.
  - If it prompts you as to whether or not you want to save the settings, press the Yes button.
- Next press the Apply button and then the OK to exit the Internet Properties page.
Use an AntiVirus Software - It is very important that your computer has an anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.

See this link for a listing of some online & their stand-alone antivirus programs:

Virus, Spyware, and Malware Protection and Removal Resources
Update your AntiVirus Software - It is imperitive that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.
Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is succeptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.

For a tutorial on Firewalls and a listing of some available ones see the link below:

Understanding and Using Firewalls
Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
Install Spybot - Search and Destroy - Install and download Spybot - Search and Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with program on a regular basis just as you would an antivirus software.

A tutorial on installing & using this product can be found here:

Using Spybot - Search & Destroy to remove Spyware , Malware, and Hijackers
Install Ad-Aware - Install and download Ad-Aware. ou should also scan your computer with program on a regular basis just as you would an antivirus software in conjunction with Spybot.

A tutorial on installing & using this product can be found here:

Using Ad-aware to remove Spyware, Malware, & Hijackers from Your Computer
Install SpywareBlaster - SpywareBlaster will added a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

A tutorial on installing & using this product can be found here:

Using SpywareBlaster to protect your computer from Spyware and Malware
Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

Follow this list and your potential for being infected again will reduce dramatically.

:thumbsup:

#13 Buckeye_Sam

Malware Expert

Group: Malware Response Team
Posts: 17,382
Joined: 23-December 04
Gender:Male
Location:Pickerington, Ohio

Posted 29 July 2008 - 07:44 AM

Now that your problem appears to be resolved, this thread will be closed. If you need this topic reopened, please contact a member of the HJT Team and we will reopen it for you. Include the address of this thread in your request.