Monder, vundo, rogue.link, BHO, Sheur2 altogether


  • This topic is locked
32 replies to this topic

#1 JASH

Posted 30 April 2009 - 12:20 PM

I posted my problem to the "Am I infected? What do I do?" forum. The topic referenced is here: http://www.bleepingcomputer.com/forums/t/222615/another-vundo-and-monder/ ~ OB Quietman helped me in getting rid of most of the issues but one: I cannot make Task Manager run. We have tried the Malwarebytes removal tool and SReng2, with no success. I first (on my own) ran HijackThis, and it gave me a report of three infected items, which I fixed, apparently. As I had no good results, I visited that forum and asked for help.

Now they tell me to open a topic in this forum for you to help me.

I was told to download DDS and run it. After this, to post the log here, which I am doing now:

====================================================================

DDS (Ver_09-03-16.01) - NTFSx86
Run by JASH at 18:05:44,60 on 30/04/2009
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Professional 5.1.2600.3.1252.34.3082.18.1023.241 [GMT 1:00]

AV: AVG Anti-Virus *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS2\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS2\System32\svchost.exe -k netsvcs
C:\Archivos de programa\Intel\Wireless\Bin\EvtEng.exe
C:\Archivos de programa\Intel\Wireless\Bin\S24EvMon.exe
C:\Archivos de programa\Intel\Wireless\Bin\WLKeeper.exe
svchost.exe
svchost.exe
C:\WINDOWS2\system32\spoolsv.exe
svchost.exe
C:\WINDOWS2\system32\netdde.exe
C:\Archivos de programa\ESRI\License\arcgis9x\lmgrd.exe
C:\ARCHIV~1\Grisoft\AVG8\avgwdsvc.exe
C:\Archivos de programa\ESRI\License\arcgis9x\ARCGIS.EXE
svchost.exe
C:\Archivos de programa\Dell\Software Bluetooth\bin\btwdins.exe
C:\WINDOWS2\system32\E_S00RP1.EXE
C:\ARCHIV~1\Grisoft\AVG8\avgam.exe
C:\ARCHIV~1\Grisoft\AVG8\avgrsx.exe
C:\Archivos de programa\Google\Update\GoogleUpdate.exe
C:\WINDOWS2\system32\svchost.exe -k hpdevmgmt
C:\WINDOWS2\system32\svchost.exe -k HPService
C:\Archivos de programa\Java\jre6\bin\jqs.exe
C:\Archivos de programa\Archivos comunes\LogiShrd\LVMVFM\LVPrcSrv.exe
c:\Archivos de programa\Archivos comunes\Microsoft Shared\VS7Debug\mdm.exe
C:\Archivos de programa\Dell\QuickSet\NICCONFIGSVC.exe
C:\WINDOWS2\system32\nvsvc32.exe
C:\Archivos de programa\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS2\system32\SAgent4.exe
C:\WINDOWS2\System32\svchost.exe -k imgsvc
C:\ARCHIV~1\Grisoft\AVG8\avgemc.exe
C:\Archivos de programa\Grisoft\AVG8\avgcsrvx.exe
C:\WINDOWS2\Explorer.EXE
C:\WINDOWS2\system32\ctfmon.exe
C:\Archivos de programa\Apoint\Apoint.exe
C:\WINDOWS2\system32\rundll32.exe
C:\Archivos de programa\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\ARCHIV~1\Grisoft\AVG8\avgtray.exe
C:\Archivos de programa\Dell\QuickSet\Quickset.exe
C:\software\dispositivos\HP Scanner\HP Software Update\HPWuSchd2.exe
C:\software\drivers\Belkin\Wireless Mouse Driver\MOUSE32A.EXE
C:\Archivos de programa\SigmaTel\Controladores de sonido SigmaTel AC97\stacmon.exe
C:\Archivos de programa\Intel\Wireless\Bin\ifrmewrk.exe
C:\Archivos de programa\Intel\Wireless\bin\ZCfgSvc.exe
C:\Archivos de programa\Java\jre6\bin\jusched.exe
C:\Archivos de programa\Apoint\HidFind.exe
C:\Archivos de programa\Archivos comunes\InstallShield\UpdateService\ISUSPM.exe
C:\Archivos de programa\Windows Live\Messenger\MsnMsgr.Exe
C:\Archivos de programa\RocketDock\RocketDock.exe
C:\Archivos de programa\Microsoft ActiveSync\Wcescomm.exe
C:\Archivos de programa\Apoint\Apntex.exe
C:\ARCHIV~1\MICROS~2\rapimgr.exe
C:\Archivos de programa\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Archivos de programa\Dell\Software Bluetooth\BTTray.exe
C:\ARCHIV~1\Dell\SOFTWA~1\BTSTAC~1.EXE
C:\Archivos de programa\Archivos comunes\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\ARCHIV~1\Grisoft\AVG8\avgnsx.exe
C:\software\internet\Mozilla Firefox\firefox.exe
C:\Archivos de programa\Grisoft\AVG8\avgui.exe
C:\Archivos de programa\Grisoft\AVG8\avgcsrvx.exe
C:\software\internet\VoipDiscount.com\VoipDiscount\VoipDiscount.exe
C:\WINDOWS2\system32\notepad.exe
C:\JASH_D\download\dds.com

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mDefault_Search_URL = hxxp://www.google.com/ie
mSearch Page =
uInternet Settings,ProxyServer = 195.76.153.201:3128
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
uURLSearchHooks: DefaultSearchHook Class: {c94e154b-1459-4a47-966b-4b843befc7db} - c:\archivos de programa\asksearch\bin\DefaultSearch.dll
BHO: AutorunsDisabled - No File
BHO: Aplicación auxiliar de vínculos de Adobe PDF Reader: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\archivos de programa\archivos comunes\adobe\acrobat\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\archivos de programa\grisoft\avg8\avgssie.dll
BHO: Windows Live Aplicación auxiliar de inicio de sesión: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\archivos de programa\archivos comunes\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\archivos de programa\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\archivos de programa\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\archivos de programa\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\archivos de programa\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
TB: StylerToolBar: {d2f8f919-690b-4ea2-9fa7-a203d1e04f75} - c:\archivos de programa\styler\tb\StylerTB.dll
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\archivos de programa\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows2\system32\ctfmon.exe
uRun: [ISUSPM] "c:\archivos de programa\archivos comunes\installshield\updateservice\ISUSPM.exe" -scheduler
uRun: [msnmsgr] "c:\archivos de programa\windows live\messenger\MsnMsgr.Exe" /background
uRun: [RocketDock] "c:\archivos de programa\rocketdock\RocketDock.exe"
uRun: [H/PC Connection Agent] "c:\archivos de programa\microsoft activesync\Wcescomm.exe"
mRun: [nwiz] nwiz.exe /installquiet
mRun: [Apoint] c:\archivos de programa\apoint\Apoint.exe
mRun: [EPSON Stylus Photo R320 Series] c:\windows2\system32\spool\drivers\w32x86\3\E_FATI9XE.EXE /P30 "EPSON Stylus Photo R320 Series" /O6 "USB001" /M "Stylus Photo R320"
mRun: [\\Ps-58c34f\epson_R320] c:\windows2\system32\spool\drivers\w32x86\3\e_fati9xe.exe /p22 "\\ps-58c34f\epson_r320" /o22 "\\ps-58c34f\epson_R320" /M "Stylus Photo R320"
mRun: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows2\system32\NvCpl.dll,NvStartup
mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
mRun: [Acrobat Assistant 8.0] "c:\archivos de programa\adobe\acrobat 8.0\acrobat\Acrotray.exe"
mRun: [\\192.168.2.3\epson_R320] c:\windows2\system32\spool\drivers\w32x86\3\e_fati9xe.exe /p24 "\\192.168.2.3\epson_r320" /o24 "\\192.168.2.3\epson_R320" /M "Stylus Photo R320"
mRun: [AVG8_TRAY] c:\archiv~1\grisoft\avg8\avgtray.exe
mRun: [Dell QuickSet] c:\archivos de programa\dell\quickset\Quickset.exe
mRun: [HP Software Update] c:\software\dispositivos\hp scanner\hp software update\HPWuSchd2.exe
mRun: [LWBMOUSE] c:\software\drivers\belkin\wireless mouse driver\MOUSE32A.EXE
mRun: [SigmaTel StacMon] c:\archivos de programa\sigmatel\controladores de sonido sigmatel ac97\stacmon.exe
mRun: [IntelWireless] "c:\archivos de programa\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
mRun: [IntelZeroConfig] "c:\archivos de programa\intel\wireless\bin\ZCfgSvc.exe"
mRun: [SunJavaUpdateSched] "c:\archivos de programa\java\jre6\bin\jusched.exe"
mRun: [Printer Configuration Manager] c:\windows2\system32\printcfg.exe
dRun: [CTFMON.EXE] c:\windows2\system32\CTFMON.EXE
StartupFolder: c:\docume~1\jash\menini~1\progra~1\inicio\autorunsdisabled\vistastart.lnk - c:\windows2\resources\themes\yafvc3\vistastart\VistaStart1.3.exe
StartupFolder: c:\docume~1\alluse~1.win\menini~1\progra~1\inicio\bttray.lnk - c:\archivos de programa\dell\software bluetooth\BTTray.exe
uPolicies-explorer: NoChangeAnimation = 1 (0x1)
IE: Anexar a PDF existente - c:\archivos de programa\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convertir a Adobe PDF - c:\archivos de programa\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convertir destino de vínculo a PDF existente - c:\archivos de programa\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convertir destino de vínculo en archivo Adobe PDF - c:\archivos de programa\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convertir selección a Adobe PDF - c:\archivos de programa\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convertir selección a archivo PDF existente - c:\archivos de programa\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convertir vínculos seleccionados a Adobe PDF - c:\archivos de programa\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convertir vínculos seleccionados a PDF existente - c:\archivos de programa\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: E&xport to Microsoft Excel - c:\archiv~1\micros~3\office11\EXCEL.EXE/3000
IE: Enviar a &Bluetooth - c:\archivos de programa\dell\software bluetooth\btsendto_ie_ctx.htm
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\archivos de programa\messenger\msmsgs.exe
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\archivos de programa\dell\software bluetooth\btsendto_ie.htm
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\archiv~1\micros~2\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\archiv~1\micros~2\INetRepl.dll
IE: {58ECB495-38F0-49cb-A538-10282ABF65E7} - {E763472E-A716-4CD9-89BD-DBDA6122F741} - c:\software\dispositivos\hp scanner\smart web printing\hpswp_extensions.dll
IE: {700259D7-1666-479a-93B1-3250410481E8} - {A93C41D8-01F8-4F8B-B14C-DE20B117E636} - c:\software\dispositivos\hp scanner\smart web printing\hpswp_extensions.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\archiv~1\micros~3\office11\REFIEBAR.DLL
DPF: Microsoft XML Parser for Java - file://c:\windows2\java\classes\xmldso.cab
DPF: {0000000A-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/d/4/4/d446e8a9-3a86-4b59-bb19-f5bd11b40367/wmavax.CAB
DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - hxxp://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38576.1258333333
DPF: {CAFEEFAC-0015-0000-0012-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_12-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
TCP: interfaces = 152.158.2.48,165.87.201.244
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\archivos de programa\grisoft\avg8\avgpp.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\archiv~1\archiv~1\skype\Skype4COM.dll
Handler: widimg - {EE7C2AFF-5742-44FF-BD0E-E521B0D3C3BA} - c:\windows2\system32\BTXPPanel.dll
Notify: avgrsstarter - avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows2\system32\WPDShServiceObj.dll
LSA: Notification Packages = scecli c:\windows2\system32\nukadije.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\jash\datosd~1\mozilla\firefox\profiles\k4uv1kov.default\
FF - prefs.js: browser.search.selectedEngine - Ask
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: keyword.URL - hxxp://toolbar.ask.com/toolbarv/askRedirect?o=101757&gct=&gc=1&q=
FF - prefs.js: network.proxy.ftp - 195.76.153.201
FF - prefs.js: network.proxy.ftp_port - 3128
FF - prefs.js: network.proxy.gopher - 195.76.153.201
FF - prefs.js: network.proxy.gopher_port - 3128
FF - prefs.js: network.proxy.http - 195.76.153.201
FF - prefs.js: network.proxy.http_port - 3128
FF - prefs.js: network.proxy.socks - 195.76.153.201
FF - prefs.js: network.proxy.socks_port - 3128
FF - prefs.js: network.proxy.ssl - 195.76.153.201
FF - prefs.js: network.proxy.ssl_port - 3128
FF - prefs.js: network.proxy.type - 4
FF - component: c:\archivos de programa\grisoft\avg8\firefox\components\avgssff.dll
FF - component: c:\documents and settings\jash\datos de programa\mozilla\firefox\profiles\k4uv1kov.default\extensions\{0b457caa-602d-484a-8fe7-c1d894a011ba}\platform\winnt_x86-msvc\components\SSSLauncher.dll
FF - component: c:\documents and settings\jash\datos de programa\mozilla\firefox\profiles\k4uv1kov.default\extensions\{81bf1d23-5f17-408d-ac6b-bd6df7caf670}\components\XpcomOpusConnector.dll
FF - plugin: c:\archivos de programa\google\update\1.2.141.5\npGoogleOneClick7.dll
FF - plugin: c:\archivos de programa\skyhook wireless\loki browser plugin\nploki.dll
FF - plugin: c:\software\graficos\quicktime\plugins\npqtplugin.dll
FF - plugin: c:\software\graficos\quicktime\plugins\npqtplugin2.dll
FF - plugin: c:\software\graficos\quicktime\plugins\npqtplugin3.dll
FF - plugin: c:\software\graficos\quicktime\plugins\npqtplugin4.dll
FF - plugin: c:\software\graficos\quicktime\plugins\npqtplugin5.dll
FF - plugin: c:\software\graficos\quicktime\plugins\npqtplugin6.dll
FF - plugin: c:\software\graficos\quicktime\plugins\npqtplugin7.dll
FF - plugin: c:\software\graficos\realplayer\netscape6\nppl3260.dll
FF - plugin: c:\software\graficos\realplayer\netscape6\nprjplug.dll
FF - plugin: c:\software\graficos\realplayer\netscape6\nprpjplug.dll
FF - plugin: c:\software\graficos\videolan\vlc\npvlc.dll
FF - plugin: c:\software\internet\mozilla firefox\plugins\npbittorrent.dll
FF - plugin: c:\software\internet\mozilla firefox\plugins\npgato.dll
FF - plugin: c:\software\internet\mozilla firefox\plugins\nppdf32(2).dll

---- FIREFOX POLICIES ----

============= SERVICES / DRIVERS ===============

R0 AvgRkx86;avgrkx86.sys;c:\windows2\system32\drivers\avgrkx86.sys [2008-7-22 12552]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows2\system32\drivers\avgldx86.sys [2008-7-22 325896]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows2\system32\drivers\avgmfx86.sys [2006-12-17 27784]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows2\system32\drivers\avgtdix.sys [2008-7-22 108552]
R1 VBoxDrv;VirtualBox Service;c:\windows2\system32\drivers\VBoxDrv.sys [2008-3-1 100944]
R1 VBoxUSBMon;VirtualBox USB Monitor Driver;c:\windows2\system32\drivers\VBoxUSBMon.sys [2008-3-1 41424]
R2 ArcGIS License Manager;ArcGIS License Manager;c:\archivos de programa\esri\license\arcgis9x\lmgrd.exe [2005-8-15 467968]
R2 avg8emc;AVG8 E-mail Scanner;c:\archiv~1\grisoft\avg8\avgemc.exe [2008-7-22 908568]
R2 avg8wd;AVG8 WatchDog;c:\archiv~1\grisoft\avg8\avgwdsvc.exe [2008-7-22 298776]
R2 P1C1394;Phase One 1394 Camera Driver;c:\windows2\system32\drivers\p1c1394.sys [2008-5-15 23168]
R3 GTICARD;GTICARD;c:\windows2\system32\drivers\gticard.sys [2003-2-6 59328]
R3 VBoxMouse;VirtualBox Guest Mouse Service;c:\windows2\system32\drivers\VBoxMouse.sys [2008-1-2 39696]
R3 VBoxNetAdp;VirtualBox Host-Only Ethernet Adapter;c:\windows2\system32\drivers\VBoxNetAdp.sys [2009-4-11 79888]
R3 VBoxNetFlt;VBoxNetFlt Service;c:\windows2\system32\drivers\VBoxNetFlt.sys [2009-4-12 87696]
S1 VBoxSF;VirtualBox Shared Folders;c:\windows2\system32\drivers\VBoxSF.sys [2009-2-16 195728]
S2 FLUSBDRV;3Com ADSL-150 USB Driver;c:\windows2\system32\drivers\3CF002LD.sys [2005-8-10 21414]
S2 gupdate1c9a2bcebc1a270;Google Update Service (gupdate1c9a2bcebc1a270);c:\archivos de programa\google\update\GoogleUpdate.exe [2009-3-12 133104]
S2 IWPORT;IWPORT;\??\c:\windows2\system32\drivers\iwport.sys --> c:\windows2\system32\drivers\IWPORT.SYS [?]
S2 VBoxService;VirtualBox Guest Additions Service;system32\VBoxService.exe --> system32\VBoxService.exe [?]
S3 dcdbas;System Management Driver;c:\windows2\system32\drivers\dcdbas32.sys --> c:\windows2\system32\drivers\dcdbas32.sys [?]
S3 NANMp50;NANMp50 NDIS Protocol Driver;c:\windows2\system32\drivers\nanmp50.sys --> c:\windows2\system32\drivers\NANMp50.sys [?]
S3 NANSp50;NANSp50 NDIS Protocol Driver;c:\windows2\system32\drivers\nansp50.sys --> c:\windows2\system32\drivers\NANSp50.sys [?]
S3 usb2vcom;Nokia CA-42 USB;c:\windows2\system32\drivers\usb2vcom.sys [2006-12-18 30272]
S3 USBLC6X0100;%USBLC6X0100.DispName%;c:\windows2\system32\drivers\3cusblr.sys [2005-8-10 309700]
S3 VBoxTAP;VirtualBox TAP Adapter;c:\windows2\system32\drivers\VBoxTAP.sys [2008-3-1 47552]
S3 VBoxUSB;VirtualBox USB;c:\windows2\system32\drivers\VBoxUSB.sys [2009-4-11 31952]
S4 ERMLicSrv_ATL70;ERMLicSrv_ATL70;c:\windows2\system32\erm\7.0\ERMLicSrv_ATL70.exe [2008-1-9 94208]
S4 FME_License_service;FME_License_service;c:\archivos de programa\esri\license\arcgis9x\lmgrd.exe [2005-8-15 467968]
S4 SASDIFSV;SASDIFSV;\??\c:\software\antivirus\superantispyware\sasdifsv.sys --> c:\software\antivirus\superantispyware\SASDIFSV.SYS [?]
S4 SASENUM;SASENUM;\??\c:\software\antivirus\superantispyware\sasenum.sys --> c:\software\antivirus\superantispyware\SASENUM.SYS [?]
S4 SASKUTIL;SASKUTIL;\??\c:\software\antivirus\superantispyware\saskutil.sys --> c:\software\antivirus\superantispyware\SASKUTIL.sys [?]

=============== Created Last 30 ================

2009-04-29 19:13 --d----- C:\SReng2
2009-04-29 01:41 --d----- c:\docume~1\jash\datosd~1\Malwarebytes
2009-04-29 01:41 15,504 a------- c:\windows2\system32\drivers\mbam.sys
2009-04-29 01:41 38,496 a------- c:\windows2\system32\drivers\mbamswissarmy.sys
2009-04-29 01:41 --d----- c:\docume~1\alluse~1.win\datosd~1\Malwarebytes
2009-04-27 23:53 1,089,883 -c------ c:\windows2\system32\dllcache\ntprint.cat
2009-04-27 20:48 --d----- C:\834ff1c239e348b4534f5cbc
2009-04-27 20:46 5,232 a------- c:\windows2\system32\PerfStringBackup.TMP
2009-04-27 10:51 23 a--sh--- c:\windows2\system32\dcadfebec7_x.dat
2009-04-27 10:51 23 a------- c:\windows2\system32\baadecef5_x.xml
2009-04-27 10:50 --d----- c:\archivos de programa\jv16 PowerTools 2009
2009-04-27 06:49 101,888 ac------ c:\windows2\system32\dllcache\adpu160m.sys
2009-04-27 06:49 46,112 ac------ c:\windows2\system32\dllcache\adptsf50.sys
2009-04-27 06:49 10,880 ac------ c:\windows2\system32\dllcache\admjoy.sys
2009-04-27 06:49 747,392 ac------ c:\windows2\system32\dllcache\adm8830.sys
2009-04-27 06:49 584,448 ac------ c:\windows2\system32\dllcache\adm8810.sys
2009-04-27 06:49 553,984 ac------ c:\windows2\system32\dllcache\adm8820.sys
2009-04-27 06:49 20,160 ac------ c:\windows2\system32\dllcache\adm8511.sys
2009-04-27 06:49 7,424 ac------ c:\windows2\system32\dllcache\adicvls.sys
2009-04-27 06:49 61,952 ac------ c:\windows2\system32\dllcache\acerscad.dll
2009-04-27 06:46 66,048 ac------ c:\windows2\system32\dllcache\s3legacy.dll
2009-04-25 05:07 --d----- c:\archivos de programa\Microsoft SQL Server Compact Edition
2009-04-25 05:06 --d----- c:\archivos de programa\ArcPad 7.1
2009-04-22 05:39 166,912 a------- c:\windows2\pdf2txt.exe
2009-04-22 05:37 --d----- c:\archivos de programa\Language Reader
2009-04-22 04:54 --d----- c:\windows2\lhsp
2009-04-22 04:53 --d----- c:\windows2\speech
2009-04-19 15:17 --d----- c:\temp\tt7
2009-04-17 06:41 227,840 -c------ c:\windows2\system32\dllcache\wmiprvse.exe
2009-04-17 06:41 401,408 -c------ c:\windows2\system32\dllcache\rpcss.dll
2009-04-17 06:41 286,720 -c------ c:\windows2\system32\dllcache\pdh.dll
2009-04-17 06:41 111,104 -c------ c:\windows2\system32\dllcache\services.exe
2009-04-17 06:41 473,600 -c------ c:\windows2\system32\dllcache\fastprox.dll
2009-04-17 06:41 685,056 -c------ c:\windows2\system32\dllcache\advapi32.dll
2009-04-17 06:41 453,120 -c------ c:\windows2\system32\dllcache\wmiprvsd.dll
2009-04-17 06:32 219,136 -c------ c:\windows2\system32\dllcache\wordpad.exe
2009-04-15 01:36 --d----- c:\archivos de programa\RocketDock
2009-04-14 08:39 268 a---h--- C:\sqmdata14.sqm
2009-04-14 08:39 244 a---h--- C:\sqmnoopt14.sqm
2009-04-14 02:18 268 a---h--- C:\sqmdata13.sqm
2009-04-14 02:18 244 a---h--- C:\sqmnoopt13.sqm
2009-04-13 00:28 --d----- c:\archivos de programa\NutsAboutNets
2009-04-12 02:44 268 a---h--- C:\sqmdata12.sqm
2009-04-12 02:44 244 a---h--- C:\sqmnoopt12.sqm
2009-04-12 02:02 133,648 a------- c:\windows2\system32\VBoxNetFltNotify.dll
2009-04-12 02:02 87,696 a------- c:\windows2\system32\drivers\VBoxNetFlt.sys
2009-04-11 09:51 79,888 a------- c:\windows2\system32\drivers\VBoxNetAdp.sys
2009-04-11 09:48 31,952 a------- c:\windows2\system32\drivers\VBoxUSB.sys
2009-04-10 06:54 --d----- c:\archivos de programa\JRE
2009-04-07 07:48 --d----- c:\docume~1\jash\datosd~1\BitTorrent
2009-04-07 07:48 --d----- c:\docume~1\jash\datosd~1\DNA
2009-04-07 07:48 --d----- c:\archivos de programa\DNA
2009-04-07 07:47 --d----- c:\archivos de programa\AskSearch

==================== Find3M ====================

2009-04-25 18:03 114,114 a------- c:\windows2\system32\nvModes.dat
2009-04-24 17:47 11,952 a------- c:\windows2\system32\avgrsstx.dll
2009-04-24 17:47 325,896 a------- c:\windows2\system32\drivers\avgldx86.sys
2009-04-24 17:46 12,552 a------- c:\windows2\system32\drivers\avgrkx86.sys
2009-04-24 17:44 108,552 a------- c:\windows2\system32\drivers\avgtdix.sys
2009-04-07 21:25 100,944 a------- c:\windows2\system32\drivers\VBoxDrv.sys
2009-04-07 21:25 41,424 a------- c:\windows2\system32\drivers\VBoxUSBMon.sys
2009-03-09 05:19 410,984 a------- c:\windows2\system32\deploytk.dll
2009-03-06 15:20 286,720 a------- c:\windows2\system32\pdh.dll
2009-03-06 06:54 75,264 a------- c:\windows2\cadkasdeinst01e.exe
2009-02-20 09:10 668,672 a------- c:\windows2\system32\wininet.dll
2009-02-20 09:10 81,920 -------- c:\windows2\system32\ieencode.dll
2009-02-16 17:05 1,063,440 a------- c:\windows2\system32\VBoxService.exe
2009-02-16 17:05 674,320 a------- c:\windows2\system32\VBoxMRXNP.dll
2009-02-16 17:04 65,552 a------- c:\windows2\system32\VBoxHook.dll
2009-02-16 17:04 317,968 a------- c:\windows2\system32\VBoxOGL.dll
2009-02-16 17:04 100,880 a------- c:\windows2\system32\VBoxOGLpassthroughspu.dll
2009-02-16 17:04 2,046,480 a------- c:\windows2\system32\VBoxOGLpackspu.dll
2009-02-16 17:03 494,096 a------- c:\windows2\system32\VBoxOGLarrayspu.dll
2009-02-16 17:03 133,648 a------- c:\windows2\system32\VBoxOGLerrorspu.dll
2009-02-16 17:03 207,376 a------- c:\windows2\system32\VBoxOGLcrutil.dll
2009-02-10 19:06 2,068,480 a------- c:\windows2\system32\ntkrnlpa.exe
2009-02-09 15:06 1,846,912 a------- c:\windows2\system32\win32k.sys
2009-02-09 12:24 2,191,488 a------- c:\windows2\system32\ntoskrnl.exe
2009-02-09 12:23 111,104 a------- c:\windows2\system32\services.exe
2009-02-09 11:52 733,696 a------- c:\windows2\system32\lsasrv.dll
2009-02-09 11:52 685,056 a------- c:\windows2\system32\advapi32.dll
2009-02-09 11:52 401,408 a------- c:\windows2\system32\rpcss.dll
2009-02-09 11:52 739,328 a------- c:\windows2\system32\ntdll.dll
2009-02-06 21:20 13,312 a------- c:\windows2\system32\lsass.exe
2009-02-06 11:39 35,328 a------- c:\windows2\system32\sc.exe
2009-02-03 20:57 56,832 a------- c:\windows2\system32\secur32.dll
2008-03-25 12:20 32 a------- c:\docume~1\alluse~1.win\datosd~1\ezsid.dat
2006-01-30 10:40 786,432 a------- c:\documents and settings\jash\flearn9.dat
2005-08-20 14:25 1,048,576 a------- c:\documents and settings\jash\backup_firmware_grabadora_dvd.bin
2007-07-24 21:39 8 a--shr-- c:\windows2\neoqaz2.dll
2002-07-31 19:55 104 ---sh--- c:\windows2\WSYS049.SYS
2008-04-14 03:19 60,416 a--sh--- c:\windows2\isso\respaldo\msimn.exe

============= FINISH: 18:07:15,61 ===============

Edited by Orange Blossom, 02 May 2009 - 11:24 PM.


#2 DocSatan

Posted 13 May 2009 - 11:24 AM

Hello JASH and Welcome to BleepingComputer.

I'm DocSatan and I will be helping you with your "Malware" related computer problems.

1. Please Post a NEW DDS Log.
Some time has passed since your initial DDS Log and it's possible that the old DDS Log no longer accurately reflects your computer's current state. This will also let me know that you are still interested in receiving assistance with your computer issues. If you do not post a NEW DDS Log, then I will assume that you are no longer in need of assistance and this thread will be closed.
  • Download DDS by sUBs from the following link. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
    • NOTE: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.
    • Information on A/V control HERE
2. Do Not Make Any Changes to the "Infected" Computer.
Once you have posted a NEW DDS Log, Do Not make any changes to the computer. I will be researching the DDS Log that you post and any changes made to the system might interfere with the FIX that I prepare for you. Examples of "Changes":
  • Deleting Files/Folders
  • Installing/Uninstalling Programs
  • Running Anti-Virus, Anti-Malware, Anti-Spyware, etc., Programs
Doc.

#3 JASH (Topic Starter)

Posted 13 May 2009 - 04:04 PM

Hi there,

First I have to tell you that English is not my language, so it is possible that I make many mistakes and/or misunderstand things. I will try to do my best, but please be patient.

Second, the infection of my computer started (at least this is what I think) when I installed a program on my computer on APR 26th, so the reports that I send you now do not reflect the system's restore points at the moment of the infection.


Third: Thanks for your help. I am not at my home right now, nor will I be until JUN 2nd, and that is where I have my original operating system disks.


Here goes my log:
=======================================

DDS (Ver_09-05-14.01) - NTFSx86
Run by JASH at 21:48:21,86 on 13/05/2009
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Professional 5.1.2600.3.1252.34.3082.18.1023.242 [GMT 1:00]

AV: AVG Anti-Virus *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS2\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS2\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS2\system32\spoolsv.exe
C:\Archivos de programa\Google\Update\GoogleUpdate.exe
C:\WINDOWS2\Explorer.EXE
C:\WINDOWS2\system32\ctfmon.exe
C:\Archivos de programa\Apoint\Apoint.exe
C:\WINDOWS2\system32\rundll32.exe
C:\Archivos de programa\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\ARCHIV~1\Grisoft\AVG8\avgtray.exe
C:\Archivos de programa\Dell\QuickSet\Quickset.exe
C:\software\dispositivos\HP Scanner\HP Software Update\HPWuSchd2.exe
C:\software\drivers\Belkin\Wireless Mouse Driver\MOUSE32A.EXE
C:\Archivos de programa\SigmaTel\Controladores de sonido SigmaTel AC97\stacmon.exe
C:\Archivos de programa\Java\jre6\bin\jusched.exe
C:\Archivos de programa\Archivos comunes\InstallShield\UpdateService\ISUSPM.exe
C:\Archivos de programa\Windows Live\Messenger\MsnMsgr.Exe
C:\Archivos de programa\RocketDock\RocketDock.exe
C:\Archivos de programa\Microsoft ActiveSync\Wcescomm.exe
C:\Archivos de programa\Dell\Software Bluetooth\BTTray.exe
C:\ARCHIV~1\MICROS~2\rapimgr.exe
C:\Archivos de programa\Apoint\HidFind.exe
svchost.exe
C:\Archivos de programa\Apoint\Apntex.exe
C:\ARCHIV~1\Dell\SOFTWA~1\BTSTAC~1.EXE
C:\WINDOWS2\system32\netdde.exe
C:\Archivos de programa\ESRI\License\arcgis9x\lmgrd.exe
C:\Archivos de programa\ESRI\License\arcgis9x\ARCGIS.EXE
svchost.exe
C:\Archivos de programa\Dell\Software Bluetooth\bin\btwdins.exe
C:\WINDOWS2\system32\E_S00RP1.EXE
C:\WINDOWS2\system32\svchost.exe -k hpdevmgmt
C:\WINDOWS2\system32\svchost.exe -k HPService
C:\Archivos de programa\Java\jre6\bin\jqs.exe
C:\Archivos de programa\Archivos comunes\LogiShrd\LVMVFM\LVPrcSrv.exe
c:\Archivos de programa\Archivos comunes\Microsoft Shared\VS7Debug\mdm.exe
C:\Archivos de programa\Dell\QuickSet\NICCONFIGSVC.exe
C:\WINDOWS2\system32\nvsvc32.exe
C:\WINDOWS2\system32\SAgent4.exe
C:\WINDOWS2\System32\svchost.exe -k imgsvc
C:\Archivos de programa\Archivos comunes\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Archivos de programa\Adobe\Acrobat 8.0\Acrobat\Acrobat.exe
C:\software\internet\VoipDiscount.com\VoipDiscount\VoipDiscount.exe
C:\software\internet\SkypePhone\Phone\Skype.exe
C:\software\internet\SkypePhone\Plugin Manager\skypePM.exe
C:\ARCHIV~1\Grisoft\AVG8\avgwdsvc.exe
C:\ARCHIV~1\Grisoft\AVG8\avgam.exe
C:\ARCHIV~1\Grisoft\AVG8\avgrsx.exe
C:\ARCHIV~1\Grisoft\AVG8\avgnsx.exe
C:\ARCHIV~1\Grisoft\AVG8\avgemc.exe
C:\Archivos de programa\Grisoft\AVG8\avgcsrvx.exe
C:\software\internet\Netscape\ThunderBird\thunderbird.exe
C:\software\internet\Mozilla Firefox\firefox.exe
C:\JASH_D\download\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mDefault_Search_URL = hxxp://www.google.com/ie
mSearch Page =
uInternet Settings,ProxyServer = 195.76.153.201:3128
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
uURLSearchHooks: DefaultSearchHook Class: {c94e154b-1459-4a47-966b-4b843befc7db} - c:\archivos de programa\asksearch\bin\DefaultSearch.dll
BHO: AutorunsDisabled - No File
BHO: Aplicación auxiliar de vínculos de Adobe PDF Reader: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\archivos de programa\archivos comunes\adobe\acrobat\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\archivos de programa\grisoft\avg8\avgssie.dll
BHO: Windows Live Aplicación auxiliar de inicio de sesión: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\archivos de programa\archivos comunes\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\archivos de programa\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\archivos de programa\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\archivos de programa\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\archivos de programa\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
TB: StylerToolBar: {d2f8f919-690b-4ea2-9fa7-a203d1e04f75} - c:\archivos de programa\styler\tb\StylerTB.dll
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\archivos de programa\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows2\system32\ctfmon.exe
uRun: [ISUSPM] "c:\archivos de programa\archivos comunes\installshield\updateservice\ISUSPM.exe" -scheduler
uRun: [msnmsgr] "c:\archivos de programa\windows live\messenger\MsnMsgr.Exe" /background
uRun: [RocketDock] "c:\archivos de programa\rocketdock\RocketDock.exe"
uRun: [H/PC Connection Agent] "c:\archivos de programa\microsoft activesync\Wcescomm.exe"
mRun: [nwiz] nwiz.exe /installquiet
mRun: [Apoint] c:\archivos de programa\apoint\Apoint.exe
mRun: [EPSON Stylus Photo R320 Series] c:\windows2\system32\spool\drivers\w32x86\3\E_FATI9XE.EXE /P30 "EPSON Stylus Photo R320 Series" /O6 "USB001" /M "Stylus Photo R320"
mRun: [\\Ps-58c34f\epson_R320] c:\windows2\system32\spool\drivers\w32x86\3\e_fati9xe.exe /p22 "\\ps-58c34f\epson_r320" /o22 "\\ps-58c34f\epson_R320" /M "Stylus Photo R320"
mRun: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows2\system32\NvCpl.dll,NvStartup
mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
mRun: [Acrobat Assistant 8.0] "c:\archivos de programa\adobe\acrobat 8.0\acrobat\Acrotray.exe"
mRun: [\\192.168.2.3\epson_R320] c:\windows2\system32\spool\drivers\w32x86\3\e_fati9xe.exe /p24 "\\192.168.2.3\epson_r320" /o24 "\\192.168.2.3\epson_R320" /M "Stylus Photo R320"
mRun: [AVG8_TRAY] c:\archiv~1\grisoft\avg8\avgtray.exe
mRun: [Dell QuickSet] c:\archivos de programa\dell\quickset\Quickset.exe
mRun: [HP Software Update] c:\software\dispositivos\hp scanner\hp software update\HPWuSchd2.exe
mRun: [LWBMOUSE] c:\software\drivers\belkin\wireless mouse driver\MOUSE32A.EXE
mRun: [SigmaTel StacMon] c:\archivos de programa\sigmatel\controladores de sonido sigmatel ac97\stacmon.exe
mRun: [SunJavaUpdateSched] "c:\archivos de programa\java\jre6\bin\jusched.exe"
dRun: [CTFMON.EXE] c:\windows2\system32\CTFMON.EXE
StartupFolder: c:\docume~1\jash\menini~1\progra~1\inicio\autorunsdisabled\vistastart.lnk - c:\windows2\resources\themes\yafvc3\vistastart\VistaStart1.3.exe
StartupFolder: c:\docume~1\alluse~1.win\menini~1\progra~1\inicio\bttray.lnk - c:\archivos de programa\dell\software bluetooth\BTTray.exe
uPolicies-explorer: NoChangeAnimation = 1 (0x1)
IE: Anexar a PDF existente - c:\archivos de programa\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convertir a Adobe PDF - c:\archivos de programa\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convertir destino de vínculo a PDF existente - c:\archivos de programa\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convertir destino de vínculo en archivo Adobe PDF - c:\archivos de programa\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convertir selección a Adobe PDF - c:\archivos de programa\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convertir selección a archivo PDF existente - c:\archivos de programa\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convertir vínculos seleccionados a Adobe PDF - c:\archivos de programa\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convertir vínculos seleccionados a PDF existente - c:\archivos de programa\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: E&xport to Microsoft Excel - c:\archiv~1\micros~3\office11\EXCEL.EXE/3000
IE: Enviar a &Bluetooth - c:\archivos de programa\dell\software bluetooth\btsendto_ie_ctx.htm
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\archivos de programa\messenger\msmsgs.exe
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\archivos de programa\dell\software bluetooth\btsendto_ie.htm
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\archiv~1\micros~2\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\archiv~1\micros~2\INetRepl.dll
IE: {58ECB495-38F0-49cb-A538-10282ABF65E7} - {E763472E-A716-4CD9-89BD-DBDA6122F741} - c:\software\dispositivos\hp scanner\smart web printing\hpswp_extensions.dll
IE: {700259D7-1666-479a-93B1-3250410481E8} - {A93C41D8-01F8-4F8B-B14C-DE20B117E636} - c:\software\dispositivos\hp scanner\smart web printing\hpswp_extensions.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\archiv~1\micros~3\office11\REFIEBAR.DLL
DPF: Microsoft XML Parser for Java - file://c:\windows2\java\classes\xmldso.cab
DPF: {0000000A-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/d/4/4/d446e8a9-3a86-4b59-bb19-f5bd11b40367/wmavax.CAB
DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - hxxp://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38576.1258333333
DPF: {CAFEEFAC-0015-0000-0012-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_12-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
TCP: interfaces = 152.158.2.48,165.87.201.244
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\archivos de programa\grisoft\avg8\avgpp.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\archiv~1\archiv~1\skype\Skype4COM.dll
Handler: widimg - {EE7C2AFF-5742-44FF-BD0E-E521B0D3C3BA} - c:\windows2\system32\BTXPPanel.dll
Notify: avgrsstarter - avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows2\system32\WPDShServiceObj.dll
LSA: Notification Packages = scecli c:\windows2\system32\nukadije.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\jash\datosd~1\mozilla\firefox\profiles\k4uv1kov.default\
FF - prefs.js: browser.search.selectedEngine - Ask
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: keyword.URL - hxxp://toolbar.ask.com/toolbarv/askRedirect?o=101757&gct=&gc=1&q=
FF - prefs.js: network.proxy.ftp - 195.76.153.201
FF - prefs.js: network.proxy.ftp_port - 3128
FF - prefs.js: network.proxy.gopher - 195.76.153.201
FF - prefs.js: network.proxy.gopher_port - 3128
FF - prefs.js: network.proxy.http - 195.76.153.201
FF - prefs.js: network.proxy.http_port - 3128
FF - prefs.js: network.proxy.socks - 195.76.153.201
FF - prefs.js: network.proxy.socks_port - 3128
FF - prefs.js: network.proxy.ssl - 195.76.153.201
FF - prefs.js: network.proxy.ssl_port - 3128
FF - prefs.js: network.proxy.type - 4
FF - component: c:\archivos de programa\grisoft\avg8\firefox\components\avgssff.dll
FF - component: c:\documents and settings\jash\datos de programa\mozilla\firefox\profiles\k4uv1kov.default\extensions\{0b457caa-602d-484a-8fe7-c1d894a011ba}\platform\winnt_x86-msvc\components\SSSLauncher.dll
FF - component: c:\documents and settings\jash\datos de programa\mozilla\firefox\profiles\k4uv1kov.default\extensions\{81bf1d23-5f17-408d-ac6b-bd6df7caf670}\components\XpcomOpusConnector.dll
FF - plugin: c:\archivos de programa\google\update\1.2.145.5\npGoogleOneClick8.dll
FF - plugin: c:\archivos de programa\skyhook wireless\loki browser plugin\nploki.dll
FF - plugin: c:\software\graficos\quicktime\plugins\npqtplugin.dll
FF - plugin: c:\software\graficos\quicktime\plugins\npqtplugin2.dll
FF - plugin: c:\software\graficos\quicktime\plugins\npqtplugin3.dll
FF - plugin: c:\software\graficos\quicktime\plugins\npqtplugin4.dll
FF - plugin: c:\software\graficos\quicktime\plugins\npqtplugin5.dll
FF - plugin: c:\software\graficos\quicktime\plugins\npqtplugin6.dll
FF - plugin: c:\software\graficos\quicktime\plugins\npqtplugin7.dll
FF - plugin: c:\software\graficos\realplayer\netscape6\nppl3260.dll
FF - plugin: c:\software\graficos\realplayer\netscape6\nprjplug.dll
FF - plugin: c:\software\graficos\realplayer\netscape6\nprpjplug.dll
FF - plugin: c:\software\graficos\videolan\vlc\npvlc.dll
FF - plugin: c:\software\internet\mozilla firefox\plugins\npbittorrent.dll
FF - plugin: c:\software\internet\mozilla firefox\plugins\npgato.dll
FF - plugin: c:\software\internet\mozilla firefox\plugins\nppdf32(2).dll

---- FIREFOX POLICIES ----

============= SERVICES / DRIVERS ===============

R0 AvgRkx86;avgrkx86.sys;c:\windows2\system32\drivers\avgrkx86.sys [2008-7-22 12552]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows2\system32\drivers\avgldx86.sys [2008-7-22 325896]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows2\system32\drivers\avgmfx86.sys [2006-12-17 27784]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows2\system32\drivers\avgtdix.sys [2008-7-22 108552]
R1 VBoxDrv;VirtualBox Service;c:\windows2\system32\drivers\VBoxDrv.sys [2008-3-1 100944]
R1 VBoxUSBMon;VirtualBox USB Monitor Driver;c:\windows2\system32\drivers\VBoxUSBMon.sys [2008-3-1 41424]
R2 ArcGIS License Manager;ArcGIS License Manager;c:\archivos de programa\esri\license\arcgis9x\lmgrd.exe [2005-8-15 467968]
R2 avg8emc;AVG8 E-mail Scanner;c:\archiv~1\grisoft\avg8\avgemc.exe [2008-7-22 908568]
R2 avg8wd;AVG8 WatchDog;c:\archiv~1\grisoft\avg8\avgwdsvc.exe [2008-7-22 298776]
R2 P1C1394;Phase One 1394 Camera Driver;c:\windows2\system32\drivers\p1c1394.sys [2008-5-15 23168]
R3 GTICARD;GTICARD;c:\windows2\system32\drivers\gticard.sys [2003-2-6 59328]
R3 VBoxMouse;VirtualBox Guest Mouse Service;c:\windows2\system32\drivers\VBoxMouse.sys [2008-1-2 39696]
R3 VBoxNetAdp;VirtualBox Host-Only Ethernet Adapter;c:\windows2\system32\drivers\VBoxNetAdp.sys [2009-4-11 79888]
R3 VBoxNetFlt;VBoxNetFlt Service;c:\windows2\system32\drivers\VBoxNetFlt.sys [2009-4-12 87696]
S1 VBoxSF;VirtualBox Shared Folders;c:\windows2\system32\drivers\VBoxSF.sys [2009-2-16 195728]
S2 FLUSBDRV;3Com ADSL-150 USB Driver;c:\windows2\system32\drivers\3CF002LD.sys [2005-8-10 21414]
S2 gupdate1c9a2bcebc1a270;Google Update Service (gupdate1c9a2bcebc1a270);c:\archivos de programa\google\update\GoogleUpdate.exe [2009-3-12 133104]
S2 IWPORT;IWPORT;\??\c:\windows2\system32\drivers\iwport.sys --> c:\windows2\system32\drivers\IWPORT.SYS [?]
S2 VBoxService;VirtualBox Guest Additions Service;system32\VBoxService.exe --> system32\VBoxService.exe [?]
S3 dcdbas;System Management Driver;c:\windows2\system32\drivers\dcdbas32.sys --> c:\windows2\system32\drivers\dcdbas32.sys [?]
S3 NANMp50;NANMp50 NDIS Protocol Driver;c:\windows2\system32\drivers\nanmp50.sys --> c:\windows2\system32\drivers\NANMp50.sys [?]
S3 NANSp50;NANSp50 NDIS Protocol Driver;c:\windows2\system32\drivers\nansp50.sys --> c:\windows2\system32\drivers\NANSp50.sys [?]
S3 usb2vcom;Nokia CA-42 USB;c:\windows2\system32\drivers\usb2vcom.sys [2006-12-18 30272]
S3 USBLC6X0100;%USBLC6X0100.DispName%;c:\windows2\system32\drivers\3cusblr.sys [2005-8-10 309700]
S3 VBoxTAP;VirtualBox TAP Adapter;c:\windows2\system32\drivers\VBoxTAP.sys [2008-3-1 47552]
S3 VBoxUSB;VirtualBox USB;c:\windows2\system32\drivers\VBoxUSB.sys [2009-4-11 31952]
S4 ERMLicSrv_ATL70;ERMLicSrv_ATL70;c:\windows2\system32\erm\7.0\ERMLicSrv_ATL70.exe [2008-1-9 94208]
S4 FME_License_service;FME_License_service;c:\archivos de programa\esri\license\arcgis9x\lmgrd.exe [2005-8-15 467968]
S4 SASDIFSV;SASDIFSV;\??\c:\software\antivirus\superantispyware\sasdifsv.sys --> c:\software\antivirus\superantispyware\SASDIFSV.SYS [?]
S4 SASENUM;SASENUM;\??\c:\software\antivirus\superantispyware\sasenum.sys --> c:\software\antivirus\superantispyware\SASENUM.SYS [?]
S4 SASKUTIL;SASKUTIL;\??\c:\software\antivirus\superantispyware\saskutil.sys --> c:\software\antivirus\superantispyware\SASKUTIL.sys [?]

=============== Created Last 30 ================

2009-05-12 01:01 268 a---h--- C:\sqmdata19.sqm
2009-05-12 01:01 244 a---h--- C:\sqmnoopt19.sqm
2009-05-10 06:51 1,979 a------- c:\windows2\system32\taskman.exe.manifest
2009-05-10 02:30 991,232 a------- c:\windows2\system32\W22MLRES.dll
2009-05-10 01:26 268 a---h--- C:\sqmdata18.sqm
2009-05-10 01:26 244 a---h--- C:\sqmnoopt18.sqm
2009-05-10 01:04 268 a---h--- C:\sqmdata17.sqm
2009-05-10 01:04 244 a---h--- C:\sqmnoopt17.sqm
2009-05-06 23:52 268 a---h--- C:\sqmdata16.sqm
2009-05-06 23:52 244 a---h--- C:\sqmnoopt16.sqm
2009-05-05 02:23 145 a------- C:\3d_shp2.prj
2009-05-05 02:23 6,868 a------- C:\3d_shp2.shp
2009-05-05 02:23 291 a------- C:\3d_shp2.dbf
2009-05-05 02:23 172 a------- C:\3d_shp2.shx
2009-05-04 06:02 268 a---h--- C:\sqmdata15.sqm
2009-05-04 06:02 244 a---h--- C:\sqmnoopt15.sqm
2009-04-29 19:13 <DIR> --d----- C:\SReng2
2009-04-29 01:41 <DIR> --d----- c:\docume~1\jash\datosd~1\Malwarebytes
2009-04-29 01:41 15,504 a------- c:\windows2\system32\drivers\mbam.sys
2009-04-29 01:41 38,496 a------- c:\windows2\system32\drivers\mbamswissarmy.sys
2009-04-29 01:41 <DIR> --d----- c:\docume~1\alluse~1.win\datosd~1\Malwarebytes
2009-04-27 23:53 1,089,883 -c------ c:\windows2\system32\dllcache\ntprint.cat
2009-04-27 20:48 <DIR> --d----- C:\834ff1c239e348b4534f5cbc_JASH
2009-04-27 20:46 5,232 a------- c:\windows2\system32\PerfStringBackup.TMP
2009-04-27 10:51 23 a--sh--- c:\windows2\system32\dcadfebec7_x.dat
2009-04-27 10:51 23 a------- c:\windows2\system32\baadecef5_x.xml
2009-04-27 10:50 <DIR> --d----- c:\archivos de programa\jv16 PowerTools 2009
2009-04-27 06:49 101,888 ac------ c:\windows2\system32\dllcache\adpu160m.sys
2009-04-27 06:49 46,112 ac------ c:\windows2\system32\dllcache\adptsf50.sys
2009-04-27 06:49 10,880 ac------ c:\windows2\system32\dllcache\admjoy.sys
2009-04-27 06:49 747,392 ac------ c:\windows2\system32\dllcache\adm8830.sys
2009-04-27 06:49 584,448 ac------ c:\windows2\system32\dllcache\adm8810.sys
2009-04-27 06:49 553,984 ac------ c:\windows2\system32\dllcache\adm8820.sys
2009-04-27 06:49 20,160 ac------ c:\windows2\system32\dllcache\adm8511.sys
2009-04-27 06:49 7,424 ac------ c:\windows2\system32\dllcache\adicvls.sys
2009-04-27 06:49 61,952 ac------ c:\windows2\system32\dllcache\acerscad.dll
2009-04-27 06:46 66,048 ac------ c:\windows2\system32\dllcache\s3legacy.dll
2009-04-25 05:07 <DIR> --d----- c:\archivos de programa\Microsoft SQL Server Compact Edition
2009-04-25 05:06 <DIR> --d----- c:\archivos de programa\ArcPad 7.1
2009-04-22 05:39 166,912 a------- c:\windows2\pdf2txt.exe
2009-04-22 05:37 <DIR> --d----- c:\archivos de programa\Language Reader
2009-04-22 04:54 <DIR> --d----- c:\windows2\lhsp
2009-04-22 04:53 <DIR> --d----- c:\windows2\speech
2009-04-19 15:17 <DIR> --d----- c:\temp\tt7
2009-04-17 06:41 227,840 -c------ c:\windows2\system32\dllcache\wmiprvse.exe
2009-04-17 06:41 401,408 -c------ c:\windows2\system32\dllcache\rpcss.dll
2009-04-17 06:41 286,720 -c------ c:\windows2\system32\dllcache\pdh.dll
2009-04-17 06:41 111,104 -c------ c:\windows2\system32\dllcache\services.exe
2009-04-17 06:41 473,600 -c------ c:\windows2\system32\dllcache\fastprox.dll
2009-04-17 06:41 685,056 -c------ c:\windows2\system32\dllcache\advapi32.dll
2009-04-17 06:41 453,120 -c------ c:\windows2\system32\dllcache\wmiprvsd.dll
2009-04-17 06:32 219,136 -c------ c:\windows2\system32\dllcache\wordpad.exe
2009-04-15 01:36 <DIR> --d----- c:\archivos de programa\RocketDock
2009-04-14 08:39 268 a---h--- C:\sqmdata14.sqm
2009-04-14 08:39 244 a---h--- C:\sqmnoopt14.sqm
2009-04-14 02:18 268 a---h--- C:\sqmdata13.sqm
2009-04-14 02:18 244 a---h--- C:\sqmnoopt13.sqm

==================== Find3M ====================

2009-05-13 21:25 114,114 a------- c:\windows2\system32\nvModes.dat
2009-05-12 03:55 102,400 a------- c:\windows2\DreamAquarium.scr
2009-05-10 06:51 18,944 a------- c:\windows2\system32\taskman.exe
2009-04-24 17:47 11,952 a------- c:\windows2\system32\avgrsstx.dll
2009-04-24 17:47 325,896 a------- c:\windows2\system32\drivers\avgldx86.sys
2009-04-24 17:46 12,552 a------- c:\windows2\system32\drivers\avgrkx86.sys
2009-04-24 17:44 108,552 a------- c:\windows2\system32\drivers\avgtdix.sys
2009-04-07 21:25 100,944 a------- c:\windows2\system32\drivers\VBoxDrv.sys
2009-04-07 21:25 87,696 a------- c:\windows2\system32\drivers\VBoxNetFlt.sys
2009-04-07 21:25 79,888 a------- c:\windows2\system32\drivers\VBoxNetAdp.sys
2009-04-07 21:25 41,424 a------- c:\windows2\system32\drivers\VBoxUSBMon.sys
2009-04-07 21:25 31,952 a------- c:\windows2\system32\drivers\VBoxUSB.sys
2009-04-07 21:25 133,648 a------- c:\windows2\system32\VBoxNetFltNotify.dll
2009-03-09 05:19 410,984 a------- c:\windows2\system32\deploytk.dll
2009-03-06 15:20 286,720 a------- c:\windows2\system32\pdh.dll
2009-03-06 06:54 75,264 a------- c:\windows2\cadkasdeinst01e.exe
2009-02-20 09:10 668,672 a------- c:\windows2\system32\wininet.dll
2009-02-20 09:10 81,920 -------- c:\windows2\system32\ieencode.dll
2009-02-16 17:05 1,063,440 a------- c:\windows2\system32\VBoxService.exe
2009-02-16 17:05 674,320 a------- c:\windows2\system32\VBoxMRXNP.dll
2009-02-16 17:04 65,552 a------- c:\windows2\system32\VBoxHook.dll
2009-02-16 17:04 317,968 a------- c:\windows2\system32\VBoxOGL.dll
2009-02-16 17:04 100,880 a------- c:\windows2\system32\VBoxOGLpassthroughspu.dll
2009-02-16 17:04 2,046,480 a------- c:\windows2\system32\VBoxOGLpackspu.dll
2009-02-16 17:03 494,096 a------- c:\windows2\system32\VBoxOGLarrayspu.dll
2009-02-16 17:03 133,648 a------- c:\windows2\system32\VBoxOGLerrorspu.dll
2009-02-16 17:03 207,376 a------- c:\windows2\system32\VBoxOGLcrutil.dll
2008-03-25 12:20 32 a------- c:\docume~1\alluse~1.win\datosd~1\ezsid.dat
2006-01-30 10:40 786,432 a------- c:\documents and settings\jash\flearn9.dat
2005-08-20 14:25 1,048,576 a------- c:\documents and settings\jash\backup_firmware_grabadora_dvd.bin
2007-07-24 21:39 8 a--shr-- c:\windows2\neoqaz2.dll
2002-07-31 19:55 104 ---sh--- c:\windows2\WSYS049.SYS
2008-04-14 03:19 60,416 a--sh--- c:\windows2\isso\respaldo\msimn.exe

============= FINISH: 21:50:24,67 ===============

Attached Files
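The DDS log above ends here. As an added example that is not part of this thread or of the DDS tool, the Python script below applies a few defender-side triage heuristics to lines copied from the log's "Pseudo HJT Report" section (the proxy server, the LSA notification package, the search hook and the "No File" entries); the known-good values it compares against are assumptions and are labelled as such in the code.

```python
"""Triage heuristics for the 'Pseudo HJT Report' section of a DDS log.

Added example for this thread; it is not part of DDS, ComboFix or any
post in the thread. The sample lines are copied from the DDS log above;
the known-good values below are assumptions for a stock Windows XP box.
"""
import re
from dataclasses import dataclass

# Assumption: a stock XP install lists only 'scecli' as an LSA notification package.
LSA_DEFAULT_PACKAGES = {"scecli"}
# Assumption: search hosts you would expect on an unmodified browser.
DEFAULT_SEARCH_HOSTS = {"www.google.com", "www.bing.com", "search.msn.com", "search.live.com"}

PROXY_RE = re.compile(r"^[um]Internet Settings,ProxyServer = (.+)$")
LSA_RE = re.compile(r"^LSA: Notification Packages = (.+)$")
KEYWORD_URL_RE = re.compile(r"^FF - prefs\.js: keyword\.URL - (.+)$")
SEARCH_HOOK_RE = re.compile(r"^[um]URLSearchHooks: ")
HOST_RE = re.compile(r"^hxxps?://([^/\s?]+)", re.IGNORECASE)
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}(?::\d+)?$")


@dataclass
class Finding:
    severity: str  # "high", "medium" or "low"
    reason: str
    line: str


def triage_line(line: str):
    """Return a Finding for one DDS line, or None if nothing stands out."""
    line = line.strip()
    if not line:
        return None

    m = PROXY_RE.match(line)
    if m:
        # A proxy set to a bare IP is legitimate on some networks but is also a
        # classic hijack target, so it is worth confirming with the user.
        if IPV4_RE.match(m.group(1).strip()):
            return Finding("medium", "proxy points at a raw IP address; confirm it is your network's proxy", line)
        return None

    m = LSA_RE.match(line)
    if m:
        # Anything beyond scecli here is a DLL that lsass loads at boot.
        extras = [t for t in m.group(1).split() if t.lower() not in LSA_DEFAULT_PACKAGES]
        if extras:
            return Finding("high", "non-default LSA notification package: " + ", ".join(extras), line)
        return None

    m = KEYWORD_URL_RE.match(line)
    if m:
        host = HOST_RE.match(m.group(1).strip())
        if host and host.group(1).lower() not in DEFAULT_SEARCH_HOSTS:
            return Finding("medium", "address-bar searches redirected to " + host.group(1), line)
        return None

    if SEARCH_HOOK_RE.match(line):
        return Finding("low", "third-party URL search hook; verify it belongs to software you installed", line)

    if line.endswith("- No File"):
        return Finding("low", "orphaned entry: registry points at a file that no longer exists", line)

    return None


def triage(report: str):
    """Run triage_line over every line of a DDS report, preserving order."""
    findings = []
    for line in report.splitlines():
        f = triage_line(line)
        if f:
            findings.append(f)
    return findings


def summarize(findings):
    """Count findings per severity so a reviewer can see the shape at a glance."""
    counts = {"high": 0, "medium": 0, "low": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


# Constructed sample: nine lines copied from the DDS log in this thread.
SAMPLE_LINES = r"""
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyServer = 195.76.153.201:3128
uURLSearchHooks: DefaultSearchHook Class: {c94e154b-1459-4a47-966b-4b843befc7db} - c:\archivos de programa\asksearch\bin\DefaultSearch.dll
BHO: AutorunsDisabled - No File
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\archivos de programa\grisoft\avg8\avgssie.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
LSA: Notification Packages = scecli c:\windows2\system32\nukadije.dll
FF - prefs.js: keyword.URL - hxxp://toolbar.ask.com/toolbarv/askRedirect?o=101757&gct=&gc=1&q=
Notify: avgrsstarter - avgrsstx.dll
"""

if __name__ == "__main__":
    results = triage(SAMPLE_LINES)
    for f in results:
        print(f"[{f.severity:6}] {f.reason}\n         {f.line}")
    print(summarize(results))
```

The heuristics only rank lines for a human to review; an entry flagged "high" still has to be checked against the vendor's file information before anything is removed.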



#4 DocSatan

DocSatan

    Bleepin' Wanna-Be


  • Members
  • 2,156 posts
  • OFFLINE
  • Gender:Male
  • Location:Boston, Ma.
  • Local time:10:04 AM

Posted 13 May 2009 - 06:57 PM

Hello JASH,

Please give me some time to research your log and I will get back to you ASAP. :thumbup2:

First I have to tell you that English is not my language, so it would be possible that I make many mistakes and/or misunderstand things. I will try to do my best, but please, be patient.

  • No Problemo! :) If at any time you are not sure what I am asking you to do, please post a reply to this topic with your questions and I will do my best to clarify my instructions. :step4:

Second, the infection of my computer started (at least this is what I think) when I installed a program on my computer on APR 26th, so the reports that I send you now do not reflect the system's restore points at the moment of the infection.

  • That's OK. I will be looking over your previous thread that Quietman helped you with.
  • Can you tell me the name of the program that you installed APR 26th? Where did you install the program from, Internet, Peer-To-Peer (P2P), etc.?
  • What did you notice after installing this program that made you think you were infected...Pop-ups, Errors, etc.?

Third: Thanks for your help. I am not at my home right now, nor will I be until JUN 2nd, and that is where I have my original operating system disks.

  • Hopefully we will not need your original operating disks. :step1:
Doc.

#5 JASH

JASH
  • Topic Starter

  • Members
  • 26 posts
  • OFFLINE
  • Local time:07:04 AM

Posted 13 May 2009 - 08:41 PM

Dear Doc,

I have had an alert from AVG antivirus about a Trojan in a system restore executable. I think I would have to move the threat to the vault, but I am concerned because I do not know if this would interfere with your help!
I attach an image with the message I got.

I clicked Omitir (Omit in English).

Tell me if I have to rescan this file and to repair or move to the vault.

Thanks for your help.

Attached Files



#6 JASH

JASH
  • Topic Starter

  • Members
  • 26 posts
  • OFFLINE
  • Local time:07:04 AM

Posted 14 May 2009 - 12:38 AM

Hi, Doc.

I was downloading a keygen for some software and I am not sure if it was ArcPad. I am trying to find it again on P2P eMule, where I downloaded it, but at the moment with no success.
It looked suspicious to me because it was 1.2 MB (if I remember well), but I dared to execute it.
I noticed something was going strange, unusual, because when I ran it, nothing happened. Nothing, which is not normal. Some time later, when my wife was using my computer, Internet Explorer began to open popups and my AVG started to complain about infected files.

I never use IE. Almost never, actually, because some pages are not well designed, nor designed taking Firefox into account. But this occurs seldom. This is how I guessed there was an infection.

I still have some of the infected DLLs in my vault and I know I deleted some others with "fancy" names like "sarapoga.dll" and so on. I had the sarapoga.dll file sent to VirusTotal, an online scanning page. (I attach the results.)

Also, for the first time in my computing life, at startup the Windows program prtcfg triggered the message box for programs that have not been certified to be safe (you know, those that usually appear when you are installing new software). It was so unusual to me (I supposed it came with Windows, so it would not need to be installed again) that I sent this file to a page where they scanned it, and they said that it has an infection.

There are another two strange behaviours of my computer: I cannot open Task Manager, and at the very startup (even prior to loading the graphics card's settings, because this message appears in 800x600 pixel resolution) there is a message saying %systemroot%\windows\system32\AutoChk.exe could not be found and that it would not be loaded. The path is not the one where the system32 folder is. My %systemroot% is windows2, and the path to AutoChk.exe is c:\windows2\system32\autochk.exe. It looks like a standard message, or else like an unsupervised change in some part of the startup process (it reminds me of changes in the old Windows 3.0 and DOS files like win.ini, autoexec.bat, etc.).
I have searched my registry for the string "\windows\system32" and nothing appears. I can find "\windows2\system32", obviously, as it is the XP "home" folder.

I have dug into my computer and into recent files and the history of Windows Explorer, and found the file that I opened on that fateful day: "(2008) Arcpad.rar". Inside, a program called Setup.exe, I think.

#7 DocSatan

DocSatan

    Bleepin' Wanna-Be


  • Members
  • 2,156 posts
  • OFFLINE
  • Gender:Male
  • Location:Boston, Ma.
  • Local time:10:04 AM

Posted 14 May 2009 - 01:28 PM

Hello JASH,

I'm nearly finished with analyzing your DDS Log, but just wanted to address some of your previous comments/questions. :step4:

Also, in order to keep some information in one place, can you tell me what issues you are experiencing with this computer as of now?

I have had an alert from AVG antivirus about a Trojan in a system restore executable. I think I would have to move the threat to the vault, but I am concerned because I do not know if this would interfere with your help!

  • If it pops up again you can choose to delete it with AVG. Must have been from your earlier infection that quietman7 helped you with.

I was downloading a keygen for a software...

  • This is probably where you got infected from.
  • Using Cracks, KeyGens, etc. opens your computer to any thinkable malware out there, not to mention being illegal :) .
  • Using P2P programs also creates the same vulnerable situation for your computer. I would advise not to use P2P Programs and definitely not to use KeyGens and Cracks. There's just no way to know absolutely for sure that what you are downloading is safe.
  • Here is some information on the Dangers of using P2P:
  • P2P Programs: Popular and Perilous
  • P2P Downloads Fuel Spyware
  • The dangers of P2P networks
I will be posting a "FIX" shortly. :thumbup2:

Doc.

#8 JASH

JASH
  • Topic Starter

  • Members
  • 26 posts
  • OFFLINE
  • Local time:07:04 AM

Posted 14 May 2009 - 10:06 PM

good night, Doc

In relation to the AVG alert, AVG did move the file to the vault by itself, in the everyday analysis it performs as I scheduled.

About which issues, here you are:

At the beginning, the message saying that %systemroot%\windows\system32\AutoChk.exe is not found and it won't be run. This is abnormal, since I do not have Windows installed under the "c:\windows" directory, as you can tell in the logs. When I search for the missing file, I find it in several places, all appearing to be legitimate (system32, service pack files, and some of those folders that Windows Update creates with replaced files). I cannot manually run or execute these files because they seem not to be conceived to be run manually. I receive an error message stating that this application cannot be run in Win32 mode. The file is where it should be, but the startup processes are looking in a wrong and nonexistent path.

My computer is sooooooooooooooo much slower, like a snail. But this has a pattern: it is normal and after three or four seconds, it gets really slow, and many seconds (sometimes minutes) later, it stays fast for about another four or five seconds.

The most annoying:
I cannot launch Task Manager. When I try to run it using any shortcut or key combination, nothing happens. When I try to launch it manually from the Windows directory, I get the message that says "Windows could not find the file 'C:\Windows2\system32\taskmgr.exe'. Make sure that the path and filename are correctly written and try again. To search for a file, click the Start button and then Find...". I have just clicked on the file in the system32 folder!

Sometimes the left button of my mouse does not work easily. I have to right-click in another window and then go back to the prior one to continue working, until the next time it happens again. It does not happen always, but three days ago I had to alternately right-click and left-click to access, for instance, the links in my browser.

I have two new directories: 834ff1c239e348b4534f5cbc, and I have no access to its content (I used to have control of the owners of the files, but now that I wanted to see the permissions of this folder, I cannot find the way to do this),
and
4856a24d24f35f4f28, and I had no access to its content. At least, I could remove it.

Sometimes I get small empty tip squares instead of the usual tooltips when I hold the cursor on an element of, let's say, the taskbar.

I got rid of some other issues with the help of quietman7.

#9 DocSatan

DocSatan

    Bleepin' Wanna-Be


  • Members
  • 2,156 posts
  • OFFLINE
  • Gender:Male
  • Location:Boston, Ma.
  • Local time:10:04 AM

Posted 16 May 2009 - 12:38 PM

Hello JASH,

1. Please Download ComboFix
Here is a Tutorial on using ComboFix: A guide and tutorial on using ComboFix
  • Save it to your Desktop
  • Do NOT run ComboFix yet
  • Here are some alternative links to download ComboFix, if the above one is not working for you:
  • Link 1
  • Link 2
2. Disable Your AntiVirus and AntiSpyware Programs
  • You should be able to Right-Click on the program's icon in the System Tray and get an option to shut-down/disable each program.
  • These programs may interfere with our fix. We will re-enable them when we are done.
3. Double click on ComboFix.exe that you just saved to your Desktop
  • Follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. The Recovery Console will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • It is strongly recommended to have the Recovery Console installed on your machine before doing any malware removal.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

Posted Image

NOTE: If the Microsoft Windows Recovery Console is already installed, you will not receive a prompt from ComboFix regarding the Recovery Console.

  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

    Posted Image

  • Click on Yes, to continue scanning for malware.
  • When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply along with a fresh HijackThis log.
4. Re-enable Your AntiVirus and AntiSpyware Programs That You Disabled in Step 2.

5. What I need in Your Next Reply:
  • ComboFix.txt
Doc.

#10 JASH

JASH
  • Topic Starter

  • Members
  • 26 posts
  • OFFLINE
  • Local time:07:04 AM

Posted 16 May 2009 - 09:30 PM

I did not already have the Recovery Console installed, but ComboFix didn't ask me to install it.



Here goes the ComboFix log:

ComboFix 09-05-16.01 - JASH 16/05/2009 20:33.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.34.3082.18.1023.266 [GMT 1:00]
Running from: c:\jash_d\download\ComboFix.exe
AV: AVG Anti-Virus *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
ADS - WINDOWS2: deleted 8 bytes in 1 streams.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\archiv~1\ARCHIV~1\{64EA7~1
c:\documents and settings\All Users.WINDOWS2\Datos de programa\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users.WINDOWS2\Datos de programa\Microsoft\Network\Downloader\qmgr1.dat
c:\recycler\S-1-5-21-1354023463-2391713017-1751774234-1005\Dc1.lnk
c:\recycler\S-1-5-21-1354023463-2391713017-1751774234-1005\INFO2
c:\recycler\S-1-5-21-343818398-1563985344-1343024091-500\Dc10.tmp
c:\recycler\S-1-5-21-343818398-1563985344-1343024091-500\Dc11.tmp
c:\recycler\S-1-5-21-343818398-1563985344-1343024091-500\Dc12.tmp
c:\recycler\S-1-5-21-343818398-1563985344-1343024091-500\Dc13.tmp
c:\recycler\S-1-5-21-343818398-1563985344-1343024091-500\Dc14.tmp
c:\recycler\S-1-5-21-343818398-1563985344-1343024091-500\Dc15.tmp
c:\recycler\S-1-5-21-343818398-1563985344-1343024091-500\Dc16.tmp
c:\recycler\S-1-5-21-343818398-1563985344-1343024091-500\Dc17.tmp
c:\recycler\S-1-5-21-343818398-1563985344-1343024091-500\Dc18.tmp
c:\recycler\S-1-5-21-343818398-1563985344-1343024091-500\Dc19.tmp
c:\recycler\S-1-5-21-343818398-1563985344-1343024091-500\Dc20.tmp
c:\recycler\S-1-5-21-343818398-1563985344-1343024091-500\Dc21.tmp
c:\recycler\S-1-5-21-343818398-1563985344-1343024091-500\Dc22.log
c:\recycler\S-1-5-21-343818398-1563985344-1343024091-500\Dc23.log
c:\recycler\S-1-5-21-343818398-1563985344-1343024091-500\Dc24.log
c:\recycler\S-1-5-21-343818398-1563985344-1343024091-500\Dc25.log
c:\recycler\S-1-5-21-343818398-1563985344-1343024091-500\Dc26.log
c:\recycler\S-1-5-21-343818398-1563985344-1343024091-500\Dc27.log
c:\recycler\S-1-5-21-343818398-1563985344-1343024091-500\Dc28.log
c:\recycler\S-1-5-21-343818398-1563985344-1343024091-500\Dc29.log
c:\recycler\S-1-5-21-343818398-1563985344-1343024091-500\Dc30.log
c:\recycler\S-1-5-21-343818398-1563985344-1343024091-500\Dc31.log
c:\recycler\S-1-5-21-343818398-1563985344-1343024091-500\Dc32.log
c:\recycler\S-1-5-21-343818398-1563985344-1343024091-500\Dc33.log
c:\recycler\S-1-5-21-343818398-1563985344-1343024091-500\Dc34.log
c:\recycler\S-1-5-21-343818398-1563985344-1343024091-500\Dc35.log
c:\recycler\S-1-5-21-343818398-1563985344-1343024091-500\Dc36.log
c:\recycler\S-1-5-21-343818398-1563985344-1343024091-500\Dc37.log
c:\recycler\S-1-5-21-343818398-1563985344-1343024091-500\Dc38.log
c:\recycler\S-1-5-21-343818398-1563985344-1343024091-500\Dc39.LOG
c:\recycler\S-1-5-21-343818398-1563985344-1343024091-500\Dc40.LOG
c:\recycler\S-1-5-21-343818398-1563985344-1343024091-500\Dc41.log
c:\recycler\S-1-5-21-343818398-1563985344-1343024091-500\Dc42.log
c:\recycler\S-1-5-21-343818398-1563985344-1343024091-500\Dc43.LOG
c:\recycler\S-1-5-21-343818398-1563985344-1343024091-500\Dc44.LOG
c:\recycler\S-1-5-21-343818398-1563985344-1343024091-500\Dc45.log
c:\recycler\S-1-5-21-343818398-1563985344-1343024091-500\Dc46.log
c:\recycler\S-1-5-21-343818398-1563985344-1343024091-500\Dc47.LOG
c:\recycler\S-1-5-21-343818398-1563985344-1343024091-500\Dc48.log
c:\recycler\S-1-5-21-343818398-1563985344-1343024091-500\Dc49.LOG
c:\recycler\S-1-5-21-343818398-1563985344-1343024091-500\Dc50.log
c:\recycler\S-1-5-21-343818398-1563985344-1343024091-500\Dc51\GeoDa 0.9.5-i (Beta).msi
c:\recycler\S-1-5-21-343818398-1563985344-1343024091-500\Dc52\0x0409.ini
c:\recycler\S-1-5-21-343818398-1563985344-1343024091-500\Dc52\CuteFTP 6 Professional.msi
c:\recycler\S-1-5-21-343818398-1563985344-1343024091-500\Dc53\Microsoft AntiSpyware.msi
c:\recycler\S-1-5-21-343818398-1563985344-1343024091-500\Dc55\medctrro.ungaelicum.exe
c:\recycler\S-1-5-21-343818398-1563985344-1343024091-500\Dc6.tmp
c:\recycler\S-1-5-21-343818398-1563985344-1343024091-500\Dc7.tmp
c:\recycler\S-1-5-21-343818398-1563985344-1343024091-500\Dc8.tmp
c:\recycler\S-1-5-21-343818398-1563985344-1343024091-500\Dc9.tmp
c:\recycler\S-1-5-21-343818398-1563985344-1343024091-500\INFO2
c:\windows2\IE4 Error Log.txt
c:\windows2\system32\AutoRun.inf
c:\windows2\system32\Cache
c:\windows2\TEMP\logishrd\LVPrcInj03.dll

----- BITS: Possible infected sites -----

hxxp://83.149.105.228
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_WINLOGIN


((((((((((((((((((((((((( Files Created from 2009-04-16 to 2009-05-16 )))))))))))))))))))))))))))))))
.

2009-05-10 01:30 . 2004-01-13 14:07 991232 ----a-w c:\windows2\system32\W22MLRES.dll
2009-04-29 18:13 . 2009-04-29 19:26 -------- d-----w C:\SReng2
2009-04-29 00:41 . 2009-04-29 00:41 -------- d-----w c:\documents and settings\JASH\Datos de programa\Malwarebytes
2009-04-29 00:41 . 2009-04-06 14:32 15504 ----a-w c:\windows2\system32\drivers\mbam.sys
2009-04-29 00:41 . 2009-04-06 14:32 38496 ----a-w c:\windows2\system32\drivers\mbamswissarmy.sys
2009-04-29 00:41 . 2009-04-29 00:41 -------- d-----w c:\documents and settings\All Users.WINDOWS2\Datos de programa\Malwarebytes
2009-04-27 19:48 . 2009-04-27 19:50 -------- d-----w C:\834ff1c239e348b4534f5cbc_JASH
2009-04-27 18:04 . 2009-04-27 23:04 -------- d-----w c:\documents and settings\Administrador.D8YBGC1J\Datos de programa\skypePM
2009-04-27 18:03 . 2009-04-28 01:09 -------- d-----w c:\documents and settings\Administrador.D8YBGC1J\Datos de programa\Skype
2009-04-27 09:51 . 2009-04-27 09:51 23 --sha-w c:\windows2\system32\dcadfebec7_x.dat
2009-04-27 09:50 . 2009-04-27 09:51 -------- d-----w c:\archivos de programa\jv16 PowerTools 2009
2009-04-27 05:49 . 2001-08-17 21:07 101888 -c--a-w c:\windows2\system32\dllcache\adpu160m.sys
2009-04-27 05:49 . 2001-08-17 19:11 46112 -c--a-w c:\windows2\system32\dllcache\adptsf50.sys
2009-04-27 05:49 . 2002-08-28 22:00 10880 -c--a-w c:\windows2\system32\dllcache\admjoy.sys
2009-04-27 05:49 . 2001-08-17 19:19 747392 -c--a-w c:\windows2\system32\dllcache\adm8830.sys
2009-04-27 05:49 . 2001-08-17 19:19 553984 -c--a-w c:\windows2\system32\dllcache\adm8820.sys
2009-04-27 05:49 . 2001-08-17 19:19 584448 -c--a-w c:\windows2\system32\dllcache\adm8810.sys
2009-04-27 05:49 . 2001-08-17 19:11 20160 -c--a-w c:\windows2\system32\dllcache\adm8511.sys
2009-04-27 05:49 . 2001-08-17 20:53 7424 -c--a-w c:\windows2\system32\dllcache\adicvls.sys
2009-04-27 05:49 . 2001-08-22 21:15 61952 -c--a-w c:\windows2\system32\dllcache\acerscad.dll
2009-04-27 05:46 . 2001-08-22 21:14 66048 -c--a-w c:\windows2\system32\dllcache\s3legacy.dll
2009-04-25 04:07 . 2009-04-25 04:07 -------- d-----w c:\archivos de programa\Microsoft SQL Server Compact Edition
2009-04-25 04:06 . 2009-04-25 04:09 -------- d-----w c:\archivos de programa\ArcPad 7.1
2009-04-22 04:39 . 2009-04-22 04:39 166912 ----a-w c:\windows2\pdf2txt.exe
2009-04-22 04:37 . 2009-04-22 04:39 -------- d-----w c:\archivos de programa\Language Reader
2009-04-22 03:54 . 2009-04-22 03:54 -------- d-----w c:\windows2\lhsp
2009-04-22 03:53 . 2009-04-22 03:54 -------- d-----w c:\windows2\speech
2009-04-19 14:17 . 2009-04-19 14:57 -------- d-----w c:\temp\tt7
2009-04-17 05:41 . 2009-02-06 10:10 227840 -c----w c:\windows2\system32\dllcache\wmiprvse.exe
2009-04-17 05:41 . 2009-03-06 14:20 286720 -c----w c:\windows2\system32\dllcache\pdh.dll
2009-04-17 05:41 . 2009-02-09 11:23 111104 -c----w c:\windows2\system32\dllcache\services.exe
2009-04-17 05:41 . 2009-02-09 10:52 401408 -c----w c:\windows2\system32\dllcache\rpcss.dll
2009-04-17 05:41 . 2009-02-09 10:52 473600 -c----w c:\windows2\system32\dllcache\fastprox.dll
2009-04-17 05:41 . 2009-02-09 10:52 685056 -c----w c:\windows2\system32\dllcache\advapi32.dll
2009-04-17 05:41 . 2009-02-09 10:52 453120 -c----w c:\windows2\system32\dllcache\wmiprvsd.dll
2009-04-17 05:32 . 2008-04-21 21:15 219136 -c----w c:\windows2\system32\dllcache\wordpad.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-16 19:12 . 2005-08-10 15:43 114114 ----a-w c:\windows2\system32\nvModes.dat
2009-05-12 23:51 . 2008-03-13 19:14 1324 ----a-w c:\windows2\system32\d3d9caps.dat
2009-05-12 02:55 . 2008-10-25 17:48 102400 ----a-w c:\windows2\DreamAquarium.scr
2009-05-10 06:07 . 2004-11-18 19:51 -------- d-----w c:\archivos de programa\Intel
2009-05-10 05:51 . 2003-07-23 16:34 18944 ----a-w c:\windows2\system32\taskman.exe
2009-04-29 04:34 . 2009-04-07 06:48 -------- d-----w c:\archivos de programa\DNA
2009-04-27 20:02 . 2009-04-27 19:46 5232 ----a-w c:\windows2\system32\PerfStringBackup.TMP
2009-04-25 04:49 . 2004-12-10 14:52 -------- d-----w c:\archivos de programa\Microsoft ActiveSync
2009-04-25 04:06 . 2006-04-02 16:55 -------- d-----w c:\archivos de programa\ArcPad 7.0
2009-04-24 16:47 . 2008-07-22 21:03 11952 ----a-w c:\windows2\system32\avgrsstx.dll
2009-04-24 16:47 . 2008-07-22 21:03 325896 ----a-w c:\windows2\system32\drivers\avgldx86.sys
2009-04-24 16:46 . 2008-07-22 21:03 12552 ----a-w c:\windows2\system32\drivers\avgrkx86.sys
2009-04-24 16:44 . 2008-07-22 21:03 108552 ----a-w c:\windows2\system32\drivers\avgtdix.sys
2009-04-22 04:30 . 2008-03-25 21:58 -------- d-----w c:\archivos de programa\Windows Sidebar
2009-04-15 00:36 . 2009-04-15 00:36 -------- d-----w c:\archivos de programa\RocketDock
2009-04-12 23:28 . 2009-04-12 23:28 -------- d-----w c:\archivos de programa\NutsAboutNets
2009-04-12 01:00 . 2009-03-06 05:54 -------- d-----w c:\archivos de programa\PDF Editor Objects 2
2009-04-10 05:55 . 2009-04-10 05:54 -------- d-----w c:\archivos de programa\JRE
2009-04-10 05:54 . 2009-03-23 00:43 -------- d-----w c:\archivos de programa\OpenOffice.org 3
2009-04-07 20:25 . 2009-04-12 01:02 87696 ----a-w c:\windows2\system32\drivers\VBoxNetFlt.sys
2009-04-07 20:25 . 2009-04-11 08:51 79888 ----a-w c:\windows2\system32\drivers\VBoxNetAdp.sys
2009-04-07 20:25 . 2009-04-11 08:48 31952 ----a-w c:\windows2\system32\drivers\VBoxUSB.sys
2009-04-07 20:25 . 2008-03-01 22:03 41424 ----a-w c:\windows2\system32\drivers\VBoxUSBMon.sys
2009-04-07 20:25 . 2008-03-01 22:03 100944 ----a-w c:\windows2\system32\drivers\VBoxDrv.sys
2009-04-07 20:25 . 2009-04-12 01:02 133648 ----a-w c:\windows2\system32\VBoxNetFltNotify.dll
2009-04-07 06:47 . 2009-04-07 06:47 -------- d-----w c:\archivos de programa\AskSearch
2009-04-06 22:58 . 2004-11-18 19:48 -------- d-----w c:\archivos de programa\Java
2009-03-29 18:57 . 2009-03-29 18:57 -------- d-----w c:\archivos de programa\Archivos comunes\Skype
2009-03-23 00:41 . 2008-05-07 20:19 -------- d-----w c:\archivos de programa\OpenOffice.org 2.4
2009-03-09 04:19 . 2008-12-15 08:04 410984 ----a-w c:\windows2\system32\deploytk.dll
2009-03-06 14:20 . 2003-07-23 16:26 286720 ----a-w c:\windows2\system32\pdh.dll
2009-03-06 05:54 . 2009-03-06 05:54 75264 ----a-w c:\windows2\cadkasdeinst01e.exe
2009-02-20 08:10 . 2005-06-17 23:25 668672 ----a-w c:\windows2\system32\wininet.dll
2009-02-20 08:10 . 2004-08-19 22:42 81920 ------w c:\windows2\system32\ieencode.dll
2009-02-16 16:06 . 2009-02-16 16:06 195728 ----a-w c:\windows2\system32\drivers\VBoxSF.sys
2009-02-16 16:06 . 2008-01-02 03:41 39696 ----a-w c:\windows2\system32\drivers\VBoxMouse.sys
2009-02-16 16:05 . 2009-02-16 16:05 1063440 ----a-w c:\windows2\system32\VBoxService.exe
2009-02-16 16:05 . 2009-02-16 16:05 674320 ----a-w c:\windows2\system32\VBoxMRXNP.dll
2009-02-16 16:04 . 2009-02-16 16:04 65552 ----a-w c:\windows2\system32\VBoxHook.dll
2009-02-16 16:04 . 2009-02-16 16:04 317968 ----a-w c:\windows2\system32\VBoxOGL.dll
2009-02-16 16:04 . 2009-02-16 16:04 100880 ----a-w c:\windows2\system32\VBoxOGLpassthroughspu.dll
2009-02-16 16:04 . 2009-02-16 16:04 2046480 ----a-w c:\windows2\system32\VBoxOGLpackspu.dll
2009-02-16 16:03 . 2009-02-16 16:03 494096 ----a-w c:\windows2\system32\VBoxOGLarrayspu.dll
2009-02-16 16:03 . 2009-02-16 16:03 133648 ----a-w c:\windows2\system32\VBoxOGLerrorspu.dll
2009-02-16 16:03 . 2009-02-16 16:03 207376 ----a-w c:\windows2\system32\VBoxOGLcrutil.dll
2007-07-24 20:39 . 2007-07-24 20:39 8 --sha-r c:\windows2\neoqaz2.dll
2002-07-31 18:55 . 2006-11-28 09:14 104 --sh--w c:\windows2\WSYS049.SYS
2008-04-14 02:19 . 2008-03-25 21:53 60416 --sha-w c:\windows2\ISSO\Respaldo\msimn.exe
.

------- Sigcheck -------

[-] 2005-03-02 18:10 578048 DDA46F3DBCF32727E93976B09FBB0E83 c:\windows2\$hf_mig$\KB890859\SP2GDR\user32.dll
[-] 2005-03-02 18:20 578048 37CE819E8ECB3517B9981A886876EF72 c:\windows2\$hf_mig$\KB890859\SP2QFE\user32.dll
[-] 2007-03-08 15:50 579072 237FB93C6B4330D8EE7D2448CF71C5ED c:\windows2\$hf_mig$\KB925902\SP2QFE\user32.dll
[-] 2007-03-08 15:36 497152 A5A451EDBEA7D8FC093FB96A499D39CF c:\windows2\$NtServicePackUninstall$\user32.dll
[7] 2008-04-14 02:18 579584 DA8898129E0075C7DE4DEE457514A73C c:\windows2\ISSO\Respaldo\user32.dll
[-] 2008-04-14 02:18 498176 A7ED5C30084060A92F0F60D462DF784F c:\windows2\ServicePackFiles\i386\user32.dll
[7] 2003-07-23 16:36 561152 1B1A3353911321ADC0D42E8F236B0B31 c:\windows2\SoftwareDistribution\Download\S-1-5-18\f47326a4fddf205482e86afde6226e27\backup\user32.dll
[-] 2008-04-14 02:18 498176 A7ED5C30084060A92F0F60D462DF784F c:\windows2\system32\user32.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2008-09-07 07:20 143360 ----a-w c:\software\internet\Dropbox\DropboxExt.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2008-09-07 07:20 143360 ----a-w c:\software\internet\Dropbox\DropboxExt.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2008-09-07 07:20 143360 ----a-w c:\software\internet\Dropbox\DropboxExt.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows2\system32\ctfmon.exe" [2008-04-14 15360]
"ISUSPM"="c:\archivos de programa\Archivos comunes\InstallShield\UpdateService\ISUSPM.exe" [2007-08-30 205480]
"msnmsgr"="c:\archivos de programa\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]
"RocketDock"="c:\archivos de programa\RocketDock\RocketDock.exe" [2007-09-02 495616]
"H/PC Connection Agent"="c:\archivos de programa\Microsoft ActiveSync\Wcescomm.exe" [2006-11-13 1289000]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\archivos de programa\Apoint\Apoint.exe" [2005-10-07 176128]
"EPSON Stylus Photo R320 Series"="c:\windows2\System32\spool\DRIVERS\W32X86\3\E_FATI9XE.EXE" [2004-12-16 98304]
"\\Ps-58c34f\epson_R320"="c:\windows2\System32\spool\DRIVERS\W32X86\3\E_FATI9XE.EXE" [2004-12-16 98304]
"NvCplDaemon"="c:\windows2\system32\NvCpl.dll" [2005-07-06 7118848]
"Acrobat Assistant 8.0"="c:\archivos de programa\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2008-10-14 623992]
"\\192.168.2.3\epson_R320"="c:\windows2\System32\spool\DRIVERS\W32X86\3\E_FATI9XE.EXE" [2004-12-16 98304]
"AVG8_TRAY"="c:\archiv~1\Grisoft\AVG8\avgtray.exe" [2009-04-24 1947928]
"Dell QuickSet"="c:\archivos de programa\Dell\QuickSet\Quickset.exe" [2006-06-29 1032192]
"HP Software Update"="c:\software\dispositivos\HP Scanner\HP Software Update\HPWuSchd2.exe" [2007-03-11 49152]
"LWBMOUSE"="c:\software\drivers\Belkin\Wireless Mouse Driver\MOUSE32A.EXE" [2001-11-09 356352]
"SigmaTel StacMon"="c:\archivos de programa\SigmaTel\Controladores de sonido SigmaTel AC97\stacmon.exe" [2004-04-29 90169]
"SunJavaUpdateSched"="c:\archivos de programa\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"nwiz"="nwiz.exe" - c:\windows2\system32\nwiz.exe [2005-07-06 1519616]
"NvMediaCenter"="NvMCTray.dll" - c:\windows2\system32\nvmctray.dll [2005-07-06 86016]
"BluetoothAuthenticationAgent"="bthprops.cpl" - c:\windows2\system32\bthprops.cpl [2008-04-14 110592]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows2\System32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\JASH\Menú Inicio\Programas\Inicio\AutorunsDisabled
VistaStart.lnk - c:\windows2\Resources\Themes\YAFVC3\VistaStart\VistaStart1.3.exe [2006-3-21 510464]

c:\documents and settings\All Users.WINDOWS2\Menú Inicio\Programas\Inicio\
BTTray.lnk - c:\archivos de programa\Dell\Software Bluetooth\BTTray.exe [2006-7-22 561213]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoChangeAnimation"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-04-24 16:47 11952 ----a-w c:\windows2\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WLANKEEPER"=2 (0x2)
"EvtEng"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableUnicastResponsesToMulticastBroadcast"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS2\\system32\\sessmgr.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Archivos de programa\\Grisoft\\AVG8\\avgemc.exe"=
"c:\\Archivos de programa\\Grisoft\\AVG8\\avgupd.exe"=
"c:\\Archivos de programa\\Grisoft\\AVG8\\avgnsx.exe"=
"c:\\Archivos de programa\\Adobe\\Acrobat 8.0\\Acrobat\\Acrobat.exe"=
"c:\archivos de programa\Microsoft ActiveSync\WCESMgr.exe"= c:\archivos de programa\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Disabled:ActiveSync Application
"c:\archivos de programa\Microsoft ActiveSync\wcescomm.exe"= c:\archivos de programa\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Disabled:ActiveSync Connection Manager
"c:\archivos de programa\Microsoft ActiveSync\rapimgr.exe"= c:\archivos de programa\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Disabled:ActiveSync RAPI Manager
"c:\\Archivos de programa\\DNA\\btdna.exe"=
"c:\\software\\internet\\Mozilla Firefox\\firefox.exe"=
"c:\\software\\internet\\Netscape\\ThunderBird\\thunderbird.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Disabled:ActiveSync Service

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowOutboundDestinationUnreachable"= 0 (0x0)
"AllowOutboundSourceQuench"= 0 (0x0)
"AllowOutboundParameterProblem"= 0 (0x0)
"AllowOutboundTimeExceeded"= 0 (0x0)

R0 AvgRkx86;avgrkx86.sys;c:\windows2\system32\drivers\avgrkx86.sys [22/07/2008 22:03 12552]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows2\system32\drivers\avgldx86.sys [22/07/2008 22:03 325896]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows2\system32\drivers\avgtdix.sys [22/07/2008 22:03 108552]
R1 VBoxDrv;VirtualBox Service;c:\windows2\system32\drivers\VBoxDrv.sys [01/03/2008 23:03 100944]
R1 VBoxUSBMon;VirtualBox USB Monitor Driver;c:\windows2\system32\drivers\VBoxUSBMon.sys [01/03/2008 23:03 41424]
R2 ArcGIS License Manager;ArcGIS License Manager;c:\archivos de programa\ESRI\License\arcgis9x\lmgrd.exe [15/08/2005 23:51 467968]
R2 avg8emc;AVG8 E-mail Scanner;c:\archiv~1\Grisoft\AVG8\avgemc.exe [22/07/2008 22:03 908568]
R2 avg8wd;AVG8 WatchDog;c:\archiv~1\Grisoft\AVG8\avgwdsvc.exe [22/07/2008 22:03 298776]
R2 P1C1394;Phase One 1394 Camera Driver;c:\windows2\system32\drivers\p1c1394.sys [15/05/2008 13:20 23168]
R3 GTICARD;GTICARD;c:\windows2\system32\drivers\gticard.sys [06/02/2003 19:23 59328]
R3 VBoxMouse;VirtualBox Guest Mouse Service;c:\windows2\system32\drivers\VBoxMouse.sys [02/01/2008 4:41 39696]
R3 VBoxNetAdp;VirtualBox Host-Only Ethernet Adapter;c:\windows2\system32\drivers\VBoxNetAdp.sys [11/04/2009 9:51 79888]
R3 VBoxNetFlt;VBoxNetFlt Service;c:\windows2\system32\drivers\VBoxNetFlt.sys [12/04/2009 2:02 87696]
S1 VBoxSF;VirtualBox Shared Folders;c:\windows2\system32\drivers\VBoxSF.sys [16/02/2009 17:06 195728]
S2 FLUSBDRV;3Com ADSL-150 USB Driver;c:\windows2\system32\drivers\3CF002LD.sys [10/08/2005 17:04 21414]
S2 gupdate1c9a2bcebc1a270;Google Update Service (gupdate1c9a2bcebc1a270);c:\archivos de programa\Google\Update\GoogleUpdate.exe [12/03/2009 3:47 133104]
S2 IWPORT;IWPORT;\??\c:\windows2\SYSTEM32\DRIVERS\IWPORT.SYS --> c:\windows2\SYSTEM32\DRIVERS\IWPORT.SYS [?]
S2 VBoxService;VirtualBox Guest Additions Service;system32\VBoxService.exe --> system32\VBoxService.exe [?]
S3 dcdbas;System Management Driver;c:\windows2\system32\DRIVERS\dcdbas32.sys --> c:\windows2\system32\DRIVERS\dcdbas32.sys [?]
S3 NANMp50;NANMp50 NDIS Protocol Driver;c:\windows2\system32\Drivers\NANMp50.sys --> c:\windows2\system32\Drivers\NANMp50.sys [?]
S3 NANSp50;NANSp50 NDIS Protocol Driver;c:\windows2\system32\Drivers\NANSp50.sys --> c:\windows2\system32\Drivers\NANSp50.sys [?]
S3 usb2vcom;Nokia CA-42 USB;c:\windows2\system32\drivers\usb2vcom.sys [18/12/2006 17:10 30272]
S3 USBLC6X0100;%USBLC6X0100.DispName%;c:\windows2\system32\drivers\3cusblr.sys [10/08/2005 17:07 309700]
S3 VBoxTAP;VirtualBox TAP Adapter;c:\windows2\system32\drivers\VBoxTAP.sys [01/03/2008 23:08 47552]
S3 VBoxUSB;VirtualBox USB;c:\windows2\system32\drivers\VBoxUSB.sys [11/04/2009 9:48 31952]
S4 ERMLicSrv_ATL70;ERMLicSrv_ATL70;c:\windows2\system32\ERM\7.0\ERMLicSrv_ATL70.exe [09/01/2008 0:38 94208]
S4 FME_License_service;FME_License_service;c:\archivos de programa\ESRI\License\arcgis9x\lmgrd.exe [15/08/2005 23:51 467968]
S4 SASDIFSV;SASDIFSV;\??\c:\software\antivirus\SUPERAntiSpyware\SASDIFSV.SYS --> c:\software\antivirus\SUPERAntiSpyware\SASDIFSV.SYS [?]
S4 SASENUM;SASENUM;\??\c:\software\antivirus\SUPERAntiSpyware\SASENUM.SYS --> c:\software\antivirus\SUPERAntiSpyware\SASENUM.SYS [?]
S4 SASKUTIL;SASKUTIL;\??\c:\software\antivirus\SUPERAntiSpyware\SASKUTIL.sys --> c:\software\antivirus\SUPERAntiSpyware\SASKUTIL.sys [?]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
HPService REG_MULTI_SZ HPSLPSVC
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\AutorunsDisabled\{6B9228DA-9C15-419e-856C-19E768A13BDC}]
"c:\windows2\system32\regsvr32.exe" /s sbdrop.dll
.
Contents of the 'Scheduled Tasks' folder

2009-05-16 c:\windows2\Tasks\GoogleUpdateTaskMachine.job
- c:\archivos de programa\Google\Update\GoogleUpdate.exe [2009-03-12 02:47]

2007-03-27 c:\windows2\Tasks\shutdown.job
- c:\windows2\system32\shutdown.exe [2003-07-23 02:19]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyServer = 195.76.153.201:3128
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Anexar a PDF existente - c:\archivos de programa\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convertir a Adobe PDF - c:\archivos de programa\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convertir destino de vínculo a PDF existente - c:\archivos de programa\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convertir destino de vínculo en archivo Adobe PDF - c:\archivos de programa\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convertir selección a Adobe PDF - c:\archivos de programa\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convertir selección a archivo PDF existente - c:\archivos de programa\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convertir vínculos seleccionados a Adobe PDF - c:\archivos de programa\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convertir vínculos seleccionados a PDF existente - c:\archivos de programa\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: E&xport to Microsoft Excel - c:\archiv~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
IE: Enviar a &Bluetooth - c:\archivos de programa\Dell\Software Bluetooth\btsendto_ie_ctx.htm
TCP: interfaces = 152.158.2.48,165.87.201.244
DPF: Microsoft XML Parser for Java - file://c:\windows2\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\JASH\Datos de programa\Mozilla\Firefox\Profiles\k4uv1kov.default\
FF - prefs.js: browser.search.selectedEngine - Ask
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: keyword.URL - hxxp://toolbar.ask.com/toolbarv/askRedirect?o=101757&gct=&gc=1&q=
FF - prefs.js: network.proxy.ftp - 195.76.153.201
FF - prefs.js: network.proxy.ftp_port - 3128
FF - prefs.js: network.proxy.gopher - 195.76.153.201
FF - prefs.js: network.proxy.gopher_port - 3128
FF - prefs.js: network.proxy.http - 195.76.153.201
FF - prefs.js: network.proxy.http_port - 3128
FF - prefs.js: network.proxy.socks - 195.76.153.201
FF - prefs.js: network.proxy.socks_port - 3128
FF - prefs.js: network.proxy.ssl - 195.76.153.201
FF - prefs.js: network.proxy.ssl_port - 3128
FF - prefs.js: network.proxy.type - 4
FF - component: c:\archivos de programa\Grisoft\AVG8\Firefox\components\avgssff.dll
FF - component: c:\documents and settings\JASH\Datos de programa\Mozilla\Firefox\Profiles\k4uv1kov.default\extensions\{0b457cAA-602d-484a-8fe7-c1d894a011ba}\platform\WINNT_x86-msvc\components\SSSLauncher.dll
FF - component: c:\documents and settings\JASH\Datos de programa\Mozilla\Firefox\Profiles\k4uv1kov.default\extensions\{81BF1D23-5F17-408D-AC6B-BD6DF7CAF670}\components\XpcomOpusConnector.dll
FF - plugin: c:\archivos de programa\Google\Update\1.2.145.5\npGoogleOneClick8.dll
FF - plugin: c:\archivos de programa\Skyhook Wireless\Loki Browser Plugin\nploki.dll
FF - plugin: c:\software\graficos\QuickTime\Plugins\npqtplugin.dll
FF - plugin: c:\software\graficos\QuickTime\Plugins\npqtplugin2.dll
FF - plugin: c:\software\graficos\QuickTime\Plugins\npqtplugin3.dll
FF - plugin: c:\software\graficos\QuickTime\Plugins\npqtplugin4.dll
FF - plugin: c:\software\graficos\QuickTime\Plugins\npqtplugin5.dll
FF - plugin: c:\software\graficos\QuickTime\Plugins\npqtplugin6.dll
FF - plugin: c:\software\graficos\QuickTime\Plugins\npqtplugin7.dll
FF - plugin: c:\software\graficos\realplayer\Netscape6\nppl3260.dll
FF - plugin: c:\software\graficos\realplayer\Netscape6\nprjplug.dll
FF - plugin: c:\software\graficos\realplayer\Netscape6\nprpjplug.dll
FF - plugin: c:\software\graficos\VideoLAN\VLC\npvlc.dll
FF - plugin: c:\software\internet\Mozilla Firefox\plugins\npbittorrent.dll
FF - plugin: c:\software\internet\Mozilla Firefox\plugins\npgato.dll
FF - plugin: c:\software\internet\Mozilla Firefox\plugins\nppdf32(2).dll

---- FIREFOX POLICIES ----
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-16 20:49
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\Iomega Activity Disk2]
"ImagePath"="\"\""
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-343818398-1563985344-1343024091-1004\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-343818398-1563985344-1343024091-1004\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{479D21BD-C969-E2AF-0F4D-0D83E225CD0C}*]
"gaoohofafljjof"=hex:61,61,00,7c
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1272)
c:\windows2\system32\SETUPAPI.dll
c:\windows2\system32\cscui.dll

- - - - - - - > 'lsass.exe'(1328)
c:\windows2\system32\SETUPAPI.dll

- - - - - - - > 'explorer.exe'(4844)
c:\windows2\TEMP\logishrd\LVPrcInj01.dll
c:\archivos de programa\RocketDock\RocketDock.dll
c:\software\internet\Dropbox\DropboxExt.dll
c:\windows2\System32\cscui.dll
c:\windows2\system32\LINKINFO.dll
c:\windows2\system32\ntshrui.dll
c:\windows2\system32\SETUPAPI.dll
c:\windows2\system32\NETSHELL.dll
c:\windows2\system32\credui.dll
c:\software\drivers\Belkin\Wireless Mouse Driver\MOUDL32A.DLL
c:\windows2\system32\WPDShServiceObj.dll
c:\windows2\system32\btncopy.dll
c:\software\dispositivos\Roxio\Drag-to-Disc\Shellex.dll
c:\archivos de programa\Archivos comunes\Roxio Shared\9.0\DLLShared\DLAAPI_W.DLL
c:\software\dispositivos\Roxio\Drag-to-Disc\ShellRes.dll
c:\windows2\system32\PortableDeviceTypes.dll
c:\windows2\system32\PortableDeviceApi.dll
c:\windows2\system32\VBoxMRXNP.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows2\system32\scardsvr.exe
c:\windows2\system32\rundll32.exe
c:\archiv~1\MICROS~2\rapimgr.exe
c:\archivos de programa\Apoint\hidfind.exe
c:\archiv~1\Dell\SOFTWA~1\BTSTAC~1.EXE
c:\windows2\system32\netdde.exe
c:\archivos de programa\Apoint\ApntEx.exe
c:\archivos de programa\ESRI\License\arcgis9x\ARCGIS.exe
c:\archivos de programa\Dell\Software Bluetooth\bin\btwdins.exe
c:\windows2\system32\E_S00RP1.EXE
c:\archivos de programa\Java\jre6\bin\jqs.exe
c:\archiv~1\Grisoft\AVG8\avgam.exe
c:\archivos de programa\Archivos comunes\LogiShrd\LVMVFM\LVPrcSrv.exe
c:\archivos de programa\Grisoft\AVG8\avgrsx.exe
c:\archiv~1\Grisoft\AVG8\avgnsx.exe
c:\archivos de programa\Archivos comunes\Microsoft Shared\VS7Debug\mdm.exe
c:\archivos de programa\Dell\QuickSet\NicConfigSvc.exe
c:\windows2\system32\nvsvc32.exe
c:\windows2\system32\SAgent4.exe
c:\archivos de programa\Grisoft\AVG8\avgcsrvx.exe
c:\archivos de programa\Archivos comunes\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
c:\windows2\system32\wscntfy.exe
c:\archivos de programa\Archivos comunes\InstallShield\UpdateService\agent.exe
.
**************************************************************************
.
Completion time: 2009-05-16 20:59 - machine was rebooted
ComboFix-quarantined-files.txt 2009-05-16 19:59

Pre-Run: 15.912.452.096 bytes free
Post-Run: 16.140.984.320 bytes free

425 --- E O F --- 2009-05-02 13:59

===============================================================================================================================================
===============================================================================================================================================
============================================== HIJACK THIS LOG ====================================================================
===============================================================================================================================================
===============================================================================================================================================


And here goes the HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:26:57, on 17/05/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS2\System32\smss.exe
C:\WINDOWS2\system32\winlogon.exe
C:\WINDOWS2\system32\services.exe
C:\WINDOWS2\system32\lsass.exe
C:\WINDOWS2\system32\svchost.exe
C:\WINDOWS2\System32\svchost.exe
C:\WINDOWS2\system32\spoolsv.exe
C:\Archivos de programa\Google\Update\GoogleUpdate.exe
C:\WINDOWS2\system32\ctfmon.exe
C:\Archivos de programa\Apoint\Apoint.exe
C:\WINDOWS2\system32\rundll32.exe
C:\Archivos de programa\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\ARCHIV~1\Grisoft\AVG8\avgtray.exe
C:\Archivos de programa\Dell\QuickSet\Quickset.exe
C:\software\dispositivos\HP Scanner\HP Software Update\HPWuSchd2.exe
C:\software\drivers\Belkin\Wireless Mouse Driver\MOUSE32A.EXE
C:\Archivos de programa\SigmaTel\Controladores de sonido SigmaTel AC97\stacmon.exe
C:\Archivos de programa\Java\jre6\bin\jusched.exe
C:\Archivos de programa\Archivos comunes\InstallShield\UpdateService\ISUSPM.exe
C:\Archivos de programa\Windows Live\Messenger\MsnMsgr.Exe
C:\Archivos de programa\RocketDock\RocketDock.exe
C:\Archivos de programa\Microsoft ActiveSync\Wcescomm.exe
C:\Archivos de programa\Dell\Software Bluetooth\BTTray.exe
C:\ARCHIV~1\MICROS~2\rapimgr.exe
C:\Archivos de programa\Apoint\HidFind.exe
C:\ARCHIV~1\Dell\SOFTWA~1\BTSTAC~1.EXE
C:\WINDOWS2\system32\netdde.exe
C:\Archivos de programa\Apoint\Apntex.exe
C:\Archivos de programa\ESRI\License\arcgis9x\lmgrd.exe
C:\ARCHIV~1\Grisoft\AVG8\avgwdsvc.exe
C:\Archivos de programa\ESRI\License\arcgis9x\ARCGIS.EXE
C:\Archivos de programa\Dell\Software Bluetooth\bin\btwdins.exe
C:\WINDOWS2\system32\E_S00RP1.EXE
C:\WINDOWS2\system32\svchost.exe
C:\WINDOWS2\system32\svchost.exe
C:\Archivos de programa\Java\jre6\bin\jqs.exe
C:\ARCHIV~1\Grisoft\AVG8\avgam.exe
C:\Archivos de programa\Archivos comunes\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\ARCHIV~1\Grisoft\AVG8\avgrsx.exe
C:\ARCHIV~1\Grisoft\AVG8\avgnsx.exe
c:\Archivos de programa\Archivos comunes\Microsoft Shared\VS7Debug\mdm.exe
C:\Archivos de programa\Dell\QuickSet\NICCONFIGSVC.exe
C:\WINDOWS2\system32\nvsvc32.exe
C:\WINDOWS2\system32\SAgent4.exe
C:\WINDOWS2\System32\svchost.exe
C:\ARCHIV~1\Grisoft\AVG8\avgemc.exe
C:\Archivos de programa\Grisoft\AVG8\avgcsrvx.exe
C:\Archivos de programa\Archivos comunes\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\WINDOWS2\system32\wscntfy.exe
C:\WINDOWS2\explorer.exe
C:\WINDOWS2\system32\notepad.exe
C:\software\internet\Mozilla Firefox\firefox.exe
C:\software\util\hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 195.76.153.201:3128
O2 - BHO: (no name) - AutorunsDisabled - (no file)
O2 - BHO: Aplicación auxiliar de vínculos de Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Archivos de programa\Archivos comunes\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Archivos de programa\Grisoft\AVG8\avgssie.dll
O2 - BHO: Windows Live Aplicación auxiliar de inicio de sesión - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Archivos de programa\Archivos comunes\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Archivos de programa\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Archivos de programa\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Archivos de programa\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Archivos de programa\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: StylerToolBar - {D2F8F919-690B-4EA2-9FA7-A203D1E04F75} - C:\Archivos de programa\Styler\TB\StylerTB.dll
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [Apoint] C:\Archivos de programa\Apoint\Apoint.exe
O4 - HKLM\..\Run: [EPSON Stylus Photo R320 Series] C:\WINDOWS2\System32\spool\DRIVERS\W32X86\3\E_FATI9XE.EXE /P30 "EPSON Stylus Photo R320 Series" /O6 "USB001" /M "Stylus Photo R320"
O4 - HKLM\..\Run: [\\Ps-58c34f\epson_R320] C:\WINDOWS2\System32\spool\DRIVERS\W32X86\3\E_FATI9XE.EXE /P22 "\\Ps-58c34f\epson_R320" /O22 "\\PS-58C34F\epson_R320" /M "Stylus Photo R320"
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS2\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Archivos de programa\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [\\192.168.2.3\epson_R320] C:\WINDOWS2\System32\spool\DRIVERS\W32X86\3\E_FATI9XE.EXE /P24 "\\192.168.2.3\epson_R320" /O24 "\\192.168.2.3\epson_R320" /M "Stylus Photo R320"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\ARCHIV~1\Grisoft\AVG8\avgtray.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Archivos de programa\Dell\QuickSet\Quickset.exe
O4 - HKLM\..\Run: [HP Software Update] C:\software\dispositivos\HP Scanner\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [LWBMOUSE] C:\software\drivers\Belkin\Wireless Mouse Driver\MOUSE32A.EXE
O4 - HKLM\..\Run: [SigmaTel StacMon] C:\Archivos de programa\SigmaTel\Controladores de sonido SigmaTel AC97\stacmon.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Archivos de programa\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS2\system32\ctfmon.exe
O4 - HKCU\..\Run: [ISUSPM] "C:\Archivos de programa\Archivos comunes\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKCU\..\Run: [msnmsgr] "C:\Archivos de programa\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [RocketDock] "C:\Archivos de programa\RocketDock\RocketDock.exe"
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Archivos de programa\Microsoft ActiveSync\Wcescomm.exe"
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS2\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS2\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: AutorunsDisabled
O4 - Global Startup: BTTray.lnk = ?
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: Anexar a PDF existente - res://C:\Archivos de programa\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convertir a Adobe PDF - res://C:\Archivos de programa\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convertir destino de vínculo a PDF existente - res://C:\Archivos de programa\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convertir destino de vínculo en archivo Adobe PDF - res://C:\Archivos de programa\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convertir selección a Adobe PDF - res://C:\Archivos de programa\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convertir selección a archivo PDF existente - res://C:\Archivos de programa\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convertir vínculos seleccionados a Adobe PDF - res://C:\Archivos de programa\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convertir vínculos seleccionados a PDF existente - res://C:\Archivos de programa\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\ARCHIV~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Enviar a &Bluetooth - C:\Archivos de programa\Dell\Software Bluetooth\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - AutorunsDisabled - (no file)
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\ARCHIV~1\MICROS~2\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\ARCHIV~1\MICROS~2\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\ARCHIV~1\MICROS~2\INetRepl.dll
O9 - Extra button: Portafolios de HP - {58ECB495-38F0-49cb-A538-10282ABF65E7} - C:\software\dispositivos\HP Scanner\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: Selección inteligente de HP - {700259D7-1666-479a-93B1-3250410481E8} - C:\software\dispositivos\HP Scanner\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARCHIV~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Archivos de programa\Dell\Software Bluetooth\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Archivos de programa\Dell\Software Bluetooth\btsendto_ie.htm
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Archivos de programa\Grisoft\AVG8\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\ARCHIV~1\ARCHIV~1\Skype\Skype4COM.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS2\SYSTEM32\avgrsstx.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Archivos de programa\Archivos comunes\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ArcGIS License Manager - Unknown owner - C:\Archivos de programa\ESRI\License\arcgis9x\lmgrd.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\ARCHIV~1\Grisoft\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\ARCHIV~1\Grisoft\AVG8\avgwdsvc.exe
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Archivos de programa\Dell\Software Bluetooth\bin\btwdins.exe
O23 - Service: EPSON V3 Service2(03) (EPSON_PM_RPCV2_01) - SEIKO EPSON CORPORATION - C:\WINDOWS2\system32\E_S00RP1.EXE
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Archivos de programa\Archivos comunes\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Update Service (gupdate1c9a2bcebc1a270) (gupdate1c9a2bcebc1a270) - Google Inc. - C:\Archivos de programa\Google\Update\GoogleUpdate.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Archivos de programa\Archivos comunes\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Archivos de programa\Java\jre6\bin\jqs.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Archivos de programa\Archivos comunes\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Archivos de programa\Archivos comunes\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Archivos de programa\Archivos comunes\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Archivos de programa\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS2\system32\nvsvc32.exe
O23 - Service: PACSPTISVR - Unknown owner - C:\Archivos de programa\Archivos comunes\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: SonicStage Back-End Service - Sony Corporation - C:\Archivos de programa\Archivos comunes\Sony Shared\AVLib\SsBeSvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Archivos de programa\Archivos comunes\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Archivos de programa\Archivos comunes\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: Epson Printer Status Agent4 (StatusAgent4) - SEIKO EPSON CORPORATION - C:\WINDOWS2\system32\SAgent4.exe
O23 - Service: VirtualBox Guest Additions Service (VBoxService) - Sun Microsystems, Inc. - C:\WINDOWS2\system32\VBoxService.exe

--
End of file - 12689 bytes
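
A small triage helper for HijackThis-style lines, as an added example for this thread (it is not HijackThis code or anything the helpers here used). It parses lines in the shape shown above, tags the ones an analyst would normally check first (registry entries that point at a file that no longer exists, an explicit browser proxy, Run entries without a full path, IE restriction policies, services with no recorded publisher) and leaves the rest alone. The sample lines are constructed from paths that appear in the log above; the tags are prompts to verify an entry, not verdicts that it is malicious, and the name `triage` and the tag strings are this example's own choices.

```python
"""Heuristic triage of HijackThis-style log lines.

Added example for this thread, not HijackThis code or any tool the helpers
used. The tags it emits are prompts for the analyst to verify an entry,
not verdicts that the entry is malicious.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: lines in the same shape as the log posted above
# (paths are taken from the thread; the selection is ours).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 195.76.153.201:3128
O2 - BHO: (no name) - AutorunsDisabled - (no file)
O2 - BHO: Java(TM) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Archivos de programa\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [AVG8_TRAY] C:\ARCHIV~1\Grisoft\AVG8\avgtray.exe
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O9 - Extra button: (no name) - AutorunsDisabled - (no file)
O23 - Service: ArcGIS License Manager - Unknown owner - C:\Archivos de programa\ESRI\License\arcgis9x\lmgrd.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\ARCHIV~1\Grisoft\AVG8\avgwdsvc.exe
"""


@dataclass(frozen=True)
class Finding:
    section: str  # HijackThis section code, e.g. "O2"
    reason: str   # short tag describing why the line deserves a second look
    line: str     # the log line itself


# "R1 - ...", "O23 - ...": section code, separator, body
LINE_RE = re.compile(r"^(?P<sec>[RFO]\d{1,2}) - (?P<body>.*)$")
# Command that starts with a drive letter or a UNC share, optionally quoted
FULL_PATH_RE = re.compile(r'^"?(?:[A-Za-z]:\\|\\\\)')
# O4 body looks like: HKLM\..\Run: [name] command line
O4_CMD_RE = re.compile(r"\] (?P<cmd>.*)$")


def classify(section: str, body: str) -> Optional[str]:
    """Return a reason tag if the line should be looked at, else None."""
    if section in ("O2", "O3", "O9") and "(no file)" in body:
        # Registry points at a component that no longer exists on disk:
        # leftover of a removal, or an entry already disabled by Autoruns.
        return "orphan-no-file"
    if section == "R1" and "ProxyServer" in body:
        # Browser traffic is routed through a proxy; confirm it is the one
        # the user or their network administrator intends.
        return "explicit-proxy"
    if section == "O4":
        m = O4_CMD_RE.search(body)
        cmd = m.group("cmd") if m else body
        if not FULL_PATH_RE.match(cmd):
            # Resolved via the search path at logon, so it is worth
            # confirming which binary actually runs.
            return "run-entry-relative-path"
    if section == "O6":
        # IE restriction policies are set by administrators, but also by
        # malware that wants to lock the user out of browser settings.
        return "ie-restrictions-policy"
    if section == "O23" and "Unknown owner" in body:
        # No publisher recorded for the service binary.
        return "service-unknown-owner"
    return None


def triage(log_text: str) -> List[Finding]:
    """Parse HijackThis-style lines and collect the ones worth reviewing."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if not m:
            continue  # process list, headers, blank lines
        reason = classify(m.group("sec"), m.group("body"))
        if reason is not None:
            findings.append(Finding(m.group("sec"), reason, line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:<4} {f.reason:<25} {f.line}")
```

Run against the sample, six of the nine lines are tagged and the two AVG entries and the Java BHO pass untouched. The tags deliberately include benign cases (the `nwiz` entry is a normal NVIDIA component that simply has no full path) because the point of this kind of script is to shorten the list a person reads, not to replace the reading.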

#11 DocSatan

DocSatan
    Bleepin' Wanna-Be
  • Members
  • 2,156 posts
  • Gender:Male
  • Location:Boston, Ma.

Posted 18 May 2009 - 08:29 AM

Hello JASH,

ComboFix got rid of a lot of stuff. Were you having problems accessing any drives (C:, D:, USB, etc.) before?
How is your computer running now?
Are you able to get in to Task Manager?

1. Install Recovery Console

Download the tools needed to a flash drive or other removable media, and transfer them to the infected computer.

***************************************************

Download ComboFix from one of these locations:

Link 1
Link 2
Link 3

**Note: It is important that it is saved directly to your desktop**

--------------------------------------------------------------------

With malware infections being as they are today, it's strongly recommended to have the Windows Recovery Console pre-installed on your machine before doing any malware removal.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.


Go to Microsoft's website => http://support.microsoft.com/kb/310994

Select the download that's appropriate for your Operating System



Download the file & save it as it's originally named.


---------------------------------------------------------------------

Transfer all files you just downloaded, to the desktop of the infected computer.

--------------------------------------------------------------------


Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools


  • Drag the setup package onto ComboFix.exe and drop it.

  • Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console.




  • At the next prompt, click 'Yes' to run the full ComboFix scan.

  • When the tool is finished, it will produce a report for you.
Please post the C:\ComboFix.txt in your next reply.


2. Please download gmer.zip and save to your desktop.
  • Extract (unzip) the file to its own folder such as C:\Gmer. (Click here for information on how to do this if not sure.)
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security program drivers will not conflict with gmer's driver.
  • Click on this link to see a list of programs that should be disabled.
  • Double-click on gmer.exe to start the program.
  • Allow the gmer.sys driver to load if asked.
  • You may be prompted to scan immediately if GMER detects rootkit activity.
  • If you are prompted to scan your system click "Yes" to begin the scan.
  • If not prompted, click the "Rootkit/Malware" tab.
  • On the right-side, all items to be scanned should be checked by default except for "Show All". Leave that box unchecked.
  • Select all drives that are connected to your system to be scanned.
  • Click the Scan button to begin. (Please be patient as it can take some time to complete)
  • When the scan is finished, click Save to save the scan results to your Desktop.
  • Save the file as gmer.log and copy/paste the contents in your next reply.
  • Exit GMER and re-enable all active protection when done.
3. What I need in your next reply
  • New ComboFix.txt (after installing RC)
  • gmer.log
  • Answers to my questions at the top of this post
Doc.

#12 JASH
  • Topic Starter

Posted 18 May 2009 - 08:42 PM

Hi Doc,

I sometimes have had problems with USB drives, as I sometimes receive a message saying that an external drive had exceeded the power capacity of the USB port (or socket, I do not remember), but I thought it had something to do with power delivery through USB ports. That is all, I think.

One question, Doc: How do you tell that ComboFix fixed a lot of stuff? I know that you are a trained helper and that you are not here to teach me all your knowledge, but I was curious because I tried to verify what ComboFix fixed and I was unable to do so. I would be grateful if you could give me some clues or explanations.

My computer seems to be running fast, but I have not had enough time to let the problems appear. I will let you know if I notice any sluggish behaviour tonight, as I will be working for some hours.

Thanks, Task Manager is working. Fast and promptly. Again, what was the problem with it and what did ComboFix do to unblock it?


The only thing that remains unsolved is the strange message at startup, before the NVIDIA driver is loaded, stating that it was impossible to execute \systemroot\windows\system32\autochck.exe. This message appears so briefly that I am not sure that I will be able to take a picture, but if you need it, I will try. (Note that it says "\systemroot\", and not "%systemroot%", as I said in my prior messages.)

Another question is: Why is it so important to download to the desktop? I usually leave my desktop empty of things and have FF set so it always downloads to a custom folder, where I always know things are stored. I have not downloaded nor run the programs from where you and your co-helpers said (the desktop). I hope I am not interfering with your work.

I will do what you recommend and post the logs as soon as I have them. I have a pendrive (16 GB) and an external drive (160 GB), so it may take a long time and maybe I will let the scanning run overnight.

Thanks again for your clarity and patience.

#13 JASH
  • Topic Starter

Posted 19 May 2009 - 09:55 PM

Hi, Doc.

This is to post the ComboFix and Gmer logs.
Also, I will tell you that I still have the same message at the very start about autochk.exe. It says that it does not find the file, so Autocheck is not performed.

ComboFix log:

ComboFix 09-05-16.05 - JASH 19/05/2009 3:17.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.34.3082.18.1023.497 [GMT 1:00]
Running from: c:\jash_d\download\ComboFix.exe
Command switches used :: c:\jash_d\download\WindowsXP-KB310994-SP2-Pro-BootDisk-ESN.exe
AV: AVG Anti-Virus *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows2\TEMP\logishrd\LVPrcInj01.dll
E:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2009-04-19 to 2009-05-19 )))))))))))))))))))))))))))))))
.

2009-05-19 01:53 . 2009-05-19 01:53 -------- d-----w C:\gmer
2009-05-10 01:30 . 2004-01-13 14:07 991232 ----a-w c:\windows2\system32\W22MLRES.dll
2009-04-29 18:13 . 2009-04-29 19:26 -------- d-----w C:\SReng2
2009-04-29 00:41 . 2009-04-29 00:41 -------- d-----w c:\documents and settings\JASH\Datos de programa\Malwarebytes
2009-04-29 00:41 . 2009-04-06 14:32 15504 ----a-w c:\windows2\system32\drivers\mbam.sys
2009-04-29 00:41 . 2009-04-06 14:32 38496 ----a-w c:\windows2\system32\drivers\mbamswissarmy.sys
2009-04-29 00:41 . 2009-04-29 00:41 -------- d-----w c:\documents and settings\All Users.WINDOWS2\Datos de programa\Malwarebytes
2009-04-27 19:48 . 2009-04-27 19:50 -------- d-----w C:\834ff1c239e348b4534f5cbc_JASH
2009-04-27 18:04 . 2009-04-27 23:04 -------- d-----w c:\documents and settings\Administrador.D8YBGC1J\Datos de programa\skypePM
2009-04-27 18:03 . 2009-04-28 01:09 -------- d-----w c:\documents and settings\Administrador.D8YBGC1J\Datos de programa\Skype
2009-04-27 09:51 . 2009-04-27 09:51 23 --sha-w c:\windows2\system32\dcadfebec7_x.dat
2009-04-27 09:50 . 2009-04-27 09:51 -------- d-----w c:\archivos de programa\jv16 PowerTools 2009
2009-04-27 05:49 . 2001-08-17 21:07 101888 -c--a-w c:\windows2\system32\dllcache\adpu160m.sys
2009-04-27 05:49 . 2001-08-17 19:11 46112 -c--a-w c:\windows2\system32\dllcache\adptsf50.sys
2009-04-27 05:49 . 2002-08-28 22:00 10880 -c--a-w c:\windows2\system32\dllcache\admjoy.sys
2009-04-27 05:49 . 2001-08-17 19:19 747392 -c--a-w c:\windows2\system32\dllcache\adm8830.sys
2009-04-27 05:49 . 2001-08-17 19:19 553984 -c--a-w c:\windows2\system32\dllcache\adm8820.sys
2009-04-27 05:49 . 2001-08-17 19:19 584448 -c--a-w c:\windows2\system32\dllcache\adm8810.sys
2009-04-27 05:49 . 2001-08-17 19:11 20160 -c--a-w c:\windows2\system32\dllcache\adm8511.sys
2009-04-27 05:49 . 2001-08-17 20:53 7424 -c--a-w c:\windows2\system32\dllcache\adicvls.sys
2009-04-27 05:49 . 2001-08-22 21:15 61952 -c--a-w c:\windows2\system32\dllcache\acerscad.dll
2009-04-27 05:46 . 2001-08-22 21:14 66048 -c--a-w c:\windows2\system32\dllcache\s3legacy.dll
2009-04-25 04:07 . 2009-04-25 04:07 -------- d-----w c:\archivos de programa\Microsoft SQL Server Compact Edition
2009-04-25 04:06 . 2009-04-25 04:09 -------- d-----w c:\archivos de programa\ArcPad 7.1
2009-04-22 04:39 . 2009-04-22 04:39 166912 ----a-w c:\windows2\pdf2txt.exe
2009-04-22 04:37 . 2009-04-22 04:39 -------- d-----w c:\archivos de programa\Language Reader
2009-04-22 03:54 . 2009-04-22 03:54 -------- d-----w c:\windows2\lhsp
2009-04-22 03:53 . 2009-04-22 03:54 -------- d-----w c:\windows2\speech
2009-04-19 14:17 . 2009-04-19 14:57 -------- d-----w c:\temp\tt7

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-17 02:19 . 2005-08-10 15:43 114114 ----a-w c:\windows2\system32\nvModes.dat
2009-05-12 23:51 . 2008-03-13 19:14 1324 ----a-w c:\windows2\system32\d3d9caps.dat
2009-05-12 02:55 . 2008-10-25 17:48 102400 ----a-w c:\windows2\DreamAquarium.scr
2009-05-10 06:07 . 2004-11-18 19:51 -------- d-----w c:\archivos de programa\Intel
2009-05-10 05:51 . 2003-07-23 16:34 18944 ----a-w c:\windows2\system32\taskman.exe
2009-04-29 04:34 . 2009-04-07 06:48 -------- d-----w c:\archivos de programa\DNA
2009-04-27 20:02 . 2009-04-27 19:46 5232 ----a-w c:\windows2\system32\PerfStringBackup.TMP
2009-04-25 04:49 . 2004-12-10 14:52 -------- d-----w c:\archivos de programa\Microsoft ActiveSync
2009-04-25 04:06 . 2006-04-02 16:55 -------- d-----w c:\archivos de programa\ArcPad 7.0
2009-04-24 16:47 . 2008-07-22 21:03 11952 ----a-w c:\windows2\system32\avgrsstx.dll
2009-04-24 16:47 . 2008-07-22 21:03 325896 ----a-w c:\windows2\system32\drivers\avgldx86.sys
2009-04-24 16:46 . 2008-07-22 21:03 12552 ----a-w c:\windows2\system32\drivers\avgrkx86.sys
2009-04-24 16:44 . 2008-07-22 21:03 108552 ----a-w c:\windows2\system32\drivers\avgtdix.sys
2009-04-22 04:30 . 2008-03-25 21:58 -------- d-----w c:\archivos de programa\Windows Sidebar
2009-04-15 00:36 . 2009-04-15 00:36 -------- d-----w c:\archivos de programa\RocketDock
2009-04-12 23:28 . 2009-04-12 23:28 -------- d-----w c:\archivos de programa\NutsAboutNets
2009-04-12 01:00 . 2009-03-06 05:54 -------- d-----w c:\archivos de programa\PDF Editor Objects 2
2009-04-10 05:55 . 2009-04-10 05:54 -------- d-----w c:\archivos de programa\JRE
2009-04-10 05:54 . 2009-03-23 00:43 -------- d-----w c:\archivos de programa\OpenOffice.org 3
2009-04-07 20:25 . 2009-04-12 01:02 87696 ----a-w c:\windows2\system32\drivers\VBoxNetFlt.sys
2009-04-07 20:25 . 2009-04-11 08:51 79888 ----a-w c:\windows2\system32\drivers\VBoxNetAdp.sys
2009-04-07 20:25 . 2009-04-11 08:48 31952 ----a-w c:\windows2\system32\drivers\VBoxUSB.sys
2009-04-07 20:25 . 2008-03-01 22:03 41424 ----a-w c:\windows2\system32\drivers\VBoxUSBMon.sys
2009-04-07 20:25 . 2008-03-01 22:03 100944 ----a-w c:\windows2\system32\drivers\VBoxDrv.sys
2009-04-07 20:25 . 2009-04-12 01:02 133648 ----a-w c:\windows2\system32\VBoxNetFltNotify.dll
2009-04-07 06:47 . 2009-04-07 06:47 -------- d-----w c:\archivos de programa\AskSearch
2009-04-06 22:58 . 2004-11-18 19:48 -------- d-----w c:\archivos de programa\Java
2009-03-29 18:57 . 2009-03-29 18:57 -------- d-----w c:\archivos de programa\Archivos comunes\Skype
2009-03-23 00:41 . 2008-05-07 20:19 -------- d-----w c:\archivos de programa\OpenOffice.org 2.4
2009-03-09 04:19 . 2008-12-15 08:04 410984 ----a-w c:\windows2\system32\deploytk.dll
2009-03-06 14:20 . 2003-07-23 16:26 286720 ----a-w c:\windows2\system32\pdh.dll
2009-03-06 05:54 . 2009-03-06 05:54 75264 ----a-w c:\windows2\cadkasdeinst01e.exe
2009-02-20 08:10 . 2005-06-17 23:25 668672 ----a-w c:\windows2\system32\wininet.dll
2009-02-20 08:10 . 2004-08-19 22:42 81920 ------w c:\windows2\system32\ieencode.dll
2007-07-24 20:39 . 2007-07-24 20:39 8 --sha-r c:\windows2\neoqaz2.dll
2002-07-31 18:55 . 2006-11-28 09:14 104 --sh--w c:\windows2\WSYS049.SYS
2008-04-14 02:19 . 2008-03-25 21:53 60416 --sha-w c:\windows2\ISSO\Respaldo\msimn.exe
.

------- Sigcheck -------

[-] 2005-03-02 18:10 578048 DDA46F3DBCF32727E93976B09FBB0E83 c:\windows2\$hf_mig$\KB890859\SP2GDR\user32.dll
[-] 2005-03-02 18:20 578048 37CE819E8ECB3517B9981A886876EF72 c:\windows2\$hf_mig$\KB890859\SP2QFE\user32.dll
[-] 2007-03-08 15:50 579072 237FB93C6B4330D8EE7D2448CF71C5ED c:\windows2\$hf_mig$\KB925902\SP2QFE\user32.dll
[-] 2007-03-08 15:36 497152 A5A451EDBEA7D8FC093FB96A499D39CF c:\windows2\$NtServicePackUninstall$\user32.dll
[7] 2008-04-14 02:18 579584 DA8898129E0075C7DE4DEE457514A73C c:\windows2\ISSO\Respaldo\user32.dll
[-] 2008-04-14 02:18 498176 A7ED5C30084060A92F0F60D462DF784F c:\windows2\ServicePackFiles\i386\user32.dll
[7] 2003-07-23 16:36 561152 1B1A3353911321ADC0D42E8F236B0B31 c:\windows2\SoftwareDistribution\Download\S-1-5-18\f47326a4fddf205482e86afde6226e27\backup\user32.dll
[-] 2008-04-14 02:18 498176 A7ED5C30084060A92F0F60D462DF784F c:\windows2\system32\user32.dll
.
((((((((((((((((((((((((((((( SnapShot@2009-05-16_19.50.42 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-05-19 02:25 . 2009-05-19 02:25 16384 c:\windows2\Temp\Perflib_Perfdata_e8c.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2008-09-07 07:20 143360 ----a-w c:\software\internet\Dropbox\DropboxExt.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2008-09-07 07:20 143360 ----a-w c:\software\internet\Dropbox\DropboxExt.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2008-09-07 07:20 143360 ----a-w c:\software\internet\Dropbox\DropboxExt.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows2\system32\ctfmon.exe" [2008-04-14 15360]
"ISUSPM"="c:\archivos de programa\Archivos comunes\InstallShield\UpdateService\ISUSPM.exe" [2007-08-30 205480]
"msnmsgr"="c:\archivos de programa\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]
"RocketDock"="c:\archivos de programa\RocketDock\RocketDock.exe" [2007-09-02 495616]
"H/PC Connection Agent"="c:\archivos de programa\Microsoft ActiveSync\Wcescomm.exe" [2006-11-13 1289000]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\archivos de programa\Apoint\Apoint.exe" [2005-10-07 176128]
"EPSON Stylus Photo R320 Series"="c:\windows2\System32\spool\DRIVERS\W32X86\3\E_FATI9XE.EXE" [2004-12-16 98304]
"\\Ps-58c34f\epson_R320"="c:\windows2\System32\spool\DRIVERS\W32X86\3\E_FATI9XE.EXE" [2004-12-16 98304]
"NvCplDaemon"="c:\windows2\system32\NvCpl.dll" [2005-07-06 7118848]
"Acrobat Assistant 8.0"="c:\archivos de programa\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2008-10-14 623992]
"\\192.168.2.3\epson_R320"="c:\windows2\System32\spool\DRIVERS\W32X86\3\E_FATI9XE.EXE" [2004-12-16 98304]
"AVG8_TRAY"="c:\archiv~1\Grisoft\AVG8\avgtray.exe" [2009-04-24 1947928]
"Dell QuickSet"="c:\archivos de programa\Dell\QuickSet\Quickset.exe" [2006-06-29 1032192]
"HP Software Update"="c:\software\dispositivos\HP Scanner\HP Software Update\HPWuSchd2.exe" [2007-03-11 49152]
"LWBMOUSE"="c:\software\drivers\Belkin\Wireless Mouse Driver\MOUSE32A.EXE" [2001-11-09 356352]
"SigmaTel StacMon"="c:\archivos de programa\SigmaTel\Controladores de sonido SigmaTel AC97\stacmon.exe" [2004-04-29 90169]
"SunJavaUpdateSched"="c:\archivos de programa\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"nwiz"="nwiz.exe" - c:\windows2\system32\nwiz.exe [2005-07-06 1519616]
"NvMediaCenter"="NvMCTray.dll" - c:\windows2\system32\nvmctray.dll [2005-07-06 86016]
"BluetoothAuthenticationAgent"="bthprops.cpl" - c:\windows2\system32\bthprops.cpl [2008-04-14 110592]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows2\System32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\JASH\Men£ Inicio\Programas\Inicio\AutorunsDisabled
VistaStart.lnk - c:\windows2\Resources\Themes\YAFVC3\VistaStart\VistaStart1.3.exe [2006-3-21 510464]

c:\documents and settings\All Users.WINDOWS2\Men£ Inicio\Programas\Inicio\
BTTray.lnk - c:\archivos de programa\Dell\Software Bluetooth\BTTray.exe [2006-7-22 561213]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoChangeAnimation"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-04-24 16:47 11952 ----a-w c:\windows2\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WLANKEEPER"=2 (0x2)
"EvtEng"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableUnicastResponsesToMulticastBroadcast"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS2\\system32\\sessmgr.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Archivos de programa\\Grisoft\\AVG8\\avgemc.exe"=
"c:\\Archivos de programa\\Grisoft\\AVG8\\avgupd.exe"=
"c:\\Archivos de programa\\Grisoft\\AVG8\\avgnsx.exe"=
"c:\\Archivos de programa\\Adobe\\Acrobat 8.0\\Acrobat\\Acrobat.exe"=
"c:\archivos de programa\Microsoft ActiveSync\WCESMgr.exe"= c:\archivos de programa\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Disabled:ActiveSync Application
"c:\archivos de programa\Microsoft ActiveSync\wcescomm.exe"= c:\archivos de programa\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Disabled:ActiveSync Connection Manager
"c:\archivos de programa\Microsoft ActiveSync\rapimgr.exe"= c:\archivos de programa\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Disabled:ActiveSync RAPI Manager
"c:\\Archivos de programa\\DNA\\btdna.exe"=
"c:\\software\\internet\\Mozilla Firefox\\firefox.exe"=
"c:\\software\\internet\\Netscape\\ThunderBird\\thunderbird.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Disabled:ActiveSync Service

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowOutboundDestinationUnreachable"= 0 (0x0)
"AllowOutboundSourceQuench"= 0 (0x0)
"AllowOutboundParameterProblem"= 0 (0x0)
"AllowOutboundTimeExceeded"= 0 (0x0)

R0 AvgRkx86;avgrkx86.sys;c:\windows2\system32\drivers\avgrkx86.sys [22/07/2008 22:03 12552]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows2\system32\drivers\avgldx86.sys [22/07/2008 22:03 325896]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows2\system32\drivers\avgtdix.sys [22/07/2008 22:03 108552]
R1 VBoxDrv;VirtualBox Service;c:\windows2\system32\drivers\VBoxDrv.sys [01/03/2008 23:03 100944]
R1 VBoxUSBMon;VirtualBox USB Monitor Driver;c:\windows2\system32\drivers\VBoxUSBMon.sys [01/03/2008 23:03 41424]
R2 ArcGIS License Manager;ArcGIS License Manager;c:\archivos de programa\ESRI\License\arcgis9x\lmgrd.exe [15/08/2005 23:51 467968]
R2 avg8emc;AVG8 E-mail Scanner;c:\archiv~1\Grisoft\AVG8\avgemc.exe [22/07/2008 22:03 908568]
R2 avg8wd;AVG8 WatchDog;c:\archiv~1\Grisoft\AVG8\avgwdsvc.exe [22/07/2008 22:03 298776]
R2 P1C1394;Phase One 1394 Camera Driver;c:\windows2\system32\drivers\p1c1394.sys [15/05/2008 13:20 23168]
R3 GTICARD;GTICARD;c:\windows2\system32\drivers\gticard.sys [06/02/2003 19:23 59328]
R3 VBoxMouse;VirtualBox Guest Mouse Service;c:\windows2\system32\drivers\VBoxMouse.sys [02/01/2008 4:41 39696]
R3 VBoxNetAdp;VirtualBox Host-Only Ethernet Adapter;c:\windows2\system32\drivers\VBoxNetAdp.sys [11/04/2009 9:51 79888]
R3 VBoxNetFlt;VBoxNetFlt Service;c:\windows2\system32\drivers\VBoxNetFlt.sys [12/04/2009 2:02 87696]
S1 VBoxSF;VirtualBox Shared Folders;c:\windows2\system32\drivers\VBoxSF.sys [16/02/2009 17:06 195728]
S2 FLUSBDRV;3Com ADSL-150 USB Driver;c:\windows2\system32\drivers\3CF002LD.sys [10/08/2005 17:04 21414]
S2 gupdate1c9a2bcebc1a270;Google Update Service (gupdate1c9a2bcebc1a270);c:\archivos de programa\Google\Update\GoogleUpdate.exe [12/03/2009 3:47 133104]
S2 IWPORT;IWPORT;\??\c:\windows2\SYSTEM32\DRIVERS\IWPORT.SYS --> c:\windows2\SYSTEM32\DRIVERS\IWPORT.SYS [?]
S2 VBoxService;VirtualBox Guest Additions Service;system32\VBoxService.exe --> system32\VBoxService.exe [?]
S3 dcdbas;System Management Driver;c:\windows2\system32\DRIVERS\dcdbas32.sys --> c:\windows2\system32\DRIVERS\dcdbas32.sys [?]
S3 NANMp50;NANMp50 NDIS Protocol Driver;c:\windows2\system32\Drivers\NANMp50.sys --> c:\windows2\system32\Drivers\NANMp50.sys [?]
S3 NANSp50;NANSp50 NDIS Protocol Driver;c:\windows2\system32\Drivers\NANSp50.sys --> c:\windows2\system32\Drivers\NANSp50.sys [?]
S3 usb2vcom;Nokia CA-42 USB;c:\windows2\system32\drivers\usb2vcom.sys [18/12/2006 17:10 30272]
S3 USBLC6X0100;%USBLC6X0100.DispName%;c:\windows2\system32\drivers\3cusblr.sys [10/08/2005 17:07 309700]
S3 VBoxTAP;VirtualBox TAP Adapter;c:\windows2\system32\drivers\VBoxTAP.sys [01/03/2008 23:08 47552]
S3 VBoxUSB;VirtualBox USB;c:\windows2\system32\drivers\VBoxUSB.sys [11/04/2009 9:48 31952]
S4 ERMLicSrv_ATL70;ERMLicSrv_ATL70;c:\windows2\system32\ERM\7.0\ERMLicSrv_ATL70.exe [09/01/2008 0:38 94208]
S4 FME_License_service;FME_License_service;c:\archivos de programa\ESRI\License\arcgis9x\lmgrd.exe [15/08/2005 23:51 467968]
S4 SASDIFSV;SASDIFSV;\??\c:\software\antivirus\SUPERAntiSpyware\SASDIFSV.SYS --> c:\software\antivirus\SUPERAntiSpyware\SASDIFSV.SYS [?]
S4 SASENUM;SASENUM;\??\c:\software\antivirus\SUPERAntiSpyware\SASENUM.SYS --> c:\software\antivirus\SUPERAntiSpyware\SASENUM.SYS [?]
S4 SASKUTIL;SASKUTIL;\??\c:\software\antivirus\SUPERAntiSpyware\SASKUTIL.sys --> c:\software\antivirus\SUPERAntiSpyware\SASKUTIL.sys [?]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
HPService REG_MULTI_SZ HPSLPSVC
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\AutorunsDisabled\{6B9228DA-9C15-419e-856C-19E768A13BDC}]
"c:\windows2\system32\regsvr32.exe" /s sbdrop.dll
.
Contents of the 'Scheduled Tasks' folder

2009-05-19 c:\windows2\Tasks\GoogleUpdateTaskMachine.job
- c:\archivos de programa\Google\Update\GoogleUpdate.exe [2009-03-12 02:47]

2007-03-27 c:\windows2\Tasks\shutdown.job
- c:\windows2\system32\shutdown.exe [2003-07-23 02:19]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyServer = 195.76.153.201:3128
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Anexar a PDF existente - c:\archivos de programa\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convertir a Adobe PDF - c:\archivos de programa\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convertir destino de vínculo a PDF existente - c:\archivos de programa\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convertir destino de vínculo en archivo Adobe PDF - c:\archivos de programa\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convertir selección a Adobe PDF - c:\archivos de programa\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convertir selección a archivo PDF existente - c:\archivos de programa\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convertir vínculos seleccionados a Adobe PDF - c:\archivos de programa\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convertir vínculos seleccionados a PDF existente - c:\archivos de programa\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: E&xport to Microsoft Excel - c:\archiv~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
IE: Enviar a &Bluetooth - c:\archivos de programa\Dell\Software Bluetooth\btsendto_ie_ctx.htm
TCP: interfaces = 152.158.2.48,165.87.201.244
DPF: Microsoft XML Parser for Java - file://c:\windows2\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\JASH\Datos de programa\Mozilla\Firefox\Profiles\k4uv1kov.default\
FF - prefs.js: browser.search.selectedEngine - Ask
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: keyword.URL - hxxp://toolbar.ask.com/toolbarv/askRedirect?o=101757&gct=&gc=1&q=
FF - prefs.js: network.proxy.ftp - 195.76.153.201
FF - prefs.js: network.proxy.ftp_port - 3128
FF - prefs.js: network.proxy.gopher - 195.76.153.201
FF - prefs.js: network.proxy.gopher_port - 3128
FF - prefs.js: network.proxy.http - 195.76.153.201
FF - prefs.js: network.proxy.http_port - 3128
FF - prefs.js: network.proxy.socks - 195.76.153.201
FF - prefs.js: network.proxy.socks_port - 3128
FF - prefs.js: network.proxy.ssl - 195.76.153.201
FF - prefs.js: network.proxy.ssl_port - 3128
FF - prefs.js: network.proxy.type - 4
FF - component: c:\archivos de programa\Grisoft\AVG8\Firefox\components\avgssff.dll
FF - component: c:\documents and settings\JASH\Datos de programa\Mozilla\Firefox\Profiles\k4uv1kov.default\extensions\{0b457cAA-602d-484a-8fe7-c1d894a011ba}\platform\WINNT_x86-msvc\components\SSSLauncher.dll
FF - component: c:\documents and settings\JASH\Datos de programa\Mozilla\Firefox\Profiles\k4uv1kov.default\extensions\{81BF1D23-5F17-408D-AC6B-BD6DF7CAF670}\components\XpcomOpusConnector.dll
FF - plugin: c:\archivos de programa\Google\Update\1.2.145.5\npGoogleOneClick8.dll
FF - plugin: c:\archivos de programa\Skyhook Wireless\Loki Browser Plugin\nploki.dll
FF - plugin: c:\software\graficos\QuickTime\Plugins\npqtplugin.dll
FF - plugin: c:\software\graficos\QuickTime\Plugins\npqtplugin2.dll
FF - plugin: c:\software\graficos\QuickTime\Plugins\npqtplugin3.dll
FF - plugin: c:\software\graficos\QuickTime\Plugins\npqtplugin4.dll
FF - plugin: c:\software\graficos\QuickTime\Plugins\npqtplugin5.dll
FF - plugin: c:\software\graficos\QuickTime\Plugins\npqtplugin6.dll
FF - plugin: c:\software\graficos\QuickTime\Plugins\npqtplugin7.dll
FF - plugin: c:\software\graficos\realplayer\Netscape6\nppl3260.dll
FF - plugin: c:\software\graficos\realplayer\Netscape6\nprjplug.dll
FF - plugin: c:\software\graficos\realplayer\Netscape6\nprpjplug.dll
FF - plugin: c:\software\graficos\VideoLAN\VLC\npvlc.dll
FF - plugin: c:\software\internet\Mozilla Firefox\plugins\npbittorrent.dll
FF - plugin: c:\software\internet\Mozilla Firefox\plugins\npgato.dll
FF - plugin: c:\software\internet\Mozilla Firefox\plugins\nppdf32(2).dll

---- FIREFOX POLICIES ----
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-19 03:26
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\Iomega Activity Disk2]
"ImagePath"="\"\""
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-343818398-1563985344-1343024091-1004\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-343818398-1563985344-1343024091-1004\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{479D21BD-C969-E2AF-0F4D-0D83E225CD0C}*]
"gaoohofafljjof"=hex:61,61,00,7c
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1272)
c:\windows2\system32\SETUPAPI.dll
c:\windows2\system32\cscui.dll

- - - - - - - > 'lsass.exe'(1328)
c:\windows2\system32\SETUPAPI.dll

- - - - - - - > 'explorer.exe'(7892)
c:\windows2\TEMP\logishrd\LVPrcInj01.dll
c:\archivos de programa\RocketDock\RocketDock.dll
c:\software\internet\Dropbox\DropboxExt.dll
c:\windows2\System32\cscui.dll
c:\windows2\system32\LINKINFO.dll
c:\windows2\system32\ntshrui.dll
c:\windows2\system32\SETUPAPI.dll
c:\windows2\system32\WPDShServiceObj.dll
c:\windows2\system32\btncopy.dll
c:\software\dispositivos\Roxio\Drag-to-Disc\Shellex.dll
c:\archivos de programa\Archivos comunes\Roxio Shared\9.0\DLLShared\DLAAPI_W.DLL
c:\software\dispositivos\Roxio\Drag-to-Disc\ShellRes.dll
c:\windows2\system32\PortableDeviceTypes.dll
c:\windows2\system32\PortableDeviceApi.dll
c:\windows2\system32\NETSHELL.dll
c:\windows2\system32\credui.dll
c:\software\drivers\Belkin\Wireless Mouse Driver\MOUDL32A.DLL
c:\windows2\system32\VBoxMRXNP.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows2\system32\scardsvr.exe
c:\windows2\system32\rundll32.exe
c:\archiv~1\MICROS~2\rapimgr.exe
c:\archiv~1\Dell\SOFTWA~1\BTSTAC~1.EXE
c:\archivos de programa\Apoint\hidfind.exe
c:\archivos de programa\Apoint\ApntEx.exe
c:\windows2\system32\netdde.exe
c:\archivos de programa\ESRI\License\arcgis9x\ARCGIS.exe
c:\archivos de programa\Dell\Software Bluetooth\bin\btwdins.exe
c:\windows2\system32\E_S00RP1.EXE
c:\archiv~1\Grisoft\AVG8\avgam.exe
c:\archivos de programa\Grisoft\AVG8\avgrsx.exe
c:\archiv~1\Grisoft\AVG8\avgnsx.exe
c:\archivos de programa\Java\jre6\bin\jqs.exe
c:\archivos de programa\Archivos comunes\LogiShrd\LVMVFM\LVPrcSrv.exe
c:\archivos de programa\Archivos comunes\Microsoft Shared\VS7Debug\mdm.exe
c:\archivos de programa\Dell\QuickSet\NicConfigSvc.exe
c:\windows2\system32\nvsvc32.exe
c:\windows2\system32\SAgent4.exe
c:\archivos de programa\Grisoft\AVG8\avgcsrvx.exe
c:\archivos de programa\Archivos comunes\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
c:\windows2\system32\wscntfy.exe
c:\archivos de programa\Grisoft\AVG8\avgscanx.exe
c:\archivos de programa\Grisoft\AVG8\avgcsrvx.exe
c:\archivos de programa\Archivos comunes\InstallShield\UpdateService\agent.exe
.
**************************************************************************
.
Completion time: 2009-05-19 3:34 - machine was rebooted
ComboFix-quarantined-files.txt 2009-05-19 02:34
ComboFix2.txt 2009-05-16 19:59

Pre-Run: 16.170.491.904 bytes libres
Post-Run: 16.145.272.832 bytes libres

WindowsXP-KB310994-SP2-Pro-BootDisk-ESN.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS2
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS2="Microsoft Windows XP Professional" /fastdetect /NoExecute=AlwaysOff
[no sirven]
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="(no usar) Microsoft Windows XP Professional" /fastdetect

359 --- E O F --- 2009-05-02 13:59

========================= GMER log ===============================
GMER 1.0.15.14972 - http://www.gmer.net
Rootkit scan 2009-05-20 01:46:34
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.15 ----

INT 0x06 \??\C:\WINDOWS2\system32\drivers\Haspnt.sys (HASP Kernel Device Driver for Windows NT/Aladdin Knowledge Systems) F1C1816D
INT 0x0E \??\C:\WINDOWS2\system32\drivers\Haspnt.sys (HASP Kernel Device Driver for Windows NT/Aladdin Knowledge Systems) F1C17FC2

---- User code sections - GMER 1.0.15 ----

.text C:\Archivos de programa\Windows Live\Messenger\MsnMsgr.Exe[1200] kernel32.dll!SetUnhandledExceptionFilter 7C84495D 5 Bytes JMP 0056DBBD C:\Archivos de programa\Windows Live\Messenger\MsnMsgr.Exe (Windows Live Messenger/Microsoft Corporation)

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\WINDOWS2\Explorer.EXE[732] @ C:\WINDOWS2\Explorer.EXE [KERNEL32.dll!GetProcAddress] [5CF67774] C:\WINDOWS2\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINDOWS2\Explorer.EXE[732] @ C:\WINDOWS2\system32\kernel32.dll [ntdll.dll!NtCreateFile] [02192F20] C:\WINDOWS2\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)
IAT C:\WINDOWS2\Explorer.EXE[732] @ C:\WINDOWS2\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile] [02192C90] C:\WINDOWS2\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)
IAT C:\WINDOWS2\Explorer.EXE[732] @ C:\WINDOWS2\system32\kernel32.dll [ntdll.dll!NtClose] [02192CF0] C:\WINDOWS2\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)
IAT C:\WINDOWS2\Explorer.EXE[732] @ C:\WINDOWS2\system32\kernel32.dll [ntdll.dll!NtDuplicateObject] [02192CC0] C:\WINDOWS2\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)
IAT C:\WINDOWS2\Explorer.EXE[732] @ C:\WINDOWS2\system32\ADVAPI32.dll [KERNEL32.dll!GetProcAddress] [5CF67774] C:\WINDOWS2\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINDOWS2\Explorer.EXE[732] @ C:\WINDOWS2\system32\RPCRT4.dll [KERNEL32.dll!GetProcAddress] [5CF67774] C:\WINDOWS2\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINDOWS2\Explorer.EXE[732] @ C:\WINDOWS2\system32\Secur32.dll [KERNEL32.dll!GetProcAddress] [5CF67774] C:\WINDOWS2\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINDOWS2\Explorer.EXE[732] @ C:\WINDOWS2\system32\GDI32.dll [KERNEL32.dll!GetProcAddress] [5CF67774] C:\WINDOWS2\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINDOWS2\Explorer.EXE[732] @ C:\WINDOWS2\system32\USER32.dll [KERNEL32.dll!GetProcAddress] [5CF67774] C:\WINDOWS2\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINDOWS2\Explorer.EXE[732] @ C:\WINDOWS2\system32\msvcrt.dll [KERNEL32.dll!GetProcAddress] [5CF67774] C:\WINDOWS2\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINDOWS2\Explorer.EXE[732] @ C:\WINDOWS2\system32\ole32.dll [KERNEL32.dll!GetProcAddress] [5CF67774] C:\WINDOWS2\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINDOWS2\Explorer.EXE[732] @ C:\WINDOWS2\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress] [5CF67774] C:\WINDOWS2\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINDOWS2\Explorer.EXE[732] @ C:\WINDOWS2\system32\CRYPT32.dll [KERNEL32.dll!GetProcAddress] [5CF67774] C:\WINDOWS2\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINDOWS2\Explorer.EXE[732] @ C:\WINDOWS2\system32\NETAPI32.dll [KERNEL32.dll!GetProcAddress] [5CF67774] C:\WINDOWS2\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINDOWS2\Explorer.EXE[732] @ C:\WINDOWS2\system32\WININET.dll [KERNEL32.dll!GetProcAddress] [5CF67774] C:\WINDOWS2\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINDOWS2\Explorer.EXE[732] @ C:\WINDOWS2\system32\SHELL32.dll [KERNEL32.dll!GetProcAddress] [5CF67774] C:\WINDOWS2\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINDOWS2\Explorer.EXE[732] @ C:\WINDOWS2\system32\USERENV.dll [KERNEL32.dll!GetProcAddress] [5CF67774] C:\WINDOWS2\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINDOWS2\Explorer.EXE[732] @ C:\WINDOWS2\System32\PSAPI.DLL [KERNEL32.dll!GetProcAddress] [5CF67774] C:\WINDOWS2\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINDOWS2\Explorer.EXE[732] @ C:\WINDOWS2\system32\WS2_32.dll [KERNEL32.dll!GetProcAddress] [5CF67774] C:\WINDOWS2\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINDOWS2\Explorer.EXE[732] @ C:\WINDOWS2\system32\WS2HELP.dll [KERNEL32.dll!GetProcAddress] [5CF67774] C:\WINDOWS2\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINDOWS2\Explorer.EXE[732] @ C:\WINDOWS2\system32\iphlpapi.dll [KERNEL32.dll!GetProcAddress] [5CF67774] C:\WINDOWS2\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\Archivos de programa\Windows Live\Messenger\MsnMsgr.Exe[1200] @ C:\WINDOWS2\system32\kernel32.dll [ntdll.dll!NtCreateFile] [02082F20] C:\WINDOWS2\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Archivos de programa\Windows Live\Messenger\MsnMsgr.Exe[1200] @ C:\WINDOWS2\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile] [02082C90] C:\WINDOWS2\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Archivos de programa\Windows Live\Messenger\MsnMsgr.Exe[1200] @ C:\WINDOWS2\system32\kernel32.dll [ntdll.dll!NtClose] [02082CF0] C:\WINDOWS2\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Archivos de programa\Windows Live\Messenger\MsnMsgr.Exe[1200] @ C:\WINDOWS2\system32\kernel32.dll [ntdll.dll!NtDuplicateObject] [02082CC0] C:\WINDOWS2\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\ControlSet001\Services\BTHPORT\Parameters\Keys\0010c652941e
Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\0010c652941e
Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\0010c652941e@0010c661ba02 0x1C 0x6D 0x32 0xB3 ...
Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\0010c652941e@000b0d152a74 0x7E 0x0E 0xF2 0xF0 ...
Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\0010c652941e@00175ca2e126 0x41 0x86 0x3E 0x15 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\0010c652941e
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\0010c652941e@0010c661ba02 0x1C 0x6D 0x32 0xB3 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\0010c652941e@000b0d152a74 0x7E 0x0E 0xF2 0xF0 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\0010c652941e@00175ca2e126 0x41 0x86 0x3E 0x15 ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{479D21BD-C969-E2AF-0F4D-0D83E225CD0C}
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{479D21BD-C969-E2AF-0F4D-0D83E225CD0C}@gaoohofafljjof 0x61 0x61 0x00 0x7C

---- EOF - GMER 1.0.15 ----

#14 DocSatan

    Bleepin' Wanna-Be


  • Members
  • 2,156 posts
  • Gender:Male
  • Location:Boston, Ma.

Posted 20 May 2009 - 05:57 AM

Hello JASH,

Question:

Do you use an IP address from the Netherlands (83.149.105.228)?

To answer some of your questions:

How do you tell that ComboFix fixed a lot of stuff?

  • After the "Header" information there is a section called "Other Deletions." Here is where you can see what files/folders have been deleted by ComboFix. :thumbup2:

Task Manager is working. Fast and promptly. Again, what was the problem with it and what did ComboFix do to unblock it?

  • Not sure exactly. Your log showed signs of a possible Conficker infection (which we will address shortly). Symptoms of this infection include not being able to open Task Manager, as well as not being able to "double-click" on drives to open them. ComboFix deleted a file usually associated with this infection, so that may have been the reason. :)
Now on to the Fix:

1. View All Hidden Files and Folders
  • Open My Computer
  • Click on Tools and choose Folder Options from the drop down list
  • In the window that opens, click on the View tab
  • Under Hidden files and folders, place a tick mark next to Show hidden files and folders
  • Click on Apply then OK
2. Please upload the following files to Jotti.org
  • Click HERE
  • At the top of the page that opens, Click on Browse
  • Navigate to this file: user32.dll found here: c:\windows2\$hf_mig$\KB890859\SP2GDR\user32.dll
  • Double click on user32.dll
  • Now click on Submit at the top of the Jotti web page.
  • The file will now be scanned by Jotti. The web page will change during the scanning process.
  • When the scan is finished, there will be 2 different sections on the page: Additional Info and Scanners.
  • Copy and Paste both sections into your next reply here.
  • Follow the same directions for the following files as well (The File name is the same as above, but in different locations):
    • c:\windows2\$hf_mig$\KB890859\SP2QFE\user32.dll
    • c:\windows2\$hf_mig$\KB925902\SP2QFE\user32.dll
    • c:\windows2\$NtServicePackUninstall$\user32.dll
    • c:\windows2\ServicePackFiles\i386\user32.dll
    • c:\windows2\system32\user32.dll
  • When you paste your reply, please use the File's Path as a header so that I know which Location the Report/Results are for. Example:c:\windows2\$hf_mig$\KB890859\SP2GDR\user32.dll
    File size: 21254 bytes
    Filetype: OpenDocument Text
    MD5: d499e922a6c11edda120d9a62d86a8d0
    SHA1: 6d40b92893be0fc54499b0ee446df2529183195b

    [ArcaVir]
    2009-05-18 Found nothing
    [F-Secure Anti-Virus]
    2009-05-18 Found nothing
    Etc.
3. Run a CFScript
  • Close any open browsers.
  • Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.
  • Open notepad and copy/paste the text in the quotebox below into it:

    DirLook::
    c:\windows2\lhsp
    c:\temp\tt7

    RegLock::
    [HKEY_USERS\S-1-5-21-343818398-1563985344-1343024091-1004\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{479D21BD-C969-E2AF-0F4D-0D83E225CD0C}*]

  • Save this as CFScript.txt, in the same location as ComboFix.exe
    Posted Image
  • Referring to the picture above, drag CFScript into ComboFix.exe
  • When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.
4. What I need in Your Next Reply
  • Results from Jotti (6 files)
  • New ComboFix.txt
  • Answer regarding that IP
Doc.
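The check behind step 2 above, done locally instead of by eye on six Jotti pages, as an added example that is not DocSatan's, Jotti's or ComboFix's code: hash every copy of the DLL and report whether the live system32 copy is byte-identical to one of the backup copies (on this machine it matched the ServicePackFiles\i386 copy). The directory labels mirror the six locations listed above; the file contents and the `demo` helper are constructed stand-ins, not real user32.dll bytes.

```python
import hashlib
import os
import tempfile
from collections import defaultdict


def file_digests(path):
    """Return (size_in_bytes, md5_hex, sha1_hex) for one file, read in chunks."""
    md5, sha1, size = hashlib.md5(), hashlib.sha1(), 0
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            size += len(chunk)
            md5.update(chunk)
            sha1.update(chunk)
    return size, md5.hexdigest(), sha1.hexdigest()


def compare_copies(live_label, copies):
    """Hash every copy in `copies` ({label: path}) and compare with the live one.

    Returns a dict with:
      digests              label -> (size, md5, sha1), the same three values
                           Jotti prints in its "Additional Info" section
      matching_backups     labels (other than live_label) whose SHA1 equals
                           the live file's SHA1
      builds               sha1 -> sorted labels, one entry per distinct build
      live_matches_backup  True when at least one backup copy is identical
    """
    digests = {label: file_digests(path) for label, path in copies.items()}
    live_sha1 = digests[live_label][2]
    builds = defaultdict(list)
    for label, (_, _, sha1) in digests.items():
        builds[sha1].append(label)
    matching = sorted(
        lbl for lbl in copies if lbl != live_label and digests[lbl][2] == live_sha1
    )
    return {
        "digests": digests,
        "matching_backups": matching,
        "builds": {h: sorted(ls) for h, ls in builds.items()},
        "live_matches_backup": bool(matching),
    }


def demo(tampered=False):
    """Build a constructed copy of the layout from the thread and compare it.

    The labels mirror the six locations DocSatan listed; the contents are
    constructed stand-ins (hypothetical builds), not real user32.dll bytes.
    With tampered=True the live system32 copy is altered so it matches no
    backup, which is the case that would deserve a closer look.
    """
    builds = {  # constructed contents, one per hypothetical build of the DLL
        "sp2_rtm": b"constructed user32 SP2 RTM build\n" * 64,
        "sp2_gdr": b"constructed user32 SP2 GDR hotfix build\n" * 64,
        "sp2_qfe_kb890859": b"constructed user32 SP2 QFE KB890859 build\n" * 64,
        "sp2_qfe_kb925902": b"constructed user32 SP2 QFE KB925902 build\n" * 64,
        "sp3": b"constructed user32 SP3 build\n" * 64,
    }
    layout = {  # label -> which build sits in that location
        "$hf_mig$/KB890859/SP2GDR": "sp2_gdr",
        "$hf_mig$/KB890859/SP2QFE": "sp2_qfe_kb890859",
        "$hf_mig$/KB925902/SP2QFE": "sp2_qfe_kb925902",
        "$NtServicePackUninstall$": "sp2_rtm",
        "ServicePackFiles/i386": "sp3",
        "system32": "sp3",
    }
    with tempfile.TemporaryDirectory() as root:
        copies = {}
        for label, build in layout.items():
            directory = os.path.join(root, *label.split("/"))
            os.makedirs(directory, exist_ok=True)
            data = builds[build]
            if tampered and label == "system32":
                data = data + b"constructed trailing patch bytes\n"
            path = os.path.join(directory, "user32.dll")
            with open(path, "wb") as fh:
                fh.write(data)
            copies[label] = path
        return compare_copies("system32", copies)


if __name__ == "__main__":
    for flag in (False, True):
        result = demo(tampered=flag)
        size, md5, sha1 = result["digests"]["system32"]
        print(f"tampered={flag}: system32 size={size} md5={md5} sha1={sha1}")
        print("  identical backups:", result["matching_backups"] or "none")
        print("  distinct builds  :", len(result["builds"]))
```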

#15 JASH

  • Topic Starter

  • Members
  • 26 posts

Posted 20 May 2009 - 05:50 PM

Jotti results:
c:\windows2\$hf_mig$\KB890859\SP2GDR\user32.dll =================================================================
File size: 578048 bytes
Filetype: PE32 executable for MS Windows (DLL) (GUI) Intel 80386 32-bit
MD5: dda46f3dbcf32727e93976b09fbb0e83
SHA1: 72b6efa20e63bc507feb56f2e8a54fe51c6c130e

[ArcaVir] 2009-05-20 Found nothing
[F-Secure Anti-Virus] 2009-05-20 Found nothing
[Emsisoft A-squared] 2009-05-20 Found nothing
[Ikarus] 2009-05-20 Found nothing
[Avast! antivirus] 2009-05-19 Found nothing
[Kaspersky Anti-Virus] 2009-05-20 Found nothing
[Grisoft AVG Anti-Virus] 2009-05-20 Found nothing
[ESET NOD32] 2009-05-20 Found nothing
[Avira AntiVir] 2009-05-20 Found nothing
[Norman Virus Control] 2009-05-20 Found nothing
[Softwin BitDefender] 2009-05-20 Found nothing
[Panda Antivirus] 2009-05-19 Found nothing
[ClamAV] 2009-05-20 Found nothing
[Quick Heal] 2009-05-20 Found nothing
[CPsecure] 2009-05-20 Found nothing
[Sophos] 2009-05-20 Found nothing
[Dr.Web] 2009-05-20 Found nothing
[VirusBlokAda VBA32] 2009-05-19 Found nothing
[Frisk F-Prot Antivirus] 2009-05-19 Found nothing
[VirusBuster] 2009-05-20 Found nothing

c:\windows2\$hf_mig$\KB890859\SP2QFE\user32.dll =================================================================
File size: 578048 bytes
Filetype: PE32 executable for MS Windows (DLL) (GUI) Intel 80386 32-bit
MD5: 37ce819e8ecb3517b9981a886876ef72
SHA1: a3c7bc170d986da2336078f7b99bfb429e76c25f

Scanners
[ArcaVir] 2009-05-20 Found nothing
[F-Secure Anti-Virus] 2009-05-20 Found nothing
[Emsisoft A-squared] 2009-05-20 Found nothing
[Ikarus] 2009-05-20 Found nothing
[Avast! antivirus] 2009-05-19 Found nothing
[Kaspersky Anti-Virus] 2009-05-20 Found nothing
[Grisoft AVG Anti-Virus] 2009-05-20 Found nothing
[ESET NOD32] 2009-05-20 Found nothing
[Avira AntiVir] 2009-05-20 Found nothing
[Norman Virus Control] 2009-05-20 Found nothing
[Softwin BitDefender] 2009-05-20 Found nothing
[Panda Antivirus] 2009-05-19 Found nothing
[ClamAV] 2009-05-20 Found nothing
[Quick Heal] 2009-05-20 Found nothing
[CPsecure] 2009-05-20 Found nothing
[Sophos] 2009-05-20 Found nothing
[Dr.Web] 2009-05-20 Found nothing
[VirusBlokAda VBA32] 2009-05-19 Found nothing
[Frisk F-Prot Antivirus] 2009-05-19 Found nothing
[VirusBuster] 2009-05-20 Found nothing

c:\windows2\$hf_mig$\KB925902\SP2QFE\user32.dll =================================================================
File size: 579072 bytes
Filetype: PE32 executable for MS Windows (DLL) (GUI) Intel 80386 32-bit
MD5: 237fb93c6b4330d8ee7d2448cf71c5ed
SHA1: 26835f62482f370122b345e24a80edeaecb217de

Scanners
[ArcaVir] 2009-05-20 Found nothing
[F-Secure Anti-Virus] 2009-05-20 Found nothing
[Emsisoft A-squared] 2009-05-20 Found nothing
[Ikarus] 2009-05-20 Found nothing
[Avast! antivirus] 2009-05-19 Found nothing
[Kaspersky Anti-Virus] 2009-05-20 Found nothing
[Grisoft AVG Anti-Virus] 2009-05-20 Found nothing
[ESET NOD32] 2009-05-20 Found nothing
[Avira AntiVir] 2009-05-20 Found nothing
[Norman Virus Control] 2009-05-20 Found nothing
[Softwin BitDefender] 2009-05-20 Found nothing
[Panda Antivirus] 2009-05-19 Found nothing
[ClamAV] 2009-05-20 Found nothing
[Quick Heal] 2009-05-20 Found nothing
[CPsecure] 2009-05-20 Found nothing
[Sophos] 2009-05-20 Found nothing
[Dr.Web] 2009-05-20 Found nothing
[VirusBlokAda VBA32] 2009-05-19 Found nothing
[Frisk F-Prot Antivirus] 2009-05-19 Found nothing
[VirusBuster] 2009-05-20 Found nothing

c:\windows2\$NtServicePackUninstall$\user32.dll =================================================================

File size: 497152 bytes
Filetype: PE32 executable for MS Windows (DLL) (GUI) Intel 80386 32-bit
MD5: a5a451edbea7d8fc093fb96a499d39cf
SHA1: fa16a6546932fd88845ec9a0593290adb2a16951

Scanners
[ArcaVir] 2009-05-20 Found nothing
[F-Secure Anti-Virus] 2009-05-20 Found nothing
[Emsisoft A-squared] 2009-05-20 Found nothing
[Ikarus] Operation timed out
[Avast! antivirus] 2009-05-19 Found nothing
[Kaspersky Anti-Virus] Operation timed out
[Grisoft AVG Anti-Virus] Operation timed out
[ESET NOD32] 2009-05-20 Found nothing
[Avira AntiVir] 2009-05-20 Found nothing
[Norman Virus Control] Operation timed out
[Softwin BitDefender] 2009-05-20 Found nothing
[Panda Antivirus] Operation timed out
[ClamAV] 2009-05-20 Found nothing
[Quick Heal] 2009-05-20 Found nothing
[CPsecure] Operation timed out
[Sophos] 2009-05-20 Found nothing
[Dr.Web] Operation timed out
[VirusBlokAda VBA32] 2009-05-19 Found nothing
[Frisk F-Prot Antivirus] 2009-05-19 Found nothing
[VirusBuster] 2009-05-20 Found nothing

c:\windows2\ServicePackFiles\i386\user32.dll =================================================================
File size: 498176 bytes
Filetype: PE32 executable for MS Windows (DLL) (GUI) Intel 80386 32-bit
MD5: a7ed5c30084060a92f0f60d462df784f
SHA1: 89f2ff89d5491202b13830cac157c98b4b0ce3e1

Scanners
[ArcaVir] 2009-05-20 Found nothing
[F-Secure Anti-Virus] 2009-05-20 Found nothing
[Emsisoft A-squared] 2009-05-20 Found nothing
[Ikarus] 2009-05-20 Found nothing
[Avast! antivirus] 2009-05-19 Found nothing
[Kaspersky Anti-Virus] 2009-05-20 Found nothing
[Grisoft AVG Anti-Virus] 2009-05-20 Found nothing
[ESET NOD32] 2009-05-20 Found nothing
[Avira AntiVir] 2009-05-20 Found nothing
[Norman Virus Control] 2009-05-20 Found nothing
[Softwin BitDefender] 2009-05-20 Found nothing
[Panda Antivirus] 2009-05-19 Found nothing
[ClamAV] 2009-05-20 Found nothing
[Quick Heal] 2009-05-20 Found nothing
[CPsecure] 2009-05-20 Found nothing
[Sophos] 2009-05-20 Found nothing
[Dr.Web] 2009-05-20 Found nothing
[VirusBlokAda VBA32] 2009-05-19 Found nothing
[Frisk F-Prot Antivirus] 2009-05-19 Found nothing
[VirusBuster] 2009-05-20 Found nothing


c:\windows2\system32\user32.dll =================================================================

File size: 498176 bytes
Filetype: PE32 executable for MS Windows (DLL) (GUI) Intel 80386 32-bit
MD5: a7ed5c30084060a92f0f60d462df784f
SHA1: 89f2ff89d5491202b13830cac157c98b4b0ce3e1

Scanners
[ArcaVir] 2009-05-20 Found nothing
[F-Secure Anti-Virus] 2009-05-20 Found nothing
[Emsisoft A-squared] 2009-05-20 Found nothing
[Ikarus] 2009-05-20 Found nothing
[Avast! antivirus] 2009-05-19 Found nothing
[Kaspersky Anti-Virus] 2009-05-20 Found nothing
[Grisoft AVG Anti-Virus] 2009-05-20 Found nothing
[ESET NOD32] 2009-05-20 Found nothing
[Avira AntiVir] 2009-05-20 Found nothing
[Norman Virus Control] 2009-05-20 Found nothing
[Softwin BitDefender] 2009-05-20 Found nothing
[Panda Antivirus] 2009-05-19 Found nothing
[ClamAV] 2009-05-20 Found nothing
[Quick Heal] 2009-05-20 Found nothing
[CPsecure] 2009-05-20 Found nothing
[Sophos] 2009-05-20 Found nothing
[Dr.Web] 2009-05-20 Found nothing
[VirusBlokAda VBA32] 2009-05-19 Found nothing
[Frisk F-Prot Antivirus] 2009-05-19 Found nothing
[VirusBuster] 2009-05-20 Found nothing

====================================================================

Now, ComboFix log:

====================================================================

ComboFix 09-05-16.05 - JASH 20/05/2009 22:09.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.34.3082.18.1023.275 [GMT 1:00]
Running from: c:\jash_d\download\ComboFix.exe
Command switches used :: c:\jash_d\download\CFScript.txt
AV: AVG Anti-Virus *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((( Files Created from 2009-04-20 to 2009-05-20 )))))))))))))))))))))))))))))))
.

2009-05-19 01:53 . 2009-05-20 00:46 -------- d-----w C:\gmer
2009-05-10 01:30 . 2004-01-13 14:07 991232 ----a-w c:\windows2\system32\W22MLRES.dll
2009-04-29 18:13 . 2009-04-29 19:26 -------- d-----w C:\SReng2
2009-04-29 00:41 . 2009-04-29 00:41 -------- d-----w c:\documents and settings\JASH\Datos de programa\Malwarebytes
2009-04-29 00:41 . 2009-04-06 14:32 15504 ----a-w c:\windows2\system32\drivers\mbam.sys
2009-04-29 00:41 . 2009-04-06 14:32 38496 ----a-w c:\windows2\system32\drivers\mbamswissarmy.sys
2009-04-29 00:41 . 2009-04-29 00:41 -------- d-----w c:\documents and settings\All Users.WINDOWS2\Datos de programa\Malwarebytes
2009-04-27 19:48 . 2009-04-27 19:50 -------- d-----w C:\834ff1c239e348b4534f5cbc_JASH
2009-04-27 18:04 . 2009-04-27 23:04 -------- d-----w c:\documents and settings\Administrador.D8YBGC1J\Datos de programa\skypePM
2009-04-27 18:03 . 2009-04-28 01:09 -------- d-----w c:\documents and settings\Administrador.D8YBGC1J\Datos de programa\Skype
2009-04-27 09:51 . 2009-04-27 09:51 23 --sha-w c:\windows2\system32\dcadfebec7_x.dat
2009-04-27 09:50 . 2009-04-27 09:51 -------- d-----w c:\archivos de programa\jv16 PowerTools 2009
2009-04-27 05:49 . 2001-08-17 21:07 101888 -c--a-w c:\windows2\system32\dllcache\adpu160m.sys
2009-04-27 05:49 . 2001-08-17 19:11 46112 -c--a-w c:\windows2\system32\dllcache\adptsf50.sys
2009-04-27 05:49 . 2002-08-28 22:00 10880 -c--a-w c:\windows2\system32\dllcache\admjoy.sys
2009-04-27 05:49 . 2001-08-17 19:19 747392 -c--a-w c:\windows2\system32\dllcache\adm8830.sys
2009-04-27 05:49 . 2001-08-17 19:19 553984 -c--a-w c:\windows2\system32\dllcache\adm8820.sys
2009-04-27 05:49 . 2001-08-17 19:19 584448 -c--a-w c:\windows2\system32\dllcache\adm8810.sys
2009-04-27 05:49 . 2001-08-17 19:11 20160 -c--a-w c:\windows2\system32\dllcache\adm8511.sys
2009-04-27 05:49 . 2001-08-17 20:53 7424 -c--a-w c:\windows2\system32\dllcache\adicvls.sys
2009-04-27 05:49 . 2001-08-22 21:15 61952 -c--a-w c:\windows2\system32\dllcache\acerscad.dll
2009-04-27 05:46 . 2001-08-22 21:14 66048 -c--a-w c:\windows2\system32\dllcache\s3legacy.dll
2009-04-25 04:07 . 2009-04-25 04:07 -------- d-----w c:\archivos de programa\Microsoft SQL Server Compact Edition
2009-04-25 04:06 . 2009-04-25 04:09 -------- d-----w c:\archivos de programa\ArcPad 7.1
2009-04-22 04:39 . 2009-04-22 04:39 166912 ----a-w c:\windows2\pdf2txt.exe
2009-04-22 04:37 . 2009-04-22 04:39 -------- d-----w c:\archivos de programa\Language Reader
2009-04-22 03:54 . 2009-04-22 03:54 -------- d-----w c:\windows2\lhsp
2009-04-22 03:53 . 2009-04-22 03:54 -------- d-----w c:\windows2\speech

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-17 02:19 . 2005-08-10 15:43 114114 ----a-w c:\windows2\system32\nvModes.dat
2009-05-12 23:51 . 2008-03-13 19:14 1324 ----a-w c:\windows2\system32\d3d9caps.dat
2009-05-12 02:55 . 2008-10-25 17:48 102400 ----a-w c:\windows2\DreamAquarium.scr
2009-05-10 06:07 . 2004-11-18 19:51 -------- d-----w c:\archivos de programa\Intel
2009-05-10 05:51 . 2003-07-23 16:34 18944 ----a-w c:\windows2\system32\taskman.exe
2009-04-29 04:34 . 2009-04-07 06:48 -------- d-----w c:\archivos de programa\DNA
2009-04-27 20:02 . 2009-04-27 19:46 5232 ----a-w c:\windows2\system32\PerfStringBackup.TMP
2009-04-25 04:49 . 2004-12-10 14:52 -------- d-----w c:\archivos de programa\Microsoft ActiveSync
2009-04-25 04:06 . 2006-04-02 16:55 -------- d-----w c:\archivos de programa\ArcPad 7.0
2009-04-24 16:47 . 2008-07-22 21:03 11952 ----a-w c:\windows2\system32\avgrsstx.dll
2009-04-24 16:47 . 2008-07-22 21:03 325896 ----a-w c:\windows2\system32\drivers\avgldx86.sys
2009-04-24 16:46 . 2008-07-22 21:03 12552 ----a-w c:\windows2\system32\drivers\avgrkx86.sys
2009-04-24 16:44 . 2008-07-22 21:03 108552 ----a-w c:\windows2\system32\drivers\avgtdix.sys
2009-04-22 04:30 . 2008-03-25 21:58 -------- d-----w c:\archivos de programa\Windows Sidebar
2009-04-15 00:36 . 2009-04-15 00:36 -------- d-----w c:\archivos de programa\RocketDock
2009-04-12 23:28 . 2009-04-12 23:28 -------- d-----w c:\archivos de programa\NutsAboutNets
2009-04-12 01:00 . 2009-03-06 05:54 -------- d-----w c:\archivos de programa\PDF Editor Objects 2
2009-04-10 05:55 . 2009-04-10 05:54 -------- d-----w c:\archivos de programa\JRE
2009-04-10 05:54 . 2009-03-23 00:43 -------- d-----w c:\archivos de programa\OpenOffice.org 3
2009-04-07 20:25 . 2009-04-12 01:02 87696 ----a-w c:\windows2\system32\drivers\VBoxNetFlt.sys
2009-04-07 20:25 . 2009-04-11 08:51 79888 ----a-w c:\windows2\system32\drivers\VBoxNetAdp.sys
2009-04-07 20:25 . 2009-04-11 08:48 31952 ----a-w c:\windows2\system32\drivers\VBoxUSB.sys
2009-04-07 20:25 . 2008-03-01 22:03 41424 ----a-w c:\windows2\system32\drivers\VBoxUSBMon.sys
2009-04-07 20:25 . 2008-03-01 22:03 100944 ----a-w c:\windows2\system32\drivers\VBoxDrv.sys
2009-04-07 20:25 . 2009-04-12 01:02 133648 ----a-w c:\windows2\system32\VBoxNetFltNotify.dll
2009-04-07 06:47 . 2009-04-07 06:47 -------- d-----w c:\archivos de programa\AskSearch
2009-04-06 22:58 . 2004-11-18 19:48 -------- d-----w c:\archivos de programa\Java
2009-03-29 18:57 . 2009-03-29 18:57 -------- d-----w c:\archivos de programa\Archivos comunes\Skype
2009-03-23 00:41 . 2008-05-07 20:19 -------- d-----w c:\archivos de programa\OpenOffice.org 2.4
2009-03-09 04:19 . 2008-12-15 08:04 410984 ----a-w c:\windows2\system32\deploytk.dll
2009-03-06 14:20 . 2003-07-23 16:26 286720 ----a-w c:\windows2\system32\pdh.dll
2009-03-06 05:54 . 2009-03-06 05:54 75264 ----a-w c:\windows2\cadkasdeinst01e.exe
2009-02-20 08:10 . 2005-06-17 23:25 668672 ----a-w c:\windows2\system32\wininet.dll
2009-02-20 08:10 . 2004-08-19 22:42 81920 ------w c:\windows2\system32\ieencode.dll
2007-07-24 20:39 . 2007-07-24 20:39 8 --sha-r c:\windows2\neoqaz2.dll
2002-07-31 18:55 . 2006-11-28 09:14 104 --sh--w c:\windows2\WSYS049.SYS
2008-04-14 02:19 . 2008-03-25 21:53 60416 --sha-w c:\windows2\ISSO\Respaldo\msimn.exe
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
---- Directory of c:\temp\tt7 ----


---- Directory of c:\windows2\lhsp ----

1998-09-30 09:09 . 1998-09-30 09:09 1276416 ----a-w c:\windows2\lhsp\tv\tv_enua.dll
1998-09-24 14:15 . 1998-09-24 14:15 40960 ----a-w c:\windows2\lhsp\tv\tvenuax.dll
1998-03-30 12:26 . 1998-03-30 12:26 12000 ----a-w c:\windows2\lhsp\help\tv_enua.hlp


------- Sigcheck -------

[-] 2005-03-02 18:10 578048 DDA46F3DBCF32727E93976B09FBB0E83 c:\windows2\$hf_mig$\KB890859\SP2GDR\user32.dll
[-] 2005-03-02 18:20 578048 37CE819E8ECB3517B9981A886876EF72 c:\windows2\$hf_mig$\KB890859\SP2QFE\user32.dll
[-] 2007-03-08 15:50 579072 237FB93C6B4330D8EE7D2448CF71C5ED c:\windows2\$hf_mig$\KB925902\SP2QFE\user32.dll
[-] 2007-03-08 15:36 497152 A5A451EDBEA7D8FC093FB96A499D39CF c:\windows2\$NtServicePackUninstall$\user32.dll
[7] 2008-04-14 02:18 579584 DA8898129E0075C7DE4DEE457514A73C c:\windows2\ISSO\Respaldo\user32.dll
[-] 2008-04-14 02:18 498176 A7ED5C30084060A92F0F60D462DF784F c:\windows2\ServicePackFiles\i386\user32.dll
[7] 2003-07-23 16:36 561152 1B1A3353911321ADC0D42E8F236B0B31 c:\windows2\SoftwareDistribution\Download\S-1-5-18\f47326a4fddf205482e86afde6226e27\backup\user32.dll
[-] 2008-04-14 02:18 498176 A7ED5C30084060A92F0F60D462DF784F c:\windows2\system32\user32.dll
.
((((((((((((((((((((((((((((( SnapShot@2009-05-16_19.50.42 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-05-19 21:38 . 2009-05-19 21:38 16384 c:\windows2\Temp\Perflib_Perfdata_cd0.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2008-09-07 07:20 143360 ----a-w c:\software\internet\Dropbox\DropboxExt.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2008-09-07 07:20 143360 ----a-w c:\software\internet\Dropbox\DropboxExt.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2008-09-07 07:20 143360 ----a-w c:\software\internet\Dropbox\DropboxExt.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows2\system32\ctfmon.exe" [2008-04-14 15360]
"ISUSPM"="c:\archivos de programa\Archivos comunes\InstallShield\UpdateService\ISUSPM.exe" [2007-08-30 205480]
"msnmsgr"="c:\archivos de programa\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]
"RocketDock"="c:\archivos de programa\RocketDock\RocketDock.exe" [2007-09-02 495616]
"H/PC Connection Agent"="c:\archivos de programa\Microsoft ActiveSync\Wcescomm.exe" [2006-11-13 1289000]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\archivos de programa\Apoint\Apoint.exe" [2005-10-07 176128]
"EPSON Stylus Photo R320 Series"="c:\windows2\System32\spool\DRIVERS\W32X86\3\E_FATI9XE.EXE" [2004-12-16 98304]
"\\Ps-58c34f\epson_R320"="c:\windows2\System32\spool\DRIVERS\W32X86\3\E_FATI9XE.EXE" [2004-12-16 98304]
"NvCplDaemon"="c:\windows2\system32\NvCpl.dll" [2005-07-06 7118848]
"Acrobat Assistant 8.0"="c:\archivos de programa\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2008-10-14 623992]
"\\192.168.2.3\epson_R320"="c:\windows2\System32\spool\DRIVERS\W32X86\3\E_FATI9XE.EXE" [2004-12-16 98304]
"AVG8_TRAY"="c:\archiv~1\Grisoft\AVG8\avgtray.exe" [2009-04-24 1947928]
"Dell QuickSet"="c:\archivos de programa\Dell\QuickSet\Quickset.exe" [2006-06-29 1032192]
"HP Software Update"="c:\software\dispositivos\HP Scanner\HP Software Update\HPWuSchd2.exe" [2007-03-11 49152]
"LWBMOUSE"="c:\software\drivers\Belkin\Wireless Mouse Driver\MOUSE32A.EXE" [2001-11-09 356352]
"SigmaTel StacMon"="c:\archivos de programa\SigmaTel\Controladores de sonido SigmaTel AC97\stacmon.exe" [2004-04-29 90169]
"SunJavaUpdateSched"="c:\archivos de programa\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"nwiz"="nwiz.exe" - c:\windows2\system32\nwiz.exe [2005-07-06 1519616]
"NvMediaCenter"="NvMCTray.dll" - c:\windows2\system32\nvmctray.dll [2005-07-06 86016]
"BluetoothAuthenticationAgent"="bthprops.cpl" - c:\windows2\system32\bthprops.cpl [2008-04-14 110592]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows2\System32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\JASH\Menú Inicio\Programas\Inicio\AutorunsDisabled
VistaStart.lnk - c:\windows2\Resources\Themes\YAFVC3\VistaStart\VistaStart1.3.exe [2006-3-21 510464]

c:\documents and settings\All Users.WINDOWS2\Menú Inicio\Programas\Inicio\
BTTray.lnk - c:\archivos de programa\Dell\Software Bluetooth\BTTray.exe [2006-7-22 561213]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoChangeAnimation"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-04-24 16:47 11952 ----a-w c:\windows2\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WLANKEEPER"=2 (0x2)
"EvtEng"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableUnicastResponsesToMulticastBroadcast"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS2\\system32\\sessmgr.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Archivos de programa\\Grisoft\\AVG8\\avgemc.exe"=
"c:\\Archivos de programa\\Grisoft\\AVG8\\avgupd.exe"=
"c:\\Archivos de programa\\Grisoft\\AVG8\\avgnsx.exe"=
"c:\\Archivos de programa\\Adobe\\Acrobat 8.0\\Acrobat\\Acrobat.exe"=
"c:\archivos de programa\Microsoft ActiveSync\WCESMgr.exe"= c:\archivos de programa\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Disabled:ActiveSync Application
"c:\archivos de programa\Microsoft ActiveSync\wcescomm.exe"= c:\archivos de programa\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Disabled:ActiveSync Connection Manager
"c:\archivos de programa\Microsoft ActiveSync\rapimgr.exe"= c:\archivos de programa\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Disabled:ActiveSync RAPI Manager
"c:\\Archivos de programa\\DNA\\btdna.exe"=
"c:\\software\\internet\\Mozilla Firefox\\firefox.exe"=
"c:\\software\\internet\\Netscape\\ThunderBird\\thunderbird.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Disabled:ActiveSync Service

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowOutboundDestinationUnreachable"= 0 (0x0)
"AllowOutboundSourceQuench"= 0 (0x0)
"AllowOutboundParameterProblem"= 0 (0x0)
"AllowOutboundTimeExceeded"= 0 (0x0)

R0 AvgRkx86;avgrkx86.sys;c:\windows2\system32\drivers\avgrkx86.sys [22/07/2008 22:03 12552]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows2\system32\drivers\avgldx86.sys [22/07/2008 22:03 325896]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows2\system32\drivers\avgtdix.sys [22/07/2008 22:03 108552]
R1 VBoxDrv;VirtualBox Service;c:\windows2\system32\drivers\VBoxDrv.sys [01/03/2008 23:03 100944]
R1 VBoxUSBMon;VirtualBox USB Monitor Driver;c:\windows2\system32\drivers\VBoxUSBMon.sys [01/03/2008 23:03 41424]
R2 ArcGIS License Manager;ArcGIS License Manager;c:\archivos de programa\ESRI\License\arcgis9x\lmgrd.exe [15/08/2005 23:51 467968]
R2 avg8emc;AVG8 E-mail Scanner;c:\archiv~1\Grisoft\AVG8\avgemc.exe [22/07/2008 22:03 908568]
R2 avg8wd;AVG8 WatchDog;c:\archiv~1\Grisoft\AVG8\avgwdsvc.exe [22/07/2008 22:03 298776]
R2 P1C1394;Phase One 1394 Camera Driver;c:\windows2\system32\drivers\p1c1394.sys [15/05/2008 13:20 23168]
R3 GTICARD;GTICARD;c:\windows2\system32\drivers\gticard.sys [06/02/2003 19:23 59328]
R3 VBoxMouse;VirtualBox Guest Mouse Service;c:\windows2\system32\drivers\VBoxMouse.sys [02/01/2008 4:41 39696]
R3 VBoxNetAdp;VirtualBox Host-Only Ethernet Adapter;c:\windows2\system32\drivers\VBoxNetAdp.sys [11/04/2009 9:51 79888]
R3 VBoxNetFlt;VBoxNetFlt Service;c:\windows2\system32\drivers\VBoxNetFlt.sys [12/04/2009 2:02 87696]
S1 VBoxSF;VirtualBox Shared Folders;c:\windows2\system32\drivers\VBoxSF.sys [16/02/2009 17:06 195728]
S2 FLUSBDRV;3Com ADSL-150 USB Driver;c:\windows2\system32\drivers\3CF002LD.sys [10/08/2005 17:04 21414]
S2 gupdate1c9a2bcebc1a270;Google Update Service (gupdate1c9a2bcebc1a270);c:\archivos de programa\Google\Update\GoogleUpdate.exe [12/03/2009 3:47 133104]
S2 IWPORT;IWPORT;\??\c:\windows2\SYSTEM32\DRIVERS\IWPORT.SYS --> c:\windows2\SYSTEM32\DRIVERS\IWPORT.SYS [?]
S2 VBoxService;VirtualBox Guest Additions Service;system32\VBoxService.exe --> system32\VBoxService.exe [?]
S3 dcdbas;System Management Driver;c:\windows2\system32\DRIVERS\dcdbas32.sys --> c:\windows2\system32\DRIVERS\dcdbas32.sys [?]
S3 NANMp50;NANMp50 NDIS Protocol Driver;c:\windows2\system32\Drivers\NANMp50.sys --> c:\windows2\system32\Drivers\NANMp50.sys [?]
S3 NANSp50;NANSp50 NDIS Protocol Driver;c:\windows2\system32\Drivers\NANSp50.sys --> c:\windows2\system32\Drivers\NANSp50.sys [?]
S3 usb2vcom;Nokia CA-42 USB;c:\windows2\system32\drivers\usb2vcom.sys [18/12/2006 17:10 30272]
S3 USBLC6X0100;%USBLC6X0100.DispName%;c:\windows2\system32\drivers\3cusblr.sys [10/08/2005 17:07 309700]
S3 VBoxTAP;VirtualBox TAP Adapter;c:\windows2\system32\drivers\VBoxTAP.sys [01/03/2008 23:08 47552]
S3 VBoxUSB;VirtualBox USB;c:\windows2\system32\drivers\VBoxUSB.sys [11/04/2009 9:48 31952]
S4 ERMLicSrv_ATL70;ERMLicSrv_ATL70;c:\windows2\system32\ERM\7.0\ERMLicSrv_ATL70.exe [09/01/2008 0:38 94208]
S4 FME_License_service;FME_License_service;c:\archivos de programa\ESRI\License\arcgis9x\lmgrd.exe [15/08/2005 23:51 467968]
S4 SASDIFSV;SASDIFSV;\??\c:\software\antivirus\SUPERAntiSpyware\SASDIFSV.SYS --> c:\software\antivirus\SUPERAntiSpyware\SASDIFSV.SYS [?]
S4 SASENUM;SASENUM;\??\c:\software\antivirus\SUPERAntiSpyware\SASENUM.SYS --> c:\software\antivirus\SUPERAntiSpyware\SASENUM.SYS [?]
S4 SASKUTIL;SASKUTIL;\??\c:\software\antivirus\SUPERAntiSpyware\SASKUTIL.sys --> c:\software\antivirus\SUPERAntiSpyware\SASKUTIL.sys [?]

--- Other Services/Drivers In Memory ---

*Deregistered* - mpaotqup

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
HPService REG_MULTI_SZ HPSLPSVC
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\AutorunsDisabled\{6B9228DA-9C15-419e-856C-19E768A13BDC}]
"c:\windows2\system32\regsvr32.exe" /s sbdrop.dll
.
Contents of the 'Scheduled Tasks' folder

2009-05-19 c:\windows2\Tasks\GoogleUpdateTaskMachine.job
- c:\archivos de programa\Google\Update\GoogleUpdate.exe [2009-03-12 02:47]

2007-03-27 c:\windows2\Tasks\shutdown.job
- c:\windows2\system32\shutdown.exe [2003-07-23 02:19]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyServer = 195.76.153.201:3128
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Anexar a PDF existente - c:\archivos de programa\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convertir a Adobe PDF - c:\archivos de programa\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convertir destino de vínculo a PDF existente - c:\archivos de programa\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convertir destino de vínculo en archivo Adobe PDF - c:\archivos de programa\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convertir selección a Adobe PDF - c:\archivos de programa\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convertir selección a archivo PDF existente - c:\archivos de programa\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convertir vínculos seleccionados a Adobe PDF - c:\archivos de programa\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convertir vínculos seleccionados a PDF existente - c:\archivos de programa\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: E&xport to Microsoft Excel - c:\archiv~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
IE: Enviar a &Bluetooth - c:\archivos de programa\Dell\Software Bluetooth\btsendto_ie_ctx.htm
TCP: interfaces = 152.158.2.48,165.87.201.244
DPF: Microsoft XML Parser for Java - file://c:\windows2\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\JASH\Datos de programa\Mozilla\Firefox\Profiles\k4uv1kov.default\
FF - prefs.js: browser.search.selectedEngine - Ask
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: keyword.URL - hxxp://toolbar.ask.com/toolbarv/askRedirect?o=101757&gct=&gc=1&q=
FF - prefs.js: network.proxy.ftp - 195.76.153.201
FF - prefs.js: network.proxy.ftp_port - 3128
FF - prefs.js: network.proxy.gopher - 195.76.153.201
FF - prefs.js: network.proxy.gopher_port - 3128
FF - prefs.js: network.proxy.http - 195.76.153.201
FF - prefs.js: network.proxy.http_port - 3128
FF - prefs.js: network.proxy.socks - 195.76.153.201
FF - prefs.js: network.proxy.socks_port - 3128
FF - prefs.js: network.proxy.ssl - 195.76.153.201
FF - prefs.js: network.proxy.ssl_port - 3128
FF - prefs.js: network.proxy.type - 4
FF - component: c:\archivos de programa\Grisoft\AVG8\Firefox\components\avgssff.dll
FF - component: c:\documents and settings\JASH\Datos de programa\Mozilla\Firefox\Profiles\k4uv1kov.default\extensions\{0b457cAA-602d-484a-8fe7-c1d894a011ba}\platform\WINNT_x86-msvc\components\SSSLauncher.dll
FF - component: c:\documents and settings\JASH\Datos de programa\Mozilla\Firefox\Profiles\k4uv1kov.default\extensions\{81BF1D23-5F17-408D-AC6B-BD6DF7CAF670}\components\XpcomOpusConnector.dll
FF - plugin: c:\archivos de programa\Google\Update\1.2.145.5\npGoogleOneClick8.dll
FF - plugin: c:\archivos de programa\Skyhook Wireless\Loki Browser Plugin\nploki.dll
FF - plugin: c:\software\graficos\QuickTime\Plugins\npqtplugin.dll
FF - plugin: c:\software\graficos\QuickTime\Plugins\npqtplugin2.dll
FF - plugin: c:\software\graficos\QuickTime\Plugins\npqtplugin3.dll
FF - plugin: c:\software\graficos\QuickTime\Plugins\npqtplugin4.dll
FF - plugin: c:\software\graficos\QuickTime\Plugins\npqtplugin5.dll
FF - plugin: c:\software\graficos\QuickTime\Plugins\npqtplugin6.dll
FF - plugin: c:\software\graficos\QuickTime\Plugins\npqtplugin7.dll
FF - plugin: c:\software\graficos\realplayer\Netscape6\nppl3260.dll
FF - plugin: c:\software\graficos\realplayer\Netscape6\nprjplug.dll
FF - plugin: c:\software\graficos\realplayer\Netscape6\nprpjplug.dll
FF - plugin: c:\software\graficos\VideoLAN\VLC\npvlc.dll
FF - plugin: c:\software\internet\Mozilla Firefox\plugins\npbittorrent.dll
FF - plugin: c:\software\internet\Mozilla Firefox\plugins\npgato.dll
FF - plugin: c:\software\internet\Mozilla Firefox\plugins\nppdf32(2).dll

---- FIREFOX POLICIES ----
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-20 22:13
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\Iomega Activity Disk2]
"ImagePath"="\"\""
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-343818398-1563985344-1343024091-1004\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-343818398-1563985344-1343024091-1004\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{479D21BD-C969-E2AF-0F4D-0D83E225CD0C}*]
"gaoohofafljjof"=hex:61,61,00,7c
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1264)
c:\windows2\system32\SETUPAPI.dll
c:\windows2\system32\cscui.dll

- - - - - - - > 'lsass.exe'(1332)
c:\windows2\system32\SETUPAPI.dll

- - - - - - - > 'explorer.exe'(4332)
c:\archivos de programa\RocketDock\RocketDock.dll
c:\software\internet\Dropbox\DropboxExt.dll
c:\windows2\System32\cscui.dll
c:\windows2\system32\shimgvw.dll
c:\archiv~1\ARCHIV~1\MICROS~1\WEBCOM~1\10\OWC10.DLL
c:\archiv~1\ARCHIV~1\MICROS~1\WEBCOM~1\11\OWC11.DLL
c:\windows2\system32\LINKINFO.dll
c:\windows2\system32\ntshrui.dll
c:\windows2\system32\NETSHELL.dll
c:\windows2\system32\credui.dll
c:\windows2\system32\SETUPAPI.dll
c:\windows2\system32\WPDShServiceObj.dll
c:\windows2\system32\PortableDeviceTypes.dll
c:\windows2\system32\PortableDeviceApi.dll
c:\software\drivers\Belkin\Wireless Mouse Driver\MOUDL32A.DLL
c:\windows2\system32\VBoxMRXNP.dll
.
Completion time: 2009-05-20 22:16
ComboFix-quarantined-files.txt 2009-05-20 21:15
ComboFix2.txt 2009-05-19 02:34
ComboFix3.txt 2009-05-16 19:59

Pre-Run: 16.130.150.400 bytes libres
Post-Run: 16.105.058.304 bytes libres

323 --- E O F --- 2009-05-02 13:59

=========================================================

Answers: I do not have anything to do with an IP address from Holland, as far as I know.

I used to live in Spain but, for this year and the next, I am living in Davis, California. Now I am in The Bahamas for work reasons and my connection is provided by the owner of the apartment I am living in (the same for California) and I do not think they are related to Holland.


=========================================================
Things in my computer:
1: This morning I had a BSOD and it suggested that I review physical memory. I did but did not find anything wrong.
2: I have an issue that I forgot when I made the list of issues in my comp.: sometimes my mouse's left button seems not to work: I cannot left-click on any link in my browser, nor select any text with the cursor, and so on. To be able to do this I have to A) change to another application B) right-click in the area of the menu bar or the toolbar of the applications, or in the Windows taskbar, and then go back to the prior application where I wanted to left-click. But this only works for the first click. After this, I have to repeat the steps if I want to left-click again. When this occurs, every time I pass the mouse cursor over a tab in the taskbar or over a button in the toolbar (or similar), wherever a tooltip should pop up, there is only a small and empty square, as if the system tried to write the complete label but something stops the action. Where this is more noticeable is in the browser, IE or FF, it does not matter.



