BleepingComputer.com: Possible rootkit infection

I was bragging on irc channels that my computer was invulnerable and I felt confident to say that, I had running superantispyware pro and malware bytes with active protection, then I had sygate blocking a whole bunch of ips from advertisers and I had disable file sharing for my tcp/internet connection and also was using limited account and a strong admin password but none of that matter I left my pc overnight and next morning it was acting weird.


-----------

.

DDS (Ver_2011-08-26.01) - NTFSx86

Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_20

Run by emperador at 19:53:41 on 2011-09-17

Microsoft Windows XP Professional 5.1.2600.3.1252.34.3082.18.2047.1625 [GMT -6:00]

.

.

============== Running Processes ===============

.

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup

svchost.exe

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Archivos de programa\Creative\Shared Files\CTAudSvc.exe

C:\WINDOWS\system32\crypserv.exe

C:\Archivos de programa\Java\jre6\bin\jqs.exe

C:\WINDOWS\system32\PnkBstrA.exe

C:\Archivos de programa\CyberLink\Shared files\RichVideo.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\Explorer.EXE

A:\8ttfqd6m.exe

.

============== Pseudo HJT Report ===============

.

uStart Page = https://www.ixquick.com

BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File

BHO: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - AcroIEHlprObj Class

BHO: WormRadar.com IESiteBlocker.NavFilter: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - AVG Safe Search

BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\archivos de programa\java\jre6\bin\jp2ssv.dll

BHO: {e5a1691b-d188-4419-ad02-90002030b8ee} - FlashFXP Helper for Internet Explorer

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\archivos de programa\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

uRun: [DAEMON Tools Lite] "c:\archivos de programa\daemon tools lite\DTLite.exe" -autorun

dRun: [DWQueuedReporting] "c:\archiv~1\archiv~1\micros~1\dw\dwtrig20.exe" -t

dRunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\archivos de programa\messenger\msmsgs.exe

TCP: Interfaces\{C29FD719-342B-4864-BFA3-6E23246F2E46} : NameServer = 68.87.85.102,68.87.69.150

Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\archivos de programa\archivos comunes\microsoft shared\web folders\PKMCDO.DLL

Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\archiv~1\archiv~1\skype\SKYPE4~1.DLL

Name-Space Handler: ftp\GetRightIEClickCatcher - {73BA8F12-723E-11D1-A9E2-00403320FCF2} - c:\archivos de programa\getright\xx2gr.dll

Name-Space Handler: http\GetRightIEClickCatcher - {73BA8F12-723E-11D1-A9E2-00403320FCF2} - c:\archivos de programa\getright\xx2gr.dll

Notify: !SASWinLogon - h:\archivos de programa\superantispyware\SASWINLO.DLL

Notify: AtiExtEvent - Ati2evxx.dll

Notify: ComPlusSetup - c:\windows\system32\catsrvut.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - h:\archivos de programa\superantispyware\SASSEH.DLL

.

================= FIREFOX ===================

.

FF - ProfilePath - c:\documents and settings\administrador\datos de programa\mozilla\firefox\profiles\hrc436z7.default\

FF - plugin: c:\archivos de programa\java\jre6\bin\new_plugin\npdeployJava1.dll

FF - plugin: c:\archivos de programa\opera\program\plugins\NPDocBox.dll

FF - plugin: c:\archivos de programa\opera\program\plugins\nppdf32.dll

FF - plugin: c:\documents and settings\all users\datos de programa\zylom\zylomgamesplayer\npzylomgamesplayer.dll

FF - plugin: c:\program files\real\realplayer\netscape6\nppl3260.dll

FF - plugin: c:\program files\real\realplayer\netscape6\nprjplug.dll

FF - plugin: c:\program files\real\realplayer\netscape6\nprpjplug.dll

FF - plugin: h:\archivos de programa\divx\divx web player\npdivx32.dll

FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\archivos de programa\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\archivos de programa\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

FF - Ext: Java Quick Starter: jqs@sun.com - h:\archivos de programa\java\jre6\lib\deploy\jqs\ff

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}

.

============= SERVICES / DRIVERS ===============

.

R0 d344bus6;d344bus6;c:\windows\system32\drivers\d344bus6.sys [2007-10-31 137216]

R0 d344prt6;d344prt6;c:\windows\system32\drivers\d344prt6.sys [2007-10-31 5248]

R0 d347bus;d347bus;c:\windows\system32\drivers\d347bus.sys [2010-8-14 155136]

R0 d347prt;d347prt;c:\windows\system32\drivers\d347prt.sys [2010-8-14 5248]

R0 SI3114;SiI-3114 SATALink Controller;c:\windows\system32\drivers\SI3114.sys [2011-9-16 73768]

R0 SiWinAcc;SiWinAcc;c:\windows\system32\drivers\SiWinAcc.sys [2004-8-10 19240]

R1 SASDIFSV;SASDIFSV;h:\archivos de programa\superantispyware\sasdifsv.sys [2010-2-17 12872]

R1 SASKUTIL;SASKUTIL;h:\archivos de programa\superantispyware\SASKUTIL.SYS [2010-5-10 67656]

R1 VBoxDrv;VirtualBox Service;c:\windows\system32\drivers\VBoxDrv.sys [2009-11-19 116560]

R1 VBoxUSBMon;VirtualBox USB Monitor Driver;c:\windows\system32\drivers\VBoxUSBMon.sys [2009-11-19 41424]

R2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2009-10-20 50704]

R3 3xHybrid;Pinnacle PCTV 100i-110i-300i-310i-MCE;c:\windows\system32\drivers\3xHybrid.sys [2009-11-13 1121536]

R3 COMMONFX.SYS;COMMONFX.SYS;c:\windows\system32\drivers\COMMONFX.sys [2010-3-18 99416]

R3 CTAUDFX.SYS;CTAUDFX.SYS;c:\windows\system32\drivers\CTAUDFX.sys [2010-3-18 555096]

R3 CTSBLFX.SYS;CTSBLFX.SYS;c:\windows\system32\drivers\CTSBLFX.sys [2010-3-18 566360]

R3 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\drivers\dtsoftbus01.sys [2011-9-16 232512]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2010-9-11 20952]

R3 VBoxNetFlt;VBoxNetFlt Service;c:\windows\system32\drivers\VBoxNetFlt.sys [2009-11-10 104016]

S0 d344bus;d344bus;c:\windows\system32\drivers\d344bus.sys --> c:\windows\system32\drivers\d344bus.sys [?]

S0 d344prt;d344prt;c:\windows\system32\drivers\d344prt.sys --> c:\windows\system32\drivers\d344prt.sys [?]

S1 mirrorv3;mirrorv3;c:\windows\system32\drivers\rminiv3.sys [2006-11-1 3328]

S2 MBAMService;MBAMService;h:\archivos de programa\malwarebytes' anti-malware\mbamservice.exe [2010-9-11 304464]

S3 COMMONFX;COMMONFX;c:\windows\system32\drivers\COMMONFX.sys [2010-3-18 99416]

S3 COMMPR;CommView/WiFi Driver by TamoSoft;c:\windows\system32\drivers\commpr.sys [2004-4-1 15104]

S3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\archivos de programa\archivos comunes\creative labs shared\service\CTAELicensing.exe [2010-9-22 79360]

S3 CTAUDFX;CTAUDFX;c:\windows\system32\drivers\CTAUDFX.sys [2010-3-18 555096]

S3 CTERFXFX.SYS;CTERFXFX.SYS;c:\windows\system32\drivers\CTERFXFX.sys [2010-3-18 100952]

S3 CTERFXFX;CTERFXFX;c:\windows\system32\drivers\CTERFXFX.sys [2010-3-18 100952]

S3 CTSBLFX;CTSBLFX;c:\windows\system32\drivers\CTSBLFX.sys [2010-3-18 566360]

S3 ddsxeiservice;ddsxeiservice2;\??\c:\archivos de programa\sxe injected\ddsxei.sys --> c:\archivos de programa\sxe injected\ddsxei.sys [?]

S3 IPN2120;Wireless-B PCI Adapter Driver;c:\windows\system32\drivers\lsipnds.sys --> c:\windows\system32\drivers\LSIPNDS.sys [?]

S3 ISLNDIS5;ISLNDIS5 Protocol Driver;\??\c:\windows\system32\islndis5.sys --> c:\windows\system32\ISLNDIS5.SYS [?]

S3 jgameenp;jgameenp;\??\c:\docume~1\compgeek\config~1\temp\jgameenp.sys --> c:\docume~1\compgeek\config~1\temp\jgameenp.sys [?]

S3 MA311;NETGEAR Wireless LAN Driver;c:\windows\system32\drivers\ma311n51.sys [2007-2-23 54784]

S3 RTCore;RTCore;\??\c:\documents and settings\compgeek\escritorio\rightmark memory analyzer v3.43_rmma343bin_fix\rtcore.sys --> c:\documents and settings\compgeek\escritorio\rightmark memory analyzer v3.43_rmma343bin_fix\RTCore.sys [?]

S3 SASENUM;SASENUM;\??\c:\archivos de programa\superantispyware\sasenum.sys --> c:\archivos de programa\superantispyware\SASENUM.SYS [?]

S3 VBoxNetAdp;VirtualBox Host-Only Ethernet Adapter;c:\windows\system32\drivers\VBoxNetAdp.sys [2009-11-19 95568]

S3 XDva359;XDva359;\??\c:\windows\system32\xdva359.sys --> c:\windows\system32\XDva359.sys [?]

S3 XIRLINK;Dsc Pro Digital 640 Camera;c:\windows\system32\drivers\C-itNT.sys [2010-1-18 447245]

S4 ppa;Controlador de filtro de puerto paralelo Iomega Parallel;c:\windows\system32\drivers\ppa.sys [2007-3-31 17792]

.

=============== Created Last 30 ================

.

2011-09-17 20:05:52 114 ----a-w- c:\windows\Printdir.bat

2011-09-17 04:59:22 73768 ----a-w- c:\windows\system32\drivers\SI3114.sys

2011-09-17 04:59:22 119848 ----a-w- c:\windows\system32\SilSupp.dll

2011-09-17 01:29:48 232512 ----a-w- c:\windows\system32\drivers\dtsoftbus01.sys

2011-09-17 01:09:20 102160 ----a-w- c:\windows\system32\drivers\nbf.sys

2011-09-17 00:21:08 -------- d-----w- c:\windows\ime

2011-09-10 20:22:23 -------- d-sha-r- C:\cmdcons

2011-09-10 20:22:21 -------- d-----w- c:\windows\setup.pss

2011-09-03 18:29:11 -------- d-----w- c:\archivos de programa\DAEMON Tools Lite

2011-09-03 18:28:53 -------- d-----w- c:\documents and settings\administrador\datos de programa\DAEMON Tools Lite

2011-09-03 18:28:49 -------- d-----w- c:\documents and settings\all users\datos de programa\DAEMON Tools Lite

.

==================== Find3M ====================

.

2011-06-26 06:45:56 256000 ----a-w- c:\windows\PEV.exe

2002-11-11 18:19:04 2274816 ----a-w- c:\archivos de programa\archivos comunes\Monopoly.exe

1999-12-09 19:17:14 172032 ----a-w- c:\archivos de programa\archivos comunes\binkw32.dll

1999-12-09 19:17:12 411648 ----a-w- c:\archivos de programa\archivos comunes\boarded.exe

.

============= FINISH: 19:54:01.15 ===============



AND NOW THE ATTACHED LOGS from DDS and GMER.

I have Gmer still running in case I need to delete a service, so I would appreciate a relatively fast help. Thank you and good night@<

Hello and Welcome to the forums!

My name is Gringo and I'll be glad to help you with your computer problems.

Somethings to remember while we are working together.

• Do not run any other tool untill instructed to do so!
  
• Please Do not Attach logs or put in code boxes.
  
• Tell me about any problems that have occurred during the fix.
  
• Tell me of any other symptoms you may be having as these can help also.
  
• Do not run anything while running a fix.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

Click on the Watch Topic Button and select Immediate Notification and click on proceed, this will help you to get notified faster when I have replied and make the cleaning process faster.

In order for me to see the status of the infection I will need a new set of logs to start with.

Please print out or make a copy in notpad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

DeFogger:

Please download DeFogger to your desktop.

Double click DeFogger to run the tool.

• The application window will appear
  
• Click the Disable button to disable your CD Emulation drivers
  
• Click Yes to continue
  
• A 'Finished!' message will appear
  
• Click OK
  
• DeFogger may ask you to reboot the machine, if it does - click OK

Do not re-enable these drivers until otherwise instructed.

Download DDS:

Please download DDS by sUBs from one of the links below and save it to your desktop:


Download DDS and save it to your desktop

Link1
Link2
Link3

Please disable any anti-malware program that will block scripts from running before running DDS.


• Double-Click on dds.scr and a command window will appear. This is normal.
  
• Shortly after two logs will appear:
  
  • DDS.txt
    
  • Attach.txt
  
  
• A window will open instructing you save & post the logs
  
• Save the logs to a convenient place such as your desktop
  
• Copy the contents of both logs & post in your next reply

information and logs:

In your next post I need the following


• .logs from DDS
  
• let me know of any problems you may have had

Gringo

9/27

HERE are the TWO logs you requested:

FROM dds.txt
------------
.

DDS (Ver_2011-08-26.01) - NTFSx86

Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_20

Run by emperador at 13:57:54 on 2011-09-24

Microsoft Windows XP Professional 5.1.2600.3.1252.34.3082.18.2047.1631 [GMT -6:00]

.

.

============== Running Processes ===============

.

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup

svchost.exe

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Archivos de programa\Creative\Shared Files\CTAudSvc.exe

C:\WINDOWS\system32\crypserv.exe

C:\Archivos de programa\Java\jre6\bin\jqs.exe

C:\WINDOWS\system32\PnkBstrA.exe

C:\Archivos de programa\CyberLink\Shared files\RichVideo.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\Explorer.EXE

.

============== Pseudo HJT Report ===============

.

uStart Page = https://www.ixquick.com

BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File

BHO: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - AcroIEHlprObj Class

BHO: WormRadar.com IESiteBlocker.NavFilter: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - AVG Safe Search

BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\archivos de programa\java\jre6\bin\jp2ssv.dll

BHO: {e5a1691b-d188-4419-ad02-90002030b8ee} - FlashFXP Helper for Internet Explorer

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\archivos de programa\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

dRun: [DWQueuedReporting] "c:\archiv~1\archiv~1\micros~1\dw\dwtrig20.exe" -t

dRunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\archivos de programa\messenger\msmsgs.exe

TCP: Interfaces\{C29FD719-342B-4864-BFA3-6E23246F2E46} : NameServer = 68.87.85.102,68.87.69.150

Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\archivos de programa\archivos comunes\microsoft shared\web folders\PKMCDO.DLL

Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\archiv~1\archiv~1\skype\SKYPE4~1.DLL

Name-Space Handler: ftp\GetRightIEClickCatcher - {73BA8F12-723E-11D1-A9E2-00403320FCF2} - c:\archivos de programa\getright\xx2gr.dll

Name-Space Handler: http\GetRightIEClickCatcher - {73BA8F12-723E-11D1-A9E2-00403320FCF2} - c:\archivos de programa\getright\xx2gr.dll

Notify: !SASWinLogon - h:\archivos de programa\superantispyware\SASWINLO.DLL

Notify: AtiExtEvent - Ati2evxx.dll

Notify: ComPlusSetup - c:\windows\system32\catsrvut.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - h:\archivos de programa\superantispyware\SASSEH.DLL

.

================= FIREFOX ===================

.

FF - ProfilePath - c:\documents and settings\administrador\datos de programa\mozilla\firefox\profiles\hrc436z7.default\

FF - plugin: c:\archivos de programa\java\jre6\bin\new_plugin\npdeployJava1.dll

FF - plugin: c:\archivos de programa\opera\program\plugins\NPDocBox.dll

FF - plugin: c:\archivos de programa\opera\program\plugins\nppdf32.dll

FF - plugin: c:\documents and settings\all users\datos de programa\zylom\zylomgamesplayer\npzylomgamesplayer.dll

FF - plugin: c:\program files\real\realplayer\netscape6\nppl3260.dll

FF - plugin: c:\program files\real\realplayer\netscape6\nprjplug.dll

FF - plugin: c:\program files\real\realplayer\netscape6\nprpjplug.dll

FF - plugin: h:\archivos de programa\divx\divx web player\npdivx32.dll

FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\archivos de programa\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\archivos de programa\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

FF - Ext: Java Quick Starter: jqs@sun.com - h:\archivos de programa\java\jre6\lib\deploy\jqs\ff

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}

.

============= SERVICES / DRIVERS ===============

.

R0 d344bus6;d344bus6;c:\windows\system32\drivers\d344bus6.sys [2007-10-31 137216]

R0 SI3114;SiI-3114 SATALink Controller;c:\windows\system32\drivers\SI3114.sys [2011-9-16 73768]

R0 SiWinAcc;SiWinAcc;c:\windows\system32\drivers\SiWinAcc.sys [2004-8-10 19240]

R1 SASDIFSV;SASDIFSV;h:\archivos de programa\superantispyware\sasdifsv.sys [2010-2-17 12872]

R1 SASKUTIL;SASKUTIL;h:\archivos de programa\superantispyware\SASKUTIL.SYS [2010-5-10 67656]

R1 VBoxDrv;VirtualBox Service;c:\windows\system32\drivers\VBoxDrv.sys [2009-11-19 116560]

R1 VBoxUSBMon;VirtualBox USB Monitor Driver;c:\windows\system32\drivers\VBoxUSBMon.sys [2009-11-19 41424]

R2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2009-10-20 50704]

R3 3xHybrid;Pinnacle PCTV 100i-110i-300i-310i-MCE;c:\windows\system32\drivers\3xHybrid.sys [2009-11-13 1121536]

R3 COMMONFX.SYS;COMMONFX.SYS;c:\windows\system32\drivers\COMMONFX.sys [2010-3-18 99416]

R3 CTAUDFX.SYS;CTAUDFX.SYS;c:\windows\system32\drivers\CTAUDFX.sys [2010-3-18 555096]

R3 CTSBLFX.SYS;CTSBLFX.SYS;c:\windows\system32\drivers\CTSBLFX.sys [2010-3-18 566360]

R3 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\drivers\dtsoftbus01.sys [2011-9-16 232512]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2010-9-11 20952]

R3 VBoxNetFlt;VBoxNetFlt Service;c:\windows\system32\drivers\VBoxNetFlt.sys [2009-11-10 104016]

S0 d344bus;d344bus;c:\windows\system32\drivers\d344bus.sys --> c:\windows\system32\drivers\d344bus.sys [?]

S0 d344prt;d344prt;c:\windows\system32\drivers\d344prt.sys --> c:\windows\system32\drivers\d344prt.sys [?]

S1 mirrorv3;mirrorv3;c:\windows\system32\drivers\rminiv3.sys [2006-11-1 3328]

S2 MBAMService;MBAMService;h:\archivos de programa\malwarebytes' anti-malware\mbamservice.exe [2010-9-11 304464]

S3 COMMONFX;COMMONFX;c:\windows\system32\drivers\COMMONFX.sys [2010-3-18 99416]

S3 COMMPR;CommView/WiFi Driver by TamoSoft;c:\windows\system32\drivers\commpr.sys [2004-4-1 15104]

S3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\archivos de programa\archivos comunes\creative labs shared\service\CTAELicensing.exe [2010-9-22 79360]

S3 CTAUDFX;CTAUDFX;c:\windows\system32\drivers\CTAUDFX.sys [2010-3-18 555096]

S3 CTERFXFX.SYS;CTERFXFX.SYS;c:\windows\system32\drivers\CTERFXFX.sys [2010-3-18 100952]

S3 CTERFXFX;CTERFXFX;c:\windows\system32\drivers\CTERFXFX.sys [2010-3-18 100952]

S3 CTSBLFX;CTSBLFX;c:\windows\system32\drivers\CTSBLFX.sys [2010-3-18 566360]

S3 ddsxeiservice;ddsxeiservice2;\??\c:\archivos de programa\sxe injected\ddsxei.sys --> c:\archivos de programa\sxe injected\ddsxei.sys [?]

S3 IPN2120;Wireless-B PCI Adapter Driver;c:\windows\system32\drivers\lsipnds.sys --> c:\windows\system32\drivers\LSIPNDS.sys [?]

S3 ISLNDIS5;ISLNDIS5 Protocol Driver;\??\c:\windows\system32\islndis5.sys --> c:\windows\system32\ISLNDIS5.SYS [?]

S3 jgameenp;jgameenp;\??\c:\docume~1\compgeek\config~1\temp\jgameenp.sys --> c:\docume~1\compgeek\config~1\temp\jgameenp.sys [?]

S3 MA311;NETGEAR Wireless LAN Driver;c:\windows\system32\drivers\ma311n51.sys [2007-2-23 54784]

S3 RTCore;RTCore;\??\c:\documents and settings\compgeek\escritorio\rightmark memory analyzer v3.43_rmma343bin_fix\rtcore.sys --> c:\documents and settings\compgeek\escritorio\rightmark memory analyzer v3.43_rmma343bin_fix\RTCore.sys [?]

S3 SASENUM;SASENUM;\??\c:\archivos de programa\superantispyware\sasenum.sys --> c:\archivos de programa\superantispyware\SASENUM.SYS [?]

S3 VBoxNetAdp;VirtualBox Host-Only Ethernet Adapter;c:\windows\system32\drivers\VBoxNetAdp.sys [2009-11-19 95568]

S3 XDva359;XDva359;\??\c:\windows\system32\xdva359.sys --> c:\windows\system32\XDva359.sys [?]

S3 XIRLINK;Dsc Pro Digital 640 Camera;c:\windows\system32\drivers\C-itNT.sys [2010-1-18 447245]

S4 d344prt6;d344prt6;c:\windows\system32\drivers\d344prt6.sys [2007-10-31 5248]

S4 d347bus;d347bus;c:\windows\system32\drivers\d347bus.sys [2010-8-14 155136]

S4 d347prt;d347prt;c:\windows\system32\drivers\d347prt.sys [2010-8-14 5248]

S4 ppa;Controlador de filtro de puerto paralelo Iomega Parallel;c:\windows\system32\drivers\ppa.sys [2007-3-31 17792]

.

=============== Created Last 30 ================

.

2011-09-17 20:05:52 114 ----a-w- c:\windows\Printdir.bat

2011-09-17 04:59:22 73768 ----a-w- c:\windows\system32\drivers\SI3114.sys

2011-09-17 04:59:22 119848 ----a-w- c:\windows\system32\SilSupp.dll

2011-09-17 01:29:48 232512 ----a-w- c:\windows\system32\drivers\dtsoftbus01.sys

2011-09-17 01:09:20 102160 ----a-w- c:\windows\system32\drivers\nbf.sys

2011-09-17 00:21:08 -------- d-----w- c:\windows\ime

2011-09-10 20:22:23 -------- d-sha-r- C:\cmdcons

2011-09-10 20:22:21 -------- d-----w- c:\windows\setup.pss

2011-09-03 18:29:11 -------- d-----w- c:\archivos de programa\DAEMON Tools Lite

2011-09-03 18:28:53 -------- d-----w- c:\documents and settings\administrador\datos de programa\DAEMON Tools Lite

2011-09-03 18:28:49 -------- d-----w- c:\documents and settings\all users\datos de programa\DAEMON Tools Lite

.

==================== Find3M ====================

.

2002-11-11 18:19:04 2274816 ----a-w- c:\archivos de programa\archivos comunes\Monopoly.exe

1999-12-09 19:17:14 172032 ----a-w- c:\archivos de programa\archivos comunes\binkw32.dll

1999-12-09 19:17:12 411648 ----a-w- c:\archivos de programa\archivos comunes\boarded.exe

.

============= FINISH: 13:58:24.15 ===============



\\\\\\\





From Attach.txt
---------------

.

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.

IF REQUESTED, ZIP IT UP & ATTACH IT

.

DDS (Ver_2011-08-26.01)

.

Microsoft Windows XP Professional

Boot Device: \Device\HarddiskVolume1

Install Date: 21/09/2010 18:25:31

System Uptime: 24/09/2011 13:55:29 (0 hours ago)

.

Motherboard: | | nVidia-nForce

Processor: AMD Athlon™ XP | Socket A | 1804/200mhz

.

==== Disk Partitions =========================

.

A: is Removable

C: is FIXED (NTFS) - 112 GiB total, 5,77 GiB free.

D: is Removable

E: is CDROM ()

H: is FIXED (NTFS) - 167 GiB total, 10,136 GiB free.

J: is Removable

.

==== Disabled Device Manager Items =============

.

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}

Description: Adaptador de red 1394

Device ID: V1394\NIC1394\41001AF523C01

Manufacturer: Microsoft

Name: Adaptador de red 1394 #4

PNP Device ID: V1394\NIC1394\41001AF523C01

Service: NIC1394

.

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}

Description: Controladora de red

Device ID: PCI\VEN_1260&DEV_3873&SUBSYS_38731260&REV_01\4&3B1D9AB8&0&4840

Manufacturer:

Name: Controladora de red

PNP Device ID: PCI\VEN_1260&DEV_3873&SUBSYS_38731260&REV_01\4&3B1D9AB8&0&4840

Service:

.

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}

Description: VirtualBox Host-Only Ethernet Adapter

Device ID: ROOT\NET\0000

Manufacturer: Sun Microsystems, Inc.

Name: VirtualBox Host-Only Ethernet Adapter

PNP Device ID: ROOT\NET\0000

Service: VBoxNetAdp

.

==== System Restore Points ===================

.

No restore point in system.

.

==== Installed Programs ======================

.

3DMark06

AC3Filter 1.63b

Active@ Disk Image

Actualización de seguridad para Windows XP (KB923789)

Adobe AIR

Adobe Flash Player 10 Plugin

Adobe Photoshop 7.0

Adobe Shockwave Player

AGEIA PhysX v7.07.09

AnalogX Proxy

AnalogX SimpleServer:WWW

ArcSoft Panorama Maker 4

ATI - Software Uninstall Utility

ATI Catalyst Control Center

ATI Display Driver

ATITool Overclocking Utility

Bass Audio Decoder (remove only)

Bookworm Adventures Deluxe 1.0

BulletProof FTP Client v2.60.0.53

BulletProof FTP Server (remove only)

BulletProof FTP Server 2010 (remove only)

Call of Duty® 4 - Modern Warfare™

Call of Duty® 4 - Modern Warfare™ 1.6 Patch

Call of Duty® 4 - Modern Warfare™ 1.7 Patch

Call of Duty® 4 - Modern Warfare™ Demo

Catalyst Control Center - Branding

Catalyst Control Center Core Implementation

Catalyst Control Center Graphics Full Existing

Catalyst Control Center Graphics Full New

Catalyst Control Center Graphics Light

Catalyst Control Center Graphics Previews Common

Catalyst Control Center HydraVision Full

Catalyst Control Center Localization All

ccc-core-preinstall

ccc-core-static

ccc-utility

CCC Help Chinese Standard

CCC Help Chinese Traditional

CCC Help Czech

CCC Help Danish

CCC Help Dutch

CCC Help English

CCC Help Finnish

CCC Help French

CCC Help German

CCC Help Greek

CCC Help Hungarian

CCC Help Italian

CCC Help Japanese

CCC Help Korean

CCC Help Norwegian

CCC Help Polish

CCC Help Portuguese

CCC Help Russian

CCC Help Spanish

CCC Help Swedish

CCC Help Thai

CCC Help Turkish

CD Audio Reader Filter (remove only)

CDRoller version 8.81

Cheating-Death 4.33.4

ClearContext

Clifford Reading

Commview for Wifi

Consola de audio de Creative

Cool Edit Pro 2.1

Counter-Strike 1.6

Counter-Strike Source

Creative Software AutoUpdate

Cross Fire En

DAEMON Tools Lite

Diner Dash Hometown Hero Gourmet (remove only)

DirectVobSub (remove only)

Disketch CD Label Software

Disney's Toontown Online

DivX 5.0.5 Pro Video Codec

Dsc Pro

DScaler 5 Mpeg Decoders

DVD-lab PRO 2.51

DVD Decrypter (Remove Only)

EA.com Matchup

EA.com Update

Express Burn

Express Rip

ffdshow [rev 3124] [2009-11-03]

FFMPEG Core Files (remove only)

FIFA 2001

FileOpen Client

FinitySoft Memory Manger 4.0

FlashFXP v3

Foxit Reader

Fraps (remove only)

Gabest MPEG Splitter (remove only)

GetDataBack for NTFS

GetRight

GGPO

Golden Records Vinyl to CD Converter

GOM Player

GSpot Codec Information Appliance

Haali Media Splitter

Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)

Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)

HotWired (remove only)

hp deskjet 630c series

ImagXpress

ImgBurn

Insaniquarium Deluxe 1.1

ioquake3

IrfanView (remove only)

IsoBuster 2.8

Java Auto Updater

Java™ 6 Update 20

Java™ 6 Update 3

Java™ 6 Update 5

Java™ 6 Update 7

Juiced

LimeWire 5.3.6

Lock On: Modern Air Combat

Logitech Gaming Software

MA311 Device Driver and Configuration Utility

Malwarebytes' Anti-Malware

Medal of Honor Airborne Demo

Medal of Honor Allied Assault™ Breakthrough Demo

Microsoft .NET Framework 2.0 Service Pack 2

Microsoft Application Error Reporting

Microsoft IntelliPoint 7.1

Microsoft Office PowerPoint Viewer 2007 (English)

Microsoft Office Word Viewer 2003

Microsoft Office XP Professional with FrontPage

Microsoft Plus! para Windows XP

Microsoft Silverlight

Microsoft SQL Server 2005 Compact Edition [ENU]

Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053

Microsoft Visual C++ 2005 Redistributable

Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148

Microsoft WSE 3.0 Runtime

Microsoft XML Parser

Mozilla Firefox (3.6.8)

MSXML 4.0 SP2 (KB936181)

MSXML 4.0 SP2 (KB954430)

MSXML 4.0 SP2 (KB973688)

MSXML 6 Service Pack 2 (KB973686)

NeoTrace Pro 3.25

Nero OEM

neroxml

New Star Soccer 2010 v4.11

NewBlue 3D Explosions for Windows

NewBlue 3D Transformations for Windows

NewBlue Art Blends for Windows

NewBlue Art Effects for Windows

NewBlue Film Effects for Windows

NewBlue Motion Blends for Windows

NewBlue Motion Effects for Windows

NewBlue Video Essentials for Windows

Nikon Message Center

NVIDIA Drivers

Odyssey Client

OpenOffice.org 3.2

OpenSource AVI Splitter (remove only)

OpenSource DTS/AC3/DD+ Source Filter (remove only)

OpenSource Flash Video Splitter (remove only)

Opera 10.53

PC Inspector Smart Recovery

PesLauncher v3.75

PowerDVD

Prime95

Pro Evolution Soccer 2010 DEMO

Pro Evolution Soccer 4

Pro Evolution Soccer 6

QuickTime

R-Studio 3.0

Readiris Pro 11 Corporate Edition

RealMedia (remove only)

RealPlayer

RegCure 1.5.0.1

Registry Repair Wizard

Remote Administrator v2.1

Revisión para Windows XP (KB942288-v3)

Roxio DVDit Pro HD

SHOUTcast Source (remove only)

Skins

Skulltag

Skype web features

Skype™ 4.1

SmartSound Quicktracks Plugin

Sonic Update Manager

Sony Vegas Pro 8.0

Star Wars Republic Commando

Starcraft

Steam

Subtitle Workshop 2.51

Subtitles modifier 2.95

Sun VirtualBox

SUPERAntiSpyware

Tag&Rename 3.5.6

Tama Character 1.0

TeamSpeak 2 RC2

TeamSpeak 3 Client

The KMPlayer (remove only)

The Sims™ 3

TheBat! Home v4.2.36.4

TMPGEnc Plus 2.5

Tom Clancy's Ghost Recon Advanced Warfighter® 2

Treasure of the Incas

ubi.com

UltraISO Premium V9.36

Update for Microsoft .NET Framework 3.5 SP1 (KB963707)

VCRedistSetup

Vegas Pro 9.0

VideoLAN VLC media player 0.8.6d

VideoPad Video Editor

Virtools 3D Life Player

Vuze

WebFldrs XP

WinAce Archiver

Windows Installer Clean Up

Windows Media Format 11 runtime

Windows Media Format Runtime

Windows Media Player 10

Windows Media Tools 4.0

WinImage

WinPcap 4.1.1

WinRAR archiver

WORLD SOCCER WINNING ELEVEN 8 INTERNATIONAL

Xfire (remove only)

Xilisoft DVD Subtitle Ripper

Xvid 1.2.2 final uninstall

Yahoo! Internet Mail

Yahoo! Messenger

zbattle.net 1.09 SR-1 beta

Zoom Player (remove only)

.

==== End Of File ===========================


No problems during this log copilation.

I want to know if you see something that shouldn't be there... I used combofix on this machine before I came to this forum and it got rid of 4 windows directories on different accounts I supposed they were fake windows directories containting the rootkit. But my concern is that starting windows is still slow as it was with the virus... it takes almost a minute for the login screen to show up, so I suppose some remanent from the virus may still be breathing inside.

-Also many of the icons that position near the clock have disappeared includding malware bytes.

This post has been edited by peruano1947: 24 September 2011 - 04:53 PM

Hello

I would like you to download an updated version of combofix.

update combofix

Delete the version of combofix you have now on your desktop and download a new one from here


Link 1
Link 2
Link 3

**Note: It is important that it is saved directly to your desktop**

1. Close any open browsers.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note:Do not mouseclick combofix's window while it's running. That may cause it to stall

Note 2: If you recieve an error "Illegal operation attempted on a registery key that has been marked for deletion." Please restart the computer

"information and logs"

In your next post I need the following


• Log from Combofix
  
• let me know of any problems you may have had
  
• How is the computer doing now?

Gringo

Hello

48 Hour bump

It has been more than 48 hours since my last post.

• do you still need help with this?
  
• do you need more time?
  
• are you having problems following my instructions?
  
• if after 48hrs you have not replied to this thread then it will have to be closed!

Gringo

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days. Please include a link to your topic in the Private Message. Thank you.

The topic has been reopened Let me have the report when ready



gringo

First I want to know what made you think I need to run combofix.
Weren't the logs I provided detailed enough?

Hello

I like to run combofix first because of the backups it makes - plus installing the recovery console if needed, it will also clear out alot of virus that may or may not show in the other scans and because what you think is on the computer I want to start with combofix

gringo

HEre are the attached logs from combofix, please let me know why my login screen is slow to show up also why the start up options were most unchecked as if someone had manually uncheck them... that's why many of the taskbar icons were missing. please Clear up my concerns.

Btw I can see a virus file was detected on the log but the computer still boots up slow to show the login accounts

ComboFix 11-10-01.02 - emperador 10/01/2011 10:16:49.44.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.34.3082.18.2047.1678 [GMT -6:00]
Running from: c:\documents and settings\Administrador\Escritorio\ComboFix.exe
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\system32\d3d9caps.dat
.
.
((((((((((((((((((((((((( Files Created from 2011-09-01 to 2011-10-01 )))))))))))))))))))))))))))))))
.
.
2011-09-17 20:05 . 2011-09-17 20:05 114 ----a-w- c:\windows\Printdir.bat
2011-09-17 04:59 . 2008-04-14 18:52 119848 ----a-w- c:\windows\system32\SilSupp.dll
2011-09-17 04:59 . 2008-04-14 18:52 73768 ----a-w- c:\windows\system32\drivers\SI3114.sys
2011-09-17 01:29 . 2011-09-17 01:29 232512 ----a-w- c:\windows\system32\drivers\dtsoftbus01.sys
2011-09-17 01:09 . 2003-02-06 20:26 102160 ----a-w- c:\windows\system32\drivers\nbf.sys
2011-09-17 00:21 . 2011-09-17 00:21 -------- d-----w- c:\windows\ime
2011-09-03 18:29 . 2011-09-17 01:29 -------- d-----w- c:\archivos de programa\DAEMON Tools Lite
2011-09-03 18:28 . 2011-09-17 01:16 -------- d-----w- c:\documents and settings\Administrador\Datos de programa\DAEMON Tools Lite
2011-09-03 18:28 . 2011-09-03 18:28 -------- d-----w- c:\documents and settings\All Users\Datos de programa\DAEMON Tools Lite
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2002-11-11 18:19 . 2007-04-03 19:40 2274816 ----a-w- c:\archivos de programa\Archivos comunes\Monopoly.exe
1999-12-09 19:17 . 2007-04-03 19:40 172032 ----a-w- c:\archivos de programa\Archivos comunes\binkw32.dll
1999-12-09 19:17 . 2007-04-03 19:40 411648 ----a-w- c:\archivos de programa\Archivos comunes\boarded.exe
.
.
((((((((((((((((((((((((((((( SnapShot_2010-09-22_10.47.39 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-10-01 16:01 . 2011-10-01 16:01 16384 c:\windows\temp\Perflib_Perfdata_5e0.dat
+ 2010-09-25 04:40 . 2000-04-25 00:40 40960 c:\windows\system32\PicEng.dll
- 2001-08-24 11:00 . 2010-09-22 00:40 83816 c:\windows\system32\perfc00A.dat
+ 2001-08-24 11:00 . 2011-10-01 16:05 83816 c:\windows\system32\perfc00A.dat
- 2001-08-24 11:00 . 2010-09-22 00:40 66328 c:\windows\system32\perfc009.dat
+ 2001-08-24 11:00 . 2011-10-01 16:05 66328 c:\windows\system32\perfc009.dat
+ 2008-04-14 07:48 . 2008-04-14 13:48 16896 c:\windows\system32\msyuv.dll
- 2008-04-14 07:48 . 2008-04-14 06:01 16896 c:\windows\system32\msyuv.dll
+ 2008-04-14 07:48 . 2008-04-14 13:48 47616 c:\windows\system32\iyuv_32.dll
- 2008-04-14 07:48 . 2008-04-14 06:01 47616 c:\windows\system32\iyuv_32.dll
+ 2004-08-10 10:41 . 2008-04-14 18:52 19240 c:\windows\system32\drivers\SiWinAcc.sys
+ 2007-04-06 03:19 . 2008-04-14 13:48 54784 c:\windows\system32\dllcache\vfwwdm32.dll
+ 2008-04-14 07:48 . 2008-04-14 13:48 16896 c:\windows\system32\dllcache\msyuv.dll
+ 2008-04-14 07:48 . 2008-04-14 13:48 47616 c:\windows\system32\dllcache\iyuv_32.dll
+ 2010-09-25 05:07 . 1999-11-11 13:25 49152 c:\windows\system32\CamCapEx.dll
- 2001-08-22 22:15 . 2001-08-24 17:00 8192 c:\windows\system32\tsbyuv.dll
+ 2001-08-22 22:15 . 2001-08-23 04:15 8192 c:\windows\system32\tsbyuv.dll
+ 2001-08-22 22:15 . 2001-08-23 04:15 8192 c:\windows\system32\dllcache\tsbyuv.dll
+ 2009-01-24 15:55 . 2008-04-14 14:48 159232 c:\windows\system32\ptpusd.dll
- 2009-01-24 15:55 . 2004-08-19 22:42 159232 c:\windows\system32\ptpusd.dll
- 2001-08-24 11:00 . 2010-09-22 00:40 490216 c:\windows\system32\perfh00A.dat
+ 2001-08-24 11:00 . 2011-10-01 16:05 490216 c:\windows\system32\perfh00A.dat
+ 2001-08-24 11:00 . 2011-10-01 16:05 427894 c:\windows\system32\perfh009.dat
- 2001-08-24 11:00 . 2010-09-22 00:40 427894 c:\windows\system32\perfh009.dat
+ 2008-04-14 07:49 . 2008-04-14 13:49 294912 c:\windows\system32\msh263.drv
- 2008-04-14 07:49 . 2008-04-14 06:01 294912 c:\windows\system32\msh263.drv
- 2010-01-18 22:53 . 2000-04-28 00:29 447245 c:\windows\system32\drivers\C-itNT.sys
+ 2010-01-18 22:53 . 2000-04-27 23:29 447245 c:\windows\system32\drivers\C-itNT.sys
+ 2010-09-25 04:44 . 2000-05-03 17:08 225280 c:\windows\system32\camfc.dll
+ 2010-09-25 03:10 . 1998-10-29 22:45 306688 c:\windows\IsUninst.exe
+ 2010-11-05 01:21 . 2010-11-05 01:21 265216 c:\windows\Installer\157d4.msi
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\archiv~1\ARCHIV~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"tscuninstall"="c:\windows\system32\tscupgrd.exe" [2004-08-19 44544]
.
c:\documents and settings\Natalia.AMD-2500\Men£ Inicio\Programas\Inicio\
LimeWire On Startup.lnk - h:\archivos de programa\LimeWire\LimeWire.exe [2009-9-30 503808]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "h:\archivos de programa\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- h:\archivos de programa\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ComPlusSetup]
2008-04-14 05:48 625664 ----a-w- c:\windows\system32\catsrvut.dll
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0sprestrt\0sprestrt
.
[HKLM\~\startupfolder\C:^Documents and Settings^Administrador^Menú Inicio^Programas^Inicio^OpenOffice.org 3.2.lnk]
path=c:\documents and settings\Administrador\Menú Inicio\Programas\Inicio\OpenOffice.org 3.2.lnk
backup=c:\windows\pss\OpenOffice.org 3.2.lnkStartup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menú Inicio^Programas^Inicio^Adobe Gamma Loader.lnk]
path=c:\documents and settings\All Users\Menú Inicio\Programas\Inicio\Adobe Gamma Loader.lnk
backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menú Inicio^Programas^Inicio^Adobe Reader Speed Launch.lnk]
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menú Inicio^Programas^Inicio^Configuration Utility.lnk]
backup=c:\windows\pss\Configuration Utility.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menú Inicio^Programas^Inicio^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Menú Inicio\Programas\Inicio\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UserFaultCheck]
c:\windows\system32\dumprep 0 -u [X]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTHelper]
2010-03-19 01:17 19456 ----a-w- c:\windows\system32\CtHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelliPoint]
2009-11-11 23:23 1468256 ----a-w- c:\archivos de programa\Microsoft IntelliPoint\ipoint.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
2004-07-27 23:50 81920 ----a-w- c:\archivos de programa\Archivos comunes\InstallShield\UpdateService\issch.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LanguageShortcut]
2006-05-18 18:29 49152 ----a-w- h:\archivos de programa\CyberLink\PowerDVD\Language\Language.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes' Anti-Malware]
2010-04-29 21:39 437584 ----a-w- h:\archivos de programa\Malwarebytes' Anti-Malware\mbamgui.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-03-19 04:16 421888 ----a-w- c:\archivos de programa\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Registry Repair Wizard Scheduler]
2010-03-15 04:56 1540352 ----a-w- c:\archivos de programa\SmartPCTools\Registry Repair Wizard\RCHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]
2010-02-11 05:32 61440 ----a-w- c:\archivos de programa\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-02-18 17:43 248040 ----a-w- c:\archivos de programa\Archivos comunes\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
2010-07-19 17:50 2403568 ----a-w- h:\archivos de programa\SUPERAntiSpyware\SUPERAntiSpyware.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
.
R0 d344bus6;d344bus6;c:\windows\system32\drivers\d344bus6.sys [31/10/2007 21:09 137216]
R0 SI3114;SiI-3114 SATALink Controller;c:\windows\system32\drivers\SI3114.sys [16/09/2011 22:59 73768]
R0 SiWinAcc;SiWinAcc;c:\windows\system32\drivers\SiWinAcc.sys [10/08/2004 4:41 19240]
R1 SASDIFSV;SASDIFSV;h:\archivos de programa\SUPERAntiSpyware\sasdifsv.sys [17/02/2010 12:25 12872]
R1 SASKUTIL;SASKUTIL;h:\archivos de programa\SUPERAntiSpyware\SASKUTIL.SYS [10/05/2010 12:41 67656]
R1 VBoxDrv;VirtualBox Service;c:\windows\system32\drivers\VBoxDrv.sys [19/11/2009 3:05 116560]
R1 VBoxUSBMon;VirtualBox USB Monitor Driver;c:\windows\system32\drivers\VBoxUSBMon.sys [19/11/2009 3:05 41424]
R2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [20/10/2009 12:19 50704]
R3 3xHybrid;Pinnacle PCTV 100i-110i-300i-310i-MCE;c:\windows\system32\drivers\3xHybrid.sys [13/11/2009 1:09 1121536]
R3 COMMONFX.SYS;COMMONFX.SYS;c:\windows\system32\drivers\COMMONFX.sys [18/03/2010 20:39 99416]
R3 CTAUDFX.SYS;CTAUDFX.SYS;c:\windows\system32\drivers\CTAUDFX.sys [18/03/2010 20:39 555096]
R3 CTSBLFX.SYS;CTSBLFX.SYS;c:\windows\system32\drivers\CTSBLFX.sys [18/03/2010 20:39 566360]
R3 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\drivers\dtsoftbus01.sys [16/09/2011 19:29 232512]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [11/09/2010 14:28 20952]
R3 VBoxNetFlt;VBoxNetFlt Service;c:\windows\system32\drivers\VBoxNetFlt.sys [10/11/2009 15:53 104016]
S0 d344bus;d344bus;c:\windows\system32\DRIVERS\d344bus.sys --> c:\windows\system32\DRIVERS\d344bus.sys [?]
S0 d344prt;d344prt;c:\windows\system32\Drivers\d344prt.sys --> c:\windows\system32\Drivers\d344prt.sys [?]
S2 MBAMService;MBAMService;h:\archivos de programa\Malwarebytes' Anti-Malware\mbamservice.exe [11/09/2010 14:28 304464]
S3 COMMONFX;COMMONFX;c:\windows\system32\drivers\COMMONFX.sys [18/03/2010 20:39 99416]
S3 COMMPR;CommView/WiFi Driver by TamoSoft;c:\windows\system32\drivers\commpr.sys [01/04/2004 14:15 15104]
S3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\archivos de programa\Archivos comunes\Creative Labs Shared\Service\CTAELicensing.exe [22/09/2010 4:32 79360]
S3 CTAUDFX;CTAUDFX;c:\windows\system32\drivers\CTAUDFX.sys [18/03/2010 20:39 555096]
S3 CTERFXFX.SYS;CTERFXFX.SYS;c:\windows\system32\drivers\CTERFXFX.sys [18/03/2010 20:39 100952]
S3 CTERFXFX;CTERFXFX;c:\windows\system32\drivers\CTERFXFX.sys [18/03/2010 20:39 100952]
S3 CTSBLFX;CTSBLFX;c:\windows\system32\drivers\CTSBLFX.sys [18/03/2010 20:39 566360]
S3 ddsxeiservice;ddsxeiservice2;\??\c:\archivos de programa\sXe Injected\ddsxei.sys --> c:\archivos de programa\sXe Injected\ddsxei.sys [?]
S3 IPN2120;Wireless-B PCI Adapter Driver;c:\windows\system32\DRIVERS\LSIPNDS.sys --> c:\windows\system32\DRIVERS\LSIPNDS.sys [?]
S3 ISLNDIS5;ISLNDIS5 Protocol Driver;\??\c:\windows\system32\ISLNDIS5.SYS --> c:\windows\system32\ISLNDIS5.SYS [?]
S3 jgameenp;jgameenp;\??\c:\docume~1\CompGeek\CONFIG~1\Temp\jgameenp.sys --> c:\docume~1\CompGeek\CONFIG~1\Temp\jgameenp.sys [?]
S3 MA311;NETGEAR Wireless LAN Driver;c:\windows\system32\drivers\ma311n51.sys [23/02/2007 6:14 54784]
S3 RTCore;RTCore;\??\c:\documents and settings\CompGeek\Escritorio\RightMark Memory Analyzer v3.43_rmma343bin_fix\RTCore.sys --> c:\documents and settings\CompGeek\Escritorio\RightMark Memory Analyzer v3.43_rmma343bin_fix\RTCore.sys [?]
S3 SASENUM;SASENUM;\??\c:\archivos de programa\SUPERAntiSpyware\SASENUM.SYS --> c:\archivos de programa\SUPERAntiSpyware\SASENUM.SYS [?]
S3 VBoxNetAdp;VirtualBox Host-Only Ethernet Adapter;c:\windows\system32\drivers\VBoxNetAdp.sys [19/11/2009 3:05 95568]
S3 XDva359;XDva359;\??\c:\windows\system32\XDva359.sys --> c:\windows\system32\XDva359.sys [?]
S3 XIRLINK;Dsc Pro Digital 640 Camera;c:\windows\system32\drivers\C-itNT.sys [18/01/2010 16:53 447245]
S4 d344prt6;d344prt6;c:\windows\system32\drivers\d344prt6.sys [31/10/2007 21:09 5248]
S4 d347bus;d347bus;c:\windows\system32\drivers\d347bus.sys [14/08/2010 17:22 155136]
S4 d347prt;d347prt;c:\windows\system32\drivers\d347prt.sys [14/08/2010 17:22 5248]
S4 ppa;Controlador de filtro de puerto paralelo Iomega Parallel;c:\windows\system32\drivers\ppa.sys [31/03/2007 15:02 17792]
S4 sptd;sptd;c:\windows\system32\Drivers\sptd.sys --> c:\windows\system32\Drivers\sptd.sys [?]
.
Contents of the 'Scheduled Tasks' folder
.
2011-10-01 c:\windows\Tasks\RegCure Program Check.job
- h:\archivos de programa\RegCure\RegCure.exe [2008-04-21 21:43]
.
2011-09-17 c:\windows\Tasks\RegCure.job
- h:\archivos de programa\RegCure\RegCure.exe [2008-04-21 21:43]
.
2011-10-01 c:\windows\Tasks\User_Feed_Synchronization-{54FBF54B-D709-4EAF-8BA4-90642F3015BF}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 10:31]
.
2011-10-01 c:\windows\Tasks\User_Feed_Synchronization-{9C80E4EA-A568-4953-A489-882C402303FD}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 10:31]
.
.
------- Supplementary Scan -------
.
uStart Page = https://www.ixquick.com
TCP: Interfaces\{C29FD719-342B-4864-BFA3-6E23246F2E46}: NameServer = 68.87.85.102,68.87.69.150
Name-Space Handler: ftp\GetRightIEClickCatcher - {73BA8F12-723E-11D1-A9E2-00403320FCF2} - c:\archivos de programa\GetRight\xx2gr.dll
Name-Space Handler: http\GetRightIEClickCatcher - {73BA8F12-723E-11D1-A9E2-00403320FCF2} - c:\archivos de programa\GetRight\xx2gr.dll
FF - ProfilePath - c:\documents and settings\Administrador\Datos de programa\Mozilla\Firefox\Profiles\hrc436z7.default\
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\archivos de programa\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\archivos de programa\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: Java Quick Starter: jqs@sun.com - h:\archivos de programa\Java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
.
- - - - ORPHANS REMOVED - - - -
.
MSConfigStartUp-SmcService - h:\archiv~1\Sygate\SPF\smc.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-10-01 10:21
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1960408961-616249376-725345543-500\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{C329C830-F1FD-FB8E-3A61-BD39E75F1645}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"hafnldifegiaedhc"=hex:6f,61,67,69,68,70,6f,69,6c,67,65,6d,61,67,66,6b,68,68,
6f,61,6d,68,6b,61,69,69,62,68,6f,66,00,77
"jaingdongmmnailnfkel"=hex:64,62,69,6e,6e,65,6b,67,69,67,65,65,62,6d,67,6d,70,
6f,6f,6a,6c,6b,6f,64,69,6b,62,62,61,6b,6c,6b,61,64,68,6e,6f,70,62,64,00,ef
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(560)
h:\archivos de programa\SUPERAntiSpyware\SASWINLO.DLL
c:\documents and settings\Administrador\Datos de programa\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
c:\documents and settings\Administrador\Datos de programa\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
c:\documents and settings\Administrador\Datos de programa\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\msi.dll
.
Completion time: 2011-10-01 10:23:23
ComboFix-quarantined-files.txt 2011-10-01 16:23
ComboFix2.txt 2011-09-10 21:38
ComboFix3.txt 2011-09-10 19:22
ComboFix4.txt 2011-09-03 18:07
ComboFix5.txt 2011-09-10 21:55
.
Pre-Run: 6,068,604,928 bytes libres
Post-Run: 6,011,637,760 bytes libres
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
.
Current=4 Default=4 Failed=0 LastKnownGood=9 Sets=1,2,3,4,5,6,7,8,9
- - End Of File - - 53941B5A94BC020B081D8A1C2FB41420

This post has been edited by gringo_pr: 05 October 2011 - 09:08 PM

Greetings

Good That cleaned up some bad guys but I see some other stuff that we need to go after, so I want you to run this custom script for me.

:Run CFScript:

Open Notepad and copy/paste the text in the box into the window:

ClearJavaCache::

RegNull::
[HKEY_USERS\S-1-5-21-1960408961-616249376-725345543-500\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{C329C830-F1FD-FB8E-3A61-BD39E75F1645}*]

Save it to your desktop as CFScript.txt

Refering to the picture above, drag CFScript.txt into ComboFix.exe

This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall

"information and logs"

In your next post I need the following


• report from Combofix
  
• let me know of any problems you may have had
  
• How is the computer doing now after running the script?

Gringo

gringo_pr, on 05 October 2011 - 09:11 PM, said:

I saved the text in a file but I'm using linux so the saved file looked out of format on windows I tried saving it differently using gedit hopefully the script worked how do I know if the script executed correctly?

Here's the report from Combofix.
btw I installed comodo firewall, I forgot I shouldn't had installed anything but I didn't have any firewall on it after I removed sygate so sorry if that could had change things...

- I didn't run any problems other then not knowing if the script actually worked but I think it did because combofix ate the file.

- And my login screen still lags like 15-20 seconds for the logins to show up what may that be? I think it use to be like a min long.
Tell me about what you see on the log.

This post has been edited by peruano1947: 05 October 2011 - 11:32 PM

Hello

I want you to run this tool for me next.

tdsskiller:

Please read carefully and follow these steps.

• Download TDSSKiller and save it to your Desktop.
  
• doubleclick on TDSSKiller.exe to run the application, then on Start Scan.
  
• If an infected file is detected, the default action will be Cure, click on Continue.
  
• If a suspicious file is detected, the default action will be Skip, click on Continue.
  
• It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  
• If no reboot is require, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  
• If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

Gringo