Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Badly Infected


  • This topic is locked This topic is locked
16 replies to this topic

#1 julivl1

julivl1

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:10:59 AM

Posted 04 July 2008 - 01:54 PM

ok idk whats wrong with my pc...all i know its that it goes crazy...windows start popping out...my desktop changes by itself...some websites dont open..i mean IE doesnt work im using mozilla...next to where it says the time and date it says VIRUS ALERT!..some window pops out sayin trojan..win32..netbooster...theres a couple more problems to it as well but here my hijackthis logfile report


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:50: VIRUS ALERT!, on 03/07/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Archivos de programa\Java\j2re1.4.2_14\bin\jusched.exe
C:\Archivos de programa\Archivos comunes\Real\Update_OB\realsched.exe
C:\Archivos de programa\Windows Live\Messenger\MsnMsgr.Exe
C:\Archivos de programa\Java\j2re1.4.2_14\bin\jucheck.exe
C:\Archivos de programa\Antivirus 2009\av2009.exe
C:\Archivos de programa\Internet Explorer\iexplore.exe
C:\Archivos de programa\SJLabs\SJphone\SJphone.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\WgaTray.exe
C:\Archivos de programa\Windows Live\Messenger\usnsvc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Archivos de programa\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Archivos de programa\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Archivos de programa\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Archivos de programa\Windows Media Player\wmplayer.exe
C:\Archivos de programa\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\system32\WISPTIS.EXE
C:\ARCHIV~1\MOZILL~1\FIREFOX.EXE
C:\Archivos de programa\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://search.bearshare.com/sidebar.html?src=ssb
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.bearshare.com/sidebar.html?src=ssb
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.bearshare.com/sidebar.html?src=ssb
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php?wmid=...6Ojg5&lid=2
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.crawler.com/search/ie.aspx?tb_id=61006
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = http://dnl.crawler.com/support/sa_customize.aspx?TbId=61006
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://dnl.crawler.com/support/sa_customize.aspx?TbId=61006
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer proporcionado por APOLO SYSTEM
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
R3 - URLSearchHook: (no name) - {1CB20BF0-BBAE-40A7-93F4-6435FF3D0411} - C:\ARCHIV~1\Crawler\Toolbar\ctbr.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Archivos de programa\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Archivos de programa\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1CB20BF0-BBAE-40A7-93F4-6435FF3D0411} - C:\ARCHIV~1\Crawler\Toolbar\ctbr.dll
O2 - BHO: QXK Olive - {2433FEB3-8BCA-49F3-8CA8-AD141C81A724} - C:\WINDOWS\kgqfweltlkb.dll
O2 - BHO: scriptproxy - {6D0386B3-FD72-488E-9740-90355AE21735} - C:\WINDOWS\system32\slonyx.dll (file missing)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Aplicación auxiliar de inicio de sesión - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Archivos de programa\Archivos comunes\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\archivos de programa\google\googletoolbar2.dll
O2 - BHO: e404 helper - {F10587E9-0E47-4CBE-84AE-7DD20B8684BB} - C:\Archivos de programa\Helper\megasearcheng.dll (file missing)
O2 - BHO: IE SecPlugin - {F5BDC469-1EC5-4193-824B-2E209993D183} - C:\WINDOWS\system32\bhoSearchSpy.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\archivos de programa\google\googletoolbar2.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Archivos de programa\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Protection Bar - {DF4E7A0C-E233-4906-B4C1-A404356541FF} - C:\Archivos de programa\Video ActiveX Access\iesbpl.dll (file missing)
O3 - Toolbar: Barra &Crawler - {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - C:\ARCHIV~1\Crawler\Toolbar\ctbr.dll
O3 - Toolbar: nqgpedlr - {EC4A1CF6-AE63-45C3-B7C7-E427DA6CBFD9} - C:\WINDOWS\nqgpedlr.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Archivos de programa\Java\j2re1.4.2_14\bin\jusched.exe"
O4 - HKLM\..\Run: [SpywareTerminator] "C:\ARCHIV~1\SPYWAR~1\SpywareTerminatorShield.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Archivos de programa\Archivos comunes\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [meet great active lies] C:\Documents and Settings\All Users\Datos de programa\soft chic meet great\Rect Htm.exe
O4 - HKLM\..\Run: [avgnt] "C:\Archivos de programa\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [MsnMsgr] "C:\Archivos de programa\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Microsoft Internet Explorer] C:\windows\system32\IEXPLORES.EXE
O4 - HKCU\..\Run: [firewals] C:\WINDOWS\system\msnmsssgser.exe
O4 - HKCU\..\Run: [Open thunk] C:\DOCUME~1\User\DATOSD~1\DATECL~1\Defy Logo.exe
O4 - HKCU\..\Run: [antispy] C:\Archivos de programa\IEAntiVirus\ANTIVIR.exe
O4 - HKCU\..\Run: [75057066929638745538043225741362] C:\Archivos de programa\Antivirus 2009\av2009.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICIO LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Servicio de red')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: TELEFONÍA UNE.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: Crawler Search - tbr:iemenu
O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\ARCHIV~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\j2re1.4.2_14\bin\npjpi142_14.dll
O9 - Extra 'Tools' menuitem: Consola de Sun Java - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\j2re1.4.2_14\bin\npjpi142_14.dll
O9 - Extra button: Referencia - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARCHIV~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Archivos de programa\Archivos comunes\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\User\Menú Inicio\Programas\IMVU\Run IMVU.lnk
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Archivos de programa\Yahoo!\Common\yinsthelper.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{4C7F131A-8648-497A-AD49-69F01145D7A5}: NameServer = 85.255.116.107,85.255.112.83
O17 - HKLM\System\CCS\Services\Tcpip\..\{8BF32FFE-3886-4F0E-AFDA-F983FA73762E}: NameServer = 85.255.116.107,85.255.112.83
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.107 85.255.112.83
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.116.107 85.255.112.83
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.107 85.255.112.83
O18 - Protocol: tbr - {4D25FB7A-8902-4291-960E-9ADA051CFBBF} - C:\ARCHIV~1\Crawler\Toolbar\ctbr.dll
O21 - SSODL: axrfgvek - {FC7B7E31-B52A-48BE-B03C-19ADB066D97C} - C:\WINDOWS\axrfgvek.dll
O22 - SharedTaskScheduler: haematobia - {3c767c6b-602d-4b9b-829d-a3dc5b2d89dd} - (no file)
O22 - SharedTaskScheduler: criticalness - {bd2948f8-c949-464f-824a-6272608c739e} - C:\WINDOWS\system32\vjxwnn.dll (file missing)
O23 - Service: Avira AntiVir Personal – Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Archivos de programa\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal – Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Archivos de programa\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Archivos de programa\Archivos comunes\Symantec Shared\ccSvcHst.exe (file missing)
O24 - Desktop Component 0: Privacy Protection - file:///C:\WINDOWS\privacy_danger\index.htm

--
End of file - 9440 bytes


any help would be thankfull

BC AdBot (Login to Remove)

 


#2 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:09:59 AM

Posted 04 July 2008 - 03:06 PM

Hello julivl1,

Welcome to Bleeping Computer :thumbsup:

You should print out these instructions, or copy them to a Notepad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

Please download SmitfraudFix (by S!Ri)
Extract the content (a folder named SmitfraudFix) to your Desktop.

Please reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key;
  • Instead of Windows loading as normal, a menu with options should appear;
  • Select the first option, to run Windows in Safe Mode, then press "Enter".
  • Choose your usual account.
Once in Safe Mode, open the SmitfraudFix folder again and double-click smitfraudfix.cmd
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart anyway into normal Windows. A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply along with a new HijackThis log.
The report can also be found at the root of the system drive, usually at C:\rapport.txt

Warning : running option #2 on a non infected computer will remove your Desktop background. So only run it once!

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?

#3 julivl1

julivl1
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:10:59 AM

Posted 04 July 2008 - 04:31 PM

thanks for the info n help ill try this out now thanks again

#4 julivl1

julivl1
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:10:59 AM

Posted 06 July 2008 - 12:23 PM

ok guys this is the report i got...my computer got a little bit better but i still have weird things hapenin to my comp..such as some blue screen comes out saying a bunch of stuff then it changes to the screen where windows loads when u turn on the pc....and little screens come out saying ur computer may be threatend or infected!!!!!!!!! what can i do next guys pls help thanks once again

SmitFraudFix v2.329

Scan done at 19:43:51,84, 05/07/2008
Run from C:\DOCUME~1\User\CONFIG~1\Temp\Rar$EX00.688\SmitfraudFix
OS: Microsoft Windows XP [Versi¢n 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{3c767c6b-602d-4b9b-829d-a3dc5b2d89dd}"="haematobia"


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{bd2948f8-c949-464f-824a-6272608c739e}"="criticalness"

[HKEY_CLASSES_ROOT\CLSID\{bd2948f8-c949-464f-824a-6272608c739e}\InProcServer32]
@="C:\WINDOWS\system32\vjxwnn.dll"

[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{bd2948f8-c949-464f-824a-6272608c739e}\InProcServer32]
@="C:\WINDOWS\system32\vjxwnn.dll"


»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» hosts


»»»»»»»»»»»»»»»»»»»»»»»» VACFix

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri
C:\WINDOWS\kgqfweltlkb.dll deleted.
C:\WINDOWS\nqgpedlr.dll deleted.


»»»»»»»»»»»»»»»»»»»»»»»» Winsock2 Fix

S!Ri's WS2Fix: LSP not Found.


»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

C:\WINDOWS\privacy_danger\ Deleted
C:\DOCUME~1\User\FAVORI~1\Online Security Test.url Deleted
C:\DOCUME~1\User\FAVORI~1\Error Cleaner.url Deleted
C:\DOCUME~1\User\FAVORI~1\Privacy Protector.url Deleted
C:\DOCUME~1\User\FAVORI~1\Spyware?Malware Protection.url Deleted
C:\Archivos de programa\Helper\ Deleted
C:\Archivos de programa\IEAntiVirus\ Deleted
C:\Archivos de programa\VirusProtectPro 3.5\ Deleted

»»»»»»»»»»»»»»»»»»»»»»»» IEDFix

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri



»»»»»»»»»»»»»»»»»»»»»»»» 404Fix

404Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» DNS

HKLM\SYSTEM\CCS\Services\Tcpip\..\{4C7F131A-8648-497A-AD49-69F01145D7A5}: NameServer=85.255.116.107,85.255.112.83
HKLM\SYSTEM\CCS\Services\Tcpip\..\{8BF32FFE-3886-4F0E-AFDA-F983FA73762E}: DhcpNameServer=85.255.116.107,85.255.112.83
HKLM\SYSTEM\CCS\Services\Tcpip\..\{8BF32FFE-3886-4F0E-AFDA-F983FA73762E}: NameServer=85.255.116.107,85.255.112.83
HKLM\SYSTEM\CCS\Services\Tcpip\..\{A1B9E0E3-F329-49E0-A566-5FD8534896AB}: DhcpNameServer=200.13.249.101 200.13.224.254
HKLM\SYSTEM\CS1\Services\Tcpip\..\{4C7F131A-8648-497A-AD49-69F01145D7A5}: NameServer=85.255.116.107,85.255.112.83
HKLM\SYSTEM\CS1\Services\Tcpip\..\{8BF32FFE-3886-4F0E-AFDA-F983FA73762E}: DhcpNameServer=85.255.116.107,85.255.112.83
HKLM\SYSTEM\CS1\Services\Tcpip\..\{8BF32FFE-3886-4F0E-AFDA-F983FA73762E}: NameServer=85.255.116.107,85.255.112.83
HKLM\SYSTEM\CS1\Services\Tcpip\..\{A1B9E0E3-F329-49E0-A566-5FD8534896AB}: DhcpNameServer=200.13.249.101 200.13.224.254
HKLM\SYSTEM\CS2\Services\Tcpip\..\{4C7F131A-8648-497A-AD49-69F01145D7A5}: NameServer=85.255.116.107,85.255.112.83
HKLM\SYSTEM\CS2\Services\Tcpip\..\{8BF32FFE-3886-4F0E-AFDA-F983FA73762E}: DhcpNameServer=85.255.116.107,85.255.112.83
HKLM\SYSTEM\CS2\Services\Tcpip\..\{8BF32FFE-3886-4F0E-AFDA-F983FA73762E}: NameServer=85.255.116.107,85.255.112.83
HKLM\SYSTEM\CS2\Services\Tcpip\..\{A1B9E0E3-F329-49E0-A566-5FD8534896AB}: DhcpNameServer=200.13.249.101 200.13.224.254
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=200.13.249.101 200.13.224.254
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: NameServer=85.255.116.107 85.255.112.83
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=200.13.249.101 200.13.224.254
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: NameServer=85.255.116.107 85.255.112.83
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=200.13.249.101 200.13.224.254
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: NameServer=85.255.116.107 85.255.112.83


»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"="kdslj.exe"

»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» Reboot

C:\WINDOWS\system32\kdslj.exe Deleted

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» End

#5 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:09:59 AM

Posted 06 July 2008 - 12:32 PM

Hello,

Well we aren't done yet. You have more than one thing floating around in there. :) That got rid of a lot though. :thumbsup:

Can I see a new HijackThis log please? :)

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?

#6 julivl1

julivl1
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:10:59 AM

Posted 06 July 2008 - 12:43 PM

oo ok sorry...well here my new hijackthis report


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:42:19, on 06/07/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe
C:\Archivos de programa\Java\j2re1.4.2_14\bin\jusched.exe
C:\Archivos de programa\Archivos comunes\Real\Update_OB\realsched.exe
C:\Archivos de programa\Windows Live\Messenger\MsnMsgr.Exe
C:\Archivos de programa\Antivirus 2009\av2009.exe
C:\Archivos de programa\SJLabs\SJphone\SJphone.exe
C:\Archivos de programa\Java\j2re1.4.2_14\bin\jucheck.exe
C:\Archivos de programa\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Archivos de programa\Windows Live\Messenger\usnsvc.exe
C:\Archivos de programa\Mozilla Firefox\firefox.exe
C:\Archivos de programa\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://search.bearshare.com/sidebar.html?src=ssb
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.crawler.com/search/ie.aspx?tb_id=61006
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = http://dnl.crawler.com/support/sa_customize.aspx?TbId=61006
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer proporcionado por APOLO SYSTEM
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
R3 - URLSearchHook: (no name) - {1CB20BF0-BBAE-40A7-93F4-6435FF3D0411} - C:\ARCHIV~1\Crawler\Toolbar\ctbr.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Archivos de programa\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Archivos de programa\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1CB20BF0-BBAE-40A7-93F4-6435FF3D0411} - C:\ARCHIV~1\Crawler\Toolbar\ctbr.dll
O2 - BHO: scriptproxy - {6D0386B3-FD72-488E-9740-90355AE21735} - C:\WINDOWS\system32\slonyx.dll (file missing)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Aplicación auxiliar de inicio de sesión - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Archivos de programa\Archivos comunes\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\archivos de programa\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\archivos de programa\google\googletoolbar2.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Archivos de programa\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Barra &Crawler - {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - C:\ARCHIV~1\Crawler\Toolbar\ctbr.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Archivos de programa\Java\j2re1.4.2_14\bin\jusched.exe"
O4 - HKLM\..\Run: [SpywareTerminator] "C:\ARCHIV~1\SPYWAR~1\SpywareTerminatorShield.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Archivos de programa\Archivos comunes\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [meet great active lies] C:\Documents and Settings\All Users\Datos de programa\soft chic meet great\Rect Htm.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Archivos de programa\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Microsoft Internet Explorer] C:\windows\system32\IEXPLORES.EXE
O4 - HKCU\..\Run: [firewals] C:\WINDOWS\system\msnmsssgser.exe
O4 - HKCU\..\Run: [Open thunk] C:\DOCUME~1\User\DATOSD~1\DATECL~1\Defy Logo.exe
O4 - HKCU\..\Run: [75057066929638745538043225741362] C:\Archivos de programa\Antivirus 2009\av2009.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICIO LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Servicio de red')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: TELEFONÍA UNE.lnk = ?
O8 - Extra context menu item: Crawler Search - tbr:iemenu
O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\ARCHIV~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\j2re1.4.2_14\bin\npjpi142_14.dll
O9 - Extra 'Tools' menuitem: Consola de Sun Java - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\j2re1.4.2_14\bin\npjpi142_14.dll
O9 - Extra button: Referencia - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARCHIV~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Archivos de programa\Archivos comunes\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\User\Menú Inicio\Programas\IMVU\Run IMVU.lnk
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Archivos de programa\Yahoo!\Common\yinsthelper.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{4C7F131A-8648-497A-AD49-69F01145D7A5}: NameServer = 85.255.116.107,85.255.112.83
O17 - HKLM\System\CCS\Services\Tcpip\..\{8BF32FFE-3886-4F0E-AFDA-F983FA73762E}: NameServer = 85.255.116.107,85.255.112.83
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.107 85.255.112.83
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.116.107 85.255.112.83
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.107 85.255.112.83
O18 - Protocol: tbr - {4D25FB7A-8902-4291-960E-9ADA051CFBBF} - C:\ARCHIV~1\Crawler\Toolbar\ctbr.dll
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Archivos de programa\Archivos comunes\Symantec Shared\ccSvcHst.exe (file missing)

--
End of file - 6480 bytes

#7 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:09:59 AM

Posted 06 July 2008 - 12:47 PM

Not a problem at all. :thumbsup:

This tool is not a toy. If used the wrong way you could trash your computer. Please use only under direction of a Helper. If you decide to do so anyway, please do not blame me or ComboFix.

1. Download this file - combofix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.forospyware.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply please, along with a new HijackThis log.

Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall.

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?

#8 julivl1

julivl1
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:10:59 AM

Posted 06 July 2008 - 01:16 PM

ok look heres my COMBO FIX report:

ComboFix 08-07-05.1 - User 2008-07-06 12:57:32.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.34.3082.18.44 [GMT -5:00]
Se ejecuta desde: C:\Documents and Settings\User\Escritorio\ComboFix.exe
* Creado un nuevo punto de restauración

ADVERTENCIA - ESTE EQUIPO NO TIENE INSTALADA LA CONSOLA DE RECUPERACION!
.
ADS - svchost.exe: deleted 68 bytes in 1 streams.

(((((((((((((((((((((((((((((((((((( Otras eliminaciones )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Archivos de programa\Antivirus 2009
C:\Archivos de programa\Antivirus 2009\av2009.exe
C:\Archivos de programa\Archivos comunes\winantivirus pro 2006
C:\Archivos de programa\Archivos comunes\winantivirus pro 2006\err.log
C:\Archivos de programa\Archivos comunes\winantivirus pro 2006\WapCHK.dll
C:\Archivos de programa\FunWebProducts
C:\Archivos de programa\FunWebProducts\Shared\Cache\AvatarSmallBtn.html
C:\Archivos de programa\FunWebProducts\Shared\Cache\CursorManiaBtn.html
C:\Archivos de programa\FunWebProducts\Shared\Cache\FunBuddyIconBtn.html
C:\Archivos de programa\FunWebProducts\Shared\Cache\MyFunCardsIMBtn.html
C:\Archivos de programa\FunWebProducts\Shared\Cache\SmileyCentralBtn.html
C:\Archivos de programa\MyWebSearch
C:\Archivos de programa\MyWebSearch\bar\1.bin\F3SPACER.WMV
C:\Archivos de programa\MyWebSearch\bar\1.bin\F3WALLPP.DAT
C:\Archivos de programa\MyWebSearch\bar\1.bin\M3FFXTBR.MANIFEST
C:\Archivos de programa\MyWebSearch\bar\1.bin\M3MSG.DLL
C:\Archivos de programa\MyWebSearch\bar\1.bin\M3NTSTBR.MANIFEST
C:\Archivos de programa\MyWebSearch\bar\1.bin\M3SRCHMN.EXE
C:\Archivos de programa\MyWebSearch\bar\1.bin\MWSBAR.DLL
C:\Archivos de programa\MyWebSearch\bar\History\search2
C:\Archivos de programa\winantivirus pro 2006
C:\Archivos de programa\winantivirus pro 2006\msvcp71.dll
C:\Archivos de programa\winantivirus pro 2006\msvcr71.dll
C:\Documents and Settings\All Users\Datos de programa\WinAntiVirus Pro 2006
C:\Documents and Settings\User\Datos de programa\DriveCleaner 2006 Free
C:\Documents and Settings\User\Datos de programa\DriveCleaner 2006 Free\Logs\update.log
C:\Documents and Settings\User\Datos de programa\FunWebProducts
C:\Documents and Settings\User\Datos de programa\macromedia\Flash Player\#SharedObjects\ZDEZYXM2\iforex.com
C:\Documents and Settings\User\Datos de programa\macromedia\Flash Player\#SharedObjects\ZDEZYXM2\iforex.com\Emerp\Events\flash_object.swf\user_data.sol
C:\Documents and Settings\User\Datos de programa\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#iforex.com
C:\Documents and Settings\User\Datos de programa\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#iforex.com\settings.sol
C:\Documents and Settings\User\Datos de programa\Microsoft\Internet Explorer\Quick Launch\Antivirus 2009.lnk
C:\Documents and Settings\User\Datos de programa\WinAntiVirus Pro 2006
C:\Documents and Settings\User\Datos de programa\WinAntiVirus Pro 2006\Logs\update.log
C:\Documents and Settings\User\Datos de programa\WinAntiVirus Pro 2006\Logs\wa6Support.log
C:\Documents and Settings\User\Datos de programa\WinAntiVirus Pro 2006\Logs\winav.log
C:\Documents and Settings\User\Datos de programa\WinAntiVirus Pro 2006\PGE.dat
C:\Documents and Settings\User\err.log
C:\Documents and Settings\User\Menú Inicio\Antivirus 2009
C:\Documents and Settings\User\Menú Inicio\Antivirus 2009\Antivirus 2009.lnk
C:\Documents and Settings\User\Menú Inicio\Antivirus 2009\Uninstall Antivirus 2009.lnk
C:\Documents and Settings\User\Menú Inicio\Programas\IE AntiVirus 3.3.lnk
C:\WA6P
C:\WINDOWS\epnv.exe
C:\WINDOWS\monitorado.dll
C:\WINDOWS\system32\scui.cpl
C:\WINDOWS\system32\stera.job
C:\WINDOWS\system32\stera.log

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_FOPN
-------\Service_FOPN
-------\Service_vspf
-------\Service_vspf_hk


(((((((((((((((((( Archivos creados desde 2008-06-06 - 2008-07-06 )))))))))))))))))))))))))))))))))
.

2008-07-05 19:44 . 2008-07-05 19:44 2,072 --a------ C:\WINDOWS\system32\tmp.reg
2008-07-05 19:43 . 2007-09-06 00:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-07-05 19:43 . 2006-04-27 17:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-07-05 19:43 . 2008-05-29 09:35 86,528 --a------ C:\WINDOWS\system32\VACFix.exe
2008-07-05 19:43 . 2008-05-18 21:40 82,944 --a------ C:\WINDOWS\system32\IEDFix.exe
2008-07-05 19:43 . 2008-07-02 13:33 82,432 --a------ C:\WINDOWS\system32\IEDFix.C.exe
2008-07-05 19:43 . 2008-05-23 18:21 81,920 --a------ C:\WINDOWS\system32\404Fix.exe
2008-07-05 19:43 . 2003-06-05 21:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2008-07-05 19:43 . 2004-07-31 18:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-07-05 19:43 . 2007-10-04 00:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-07-03 20:05 . 2008-07-03 20:05 <DIR> d-------- C:\Deckard
2008-07-03 19:49 . 2008-07-03 19:49 <DIR> d-------- C:\Archivos de programa\Trend Micro
2008-07-03 14:37 . 2008-07-06 09:31 <DIR> d-------- C:\Documents and Settings\All Users\Datos de programa\Avira
2008-07-03 10:05 . 2008-07-03 10:05 12 --a------ C:\WINDOWS\EZMediaBox2.ini
2008-07-02 22:57 . 2008-07-02 22:57 <DIR> d-------- C:\Documents and Settings\All Users\Datos de programa\ESET
2008-07-02 16:01 . 2008-07-02 11:30 229,376 --a------ C:\WINDOWS\okmdepgb.dll
2008-07-02 16:01 . 2008-07-02 11:30 200,704 --a------ C:\WINDOWS\axrfgvek.dll
2008-07-02 16:01 . 2008-07-02 11:30 86,016 --a------ C:\WINDOWS\mrvtdpqe.exe
2008-07-02 15:57 . 2008-07-02 15:57 25,088 --a------ C:\WINDOWS\system32\sla32.dll
2008-06-23 21:26 . 2008-06-23 21:26 <DIR> d-------- C:\Archivos de programa\Date close site
2008-06-11 07:47 . 2008-06-14 12:59 272,512 --------- C:\WINDOWS\system32\drivers\bthport.sys
2008-06-11 07:47 . 2008-06-14 12:59 272,512 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys
2008-06-08 12:52 . 2004-08-19 15:42 159,232 --a------ C:\WINDOWS\system32\ptpusd.dll
2008-06-08 12:52 . 2004-08-03 22:58 15,104 --a------ C:\WINDOWS\system32\drivers\usbscan.sys
2008-06-08 12:52 . 2004-08-03 22:58 15,104 --a--c--- C:\WINDOWS\system32\dllcache\usbscan.sys
2008-06-08 12:52 . 2001-08-22 22:15 5,632 --a------ C:\WINDOWS\system32\ptpusb.dll

.
(((((((((((((((((((((((((((((((((((((( Reporte Find3M )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-03 20:53 --------- d-----w C:\Archivos de programa\Skype
2008-07-03 20:45 --------- d-----w C:\Archivos de programa\Eset
2008-07-03 20:10 --------- d-----w C:\Documents and Settings\User\Datos de programa\Date close site
2008-07-03 19:59 --------- d-----w C:\Archivos de programa\Circle Developement
2008-07-03 19:13 --------- d-----w C:\Archivos de programa\Kaspersky Lab
2008-07-03 18:09 --------- d-----w C:\Documents and Settings\User\Datos de programa\Lavasoft
2008-07-03 15:20 --------- d-----w C:\Archivos de programa\DivX
2008-07-03 15:05 --------- d--h--w C:\Archivos de programa\InstallShield Installation Information
2008-07-03 01:35 --------- d-----w C:\Archivos de programa\MSN Messenger
2008-07-03 01:19 --------- d-----w C:\Archivos de programa\Archivos comunes\DriveCleaner 2006 Free
2008-07-02 00:30 --------- d-----w C:\Documents and Settings\All Users\Datos de programa\Messenger Plus!
2008-06-24 02:27 --------- d-----w C:\Documents and Settings\All Users\Datos de programa\soft chic meet great
2008-05-31 05:11 --------- d-----w C:\Archivos de programa\Messenger Plus! Live
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-05-07 03:46 --------- d-----w C:\Documents and Settings\All Users\Datos de programa\WLInstaller
2008-05-07 03:36 --------- d-----w C:\Documents and Settings\All Users\Datos de programa\WindowsLiveInstaller
2008-05-07 03:36 --------- d-----w C:\Archivos de programa\Windows Live
2001-11-23 04:08 712,704 ----a-r C:\WINDOWS\inf\OTHER\AUDIO3D.DLL
.

((((((((((((((((((((((((((((((((( Cargando Puntos Reg ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Nota* entradas vac¡as & entradas leg¡timas predeterminadas no son mostradas

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Archivos de programa\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 11:34 5724184]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Archivos de programa\Java\j2re1.4.2_14\bin\jusched.exe" [2007-03-14 17:23 32881]
"TkBellExe"="C:\Archivos de programa\Archivos comunes\Real\Update_OB\realsched.exe" [2007-09-14 15:53 185632]
"meet great active lies"="C:\Documents and Settings\All Users\Datos de programa\soft chic meet great\Rect Htm.exe" [2008-07-06 13:04 782336]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-19 15:42 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]
--a------ 2004-08-19 15:42 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a------ 2006-11-11 21:19 163576 C:\Archivos de programa\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2007-09-14 15:53 185632 C:\Archivos de programa\Archivos comunes\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCTVOICE]
-ra------ 2003-12-18 16:45 180224 C:\WINDOWS\system32\pctspk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VTTimer]
-ra------ 2004-01-15 07:33 49152 C:\WINDOWS\system32\VTTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Archivos de programa\\Messenger\\msmsgs.exe"=
"C:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpCtr.exe"=
"C:\\Archivos de programa\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Archivos de programa\\Windows Live\\Messenger\\livecall.exe"=

R2 UxTuneUp;Ampliación del diseño de TuneUp;C:\WINDOWS\System32\svchost.exe [2004-08-19 15:43]
S3 FileObjInfo;STFileDriver;C:\Documents and Settings\All Users\Datos de programa\Spyware Terminator\FileObjInfo.sys []

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{07635742-06c0-11db-a4d6-806d6172696f}]
\Shell\AutoRun\command - E:\SETUP.EXE /AUTORUN
\Shell\configure\command - E:\SETUP.EXE
\Shell\install\command - E:\SETUP.EXE

.
Contenido de carpeta 'Tareas Programadas'
"2008-07-06 18:00:03 C:\WINDOWS\Tasks\A298EFA9918B69A5.job"
- c:\docume~1\user\datosd~1\datecl~1\ownshidelist.exe
"2008-06-27 22:36:35 C:\WINDOWS\Tasks\Mantenimiento con 1 clic.job"
- C:\Archivos de programa\TuneUp Utilities 2006\SystemOptimizer.exe
.
- - - - ORPHANS REMOVED - - - -

BHO-{6D0386B3-FD72-488E-9740-90355AE21735} - C:\WINDOWS\system32\slonyx.dll
WebBrowser-{5D4831E0-5A7C-4A46-AFD5-A79AB8CE36C2} - (no file)
WebBrowser-{DF4E7A0C-E233-4906-B4C1-A404356541FF} - (no file)
HKCU-Run-Open thunk - C:\DOCUME~1\User\DATOSD~1\DATECL~1\Defy Logo.exe
HKLM-Run-SpywareTerminator - C:\ARCHIV~1\SPYWAR~1\SpywareTerminatorShield.exe
MSConfigStartUp-Aim6 - C:\Archivos de programa\AIM6\aim6.exe
MSConfigStartUp-My Web Search Bar - C:\ARCHIV~1\MYWEBS~1\bar\1.bin\MWSBAR.DLL
MSConfigStartUp-SDR6Y_Check - C:\Archivos de programa\Archivos comunes\DriveCleaner 2006 Free\sdrmon.exe
MSConfigStartUp-Shareaza - C:\Archivos de programa\Shareaza\Shareaza.exe
MSConfigStartUp-SpywareTerminator - C:\Archivos de programa\Spyware Terminator\SpywareTerminatorShield.exe
MSConfigStartUp-SunJavaUpdateSched - C:\Archivos de programa\Java\jre1.5.0_09\bin\jusched.exe
MSConfigStartUp-supervisor - C:\WINDOWS\supervisor.exe
MSConfigStartUp-Cmaudio - cmicnfg.cpl


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-06 13:04:10
Windows 5.1.2600 Service Pack 2 NTFS

escaneando procesos ocultos ...

escaneando entradas ocultas de autostart ...

escaneando archivos ocultos ...

el escaneo se completo con exito
archivos ocultos: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Archivos de programa\Java\j2re1.4.2_14\bin\jucheck.exe
C:\Archivos de programa\SJLabs\SJphone\SJphone.exe
C:\Archivos de programa\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\WgaTray.exe
.
**************************************************************************
.
Tiempo completado: 2008-07-06 13:12:56 - machine was rebooted
ComboFix-quarantined-files.txt 2008-07-06 18:12:40

10 dirs 2,930,094,080 bytes libres
13 dirs 3,491,590,144 bytes libres

209 --- E O F --- 2008-06-20 20:36:58









and here my hijackthis report:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:16:06, on 06/07/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\Archivos de programa\Java\j2re1.4.2_14\bin\jusched.exe
C:\Archivos de programa\Archivos comunes\Real\Update_OB\realsched.exe
C:\Archivos de programa\Windows Live\Messenger\MsnMsgr.Exe
C:\Archivos de programa\Java\j2re1.4.2_14\bin\jucheck.exe
C:\Archivos de programa\SJLabs\SJphone\SJphone.exe
C:\Archivos de programa\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Archivos de programa\Mozilla Firefox\firefox.exe
C:\Archivos de programa\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.crawler.com/search/ie.aspx?tb_id=61006
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = http://dnl.crawler.com/support/sa_customize.aspx?TbId=61006
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
R3 - URLSearchHook: (no name) - {1CB20BF0-BBAE-40A7-93F4-6435FF3D0411} - C:\ARCHIV~1\Crawler\Toolbar\ctbr.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Archivos de programa\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Archivos de programa\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1CB20BF0-BBAE-40A7-93F4-6435FF3D0411} - C:\ARCHIV~1\Crawler\Toolbar\ctbr.dll
O2 - BHO: Windows Live Aplicación auxiliar de inicio de sesión - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Archivos de programa\Archivos comunes\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\archivos de programa\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\archivos de programa\google\googletoolbar2.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Archivos de programa\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Barra &Crawler - {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - C:\ARCHIV~1\Crawler\Toolbar\ctbr.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Archivos de programa\Java\j2re1.4.2_14\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Archivos de programa\Archivos comunes\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [meet great active lies] C:\Documents and Settings\All Users\Datos de programa\soft chic meet great\Rect Htm.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Archivos de programa\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICIO LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Servicio de red')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: TELEFONÍA UNE.lnk = ?
O8 - Extra context menu item: Crawler Search - tbr:iemenu
O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\ARCHIV~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\j2re1.4.2_14\bin\npjpi142_14.dll
O9 - Extra 'Tools' menuitem: Consola de Sun Java - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\j2re1.4.2_14\bin\npjpi142_14.dll
O9 - Extra button: Referencia - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARCHIV~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Archivos de programa\Archivos comunes\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\User\Menú Inicio\Programas\IMVU\Run IMVU.lnk
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Archivos de programa\Yahoo!\Common\yinsthelper.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{4C7F131A-8648-497A-AD49-69F01145D7A5}: NameServer = 85.255.116.107,85.255.112.83
O17 - HKLM\System\CCS\Services\Tcpip\..\{8BF32FFE-3886-4F0E-AFDA-F983FA73762E}: NameServer = 85.255.116.107,85.255.112.83
O18 - Protocol: tbr - {4D25FB7A-8902-4291-960E-9ADA051CFBBF} - C:\ARCHIV~1\Crawler\Toolbar\ctbr.dll
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Archivos de programa\Archivos comunes\Symantec Shared\ccSvcHst.exe (file missing)

--
End of file - 5620 bytes


now whats the next step....thanks again

#9 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:09:59 AM

Posted 06 July 2008 - 02:55 PM

Hello,

You're welcome. :thumbsup: How is it running please?

Your Java is way out of date, which leaves your computer vulnerable.

Updating Java
  • Download the latest version of Java Runtime Environment (JRE) 6_U6.
  • Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Check the box that says: "Accept License Agreement".
  • The page will refresh.
  • Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java versions.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6-windows-i586.exe to install the newest version.
Please download Malwarebytes' Anti-Malware from one of these places:
http://www.majorgeeks.com/Malwarebytes_Ant...ware_d5756.html
http://www.besttechie.net/tools/mbam-setup.exe

Double Click mbam-setup.exe to install the application.

* Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select "Perform Quick Scan", then click Scan.
* The scan may take some time to finish,so please be patient.
* When the scan is complete, click OK, then Show Results to view the results.
* Make sure that everything is checked, and click Remove Selected.
* When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
* The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
* Copy&Paste the entire report in your next reply along with a fresh HijackThis log.


Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediately.

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?

#10 julivl1

julivl1
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:10:59 AM

Posted 06 July 2008 - 03:31 PM

ok this is my new hijackthis log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:30:01, on 06/07/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Archivos de programa\Archivos comunes\Real\Update_OB\realsched.exe
C:\Archivos de programa\Windows Live\Messenger\MsnMsgr.Exe
C:\Archivos de programa\SJLabs\SJphone\SJphone.exe
C:\Archivos de programa\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\svchost.exe
C:\Archivos de programa\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Archivos de programa\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.crawler.com/search/ie.aspx?tb_id=61006
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = http://dnl.crawler.com/support/sa_customize.aspx?TbId=61006
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
R3 - URLSearchHook: (no name) - {1CB20BF0-BBAE-40A7-93F4-6435FF3D0411} - C:\ARCHIV~1\Crawler\Toolbar\ctbr.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Archivos de programa\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Archivos de programa\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1CB20BF0-BBAE-40A7-93F4-6435FF3D0411} - C:\ARCHIV~1\Crawler\Toolbar\ctbr.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Archivos de programa\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: Windows Live Aplicación auxiliar de inicio de sesión - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Archivos de programa\Archivos comunes\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\archivos de programa\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\archivos de programa\google\googletoolbar2.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Archivos de programa\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Barra &Crawler - {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - C:\ARCHIV~1\Crawler\Toolbar\ctbr.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Archivos de programa\Archivos comunes\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [meet great active lies] C:\Documents and Settings\All Users\Datos de programa\soft chic meet great\Rect Htm.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Archivos de programa\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Archivos de programa\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICIO LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Servicio de red')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: TELEFONÍA UNE.lnk = ?
O8 - Extra context menu item: Crawler Search - tbr:iemenu
O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\ARCHIV~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Consola de Sun Java - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Referencia - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARCHIV~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Archivos de programa\Archivos comunes\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\User\Menú Inicio\Programas\IMVU\Run IMVU.lnk
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Archivos de programa\Yahoo!\Common\yinsthelper.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{4C7F131A-8648-497A-AD49-69F01145D7A5}: NameServer = 85.255.116.107,85.255.112.83
O17 - HKLM\System\CCS\Services\Tcpip\..\{8BF32FFE-3886-4F0E-AFDA-F983FA73762E}: NameServer = 85.255.116.107,85.255.112.83
O18 - Protocol: tbr - {4D25FB7A-8902-4291-960E-9ADA051CFBBF} - C:\ARCHIV~1\Crawler\Toolbar\ctbr.dll
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Archivos de programa\Archivos comunes\Symantec Shared\ccSvcHst.exe (file missing)

--
End of file - 5573 bytes


and this is my malwarebytes:

Malwarebytes' Anti-Malware 1.19
Versión de la Base de Datos: 899
Windows 5.1.2600 Service Pack 2

03:28:12 p.m. 06/07/2008
mbam-log-7-6-2008 (15-28-12).txt

Tipo de examen : Examen Rápido
Objetos examinados: 37715
Tiempo transcurrido: 5 minute(s), 2 second(s)

Procesos en Memoria Infectados: 0
Módulos en Memoria Infectados: 0
Claves del Registro Infectadas: 50
Valores del Registro Infectados: 1
Elementos de Datos del Registro Infectados: 0
Carpetas Infectadas: 1
Ficheros Infectados: 0

Procesos en Memoria Infectados:
(No se han detectado elementos maliciosos)

Módulos en Memoria Infectados:
(No se han detectado elementos maliciosos)

Claves del Registro Infectadas:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{07b18eab-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\funwebproducts.datacontrol.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{25560540-9571-4d7b-9389-0f166788785a} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{25560540-9571-4d7b-9389-0f166788785a} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\funwebproducts.shellviewcontrol (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\funwebproducts.shellviewcontrol.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{2eff3cf7-99c1-4c29-bc2b-68e057e22340} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{2eff3cf7-99c1-4c29-bc2b-68e057e22340} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{3dc201fb-e9c9-499c-a11f-23c360d7c3f8} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{3e720452-b472-4954-b7aa-33069eb53906} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{63d0ed2c-b45b-4458-8b3b-60c69bbbd83c} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\mywebsearch.pseudotransparentplugin (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\mywebsearch.pseudotransparentplugin.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{7473d294-b7bb-4f24-ae82-7e2ce94bb6a9} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{7473d294-b7bb-4f24-ae82-7e2ce94bb6a9} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{7473d296-b7bb-4f24-ae82-7e2ce94bb6a9} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{98d9753d-d73b-42d5-8c85-4469cda897ab} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{9ff05104-b030-46fc-94b8-81276e4e27df} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\funwebproducts.browseroverlayembed (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\funwebproducts.browseroverlayembed.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{a6573479-9075-4a65-98a6-19fd29cf7374} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{a6573479-9075-4a65-98a6-19fd29cf7374} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{d9fffb27-d62a-4d64-8cec-1ff006528805} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\mywebsearch.chatsessionplugin (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\mywebsearch.chatsessionplugin.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{e79dfbca-5697-4fbd-94e5-5b2a9c7c1612} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{e79dfbca-5697-4fbd-94e5-5b2a9c7c1612} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{e342af55-b78a-4cd0-a2bb-da7f52d9d25e} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{e342af55-b78a-4cd0-a2bb-da7f52d9d25f} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{0d26bc71-a633-4e71-ad31-eadc3a1b6a3a} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{17de5e5e-bfe3-4e83-8e1f-8755795359ec} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{1f52a5fa-a705-4415-b975-88503b291728} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{2763e333-b168-41a0-a112-d35f96f410c0} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{38a7c9da-8db7-4d0f-a7b1-c4b1a305bddb} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{621feacd-8857-43a6-ae26-451d670d5370} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{72ee7f04-15bd-4845-a005-d6711144d86a} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{7473d293-b7bb-4f24-ae82-7e2ce94bb6a9} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{7473d295-b7bb-4f24-ae82-7e2ce94bb6a9} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{7473d297-b7bb-4f24-ae82-7e2ce94bb6a9} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{8d292ec0-6792-4a38-82ed-73a087e41ba6} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{a626cdbd-3d13-4f78-b819-440a28d7e8fc} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{e79dfbc9-5697-4fbd-94e5-5b2a9c7c1612} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{e79dfbcb-5697-4fbd-94e5-5b2a9c7c1612} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{e79dfbc0-5697-4fbd-94e5-5b2a9c7c1612} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{f87d7fb5-9dc5-4c8c-b998-d8dfe02e2978} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256a51-b582-467e-b8d4-7786eda79ae0} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256a51-b582-467e-b8d4-7786eda79ae0} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\funwebproducts.browseroverlaybarbutton (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\MIME\Database\Content Type\application/x-f3embed (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Valores del Registro Infectados:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Media\WMSDK\Sources\f3PopularScreensavers (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Elementos de Datos del Registro Infectados:
(No se han detectado elementos maliciosos)

Carpetas Infectadas:
C:\Archivos de programa\Archivos comunes\DriveCleaner 2006 Free (Rogue.DriveCleaner) -> Quarantined and deleted successfully.

Ficheros Infectados:
(No se han detectado elementos maliciosos)


thanks for the help...

#11 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:09:59 AM

Posted 06 July 2008 - 03:53 PM

How is it running please?


Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?

#12 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:09:59 AM

Posted 06 July 2008 - 03:57 PM

Hello,


Please navigate to and delete this folder, if present:

C:\Documents and Settings\All Users\Datos de programa\soft chic meet great

* Download Deljob.exe and save it on your desktop.
Doubleclick Deljob.exe.

A log, (logit.txt) should open afterwards. This log will be present on your desktop.
Post the contents of the logfile in your next reply together with a new Hijackthis log.

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?

#13 julivl1

julivl1
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:10:59 AM

Posted 06 July 2008 - 05:32 PM

its runnin much better now than before, much less problems with it now the only problem im sensing right now is that when i open my mozilla a little window comes out saying trying to load a non-local URI...right now thats the only window that pops out no more virus threat windows pop out.

#14 julivl1

julivl1
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:10:59 AM

Posted 06 July 2008 - 05:34 PM

also i tried searching for what you told me to search for and in the all users folder theres 4 folders and 1 file

1.shared documents
2.start menu
3.favorites
4.desktop
the file is
ntuser

#15 julivl1

julivl1
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:10:59 AM

Posted 06 July 2008 - 05:35 PM

this would be the deljob log file

--------------------------------------------------------
Backups created in C:\deljob

A298EFA9918B69A5.job
--------------------------------------------------------
Files in Windows Tasks folder

Mantenimiento con 1 clic.job
--------------------------------------------------------
Export App Data folders
--------------------------------------------------------
El volumen de la unidad C no tiene etiqueta.
El n£mero de serie del volumen es: 6068-4471

Directorio de C:\Documents and Settings\User\Datos de programa

06/07/2008 15:20 <DIR> .
06/07/2008 15:20 <DIR> ..
04/09/2006 07:11 <DIR> Adobe
05/10/2007 12:51 <DIR> AdobeUM
03/07/2008 15:10 <DIR> DATECL~1 Date close site
19/03/2008 19:37 <DIR> DivX
11/11/2006 21:19 <DIR> Google
28/06/2006 17:28 <DIR> IDENTI~1 Identities
03/07/2008 13:09 <DIR> Lavasoft
08/11/2007 22:11 <DIR> MACROM~1 Macromedia
06/07/2008 15:20 <DIR> MALWAR~1 Malwarebytes
16/05/2008 14:05 <DIR> MICROS~1 Microsoft
19/04/2007 16:27 <DIR> Mozilla
28/10/2007 14:08 <DIR> ppstream
14/09/2007 15:55 <DIR> Real
07/07/2006 18:17 <DIR> Sun
07/06/2007 15:23 <DIR> TUNEUP~1 TuneUp Software
28/10/2007 14:04 <DIR> TVUNET~1 TVU Networks
01/04/2008 15:42 <DIR> Yahoo!
0 archivos 0 bytes
19 dirs 7.407.058.944 bytes libres
--------------------------------------------------------
All User Accounts
--------------------------------------------------------
All Users
User
--------------------------------------------------------


and this is the new hijackthis file

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:35:10, on 06/07/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\Explorer.EXE
C:\Archivos de programa\Archivos comunes\Real\Update_OB\realsched.exe
C:\Archivos de programa\Java\jre1.6.0_06\bin\jusched.exe
C:\Archivos de programa\Windows Live\Messenger\MsnMsgr.Exe
C:\Archivos de programa\Internet Explorer\iexplore.exe
C:\Archivos de programa\SJLabs\SJphone\SJphone.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Archivos de programa\Windows Live\Messenger\usnsvc.exe
C:\Archivos de programa\Mozilla Firefox\firefox.exe
C:\Archivos de programa\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.crawler.com/search/ie.aspx?tb_id=61006
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = http://dnl.crawler.com/support/sa_customize.aspx?TbId=61006
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
R3 - URLSearchHook: (no name) - {1CB20BF0-BBAE-40A7-93F4-6435FF3D0411} - C:\ARCHIV~1\Crawler\Toolbar\ctbr.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Archivos de programa\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Archivos de programa\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1CB20BF0-BBAE-40A7-93F4-6435FF3D0411} - C:\ARCHIV~1\Crawler\Toolbar\ctbr.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Archivos de programa\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: Windows Live Aplicación auxiliar de inicio de sesión - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Archivos de programa\Archivos comunes\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\archivos de programa\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\archivos de programa\google\googletoolbar2.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Archivos de programa\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Barra &Crawler - {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - C:\ARCHIV~1\Crawler\Toolbar\ctbr.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Archivos de programa\Archivos comunes\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [meet great active lies] C:\Documents and Settings\All Users\Datos de programa\soft chic meet great\Rect Htm.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Archivos de programa\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Archivos de programa\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICIO LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Servicio de red')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: TELEFONÍA UNE.lnk = ?
O8 - Extra context menu item: Crawler Search - tbr:iemenu
O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\ARCHIV~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Consola de Sun Java - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Referencia - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARCHIV~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Archivos de programa\Archivos comunes\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\User\Menú Inicio\Programas\IMVU\Run IMVU.lnk
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Archivos de programa\Yahoo!\Common\yinsthelper.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{4C7F131A-8648-497A-AD49-69F01145D7A5}: NameServer = 85.255.116.107,85.255.112.83
O17 - HKLM\System\CCS\Services\Tcpip\..\{8BF32FFE-3886-4F0E-AFDA-F983FA73762E}: NameServer = 85.255.116.107,85.255.112.83
O18 - Protocol: tbr - {4D25FB7A-8902-4291-960E-9ADA051CFBBF} - C:\ARCHIV~1\Crawler\Toolbar\ctbr.dll
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Archivos de programa\Archivos comunes\Symantec Shared\ccSvcHst.exe (file missing)

--
End of file - 5690 bytes




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users