
Possible Win32/Cryptor virus


  • This topic is locked
18 replies to this topic

#1 Daffe

Daffe

  • Members
  • 11 posts
  • OFFLINE
  • Local time:04:26 PM

Posted 25 January 2009 - 01:21 PM

I hope there is hope for solving this problem.

I described the following in my post in "Am I infected? What do I do?":

1. Trying to run Windows update results in getting redirected to Google.
2. The Anti-Virus Program no longer connects with the update server.
3. Running disk defragmenter is not possible.

The system is in Spanish.

I have two logs, the DDS and the HijackThis, but as I understand you only need the DDS. If I'm wrong, please tell me and I will also post the HijackThis.

Here is the log:

DDS (Ver_09-01-18.01) - NTFSx86
Run by Nelida at 12:15:27,76 on 22/01/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1252.34.3082.18.2015.1490 [GMT -2:00]

AV: F-Secure Internet Security 2009 9.00 *On-access scanning enabled* (Outdated)
FW: F-Secure Internet Security 2009 9.00 *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Archivos de programa\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Archivos de programa\Archivos comunes\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\VTTimer.exe
C:\Archivos de programa\Windows Defender\MSASCui.exe
C:\Archivos de programa\CyberLink\PowerDVD\PDVDServ.exe
C:\Archivos de programa\HP\HP Software Update\HPWuSchd2.exe
C:\Archivos de programa\Archivos comunes\LogiShrd\LComMgr\Communications_Helper.exe
C:\Archivos de programa\Java\jre6\bin\jusched.exe
C:\Archivos de programa\F-Secure Internet Security\Common\FSM32.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Archivos de programa\F-Secure Internet Security\Anti-Virus\fsgk32st.exe
C:\Archivos de programa\DNA\btdna.exe
C:\Archivos de programa\F-Secure Internet Security\Common\FSMA32.EXE
C:\Archivos de programa\F-Secure Internet Security\Anti-Virus\FSGK32.EXE
C:\Archivos de programa\Java\jre6\bin\jqs.exe
C:\Archivos de programa\Archivos comunes\LogiShrd\LVCOMSER\LVComSer.exe
C:\Archivos de programa\F-Secure Internet Security\Common\FSMB32.EXE
C:\Archivos de programa\HP\Digital Imaging\bin\hpqtra08.exe
C:\Archivos de programa\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\Archivos de programa\Archivos comunes\Microsoft Shared\VS7Debug\mdm.exe
C:\Archivos de programa\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Archivos de programa\F-Secure Internet Security\Common\FCH32.EXE
C:\Archivos de programa\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Archivos de programa\F-Secure Internet Security\Anti-Virus\fsqh.exe
C:\Archivos de programa\F-Secure Internet Security\Common\FAMEH32.EXE
C:\Archivos de programa\F-Secure Internet Security\FSPC\fspc.exe
C:\Archivos de programa\F-Secure Internet Security\FSAUA\program\fsaua.exe
C:\Archivos de programa\F-Secure Internet Security\FWES\Program\fsdfwd.exe
C:\Archivos de programa\F-Secure Internet Security\FSGUI\fsguidll.exe
C:\Archivos de programa\Windows Live\Messenger\usnsvc.exe
C:\Archivos de programa\F-Secure Internet Security\FSAUA\program\fsus.exe
C:\Archivos de programa\Archivos comunes\Logishrd\LQCVFX\COCIManager.exe
C:\Archivos de programa\F-Secure Internet Security\Anti-Virus\fsav32.exe
C:\Archivos de programa\F-Secure Internet Security\Anti-Virus\fssm32.exe
C:\Archivos de programa\Outlook Express\msimn.exe
C:\Archivos de programa\Messenger\msmsgs.exe
C:\BACKUP\© Local Disk\Archivos de programa\Ectaco\Language Teacher 2000\Language Teacher 2000\ES\es.exe
C:\Documents and Settings\Nelida\Escritorio\dds.scr

============== Pseudo HJT Report ===============

BHO: Aplicación auxiliar de vínculos de Adobe PDF Reader: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\archivos de programa\archivos comunes\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\archivos de programa\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\archivos de programa\avg\avg8\avgssie.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\archivos de programa\java\jre6\bin\ssv.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Windows Live Aplicación auxiliar de inicio de sesión: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\archivos de programa\archivos comunes\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\archivos de programa\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\archivos de programa\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: TextAloud: {f053c368-5458-45b2-9b4d-d8914bdddbff} - c:\archiv~1\textal~1\TAForIE.dll
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
uRun: [BitTorrent DNA] "c:\archivos de programa\dna\btdna.exe"
uRun: [MsnMsgr] "c:\archivos de programa\windows live\messenger\MsnMsgr.Exe" /background
mRun: [VTTimer] VTTimer.exe
mRun: [Windows Defender] "c:\archivos de programa\windows defender\MSASCui.exe" -hide
mRun: [RemoteControl] "c:\archivos de programa\cyberlink\powerdvd\PDVDServ.exe"
mRun: [HP Software Update] c:\archivos de programa\hp\hp software update\HPWuSchd2.exe
mRun: [LogitechCommunicationsManager] "c:\archivos de programa\archivos comunes\logishrd\lcommgr\Communications_Helper.exe"
mRun: [SunJavaUpdateSched] "c:\archivos de programa\java\jre6\bin\jusched.exe"
mRun: [Adobe Reader Speed Launcher] "c:\archivos de programa\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [LogitechQuickCamRibbon] "c:\archivos de programa\logitech\quickcam\Quickcam.exe" /hide
mRun: [NeroFilterCheck] c:\archivos de programa\archivos comunes\ahead\lib\NeroCheck.exe
mRun: [F-Secure Manager] "c:\archivos de programa\f-secure internet security\common\FSM32.EXE" /splash
mRun: [F-Secure TNB] "c:\archivos de programa\f-secure internet security\fsgui\TNBUtil.exe" /CHECKALL /WAITFORSW
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRun: [DWQueuedReporting] "c:\archiv~1\archiv~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\alluse~1\menini~1\progra~1\inicio\hpdigi~1.lnk - c:\archivos de programa\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\menini~1\progra~1\inicio\logite~1.lnk - c:\archivos de programa\logitech\desktop messenger\8876480\program\LogitechDesktopMessenger.exe
StartupFolder: c:\docume~1\alluse~1\menini~1\progra~1\inicio\micros~1.lnk - c:\archivos de programa\microsoft office\office10\OSA.EXE
StartupFolder: c:\docume~1\alluse~1\menini~1\progra~1\inicio\ultrah~1.lnk - c:\windows\installer\{96ef451e-a402-44d8-baee-d70d558a4122}\New_Shortcut_S1449_0EB7CDB78E0C4A918D2CA535D5B8160C.exe
IE: E&xportar a Microsoft Excel - c:\archiv~1\micros~2\office10\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\archivos de programa\messenger\msmsgs.exe
IE: {200DB664-75B5-47c0-8B45-A44ACCF73C00} - {D68926FD-18FD-4B0E-A1C7-917D13FAB760} - c:\archivos de programa\f-secure internet security\fspc\fspcmsie.dll
IE: {200DB664-75B5-47c0-8B45-A44ACCF73F01} - {D68926FD-18FD-4B0E-A1C7-917D13FAB760} - c:\archivos de programa\f-secure internet security\fspc\fspcmsie.dll
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\archivos de programa\windows live\writer\WriterBrowserExtension.dll
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\archivos de programa\skype\toolbars\internet explorer\SkypeIEPlugin.dll
LSP: c:\archivos de programa\f-secure internet security\fsps\program\FSLSP.DLL
TCP: NameServer = 85.255.115.60,85.255.112.136
TCP: {489B53CC-1FBE-4D8E-9270-290DC76F4663} = 85.255.115.60,85.255.112.136
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\archivos de programa\logitech\desktop messenger\8876480\program\GAPlugProtocol-8876480.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\archiv~1\archiv~1\skype\SKYPE4~1.DLL
SEH: ShellExecuteHook contra el software malintencionado de Microsoft: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\archiv~1\window~4\MpShHook.dll

============= SERVICES / DRIVERS ===============

R0 FSFW;F-Secure Firewall Driver;c:\windows\system32\drivers\fsdfw.sys [2009-1-21 79904]
R1 F-Secure HIPS;F-Secure HIPS Driver;c:\archivos de programa\f-secure internet security\hips\drivers\fshs.sys [2009-1-21 66720]
R3 F-Secure Gatekeeper;F-Secure Gatekeeper;c:\archivos de programa\f-secure internet security\anti-virus\minifilter\fsgk.sys [2009-1-21 72288]
R3 FSORSPClient;F-Secure ORSP Client;c:\archivos de programa\f-secure internet security\orsp client\fsorsp.exe [2009-1-21 55904]
R4 F-Secure Gatekeeper Handler Starter;FSGKHS;c:\archivos de programa\f-secure internet security\anti-virus\fsgk32st.exe [2009-1-21 215648]
R4 WinDefend;Windows Defender;c:\archivos de programa\windows defender\MsMpEng.exe [2006-11-3 13592]
S4 F-Secure Filter;F-Secure File System Filter;c:\archivos de programa\f-secure internet security\anti-virus\win2k\fsfilter.sys [2009-1-21 39776]
S4 F-Secure Recognizer;F-Secure File System Recognizer;c:\archivos de programa\f-secure internet security\anti-virus\win2k\fsrec.sys [2009-1-21 25184]

=============== Created Last 30 ================

2009-01-21 17:39 <DIR> --d----- c:\docume~1\nelida\datosd~1\F-Secure
2009-01-21 17:33 79,904 a------- c:\windows\system32\drivers\fsdfw.sys
2009-01-21 17:32 <DIR> --d----- c:\archivos de programa\F-Secure Internet Security
2009-01-21 17:31 <DIR> --d----- c:\docume~1\alluse~1\datosd~1\fssg
2009-01-21 17:17 <DIR> --d----- c:\docume~1\alluse~1\datosd~1\f-secure
2009-01-21 11:08 71,680 a------- c:\windows\system32\drivers\gaopdxserv.sys
2009-01-21 11:08 255 ---shr-- C:\autorun.inf
2009-01-20 10:26 <DIR> --d----- c:\docume~1\alluse~1\datosd~1\Nero
2009-01-20 10:26 <DIR> --d----- c:\archivos de programa\Nero
2009-01-20 10:26 <DIR> --d----- c:\archivos de programa\archivos comunes\Ahead
2009-01-20 10:24 <DIR> --d----- c:\windows\RegisteredPackages
2009-01-07 18:51 <DIR> --dshr-- C:\resycled
2009-01-07 14:49 70,780 a------- c:\windows\system32\MSSCRIPT.HLP
2009-01-07 14:49 2,154 a------- c:\windows\system32\MSSCRIPT.CNT
2009-01-05 21:52 44 a------- c:\windows\ENROLL.INI
2009-01-05 21:35 35,328 a------- c:\windows\system32\Shellses.dll
2009-01-05 21:35 18,432 a------- c:\windows\system32\Ibmwave.exe
2009-01-05 21:35 22,528 a------- c:\windows\system32\rhmmplay.dll
2009-01-05 21:35 <DIR> --d----- C:\ViaVoice
2009-01-05 21:35 302,592 a------- c:\windows\unin040a.exe
2009-01-05 18:53 <DIR> --d----- c:\archivos de programa\AV VCS 3.0 Gold
2009-01-05 18:53 6,852 a------- c:\windows\system32\drivers\Vcs.sys
2009-01-02 13:53 <DIR> --d----- c:\archivos de programa\Cepstral
2009-01-02 11:07 143,360 a------- c:\windows\picn1120.dll
2009-01-02 11:07 143,360 a------- c:\windows\picn1020.dll
2009-01-02 10:30 356,352 a------- c:\windows\eSellerateEngine.dll
2009-01-02 10:30 225,360 a------- c:\windows\system32\DNLEng.dll
2009-01-02 10:30 31,728 a------- c:\windows\dbrmdwb.exe
2009-01-02 10:30 26 a------- c:\windows\dbrmdwb.bat
2009-01-02 10:30 2,581,984 a------- c:\windows\dbplugin.ocx
2009-01-02 10:30 2,438,640 a------- c:\windows\npdbplug.dll
2009-01-02 10:30 1,023,456 a------- c:\windows\dbplugin.exe
2009-01-02 10:30 633 a------- c:\windows\npdbplug.xpt
2009-01-02 10:29 <DIR> --d----- c:\archivos de programa\DeskTopAuthor
2008-12-24 16:03 <DIR> --d----- c:\archivos de programa\eBook Maestro PRO
2008-12-23 17:34 <DIR> --d----- c:\archivos de programa\Sodels
2008-12-23 17:06 175,104 a------- c:\windows\system32\lame_enc.dll
2008-12-23 17:06 102,400 a------- c:\windows\system32\libfaac.dll
2008-12-23 17:06 <DIR> --d----- c:\archivos de programa\Speak Aloud
2008-12-23 16:27 <DIR> --d----- c:\archivos de programa\TextAloud
2008-12-23 15:40 <DIR> --d----- c:\archivos de programa\Zabaware

==================== Find3M ====================

2009-01-21 17:35 0 a------- c:\windows\system32\drivers\lvuvc.hs
2009-01-21 17:35 0 a------- c:\windows\system32\drivers\logiflt.iad
2009-01-21 17:33 460,118 a------- c:\windows\system32\perfh00A.dat
2009-01-21 17:33 79,596 a------- c:\windows\system32\perfc00A.dat
2008-12-22 20:52 306,432 a------- c:\windows\system32\TuneUpDefragService.exe
2008-12-16 21:02 253,952 -------- c:\windows\Setup1.exe
2008-12-16 21:02 74,240 a------- c:\windows\ST6UNST.EXE
2008-12-15 17:06 410,984 a------- c:\windows\system32\deploytk.dll
2008-11-27 20:44 25,544 a------- c:\docume~1\nelida\datosd~1\GDIPFONTCACHEV1.DAT
2008-07-17 23:15 32,768 a--sh--- c:\windows\system32\config\systemprofile\configuración local\historial\history.ie5\mshist012008063020080707\index.dat
2008-07-17 23:15 32,768 a--sh--- c:\windows\system32\config\systemprofile\configuración local\historial\history.ie5\mshist012008071720080718\index.dat

============= FINISH: 12:16:08,53 ===============
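As an added triage example (not part of the thread, and not the helper's own tooling), the script below parses a few lines copied from the DDS log above and flags what a malware-response helper checks first: `TCP: NameServer` entries that are not on the expected resolver allow-list (these settings decide where the machine's name lookups go, which matters when update sites "redirect"), load points whose file is gone ("No File"), and recently created hidden+system objects at the drive root or new kernel drivers. The expected resolver address is a placeholder assumption; flagged items are a review list, not a verdict.

```python
"""Triage of DDS log sections: resolver allow-list, orphaned load points,
and suspicious entries in "Created Last 30" (added example)."""
import re
from typing import Dict, List, Set, Tuple

# Constructed sample: a handful of lines taken from the DDS report above.
SAMPLE_DDS = r"""
============== Pseudo HJT Report ===============
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
TCP: NameServer = 85.255.115.60,85.255.112.136
TCP: {489B53CC-1FBE-4D8E-9270-290DC76F4663} = 85.255.115.60,85.255.112.136
=============== Created Last 30 ================
2009-01-21 17:33 79,904 a------- c:\windows\system32\drivers\fsdfw.sys
2009-01-21 11:08 71,680 a------- c:\windows\system32\drivers\gaopdxserv.sys
2009-01-21 11:08 255 ---shr-- C:\autorun.inf
2009-01-07 18:51 <DIR> --dshr-- C:\resycled
2009-01-05 18:53 6,852 a------- c:\windows\system32\drivers\Vcs.sys
==================== Find3M ====================
"""

SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")
# DDS writes resolvers both as "TCP: NameServer = ..." and per-interface "TCP: {GUID} = ...".
TCP_RE = re.compile(r"^TCP:\s*(?:NameServer|\{[0-9A-Fa-f-]+\})\s*=\s*(.+)$")
# "<date> <time> <size|<DIR>> <attribute flags> <path>"
CREATED_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+(<DIR>|[\d,]+)\s+([-a-z]+)\s+(.+)$")


def split_sections(text: str) -> Dict[str, List[str]]:
    """Group non-blank lines under the '=== Name ===' header that precedes them."""
    sections: Dict[str, List[str]] = {}
    current = "preamble"
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = SECTION_RE.match(line)
        if header:
            current = header.group(1)
            sections.setdefault(current, [])
            continue
        sections.setdefault(current, []).append(line)
    return sections


def dns_servers(hjt_lines: List[str]) -> List[str]:
    """Distinct resolver addresses, in the order DDS listed them."""
    servers: List[str] = []
    for line in hjt_lines:
        m = TCP_RE.match(line)
        if m:
            for ip in m.group(1).split(","):
                ip = ip.strip()
                if ip and ip not in servers:
                    servers.append(ip)
    return servers


def unexpected_resolvers(hjt_lines: List[str], expected: Set[str]) -> List[str]:
    """Resolvers that are not the router/ISP addresses the owner expects."""
    return [ip for ip in dns_servers(hjt_lines) if ip not in expected]


def orphaned_load_points(hjt_lines: List[str]) -> List[str]:
    """BHO/TB/Run entries whose target no longer exists on disk."""
    return [line for line in hjt_lines if line.endswith("- No File")]


def suspicious_created(created_lines: List[str]) -> List[Tuple[str, str]]:
    """Review list from 'Created Last 30': hidden+system objects at a drive root
    (the classic autorun.inf pattern) and any newly created kernel driver.
    Legitimate drivers (e.g. a freshly installed AV) will show up too; match
    them against the Running Processes / Services sections before acting."""
    findings: List[Tuple[str, str]] = []
    for line in created_lines:
        m = CREATED_RE.match(line)
        if not m:
            continue
        _when, _size, attrs, path = m.groups()
        low = path.lower()
        at_root = re.fullmatch(r"[a-z]:\\[^\\]+", low) is not None
        if at_root and "s" in attrs and "h" in attrs:
            findings.append(("hidden+system object at drive root", path))
        elif low.endswith(".sys") and "\\drivers\\" in low:
            findings.append(("new kernel driver", path))
    return findings


def triage(text: str, expected_dns: Set[str]) -> Dict[str, list]:
    sections = split_sections(text)
    hjt = sections.get("Pseudo HJT Report", [])
    created = sections.get("Created Last 30", [])
    return {
        "unexpected_dns": unexpected_resolvers(hjt, expected_dns),
        "orphaned": orphaned_load_points(hjt),
        "created": suspicious_created(created),
    }


if __name__ == "__main__":
    # Placeholder: the resolver the owner's router/ISP is expected to hand out.
    report = triage(SAMPLE_DDS, expected_dns={"192.168.1.1"})
    for key, items in report.items():
        print(key)
        for item in items:
            print("   ", item)
```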


#2 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  • Gender:Male
  • Local time:02:26 PM

Posted 07 February 2009 - 12:57 PM

Hi

My name is Extremeboy (or EB for short), and I will be helping you with your log.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a description of your problem, along with any steps you may have performed so far.

If you do not make a reply in 5 days, we will need to close your topic.

You may want to keep the link to this topic in your favourites. Alternatively, you can click the button at the top bar of this topic and Track this Topic. The topics you are tracking can be found here.

Please take note of some guidelines for this fix:
  • Refrain from making any changes to your computer including installing/uninstall programs, deleting files, modifying the registry, and running scanners or tools.
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing. I would much rather clarify instructions or explain them differently than have something important broken.
  • Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean". We do not want to clean you part-way, only to have the system re-infect itself.
  • Please reply using the reply button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply.
  • Old topics are closed after 3 days with no reply, and working topics are closed after 5 days. If for any reason you cannot complete instructions within that time, that's fine, just post back here so that we know you're still here.


Install Recovery Console and Run ComboFix

Download Combofix from any of the links below, and save it to your desktop.

Link 1
Link 2
Link 3
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Close any open windows, including this one.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • If you did not have it installed, you will see the prompt below. Choose YES.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Note: The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

  • Click on Yes, to continue scanning for malware.
  • When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).
Leave your computer alone while ComboFix is running.
ComboFix will restart your computer if malware is found; allow it to do so.


Note: Please do NOT mouse-click ComboFix's window while it is running because it may cause it to stall.

Download and Run Scan with GMER

We will use GMER to scan for rootkits.
  • Download gmer.zip and save to your desktop.
    Alternate Download Site 1
  • Unzip/extract the file to its own folder. (Click here for information on how to do this if not sure. Win 2000 users click here.)
  • When you have done this, disconnect from the Internet and close all running programs.
    There is a small chance this application may crash your computer so save any work you have open.
  • Double-click on Gmer.exe to start the program.
  • Allow the gmer.sys driver to load if asked.
  • If it gives you a warning at program start about rootkit activity and asks if you want to run a scan...click NO.
  • Click the >>>
  • Click on Settings, then check the first five settings:
    • System Protection and Tracing
    • Processes
    • Save created processes to the log
    • Drivers
    • Save loaded drivers to the log
  • You will be prompted to restart your computer. Please do so.
After the reboot, run Gmer again and click on the Rootkit tab.
  • Look at the right hand side (under Files) and uncheck all drives with the exception of your C drive.
  • Make sure all other boxes on the right of the screen are checked, EXCEPT for Show All.
  • Click on the Scan and wait for the scan to finish.
    Note: Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while this scan completes. Also do not use your computer during the scan. You will know that the scan is done when the Stop button turns back to Scan.
  • When completed, click on the Copy button and right-click on your Desktop, choose New>Text document. Once the file is created, open it and right-click again and choose Paste. Save the file as gmer.txt and copy the information in your next reply.
If GMER doesn't work in Normal Mode try running it in Safe Mode

Important! Please do not select the Show all checkbox during the scan.

Post back with:
-Combofix log
-GMER log
-New Pair of DDS logs
-Description of any problems you still have


With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.


#3 Daffe

Daffe
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:04:26 PM

Posted 07 February 2009 - 04:34 PM

Thank you very much for your reply EB. I don't have access to the infected computer before Wednesday, but then I will follow the steps in your reply, and also post the new logs.

Best regards
Daffe

#4 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  • Gender:Male
  • Local time:02:26 PM

Posted 07 February 2009 - 04:37 PM

Okay. That's fine.

Thanks for letting me know.

I'll take a look at the logs once it comes in.

With Regards,
Extremeboy

#5 Daffe

Daffe
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:04:26 PM

Posted 11 February 2009 - 09:56 AM

Partly fixed I guess.
After running the procedure F-Secure now connects with the update server, but I still can't get the system to update Windows. I don't get redirected, but get an error message from the page. [Número de error: 0x800704DD]. (I checked this on the MS webpage, and I'm not sure if I'll take the chance of entering the registry on a Spanish system.) When running ComboFix it reacted on two files. The log says that the MS Recovery Console is not installed, but I was not prompted for it. I ran it twice just to be sure. The log is from the first run. After running ComboFix I also got a new file on the desktop called catchme.log. I have not looked at this.

Thank you so so much for your help.

Daffe

Here are the logs:

1. Combofix:

ComboFix 09-02-10.03 - Nelida 2009-02-11 11:01:03.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.34.3082.18.2015.1597 [GMT -2:00]
Running from: c:\documents and settings\Nelida\Escritorio\ComboFix.exe
AV: F-Secure Internet Security 2009 9.00 *On-access scanning disabled* (Updated)
FW: F-Secure Internet Security 2009 9.00 *disabled*

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2009-01-11 to 2009-02-11 )))))))))))))))))))))))))))))))
.

2009-01-27 13:40 . 2009-01-27 13:40 <DIR> d-------- c:\windows\system32\%programfiles%
2009-01-27 13:40 . 2009-01-27 13:40 <DIR> d-------- c:\windows\system32\%commonprogramfiles%
2009-01-23 18:38 . 2009-01-23 18:39 <DIR> d-------- c:\archivos de programa\DeskTopAuthorEval
2009-01-22 17:21 . 2009-01-22 17:21 <DIR> d-------- c:\documents and settings\Nelida\Datos de programa\Canneverbe_Limited
2009-01-22 17:21 . 2009-01-22 17:21 <DIR> d-------- c:\archivos de programa\CDBurnerXP
2009-01-22 12:42 . 2009-01-22 12:42 <DIR> d-------- c:\documents and settings\Nelida\Datos de programa\vlc
2009-01-22 12:39 . 2009-01-22 12:39 <DIR> d-------- c:\archivos de programa\VideoLAN
2009-01-21 17:39 . 2009-01-21 17:39 <DIR> d-------- c:\documents and settings\Nelida\Datos de programa\F-Secure
2009-01-21 17:33 . 2008-10-14 11:01 79,904 --a------ c:\windows\system32\drivers\fsdfw.sys
2009-01-21 17:32 . 2009-01-21 17:34 <DIR> d-------- c:\archivos de programa\F-Secure Internet Security
2009-01-21 17:31 . 2009-01-21 17:31 <DIR> d-------- c:\documents and settings\All Users\Datos de programa\fssg
2009-01-21 17:17 . 2009-01-21 17:33 <DIR> d-------- c:\documents and settings\All Users\Datos de programa\f-secure
2009-01-20 10:30 . 2009-01-20 10:30 <DIR> d-------- c:\documents and settings\Nelida\Datos de programa\Ahead
2009-01-20 10:28 . 2009-01-20 10:28 <DIR> d-------- c:\documents and settings\All Users\Datos de programa\Ahead
2009-01-20 10:26 . 2009-01-20 10:26 <DIR> d-------- c:\documents and settings\All Users\Datos de programa\Nero
2009-01-20 10:26 . 2009-01-20 10:26 <DIR> d-------- c:\archivos de programa\Nero
2009-01-20 10:26 . 2009-01-20 10:27 <DIR> d-------- c:\archivos de programa\Archivos comunes\Ahead

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-11 12:44 0 ----a-w c:\windows\system32\drivers\lvuvc.hs
2009-02-11 12:44 0 ----a-w c:\windows\system32\drivers\logiflt.iad
2009-02-11 12:42 90,112 ----a-w c:\windows\DUMP7f61.tmp
2009-02-11 12:40 --------- d-----w c:\documents and settings\Nelida\Datos de programa\DNA
2009-02-11 11:52 --------- d-----w c:\archivos de programa\DNA
2009-02-03 16:28 90,112 ----a-w c:\windows\DUMP89d1.tmp
2009-02-02 21:28 --------- d-----w c:\documents and settings\Nelida\Datos de programa\BitTorrent
2009-02-02 15:22 --------- d-----w c:\documents and settings\Nelida\Datos de programa\Image Zone Express
2009-01-26 18:12 356,352 ----a-w c:\windows\eSellerateEngine.dll
2009-01-26 18:12 31,728 ----a-w c:\windows\dbrmdwb.exe
2009-01-26 18:12 2,442,736 ----a-w c:\windows\npdbplug.dll
2009-01-23 20:38 --------- d-----w c:\archivos de programa\Archivos comunes\Wise Installation Wizard
2009-01-23 17:09 1,023,456 ----a-w c:\windows\dbplugin.exe
2009-01-21 19:27 --------- d-----w c:\documents and settings\All Users\Datos de programa\avg8
2009-01-21 18:00 --------- d-----w c:\archivos de programa\DeskTopAuthor
2009-01-20 12:14 --------- d-----w c:\archivos de programa\Ahead
2009-01-20 12:00 --------- d-----w c:\archivos de programa\TextAloud
2009-01-05 20:53 --------- d-----w c:\archivos de programa\AV VCS 3.0 Gold
2009-01-02 20:43 --------- d-----w c:\archivos de programa\Cepstral
2009-01-02 13:07 143,360 ----a-w c:\windows\picn1120.dll
2009-01-02 13:07 143,360 ----a-w c:\windows\picn1020.dll
2008-12-24 18:03 --------- d-----w c:\archivos de programa\eBook Maestro PRO
2008-12-23 19:34 --------- d-----w c:\archivos de programa\Sodels
2008-12-23 19:12 --------- d-----w c:\archivos de programa\Speak Aloud
2008-12-23 17:40 --------- d-----w c:\archivos de programa\Zabaware
2008-12-22 22:52 306,432 ----a-w c:\windows\system32\TuneUpDefragService.exe
2008-12-22 22:52 --------- d-----w c:\documents and settings\Nelida\Datos de programa\TuneUp Software
2008-12-22 22:52 --------- d-----w c:\archivos de programa\TuneUp Utilities 2008
2008-12-22 22:51 --------- d-----w c:\documents and settings\All Users\Datos de programa\TuneUp Software
2008-12-22 20:58 --------- d-----w c:\archivos de programa\Loquendo
2008-12-22 19:26 --------- d--h--w c:\archivos de programa\InstallShield Installation Information
2008-12-22 18:11 --------- d-----w c:\documents and settings\All Users\Datos de programa\WinZip
2008-12-19 15:47 --------- d-----w c:\archivos de programa\Clever Software
2008-12-19 14:48 --------- d-----w c:\archivos de programa\PhotonFX
2008-12-19 14:07 --------- d-----w c:\archivos de programa\Dialogoo
2008-12-19 13:50 --------- d-----w c:\archivos de programa\Web Page Maker V2
2008-12-18 16:41 --------- d-----w c:\archivos de programa\Activ E-Book 4.22
2008-12-18 15:19 --------- d-----w c:\archivos de programa\NATATA eBook Compiler 3.0.3
2008-12-17 21:50 --------- d-----w c:\documents and settings\Nelida\Datos de programa\Audio Recorder Titanium
2008-12-17 21:49 --------- d-----w c:\archivos de programa\Audio Recorder Titanium
2008-12-16 23:21 --------- d-----w c:\archivos de programa\Borland
2008-12-16 23:21 --------- d-----w c:\archivos de programa\Ardora
2008-12-16 23:11 --------- d-----w c:\archivos de programa\Gen_Test
2008-12-16 23:02 74,240 ----a-w c:\windows\ST6UNST.EXE
2008-12-16 23:02 253,952 ------w c:\windows\Setup1.exe
2008-12-16 14:41 --------- d-----w c:\archivos de programa\Windows Live
2008-12-16 14:38 --------- d-----w c:\archivos de programa\WebSite X5 Evolution
2008-12-15 19:06 410,984 ----a-w c:\windows\system32\deploytk.dll
2008-12-15 19:05 --------- d-----w c:\archivos de programa\Java
2008-12-15 18:36 --------- d-----w c:\archivos de programa\JMF2.1.1e
2008-12-15 18:27 --------- d-----w c:\archivos de programa\Archivos comunes\Java
2008-11-27 22:44 25,544 ----a-w c:\documents and settings\Nelida\Datos de programa\GDIPFONTCACHEV1.DAT
2008-07-18 01:15 32,768 --sha-w c:\windows\system32\config\systemprofile\Configuración local\Historial\History.IE5\MSHist012008063020080707\index.dat
2008-07-18 01:15 32,768 --sha-w c:\windows\system32\config\systemprofile\Configuración local\Historial\History.IE5\MSHist012008071720080718\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"BitTorrent DNA"="c:\archivos de programa\DNA\btdna.exe" [2008-12-19 342848]
"MsnMsgr"="c:\archivos de programa\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RemoteControl"="c:\archivos de programa\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-02 32768]
"HP Software Update"="c:\archivos de programa\HP\HP Software Update\HPWuSchd2.exe" [2005-05-12 49152]
"LogitechCommunicationsManager"="c:\archivos de programa\Archivos comunes\LogiShrd\LComMgr\Communications_Helper.exe" [2007-07-25 563984]
"SunJavaUpdateSched"="c:\archivos de programa\Java\jre6\bin\jusched.exe" [2008-12-15 136600]
"Adobe Reader Speed Launcher"="c:\archivos de programa\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"LogitechQuickCamRibbon"="c:\archivos de programa\Logitech\QuickCam\Quickcam.exe" [2007-07-25 2027792]
"NeroFilterCheck"="c:\archivos de programa\Archivos comunes\Ahead\Lib\NeroCheck.exe" [2007-03-01 153136]
"F-Secure Manager"="c:\archivos de programa\F-Secure Internet Security\Common\FSM32.EXE" [2008-10-14 182936]
"F-Secure TNB"="c:\archivos de programa\F-Secure Internet Security\FSGUI\TNBUtil.exe" [2008-10-14 957024]
"VTTimer"="VTTimer.exe" [2004-09-01 c:\windows\system32\VTTimer.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
"DWQueuedReporting"="c:\archiv~1\ARCHIV~1\MICROS~1\DW\dwtrig20.exe" [2005-04-25 36040]

c:\documents and settings\All Users\Men£ Inicio\Programas\Inicio\
HP Digital Imaging Monitor.lnk - c:\archivos de programa\HP\Digital Imaging\bin\hpqtra08.exe [2005-05-12 282624]
Logitech Desktop Messenger.lnk - c:\archivos de programa\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe [2008-10-20 67128]
Microsoft Office.lnk - c:\archivos de programa\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]
Ultra Hal Text-to-Speech Reader Startup.lnk - c:\windows\Installer\{96EF451E-A402-44D8-BAEE-D70D558A4122}\New_Shortcut_S1449_0EB7CDB78E0C4A918D2CA535D5B8160C.exe [2008-12-23 40960]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Archivos de programa\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Archivos de programa\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Archivos de programa\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Archivos de programa\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Archivos de programa\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Archivos de programa\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Archivos de programa\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Archivos de programa\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Archivos de programa\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Archivos de programa\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Archivos de programa\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Archivos de programa\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Archivos de programa\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Archivos de programa\\Messenger\\msmsgs.exe"=
"c:\\Archivos de programa\\NetMeeting\\conf.exe"=
"c:\\Archivos de programa\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
"c:\\Archivos de programa\\DNA\\btdna.exe"=
"c:\\Archivos de programa\\BitTorrent\\bittorrent.exe"=
"c:\\Archivos de programa\\Skype\\Phone\\Skype.exe"=
"c:\\Archivos de programa\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Archivos de programa\\Windows Live\\Messenger\\livecall.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=

R0 FSFW;F-Secure Firewall Driver;c:\windows\system32\drivers\fsdfw.sys [2009-01-21 79904]
R1 F-Secure HIPS;F-Secure HIPS Driver;c:\archivos de programa\F-Secure Internet Security\HIPS\drivers\fshs.sys [2009-01-21 66720]
R2 WinDefend;Windows Defender;c:\archivos de programa\Windows Defender\MsMpEng.exe [2006-11-03 13592]
R3 F-Secure Gatekeeper;F-Secure Gatekeeper;c:\archivos de programa\F-Secure Internet Security\Anti-Virus\minifilter\fsgk.sys [2009-01-21 72288]
R3 FSORSPClient;F-Secure ORSP Client;c:\archivos de programa\F-Secure Internet Security\ORSP Client\fsorsp.exe [2009-01-21 55904]
S4 F-Secure Filter;F-Secure File System Filter;c:\archivos de programa\F-Secure Internet Security\Anti-Virus\win2k\fsfilter.sys [2009-01-21 39776]
S4 F-Secure Recognizer;F-Secure File System Recognizer;c:\archivos de programa\F-Secure Internet Security\Anti-Virus\win2k\fsrec.sys [2009-01-21 25184]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3e710378-e6ea-11dd-ab9e-0011d8f95f23}]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL resycled\ntldr.com f:
\Shell\Open\command - f:\resycled\ntldr.com f:
.
Contents of the 'Scheduled Tasks' folder

2009-02-06 c:\windows\Tasks\1-Click Maintenance.job
- c:\archivos de programa\TuneUp Utilities 2008\OneClick.exe [2007-12-21 16:17]

2009-02-11 c:\windows\Tasks\MP Scheduled Scan.job
- c:\archivos de programa\Windows Defender\MpCmdRun.exe [2006-11-03 19:20]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: E&xportar a Microsoft Excel - c:\archiv~1\MICROS~2\Office10\EXCEL.EXE/3000
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\archivos de programa\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-11 11:02:19
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(668)
c:\archivos de programa\F-Secure Internet Security\FWES\Program\fsdc32.dll

- - - - - - - > 'lsass.exe'(724)
c:\archivos de programa\F-Secure Internet Security\FWES\Program\fsdc32.dll

- - - - - - - > 'csrss.exe'(644)
c:\archivos de programa\F-Secure Internet Security\FWES\Program\fsdc32.dll
.
Completion time: 2009-02-11 11:04:21
ComboFix-quarantined-files.txt 2009-02-11 13:03:55
ComboFix2.txt 2009-02-11 12:58:47

Pre-Run: 16.482.476.032 bytes libres
Post-Run: 16,474,058,752 bytes libres

189 --- E O F --- 2009-01-07 13:37:48

2. Gmer:

GMER 1.0.12.12011 - http://www.gmer.net
Rootkit scan 2009-02-11 11:32:26
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.12 ----

Code fsdfw.sys IoCreateDevice

---- Kernel code sections - GMER 1.0.12 ----

PAGE ntoskrnl.exe!IoCreateDevice 8059FA61 5 Bytes JMP F7448FA8 fsdfw.sys
PAGENPNP NDIS.SYS!NdisRegisterProtocol F741917F 5 Bytes JMP F7448DBA fsdfw.sys
PAGENPNP NDIS.SYS!NdisOpenAdapter F7419399 5 Bytes JMP F7449342 fsdfw.sys
PAGENPNP NDIS.SYS!NdisCloseAdapter F7423642 5 Bytes JMP F7448EC6 fsdfw.sys
PAGENPNP NDIS.SYS!NdisDeregisterProtocol F7423821 5 Bytes JMP F744915E fsdfw.sys
PAGENDSP NDIS.SYS!NdisReturnPackets F7426810 5 Bytes JMP F7449BF4 fsdfw.sys
PAGENDSP NDIS.SYS!NdisRequest F742697B 5 Bytes JMP F744955A fsdfw.sys
PAGENDSP NDIS.SYS!NdisSend F7429986 5 Bytes JMP F744A574 fsdfw.sys
PAGENDSP NDIS.SYS!NdisSendPackets F74299A3 5 Bytes JMP F744A646 fsdfw.sys
PAGENDSP NDIS.SYS!NdisTransferData F74299BE 5 Bytes JMP F7449CF2 fsdfw.sys
PAGENDCO NDIS.SYS!NdisCoCreateVc F7430186 5 Bytes JMP F7448E24 fsdfw.sys
PAGENDCO NDIS.SYS!NdisCoDeleteVc F7431557 5 Bytes JMP F7448E92 fsdfw.sys
PAGENDCO NDIS.SYS!NdisCoSendPackets F7431AF1 5 Bytes JMP F744A35E fsdfw.sys

---- Devices - GMER 1.0.12 ----

Device \Driver\Tcpip \Device\Ip IRP_MJ_CREATE [F744865A] fsdfw.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_DEVICE_CONTROL [F744865A] fsdfw.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_INTERNAL_DEVICE_CONTROL [F744865A] fsdfw.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_CLEANUP [F744865A] fsdfw.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CREATE [F744865A] fsdfw.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_DEVICE_CONTROL [F744865A] fsdfw.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_INTERNAL_DEVICE_CONTROL [F744865A] fsdfw.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CLEANUP [F744865A] fsdfw.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_CREATE [F744865A] fsdfw.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_DEVICE_CONTROL [F744865A] fsdfw.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_INTERNAL_DEVICE_CONTROL [F744865A] fsdfw.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_CLEANUP [F744865A] fsdfw.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_CREATE [F744865A] fsdfw.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_DEVICE_CONTROL [F744865A] fsdfw.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_INTERNAL_DEVICE_CONTROL [F744865A] fsdfw.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_CLEANUP [F744865A] fsdfw.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CREATE [F744865A] fsdfw.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_DEVICE_CONTROL [F744865A] fsdfw.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_INTERNAL_DEVICE_CONTROL [F744865A] fsdfw.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CLEANUP [F744865A] fsdfw.sys

---- Files - GMER 1.0.12 ----

ADS C:\BACKUP\© Local Disk\Documents and Settings\All Users\Datos de programa\TEMP:08948D52
ADS C:\Documents and Settings\Nelida\Favoritos\4YOU - Video - Video , Inicio.url:favicon
ADS C:\Documents and Settings\Nelida\Favoritos\amazon.com Used and New Berlitz Espanol - Niveles 3-4.url:favicon
ADS C:\Documents and Settings\Nelida\Favoritos\Canal Emprendedor Quienes Somos esmas.com.url:favicon
ADS C:\Documents and Settings\Nelida\Favoritos\Codevisionavr v2 03 5 - Rapidshare Search.url:favicon
ADS C:\Documents and Settings\Nelida\Favoritos\Cultura empresarial japonesa vs. latinoamericana « Gestion Emprendedora.url:favicon
ADS C:\Documents and Settings\Nelida\Favoritos\Descarga de controladores y software HP PSC 1510s All-in-One.url:favicon
ADS C:\Documents and Settings\Nelida\Favoritos\Download DeskTopAuthor Professional 5.6.1 Free Crack Serial Keygen Rapidshare.url:favicon
ADS C:\Documents and Settings\Nelida\Favoritos\e-libro.net Libros digitales Libros gratis Editorial Autores.url:favicon
ADS C:\Documents and Settings\Nelida\Favoritos\personal domestico en Argentina.url:favicon
ADS C:\Documents and Settings\Nelida\Favoritos\programa de chat en tu web , taringa - Buscar con Google.url:favicon
ADS ...

---- EOF - GMER 1.0.12 ----

3. DDS


DDS (Ver_09-02-01.01) - NTFSx86
Run by Nelida at 12:20:59,54 on 11/02/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1252.34.3082.18.2015.1228 [GMT -2:00]

AV: F-Secure Internet Security 2009 9.00 *On-access scanning disabled* (Updated)
FW: F-Secure Internet Security 2009 9.00 *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Archivos de programa\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Archivos de programa\Archivos comunes\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Archivos de programa\Java\jre6\bin\jqs.exe
C:\Archivos de programa\Archivos comunes\LogiShrd\LVCOMSER\LVComSer.exe
C:\Archivos de programa\Archivos comunes\Microsoft Shared\VS7Debug\mdm.exe
C:\Archivos de programa\CDBurnerXP\NMSAccessU.exe
C:\Archivos de programa\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\VTTimer.exe
C:\Archivos de programa\CyberLink\PowerDVD\PDVDServ.exe
C:\Archivos de programa\HP\HP Software Update\HPWuSchd2.exe
C:\Archivos de programa\Archivos comunes\LogiShrd\LComMgr\Communications_Helper.exe
C:\Archivos de programa\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Archivos de programa\DNA\btdna.exe
C:\Archivos de programa\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\Archivos de programa\Archivos comunes\Logishrd\LQCVFX\COCIManager.exe
C:\Archivos de programa\F-Secure Internet Security\Common\FSMA32.EXE
C:\Archivos de programa\F-Secure Internet Security\Common\FSMB32.EXE
C:\Archivos de programa\F-Secure Internet Security\Common\FCH32.EXE
C:\Archivos de programa\F-Secure Internet Security\Anti-Virus\fsgk32st.exe
C:\Archivos de programa\F-Secure Internet Security\Common\FSM32.EXE
C:\Archivos de programa\F-Secure Internet Security\FSAUA\program\fsaua.exe
C:\Archivos de programa\F-Secure Internet Security\Common\FAMEH32.EXE
C:\Archivos de programa\F-Secure Internet Security\Anti-Virus\fsqh.exe
C:\Archivos de programa\F-Secure Internet Security\FSPC\fspc.exe
C:\Archivos de programa\F-Secure Internet Security\FWES\Program\fsdfwd.exe
C:\Archivos de programa\F-Secure Internet Security\FSGUI\fsguidll.exe
C:\Archivos de programa\F-Secure Internet Security\FSAUA\program\fsus.exe
C:\Archivos de programa\F-Secure Internet Security\Anti-Virus\fsav32.exe
C:\Archivos de programa\F-Secure Internet Security\Anti-Virus\FSGK32.EXE
C:\Archivos de programa\F-Secure Internet Security\Anti-Virus\fssm32.exe
C:\Archivos de programa\Internet Explorer\IEXPLORE.EXE
C:\Archivos de programa\Archivos comunes\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Archivos de programa\F-Secure Internet Security\FSGUI\scanwizard.exe
C:\Documents and Settings\Nelida\Escritorio\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
BHO: Aplicación auxiliar de vínculos de Adobe PDF Reader: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\archivos de programa\archivos comunes\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\archivos de programa\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\archivos de programa\avg\avg8\avgssie.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\archivos de programa\java\jre6\bin\ssv.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Windows Live Aplicación auxiliar de inicio de sesión: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\archivos de programa\archivos comunes\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\archivos de programa\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\archivos de programa\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: TextAloud: {f053c368-5458-45b2-9b4d-d8914bdddbff} - c:\archiv~1\textal~1\TAForIE.dll
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
uRun: [BitTorrent DNA] "c:\archivos de programa\dna\btdna.exe"
uRun: [MsnMsgr] "c:\archivos de programa\windows live\messenger\MsnMsgr.Exe" /background
mRun: [VTTimer] VTTimer.exe
mRun: [RemoteControl] "c:\archivos de programa\cyberlink\powerdvd\PDVDServ.exe"
mRun: [HP Software Update] c:\archivos de programa\hp\hp software update\HPWuSchd2.exe
mRun: [LogitechCommunicationsManager] "c:\archivos de programa\archivos comunes\logishrd\lcommgr\Communications_Helper.exe"
mRun: [SunJavaUpdateSched] "c:\archivos de programa\java\jre6\bin\jusched.exe"
mRun: [Adobe Reader Speed Launcher] "c:\archivos de programa\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [LogitechQuickCamRibbon] "c:\archivos de programa\logitech\quickcam\Quickcam.exe" /hide
mRun: [NeroFilterCheck] c:\archivos de programa\archivos comunes\ahead\lib\NeroCheck.exe
mRun: [F-Secure Manager] "c:\archivos de programa\f-secure internet security\common\FSM32.EXE" /splash
mRun: [F-Secure TNB] "c:\archivos de programa\f-secure internet security\fsgui\TNBUtil.exe" /CHECKALL /WAITFORSW
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRun: [DWQueuedReporting] "c:\archiv~1\archiv~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\alluse~1\menini~1\progra~1\inicio\hpdigi~1.lnk - c:\archivos de programa\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\menini~1\progra~1\inicio\logite~1.lnk - c:\archivos de programa\logitech\desktop messenger\8876480\program\LogitechDesktopMessenger.exe
StartupFolder: c:\docume~1\alluse~1\menini~1\progra~1\inicio\micros~1.lnk - c:\archivos de programa\microsoft office\office10\OSA.EXE
StartupFolder: c:\docume~1\alluse~1\menini~1\progra~1\inicio\ultrah~1.lnk - c:\windows\installer\{96ef451e-a402-44d8-baee-d70d558a4122}\New_Shortcut_S1449_0EB7CDB78E0C4A918D2CA535D5B8160C.exe
IE: E&xportar a Microsoft Excel - c:\archiv~1\micros~2\office10\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\archivos de programa\messenger\msmsgs.exe
IE: {200DB664-75B5-47c0-8B45-A44ACCF73C00} - {D68926FD-18FD-4B0E-A1C7-917D13FAB760} - c:\archivos de programa\f-secure internet security\fspc\fspcmsie.dll
IE: {200DB664-75B5-47c0-8B45-A44ACCF73F01} - {D68926FD-18FD-4B0E-A1C7-917D13FAB760} - c:\archivos de programa\f-secure internet security\fspc\fspcmsie.dll
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\archivos de programa\windows live\writer\WriterBrowserExtension.dll
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\archivos de programa\skype\toolbars\internet explorer\SkypeIEPlugin.dll
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/templates/ieawsdc.cab
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/4/9/e494c802-dd90-4c6b-a074-469358f075a6/OGAControl.cab
DPF: {54BE6B6F-3056-470B-97E1-BB92E051B6C4} - hxxp://h20264.www2.hp.com/ediags/dd/install/HPDriverDiagnosticsxp2k.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1216340467140
DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} - hxxps://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\archivos de programa\logitech\desktop messenger\8876480\program\GAPlugProtocol-8876480.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\archiv~1\archiv~1\skype\SKYPE4~1.DLL
SEH: ShellExecuteHook contra el software malintencionado de Microsoft: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\archiv~1\window~4\MpShHook.dll

============= SERVICES / DRIVERS ===============

R0 fsbts;fsbts;c:\windows\system32\drivers\fsbts.sys [2009-2-11 33408]
R0 FSFW;F-Secure Firewall Driver;c:\windows\system32\drivers\fsdfw.sys [2009-1-21 79904]
R1 F-Secure HIPS;F-Secure HIPS Driver;c:\archivos de programa\f-secure internet security\hips\drivers\fshs.sys [2009-1-21 66720]
R2 F-Secure Gatekeeper Handler Starter;FSGKHS;c:\archivos de programa\f-secure internet security\anti-virus\fsgk32st.exe [2009-1-21 215648]
R2 WinDefend;Windows Defender;c:\archivos de programa\windows defender\MsMpEng.exe [2006-11-3 13592]
R3 F-Secure Gatekeeper;F-Secure Gatekeeper;c:\archivos de programa\f-secure internet security\anti-virus\minifilter\fsgk.sys [2009-1-21 84096]
R3 FSORSPClient;F-Secure ORSP Client;c:\archivos de programa\f-secure internet security\orsp client\fsorsp.exe [2009-1-21 55904]
S4 F-Secure Filter;F-Secure File System Filter;c:\archivos de programa\f-secure internet security\anti-virus\win2k\fsfilter.sys [2009-1-21 39776]
S4 F-Secure Recognizer;F-Secure File System Recognizer;c:\archivos de programa\f-secure internet security\anti-virus\win2k\fsrec.sys [2009-1-21 25184]

=============== Created Last 30 ================

2009-02-11 11:50 33,408 a------- c:\windows\system32\drivers\fsbts.sys
2009-02-11 11:11 345 a------- c:\windows\gmer.ini
2009-02-11 10:36 161,792 a------- c:\windows\SWREG.exe
2009-02-11 10:36 98,816 a------- c:\windows\sed.exe
2009-01-27 13:40 <DIR> --d----- c:\windows\system32\%programfiles%
2009-01-27 13:40 <DIR> --d----- c:\windows\system32\%commonprogramfiles%
2009-01-23 18:38 <DIR> --d----- c:\archivos de programa\DeskTopAuthorEval
2009-01-22 17:21 <DIR> --d----- c:\docume~1\nelida\datosd~1\Canneverbe_Limited
2009-01-22 12:39 <DIR> --d----- c:\archivos de programa\VideoLAN
2009-01-21 17:39 <DIR> --d----- c:\docume~1\nelida\datosd~1\F-Secure
2009-01-21 17:33 79,904 a------- c:\windows\system32\drivers\fsdfw.sys
2009-01-21 17:32 <DIR> --d----- c:\archivos de programa\F-Secure Internet Security
2009-01-21 17:31 <DIR> --d----- c:\docume~1\alluse~1\datosd~1\fssg
2009-01-21 17:17 <DIR> --d----- c:\docume~1\alluse~1\datosd~1\f-secure
2009-01-20 10:26 <DIR> --d----- c:\docume~1\alluse~1\datosd~1\Nero
2009-01-20 10:26 <DIR> --d----- c:\archivos de programa\Nero
2009-01-20 10:26 <DIR> --d----- c:\archivos de programa\archivos comunes\Ahead
2009-01-20 10:24 <DIR> --d----- c:\windows\RegisteredPackages

==================== Find3M ====================

2009-02-11 11:13 0 a------- c:\windows\system32\drivers\lvuvc.hs
2009-02-11 11:13 0 a------- c:\windows\system32\drivers\logiflt.iad
2009-02-11 10:42 90,112 a------- c:\windows\DUMP7f61.tmp
2009-02-03 14:28 90,112 a------- c:\windows\DUMP89d1.tmp
2009-01-26 16:12 356,352 a------- c:\windows\eSellerateEngine.dll
2009-01-26 16:12 31,728 a------- c:\windows\dbrmdwb.exe
2009-01-26 16:12 2,442,736 a------- c:\windows\npdbplug.dll
2009-01-23 15:09 1,023,456 a------- c:\windows\dbplugin.exe
2009-01-21 17:33 460,118 a------- c:\windows\system32\perfh00A.dat
2009-01-21 17:33 79,596 a------- c:\windows\system32\perfc00A.dat
2009-01-02 11:07 143,360 a------- c:\windows\picn1120.dll
2009-01-02 11:07 143,360 a------- c:\windows\picn1020.dll
2008-12-22 20:52 306,432 a------- c:\windows\system32\TuneUpDefragService.exe
2008-12-16 21:02 253,952 -------- c:\windows\Setup1.exe
2008-12-16 21:02 74,240 a------- c:\windows\ST6UNST.EXE
2008-12-15 17:06 410,984 a------- c:\windows\system32\deploytk.dll
2008-11-27 20:44 25,544 a------- c:\docume~1\nelida\datosd~1\GDIPFONTCACHEV1.DAT
2008-07-17 23:15 32,768 a--sh--- c:\windows\system32\config\systemprofile\configuración local\historial\history.ie5\mshist012008063020080707\index.dat
2008-07-17 23:15 32,768 a--sh--- c:\windows\system32\config\systemprofile\configuración local\historial\history.ie5\mshist012008071720080718\index.dat

============= FINISH: 12:21:27,12 ===============


#6 Daffe (Topic Starter, Members, 11 posts)

Posted 11 February 2009 - 12:24 PM

Regarding the Windows Update problem.
After checking this page: http://support.microsoft.com/kb/910341/en-us at MS, I took a little look in the registry. I did not change any values.
Instead of this value: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
I found only this: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon on my teacher's computer.

This is the only value in the Notify string. I checked my laptop (Norwegian XP Home) and it has a lot of different values under the Notify string. What can I do to fix this problem?

BR
Daffe
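The comparison Daffe describes, looking at what sits under Winlogon\Notify on the teacher's machine versus a healthy XP install, can be done from two `reg export` files instead of by eye. The script below is an added example, not something posted in the thread. The two .reg texts are constructed samples: only SensLogn and WgaLogon are package names that appear in the thread; Schedule and the DLL names are illustrative, and `example_pkg` is a made-up entry to show how an unexpected Notify package (a classic persistence spot) is reported. The script only reports differences; it changes nothing.

```python
import re

KEY_LINE = re.compile(r"^\[(.+)\]$")
VALUE_LINE = re.compile(r'^"([^"]+)"=(.*)$')

# Constructed sample of `reg export` output from a known-good XP machine. SensLogn and WgaLogon are the
# only package names taken from the thread; Schedule and the DLL names are illustrative. Build the real
# baseline from a reference machine at the same service-pack level.
BASELINE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"DLLName"="wlnotify.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
"DLLName"="WgaLogon.dll"
"""

# Constructed sample of the same export from the suspect machine: WgaLogon only, as the post describes,
# plus a made-up `example_pkg` entry to show how an unexpected Notify package is reported.
SUSPECT_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
"DLLName"="WgaLogon.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\example_pkg]
"DLLName"="c:\\windows\\system32\\example_pkg.dll"
"Asynchronous"=dword:00000000
"""


def parse_reg(text):
    r"""Parse regedit / `reg export` text into {key path: {value name: value}}.
    Quoted string values are unquoted and the .reg backslash escaping (\\) is undone."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_LINE.match(line)
        if m:
            current = m.group(1)
            keys[current] = {}
            continue
        m = VALUE_LINE.match(line)
        if m and current is not None:
            name, value = m.groups()
            if len(value) >= 2 and value[0] == value[-1] == '"':
                value = value[1:-1].replace("\\\\", "\\")
            keys[current][name] = value
    return keys


def notify_packages(keys):
    r"""Return {package: DLLName} for every subkey directly under ...\Winlogon\Notify."""
    pkgs = {}
    for path, values in keys.items():
        parent, _, package = path.rpartition("\\")
        if parent.lower().endswith(r"\winlogon\notify"):
            pkgs[package] = next((v for k, v in values.items() if k.lower() == "dllname"), None)
    return pkgs


def compare_notify(suspect_text, baseline_text):
    """Diff the Notify packages of two exports: missing, extra (with their DLLs), and changed DLL names."""
    sus = notify_packages(parse_reg(suspect_text))
    base = notify_packages(parse_reg(baseline_text))
    common = set(sus) & set(base)
    extra = sorted(set(sus) - set(base))
    return {
        "missing": sorted(set(base) - set(sus)),
        "extra": extra,
        "extra_dlls": {p: sus[p] for p in extra},
        "dll_changed": sorted(p for p in common if (sus[p] or "").lower() != (base[p] or "").lower()),
    }


if __name__ == "__main__":
    for field, value in compare_notify(SUSPECT_REG, BASELINE_REG).items():
        print(f"{field}: {value}")
```

regedit's "Version 5.00" exports are normally UTF-16LE text, so read the files with encoding="utf-16" before handing the text to compare_notify. A package in "extra" whose DLL sits outside system32, or a "dll_changed" entry, is worth posting here before anything is touched.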

#7 extremeboy (Malware Response Team, 12,975 posts)

Posted 11 February 2009 - 04:36 PM

Hello.

Post the first ComboFix log please. It's located here: C:\Qoobox\Combofix2.txt <- this one.

You are right, do not fix things on your own, especially the REGISTRY.

Is Windows Update the only problem you have?

With regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.


#8 Daffe (Topic Starter, Members, 11 posts)

Posted 12 February 2009 - 12:00 AM

Hi.
I thought this was the first ComboFix log, but I will check once more. As far as I can tell, Windows Update is the only problem now, but my teacher wrote me a few hours ago telling me that Live Messenger is shutting down every five minutes. I will check her computer again tomorrow, but after that I will only have remote access to it because I go back to Norway.

#9 Daffe (Topic Starter, Members, 11 posts)

Posted 12 February 2009 - 10:24 AM

Hi EB
Here is the log you requested:

ComboFix 09-02-10.03 - Nelida 2009-02-11 10:45:34.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.34.3082.18.2015.1607 [GMT -2:00]
Running from: c:\documents and settings\Nelida\Escritorio\ComboFix.exe
AV: F-Secure Internet Security 2009 9.00 *On-access scanning disabled* (Updated)
FW: F-Secure Internet Security 2009 9.00 *disabled*

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Autorun.inf
C:\resycled
c:\resycled\ntldr.com
c:\windows\a3kebook.ini
c:\windows\akebook.ini
c:\windows\ANS2000.INI
c:\windows\system32\DNLEng.dll
c:\windows\system32\drivers\gaopdxserv.sys
c:\windows\system32\drivers\msqpdxiqmowqjb.sys
c:\windows\system32\msqpdxpjebyoom.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_MSQPDXSERV.SYS


((((((((((((((((((((((((( Files Created from 2009-01-11 to 2009-02-11 )))))))))))))))))))))))))))))))
.

2009-01-27 13:40 . 2009-01-27 13:40 <DIR> d-------- c:\windows\system32\%programfiles%
2009-01-27 13:40 . 2009-01-27 13:40 <DIR> d-------- c:\windows\system32\%commonprogramfiles%
2009-01-23 18:38 . 2009-01-23 18:39 <DIR> d-------- c:\archivos de programa\DeskTopAuthorEval
2009-01-22 17:21 . 2009-01-22 17:21 <DIR> d-------- c:\documents and settings\Nelida\Datos de programa\Canneverbe_Limited
2009-01-22 17:21 . 2009-01-22 17:21 <DIR> d-------- c:\archivos de programa\CDBurnerXP
2009-01-22 12:42 . 2009-01-22 12:42 <DIR> d-------- c:\documents and settings\Nelida\Datos de programa\vlc
2009-01-22 12:39 . 2009-01-22 12:39 <DIR> d-------- c:\archivos de programa\VideoLAN
2009-01-21 17:39 . 2009-01-21 17:39 <DIR> d-------- c:\documents and settings\Nelida\Datos de programa\F-Secure
2009-01-21 17:33 . 2008-10-14 11:01 79,904 --a------ c:\windows\system32\drivers\fsdfw.sys
2009-01-21 17:32 . 2009-01-21 17:34 <DIR> d-------- c:\archivos de programa\F-Secure Internet Security
2009-01-21 17:31 . 2009-01-21 17:31 <DIR> d-------- c:\documents and settings\All Users\Datos de programa\fssg
2009-01-21 17:17 . 2009-01-21 17:33 <DIR> d-------- c:\documents and settings\All Users\Datos de programa\f-secure
2009-01-20 10:30 . 2009-01-20 10:30 <DIR> d-------- c:\documents and settings\Nelida\Datos de programa\Ahead
2009-01-20 10:28 . 2009-01-20 10:28 <DIR> d-------- c:\documents and settings\All Users\Datos de programa\Ahead
2009-01-20 10:26 . 2009-01-20 10:26 <DIR> d-------- c:\documents and settings\All Users\Datos de programa\Nero
2009-01-20 10:26 . 2009-01-20 10:26 <DIR> d-------- c:\archivos de programa\Nero
2009-01-20 10:26 . 2009-01-20 10:27 <DIR> d-------- c:\archivos de programa\Archivos comunes\Ahead

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-11 12:44 0 ----a-w c:\windows\system32\drivers\lvuvc.hs
2009-02-11 12:44 0 ----a-w c:\windows\system32\drivers\logiflt.iad
2009-02-11 12:42 90,112 ----a-w c:\windows\DUMP7f61.tmp
2009-02-11 12:40 --------- d-----w c:\documents and settings\Nelida\Datos de programa\DNA
2009-02-11 11:52 --------- d-----w c:\archivos de programa\DNA
2009-02-03 16:28 90,112 ----a-w c:\windows\DUMP89d1.tmp
2009-02-02 21:28 --------- d-----w c:\documents and settings\Nelida\Datos de programa\BitTorrent
2009-02-02 15:22 --------- d-----w c:\documents and settings\Nelida\Datos de programa\Image Zone Express
2009-01-26 18:12 356,352 ----a-w c:\windows\eSellerateEngine.dll
2009-01-26 18:12 31,728 ----a-w c:\windows\dbrmdwb.exe
2009-01-26 18:12 2,442,736 ----a-w c:\windows\npdbplug.dll
2009-01-23 20:38 --------- d-----w c:\archivos de programa\Archivos comunes\Wise Installation Wizard
2009-01-23 17:09 1,023,456 ----a-w c:\windows\dbplugin.exe
2009-01-21 19:27 --------- d-----w c:\documents and settings\All Users\Datos de programa\avg8
2009-01-21 18:00 --------- d-----w c:\archivos de programa\DeskTopAuthor
2009-01-20 12:14 --------- d-----w c:\archivos de programa\Ahead
2009-01-20 12:00 --------- d-----w c:\archivos de programa\TextAloud
2009-01-05 20:53 --------- d-----w c:\archivos de programa\AV VCS 3.0 Gold
2009-01-02 20:43 --------- d-----w c:\archivos de programa\Cepstral
2009-01-02 13:07 143,360 ----a-w c:\windows\picn1120.dll
2009-01-02 13:07 143,360 ----a-w c:\windows\picn1020.dll
2008-12-24 18:03 --------- d-----w c:\archivos de programa\eBook Maestro PRO
2008-12-23 19:34 --------- d-----w c:\archivos de programa\Sodels
2008-12-23 19:12 --------- d-----w c:\archivos de programa\Speak Aloud
2008-12-23 17:40 --------- d-----w c:\archivos de programa\Zabaware
2008-12-22 22:52 306,432 ----a-w c:\windows\system32\TuneUpDefragService.exe
2008-12-22 22:52 --------- d-----w c:\documents and settings\Nelida\Datos de programa\TuneUp Software
2008-12-22 22:52 --------- d-----w c:\archivos de programa\TuneUp Utilities 2008
2008-12-22 22:51 --------- d-----w c:\documents and settings\All Users\Datos de programa\TuneUp Software
2008-12-22 20:58 --------- d-----w c:\archivos de programa\Loquendo
2008-12-22 19:26 --------- d--h--w c:\archivos de programa\InstallShield Installation Information
2008-12-22 18:11 --------- d-----w c:\documents and settings\All Users\Datos de programa\WinZip
2008-12-19 15:47 --------- d-----w c:\archivos de programa\Clever Software
2008-12-19 14:48 --------- d-----w c:\archivos de programa\PhotonFX
2008-12-19 14:07 --------- d-----w c:\archivos de programa\Dialogoo
2008-12-19 13:50 --------- d-----w c:\archivos de programa\Web Page Maker V2
2008-12-18 16:41 --------- d-----w c:\archivos de programa\Activ E-Book 4.22
2008-12-18 15:19 --------- d-----w c:\archivos de programa\NATATA eBook Compiler 3.0.3
2008-12-17 21:50 --------- d-----w c:\documents and settings\Nelida\Datos de programa\Audio Recorder Titanium
2008-12-17 21:49 --------- d-----w c:\archivos de programa\Audio Recorder Titanium
2008-12-16 23:21 --------- d-----w c:\archivos de programa\Borland
2008-12-16 23:21 --------- d-----w c:\archivos de programa\Ardora
2008-12-16 23:11 --------- d-----w c:\archivos de programa\Gen_Test
2008-12-16 23:02 74,240 ----a-w c:\windows\ST6UNST.EXE
2008-12-16 23:02 253,952 ------w c:\windows\Setup1.exe
2008-12-16 14:41 --------- d-----w c:\archivos de programa\Windows Live
2008-12-16 14:38 --------- d-----w c:\archivos de programa\WebSite X5 Evolution
2008-12-15 19:06 410,984 ----a-w c:\windows\system32\deploytk.dll
2008-12-15 19:05 --------- d-----w c:\archivos de programa\Java
2008-12-15 18:36 --------- d-----w c:\archivos de programa\JMF2.1.1e
2008-12-15 18:27 --------- d-----w c:\archivos de programa\Archivos comunes\Java
2008-11-27 22:44 25,544 ----a-w c:\documents and settings\Nelida\Datos de programa\GDIPFONTCACHEV1.DAT
2008-07-18 01:15 32,768 --sha-w c:\windows\system32\config\systemprofile\Configuración local\Historial\History.IE5\MSHist012008063020080707\index.dat
2008-07-18 01:15 32,768 --sha-w c:\windows\system32\config\systemprofile\Configuración local\Historial\History.IE5\MSHist012008071720080718\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"BitTorrent DNA"="c:\archivos de programa\DNA\btdna.exe" [2008-12-19 342848]
"MsnMsgr"="c:\archivos de programa\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RemoteControl"="c:\archivos de programa\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-02 32768]
"HP Software Update"="c:\archivos de programa\HP\HP Software Update\HPWuSchd2.exe" [2005-05-12 49152]
"LogitechCommunicationsManager"="c:\archivos de programa\Archivos comunes\LogiShrd\LComMgr\Communications_Helper.exe" [2007-07-25 563984]
"SunJavaUpdateSched"="c:\archivos de programa\Java\jre6\bin\jusched.exe" [2008-12-15 136600]
"Adobe Reader Speed Launcher"="c:\archivos de programa\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"LogitechQuickCamRibbon"="c:\archivos de programa\Logitech\QuickCam\Quickcam.exe" [2007-07-25 2027792]
"NeroFilterCheck"="c:\archivos de programa\Archivos comunes\Ahead\Lib\NeroCheck.exe" [2007-03-01 153136]
"F-Secure Manager"="c:\archivos de programa\F-Secure Internet Security\Common\FSM32.EXE" [2008-10-14 182936]
"F-Secure TNB"="c:\archivos de programa\F-Secure Internet Security\FSGUI\TNBUtil.exe" [2008-10-14 957024]
"VTTimer"="VTTimer.exe" [2004-09-01 c:\windows\system32\VTTimer.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
"DWQueuedReporting"="c:\archiv~1\ARCHIV~1\MICROS~1\DW\dwtrig20.exe" [2005-04-25 36040]

c:\documents and settings\All Users\Menú Inicio\Programas\Inicio\
HP Digital Imaging Monitor.lnk - c:\archivos de programa\HP\Digital Imaging\bin\hpqtra08.exe [2005-05-12 282624]
Logitech Desktop Messenger.lnk - c:\archivos de programa\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe [2008-10-20 67128]
Microsoft Office.lnk - c:\archivos de programa\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]
Ultra Hal Text-to-Speech Reader Startup.lnk - c:\windows\Installer\{96EF451E-A402-44D8-BAEE-D70D558A4122}\New_Shortcut_S1449_0EB7CDB78E0C4A918D2CA535D5B8160C.exe [2008-12-23 40960]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Archivos de programa\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Archivos de programa\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Archivos de programa\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Archivos de programa\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Archivos de programa\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Archivos de programa\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Archivos de programa\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Archivos de programa\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Archivos de programa\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Archivos de programa\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Archivos de programa\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Archivos de programa\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Archivos de programa\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Archivos de programa\\Messenger\\msmsgs.exe"=
"c:\\Archivos de programa\\NetMeeting\\conf.exe"=
"c:\\Archivos de programa\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
"c:\\Archivos de programa\\DNA\\btdna.exe"=
"c:\\Archivos de programa\\BitTorrent\\bittorrent.exe"=
"c:\\Archivos de programa\\Skype\\Phone\\Skype.exe"=
"c:\\Archivos de programa\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Archivos de programa\\Windows Live\\Messenger\\livecall.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=

R0 FSFW;F-Secure Firewall Driver;c:\windows\system32\drivers\fsdfw.sys [2009-01-21 79904]
R1 F-Secure HIPS;F-Secure HIPS Driver;c:\archivos de programa\F-Secure Internet Security\HIPS\drivers\fshs.sys [2009-01-21 66720]
R2 WinDefend;Windows Defender;c:\archivos de programa\Windows Defender\MsMpEng.exe [2006-11-03 13592]
R3 F-Secure Gatekeeper;F-Secure Gatekeeper;c:\archivos de programa\F-Secure Internet Security\Anti-Virus\minifilter\fsgk.sys [2009-01-21 72288]
R3 FSORSPClient;F-Secure ORSP Client;c:\archivos de programa\F-Secure Internet Security\ORSP Client\fsorsp.exe [2009-01-21 55904]
S4 F-Secure Filter;F-Secure File System Filter;c:\archivos de programa\F-Secure Internet Security\Anti-Virus\win2k\fsfilter.sys [2009-01-21 39776]
S4 F-Secure Recognizer;F-Secure File System Recognizer;c:\archivos de programa\F-Secure Internet Security\Anti-Virus\win2k\fsrec.sys [2009-01-21 25184]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3e710378-e6ea-11dd-ab9e-0011d8f95f23}]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL resycled\ntldr.com f:
\Shell\Open\command - f:\resycled\ntldr.com f:
.
Contents of the 'Scheduled Tasks' folder

2009-02-06 c:\windows\Tasks\1-Click Maintenance.job
- c:\archivos de programa\TuneUp Utilities 2008\OneClick.exe [2007-12-21 16:17]

2009-02-11 c:\windows\Tasks\MP Scheduled Scan.job
- c:\archivos de programa\Windows Defender\MpCmdRun.exe [2006-11-03 19:20]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: E&xportar a Microsoft Excel - c:\archiv~1\MICROS~2\Office10\EXCEL.EXE/3000
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\archivos de programa\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-11 10:56:31
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(668)
c:\archivos de programa\F-Secure Internet Security\FWES\Program\fsdc32.dll

- - - - - - - > 'lsass.exe'(724)
c:\archivos de programa\F-Secure Internet Security\FWES\Program\fsdc32.dll

- - - - - - - > 'csrss.exe'(644)
c:\archivos de programa\F-Secure Internet Security\FWES\Program\fsdc32.dll
.
Completion time: 2009-02-11 10:58:46
ComboFix-quarantined-files.txt 2009-02-11 12:58:12

Pre-Run: 14,262,140,928 bytes libres
Post-Run: 16,477,958,144 bytes libres

204 --- E O F --- 2009-01-07 13:37:48


I forgot to tell you that during the startup after removing files, the machine refused to start up by itself, and tried to start up in the option where I can choose safe mode. After two tries I had to use the power off button and restart. Then it continued fine. When it would not start up there came several beeps and the screen turned up with a lot of colours (just like if you have the wrong driver for the graphics card).
Hope this was relevant info.
BTW after leaving the machine turned on the night through, the messenger is stable.

BR
Daffe

Edited by Daffe, 12 February 2009 - 10:27 AM.
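The MountPoints2 entry in the ComboFix log above (a \Shell\AutoRun\command that launches resycled\ntldr.com from f: through rundll32) is the per-volume autorun persistence that removable-media worms leave in the user hive. As an added example that is not part of this thread or of ComboFix, the following Python script parses MountPoints2 blocks from a log in that shape and reports only the commands that show the pattern. The heuristics, the sample text and the benign contrast entry with an all-zero GUID are the editor's own constructions.

```python
"""Flag suspicious MountPoints2 shell commands in a ComboFix-style log.

Added example: reads the '[HKCU\\...\\mountpoints2\\{GUID}]' blocks that ComboFix
prints under 'Reg Loading Points' and reports commands showing the autorun-worm
pattern. Heuristics and sample data are the editor's own, not ComboFix's.
"""
import re
from dataclasses import dataclass, field

# Constructed sample in the shape ComboFix prints: the entry from the log above
# plus a made-up, benign-looking entry (all-zero GUID) for contrast.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3e710378-e6ea-11dd-ab9e-0011d8f95f23}]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL resycled\ntldr.com f:
\Shell\Open\command - f:\resycled\ntldr.com f:
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{00000000-0000-0000-0000-000000000000}]
\Shell\Open\command - c:\archivos de programa\Example\viewer.exe e:
"""

# Key line: "[...\mountpoints2\{GUID}]"; command line: "\Shell\<verb>\command - <cmd>"
KEY_RE = re.compile(r"^\[[^\]]*mountpoints2\\(?P<guid>\{[^}]+\})\]\s*$", re.I)
CMD_RE = re.compile(r"^\\Shell\\(?P<verb>[^\\]+)\\command\s+-\s+(?P<cmd>.*\S)\s*$", re.I)


@dataclass
class Finding:
    guid: str
    verb: str
    command: str
    reasons: list = field(default_factory=list)


def assess(verb: str, cmd: str) -> list:
    """Return the reasons a MountPoints2 shell command looks like worm autorun."""
    low = cmd.lower()
    reasons = []
    if verb.lower() == "autorun":
        # A per-volume AutoRun verb fires when the volume is opened or double-clicked.
        reasons.append("AutoRun verb registered for a mounted volume")
    if "shellexec_rundll" in low:
        # rundll32 Shell32.DLL,ShellExec_RunDLL is a launcher indirection that
        # keeps the payload name out of the first token of the command line.
        reasons.append("rundll32 ShellExec_RunDLL indirection")
    if "resycled" in low:
        # Misspelled 'recycled' folder, named to pass for the Recycle Bin.
        reasons.append("payload in a 'resycled' directory")
    if re.match(r"^[d-z]:\\", low):
        # Executable lives on a non-system drive letter, i.e. the removable media.
        reasons.append("target executable on a non-system drive")
    return reasons


def scan_mountpoints(log_text: str) -> list:
    """Parse MountPoints2 blocks; return only commands with at least one reason."""
    findings = []
    guid = None
    for line in log_text.splitlines():
        key = KEY_RE.match(line)
        if key:
            guid = key.group("guid")
            continue
        cmd = CMD_RE.match(line)
        if cmd and guid:
            reasons = assess(cmd.group("verb"), cmd.group("cmd"))
            if reasons:
                findings.append(Finding(guid, cmd.group("verb"), cmd.group("cmd"), reasons))
    return findings


if __name__ == "__main__":
    for f in scan_mountpoints(SAMPLE_LOG):
        print(f"{f.guid} \\Shell\\{f.verb}\\command -> {f.command}")
        for r in f.reasons:
            print("   -", r)
```

Run as-is it reports both commands under the GUID from the log and nothing for the constructed benign entry. The flagged drive letter is the useful lead for a responder: the registry value only re-fires when that volume is opened again, so the removable media that was plugged in at the time of infection needs scanning as well, or the cleaned machine is reinfected on the next insert.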


#10 extremeboy
  • Malware Response Team
  • 12,975 posts
  • Gender:Male

Posted 12 February 2009 - 05:40 PM

Hello.

Okay, glad that your messenger is sorted out but unfortunately you had a rootkit/backdoor infection. Your computer is already compromised by now. Also, trying to fix a computer using remote can be very difficult. Some tools we run might need Safe Mode, or disconnect the connection while it runs.
Who is operating the machine in question? The instructions given will be step-by-step and easy to understand. If at all possible, run the fixes directly. Do you want to continue using remote?

Rootkit Threat

Unfortunately, one or more of the identified infections is a rootkit/backdoor trojan.

IMPORTANT NOTE: Rootkits and backdoor Trojans are very dangerous because they use advanced techniques (backdoors) as a means of accessing a computer system that bypass security mechanisms and steal sensitive information which they send back to the hacker. Many rootkits can hook into the Windows 32-bit kernel, and patch several APIs to hide new registry keys and files they install. Remote attackers use backdoor Trojans and rootkits as part of an exploit to gain unauthorized access to a computer and take control of it without your knowledge.

If your computer was used for online banking, has credit card information or other sensitive data on it, you should immediately disconnect from the Internet until your system is cleaned. All passwords should be changed immediately, including those used for banking, email, eBay, PayPal and online forums. You should consider them to be compromised. You should change each password by using a different computer and not the infected one. If not, an attacker may get the new passwords and transaction information. If using a router, you need to reset it with a strong logon/password so the malware cannot gain control before connecting again. Banking and credit card institutions should be notified of the possible security breach. Because your computer was compromised please read How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?

Although the rootkit has been identified and may be removed, your PC has likely been compromised and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume that because this malware has been removed the computer is now secure. In some instances an infection may have caused so much damage to your system that it cannot be completely cleaned or repaired. The malware may leave so many remnants behind that security tools cannot find them. Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Please read:
Should you decide not to follow that advice, we will do our best to help clean the computer of any infections but we cannot guarantee it to be trustworthy or that the removal will be successful. Tell me what you wish to do.

With Regards,
Extremeboy

Edited by extremeboy, 12 February 2009 - 05:40 PM.

Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to.

#11 Daffe
  • Topic Starter
  • Members
  • 11 posts

Posted 13 February 2009 - 06:38 PM

Hello Extremeboy.
Thank you so much for your help this far. I'm a bit unsure about the further progression. The machine in question is operated by my teacher. She uses it for running her school in Buenos Aires, mainly for using email and producing study material. There is no banking involved.
I'm now 17 hours' flight away, and she is not very knowledgeable about computers (or English). I think she can get help to reinstall the system, but the problem is taking a backup of the data she has.
She now has F-Secure Internet Security 2009 installed and fully functional. (As far as I know, that is.)
I have been helping her remotely earlier, and was hoping to be able to do it again with this problem. Of course I can try just to tell her what to do, but if something jams I'm afraid she will be without a working computer for a long time. She only has this one computer, so if I lose comms with her by Messenger or mail, it's a bit difficult.
I have read the links and maybe the easiest is to reinstall, but I really have no idea when that is possible to do.
How are the other tools?

BR
Daffe

#12 extremeboy
  • Malware Response Team
  • 12,975 posts
  • Gender:Male

Posted 13 February 2009 - 08:19 PM

Hello again.

Backing up isn't really difficult. If there's nothing important then you don't need to back up. If there is some important data, a reinstall will not erase any data. Meaning all pictures, documents and everything will still be there. However, a format is different. This will erase everything. If you want to be on the safe side, plug in an external hard drive and back up all important data files. Do not back up any executables, including .exe, .scr, .zip archives etc., as they may contain traces of malware in them.

Programs that she has installed will need to be reinstalled though.

If you have any questions or need help on reinstalling or formatting a drive, feel free to start another topic in the XP forum located over here: http://www.bleepingcomputer.com/forums/f/56/windows-xp-home-and-professional/

Someone there will definitely help you with it.
For a FORMAT there is an excellent tutorial provided by wng_z3r0. The link can be found over here

For a REINSTALL look at the following excellent tutorial over here

Any questions should be asked in the Windows XP forum.

You should tell her about the infection that is present; although we can clean this machine, it probably will not be trustworthy anymore and may be a privacy risk to some users. If you still want to clean this machine, tell me in your next reply.

With Regards,
Extremeboy


#13 Daffe
  • Topic Starter
  • Members
  • 11 posts

Posted 14 February 2009 - 06:24 AM

Hello.
Just for the record, EB. By reinstall you here mean using the repair option on the WinXP CD? If so I will tell her to get help with that.

BR
Daffe

#14 extremeboy
  • Malware Response Team
  • 12,975 posts
  • Gender:Male

Posted 14 February 2009 - 10:14 AM

Hello Daffe.

Yes, by reinstall I mean using the repair option. Make sure she doesn't overwrite any of her files/folders. Also make sure she selects the correct one instead of formatting everything and overwriting her data if it's all on one drive. If her drive is partitioned and only one drive is for her Windows, then it should be fairly simple. Just overwriting/setting up Windows in that C:\ drive would work.

This tutorial I gave you helps, but questions or comments should be asked in the XP forum: http://www.michaelstevenstech.com/cleanxpinstall.html

With Regards,
Extremeboy

#15 Daffe
  • Topic Starter
  • Members
  • 11 posts

Posted 14 February 2009 - 03:26 PM

Ok.
Thank you for your help so far EB. Is there anything else I should ask her to do other than reinstall, or would that do the trick?

BR
Daffe



