
USB memory trojan/virus infection


  • This topic is locked
14 replies to this topic

#1 morba
  • Members
  • 10 posts

Posted 23 June 2009 - 02:18 PM

Infected by USB key. Have run AVG, Malwarebytes and Kaspersky online diagnosis. AVG and Malwarebytes state the computer is clean. Kaspersky says there are some problems but it was not able to fix them. No major problem other than the fact that IE autoruns on startup (twice); sometimes after closing IE my computer crashes and gives a drwtsn32.exe problem. Tried solving these problems through MsConfig but read on Majorgeeks I shouldn't mess with MsConfig for that (back to normal settings); it also didn't solve the issue. Hope someone is able to help me. *** Update: I reviewed my AVG virus vault; it indicates that I was infected by Win32/Heur.


DDS (Ver_09-05-14.01) - NTFSx86
Run by Francisco Morales at 14:05:14.98 on 23/06/2009
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Professional 5.1.2600.3.1252.34.3082.18.1014.415 [GMT -5:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\igfxpers.exe
C:\ARCHIV~1\AVG\AVG8\avgtray.exe
C:\Archivos de programa\Nero\Nero 7\InCD\NBHGui.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\sm56hlpr.exe
C:\Archivos de programa\Java\jre6\bin\jusched.exe
C:\Archivos de programa\IUSACELL\CDU680DORA\BIN\RDVCHG.EXE
C:\Archivos de programa\Archivos comunes\Real\Update_OB\realsched.exe
C:\Archivos de programa\CyberLink\PowerDVD\PDVDServ.exe
C:\Archivos de programa\lg_fwupdate\fwupdate.exe
C:\Archivos de programa\Nero\Nero 7\InCD\InCD.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Archivos de programa\Nokia\Nokia PC Suite 7\PCSuite.exe
C:\Archivos de programa\Windows Live\Messenger\MsnMsgr.Exe
svchost.exe
C:\Archivos de programa\AskBarDis\bar\bin\AskService.exe
C:\Archivos de programa\AskBarDis\bar\bin\ASKUpgrade.exe
C:\Archivos de programa\Messenger\msmsgs.exe
C:\ARCHIV~1\AVG\AVG8\avgwdsvc.exe
C:\Archivos de programa\Lenovo\Bluetooth Software\BTTray.exe
C:\Archivos de programa\WinZip\WZQKPICK.EXE
C:\Archivos de programa\Lenovo\Bluetooth Software\bin\btwdins.exe
C:\Archivos de programa\Nero\Nero 7\InCD\InCDsrv.exe
C:\Archivos de programa\Java\jre6\bin\jqs.exe
C:\Archivos de programa\CyberLink\Shared Files\RichVideo.exe
C:\ARCHIV~1\Lenovo\BLUETO~1\BTSTAC~1.EXE
C:\ARCHIV~1\AVG\AVG8\avgrsx.exe
C:\Archivos de programa\PC Connectivity Solution\ServiceLayer.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\Archivos de programa\PC Connectivity Solution\Transports\NclUSBSrv.exe
C:\Archivos de programa\PC Connectivity Solution\Transports\NclRSSrv.exe
C:\Archivos de programa\PC Connectivity Solution\Transports\NclBCBTSrv.exe
C:\Archivos de programa\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Francisco Morales\Escritorio\dds.scr

============== Pseudo HJT Report ===============

mDefault_Search_URL = hxxp://toolbar.ask.com/toolbarv/askRedirect?o=10615&gct=&gc=1&q=
uSearchURL,(Default) = hxxp://toolbar.ask.com/toolbarv/askRedirect?o=10615&gct=&gc=1&q=%s
uURLSearchHooks: DefaultSearchHook Class: {c94e154b-1459-4a47-966b-4b843befc7db} - c:\archivos de programa\asksearch\bin\DefaultSearch.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\archivos de programa\archivos comunes\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AskBar BHO: {201f27d4-3704-41d6-89c1-aa35e39143ed} - c:\archivos de programa\askbardis\bar\bin\askBar.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\archivos de programa\avg\avg8\avgssie.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\archivos de programa\java\jre6\bin\ssv.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Windows Live Aplicación auxiliar de inicio de sesión: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\archivos de programa\archivos comunes\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\archivos de programa\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\archivos de programa\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Ask Toolbar: {3041d03e-fd4b-44e0-b742-2d9b88305f98} - c:\archivos de programa\askbardis\bar\bin\askBar.dll
TB: ncikuToolBar: {77d8dc41-9ce3-42e2-af46-84f9686bfe21} - c:\archivos de programa\nciku\toolbar\ncikuToolbar_0_5_1_74.dll
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
uRun: [PC Suite Tray] "c:\archivos de programa\nokia\nokia pc suite 7\PCSuite.exe" -onlytray
uRun: [MSMSGS] "c:\archivos de programa\messenger\msmsgs.exe" /background
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [AVG8_TRAY] c:\archiv~1\avg\avg8\avgtray.exe
mRun: [SecurDisc] c:\archivos de programa\nero\nero 7\incd\NBHGui.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [SMSERIAL] c:\windows\sm56hlpr.exe
mRun: [SunJavaUpdateSched] "c:\archivos de programa\java\jre6\bin\jusched.exe"
mRun: [IUSACELL_CDU680] c:\archivos de programa\iusacell\cdu680dora\bin\RDVCHG.EXE
mRun: [TkBellExe] "c:\archivos de programa\archivos comunes\real\update_ob\realsched.exe" -osboot
mRun: [QuickTime Task] "c:\archivos de programa\quicktime\QTTask.exe" -atboottime
mRun: [RemoteControl] "c:\archivos de programa\cyberlink\powerdvd\PDVDServ.exe"
mRun: [LanguageShortcut] "c:\archivos de programa\cyberlink\powerdvd\language\Language.exe"
mRun: [LGODDFU] "c:\archivos de programa\lg_fwupdate\fwupdate.exe" blrun
mRun: [Adobe Reader Speed Launcher] "c:\archivos de programa\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [NeroFilterCheck] c:\archivos de programa\archivos comunes\ahead\lib\NeroCheck.exe
mRun: [Internet Explorer] iexplore.exe
mRun: [InCD] c:\archivos de programa\nero\nero 7\incd\InCD.exe
mRunServices: [Internet Explorer] iexplore.exe
mRunServices: [Services Control] iexplore.exe
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
mExplorerRun: [Services Control] iexplore.exe
StartupFolder: c:\docume~1\alluse~1\menini~1\progra~1\inicio\bttray.lnk - c:\archivos de programa\lenovo\bluetooth software\BTTray.exe
StartupFolder: c:\docume~1\alluse~1\menini~1\progra~1\inicio\winzip~1.lnk - c:\archivos de programa\winzip\WZQKPICK.EXE
IE: E&xportar a Microsoft Excel - c:\archiv~1\micros~2\office12\EXCEL.EXE/3000
IE: Enviar a &Bluetooth - c:\archivos de programa\lenovo\bluetooth software\btsendto_ie_ctx.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\archivos de programa\lenovo\bluetooth software\btsendto_ie.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\archivos de programa\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\archiv~1\micros~2\office12\REFIEBAR.DLL
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://go.microsoft.com/fwlink/?linkid=58813
DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} - hxxp://www.kaspersky.com/kos/spanish/kavwebscan_unicode.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1229386718875
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1229454182609
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\archivos de programa\avg\avg8\avgpp.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\archiv~1\archiv~1\skype\SKYPE4~1.DLL
Notify: !SASWinLogon - c:\archivos de programa\superantispyware\SASWINLO.DLL
Notify: avgrsstarter - avgrsstx.dll
Notify: igfxcui - igfxdev.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\archivos de programa\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\franci~1\datosd~1\mozilla\firefox\profiles\tlzh5o3w.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.eficienciainformativa.com/mm/
FF - prefs.js: keyword.URL - hxxp://toolbar.ask.com/toolbarv/askRedirect?o=10615&gct=&gc=1&q=
FF - component: c:\archivos de programa\nokia\nokia pc suite 7\bkmrksync\components\BkMrkExt.dll
FF - plugin: c:\archivos de programa\opera\program\plugins\npdivx32.dll
FF - plugin: c:\documents and settings\francisco morales\datos de programa\mozilla\firefox\profiles\tlzh5o3w.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp071301000019.dll

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-12-15 325896]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-12-15 27784]
R1 SASDIFSV;SASDIFSV;c:\archivos de programa\superantispyware\SASDIFSV.SYS [2008-12-4 9968]
R1 SASKUTIL;SASKUTIL;c:\archivos de programa\superantispyware\SASKUTIL.SYS [2008-12-4 55024]
R2 ASKService;ASKService;c:\archivos de programa\askbardis\bar\bin\AskService.exe [2009-2-7 464264]
R2 ASKUpgrade;ASKUpgrade;c:\archivos de programa\askbardis\bar\bin\ASKUpgrade.exe [2009-2-7 234888]
R2 avg8wd;AVG8 WatchDog;c:\archiv~1\avg\avg8\avgwdsvc.exe [2009-1-29 298776]
S3 cmusbser;%CMUSBSER%;c:\windows\system32\drivers\cmusbser.sys [2009-1-13 87040]
S3 SASENUM;SASENUM;c:\archivos de programa\superantispyware\SASENUM.SYS [2008-12-4 7408]

=============== Created Last 30 ================

2009-06-23 14:01 <DIR> --d----- c:\windows\system32\appmgmt
2009-06-23 13:50 <DIR> --d----- c:\archivos de programa\Trend Micro
2009-06-23 13:38 268 a---h--- C:\sqmdata13.sqm
2009-06-23 13:38 244 a---h--- C:\sqmnoopt13.sqm
2009-06-20 09:51 <DIR> --d----- c:\archivos de programa\Free PDF to Word Doc Converter
2009-06-01 16:57 10,368 ac------ c:\windows\system32\dllcache\hidusb.sys
2009-06-01 16:57 10,368 a------- c:\windows\system32\drivers\hidusb.sys
2009-05-27 15:31 <DIR> --d----- c:\windows\system32\Kaspersky Lab
2009-05-26 12:51 <DIR> --d----- c:\documents and settings\francisco morales\Bluetooth Software
2009-05-26 12:51 12,416 ac------ c:\windows\system32\dllcache\mouhid.sys
2009-05-26 12:51 12,416 a------- c:\windows\system32\drivers\mouhid.sys
2009-05-26 12:49 <DIR> --d----- c:\archivos de programa\Lenovo
2009-05-26 12:28 <DIR> --d----- c:\archivos de programa\archivos comunes\PCSuite
2009-05-26 12:28 <DIR> --d----- c:\archivos de programa\archivos comunes\Nokia
2009-05-26 12:28 18,816 a------- c:\windows\system32\drivers\pccsmcfd.sys
2009-05-26 12:27 <DIR> --d----- c:\archivos de programa\PC Connectivity Solution
2009-05-26 12:27 91,136 a------- c:\windows\system32\nmwcdcls.dll
2009-05-26 12:27 <DIR> --d----- c:\archivos de programa\Nokia
2009-05-25 12:18 <DIR> --d----- c:\docume~1\franci~1\datosd~1\Malwarebytes
2009-05-25 12:18 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-05-25 12:18 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-25 12:18 <DIR> --d----- c:\docume~1\alluse~1\datosd~1\Malwarebytes
2009-05-25 12:18 <DIR> --d----- c:\archivos de programa\Malwarebytes' Anti-Malware
2009-05-25 12:11 <DIR> --d----- c:\archivos de programa\CCleaner

==================== Find3M ====================

2009-06-23 12:59 365,802 a------- c:\windows\system32\perfh00A.dat
2009-06-23 12:59 52,236 a------- c:\windows\system32\perfc00A.dat
2009-05-10 13:15 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-05-10 13:15 325,896 a------- c:\windows\system32\drivers\avgldx86.sys
2009-05-07 10:33 347,648 a------- c:\windows\system32\localspl.dll
2009-04-28 23:34 669,184 a------- c:\windows\system32\wininet.dll
2009-04-28 23:34 81,920 a------- c:\windows\system32\ieencode.dll
2009-04-19 14:50 1,847,296 a------- c:\windows\system32\win32k.sys
2009-04-15 09:54 585,216 a------- c:\windows\system32\rpcrt4.dll

============= FINISH: 14:05:34.01 ===============

Edited by morba, 24 June 2009 - 12:45 PM.


#2 morba
  • Topic Starter
  • Members
  • 10 posts

Posted 26 June 2009 - 05:28 PM

I guess I should be more patient. I was looking more into my startup processes and realized iexplore.exe should not be on it unless manually added. Thus, even though my antivirus has not registered this, I believe I was probably infected with W32/Rbot-EY.
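
The check morba makes by hand above (a browser has no business in the startup list) can be applied mechanically to the Run lines of a DDS "Pseudo HJT Report". The script below is an added example, not code from this thread or from the DDS tool; its sample lines are copied from the first DDS log in the topic, and the scoring rules (which binaries and which keys count as suspicious) are the example's own assumptions.

```python
"""Triage of the Run-key lines in a DDS "Pseudo HJT Report".

Added example (not code from the thread or from the DDS tool): it applies the
check made by hand in post #2, where the poster noticed iexplore.exe in the
startup list. The sample lines are copied from the first DDS log in the thread;
the scoring rules are this example's own.
"""
import re
from dataclasses import dataclass

# DDS prefixes the registry autostart key with its hive: u = HKCU, m = HKLM,
# d = the Default User hive. ExplorerRun is Policies\Explorer\Run.
AUTOSTART_RE = re.compile(
    r"^(?P<hive>[umd])(?P<key>RunServices|RunOnce|ExplorerRun|Run):\s*"
    r"\[(?P<name>[^\]]*)\]\s*(?P<value>.*)$"
)

# A browser is never a legitimate autostart value by itself; the thread's
# infection (cleaned out in post #4) used exactly this. Extend for your own use.
SUSPECT_BINARIES = {"iexplore.exe"}

# Keys ordinary installers do not write to: RunServices is a Windows 9x-era key
# and Policies\Explorer\Run is meant for Group Policy, so entries there stand out.
UNUSUAL_KEYS = {"RunServices", "ExplorerRun"}

# Lines taken from the first DDS log in this topic.
SAMPLE_REPORT = r"""
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
mRun: [AVG8_TRAY] c:\archiv~1\avg\avg8\avgtray.exe
mRun: [SunJavaUpdateSched] "c:\archivos de programa\java\jre6\bin\jusched.exe"
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Internet Explorer] iexplore.exe
mRunServices: [Internet Explorer] iexplore.exe
mRunServices: [Services Control] iexplore.exe
mExplorerRun: [Services Control] iexplore.exe
""".strip().splitlines()


@dataclass
class Finding:
    line: str
    severity: str   # "high", "medium" or "low"
    reasons: list


def parse_autostart(line):
    """Split one DDS autostart line into hive, key, entry name and value, or None."""
    m = AUTOSTART_RE.match(line.strip())
    return m.groupdict() if m else None


def executable_of(value):
    """Return the executable token of a Run value, without quotes or arguments."""
    value = value.strip()
    if value.startswith('"'):
        end = value.find('"', 1)
        return value[1:end] if end > 0 else value[1:]
    return value.split()[0] if value else ""


def triage(lines):
    """Score every autostart line; lines with no reason to look closer are dropped."""
    findings = []
    for line in lines:
        entry = parse_autostart(line)
        if entry is None:
            continue
        exe = executable_of(entry["value"])
        base = exe.rsplit("\\", 1)[-1].lower()
        reasons = []
        if base in SUSPECT_BINARIES:
            reasons.append(f"{base} launched at logon; no installer registers this")
        if entry["key"] in UNUSUAL_KEYS:
            reasons.append(f"{entry['key']} key is not used by ordinary software")
        if "\\" not in exe:
            # Weak signal on its own: the Realtek RTHDCPL.EXE entry in the same
            # log is legitimate and also lacks a path. It resolves through the
            # PATH search order, which is why a closer look is still worthwhile.
            reasons.append("bare file name, resolved through the PATH search order")
        if not reasons:
            continue
        if base in SUSPECT_BINARIES:
            severity = "high"
        elif entry["key"] in UNUSUAL_KEYS:
            severity = "medium"
        else:
            severity = "low"
        findings.append(Finding(line.strip(), severity, reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_REPORT):
        print(f"[{f.severity:6}] {f.line}")
        for r in f.reasons:
            print(f"         - {r}")
```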

#3 schrauber
  • Mr.Mechanic
  • Malware Response Team
  • 24,794 posts
  • Gender:Male
  • Location:Munich,Germany

Posted 27 June 2009 - 01:25 PM

Hello morba and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

Edited by schrauber, 27 June 2009 - 01:29 PM.

regards,
schrauber


If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware.

#4 morba
  • Topic Starter
  • Members
  • 10 posts

Posted 28 June 2009 - 10:30 AM

Hello Schrauber,

Yesterday I decided to try to solve the problem by myself. (I keep a weekly backup of my computer.) Through HJT and in safe mode I eliminated the O4 processes iexplore.exe (there were three of them); I also emptied my AVG virus vault (which had the Win32/Heur virus). Afterwards I ran AVG and Malwarebytes in safe mode and it all seems to be fine. IE explorer has not reopened ever since, and my computer is working great.

Thanks for your help; perhaps I didn't get my answer through this forum, but the HJT descriptions on the site are very useful.

Morba

Attached is my DDS log; please do tell me if you think there is any other action I should take.


DDS (Ver_09-06-26.01) - NTFSx86
Run by Francisco Morales at 10:27:45.45 on 28/06/2009
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_14
Microsoft Windows XP Professional 5.1.2600.3.1252.34.3082.18.1014.480 [GMT -5:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Archivos de programa\Lenovo\Bluetooth Software\bin\btwdins.exe
C:\Archivos de programa\Nero\Nero 7\InCD\InCDsrv.exe
C:\Archivos de programa\Java\jre6\bin\jqs.exe
C:\Archivos de programa\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\igfxpers.exe
C:\ARCHIV~1\AVG\AVG8\avgtray.exe
C:\Archivos de programa\Nero\Nero 7\InCD\NBHGui.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\sm56hlpr.exe
C:\Archivos de programa\IUSACELL\CDU680DORA\BIN\RDVCHG.EXE
C:\Archivos de programa\Archivos comunes\Real\Update_OB\realsched.exe
C:\Archivos de programa\Nero\Nero 7\InCD\InCD.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Archivos de programa\Messenger\msmsgs.exe
C:\Archivos de programa\Lenovo\Bluetooth Software\BTTray.exe
C:\ARCHIV~1\Lenovo\BLUETO~1\BTSTAC~1.EXE
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\Archivos de programa\Mozilla Firefox\firefox.exe
C:\ARCHIV~1\AVG\AVG8\avgwdsvc.exe
C:\ARCHIV~1\AVG\AVG8\avgrsx.exe
C:\Documents and Settings\Francisco Morales\Escritorio\dds.scr

============== Pseudo HJT Report ===============

mDefault_Search_URL = hxxp://toolbar.ask.com/toolbarv/askRedirect?o=10615&gct=&gc=1&q=
uSearchURL,(Default) = hxxp://toolbar.ask.com/toolbarv/askRedirect?o=10615&gct=&gc=1&q=%s
uURLSearchHooks: DefaultSearchHook Class: {c94e154b-1459-4a47-966b-4b843befc7db} - c:\archivos de programa\asksearch\bin\DefaultSearch.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\archivos de programa\archivos comunes\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\archivos de programa\avg\avg8\avgssie.dll
BHO: Windows Live Aplicación auxiliar de inicio de sesión: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\archivos de programa\archivos comunes\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\archivos de programa\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\archivos de programa\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: ncikuToolBar: {77d8dc41-9ce3-42e2-af46-84f9686bfe21} - c:\archivos de programa\nciku\toolbar\ncikuToolbar_0_5_1_74.dll
TB: {3041D03E-FD4B-44E0-B742-2D9B88305F98} - No File
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\archivos de programa\messenger\msmsgs.exe" /background
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [AVG8_TRAY] c:\archiv~1\avg\avg8\avgtray.exe
mRun: [SecurDisc] c:\archivos de programa\nero\nero 7\incd\NBHGui.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [SMSERIAL] c:\windows\sm56hlpr.exe
mRun: [IUSACELL_CDU680] c:\archivos de programa\iusacell\cdu680dora\bin\RDVCHG.EXE
mRun: [TkBellExe] "c:\archivos de programa\archivos comunes\real\update_ob\realsched.exe" -osboot
mRun: [QuickTime Task] "c:\archivos de programa\quicktime\QTTask.exe" -atboottime
mRun: [LanguageShortcut] "c:\archivos de programa\cyberlink\powerdvd\language\Language.exe"
mRun: [Adobe Reader Speed Launcher] "c:\archivos de programa\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [NeroFilterCheck] c:\archivos de programa\archivos comunes\ahead\lib\NeroCheck.exe
mRun: [InCD] c:\archivos de programa\nero\nero 7\incd\InCD.exe
mRun: [SunJavaUpdateSched] "c:\archivos de programa\java\jre6\bin\jusched.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\alluse~1\menini~1\progra~1\inicio\bttray.lnk - c:\archivos de programa\lenovo\bluetooth software\BTTray.exe
IE: E&xportar a Microsoft Excel - c:\archiv~1\micros~2\office12\EXCEL.EXE/3000
IE: Enviar a &Bluetooth - c:\archivos de programa\lenovo\bluetooth software\btsendto_ie_ctx.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\archivos de programa\lenovo\bluetooth software\btsendto_ie.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\archivos de programa\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\archiv~1\micros~2\office12\REFIEBAR.DLL
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://go.microsoft.com/fwlink/?linkid=58813
DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} - hxxp://www.kaspersky.com/kos/spanish/kavwebscan_unicode.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1229386718875
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1229454182609
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\archivos de programa\avg\avg8\avgpp.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\archiv~1\archiv~1\skype\SKYPE4~1.DLL
Notify: !SASWinLogon - c:\archivos de programa\superantispyware\SASWINLO.DLL
Notify: avgrsstarter - avgrsstx.dll
Notify: igfxcui - igfxdev.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\archivos de programa\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\franci~1\datosd~1\mozilla\firefox\profiles\tlzh5o3w.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.eficienciainformativa.com/mm/
FF - prefs.js: keyword.URL - hxxp://toolbar.ask.com/toolbarv/askRedirect?o=10615&gct=&gc=1&q=
FF - component: c:\archivos de programa\nokia\nokia pc suite 7\bkmrksync\components\BkMrkExt.dll
FF - plugin: c:\archivos de programa\opera\program\plugins\npdivx32.dll
FF - plugin: c:\documents and settings\francisco morales\datos de programa\mozilla\firefox\profiles\tlzh5o3w.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp071301000019.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\archivos de programa\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-12-15 327688]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-12-15 27784]
R1 SASDIFSV;SASDIFSV;c:\archivos de programa\superantispyware\SASDIFSV.SYS [2008-12-4 9968]
R1 SASKUTIL;SASKUTIL;c:\archivos de programa\superantispyware\SASKUTIL.SYS [2008-12-4 55024]
R2 avg8wd;AVG8 WatchDog;c:\archiv~1\avg\avg8\avgwdsvc.exe [2009-1-29 298776]
S3 cmusbser;%CMUSBSER%;c:\windows\system32\drivers\cmusbser.sys [2009-1-13 87040]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\16.tmp --> c:\windows\system32\16.tmp [?]
S3 SASENUM;SASENUM;c:\archivos de programa\superantispyware\SASENUM.SYS [2008-12-4 7408]
S4 ASKService;ASKService;c:\archivos de programa\askbardis\bar\bin\AskService.exe [2009-2-7 464264]
S4 ASKUpgrade;ASKUpgrade;c:\archivos de programa\askbardis\bar\bin\ASKUpgrade.exe [2009-2-7 234888]

=============== Created Last 30 ================

2009-06-26 21:24 73,728 a------- c:\windows\system32\javacpl.cpl
2009-06-26 21:00 <DIR> --d----- c:\archivos de programa\Sophos
2009-06-23 17:53 268 a---h--- C:\sqmdata14.sqm
2009-06-23 17:53 244 a---h--- C:\sqmnoopt14.sqm
2009-06-23 14:01 <DIR> --d----- c:\windows\system32\appmgmt
2009-06-23 13:50 <DIR> --d----- c:\archivos de programa\Trend Micro
2009-06-23 13:38 268 a---h--- C:\sqmdata13.sqm
2009-06-23 13:38 244 a---h--- C:\sqmnoopt13.sqm
2009-06-20 09:51 <DIR> --d----- c:\archivos de programa\Free PDF to Word Doc Converter
2009-06-01 16:57 10,368 ac------ c:\windows\system32\dllcache\hidusb.sys
2009-06-01 16:57 10,368 a------- c:\windows\system32\drivers\hidusb.sys

==================== Find3M ====================

2009-06-28 10:19 327,688 a------- c:\windows\system32\drivers\avgldx86.sys
2009-06-28 10:19 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-06-26 21:24 410,984 a------- c:\windows\system32\deploytk.dll
2009-06-26 20:49 366,400 a------- c:\windows\system32\perfh00A.dat
2009-06-26 20:49 52,652 a------- c:\windows\system32\perfc00A.dat
2009-05-07 10:33 347,648 a------- c:\windows\system32\localspl.dll
2009-04-28 23:34 669,184 a------- c:\windows\system32\wininet.dll
2009-04-28 23:34 81,920 a------- c:\windows\system32\ieencode.dll
2009-04-19 14:50 1,847,296 a------- c:\windows\system32\win32k.sys
2009-04-15 09:54 585,216 a------- c:\windows\system32\rpcrt4.dll

============= FINISH: 10:28:06.17 ===============


#5 PropagandaPanda
  • Malware Response Team
  • 10,433 posts
  • Gender:Male

Posted 29 June 2009 - 01:21 PM

Hello.

It looks like the active infection was removed successfully.

There are components of AskBar on your computer. These are considered adware, though they don't do anything "bad". Would you like to remove them?

Download and Run FlashDisinfector
You may have had a flash drive infection. These worms travel through your portable drives. If they have been connected to other machines, they may now be infected.
  • Please download Flash_Disinfector.exe by sUBs and save it to your desktop.
  • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
  • The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.
  • Wait until it has finished scanning and then exit the program.
  • Reboot your computer when done.
Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive plugged in when you ran it. Don't delete this folder. It will help protect your drives from future infection.

Submit File to Online Scanner
There is a file that I would like you to check out for me using an online scanner.
  • Open VirusTotal, Jotti or VirSCAN. If one site is busy or down, try the other
  • At the top of the page you'll see a box. Paste in the following line(s) (do one line at a time).
  • c:\archivos de programa\nciku\toolbar\ncikuToolbar_0_5_1_74.dll
  • Click Submit.
  • Wait for the scan to finish.
  • Copy Scanner Results into your next reply.
  • If more than one file was listed, repeat for each of them.
Run Scan with Kaspersky
Please do a scan with Kaspersky Online Scanner.

If you are using Windows Vista, open your browser by right-clicking on its icon and select Run as administrator to perform this scan.
  • Please disable your realtime protection software before proceeding. Refer to this page if you are unsure how.
  • Open the Kaspersky Scanner page.
  • Click on Accept and install any components it needs.
  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded, on the left side of the page in the Scan section select My Computer.
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, click on View scan report.
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
You can refer to this animation by sundavis.

This scanner will only scan. It does not remove any malware it finds.
With Regards,
The Panda
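
The autorun.inf folder trick described in the post above (a protective folder where a worm would need to drop a file) can be checked for directly on a drive root. The script below is an added example, not Flash_Disinfector's code and not from the thread; the drive roots and the autorun.inf content it inspects are constructed in a temporary directory, and the key names it flags are the example's own assumptions about what an [autorun] section can launch.

```python
"""Classify the autorun.inf state of a drive root, following post #5.

Added example, not Flash_Disinfector's code and not from the thread.
Flash_Disinfector leaves a hidden *folder* named autorun.inf on every drive it
touches (the Kaspersky log in post #6 shows one, with a reserved-device-name
subfolder inside it so normal file tools cannot remove it). A USB worm needs to
drop a *file* of that name, which an existing folder prevents. The code tells the
two apart and, when a file is present, reports the [autorun] keys that would
launch something. Sample drive roots are constructed in a temporary directory.
"""
import os
import tempfile

# Keys in the [autorun] section that can launch a program on insertion/double-click.
LAUNCH_KEYS = ("open", "shellexecute")

# Constructed sample of the classic worm pattern; not copied from any real sample.
SAMPLE_AUTORUN_INF = """\
[AutoRun]
; constructed sample for the demo below
open=setup.exe
shell\\open\\Command=setup.exe
icon=%SystemRoot%\\system32\\SHELL32.dll,4
action=Open folder to view files
"""


def parse_ini(text):
    """Minimal, case-insensitive INI parser that tolerates junk lines.

    configparser is deliberately not used: a single malformed line makes it raise
    and hide the keys we care about, and real autorun.inf files are often sloppy.
    """
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, [])
            continue
        if current is None or "=" not in line:
            continue  # text before the first section, or a line with no key=value
        key, _, value = line.partition("=")
        sections[current].append((key.strip().lower(), value.strip()))
    return sections


def launch_commands(inf_path):
    """Return (key, value) pairs under [autorun] that launch something."""
    with open(inf_path, "r", encoding="latin-1", errors="replace") as fh:
        entries = parse_ini(fh.read()).get("autorun", [])
    hits = []
    for key, value in entries:
        if key in LAUNCH_KEYS or (key.startswith("shell\\") and key.endswith("\\command")):
            hits.append((key, value))
    return hits


def classify_autorun(drive_root):
    """Return ("protected" | "absent" | "file", launch entries) for a drive root."""
    path = os.path.join(drive_root, "autorun.inf")
    if os.path.isdir(path):
        return "protected", []      # Flash_Disinfector's placeholder folder
    if not os.path.exists(path):
        return "absent", []
    return "file", launch_commands(path)


def build_sample_drives(base):
    """Create three constructed drive roots under base and return their paths."""
    roots = {name: os.path.join(base, name) for name in ("protected", "clean", "suspect")}
    os.makedirs(os.path.join(roots["protected"], "autorun.inf"))
    os.makedirs(roots["clean"])
    os.makedirs(roots["suspect"])
    with open(os.path.join(roots["suspect"], "autorun.inf"), "w", encoding="ascii") as fh:
        fh.write(SAMPLE_AUTORUN_INF)
    return roots


def demo():
    """Build the sample drives in a temp dir and classify each one."""
    roots = build_sample_drives(tempfile.mkdtemp(prefix="autorun_demo_"))
    return {name: classify_autorun(root) for name, root in roots.items()}


if __name__ == "__main__":
    for name, (state, hits) in demo().items():
        print(f"{name:9} -> {state}" + (f"  {hits}" if hits else ""))
```

To check a real removable drive, pass its root (for example `E:\`) to `classify_autorun` instead of the constructed roots.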

#6 morba
  • Topic Starter
  • Members
  • 10 posts

Posted 29 June 2009 - 03:35 PM

Hey Panda,

Thanks for your time. Please do tell me how to get rid of the Askbar; I find it incredibly annoying.

1. I ran Flash_disinfector.exe; it told me everything was fine.

2. I ran the VirusTotal check on the NCIKU toolbar; it's a program I added to Explorer (it's a Chinese-English dictionary). No problems were found with the file.

3. Lastly, this is my log for my Kaspersky virus check (I live in Mexico, hope you don't mind the Spanish; no virus/threats were detected).

Best regards,

Morba

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER INFORME
lunes, 29 de junio de 2009 15:25:59
Sistema operativo: Microsoft Windows XP Professional, Service Pack 3 (Build 2600)
Kaspersky Online Scanner versión: 5.0.84.2
Ultima actualización: 29/06/2009
Registros en la base antivirus: 2173460
-------------------------------------------------------------------------------

Configuración del análisis:
Analizar usando las siguientes bases: standard
Analizar archivos: verdadero
Analizar bases de correo: verdadero

Objetivo a analizar - Mi PC:
C:\
D:\

Estadísticas:
Número de objeros analizados: 47487
Virus encontrados: 0
Objetos infectados: 0 / 0
Objetos sospechosos: 0
Duración del análisis: 01:07:57

Bombre del objeto infectado / Nombre del virus / Última acción
C:\autorun.inf\lpt3.This folder was created by Flash_Disinfector Object is locked saltado
C:\Documents and Settings\All Users\Datos de programa\avg8\Log\avgcore.log Object is locked saltado
C:\Documents and Settings\All Users\Datos de programa\avg8\Log\avgrs.log Object is locked saltado
C:\Documents and Settings\All Users\Datos de programa\avg8\Log\avgui.log Object is locked saltado
C:\Documents and Settings\Francisco Morales\Configuración local\Archivos temporales de Internet\Content.IE5\index.dat Object is locked saltado
C:\Documents and Settings\Francisco Morales\Configuración local\Datos de programa\Microsoft\Windows\UsrClass.dat Object is locked saltado
C:\Documents and Settings\Francisco Morales\Configuración local\Datos de programa\Microsoft\Windows\UsrClass.dat.LOG Object is locked saltado
C:\Documents and Settings\Francisco Morales\Configuración local\Historial\History.IE5\index.dat Object is locked saltado
C:\Documents and Settings\Francisco Morales\Configuración local\Historial\History.IE5\MSHist012009062920090630\index.dat Object is locked saltado
C:\Documents and Settings\Francisco Morales\Configuración local\Temp\Perflib_Perfdata_7f4.dat Object is locked saltado
C:\Documents and Settings\Francisco Morales\Cookies\index.dat Object is locked saltado
C:\Documents and Settings\Francisco Morales\ntuser.dat Object is locked saltado
C:\Documents and Settings\Francisco Morales\ntuser.dat.LOG Object is locked saltado
C:\Documents and Settings\LocalService\Configuración local\Archivos temporales de Internet\Content.IE5\index.dat Object is locked saltado
C:\Documents and Settings\LocalService\Configuración local\Datos de programa\Microsoft\Windows\UsrClass.dat Object is locked saltado
C:\Documents and Settings\LocalService\Configuración local\Datos de programa\Microsoft\Windows\UsrClass.dat.LOG Object is locked saltado
C:\Documents and Settings\LocalService\Configuración local\Historial\History.IE5\index.dat Object is locked saltado
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked saltado
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked saltado
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked saltado
C:\Documents and Settings\NetworkService\Configuración local\Datos de programa\Microsoft\Windows\UsrClass.dat Object is locked saltado
C:\Documents and Settings\NetworkService\Configuración local\Datos de programa\Microsoft\Windows\UsrClass.dat.LOG Object is locked saltado
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked saltado
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked saltado
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked saltado
C:\WINDOWS\Debug\PASSWD.LOG Object is locked saltado
C:\WINDOWS\SchedLgU.Txt Object is locked saltado
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked saltado
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked saltado
C:\WINDOWS\system32\config\default Object is locked saltado
C:\WINDOWS\system32\config\default.LOG Object is locked saltado
C:\WINDOWS\system32\config\ODiag.evt Object is locked saltado
C:\WINDOWS\system32\config\OSession.evt Object is locked saltado
C:\WINDOWS\system32\config\SAM Object is locked saltado
C:\WINDOWS\system32\config\SAM.LOG Object is locked saltado
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked saltado
C:\WINDOWS\system32\config\SECURITY Object is locked saltado
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked saltado
C:\WINDOWS\system32\config\software Object is locked saltado
C:\WINDOWS\system32\config\software.LOG Object is locked saltado
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked saltado
C:\WINDOWS\system32\config\system Object is locked saltado
C:\WINDOWS\system32\config\system.LOG Object is locked saltado
C:\WINDOWS\system32\h323log.txt Object is locked saltado
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked saltado
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked saltado
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked saltado
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked saltado
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked saltado
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked saltado
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked saltado
C:\WINDOWS\Temp\Perflib_Perfdata_4c0.dat Object is locked saltado
C:\WINDOWS\WindowsUpdate.log Object is locked saltado

Análisis completado.

Edited by morba, 29 June 2009 - 03:36 PM.


#7 PropagandaPanda
  • Malware Response Team
  • 10,433 posts

Posted 29 June 2009 - 05:55 PM

Hello.

Let's remove the AskBar components then. It's a bit annoying since it doesn't register in the Add/Remove Programs.

Install ERUNT
This tool will create a complete backup of your registry. After every reboot, a new backup is created to ensure we have a safety net after each step. Do not delete these backups until we are finished.

Do not use the NTREGOPT that comes with the installation package.
  • Please download erunt-setup.exe to your desktop.
  • Double click erunt-setup.exe. If you are using Windows Vista, right click the icon and select "Run As Administrator." Follow the prompts and allow ERUNT to be installed with the settings at default. If you do not want a Desktop icon, feel free to uncheck that. When asked if you want to create an ERUNT entry in the startup folder, answer Yes only if you are using Windows XP. You can delete the installation file after use.
  • Erunt will open when the installation is finished. Check all items to be backed up in the default location and click OK.
You can find a complete guide to using the program here:
http://www.larshederer.homepage.t-online.de/erunt/erunt.txt

When we are finished, you may remove ERUNT using Add/Remove Programs.

Download and Run OTMoveIT
  • Please download OTM by OldTimer to your desktop. If you have already used the program, there is no need to download a new one.
  • Double-click OTMoveIt3.exe to run it. If you are running on Vista, right click on the file and choose Run As Administrator.
  • Copy the lines in the codebox below. Do not copy the word "code".
    :services
    ASKService
    ASKUpgrade
    
    :processes
    iexplore.exe
    
    :reg
    [HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main]
    "Default_Search_URL"=-
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer]
    "SearchURL"=-
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks]
    "{c94e154b-1459-4a47-966b-4b843befc7db}"=-
    [-HKEY_CLASSES_ROOT\CLSID\{c94e154b-1459-4a47-966b-4b843befc7db}]
    
    :files
    c:\archivos de programa\askbardis\
    c:\archivos de programa\asksearch\
  • Return to OTMoveIt3, right click in the Paste List Of Files/Patterns To Move window (under the yellow bar) and choose Paste.
  • Close all open windows except OTMoveIt.
  • Click the Posted Image button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt3.
Note: If a file or folder cannot be moved immediately, you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key. Navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest ".log" file present, and copy/paste the contents of that document back here in your next post.

Create and Run Batch Script
  • Copy the following into a notepad (Start>Run>"notepad"). Do not copy the word "code".
    @ECHO OFF
    TYPE "c:\docume~1\franci~1\datosd~1\mozilla\firefox\profiles\tlzh5o3w.default\prefs.js" > "c:\docume~1\franci~1\datosd~1\mozilla\firefox\profiles\tlzh5o3w.default\prefs.js.backup"
    FINDSTR.EXE /l /v /i /c:"keyword.URL - http://toolbar.ask.com/toolbarv/askRedirect?o=10615&gct=&gc=1&q=" "c:\docume~1\franci~1\datosd~1\mozilla\firefox\profiles\tlzh5o3w.default\prefs.js.backup" > "c:\docume~1\franci~1\datosd~1\mozilla\firefox\profiles\tlzh5o3w.default\prefs.js"
    DEL %0
  • Click File, then Save As... .
  • Click Desktop on the left.
  • Under the Save as type dropdown, select All Files.
  • In the box File Name, input fix.bat
  • Hit OK.
When done properly, the icon should look like Posted Image.

Double click Fix.bat. A command prompt window will flash open and close quickly.
Take a new DDS.txt log after please.

With Regards,
The Panda

#8 morba
  • Topic Starter
  • Members
  • 10 posts

Posted 29 June 2009 - 10:39 PM

Hey Panda thanks,

Here are my results:

1. OTM


========== SERVICES/DRIVERS ==========

Service\Driver ASKService deleted successfully.

Service\Driver ASKUpgrade deleted successfully.
========== PROCESSES ==========
No active process named iexplore.exe was found!
========== REGISTRY ==========
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\\Default_Search_URL deleted successfully.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\\SearchURL not found.
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks\\{c94e154b-1459-4a47-966b-4b843befc7db} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{c94e154b-1459-4a47-966b-4b843befc7db}\ deleted successfully.
Registry key HKEY_CLASSES_ROOT\CLSID\{c94e154b-1459-4a47-966b-4b843befc7db}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{c94e154b-1459-4a47-966b-4b843befc7db}\ not found.
========== FILES ==========
c:\archivos de programa\AskBarDis\bar\Settings moved successfully.
c:\archivos de programa\AskBarDis\bar\History moved successfully.
c:\archivos de programa\AskBarDis\bar\Cache moved successfully.
c:\archivos de programa\AskBarDis\bar\bin moved successfully.
c:\archivos de programa\AskBarDis\bar moved successfully.
c:\archivos de programa\AskBarDis moved successfully.
c:\archivos de programa\AskSearch\bin moved successfully.
c:\archivos de programa\AskSearch moved successfully.

OTM by OldTimer - Version 3.0.0.2 log created on 06292009_222706

2. DDS log


DDS (Ver_09-06-26.01) - NTFSx86
Run by Francisco Morales at 22:33:54.31 on 29/06/2009
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_14
Microsoft Windows XP Professional 5.1.2600.3.1252.34.3082.18.1014.574 [GMT -5:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\igfxpers.exe
C:\ARCHIV~1\AVG\AVG8\avgtray.exe
C:\Archivos de programa\Nero\Nero 7\InCD\NBHGui.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\sm56hlpr.exe
svchost.exe
C:\Archivos de programa\IUSACELL\CDU680DORA\BIN\RDVCHG.EXE
C:\Archivos de programa\Archivos comunes\Real\Update_OB\realsched.exe
C:\Archivos de programa\Adobe\Reader 9.0\Reader\Reader_sl.exe
C:\Archivos de programa\Nero\Nero 7\InCD\InCD.exe
C:\Archivos de programa\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Archivos de programa\Messenger\msmsgs.exe
C:\Archivos de programa\Lenovo\Bluetooth Software\BTTray.exe
C:\ARCHIV~1\AVG\AVG8\avgwdsvc.exe
C:\Archivos de programa\Lenovo\Bluetooth Software\bin\btwdins.exe
C:\Archivos de programa\Nero\Nero 7\InCD\InCDsrv.exe
C:\Archivos de programa\Java\jre6\bin\jqs.exe
C:\Archivos de programa\CyberLink\Shared Files\RichVideo.exe
C:\ARCHIV~1\Lenovo\BLUETO~1\BTSTAC~1.EXE
C:\ARCHIV~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Francisco Morales\Escritorio\dds.scr

============== Pseudo HJT Report ===============

uSearchURL,(Default) = hxxp://toolbar.ask.com/toolbarv/askRedirect?o=10615&gct=&gc=1&q=%s
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\archivos de programa\archivos comunes\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\archivos de programa\avg\avg8\avgssie.dll
BHO: Windows Live Aplicación auxiliar de inicio de sesión: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\archivos de programa\archivos comunes\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\archivos de programa\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\archivos de programa\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: ncikuToolBar: {77d8dc41-9ce3-42e2-af46-84f9686bfe21} - c:\archivos de programa\nciku\toolbar\ncikuToolbar_0_5_1_74.dll
TB: {3041D03E-FD4B-44E0-B742-2D9B88305F98} - No File
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\archivos de programa\messenger\msmsgs.exe" /background
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [AVG8_TRAY] c:\archiv~1\avg\avg8\avgtray.exe
mRun: [SecurDisc] c:\archivos de programa\nero\nero 7\incd\NBHGui.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [SMSERIAL] c:\windows\sm56hlpr.exe
mRun: [IUSACELL_CDU680] c:\archivos de programa\iusacell\cdu680dora\bin\RDVCHG.EXE
mRun: [TkBellExe] "c:\archivos de programa\archivos comunes\real\update_ob\realsched.exe" -osboot
mRun: [QuickTime Task] "c:\archivos de programa\quicktime\QTTask.exe" -atboottime
mRun: [LanguageShortcut] "c:\archivos de programa\cyberlink\powerdvd\language\Language.exe"
mRun: [Adobe Reader Speed Launcher] "c:\archivos de programa\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [NeroFilterCheck] c:\archivos de programa\archivos comunes\ahead\lib\NeroCheck.exe
mRun: [InCD] c:\archivos de programa\nero\nero 7\incd\InCD.exe
mRun: [SunJavaUpdateSched] "c:\archivos de programa\java\jre6\bin\jusched.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\franci~1\menini~1\progra~1\inicio\erunta~1.lnk - c:\archivos de programa\erunt\AUTOBACK.EXE
StartupFolder: c:\docume~1\alluse~1\menini~1\progra~1\inicio\bttray.lnk - c:\archivos de programa\lenovo\bluetooth software\BTTray.exe
IE: E&xportar a Microsoft Excel - c:\archiv~1\micros~2\office12\EXCEL.EXE/3000
IE: Enviar a &Bluetooth - c:\archivos de programa\lenovo\bluetooth software\btsendto_ie_ctx.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\archivos de programa\lenovo\bluetooth software\btsendto_ie.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\archivos de programa\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\archiv~1\micros~2\office12\REFIEBAR.DLL
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://go.microsoft.com/fwlink/?linkid=58813
DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} - hxxp://www.kaspersky.com/kos/spanish/kavwebscan_unicode.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1229386718875
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1229454182609
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\archivos de programa\avg\avg8\avgpp.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\archiv~1\archiv~1\skype\SKYPE4~1.DLL
Notify: !SASWinLogon - c:\archivos de programa\superantispyware\SASWINLO.DLL
Notify: avgrsstarter - avgrsstx.dll
Notify: igfxcui - igfxdev.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\archivos de programa\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\franci~1\datosd~1\mozilla\firefox\profiles\tlzh5o3w.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.eficienciainformativa.com/mm/
FF - prefs.js: keyword.URL - hxxp://toolbar.ask.com/toolbarv/askRedirect?o=10615&gct=&gc=1&q=
FF - component: c:\archivos de programa\nokia\nokia pc suite 7\bkmrksync\components\BkMrkExt.dll
FF - plugin: c:\archivos de programa\opera\program\plugins\npdivx32.dll
FF - plugin: c:\documents and settings\francisco morales\datos de programa\mozilla\firefox\profiles\tlzh5o3w.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp071301000019.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\archivos de programa\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-12-15 327688]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-12-15 27784]
R1 SASDIFSV;SASDIFSV;c:\archivos de programa\superantispyware\SASDIFSV.SYS [2008-12-4 9968]
R1 SASKUTIL;SASKUTIL;c:\archivos de programa\superantispyware\SASKUTIL.SYS [2008-12-4 55024]
R2 avg8wd;AVG8 WatchDog;c:\archiv~1\avg\avg8\avgwdsvc.exe [2009-1-29 298776]
S3 cmusbser;%CMUSBSER%;c:\windows\system32\drivers\cmusbser.sys [2009-1-13 87040]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\16.tmp --> c:\windows\system32\16.tmp [?]
S3 SASENUM;SASENUM;c:\archivos de programa\superantispyware\SASENUM.SYS [2008-12-4 7408]

=============== Created Last 30 ================

2009-06-29 22:27 <DIR> --d----- C:\_OTM
2009-06-29 14:14 <DIR> --ds---- c:\documents and settings\francisco morales\UserData
2009-06-29 13:58 <DIR> a-dshr-- C:\autorun.inf
2009-06-26 21:24 73,728 a------- c:\windows\system32\javacpl.cpl
2009-06-26 21:00 <DIR> --d----- c:\archivos de programa\Sophos
2009-06-23 17:53 268 a---h--- C:\sqmdata14.sqm
2009-06-23 17:53 244 a---h--- C:\sqmnoopt14.sqm
2009-06-23 14:01 <DIR> --d----- c:\windows\system32\appmgmt
2009-06-23 13:50 <DIR> --d----- c:\archivos de programa\Trend Micro
2009-06-23 13:38 268 a---h--- C:\sqmdata13.sqm
2009-06-23 13:38 244 a---h--- C:\sqmnoopt13.sqm
2009-06-20 09:51 <DIR> --d----- c:\archivos de programa\Free PDF to Word Doc Converter
2009-06-01 16:57 10,368 ac------ c:\windows\system32\dllcache\hidusb.sys
2009-06-01 16:57 10,368 a------- c:\windows\system32\drivers\hidusb.sys

==================== Find3M ====================

2009-06-28 10:19 327,688 a------- c:\windows\system32\drivers\avgldx86.sys
2009-06-28 10:19 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-06-26 21:24 410,984 a------- c:\windows\system32\deploytk.dll
2009-06-26 20:49 366,400 a------- c:\windows\system32\perfh00A.dat
2009-06-26 20:49 52,652 a------- c:\windows\system32\perfc00A.dat
2009-05-07 10:33 347,648 a------- c:\windows\system32\localspl.dll
2009-04-28 23:34 669,184 a------- c:\windows\system32\wininet.dll
2009-04-28 23:34 81,920 a------- c:\windows\system32\ieencode.dll
2009-04-19 14:50 1,847,296 a------- c:\windows\system32\win32k.sys
2009-04-15 09:54 585,216 a------- c:\windows\system32\rpcrt4.dll

============= FINISH: 22:34:15.64 ===============

#9 morba
  • Topic Starter
  • Members
  • 10 posts

Posted 29 June 2009 - 10:42 PM

So I think we got rid of it from IE, but it is still nagging me on Firefox, which is unfortunate because it is the browser I use. The fix.bat icon looked exactly as you told me it would, and when I ran it, it flashed once and then closed.

#10 PropagandaPanda
  • Malware Response Team
  • 10,433 posts

Posted 30 June 2009 - 08:54 AM

Hello.

Please run this batch script and take a new DDS log after.

TYPE "c:\docume~1\franci~1\datosd~1\mozilla\firefox\profiles\tlzh5o3w.default\prefs.js" > "c:\docume~1\franci~1\datosd~1\mozilla\firefox\profiles\tlzh5o3w.default\prefs.js.backup"
FINDSTR.EXE /i /l /v /c:"toolbar.ask.com" "c:\docume~1\franci~1\datosd~1\mozilla\firefox\profiles\tlzh5o3w.default\prefs.js.backup" > "c:\docume~1\franci~1\datosd~1\mozilla\firefox\profiles\tlzh5o3w.default\prefs.js"

With Regards,
The Panda
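The two batch scripts above (posts #7 and #10) filter the Ask redirect out of prefs.js with FINDSTR /v; the first one's search string uses DDS's "keyword.URL - http://..." display form, which never occurs verbatim in prefs.js, where Firefox stores each setting as a user_pref("keyword.URL", "..."); line, so only the second script's plain "toolbar.ask.com" substring can match. This added Python example (not the helper's script) does the same clean-up by parsing the user_pref() lines, touching only search-related prefs and backing the file up first; the sample prefs.js content and the SEARCH_PREFS set are constructed for the demo.

```python
"""
Strip a search hijacker's entries out of a Firefox prefs.js by parsing
user_pref() lines instead of matching raw text (added example, not the
thread's own script).
"""
import re
import shutil
from pathlib import Path

# Firefox writes every preference as:  user_pref("name", value);
# where value is a quoted string, a number, or true/false.
PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.*)\);\s*$')

# Search-related prefs a hijacker typically rewrites (constructed list).
# Only these are touched, so an unrelated pref that merely mentions the
# domain (e.g. a site-specific permission) is left alone.
SEARCH_PREFS = {
    "keyword.URL",
    "browser.search.defaultenginename",
    "browser.search.selectedEngine",
    "browser.startup.homepage",
}


def parse_prefs(text):
    """Yield (line_number, name, raw_value) for every user_pref() line."""
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = PREF_RE.match(line)
        if m:
            yield lineno, m.group(1), m.group(2)


def find_hijacked(text, bad_domain):
    """Names of search-related prefs whose value points at bad_domain.
    Case-insensitive, like FINDSTR /i."""
    needle = bad_domain.lower()
    return [name for _, name, value in parse_prefs(text)
            if name in SEARCH_PREFS and needle in value.lower()]


def clean_prefs_text(text, bad_domain):
    """Return (cleaned_text, removed_names). Comments, blank lines and
    prefs that are not search related are kept byte for byte."""
    needle = bad_domain.lower()
    kept, removed = [], []
    for line in text.splitlines(keepends=True):
        m = PREF_RE.match(line)
        if m and m.group(1) in SEARCH_PREFS and needle in m.group(2).lower():
            removed.append(m.group(1))
            continue
        kept.append(line)
    return "".join(kept), removed


def clean_prefs_file(path, bad_domain):
    """Back prefs.js up to prefs.js.backup (what the thread's TYPE > redirect
    does) and rewrite it without the hijacked prefs. Firefox must be closed,
    or it will overwrite the file on exit. Returns the removed pref names."""
    path = Path(path)
    shutil.copyfile(path, path.with_name(path.name + ".backup"))
    cleaned, removed = clean_prefs_text(path.read_text(encoding="utf-8"),
                                        bad_domain)
    path.write_text(cleaned, encoding="utf-8")
    return removed


# Constructed sample resembling the profile in the thread's DDS log.
SAMPLE_PREFS = '''# Mozilla User Preferences
user_pref("browser.search.selectedEngine", "Google");
user_pref("browser.startup.homepage", "http://www.eficienciainformativa.com/mm/");
user_pref("keyword.URL", "http://toolbar.ask.com/toolbarv/askRedirect?o=10615&gct=&gc=1&q=");
user_pref("extensions.lastAppVersion", "3.0.11");
'''

if __name__ == "__main__":
    print("hijacked prefs:", find_hijacked(SAMPLE_PREFS, "toolbar.ask.com"))
    cleaned, removed = clean_prefs_text(SAMPLE_PREFS, "toolbar.ask.com")
    print("removed:", removed)
    print(cleaned)
```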

#11 morba
  • Topic Starter
  • Members
  • 10 posts

Posted 30 June 2009 - 03:28 PM

Hey Panda,

I think we got rid of it.

Thanks for all of your help!

DDS (Ver_09-06-26.01) - NTFSx86
Run by Francisco Morales at 10:28:31.17 on 30/06/2009
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_14
Microsoft Windows XP Professional 5.1.2600.3.1252.34.3082.18.1014.570 [GMT -5:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\ARCHIV~1\AVG\AVG8\avgwdsvc.exe
C:\Archivos de programa\Lenovo\Bluetooth Software\bin\btwdins.exe
C:\Archivos de programa\Nero\Nero 7\InCD\InCDsrv.exe
C:\Archivos de programa\Java\jre6\bin\jqs.exe
C:\Archivos de programa\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\Explorer.EXE
C:\ARCHIV~1\AVG\AVG8\avgrsx.exe
C:\ARCHIV~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\igfxpers.exe
C:\ARCHIV~1\AVG\AVG8\avgtray.exe
C:\Archivos de programa\Nero\Nero 7\InCD\NBHGui.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\sm56hlpr.exe
C:\Archivos de programa\IUSACELL\CDU680DORA\BIN\RDVCHG.EXE
C:\Archivos de programa\Archivos comunes\Real\Update_OB\realsched.exe
C:\Archivos de programa\Adobe\Reader 9.0\Reader\Reader_sl.exe
C:\Archivos de programa\Nero\Nero 7\InCD\InCD.exe
C:\Archivos de programa\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Archivos de programa\Messenger\msmsgs.exe
C:\Archivos de programa\Lenovo\Bluetooth Software\BTTray.exe
C:\ARCHIV~1\Lenovo\BLUETO~1\BTSTAC~1.EXE
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\Documents and Settings\Francisco Morales\Escritorio\dds.scr

============== Pseudo HJT Report ===============

uSearchURL,(Default) = hxxp://toolbar.ask.com/toolbarv/askRedirect?o=10615&gct=&gc=1&q=%s
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\archivos de programa\archivos comunes\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\archivos de programa\avg\avg8\avgssie.dll
BHO: Windows Live Aplicación auxiliar de inicio de sesión: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\archivos de programa\archivos comunes\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\archivos de programa\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\archivos de programa\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: ncikuToolBar: {77d8dc41-9ce3-42e2-af46-84f9686bfe21} - c:\archivos de programa\nciku\toolbar\ncikuToolbar_0_5_1_74.dll
TB: {3041D03E-FD4B-44E0-B742-2D9B88305F98} - No File
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\archivos de programa\messenger\msmsgs.exe" /background
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [AVG8_TRAY] c:\archiv~1\avg\avg8\avgtray.exe
mRun: [SecurDisc] c:\archivos de programa\nero\nero 7\incd\NBHGui.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [SMSERIAL] c:\windows\sm56hlpr.exe
mRun: [IUSACELL_CDU680] c:\archivos de programa\iusacell\cdu680dora\bin\RDVCHG.EXE
mRun: [TkBellExe] "c:\archivos de programa\archivos comunes\real\update_ob\realsched.exe" -osboot
mRun: [QuickTime Task] "c:\archivos de programa\quicktime\QTTask.exe" -atboottime
mRun: [LanguageShortcut] "c:\archivos de programa\cyberlink\powerdvd\language\Language.exe"
mRun: [Adobe Reader Speed Launcher] "c:\archivos de programa\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [NeroFilterCheck] c:\archivos de programa\archivos comunes\ahead\lib\NeroCheck.exe
mRun: [InCD] c:\archivos de programa\nero\nero 7\incd\InCD.exe
mRun: [SunJavaUpdateSched] "c:\archivos de programa\java\jre6\bin\jusched.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\franci~1\menini~1\progra~1\inicio\erunta~1.lnk - c:\archivos de programa\erunt\AUTOBACK.EXE
StartupFolder: c:\docume~1\alluse~1\menini~1\progra~1\inicio\bttray.lnk - c:\archivos de programa\lenovo\bluetooth software\BTTray.exe
IE: E&xportar a Microsoft Excel - c:\archiv~1\micros~2\office12\EXCEL.EXE/3000
IE: Enviar a &Bluetooth - c:\archivos de programa\lenovo\bluetooth software\btsendto_ie_ctx.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\archivos de programa\lenovo\bluetooth software\btsendto_ie.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\archivos de programa\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\archiv~1\micros~2\office12\REFIEBAR.DLL
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://go.microsoft.com/fwlink/?linkid=58813
DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} - hxxp://www.kaspersky.com/kos/spanish/kavwebscan_unicode.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1229386718875
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1229454182609
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\archivos de programa\avg\avg8\avgpp.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\archiv~1\archiv~1\skype\SKYPE4~1.DLL
Notify: !SASWinLogon - c:\archivos de programa\superantispyware\SASWINLO.DLL
Notify: avgrsstarter - avgrsstx.dll
Notify: igfxcui - igfxdev.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\archivos de programa\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\franci~1\datosd~1\mozilla\firefox\profiles\tlzh5o3w.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.eficienciainformativa.com/mm/
FF - component: c:\archivos de programa\nokia\nokia pc suite 7\bkmrksync\components\BkMrkExt.dll
FF - plugin: c:\archivos de programa\opera\program\plugins\npdivx32.dll
FF - plugin: c:\documents and settings\francisco morales\datos de programa\mozilla\firefox\profiles\tlzh5o3w.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp071301000019.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\archivos de programa\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-12-15 327688]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-12-15 27784]
R1 SASDIFSV;SASDIFSV;c:\archivos de programa\superantispyware\SASDIFSV.SYS [2008-12-4 9968]
R1 SASKUTIL;SASKUTIL;c:\archivos de programa\superantispyware\SASKUTIL.SYS [2008-12-4 55024]
R2 avg8wd;AVG8 WatchDog;c:\archiv~1\avg\avg8\avgwdsvc.exe [2009-1-29 298776]
S3 cmusbser;%CMUSBSER%;c:\windows\system32\drivers\cmusbser.sys [2009-1-13 87040]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\16.tmp --> c:\windows\system32\16.tmp [?]
S3 SASENUM;SASENUM;c:\archivos de programa\superantispyware\SASENUM.SYS [2008-12-4 7408]

=============== Created Last 30 ================

2009-06-29 22:27 <DIR> --d----- C:\_OTM
2009-06-29 14:14 <DIR> --ds---- c:\documents and settings\francisco morales\UserData
2009-06-29 13:58 <DIR> a-dshr-- C:\autorun.inf
2009-06-26 21:24 73,728 a------- c:\windows\system32\javacpl.cpl
2009-06-26 21:00 <DIR> --d----- c:\archivos de programa\Sophos
2009-06-23 17:53 268 a---h--- C:\sqmdata14.sqm
2009-06-23 17:53 244 a---h--- C:\sqmnoopt14.sqm
2009-06-23 14:01 <DIR> --d----- c:\windows\system32\appmgmt
2009-06-23 13:50 <DIR> --d----- c:\archivos de programa\Trend Micro
2009-06-23 13:38 268 a---h--- C:\sqmdata13.sqm
2009-06-23 13:38 244 a---h--- C:\sqmnoopt13.sqm
2009-06-20 09:51 <DIR> --d----- c:\archivos de programa\Free PDF to Word Doc Converter
2009-06-01 16:57 10,368 ac------ c:\windows\system32\dllcache\hidusb.sys
2009-06-01 16:57 10,368 a------- c:\windows\system32\drivers\hidusb.sys

==================== Find3M ====================

2009-06-28 10:19 327,688 a------- c:\windows\system32\drivers\avgldx86.sys
2009-06-28 10:19 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-06-26 21:24 410,984 a------- c:\windows\system32\deploytk.dll
2009-06-26 20:49 366,400 a------- c:\windows\system32\perfh00A.dat
2009-06-26 20:49 52,652 a------- c:\windows\system32\perfc00A.dat
2009-05-07 10:33 347,648 a------- c:\windows\system32\localspl.dll
2009-04-28 23:34 669,184 a------- c:\windows\system32\wininet.dll
2009-04-28 23:34 81,920 a------- c:\windows\system32\ieencode.dll
2009-04-19 14:50 1,847,296 a------- c:\windows\system32\win32k.sys
2009-04-15 09:54 585,216 a------- c:\windows\system32\rpcrt4.dll

============= FINISH: 10:29:02.45 ===============

#12 PropagandaPanda
  • Malware Response Team
  • 10,433 posts

Posted 01 July 2009 - 08:37 AM

Hello.

That looks good. Unless there are any issues at the moment, we can wrap up.

Run Cleanup! with OTMoveIt
Let's clear out the tools we've used.
  • Double click the OTM.exe icon on your desktop to start the program.
  • Click Posted Image.
  • A pop-up box will appear asking "Begin Removal Process?". Click Yes.
  • Click Yes when asked to reboot.
Set New System Restore Point
Now you should set a Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since System Restore is a protected directory, tools cannot access it to delete these bad files, which sometimes can reinfect your system. Setting a new restore point after cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:
  • Go to Start > Programs > Accessories > System Tools and click System Restore.
  • Choose the radio button marked Create a Restore Point on the first screen then click Next. Give the Restore Point a name then click Create.
  • Then, click on Start > Run and type:
    cleanmgr
  • Click OK > More Options tab.
  • Click Clean Up in the System Restore section to remove all previous restore points except the newly created one.
Preventing Malware Infection in the Future
Please take some time to look at the following links, giving some advice and suggestions for preventing future infections: For general slowness problems that you may have, take a look at Slow Computer/browser? It May Not Be Malware. Read How to use the Startup Database to identify and disable unneeded processes and increase the amount of available resources.

Do you have any questions or concerns?

With Regards,
The Panda

#13 morba
  • Topic Starter
  • Members
  • 10 posts

Posted 01 July 2009 - 01:31 PM

Hey Panda,

I took care of the OTM.

I didn't do a new system restore because I have System Restore disabled on my computer. I believe my Win XP runs faster like this, and I keep a regular backup of my computer (every week). Do you think I should have System Restore active?

Also, after reading the links you pointed me to, I was wondering whether it is much better to have a firewall other than the Win XP SP3 firewall?

Morba

#14 PropagandaPanda
  • Malware Response Team
  • 10,433 posts

Posted 01 July 2009 - 04:57 PM

Hello Morba.

System Restore will keep a copy of parts of the registry as well as program files.

If you image the whole disk, then there is no need to enable it. Otherwise, I would suggest you enable it. It's better to have a bit of slowness than an irrecoverable machine, however unlikely.

Any of the following firewalls are good choices. The main reason you would prefer a third-party firewall over the Windows XP Firewall is that Windows Firewall only stops incoming signals from accessing your computer. However, it will not stop programs (possibly ones that could intrude on your privacy) from sending outgoing signals to the Internet or to other networks. You can read this article for more.

After you have installed one of the above firewalls, please disable your Windows Firewall, if you had it enabled.

With Regards,
The Panda

#15 PropagandaPanda
  • Malware Response Team
  • 10,433 posts

Posted 10 July 2009 - 08:11 AM

Hello.

Since this issue appears to be resolved, this topic is now closed.
If you are the topic starter and need this topic reopened, send me a message.

Everyone else, please begin a new topic.

With Regards,
The Panda



