Huge invasion of Trojan horses mixed with some viruses and spyware


  • This topic is locked
3 replies to this topic

#1 ewjimmy


Posted 06 April 2009 - 08:55 PM

Hello and thank you very much for attending this post.
I'm not sure about when and why it all began, but now my Windows XP Pro is totally infected by a true horde of Trojans and some other malicious files. I've already tried (both in normal and safe mode reboots) running some applications such as AVG Antivirus, Ad-Aware, SpyBot S&D, SuperAntiSpyware, Malwarebytes and HiJackThis.
At the end of this text I'm including the HJT report and some of the infections I could erase as well as some others that are still under quarantine by the software I've quoted before.


DDS (Ver_09-03-16.01) - NTFSx86
Run by carlos at 2:49:24,65 on 07/04/2009
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Professional 5.1.2600.2.1252.34.3082.18.512.149 [GMT 2:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\Archivos de programa\Archivos comunes\iS3\Anti-Spyware\SZServer.exe
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Archivos de programa\Archivos comunes\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\ARCHIV~1\AVG\AVG8\avgwdsvc.exe
C:\Archivos de programa\Bonjour\mDNSResponder.exe
C:\ARCHIV~1\AVG\AVG8\avgemc.exe
C:\ARCHIV~1\AVG\AVG8\avgrsx.exe
C:\ARCHIV~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Archivos de programa\Messenger\msmsgs.exe
C:\Archivos de programa\Archivos comunes\Ahead\Lib\NMBgMonitor.exe
C:\ARCHIV~1\AVG\AVG8\avgnsx.exe
C:\Archivos de programa\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\System32\svchost.exe
C:\Archivos de programa\Archivos comunes\Ahead\Lib\NMIndexStoreSvr.exe
C:\Archivos de programa\AVG\AVG8\avgcsrvx.exe
C:\Archivos de programa\STOPzilla!\STOPzilla.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Archivos de programa\Archivos comunes\Ahead\Lib\NMIndexingService.exe
C:\Archivos de programa\Mozilla Firefox\firefox.exe
C:\Archivos de programa\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Archivos de programa\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\carlos\Escritorio\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.es/
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: Barra Yahoo!: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\archivos de programa\yahoo!\companion\installs\cpn\yt.dll
mURLSearchHooks: Barra Yahoo!: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\archivos de programa\yahoo!\companion\installs\cpn\yt.dll
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\windows\system32\7z.exe,c:\windows\system32\i386kd.exe,
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\archivos de programa\yahoo!\companion\installs\cpn\yt.dll
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\archivos de programa\adobe\acrobat 5.0\reader\activex\AcroIEHelper.ocx
BHO: STOPzilla Browser Helper Object: {e3215f20-3212-11d6-9f8b-00d0b743919d} - c:\archivos de programa\stopzilla!\SZIEBHO.dll
BHO: EpsonToolBandKicker Class: {e99421fb-68dd-40f0-b4ac-b7027cae2f1a} - c:\archivos de programa\epson\epson web-to-page\EPSON Web-To-Page.dll
TB: EPSON Web-To-Page: {ee5d279f-081b-4404-994d-c6b60aaeba6d} - c:\archivos de programa\epson\epson web-to-page\EPSON Web-To-Page.dll
TB: Barra Yahoo!: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\archivos de programa\yahoo!\companion\installs\cpn\yt.dll
TB: STOPzilla: {98828ded-a591-462f-83ba-d2f62a68b8b8} - c:\archivos de programa\stopzilla!\SZSG.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\archivos de programa\messenger\msmsgs.exe" /background
uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\archivos de programa\archivos comunes\ahead\lib\NMBgMonitor.exe"
uRun: [reader_s] c:\documents and settings\carlos\reader_s.exe
mRun: [AVG8_TRAY] c:\archiv~1\avg\avg8\avgtray.exe
dRun: [reader_s] c:\documents and settings\carlos\reader_s.exe
IE: E&xportar a Microsoft Excel - c:\archiv~1\micros~2\office11\EXCEL.EXE/3000
IE: {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - c:\archivos de programa\pokerstars\PokerStarsUpdate.exe
IE: {53F6FCCD-9E22-4d71-86EA-6E43136192AB}
IE: {925DAB62-F9AC-4221-806A-057BFB1014AA}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\archivos de programa\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\archiv~1\micros~2\office11\REFIEBAR.DLL
LSP: c:\archivos de programa\archivos comunes\is3\anti-spyware\iS3lsp.dll
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1238954093171
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
TCP: {2090402A-545C-481D-B761-4E08AE609F3F} = 80.58.61.250,80.58.61.254
TCP: {443C7356-0D47-4537-A51F-BD7B92707FF6} = 80.58.0.33,80.58.32.97
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\archivos de programa\avg\avg8\avgpp.dll
Notify: !SASWinLogon - c:\archivos de programa\superantispyware\SASWINLO.dll
Notify: avgrsstarter - avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\archivos de programa\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\carlos\datosd~1\mozilla\firefox\profiles\f4zj9h8h.default\
FF - component: c:\archivos de programa\avg\avg8\firefox\components\avgssff.dll

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-3-14 64160]
R0 szkg5;szkg;c:\windows\system32\drivers\SZKG.sys [2009-3-12 54656]
R1 ATMhelpr;ATMhelpr;c:\windows\system32\drivers\ATMHELPR.SYS [2008-11-6 4064]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-4-5 325128]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-4-5 27656]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-4-5 107272]
R1 SASDIFSV;SASDIFSV;c:\archivos de programa\superantispyware\SASDIFSV.SYS [2009-2-17 9968]
R1 SASKUTIL;SASKUTIL;c:\archivos de programa\superantispyware\SASKUTIL.SYS [2009-2-17 55024]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\archiv~1\avg\avg8\avgemc.exe [2009-4-5 903960]
R2 avg8wd;AVG Free8 WatchDog;c:\archiv~1\avg\avg8\avgwdsvc.exe [2009-4-5 298264]
R3 echo24;Mia Service;c:\windows\system32\drivers\echo24.sys [2001-11-26 540087]
S2 npf;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys --> c:\windows\system32\drivers\npf.sys [?]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\archivos de programa\lavasoft\ad-aware\AAWService.exe [2009-1-18 951632]
S3 SASENUM;SASENUM;c:\archivos de programa\superantispyware\SASENUM.SYS [2009-2-17 7408]
SUnknown DhcpSrv;DhcpSrv; [x]

=============== Created Last 30 ================

2009-04-07 02:23 376 a------- c:\windows\system32\drivers\kgpfr2.cfg
2009-04-07 02:21 1,816 a------- c:\windows\system32\drivers\kgpcpy.cfg
2009-04-07 02:04 <DIR> --d----- c:\archivos de programa\Trend Micro
2009-04-07 01:50 <DIR> --d----- c:\docume~1\carlos\datosd~1\Malwarebytes
2009-04-07 01:50 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-04-07 01:50 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-07 01:50 <DIR> --d----- c:\docume~1\alluse~1\datosd~1\Malwarebytes
2009-04-07 01:50 <DIR> --d----- c:\archivos de programa\Malwarebytes' Anti-Malware
2009-04-07 01:32 230,400 a------- c:\windows\system32\w.ex_
2009-04-06 20:09 62 a------- c:\windows\system32\xma
2009-04-06 20:09 1 a------- c:\windows\system32\1E.tmp
2009-04-06 19:56 <DIR> --d----- c:\docume~1\alluse~1\datosd~1\SITEguard
2009-04-06 19:55 <DIR> --d----- c:\archivos de programa\STOPzilla!
2009-04-06 19:55 <DIR> --d----- c:\docume~1\alluse~1\datosd~1\STOPzilla!
2009-04-06 19:55 <DIR> --d----- c:\archivos de programa\archivos comunes\iS3
2009-04-06 04:28 0 a------- c:\windows\system32\10.tmp
2009-04-06 03:11 129 a------- c:\windows\wininit.ini
2009-04-06 01:11 <DIR> --d----- c:\windows\dhcp
2009-04-06 01:11 21,704 a------- c:\windows\system32\vv.exe
2009-04-05 20:39 2,138,624 -c------ c:\windows\system32\dllcache\ntkrnlmp.exe
2009-04-05 20:39 2,182,784 -c------ c:\windows\system32\dllcache\ntoskrnl.exe
2009-04-05 20:39 2,060,160 -c------ c:\windows\system32\dllcache\ntkrnlpa.exe
2009-04-05 20:39 2,018,304 -c------ c:\windows\system32\dllcache\ntkrpamp.exe
2009-04-05 20:34 272,512 -c------ c:\windows\system32\dllcache\bthport.sys
2009-04-05 20:20 453,632 -c------ c:\windows\system32\dllcache\mrxsmb.sys
2009-04-05 13:57 45,056 ac------ c:\windows\system32\dllcache\nsepm.dll
2009-04-05 13:56 452,096 ac------ c:\windows\system32\dllcache\fxsapi.dll
2009-04-05 13:55 290,816 ac------ c:\windows\system32\dllcache\adsiis51.dll
2009-04-05 13:55 43,520 ac------ c:\windows\system32\dllcache\admwprox.dll
2009-04-05 13:55 16,439 ac------ c:\windows\system32\dllcache\admin.exe
2009-04-05 13:55 20,540 ac------ c:\windows\system32\dllcache\admin.dll
2009-04-05 13:34 488 a---hr-- c:\windows\system32\logonui.exe.manifest
2009-04-05 13:34 749 a---hr-- c:\windows\WindowsShell.Manifest
2009-04-05 13:34 749 a---hr-- c:\windows\system32\wuaucpl.cpl.manifest
2009-04-05 13:34 749 a---hr-- c:\windows\system32\sapi.cpl.manifest
2009-04-05 13:34 749 a---hr-- c:\windows\system32\nwc.cpl.manifest
2009-04-05 13:34 749 a---hr-- c:\windows\system32\ncpa.cpl.manifest
2009-04-05 12:04 <DIR> --d----- c:\windows\system32\appmgmt
2009-04-05 11:48 <DIR> --d----- c:\archivos de programa\Free Offers from Freeze.com
2009-04-05 11:47 <DIR> --d----- c:\archivos de programa\Winferno
2009-04-05 11:28 <DIR> --d----- c:\docume~1\alluse~1\datosd~1\Spybot - Search & Destroy
2009-04-05 11:28 <DIR> --d----- c:\archivos de programa\Spybot - Search & Destroy
2009-04-05 11:06 <DIR> --d----- c:\archivos de programa\WinPcap
2009-04-05 10:47 10,520 a------- c:\windows\system32\avgrsstx.dll
2009-04-05 10:47 107,272 a------- c:\windows\system32\drivers\avgtdix.sys
2009-04-05 10:47 325,128 a------- c:\windows\system32\drivers\avgldx86.sys
2009-04-05 10:47 <DIR> --d----- c:\windows\system32\drivers\Avg
2009-04-05 10:16 0 a------- c:\windows\system32\14.tmp
2009-04-05 08:43 536,477,696 a------- c:\windows\MEMORY.DMP
2009-04-05 07:15 36,864 ac------ c:\windows\system32\dllcache\isignup.exe
2009-04-05 07:13 133,632 ac------ c:\windows\system32\dllcache\calc.exe
2009-04-05 07:13 133,632 a------- c:\windows\system32\calc.exe
2009-04-05 06:53 7,334 ac------ c:\windows\system32\dllcache\wmerrenu.cat
2009-04-05 06:53 14,043 a----r-- c:\windows\SETC0.tmp
2009-04-05 06:53 1,086,058 a----r-- c:\windows\SETB4.tmp
2009-04-05 06:53 1,014,555 a----r-- c:\windows\SETB1.tmp
2009-04-05 06:13 469,007 a----r-- C:\txtsetup.sif
2009-04-05 06:13 261,904 a----r-- C:\$LDR$
2009-04-05 06:13 <DIR> --d----- C:\$WIN_NT$.~BT
2009-04-05 05:48 <DIR> --d----- c:\archivos de programa\ASUS
2009-04-05 05:35 <DIR> --d----- c:\windows\SiS
2009-04-05 05:35 126,976 a----r-- c:\windows\SiSUSBrg.exe
2009-04-05 05:35 32,768 a----r-- c:\windows\SIS_LIB.DLL
2009-04-05 05:35 3,583 a----r-- c:\windows\SiSport.sys
2009-04-05 05:34 979 a------- c:\windows\system32\2_ssetup.ini
2009-04-05 05:34 926 a------- c:\windows\system32\1_ssetup.ini
2009-04-05 05:34 33 a------- c:\windows\system32\sunistlog.ini
2009-04-05 05:34 9,344 a----r-- c:\windows\system32\drivers\sisperf.sys
2009-04-05 05:34 5,888 a----r-- c:\windows\system32\drivers\siside.sys
2009-04-05 05:33 3,967 a------- c:\windows\Ascd_tmp.ini
2009-04-05 05:15 325,120 a------- c:\windows\IsUninst.exe
2009-04-05 05:05 5,120 a------- c:\windows\system32\tcusbdrv.dll
2009-04-05 05:05 <DIR> --d----- c:\windows\zy_tmp
2009-03-31 14:57 17,408 a----r-- c:\windows\system32\SZIO5.dll
2009-03-31 14:56 294,912 a----r-- c:\windows\system32\SZBase5.dll
2009-03-31 14:55 540,672 a----r-- c:\windows\system32\SZComp5.dll
2009-03-27 10:56 126,976 a----r-- c:\windows\system32\IS3HTUI5.dll
2009-03-27 10:55 393,216 a----r-- c:\windows\system32\IS3DBA5.dll
2009-03-27 10:55 372,736 a----r-- c:\windows\system32\IS3UI5.dll
2009-03-27 10:55 61,440 a----r-- c:\windows\system32\IS3Hks5.dll
2009-03-27 10:54 23,040 a----r-- c:\windows\system32\IS3XDat5.dll
2009-03-27 10:54 221,184 a----r-- c:\windows\system32\IS3Win325.dll
2009-03-27 10:54 94,208 a----r-- c:\windows\system32\IS3Inet5.dll
2009-03-27 10:53 90,112 a----r-- c:\windows\system32\IS3Svc5.dll
2009-03-27 10:50 716,800 a----r-- c:\windows\system32\IS3Base5.dll
2009-03-23 17:01 <DIR> --d----- c:\archivos de programa\RegCleaner
2009-03-23 16:54 <DIR> --d----- c:\archivos de programa\Yahoo!
2009-03-23 16:53 <DIR> --d----- c:\archivos de programa\CCleaner
2009-03-23 15:33 <DIR> --d----- c:\docume~1\alluse~1\datosd~1\SUPERAntiSpyware.com
2009-03-23 15:33 <DIR> --d----- c:\docume~1\carlos\datosd~1\SUPERAntiSpyware.com
2009-03-23 15:33 <DIR> --d----- c:\archivos de programa\SUPERAntiSpyware
2009-03-23 15:33 <DIR> --d----- c:\archivos de programa\archivos comunes\Wise Installation Wizard
2009-03-23 15:32 <DIR> --d----- c:\archivos de programa\SpywareBlaster
2009-03-21 12:14 127 a------- c:\windows\system32\MRT.INI
2009-03-21 10:56 71,680 a------- c:\windows\system32\1D.tmp
2009-03-21 10:55 31,744 a------- c:\windows\system32\1C.tmp
2009-03-21 10:55 124 a------- c:\windows\system32\1B.tmp
2009-03-19 23:49 58,880 a------- c:\windows\system32\1A.tmp
2009-03-19 23:49 1 a------- c:\windows\system32\19.tmp
2009-03-19 23:49 84 a------- c:\windows\system32\18.tmp
2009-03-19 20:45 1 a------- c:\windows\system32\16.tmp
2009-03-19 20:45 84 a------- c:\windows\system32\15.tmp
2009-03-19 18:37 1 a------- c:\windows\system32\13.tmp
2009-03-19 18:37 84 a------- c:\windows\system32\12.tmp
2009-03-19 11:02 0 a------- c:\windows\system32\11.tmp
2009-03-19 01:40 0 a------- c:\windows\system32\26.tmp
2009-03-17 01:14 88,566 a------- c:\windows\system32\nvapps.xml
2009-03-17 01:14 17,056 a------- c:\windows\system32\nvdisp.nvu
2009-03-17 01:14 <DIR> --d----- c:\windows\nview
2009-03-17 01:14 229,376 a------- c:\windows\system32\nvudisp.exe
2009-03-17 01:14 229,376 a------- c:\windows\system32\NVUNINST.EXE
2009-03-17 01:13 <DIR> --d----- C:\NVIDIA
2009-03-14 21:46 15,688 a------- c:\windows\system32\lsdelete.exe
2009-03-14 19:46 64,160 a------- c:\windows\system32\drivers\Lbd.sys
2009-03-14 19:32 <DIR> -cd-h--- c:\docume~1\alluse~1\datosd~1\{83C91755-2546-441D-AC40-9A6B4B860800}
2009-03-14 19:31 <DIR> --d----- c:\archivos de programa\Lavasoft
2009-03-12 12:18 54,656 a----r-- c:\windows\system32\drivers\SZKG.sys

==================== Find3M ====================

2009-04-06 06:31 182,912 a------- c:\windows\system32\drivers\ndis.sys
2009-04-05 15:32 362,564 a------- c:\windows\system32\perfh00A.dat
2009-04-05 15:32 51,286 a------- c:\windows\system32\perfc00A.dat
2009-04-05 13:33 23,064 a------- c:\windows\system32\emptyregdb.dat
2009-02-09 16:17 1,846,400 a------- c:\windows\system32\win32k.sys

============= FINISH: 2:51:27,85 ===============





I'll also post the HiJackThis report:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:29:37, on 07/04/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Archivos de programa\Archivos comunes\iS3\Anti-Spyware\SZServer.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Archivos de programa\Archivos comunes\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\ARCHIV~1\AVG\AVG8\avgwdsvc.exe
C:\Archivos de programa\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\svchost.exe
C:\ARCHIV~1\AVG\AVG8\avgemc.exe
C:\ARCHIV~1\AVG\AVG8\avgrsx.exe
C:\ARCHIV~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Archivos de programa\Messenger\msmsgs.exe
C:\Archivos de programa\Archivos comunes\Ahead\Lib\NMBgMonitor.exe
C:\ARCHIV~1\AVG\AVG8\avgnsx.exe
C:\Archivos de programa\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\System32\svchost.exe
C:\Archivos de programa\Archivos comunes\Ahead\Lib\NMIndexStoreSvr.exe
C:\Archivos de programa\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Archivos de programa\STOPzilla!\STOPzilla.exe
C:\WINDOWS\System32\svchost.exe
C:\Archivos de programa\Archivos comunes\Ahead\Lib\NMIndexingService.exe
C:\Archivos de programa\Mozilla Firefox\firefox.exe
C:\Archivos de programa\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.es/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
R3 - URLSearchHook: Barra Yahoo! - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Archivos de programa\Yahoo!\Companion\Installs\cpn\yt.dll
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\7z.exe,C:\WINDOWS\system32\i386kd.exe,
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Archivos de programa\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Archivos de programa\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: STOPzilla Browser Helper Object - {E3215F20-3212-11D6-9F8B-00D0B743919D} - C:\Archivos de programa\STOPzilla!\SZIEBHO.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Archivos de programa\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Archivos de programa\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: Barra Yahoo! - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Archivos de programa\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: STOPzilla - {98828DED-A591-462F-83BA-D2F62A68B8B8} - C:\Archivos de programa\STOPzilla!\SZSG.dll
O4 - HKLM\..\Run: [AVG8_TRAY] C:\ARCHIV~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Archivos de programa\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Archivos de programa\Archivos comunes\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [reader_s] C:\Documents and Settings\carlos\reader_s.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVICIO LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Servicio de red')
O4 - HKUS\S-1-5-18\..\Run: [reader_s] C:\Documents and Settings\carlos\reader_s.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [reader_s] C:\Documents and Settings\carlos\reader_s.exe (User 'Default user')
O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\ARCHIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Archivos de programa\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: (no name) - {53F6FCCD-9E22-4d71-86EA-6E43136192AB} - (no file)
O9 - Extra button: (no name) - {925DAB62-F9AC-4221-806A-057BFB1014AA} - (no file)
O9 - Extra button: Referencia - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARCHIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\archivos de programa\archivos comunes\is3\anti-spyware\is3lsp.dll
O10 - Unknown file in Winsock LSP: c:\archivos de programa\archivos comunes\is3\anti-spyware\is3lsp.dll
O10 - Unknown file in Winsock LSP: c:\archivos de programa\archivos comunes\is3\anti-spyware\is3lsp.dll
O10 - Unknown file in Winsock LSP: c:\archivos de programa\archivos comunes\is3\anti-spyware\is3lsp.dll
O10 - Unknown file in Winsock LSP: c:\archivos de programa\archivos comunes\is3\anti-spyware\is3lsp.dll
O10 - Unknown file in Winsock LSP: c:\archivos de programa\archivos comunes\is3\anti-spyware\is3lsp.dll
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.1...toUploader5.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1238954093171
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2090402A-545C-481D-B761-4E08AE609F3F}: NameServer = 80.58.61.250,80.58.61.254
O17 - HKLM\System\CCS\Services\Tcpip\..\{443C7356-0D47-4537-A51F-BD7B92707FF6}: NameServer = 80.58.0.33,80.58.32.97
O17 - HKLM\System\CS1\Services\Tcpip\..\{2090402A-545C-481D-B761-4E08AE609F3F}: NameServer = 80.58.61.250,80.58.61.254
O17 - HKLM\System\CS2\Services\Tcpip\..\{2090402A-545C-481D-B761-4E08AE609F3F}: NameServer = 80.58.61.250,80.58.61.254
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Archivos de programa\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Archivos de programa\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Archivos de programa\Archivos comunes\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\ARCHIV~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\ARCHIV~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Servicio Bonjour (Bonjour Service) - Apple Inc. - C:\Archivos de programa\Bonjour\mDNSResponder.exe
O23 - Service: Servicio del iPod (iPod Service) - Apple Inc. - C:\Archivos de programa\iPod\bin\iPodService.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Archivos de programa\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: NBService - Nero AG - C:\Archivos de programa\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Archivos de programa\Archivos comunes\Ahead\Lib\NMIndexingService.exe
O23 - Service: STOPzilla Service (szserver) - iS3, Inc. - C:\Archivos de programa\Archivos comunes\iS3\Anti-Spyware\SZServer.exe

--
End of file - 8154 bytes

____________________________________________________________




*These are the main infections related by Stopzilla (and not fixed since I only got the trial version):
Trojans: Stats1; Sopidkc; Haxdoor
Spyware: MalPak.D
Adware: Comidle; Qva61; Zxx; Jokol32; Spyguard 2009

*Here are the bots already eliminated and backed up by Spybot S&D:
Freeze, Win32.Joleee.k, SpambotLoad.cn, Win32.Agent.pz, Win32.Delf.rtk, Win32.Delf.uc, Win32.Iksmas.ai

*And lastly, the items I got in AVG's virus vault because I was not able to delete them. Should I empty the vault with no fear of crashing anything on my PC?:
Trojans: Clicker.XXH, SHeur2.ZCU, Downloader.Generic_r.DX, Downloader.Delf.CFG, Generic13.PPX, Spam Tool.CGX, SpamTool.AQY
Viruses: Win32/Heur, Win32/Cryptor
Registry key: C:\WINDOWS\TEMP\BN4.tmp




Thanks a lot.


#2 SifuMike

    malware expert

Posted 07 April 2009 - 08:09 AM

Hello ewjimmy,

Download Lop S&D
Lop S&D will only run on Windows XP and Windows Vista

You can find detailed instructions with visuals here

Double-click Lop S&D.exe

If you are using Windows Vista, right-click on LopSD.exe icon and select 'Run as administrator' to perform this scan.

Choose the language, then choose Option 1 (Search)
Wait till the end of the scan
Post the log which is created: (%SystemDrive%\lopR.txt)



Please show hidden files and folders
  • Please go to VirSCAN.org FREE on-line scan service
  • Copy and paste the following file path into the "Suspicious files to scan"box on the top of the page:
    • c:\documents and settings\carlos\reader_s.exe
  • Click on the Upload button
  • Once the Scan is completed, click on the "Copy to Clipboard" button. This will copy the link of the report into the Clipboard.
  • Paste the contents of the Clipboard in your next reply.
If VirScan.org server is too busy, please submit the file to VirusTotal instead.
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.
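As an added defender-side example (not from this thread, from BleepingComputer or from HijackThis itself), here is a small Python triage pass over the kind of HJT lines posted above: it flags the extra binaries chained into the Winlogon UserInit value, Run entries that launch from a user profile directory, and Run values written into the SYSTEM / Default User hives. The sample lines are copied from the log in this thread; the three heuristics, the path lists and the function names are my assumptions, not HJT's own rules.

```python
"""Triage pass over HijackThis-style log lines (added example, not a BleepingComputer or HJT tool)."""
import re
from typing import Dict, List, Optional

# Constructed sample: lines copied from the HijackThis log posted in this thread.
HJT_SAMPLE = r"""
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\7z.exe,C:\WINDOWS\system32\i386kd.exe,
O4 - HKLM\..\Run: [AVG8_TRAY] C:\ARCHIV~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Archivos de programa\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [reader_s] C:\Documents and Settings\carlos\reader_s.exe
O4 - HKUS\S-1-5-18\..\Run: [reader_s] C:\Documents and Settings\carlos\reader_s.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [reader_s] C:\Documents and Settings\carlos\reader_s.exe (User 'Default user')
"""

# Windows XP itself only ever puts its own userinit.exe in this value; anything
# chained after it runs at every interactive logon, before the shell starts.
EXPECTED_USERINIT = r"c:\windows\system32\userinit.exe"
# Autorun targets that live under a user profile instead of Program Files or
# %windir% are unusual for legitimate installers (assumed heuristic).
PROFILE_ROOTS = ("c:\\documents and settings\\", "c:\\users\\")
# Per-user Run values in the SYSTEM, LocalService, NetworkService or Default
# User hives normally point only at Windows components such as CTFMON.EXE.
SERVICE_HIVES = ("HKUS\\S-1-5-18", "HKUS\\S-1-5-19", "HKUS\\S-1-5-20", "HKUS\\.DEFAULT")
WINDOWS_ROOT = "c:\\windows\\"

O4_RE = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
EXE_RE = re.compile(r'^"?(?P<path>[^"]+?\.exe)', re.IGNORECASE)


def userinit_extras(line: str) -> List[str]:
    """Return every UserInit entry other than the expected userinit.exe."""
    _, _, value = line.partition("UserInit=")
    entries = [e.strip() for e in value.split(",") if e.strip()]
    return [e for e in entries if e.lower() != EXPECTED_USERINIT]


def parse_o4(line: str) -> Optional[Dict[str, str]]:
    """Split an O4 line into hive, value name and the executable it launches."""
    m = O4_RE.match(line)
    if not m:
        return None
    exe = EXE_RE.match(m.group("cmd"))
    path = exe.group("path") if exe else m.group("cmd")
    return {"hive": m.group("hive"), "name": m.group("name"), "path": path}


def triage(log: str) -> List[str]:
    """Run the three checks over every line and return one finding per hit."""
    findings: List[str] = []
    for line in log.splitlines():
        if line.startswith("F2 - ") and "UserInit=" in line:
            for extra in userinit_extras(line):
                findings.append(f"UserInit chain launches an extra binary: {extra}")
            continue
        entry = parse_o4(line)
        if entry is None:
            continue
        low = entry["path"].lower()
        where = f"[{entry['name']}] in {entry['hive']}"
        if low.startswith(PROFILE_ROOTS):
            findings.append(f"Run value {where} starts from a user profile: {entry['path']}")
        if entry["hive"] in SERVICE_HIVES and not low.startswith(WINDOWS_ROOT):
            findings.append(f"Run value {where} is set for a service/default account: {entry['path']}")
    return findings


if __name__ == "__main__":
    for finding in triage(HJT_SAMPLE):
        print(finding)
```

On the sample above the pass yields seven findings: the two extra UserInit binaries, and the reader_s entries under HKCU, SYSTEM and Default User, which is exactly why that file was the one singled out for an online scan.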

#3 ewjimmy


Posted 29 April 2009 - 11:36 AM

Thank you for your answer, Sifu. Finally I could manage to save some important data, format the main hard drive and reinstall windows XP. Now it's free from intruders!

#4 SifuMike

    malware expert

Posted 29 April 2009 - 12:09 PM

That is good to hear. Sometimes a reformat and reinstall is the best course.

Since your problem is resolved, I will close this thread.

Edited by SifuMike, 29 April 2009 - 12:10 PM.




