
Unknown (at least by me) rootkit


20 replies to this topic

#1 Alberto L


Posted 26 November 2009 - 05:59 PM

Hi,

I've got a severe warning after running GMER. I suspect some malware is lurking on my system after watching some suspicious activity in our ISA Server traffic log to several strange sites.


The GMER.log says:
GMER 1.0.15.15252 - http://www.gmer.net
Rootkit quick scan 2009-11-26 18:21:44
Windows 5.1.2600 Service Pack 3
Running: gmer (rootkit detector).exe; Driver: C:\DOCUME~1\Alberto\CONFIG~1\Temp\fwtdipoc.sys

---- System - GMER 1.0.15 ----

SSDT            sptd.sys                                           ZwEnumerateKey [0xB9EC3FB2]
SSDT            sptd.sys                                           ZwEnumerateValueKey [0xB9EC4340]

---- Devices - GMER 1.0.15 ----

Device          \FileSystem\Ntfs \Ntfs                             8A64D1E8
Device          \FileSystem\Fastfat \Fat                           8A382790
AttachedDevice  \FileSystem\Fastfat \Fat                           fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Services - GMER 1.0.15 ----

Service         C:\WINDOWS\system32\svchost.exe (*** hidden *** )  [AUTO] duwdpry                                                           <-- ROOTKIT !!!
Service         C:\WINDOWS\system32\svchost.exe (*** hidden *** )  [AUTO] ebtwroyp                                                          <-- ROOTKIT !!!
Service         C:\WINDOWS\system32\svchost.exe (*** hidden *** )  [AUTO] udmddyzg                                                          <-- ROOTKIT !!!

---- EOF - GMER 1.0.15 ----

According to your preparation guide, I'm pasting/attaching the logs.

Do I really have a rootkit? GMER provides a "delete" option in the right-click menu; is it safe? How do I proceed??

Thanks a lot for your help!!!


Alberto

==============================================================================================
DDS (Ver_09-11-24.02) - NTFSx86
Run by Alberto at 19:17:29.47 on 26/11/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1252.54.3082.18.2022.891 [GMT -3:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\ARCHIV~1\AVG\AVG8\avgwdsvc.exe
svchost.exe
C:\Archivos de programa\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Archivos de programa\Archivos comunes\Microsoft Shared\VS7DEBUG\mdm.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
c:\Archivos de programa\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Archivos de programa\SigmaTel\C-Major Audio\WDM\STacSV.exe
C:\ARCHIV~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\System32\PAStiSvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Archivos de programa\UltraVNC\WinVNC.exe
C:\Archivos de programa\Live Mesh\Remote Desktop\wlcrasvc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Archivos de programa\Microsoft IntelliType Pro\itype.exe
C:\ARCHIV~1\AVG\AVG8\avgtray.exe
C:\Archivos de programa\Archivos comunes\Nokia\MPlatform\NokiaMServer.exe
C:\Archivos de programa\PowerISO\PWRISOVM.EXE
C:\Archivos de programa\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Documents and Settings\Alberto\Mis documentos\Downloads\QuickSoundSwitch.exe
C:\Archivos de programa\Windows Live\Messenger\msnmsgr.exe
C:\Documents and Settings\Alberto\Configuración local\Datos de programa\Microsoft\Live Mesh\Bin\Servicing\0.9.4014.7\MoeMonitor.exe
C:\Archivos de programa\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Archivos de programa\Nokia\Nokia PC Suite 7\PCSuite.exe
C:\Archivos de programa\Nokia\Nokia PC Suite 7\PcSync2.exe
C:\Archivos de programa\PC Connectivity Solution\ServiceLayer.exe
C:\Archivos de programa\PC Connectivity Solution\Transports\NclMSBTSrv.exe
C:\Documents and Settings\Alberto\Configuración local\Datos de programa\Microsoft\Live Mesh\GacBase\Moe.exe
C:\Archivos de programa\PC Connectivity Solution\Transports\NclUSBSrv.exe
C:\Archivos de programa\PC Connectivity Solution\Transports\NclBCBTSrv.exe
C:\ARCHIV~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\Archivos de programa\Archivos comunes\Nokia\MPAPI\MPAPI3s.exe
C:\Archivos de programa\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Archivos de programa\Microsoft Office\Office12\OUTLOOK.EXE
C:\Archivos de programa\Microsoft Office\Office12\ONENOTEM.EXE
C:\Archivos de programa\Windows Live\Contacts\wlcomm.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Archivos de programa\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Alberto\Mis documentos\Downloads\Anti Virus-Spyware\gmer (rootkit detector).exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Alberto\Escritorio\Anti Virus Spyware\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://intranet:8080/default.aspx
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\archivos de programa\avg\avg8\toolbar\IEToolbar.dll
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\archivos de programa\archivos comunes\adobe\acrobat\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\archivos de programa\avg\avg8\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\archiv~1\spybot~1\SDHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Microsoft Web Test Recorder Helper: {62355041-605d-4469-84fd-5d66ed67a7e3} - c:\archivos de programa\microsoft visual studio 8\common7\ide\privateassemblies\Microsoft.VisualStudio.QualityTools.RecorderBarBHO.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\archivos de programa\microsoft office\office12\GrooveShellExtensions.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\archivos de programa\java\jre6\bin\ssv.dll
BHO: {78875F5C-A685-4405-8DC5-D48DC65452B0} - No File
BHO: Windows Live Aplicación auxiliar de inicio de sesión: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\archivos de programa\archivos comunes\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: ShowDHLToolbar Class: {905bedef-14b4-4b49-a97a-875326a61911} - c:\archivos de programa\dhl\dhltoolbar\DHL Worldwide Airwaybill Tracking Toolbar.dll
BHO: FoxmarksDLLBHO Class: {a2a71aba-3939-43b2-bd8f-8c1767ef9020} - c:\archivos de programa\xmarks\ie extension\foxmarksdll.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\archivos de programa\google\googletoolbar1.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\archivos de programa\google\googletoolbarnotifier\5.4.4525.1752\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\archivos de programa\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\archivos de programa\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\archivos de programa\google\googletoolbar1.dll
TB: DHL Toolbar: {82cc2983-ca87-4d46-b33b-d285bd667a56} - c:\archivos de programa\dhl\dhltoolbar\DHL Worldwide Airwaybill Tracking Toolbar.dll
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
TB: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File
TB: {61D1C847-DF80-423A-8C6D-DC03B97E6EBE} - No File
EB: &Referencia: {ff059e31-cc5a-4e2e-bf3b-96e929d65503} - c:\archiv~1\micros~3\office12\REFIEBAR.DLL
uRun: [swg] "c:\archivos de programa\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [QuickSoundSwitch] "c:\documents and settings\alberto\mis documentos\downloads\QuickSoundSwitch.exe"
uRun: [MsnMsgr] "c:\archivos de programa\windows live\messenger\msnmsgr.exe" /background
uRun: [SpybotSD TeaTimer] c:\archivos de programa\spybot - search & destroy\TeaTimer.exe
uRun: [MoeMonitor.exe] "c:\documents and settings\alberto\configuración local\datos de programa\microsoft\live mesh\bin\servicing\0.9.4014.7\MoeMonitor.exe"
uRun: [SUPERAntiSpyware] c:\archivos de programa\superantispyware\SUPERAntiSpyware.exe
uRun: [PC Suite Tray] "c:\archivos de programa\nokia\nokia pc suite 7\PCSuite.exe" -onlytray
uRun: [Nokia.PCSync] "c:\archivos de programa\nokia\nokia pc suite 7\PcSync2.exe" /NoDialog
mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [itype] "c:\archivos de programa\microsoft intellitype pro\itype.exe"
mRun: [Google Desktop Search] "c:\archivos de programa\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [AVG8_TRAY] c:\archiv~1\avg\avg8\avgtray.exe
mRun: [NokiaMServer] c:\archivos de programa\archivos comunes\nokia\mplatform\NokiaMServer /watchfiles
mRun: [Adobe Reader Speed Launcher] "c:\archivos de programa\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\archivos de programa\archivos comunes\adobe\arm\1.0\AdobeARM.exe"
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\archivos de programa\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [PWRISOVM.EXE] c:\archivos de programa\poweriso\PWRISOVM.EXE
StartupFolder: c:\docume~1\alberto\menini~1\progra~1\inicio\micros~1.lnk - c:\windows\installer\{91120000-002e-0000-0000-0000000ff1ce}\outicon.exe
StartupFolder: c:\docume~1\alberto\menini~1\progra~1\inicio\recort~1.lnk - c:\archivos de programa\microsoft office\office12\ONENOTEM.EXE
StartupFolder: c:\docume~1\alluse~1\menini~1\progra~1\inicio\blueto~1.lnk - c:\archivos de programa\widcomm\bluetooth software\BTTray.exe
StartupFolder: c:\documents and settings\all users\menú inicio\programas\inicio\Gladinet Cloud Desktop.lnk.disabled
StartupFolder: c:\docume~1\alluse~1\menini~1\progra~1\inicio\micros~1.lnk - c:\archivos de programa\microsoft office\office\OSA9.EXE
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xportar a Microsoft Excel - c:\archiv~1\micros~3\office12\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\archivos de programa\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\archivos de programa\widcomm\bluetooth software\btsendto_ie.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\archivos de programa\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\archiv~1\micros~3\office12\ONBttnIE.dll
IE: {82CC2983-CA87-4D46-B33B-D285BD667A56} - {82CC2983-CA87-4D46-B33B-D285BD667A56} - c:\archivos de programa\dhl\dhltoolbar\DHL Worldwide Airwaybill Tracking Toolbar.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\archiv~1\micros~3\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\archiv~1\spybot~1\SDHelper.dll
Trusted Zone: 23m008
DPF: {00000045-9980-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/sg726acm.cab
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/4/9/e494c802-dd90-4c6b-a074-469358f075a6/OGAControl.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {22611F8E-2FC5-4440-B261-C52A420B8D2A} - hxxp://xpw150/VortexIPFrontEnd/VortexIP-ActiveXLive.CAB
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab}
DPF: {33636E16-9C2B-41DE-9D32-C185A975D95B} - hxxp://craig.dyndns.ws:35990/DVRViewer/DVRViewer.cab
DPF: {474F00F5-3853-492C-AC3A-476512BBC336} - hxxp://picasaweb.google.com/s/v/32.67/uploader2.cab
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx1.mail.live.com/mail/w1/resources/MSNPUpld.cab
DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - hxxp://www.bitdefender.es/scan_es/scan8/oscan8.cab
DPF: {66D393D5-4D80-497C-9F4F-F3839E090202} - hxxp://www.pysoft.com/Downloads/WebCamPlayerOCX.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1176398613194
DPF: {7A408D93-67FD-43FC-8DD4-D46701A7A07D} - hxxp://192.168.0.32/nvEPLMedia.dll
DPF: {7B133798-FAA8-4A7E-950D-BEB35D3363AF} - hxxp://craig.dyndns.ws:36000/img/LinksysViewer.cab
DPF: {86F01A24-1CE1-47A9-ABCC-9BDCFCDEBE4D} - hxxp://xpw150/VortexIPFrontEnd/VortexIP-ActiveXPlayer.CAB
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://sdlc-esd.sun.com/ESD5/JSCDL/jre/6u11-b90/jinstall-6u11-windows-i586-jc.cab?AuthParam=1231874205_0f3a7cc1c4db77bd0cbad4052ff87e35&GroupName=JSC&FilePath=/ESD5/JSCDL/jre/6u11-b90/jinstall-6u11-windows-i586-jc.cab&File=jinstall-6u11-windows-i586-jc.cab&BHost=javadl.sun.com
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {A3E21079-7F41-4125-9EBB-FD44CFCC0AC1} - hxxps://www.mesh.com/0.9.3424.31/TSWeb.cab
DPF: {A6F36F3F-3AE0-458B-AFC4-AA82565E0BF8} - hxxp://www.ipstreamingservice.com/download/TCP_2.0/nvUnifiedControl.Dll
DPF: {B0C77EBC-5250-4913-A245-BFA796A36C72} - hxxp://toolbar.dhl.com/setup_ext_v1.cab
DPF: {B91012E3-3DC4-442B-B5C7-35BF3857D215} - hxxp://192.168.0.133/nvEncoderMedia.dll
DPF: {BC165EA0-F79E-4F12-8493-80679EB5BEC2} - hxxp://ishwood.selfip.com:8080/applet/XCast.cab
DPF: {BE30D547-EE96-4D6B-B9A3-57777E9F0A9C} - hxxp://127.0.0.1/tcpaswtu/activex/common/bin/go1984Viewer.ocx
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {D37BB1D6-A878-4721-9A64-77E6C9D44865} - hxxps://wsec02.bancogalicia.com.ar/scripts/components/cryptoclient/GalCryptoComponents1019.cab
DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} - hxxp://upload.mediamax.com/Upload/XUpload.ocx
DPF: {FA91DF8D-53AB-455D-AB20-F2F023E498D3} - hxxp://23m008/ReportServer/Reserved.ReportViewerWebControl.axd?ExecutionID=joqxqp45qcpm5x55bxnbql45&ControlID=69b8f4e5-be34-4eae-9204-be5363ae7610&Culture=11274&UICulture=10&ReportStack=1&OpType=PrintCab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\archivos de programa\microsoft office\office12\GrooveSystemServices.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\archivos de programa\avg\avg8\avgpp.dll
Notify: !SASWinLogon - c:\archivos de programa\superantispyware\SASWINLO.DLL
Notify: avgrsstarter - avgrsstx.dll
Notify: igfxcui - igfxdev.dll
Notify: wlcrdplauncher - c:\archivos de programa\live mesh\remote desktop\wlcrdplauncher.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\archivos de programa\microsoft office\office12\GrooveShellExtensions.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\archivos de programa\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\alberto\datosd~1\mozilla\firefox\profiles\i1zj7ibr.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://intranet:8080/default.aspx|http://www.google.com.ar/ig?hl=es&source=iglk
FF - component: c:\archivos de programa\nokia\nokia pc suite 7\bkmrksync\components\BkMrkExt.dll
FF - component: c:\documents and settings\alberto\datos de programa\mozilla\firefox\profiles\i1zj7ibr.default\extensions\support@lastpass.com\platform\winnt_x86-msvc\components\lpxpcom.dll
FF - plugin: c:\archivos de programa\google\picasa3\npPicasa3.dll
FF - plugin: c:\archivos de programa\microsoft\office live\npOLW.dll
FF - plugin: c:\archivos de programa\mozilla firefox\plugins\npsharedview.dll

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-6-27 335240]
R1 SASDIFSV;SASDIFSV;c:\archivos de programa\superantispyware\sasdifsv.sys [2009-3-23 9968]
R1 SASKUTIL;SASKUTIL;c:\archivos de programa\superantispyware\SASKUTIL.SYS [2009-3-23 74480]
R2 altio;altio;c:\windows\system32\altio.sys [2008-1-16 3200]
R2 avg8wd;AVG8 WatchDog;c:\archiv~1\avg\avg8\avgwdsvc.exe [2009-2-3 297752]
R2 vnccom;vnccom;c:\windows\system32\drivers\vnccom.SYS [2007-4-30 6016]
R2 wlcrasvc;Live Mesh Remote Desktop;c:\archivos de programa\live mesh\remote desktop\wlcrasvc.exe [2009-4-3 44880]
R3 PAC207;VideoCAM GE111;c:\windows\system32\drivers\PFC027.sys [2005-4-8 162176]
R3 RDPDISPM;RDPDISPM;c:\windows\system32\drivers\rdpdispm.sys [2009-4-3 9024]
R3 RDPVDD;RDPVDD;c:\windows\system32\drivers\rdpvmp.sys [2009-4-3 19392]
R3 SASENUM;SASENUM;c:\archivos de programa\superantispyware\SASENUM.SYS [2009-3-23 7408]
S2 duwdpry;Update Image;c:\windows\system32\svchost.exe -k netsvcs [2004-8-20 14336]
S2 ebtwroyp;Universal Image;c:\windows\system32\svchost.exe -k netsvcs [2004-8-20 14336]
S2 udmddyzg;Manager Installer;c:\windows\system32\svchost.exe -k netsvcs [2004-8-20 14336]
S3 DCMService;DivX Content Management Service;c:\archivos de programa\divx\divx connected\bin\divx connected\DivXConnectedService.exe [2008-1-29 49152]
S3 nmwcdnsu;Nokia USB Flashing Phone Parent;c:\windows\system32\drivers\nmwcdnsu.sys [2009-8-18 136704]
S3 nmwcdnsuc;Nokia USB Flashing Generic;c:\windows\system32\drivers\nmwcdnsuc.sys [2009-8-18 8320]
S3 tap08168;Gladinet Virtual Adapter;c:\windows\system32\drivers\tap08168.sys [2009-3-12 30544]
S3 VSPerfDrv;Performance Tools Driver;c:\archivos de programa\microsoft visual studio 8\team tools\performance tools\VSPerfDrv.sys [2006-12-2 48128]
S4 AxSVCControladorAccesoRemoto;Axoft - Controlador de Acceso Remoto;c:\archivos de programa\tango gestion\cliente\exe\AxServicioControladorAccesoRemoto.Exe [2007-4-12 1603584]
S4 AxSVCPlanificador;Axoft - Servicio de Ejecución Planificada;c:\archivos de programa\tango gestion\cliente\exe\AxServicioPlanificador.Exe [2007-4-12 2108416]
S4 GoogleDesktopManager-061008-081103;Administrador de Google Desktop 5.7.806.10245;c:\archivos de programa\google\google desktop search\GoogleDesktop.exe [2007-5-24 29744]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\archivos de programa\microsoft visual studio 8\common7\ide\remote debugger\x86\msvsmon.exe [2006-12-2 2805000]

=============== Created Last 30 ================

2009-11-26 19:53:55 0 d-sha-r- C:\cmdcons
2009-11-26 19:53:03 98816 ----a-w- c:\windows\sed.exe
2009-11-26 19:53:03 77312 ----a-w- c:\windows\MBR.exe
2009-11-26 19:53:03 260608 ----a-w- c:\windows\PEV.exe
2009-11-26 19:53:03 161792 ----a-w- c:\windows\SWREG.exe
2009-11-26 19:50:20 0 d-----w- C:\ComboFix
2009-11-26 19:26:04 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-26 19:26:03 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-26 19:26:03 0 d-----w- c:\archivos de programa\Malwarebytes' Anti-Malware
2009-11-16 19:03:52 0 d-----w- c:\archivos de programa\TreePadLite4
2009-11-16 18:59:31 0 d-----w- c:\archivos de programa\Swift To-Do List

==================== Find3M ====================

2009-11-23 17:02:58 304160 ----a-w- C:\StiImg.dat
2009-10-08 20:34:12 558592 ----a-w- c:\windows\system32\perfh00A.dat
2009-10-08 20:34:12 110864 ----a-w- c:\windows\system32\perfc00A.dat
2009-03-12 15:56:32 374197 ----a-w- c:\archivos de programa\wmvmuxer-final-1.0.zip
2006-05-03 10:06:54 163328 --sh--r- c:\windows\system32\flvDX.dll
2007-02-21 11:47:16 31232 --sh--r- c:\windows\system32\msfDX.dll
2008-03-16 13:30:52 216064 --sh--r- c:\windows\system32\nbDX.dll
2009-01-19 14:27:11 32768 --sha-w- c:\windows\system32\config\systemprofile\configuración local\historial\history.ie5\mshist012009011920090120\index.dat

============= FINISH: 19:17:52.12 ===============
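The GMER and DDS logs in this post agree on the same three entries: services with random-looking names (duwdpry, ebtwroyp, udmddyzg) that GMER reports as hidden and that DDS lists as auto-start services hosted by "svchost.exe -k netsvcs". The script below is an added example of how an analyst can cross-check the two logs mechanically; it is not part of Alberto's post and is not a tool from GMER or DDS. The two sample inputs are constructed from the log excerpts above (values copied from them), and KNOWN_NETSVCS is an illustrative baseline assumed for the example, not a list from the thread.

```python
"""Cross-check a GMER service scan against a DDS SERVICES / DRIVERS section.

Added example for this thread; it is not a tool from the post, from GMER or
from DDS. The two samples below are constructed from the log excerpts in the
post, and KNOWN_NETSVCS is an illustrative baseline assumed for the example.
"""
import re

# Constructed from the GMER "Services" section quoted in the post.
GMER_SAMPLE = r"""
Service         C:\WINDOWS\system32\svchost.exe (*** hidden *** )  [AUTO] duwdpry   <-- ROOTKIT !!!
Service         C:\WINDOWS\system32\svchost.exe (*** hidden *** )  [AUTO] ebtwroyp  <-- ROOTKIT !!!
Service         C:\WINDOWS\system32\svchost.exe (*** hidden *** )  [AUTO] udmddyzg  <-- ROOTKIT !!!
"""

# Constructed from the DDS "SERVICES / DRIVERS" section quoted in the post.
DDS_SAMPLE = r"""
R2 avg8wd;AVG8 WatchDog;c:\archiv~1\avg\avg8\avgwdsvc.exe [2009-2-3 297752]
R2 wlcrasvc;Live Mesh Remote Desktop;c:\archivos de programa\live mesh\remote desktop\wlcrasvc.exe [2009-4-3 44880]
S2 duwdpry;Update Image;c:\windows\system32\svchost.exe -k netsvcs [2004-8-20 14336]
S2 ebtwroyp;Universal Image;c:\windows\system32\svchost.exe -k netsvcs [2004-8-20 14336]
S2 udmddyzg;Manager Installer;c:\windows\system32\svchost.exe -k netsvcs [2004-8-20 14336]
S3 DCMService;DivX Content Management Service;c:\archivos de programa\divx\divx connected\bin\divx connected\DivXConnectedService.exe [2008-1-29 49152]
"""

# Illustrative baseline of service names normally hosted in the netsvcs group
# on Windows XP. This is an assumption of the example; a real check would read
# the group's membership from the machine's own registry.
KNOWN_NETSVCS = {
    "audiosrv", "browser", "cryptsvc", "dmserver", "ersvc", "eventsystem",
    "helpsvc", "lanmanserver", "lanmanworkstation", "netman", "nla",
    "rasauto", "rasman", "schedule", "seclogon", "sens", "sharedaccess",
    "shellhwdetection", "srservice", "tapisrv", "themes", "trkwks",
    "w32time", "winmgmt", "wuauserv", "wzcsvc", "xmlprov",
}

# GMER line: "Service  <image>  (<flags>)  [<start>] <name> ..."
GMER_SERVICE_RE = re.compile(
    r"^Service\s+(?P<image>.+?)\s+\((?P<flags>[^)]*)\)\s+\[(?P<start>\w+)\]\s+(?P<name>\S+)"
)
# DDS line: "<state> <name>;<display>;<path> [<date> <size>]"
DDS_SERVICE_RE = re.compile(
    r"^(?P<state>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);"
    r"(?P<path>.+?)\s+\[(?P<date>[\d-]+)\s+(?P<size>\d+)\]\s*$"
)


def parse_gmer_hidden_services(text):
    """Return the lower-cased names of services GMER marked as hidden."""
    hidden = set()
    for line in text.splitlines():
        m = GMER_SERVICE_RE.match(line)
        if m and "hidden" in m.group("flags"):
            hidden.add(m.group("name").lower())
    return hidden


def parse_dds_services(text):
    """Return one dict per parsable DDS service/driver line."""
    return [m.groupdict() for m in map(DDS_SERVICE_RE.match, text.splitlines()) if m]


def longest_consonant_run(name):
    """Length of the longest run of consonant letters (a crude randomness hint)."""
    run = best = 0
    for ch in name.lower():
        if ch.isalpha() and ch not in "aeiou":
            run += 1
            best = max(best, run)
        else:
            run = 0
    return best


def assess_services(dds_text, gmer_text):
    """Return (name, display, reasons) for every DDS service worth a closer look."""
    hidden = parse_gmer_hidden_services(gmer_text)
    findings = []
    for svc in parse_dds_services(dds_text):
        name = svc["name"].lower()
        reasons = []
        if name in hidden:
            reasons.append("hidden from the service list (GMER)")
        hosted = re.search(r"svchost\.exe\s+-k\s+(\S+)", svc["path"], re.I)
        if hosted:
            # The DDS path only names the host process, so judge the entry by
            # its group membership and its name rather than by the file.
            if hosted.group(1).lower() == "netsvcs" and name not in KNOWN_NETSVCS:
                reasons.append("svchost-hosted under netsvcs but not a known member")
            if longest_consonant_run(name) >= 4:
                reasons.append("random-looking service name")
        if reasons:
            findings.append((svc["name"], svc["display"], reasons))
    return findings


if __name__ == "__main__":
    for name, display, reasons in assess_services(DDS_SAMPLE, GMER_SAMPLE):
        print(f"{name} ({display}): " + "; ".join(reasons))
```

Run against the two samples, the three random-named services are the only entries reported, each on all three grounds, while the legitimately installed services (AVG, Live Mesh, DivX) are left alone. Note what the DDS line does and does not tell you for an svchost-hosted service: the path, date and size describe svchost.exe itself (the same [2004-8-20 14336] appears on all three lines), so the code the service actually runs is the DLL named by the ServiceDll value under the service's Parameters registry key, which is where a closer look would go next. A service that is hidden from the normal service list yet points at a trusted host process is exactly the combination the allowlist-plus-hiding check above is meant to surface.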



#2 Blade


Posted 01 December 2009 - 11:52 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE



#3 Alberto L


Posted 01 December 2009 - 05:21 PM

Hi,

Thanks for your time, and no need to apologize at all. I am borrowing YOUR time after all.

I'm not seeing any particular anomalous behavior on this PC right now. This PC (my PC) is just one of many that have been observed having strange traffic through the company ISA server to suspicious sites. That traffic is HTTP, so it cannot be blocked by port.

After noticing that, I ran GMER on this PC (we plan to use this PC as a diagnostic base and, if something comes out, replicate the cleaning on the others) and got the log posted in my first message.

According to some information gathered around the net (Wikipedia among other sites), we think there's a potential risk of having some PCs stealthily hijacked by a rootkit. I realize it may not be evident at this moment, but we are afraid it could be in the future. Besides that, we are afraid this hijack could be stealing sensitive information from the PCs it may have infected (some of the traffic was directed to sites recording financial information); as an example, some traffic was detected going to www.fxido.com/span.html, and at that time the IP was 208.51.98.11 (a couple of days later, that IP changed).

I'm attaching the requested DDS logs.

Thanks a lot!!


Alberto

=================================================================
DDS (Ver_09-12-01.01) - NTFSx86
Run by Alberto at 19:07:02.48 on 01/12/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1252.54.3082.18.2022.709 [GMT -3:00]

AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\ARCHIV~1\AVG\AVG8\avgwdsvc.exe
svchost.exe
C:\Archivos de programa\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Archivos de programa\Archivos comunes\Microsoft Shared\VS7DEBUG\mdm.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
c:\Archivos de programa\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Archivos de programa\SigmaTel\C-Major Audio\WDM\STacSV.exe
C:\WINDOWS\System32\PAStiSvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\ARCHIV~1\AVG\AVG8\avgrsx.exe
C:\Archivos de programa\UltraVNC\WinVNC.exe
C:\Archivos de programa\Live Mesh\Remote Desktop\wlcrasvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Archivos de programa\Microsoft IntelliType Pro\itype.exe
C:\ARCHIV~1\AVG\AVG8\avgtray.exe
C:\Archivos de programa\Archivos comunes\Nokia\MPlatform\NokiaMServer.exe
C:\Archivos de programa\PowerISO\PWRISOVM.EXE
C:\Archivos de programa\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Documents and Settings\Alberto\Mis documentos\Downloads\QuickSoundSwitch.exe
C:\Archivos de programa\Windows Live\Messenger\msnmsgr.exe
C:\Archivos de programa\Spybot - Search & Destroy\TeaTimer.exe
C:\Documents and Settings\Alberto\Configuración local\Datos de programa\Microsoft\Live Mesh\Bin\Servicing\0.9.4014.7\MoeMonitor.exe
C:\Archivos de programa\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Archivos de programa\Nokia\Nokia PC Suite 7\PCSuite.exe
C:\Archivos de programa\Nokia\Nokia PC Suite 7\PcSync2.exe
C:\Documents and Settings\Alberto\Configuración local\Datos de programa\Microsoft\Live Mesh\GacBase\Moe.exe
C:\Archivos de programa\PC Connectivity Solution\ServiceLayer.exe
C:\Archivos de programa\PC Connectivity Solution\Transports\NclMSBTSrv.exe
C:\Archivos de programa\PC Connectivity Solution\Transports\NclUSBSrv.exe
C:\Archivos de programa\PC Connectivity Solution\Transports\NclBCBTSrv.exe
C:\Archivos de programa\Archivos comunes\Nokia\MPAPI\MPAPI3s.exe
C:\ARCHIV~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\Archivos de programa\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Archivos de programa\Microsoft Office\Office12\OUTLOOK.EXE
C:\Archivos de programa\Microsoft Office\Office12\ONENOTEM.EXE
C:\Archivos de programa\Windows Live\Contacts\wlcomm.exe
C:\Archivos de programa\Mozilla Firefox\firefox.exe
C:\Archivos de programa\AVG\AVG8\avgui.exe
C:\Documents and Settings\Alberto\Escritorio\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://intranet:8080/default.aspx
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\archivos de programa\avg\avg8\toolbar\IEToolbar.dll
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\archivos de programa\archivos comunes\adobe\acrobat\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\archivos de programa\avg\avg8\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\archiv~1\spybot~1\SDHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Microsoft Web Test Recorder Helper: {62355041-605d-4469-84fd-5d66ed67a7e3} - c:\archivos de programa\microsoft visual studio 8\common7\ide\privateassemblies\Microsoft.VisualStudio.QualityTools.RecorderBarBHO.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\archivos de programa\microsoft office\office12\GrooveShellExtensions.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\archivos de programa\java\jre6\bin\ssv.dll
BHO: {78875F5C-A685-4405-8DC5-D48DC65452B0} - No File
BHO: Windows Live Aplicación auxiliar de inicio de sesión: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\archivos de programa\archivos comunes\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: ShowDHLToolbar Class: {905bedef-14b4-4b49-a97a-875326a61911} - c:\archivos de programa\dhl\dhltoolbar\DHL Worldwide Airwaybill Tracking Toolbar.dll
BHO: FoxmarksDLLBHO Class: {a2a71aba-3939-43b2-bd8f-8c1767ef9020} - c:\archivos de programa\xmarks\ie extension\foxmarksdll.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\archivos de programa\google\googletoolbar1.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\archivos de programa\google\googletoolbarnotifier\5.4.4525.1752\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\archivos de programa\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\archivos de programa\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\archivos de programa\google\googletoolbar1.dll
TB: DHL Toolbar: {82cc2983-ca87-4d46-b33b-d285bd667a56} - c:\archivos de programa\dhl\dhltoolbar\DHL Worldwide Airwaybill Tracking Toolbar.dll
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
TB: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File
TB: {61D1C847-DF80-423A-8C6D-DC03B97E6EBE} - No File
EB: &Referencia: {ff059e31-cc5a-4e2e-bf3b-96e929d65503} - c:\archiv~1\micros~3\office12\REFIEBAR.DLL
uRun: [swg] "c:\archivos de programa\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [QuickSoundSwitch] "c:\documents and settings\alberto\mis documentos\downloads\QuickSoundSwitch.exe"
uRun: [MsnMsgr] "c:\archivos de programa\windows live\messenger\msnmsgr.exe" /background
uRun: [SpybotSD TeaTimer] c:\archivos de programa\spybot - search & destroy\TeaTimer.exe
uRun: [MoeMonitor.exe] "c:\documents and settings\alberto\configuración local\datos de programa\microsoft\live mesh\bin\servicing\0.9.4014.7\MoeMonitor.exe"
uRun: [SUPERAntiSpyware] c:\archivos de programa\superantispyware\SUPERAntiSpyware.exe
uRun: [PC Suite Tray] "c:\archivos de programa\nokia\nokia pc suite 7\PCSuite.exe" -onlytray
uRun: [Nokia.PCSync] "c:\archivos de programa\nokia\nokia pc suite 7\PcSync2.exe" /NoDialog
mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [itype] "c:\archivos de programa\microsoft intellitype pro\itype.exe"
mRun: [Google Desktop Search] "c:\archivos de programa\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [AVG8_TRAY] c:\archiv~1\avg\avg8\avgtray.exe
mRun: [NokiaMServer] c:\archivos de programa\archivos comunes\nokia\mplatform\NokiaMServer /watchfiles
mRun: [Adobe Reader Speed Launcher] "c:\archivos de programa\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\archivos de programa\archivos comunes\adobe\arm\1.0\AdobeARM.exe"
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\archivos de programa\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [PWRISOVM.EXE] c:\archivos de programa\poweriso\PWRISOVM.EXE
StartupFolder: c:\docume~1\alberto\menini~1\progra~1\inicio\micros~1.lnk - c:\windows\installer\{91120000-002e-0000-0000-0000000ff1ce}\outicon.exe
StartupFolder: c:\docume~1\alberto\menini~1\progra~1\inicio\recort~1.lnk - c:\archivos de programa\microsoft office\office12\ONENOTEM.EXE
StartupFolder: c:\docume~1\alluse~1\menini~1\progra~1\inicio\blueto~1.lnk - c:\archivos de programa\widcomm\bluetooth software\BTTray.exe
StartupFolder: c:\documents and settings\all users\menú inicio\programas\inicio\Gladinet Cloud Desktop.lnk.disabled
StartupFolder: c:\docume~1\alluse~1\menini~1\progra~1\inicio\micros~1.lnk - c:\archivos de programa\microsoft office\office\OSA9.EXE
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xportar a Microsoft Excel - c:\archiv~1\micros~3\office12\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\archivos de programa\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\archivos de programa\widcomm\bluetooth software\btsendto_ie.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\archivos de programa\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\archiv~1\micros~3\office12\ONBttnIE.dll
IE: {82CC2983-CA87-4D46-B33B-D285BD667A56} - {82CC2983-CA87-4D46-B33B-D285BD667A56} - c:\archivos de programa\dhl\dhltoolbar\DHL Worldwide Airwaybill Tracking Toolbar.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\archiv~1\micros~3\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\archiv~1\spybot~1\SDHelper.dll
Trusted Zone: 23m008
DPF: {00000045-9980-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/sg726acm.cab
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/4/9/e494c802-dd90-4c6b-a074-469358f075a6/OGAControl.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {22611F8E-2FC5-4440-B261-C52A420B8D2A} - hxxp://xpw150/VortexIPFrontEnd/VortexIP-ActiveXLive.CAB
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab}
DPF: {33636E16-9C2B-41DE-9D32-C185A975D95B} - hxxp://craig.dyndns.ws:35990/DVRViewer/DVRViewer.cab
DPF: {474F00F5-3853-492C-AC3A-476512BBC336} - hxxp://picasaweb.google.com/s/v/32.67/uploader2.cab
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx1.mail.live.com/mail/w1/resources/MSNPUpld.cab
DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - hxxp://www.bitdefender.es/scan_es/scan8/oscan8.cab
DPF: {66D393D5-4D80-497C-9F4F-F3839E090202} - hxxp://www.pysoft.com/Downloads/WebCamPlayerOCX.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1176398613194
DPF: {7A408D93-67FD-43FC-8DD4-D46701A7A07D} - hxxp://192.168.0.32/nvEPLMedia.dll
DPF: {7B133798-FAA8-4A7E-950D-BEB35D3363AF} - hxxp://craig.dyndns.ws:36000/img/LinksysViewer.cab
DPF: {86F01A24-1CE1-47A9-ABCC-9BDCFCDEBE4D} - hxxp://xpw150/VortexIPFrontEnd/VortexIP-ActiveXPlayer.CAB
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://sdlc-esd.sun.com/ESD5/JSCDL/jre/6u11-b90/jinstall-6u11-windows-i586-jc.cab?AuthParam=1231874205_0f3a7cc1c4db77bd0cbad4052ff87e35&GroupName=JSC&FilePath=/ESD5/JSCDL/jre/6u11-b90/jinstall-6u11-windows-i586-jc.cab&File=jinstall-6u11-windows-i586-jc.cab&BHost=javadl.sun.com
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {A3E21079-7F41-4125-9EBB-FD44CFCC0AC1} - hxxps://www.mesh.com/0.9.3424.31/TSWeb.cab
DPF: {A6F36F3F-3AE0-458B-AFC4-AA82565E0BF8} - hxxp://www.ipstreamingservice.com/download/TCP_2.0/nvUnifiedControl.Dll
DPF: {B0C77EBC-5250-4913-A245-BFA796A36C72} - hxxp://toolbar.dhl.com/setup_ext_v1.cab
DPF: {B91012E3-3DC4-442B-B5C7-35BF3857D215} - hxxp://192.168.0.133/nvEncoderMedia.dll
DPF: {BC165EA0-F79E-4F12-8493-80679EB5BEC2} - hxxp://ishwood.selfip.com:8080/applet/XCast.cab
DPF: {BE30D547-EE96-4D6B-B9A3-57777E9F0A9C} - hxxp://127.0.0.1/tcpaswtu/activex/common/bin/go1984Viewer.ocx
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {D37BB1D6-A878-4721-9A64-77E6C9D44865} - hxxps://wsec02.bancogalicia.com.ar/scripts/components/cryptoclient/GalCryptoComponents1019.cab
DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} - hxxp://upload.mediamax.com/Upload/XUpload.ocx
DPF: {FA91DF8D-53AB-455D-AB20-F2F023E498D3} - hxxp://23m008/ReportServer/Reserved.ReportViewerWebControl.axd?ExecutionID=joqxqp45qcpm5x55bxnbql45&ControlID=69b8f4e5-be34-4eae-9204-be5363ae7610&Culture=11274&UICulture=10&ReportStack=1&OpType=PrintCab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\archivos de programa\microsoft office\office12\GrooveSystemServices.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\archivos de programa\avg\avg8\avgpp.dll
Notify: !SASWinLogon - c:\archivos de programa\superantispyware\SASWINLO.DLL
Notify: avgrsstarter - avgrsstx.dll
Notify: igfxcui - igfxdev.dll
Notify: wlcrdplauncher - c:\archivos de programa\live mesh\remote desktop\wlcrdplauncher.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\archivos de programa\microsoft office\office12\GrooveShellExtensions.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\archivos de programa\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\alberto\datosd~1\mozilla\firefox\profiles\i1zj7ibr.default\
FF - prefs.js: browser.search.selectedEngine - Google Argentina
FF - prefs.js: browser.startup.homepage - hxxp://intranet:8080/default.aspx|http://www.google.com.ar/ig?hl=es&source=iglk
FF - component: c:\archivos de programa\nokia\nokia pc suite 7\bkmrksync\components\BkMrkExt.dll
FF - component: c:\documents and settings\alberto\datos de programa\mozilla\firefox\profiles\i1zj7ibr.default\extensions\support@lastpass.com\platform\winnt_x86-msvc\components\lpxpcom.dll
FF - plugin: c:\archivos de programa\google\picasa3\npPicasa3.dll
FF - plugin: c:\archivos de programa\microsoft\office live\npOLW.dll
FF - plugin: c:\archivos de programa\mozilla firefox\plugins\npsharedview.dll

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-6-27 335240]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2007-5-11 27784]
R1 SASDIFSV;SASDIFSV;c:\archivos de programa\superantispyware\sasdifsv.sys [2009-3-23 9968]
R1 SASKUTIL;SASKUTIL;c:\archivos de programa\superantispyware\SASKUTIL.SYS [2009-3-23 74480]
R2 altio;altio;c:\windows\system32\altio.sys [2008-1-16 3200]
R2 avg8wd;AVG8 WatchDog;c:\archiv~1\avg\avg8\avgwdsvc.exe [2009-2-3 297752]
R2 vnccom;vnccom;c:\windows\system32\drivers\vnccom.SYS [2007-4-30 6016]
R2 wlcrasvc;Live Mesh Remote Desktop;c:\archivos de programa\live mesh\remote desktop\wlcrasvc.exe [2009-4-3 44880]
R3 PAC207;VideoCAM GE111;c:\windows\system32\drivers\PFC027.sys [2005-4-8 162176]
R3 RDPDISPM;RDPDISPM;c:\windows\system32\drivers\rdpdispm.sys [2009-4-3 9024]
R3 RDPVDD;RDPVDD;c:\windows\system32\drivers\rdpvmp.sys [2009-4-3 19392]
R3 SASENUM;SASENUM;c:\archivos de programa\superantispyware\SASENUM.SYS [2009-3-23 7408]
S2 duwdpry;Update Image;c:\windows\system32\svchost.exe -k netsvcs [2004-8-20 14336]
S2 ebtwroyp;Universal Image;c:\windows\system32\svchost.exe -k netsvcs [2004-8-20 14336]
S2 udmddyzg;Manager Installer;c:\windows\system32\svchost.exe -k netsvcs [2004-8-20 14336]
S3 DCMService;DivX Content Management Service;c:\archivos de programa\divx\divx connected\bin\divx connected\DivXConnectedService.exe [2008-1-29 49152]
S3 nmwcdnsu;Nokia USB Flashing Phone Parent;c:\windows\system32\drivers\nmwcdnsu.sys [2009-8-18 136704]
S3 nmwcdnsuc;Nokia USB Flashing Generic;c:\windows\system32\drivers\nmwcdnsuc.sys [2009-8-18 8320]
S3 tap08168;Gladinet Virtual Adapter;c:\windows\system32\drivers\tap08168.sys [2009-3-12 30544]
S3 VSPerfDrv;Performance Tools Driver;c:\archivos de programa\microsoft visual studio 8\team tools\performance tools\VSPerfDrv.sys [2006-12-2 48128]
S4 AxSVCControladorAccesoRemoto;Axoft - Controlador de Acceso Remoto;c:\archivos de programa\tango gestion\cliente\exe\AxServicioControladorAccesoRemoto.Exe [2007-4-12 1603584]
S4 AxSVCPlanificador;Axoft - Servicio de Ejecución Planificada;c:\archivos de programa\tango gestion\cliente\exe\AxServicioPlanificador.Exe [2007-4-12 2108416]
S4 GoogleDesktopManager-061008-081103;Administrador de Google Desktop 5.7.806.10245;c:\archivos de programa\google\google desktop search\GoogleDesktop.exe [2007-5-24 29744]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\archivos de programa\microsoft visual studio 8\common7\ide\remote debugger\x86\msvsmon.exe [2006-12-2 2805000]
S4 StarWindServiceAE;StarWind AE Service;c:\archivos de programa\alcohol soft\alcohol 120\starwind\StarWindServiceAE.exe [2007-5-28 275968]

=============== Created Last 30 ================

2009-11-26 19:53:55 0 d-sha-r- C:\cmdcons
2009-11-26 19:53:03 98816 ----a-w- c:\windows\sed.exe
2009-11-26 19:53:03 77312 ----a-w- c:\windows\MBR.exe
2009-11-26 19:53:03 260608 ----a-w- c:\windows\PEV.exe
2009-11-26 19:53:03 161792 ----a-w- c:\windows\SWREG.exe
2009-11-26 19:50:20 0 d-----w- C:\ComboFix
2009-11-26 19:26:04 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-26 19:26:03 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-26 19:26:03 0 d-----w- c:\archivos de programa\Malwarebytes' Anti-Malware
2009-11-16 19:03:52 0 d-----w- c:\archivos de programa\TreePadLite4
2009-11-16 18:59:31 0 d-----w- c:\archivos de programa\Swift To-Do List

==================== Find3M ====================

2009-11-23 17:02:58 304160 ----a-w- C:\StiImg.dat
2009-10-08 20:34:12 558592 ----a-w- c:\windows\system32\perfh00A.dat
2009-10-08 20:34:12 110864 ----a-w- c:\windows\system32\perfc00A.dat
2009-03-12 15:56:32 374197 ----a-w- c:\archivos de programa\wmvmuxer-final-1.0.zip
2006-05-03 10:06:54 163328 --sh--r- c:\windows\system32\flvDX.dll
2007-02-21 11:47:16 31232 --sh--r- c:\windows\system32\msfDX.dll
2008-03-16 13:30:52 216064 --sh--r- c:\windows\system32\nbDX.dll
2009-01-19 14:27:11 32768 --sha-w- c:\windows\system32\config\systemprofile\configuración local\historial\history.ie5\mshist012009011920090120\index.dat

============= FINISH: 19:07:51.33 ===============




#4 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  • Gender:Male
  • Local time:05:26 AM

Posted 04 December 2009 - 10:13 AM

Hello.

Let's run a new scan with GMER please,

Download and Run Scan with GMER

We will use GMER to scan for rootkits. This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop. Unzip/extract the file to its own folder. (Click here for information on how to do this if not sure. Win 2000 users click here.)
  • Close any and all open programs, as this process may crash your computer.
  • Double click Posted Image or Posted Image on your desktop.
  • When you have done this, close all running programs.
    There is a small chance this application may crash your computer so save any work you have open.
  • Double-click on Gmer.exe to start the program. Right-click and select Run As Administrator... if you are using Vista
  • Allow the gmer.sys driver to load if asked.
    If it detects rootkit activity, you will receive a prompt (refer below) to run a full scan. Click NO.
    Posted Image
  • In the right panel, you will see several boxes that have been checked. Please UNCHECK the following:
    • Sections
    • IAT/EAT
    • Registry
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show all (Don't miss this one!)
  • Click on Posted Image and wait for the scan to finish.
  • If you see a rootkit warning window, click OK.
  • Push Posted Image and save the logfile to your desktop.
  • Copy and Paste the contents of that file in your next post.

If GMER doesn't work in Normal Mode try running it in Safe Mode

Note: Do Not run any program while GMER is running
*Note*: Rootkit scans often produce false positives. Do NOT take any actions on "<--- ROOTKIT" entries

Post the log once done and take a new DDS run for me and post back with both the DDS and Attach logs.

Thanks.

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.
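A triage script that pairs the three GMER hidden-service lines with their DDS "SERVICES / DRIVERS" entries, added here as an illustration and not GMER's, DDS's or the helper's own code; the log excerpts inside it are copied from the logs posted in this thread, and every function and field name is this example's own.

```python
"""Pair GMER '*** hidden ***' service findings with DDS 'SERVICES / DRIVERS' lines.
Added example for this thread, not GMER's or DDS's code; the two excerpts below are
copied from the logs posted in the thread, all other names are this example's own."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Excerpt of the GMER "Services" section posted in this thread.
GMER_EXCERPT = r"""
---- Services - GMER 1.0.15 ----
Service C:\WINDOWS\system32\svchost.exe (*** hidden *** ) [AUTO] duwdpry <-- ROOTKIT !!!
Service C:\WINDOWS\system32\svchost.exe (*** hidden *** ) [AUTO] ebtwroyp <-- ROOTKIT !!!
Service C:\WINDOWS\system32\svchost.exe (*** hidden *** ) [AUTO] udmddyzg <-- ROOTKIT !!!
---- EOF - GMER 1.0.15 ----
"""
# Excerpt of the DDS "SERVICES / DRIVERS" section posted in this thread.
DDS_EXCERPT = r"""
R2 avg8wd;AVG8 WatchDog;c:\archiv~1\avg\avg8\avgwdsvc.exe [2009-2-3 297752]
S2 duwdpry;Update Image;c:\windows\system32\svchost.exe -k netsvcs [2004-8-20 14336]
S2 ebtwroyp;Universal Image;c:\windows\system32\svchost.exe -k netsvcs [2004-8-20 14336]
S2 udmddyzg;Manager Installer;c:\windows\system32\svchost.exe -k netsvcs [2004-8-20 14336]
"""

# GMER line: "Service <image> (<flags>) [<start>] <name> [<-- tag]"
GMER_SERVICE_RE = re.compile(
    r"^Service\s+(?P<image>.+?)\s+\((?P<flags>[^)]*)\)\s+\[(?P<start>[A-Z_]+)\]"
    r"\s+(?P<name>\S+)(?:\s+<--\s*(?P<tag>.*))?$")
# DDS line: "<R|S><start type> <name>;<display name>;<command> [<date> <size>]"
DDS_SERVICE_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);"
    r"(?P<command>.+?)\s+\[[\d-]+\s+(?P<size>\d+)\]$")
SVCHOST_GROUP_RE = re.compile(r"svchost\.exe\s+-k\s+(\S+)", re.IGNORECASE)

@dataclass
class GmerService:
    name: str
    image: str
    hidden: bool           # service key invisible to user-mode enumeration
    start: str             # e.g. "AUTO"
    tag: Optional[str]     # text after "<--", e.g. "ROOTKIT !!!"

@dataclass
class DdsService:
    name: str
    display: str
    command: str
    running: bool          # R = running, S = stopped at scan time
    start_type: int        # 2 = auto start, 3 = manual, 4 = disabled
    size: int

@dataclass
class Finding:
    name: str
    in_dds: bool
    svchost_group: Optional[str]   # "-k" group when hosted by svchost.exe
    notes: List[str]

def parse_gmer_services(text: str) -> List[GmerService]:
    out = []
    for line in text.splitlines():
        m = GMER_SERVICE_RE.match(line.strip())
        if m:
            out.append(GmerService(m["name"], m["image"], "hidden" in m["flags"],
                                   m["start"], m["tag"]))
    return out

def parse_dds_services(text: str) -> List[DdsService]:
    out = []
    for line in text.splitlines():
        m = DDS_SERVICE_RE.match(line.strip())
        if m:
            out.append(DdsService(m["name"], m["display"], m["command"],
                                  m["state"] == "R", int(m["start"]), int(m["size"])))
    return out

def correlate(gmer: List[GmerService], dds: List[DdsService]) -> List[Finding]:
    """One Finding per GMER service line, enriched with what DDS recorded for it."""
    by_name = {s.name.lower(): s for s in dds}
    findings = []
    for g in gmer:
        notes, group = [], None
        if g.hidden:
            notes.append("GMER: service key hidden from user-mode enumeration")
        d = by_name.get(g.name.lower())
        if d is None:
            notes.append("DDS: no matching service line (hidden from DDS as well)")
        else:
            notes.append(f"DDS: '{d.display}', start type {d.start_type}, "
                         f"{'running' if d.running else 'stopped'} at scan time")
            host = SVCHOST_GROUP_RE.search(d.command)
            if host:
                group = host.group(1)
                # svchost.exe is only the host process; the service's own code is
                # the DLL named by its Parameters\ServiceDll registry value.
                notes.append(f"DDS: hosted by svchost -k {group}; "
                             "the payload is the ServiceDll, not svchost.exe")
        findings.append(Finding(g.name, d is not None, group, notes))
    return findings
```

The svchost.exe path and size in the DDS lines are those of the legitimate host binary, so the service's own DLL is what a follow-up scan needs to locate.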

#5 Alberto L

Alberto L
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:06:26 AM

Posted 05 December 2009 - 06:00 PM

Hi extremeboy !! Thank you very much for your help and support !!

Here we go with the logs (it will be a loooong post)

Thanks again !!!

Alberto

=================== GMER.LOG =============================
GMER 1.0.15.15252 - http://www.gmer.net
Rootkit scan 2009-12-05 16:20:16
Windows 5.1.2600 Service Pack 3
Running: zed6fgbn.exe; Driver: C:\DOCUME~1\Alberto\CONFIG~1\Temp\fwtdipoc.sys


---- System - GMER 1.0.15 ----

SSDT sptd.sys ZwCreateKey [0xB9EBE0D0]
SSDT sptd.sys ZwEnumerateKey [0xB9EC3FB2]
SSDT sptd.sys ZwEnumerateValueKey [0xB9EC4340]
SSDT sptd.sys ZwOpenKey [0xB9EBE0B0]
SSDT sptd.sys ZwQueryKey [0xB9EC4418]
SSDT sptd.sys ZwQueryValueKey [0xB9EC4298]
SSDT sptd.sys ZwSetValueKey [0xB9EC44AA]
SSDT \??\C:\Archivos de programa\SUPERAntiSpyware\SASKUTIL.sys (SASKUTIL.SYS/SUPERAdBlocker.com and SUPERAntiSpyware.com) ZwTerminateProcess [0xA739B0B0]

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 8A6701E8
Device \FileSystem\Fastfat \FatCdrom 8A2AD5F8
Device \Driver\usbuhci \Device\USBPDO-0 8A5251E8
Device \Driver\usbuhci \Device\USBPDO-1 8A5251E8
Device \Driver\dmio \Device\DmControl\DmIoDaemon 8A6E31E8
Device \Driver\dmio \Device\DmControl\DmConfig 8A6E31E8
Device \Driver\dmio \Device\DmControl\DmPnP 8A6E31E8
Device \Driver\dmio \Device\DmControl\DmInfo 8A6E31E8
Device \Driver\usbehci \Device\USBPDO-2 8A3231E8
Device \Driver\usbuhci \Device\USBPDO-3 8A5251E8
Device \Driver\usbuhci \Device\USBPDO-4 8A5251E8
Device \Driver\usbuhci \Device\USBPDO-5 8A5251E8
Device \Driver\usbehci \Device\USBPDO-6 8A3231E8
Device \Driver\Ftdisk \Device\HarddiskVolume1 8A6721E8
Device \Driver\PCI_NTPNP5998 \Device\00000058 sptd.sys
Device \Driver\Cdrom \Device\CdRom0 8A50C1E8
Device \Driver\Cdrom \Device\CdRom1 8A50C1E8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 [B9E11B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdePort0 [B9E11B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdePort1 [B9E11B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdePort2 [B9E11B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdePort3 [B9E11B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdePort4 [B9E11B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdePort5 [B9E11B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdeDeviceP5T0L0-16 [B9E11B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\NetBT \Device\NetBt_Wins_Export 8A44C438
Device \Driver\NetBT \Device\NetbiosSmb 8A44C438
Device \Driver\usbuhci \Device\USBFDO-0 8A5251E8
Device \Driver\usbuhci \Device\USBFDO-1 8A5251E8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 8A463340
Device \Driver\usbehci \Device\USBFDO-2 8A3231E8
Device \Driver\NetBT \Device\NetBT_Tcpip_{578B007C-BF95-446E-9DE6-56D4651D8C4A} 8A44C438
Device \FileSystem\MRxSmb \Device\LanmanRedirector 8A463340
Device \Driver\usbuhci \Device\USBFDO-3 8A5251E8
Device \Driver\usbuhci \Device\USBFDO-4 8A5251E8
Device \Driver\Ftdisk \Device\FtControl 8A6721E8
Device \Driver\usbuhci \Device\USBFDO-5 8A5251E8
Device \Driver\usbehci \Device\USBFDO-6 8A3231E8
Device \Driver\asdm2epe \Device\Scsi\asdm2epe1Port6Path0Target0Lun0 8A2FA1E8
Device \Driver\asdm2epe \Device\Scsi\asdm2epe1 8A2FA1E8
Device \FileSystem\Fastfat \Fat 8A2AD5F8

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device \FileSystem\Cdfs \Cdfs 8A207340

---- Services - GMER 1.0.15 ----

Service C:\WINDOWS\system32\svchost.exe (*** hidden *** ) [AUTO] duwdpry <-- ROOTKIT !!!
Service C:\WINDOWS\system32\svchost.exe (*** hidden *** ) [AUTO] ebtwroyp <-- ROOTKIT !!!
Service C:\WINDOWS\system32\svchost.exe (*** hidden *** ) [AUTO] udmddyzg <-- ROOTKIT !!!

---- EOF - GMER 1.0.15 ----
================ END OF GMER.LOG ===========================

==================== DDS.LOG =============================

DDS (Ver_09-11-24.02) - NTFSx86
Run by Alberto at 16:23:10.40 on 05/12/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1252.54.3082.18.2022.637 [GMT -3:00]

AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\ARCHIV~1\AVG\AVG8\avgwdsvc.exe
svchost.exe
C:\Archivos de programa\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Archivos de programa\Archivos comunes\Microsoft Shared\VS7DEBUG\mdm.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
c:\Archivos de programa\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Archivos de programa\SigmaTel\C-Major Audio\WDM\STacSV.exe
C:\WINDOWS\System32\PAStiSvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\ARCHIV~1\AVG\AVG8\avgrsx.exe
C:\Archivos de programa\UltraVNC\WinVNC.exe
C:\Archivos de programa\Live Mesh\Remote Desktop\wlcrasvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Archivos de programa\Microsoft IntelliType Pro\itype.exe
C:\ARCHIV~1\AVG\AVG8\avgtray.exe
C:\Archivos de programa\Archivos comunes\Nokia\MPlatform\NokiaMServer.exe
C:\Archivos de programa\PowerISO\PWRISOVM.EXE
C:\Archivos de programa\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Documents and Settings\Alberto\Mis documentos\Downloads\QuickSoundSwitch.exe
C:\Archivos de programa\Spybot - Search & Destroy\TeaTimer.exe
C:\Archivos de programa\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Archivos de programa\PC Connectivity Solution\ServiceLayer.exe
C:\Archivos de programa\PC Connectivity Solution\Transports\NclMSBTSrv.exe
C:\Archivos de programa\PC Connectivity Solution\Transports\NclUSBSrv.exe
C:\Archivos de programa\PC Connectivity Solution\Transports\NclBCBTSrv.exe
C:\ARCHIV~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\Archivos de programa\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Archivos de programa\Microsoft Office\Office12\ONENOTEM.EXE
C:\Archivos de programa\Mozilla Firefox\firefox.exe
C:\Archivos de programa\Live Mesh\Remote Desktop\wlcrdpsystem.exe
C:\Archivos de programa\Live Mesh\Remote Desktop\wlcrdpuser.exe
C:\Documents and Settings\Alberto\Escritorio\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://intranet:8080/default.aspx
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\archivos de programa\avg\avg8\toolbar\IEToolbar.dll
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\archivos de programa\archivos comunes\adobe\acrobat\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\archivos de programa\avg\avg8\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\archiv~1\spybot~1\SDHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Microsoft Web Test Recorder Helper: {62355041-605d-4469-84fd-5d66ed67a7e3} - c:\archivos de programa\microsoft visual studio 8\common7\ide\privateassemblies\Microsoft.VisualStudio.QualityTools.RecorderBarBHO.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\archivos de programa\microsoft office\office12\GrooveShellExtensions.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\archivos de programa\java\jre6\bin\ssv.dll
BHO: {78875F5C-A685-4405-8DC5-D48DC65452B0} - No File
BHO: Windows Live Aplicación auxiliar de inicio de sesión: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\archivos de programa\archivos comunes\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: ShowDHLToolbar Class: {905bedef-14b4-4b49-a97a-875326a61911} - c:\archivos de programa\dhl\dhltoolbar\DHL Worldwide Airwaybill Tracking Toolbar.dll
BHO: FoxmarksDLLBHO Class: {a2a71aba-3939-43b2-bd8f-8c1767ef9020} - c:\archivos de programa\xmarks\ie extension\foxmarksdll.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\archivos de programa\google\googletoolbar1.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\archivos de programa\google\googletoolbarnotifier\5.4.4525.1752\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\archivos de programa\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\archivos de programa\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\archivos de programa\google\googletoolbar1.dll
TB: DHL Toolbar: {82cc2983-ca87-4d46-b33b-d285bd667a56} - c:\archivos de programa\dhl\dhltoolbar\DHL Worldwide Airwaybill Tracking Toolbar.dll
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
TB: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File
TB: {61D1C847-DF80-423A-8C6D-DC03B97E6EBE} - No File
EB: &Referencia: {ff059e31-cc5a-4e2e-bf3b-96e929d65503} - c:\archiv~1\micros~3\office12\REFIEBAR.DLL
uRun: [swg] "c:\archivos de programa\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [QuickSoundSwitch] "c:\documents and settings\alberto\mis documentos\downloads\QuickSoundSwitch.exe"
uRun: [MsnMsgr] "c:\archivos de programa\windows live\messenger\msnmsgr.exe" /background
uRun: [SpybotSD TeaTimer] c:\archivos de programa\spybot - search & destroy\TeaTimer.exe
uRun: [MoeMonitor.exe] "c:\documents and settings\alberto\configuración local\datos de programa\microsoft\live mesh\bin\servicing\0.9.4014.7\MoeMonitor.exe"
uRun: [SUPERAntiSpyware] c:\archivos de programa\superantispyware\SUPERAntiSpyware.exe
uRun: [PC Suite Tray] "c:\archivos de programa\nokia\nokia pc suite 7\PCSuite.exe" -onlytray
uRun: [Nokia.PCSync] "c:\archivos de programa\nokia\nokia pc suite 7\PcSync2.exe" /NoDialog
mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [itype] "c:\archivos de programa\microsoft intellitype pro\itype.exe"
mRun: [Google Desktop Search] "c:\archivos de programa\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [AVG8_TRAY] c:\archiv~1\avg\avg8\avgtray.exe
mRun: [NokiaMServer] c:\archivos de programa\archivos comunes\nokia\mplatform\NokiaMServer /watchfiles
mRun: [Adobe Reader Speed Launcher] "c:\archivos de programa\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\archivos de programa\archivos comunes\adobe\arm\1.0\AdobeARM.exe"
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\archivos de programa\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [PWRISOVM.EXE] c:\archivos de programa\poweriso\PWRISOVM.EXE
StartupFolder: c:\docume~1\alberto\menini~1\progra~1\inicio\micros~1.lnk - c:\windows\installer\{91120000-002e-0000-0000-0000000ff1ce}\outicon.exe
StartupFolder: c:\docume~1\alberto\menini~1\progra~1\inicio\recort~1.lnk - c:\archivos de programa\microsoft office\office12\ONENOTEM.EXE
StartupFolder: c:\docume~1\alluse~1\menini~1\progra~1\inicio\blueto~1.lnk - c:\archivos de programa\widcomm\bluetooth software\BTTray.exe
StartupFolder: c:\documents and settings\all users\menú inicio\programas\inicio\Gladinet Cloud Desktop.lnk.disabled
StartupFolder: c:\docume~1\alluse~1\menini~1\progra~1\inicio\micros~1.lnk - c:\archivos de programa\microsoft office\office\OSA9.EXE
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xportar a Microsoft Excel - c:\archiv~1\micros~3\office12\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\archivos de programa\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\archivos de programa\widcomm\bluetooth software\btsendto_ie.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\archivos de programa\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\archiv~1\micros~3\office12\ONBttnIE.dll
IE: {82CC2983-CA87-4D46-B33B-D285BD667A56} - {82CC2983-CA87-4D46-B33B-D285BD667A56} - c:\archivos de programa\dhl\dhltoolbar\DHL Worldwide Airwaybill Tracking Toolbar.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\archiv~1\micros~3\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\archiv~1\spybot~1\SDHelper.dll
Trusted Zone: 23m008
DPF: {00000045-9980-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/sg726acm.cab
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/4/9/e494c802-dd90-4c6b-a074-469358f075a6/OGAControl.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {22611F8E-2FC5-4440-B261-C52A420B8D2A} - hxxp://xpw150/VortexIPFrontEnd/VortexIP-ActiveXLive.CAB
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab}
DPF: {33636E16-9C2B-41DE-9D32-C185A975D95B} - hxxp://craig.dyndns.ws:35990/DVRViewer/DVRViewer.cab
DPF: {474F00F5-3853-492C-AC3A-476512BBC336} - hxxp://picasaweb.google.com/s/v/32.67/uploader2.cab
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx1.mail.live.com/mail/w1/resources/MSNPUpld.cab
DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - hxxp://www.bitdefender.es/scan_es/scan8/oscan8.cab
DPF: {66D393D5-4D80-497C-9F4F-F3839E090202} - hxxp://www.pysoft.com/Downloads/WebCamPlayerOCX.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1176398613194
DPF: {7A408D93-67FD-43FC-8DD4-D46701A7A07D} - hxxp://192.168.0.32/nvEPLMedia.dll
DPF: {7B133798-FAA8-4A7E-950D-BEB35D3363AF} - hxxp://craig.dyndns.ws:36000/img/LinksysViewer.cab
DPF: {86F01A24-1CE1-47A9-ABCC-9BDCFCDEBE4D} - hxxp://xpw150/VortexIPFrontEnd/VortexIP-ActiveXPlayer.CAB
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://sdlc-esd.sun.com/ESD5/JSCDL/jre/6u11-b90/jinstall-6u11-windows-i586-jc.cab?AuthParam=1231874205_0f3a7cc1c4db77bd0cbad4052ff87e35&GroupName=JSC&FilePath=/ESD5/JSCDL/jre/6u11-b90/jinstall-6u11-windows-i586-jc.cab&File=jinstall-6u11-windows-i586-jc.cab&BHost=javadl.sun.com
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {A3E21079-7F41-4125-9EBB-FD44CFCC0AC1} - hxxps://www.mesh.com/0.9.3424.31/TSWeb.cab
DPF: {A6F36F3F-3AE0-458B-AFC4-AA82565E0BF8} - hxxp://www.ipstreamingservice.com/download/TCP_2.0/nvUnifiedControl.Dll
DPF: {B0C77EBC-5250-4913-A245-BFA796A36C72} - hxxp://toolbar.dhl.com/setup_ext_v1.cab
DPF: {B91012E3-3DC4-442B-B5C7-35BF3857D215} - hxxp://192.168.0.133/nvEncoderMedia.dll
DPF: {BC165EA0-F79E-4F12-8493-80679EB5BEC2} - hxxp://ishwood.selfip.com:8080/applet/XCast.cab
DPF: {BE30D547-EE96-4D6B-B9A3-57777E9F0A9C} - hxxp://127.0.0.1/tcpaswtu/activex/common/bin/go1984Viewer.ocx
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {D37BB1D6-A878-4721-9A64-77E6C9D44865} - hxxps://wsec02.bancogalicia.com.ar/scripts/components/cryptoclient/GalCryptoComponents1019.cab
DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} - hxxp://upload.mediamax.com/Upload/XUpload.ocx
DPF: {FA91DF8D-53AB-455D-AB20-F2F023E498D3} - hxxp://23m008/ReportServer/Reserved.ReportViewerWebControl.axd?ExecutionID=joqxqp45qcpm5x55bxnbql45&ControlID=69b8f4e5-be34-4eae-9204-be5363ae7610&Culture=11274&UICulture=10&ReportStack=1&OpType=PrintCab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\archivos de programa\microsoft office\office12\GrooveSystemServices.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\archivos de programa\avg\avg8\avgpp.dll
Notify: !SASWinLogon - c:\archivos de programa\superantispyware\SASWINLO.DLL
Notify: avgrsstarter - avgrsstx.dll
Notify: igfxcui - igfxdev.dll
Notify: wlcrdplauncher - c:\archivos de programa\live mesh\remote desktop\wlcrdplauncher.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\archivos de programa\microsoft office\office12\GrooveShellExtensions.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\archivos de programa\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\alberto\datosd~1\mozilla\firefox\profiles\i1zj7ibr.default\
FF - prefs.js: browser.search.selectedEngine - Google Argentina
FF - prefs.js: browser.startup.homepage - hxxp://intranet:8080/default.aspx|http://www.google.com.ar/ig?hl=es&source=iglk
FF - component: c:\archivos de programa\nokia\nokia pc suite 7\bkmrksync\components\BkMrkExt.dll
FF - component: c:\documents and settings\alberto\datos de programa\mozilla\firefox\profiles\i1zj7ibr.default\extensions\support@lastpass.com\platform\winnt_x86-msvc\components\lpxpcom.dll
FF - plugin: c:\archivos de programa\google\picasa3\npPicasa3.dll
FF - plugin: c:\archivos de programa\microsoft\office live\npOLW.dll
FF - plugin: c:\archivos de programa\mozilla firefox\plugins\npsharedview.dll

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-6-27 335240]
R1 SASDIFSV;SASDIFSV;c:\archivos de programa\superantispyware\sasdifsv.sys [2009-3-23 9968]
R1 SASKUTIL;SASKUTIL;c:\archivos de programa\superantispyware\SASKUTIL.SYS [2009-3-23 74480]
R2 altio;altio;c:\windows\system32\altio.sys [2008-1-16 3200]
R2 avg8wd;AVG8 WatchDog;c:\archiv~1\avg\avg8\avgwdsvc.exe [2009-2-3 297752]
R2 vnccom;vnccom;c:\windows\system32\drivers\vnccom.SYS [2007-4-30 6016]
R2 wlcrasvc;Live Mesh Remote Desktop;c:\archivos de programa\live mesh\remote desktop\wlcrasvc.exe [2009-4-3 44880]
R3 PAC207;VideoCAM GE111;c:\windows\system32\drivers\PFC027.sys [2005-4-8 162176]
R3 RDPDISPM;RDPDISPM;c:\windows\system32\drivers\rdpdispm.sys [2009-4-3 9024]
R3 RDPVDD;RDPVDD;c:\windows\system32\drivers\rdpvmp.sys [2009-4-3 19392]
R3 SASENUM;SASENUM;c:\archivos de programa\superantispyware\SASENUM.SYS [2009-3-23 7408]
S2 duwdpry;Update Image;c:\windows\system32\svchost.exe -k netsvcs [2004-8-20 14336]
S2 ebtwroyp;Universal Image;c:\windows\system32\svchost.exe -k netsvcs [2004-8-20 14336]
S2 udmddyzg;Manager Installer;c:\windows\system32\svchost.exe -k netsvcs [2004-8-20 14336]
S3 DCMService;DivX Content Management Service;c:\archivos de programa\divx\divx connected\bin\divx connected\DivXConnectedService.exe [2008-1-29 49152]
S3 nmwcdnsu;Nokia USB Flashing Phone Parent;c:\windows\system32\drivers\nmwcdnsu.sys [2009-8-18 136704]
S3 nmwcdnsuc;Nokia USB Flashing Generic;c:\windows\system32\drivers\nmwcdnsuc.sys [2009-8-18 8320]
S3 tap08168;Gladinet Virtual Adapter;c:\windows\system32\drivers\tap08168.sys [2009-3-12 30544]
S3 VSPerfDrv;Performance Tools Driver;c:\archivos de programa\microsoft visual studio 8\team tools\performance tools\VSPerfDrv.sys [2006-12-2 48128]
S4 AxSVCControladorAccesoRemoto;Axoft - Controlador de Acceso Remoto;c:\archivos de programa\tango gestion\cliente\exe\AxServicioControladorAccesoRemoto.Exe [2007-4-12 1603584]
S4 AxSVCPlanificador;Axoft - Servicio de Ejecución Planificada;c:\archivos de programa\tango gestion\cliente\exe\AxServicioPlanificador.Exe [2007-4-12 2108416]
S4 GoogleDesktopManager-061008-081103;Administrador de Google Desktop 5.7.806.10245;c:\archivos de programa\google\google desktop search\GoogleDesktop.exe [2007-5-24 29744]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\archivos de programa\microsoft visual studio 8\common7\ide\remote debugger\x86\msvsmon.exe [2006-12-2 2805000]

=============== Created Last 30 ================

2009-11-26 19:53:55 0 d-sha-r- C:\cmdcons
2009-11-26 19:53:03 98816 ----a-w- c:\windows\sed.exe
2009-11-26 19:53:03 77312 ----a-w- c:\windows\MBR.exe
2009-11-26 19:53:03 260608 ----a-w- c:\windows\PEV.exe
2009-11-26 19:53:03 161792 ----a-w- c:\windows\SWREG.exe
2009-11-26 19:50:20 0 d-----w- C:\ComboFix
2009-11-26 19:26:04 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-26 19:26:03 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-26 19:26:03 0 d-----w- c:\archivos de programa\Malwarebytes' Anti-Malware
2009-11-16 19:03:52 0 d-----w- c:\archivos de programa\TreePadLite4
2009-11-16 18:59:31 0 d-----w- c:\archivos de programa\Swift To-Do List

==================== Find3M ====================

2009-11-23 17:02:58 304160 ----a-w- C:\StiImg.dat
2009-10-08 20:34:12 558592 ----a-w- c:\windows\system32\perfh00A.dat
2009-10-08 20:34:12 110864 ----a-w- c:\windows\system32\perfc00A.dat
2009-03-12 15:56:32 374197 ----a-w- c:\archivos de programa\wmvmuxer-final-1.0.zip
2006-05-03 10:06:54 163328 --sh--r- c:\windows\system32\flvDX.dll
2007-02-21 11:47:16 31232 --sh--r- c:\windows\system32\msfDX.dll
2008-03-16 13:30:52 216064 --sh--r- c:\windows\system32\nbDX.dll
2009-01-19 14:27:11 32768 --sha-w- c:\windows\system32\config\systemprofile\configuración local\historial\history.ie5\mshist012009011920090120\index.dat

============= FINISH: 16:23:59.40 ===============
================= END OF DDS.LOG ===========================


#6 extremeboy (Malware Response Team)

Posted 05 December 2009 - 06:07 PM

Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

* Ensure you have disabled all antivirus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page for instructions on doing so.

Please include the C:\ComboFix.txt in your next reply for further review.
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#7 Alberto L (Topic Starter)

Posted 05 December 2009 - 07:20 PM

Hi extremeboy!!

Surprised to see you working on Saturday :( I'm not the only one!!! :(

Here goes the ComboFix log. Did it do anything? I'm not quite sure I'm able to understand it fully, but I've seen it deleted some stuff on my PC. Is my PC in better shape now?

Thanks for your help!!

Alberto

============================ COMBOFIX LOG ===============================
ComboFix 09-12-05.03 - Alberto 05/12/2009 20:39.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.54.3082.18.2022.1360 [GMT -3:00]
Running from: c:\documents and settings\Alberto\Escritorio\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Datos de programa\Microsoft\WLSetup
c:\documents and settings\All Users\Datos de programa\Microsoft\WLSetup\Logs\2009-02-16_13-35_2828-iqbet82i.log
c:\documents and settings\All Users\Datos de programa\Microsoft\WLSetup\Logs\2009-03-25_14-33_f10-m0r65gdt.log
c:\documents and settings\All Users\Datos de programa\Microsoft\WLSetup\Logs\2009-03-25_14-50_364-7ina35ec.log
c:\documents and settings\All Users\Datos de programa\Microsoft\WLSetup\Logs\2009-03-25_14-57_bf8-7wuhf04m.log
c:\documents and settings\All Users\Datos de programa\Microsoft\WLSetup\Logs\2009-03-25_16-44_7c0-zhhe9mtg.log
c:\documents and settings\All Users\Datos de programa\Microsoft\WLSetup\Logs\2009-11-18_20-31_1854-x2cbnpd6.log
c:\windows\YAHELITE.INI

.
((((((((((((((((((((((((( Files Created from 2009-11-05 to 2009-12-05 )))))))))))))))))))))))))))))))
.

2009-11-26 19:26 . 2009-09-10 17:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-26 19:26 . 2009-11-26 19:26 -------- d-----w- c:\archivos de programa\Malwarebytes' Anti-Malware
2009-11-26 19:26 . 2009-09-10 17:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-26 01:53 . 2009-11-06 02:30 2064152 ----a-w- c:\documents and settings\All Users\Datos de programa\avg8\update\backup\avgcorex.dll
2009-11-16 19:03 . 2009-11-16 19:03 -------- d-----w- c:\archivos de programa\TreePadLite4
2009-11-16 18:59 . 2009-11-16 19:03 -------- d-----w- c:\archivos de programa\Swift To-Do List
2009-11-12 15:32 . 2009-10-30 01:56 613888 ----a-w- c:\documents and settings\Alberto\Datos de programa\Mozilla\Firefox\Profiles\i1zj7ibr.default\extensions\support@lastpass.com\platform\WINNT_x86-msvc\components\lpxpcom.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-23 17:02 . 2007-10-05 13:16 304160 ----a-w- C:\StiImg.dat
2009-11-18 23:46 . 2009-02-16 15:45 -------- d-----w- c:\archivos de programa\Microsoft
2009-11-17 16:18 . 2007-04-11 18:06 -------- d--h--w- c:\archivos de programa\InstallShield Installation Information
2009-11-17 16:08 . 2007-12-12 19:31 -------- d-----w- c:\archivos de programa\Digicard Sistemas
2009-11-16 13:34 . 2009-04-28 19:26 -------- d-----w- c:\archivos de programa\SUPERAntiSpyware
2009-11-06 21:02 . 2009-03-17 17:32 -------- d-----w- c:\documents and settings\Alberto\Datos de programa\Skype
2009-11-06 02:31 . 2008-06-27 14:00 -------- d-----w- c:\documents and settings\All Users\Datos de programa\avg8
2009-11-03 19:17 . 2007-04-12 14:39 -------- d-----w- c:\documents and settings\All Users\Datos de programa\Microsoft Help
2009-11-03 19:08 . 2009-07-30 14:59 -------- d-----w- c:\documents and settings\Alberto\Datos de programa\authorPOINT
2009-10-30 13:03 . 2007-05-10 22:59 -------- d-----w- c:\documents and settings\All Users\Datos de programa\Installations
2009-10-30 13:02 . 2007-11-20 19:17 -------- d-----w- c:\archivos de programa\Archivos comunes\Nokia
2009-10-30 12:54 . 2009-10-30 12:54 3351812 ----a-w- c:\documents and settings\All Users\Datos de programa\Installations\{4C911A61-39EA-41CC-AB3C-FE3BFFDB5F78}\Installer\CommonCustomActions\msxml6Exec.exe
2009-10-30 12:54 . 2009-10-30 12:54 36864 ----a-w- c:\documents and settings\All Users\Datos de programa\Installations\{4C911A61-39EA-41CC-AB3C-FE3BFFDB5F78}\Installer\CommonCustomActions\Sleep.exe
2009-10-30 12:54 . 2009-10-30 12:54 3203453 ----a-w- c:\documents and settings\All Users\Datos de programa\Installations\{4C911A61-39EA-41CC-AB3C-FE3BFFDB5F78}\Installer\CommonCustomActions\vcredistExec.exe
2009-10-30 12:54 . 2009-10-30 13:01 24416256 ----a-w- c:\documents and settings\All Users\Datos de programa\Installations\{4C911A61-39EA-41CC-AB3C-FE3BFFDB5F78}\NokiaSoftwareUpdaterSetup_1.8.10ES.exe
2009-10-23 20:53 . 2009-10-23 20:53 851968 ----a-w- c:\documents and settings\Alberto\Datos de programa\Sun\Java\Deployment\cache\6.0\30\58313d1e-7e35afb2-n\dsj.dll
2009-10-23 17:25 . 2009-10-23 17:24 165232 ---ha-w- c:\documents and settings\Alberto\Datos de programa\Microsoft\Virtual PC\VPCKeyboard.dll
2009-10-22 20:26 . 2007-05-11 18:52 -------- d-----w- c:\archivos de programa\Spybot - Search & Destroy
2009-10-22 20:17 . 2007-05-11 18:52 -------- d-----w- c:\documents and settings\All Users\Datos de programa\Spybot - Search & Destroy
2009-10-22 19:52 . 2009-04-28 19:29 117760 ----a-w- c:\documents and settings\Alberto\Datos de programa\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-10-21 14:24 . 2007-04-12 16:00 -------- d-----w- c:\archivos de programa\Archivos comunes\Adobe
2009-10-08 20:34 . 2004-08-20 12:00 558592 ----a-w- c:\windows\system32\perfh00A.dat
2009-10-08 20:34 . 2004-08-20 12:00 110864 ----a-w- c:\windows\system32\perfc00A.dat
2009-10-08 20:33 . 2009-10-08 20:33 -------- d-----w- c:\archivos de programa\Microsoft Virtual PC
2009-09-15 17:06 . 2009-09-15 17:06 1925024 ------w- c:\documents and settings\All Users\Datos de programa\NOS\Adobe_Downloads\install_flash_player.exe
2009-03-12 15:56 . 2009-03-12 16:18 374197 ----a-w- c:\archivos de programa\wmvmuxer-final-1.0.zip
2006-05-03 10:06 . 2009-03-12 16:56 163328 --sh--r- c:\windows\system32\flvDX.dll
2007-02-21 11:47 . 2009-03-12 16:56 31232 --sh--r- c:\windows\system32\msfDX.dll
2008-03-16 13:30 . 2009-03-12 16:56 216064 --sh--r- c:\windows\system32\nbDX.dll
.

------- Sigcheck -------

[7] 2008-06-20 . AD978A1B783B5719720CFF204B666C8E . 361600 . . [5.1.2600.5625] . . c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
[7] 2008-06-20 . 9AEFA14BD6B182D61E3119FA5F436D3D . 361600 . . [5.1.2600.5625] . . c:\windows\$hf_mig$\KB951748\SP3GDR\tcpip.sys
[7] 2008-06-20 . 9AEFA14BD6B182D61E3119FA5F436D3D . 361600 . . [5.1.2600.5625] . . c:\windows\system32\dllcache\tcpip.sys
[-] 2008-06-20 . CBEEBEB899E31EF52B962CB31FC8CA5C . 361600 . . [5.1.2600.5625] . . c:\windows\system32\drivers\tcpip.sys
[7] 2008-06-20 . 2A5554FC5B1E04E131230E3CE035C3F9 . 360320 . . [5.1.2600.3394] . . c:\windows\$NtServicePackUninstall$\tcpip.sys
[7] 2008-06-20 . 744E57C99232201AE98C49168B918F48 . 360960 . . [5.1.2600.3394] . . c:\windows\$hf_mig$\KB951748\SP2QFE\tcpip.sys
[7] 2008-04-13 . 93EA8D04EC73A85DB02EB8805988F733 . 361344 . . [5.1.2600.5512] . . c:\windows\$NtUninstallKB951748$\tcpip.sys
[7] 2008-04-13 . 93EA8D04EC73A85DB02EB8805988F733 . 361344 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\tcpip.sys
[-] 2007-10-30 . 90CAFF4B094573449A0872A0F919B178 . 360064 . . [5.1.2600.3244] . . c:\windows\$NtUninstallKB951748_0$\tcpip.sys
[-] 2007-10-30 . 64798ECFA43D78C7178375FCDD16D8C8 . 360832 . . [5.1.2600.3244] . . c:\windows\$hf_mig$\KB941644\SP2QFE\tcpip.sys
[-] 2007-07-24 . 8D8949936913B041C6A0E184FBF1030B . 359808 . . [5.1.2600.2892] . . c:\windows\$NtUninstallKB941644$\tcpip.sys
[-] 2006-04-20 . B2220C618B42A2212A59D91EBD6FC4B4 . 360576 . . [5.1.2600.2892] . . c:\windows\$hf_mig$\KB917953\SP2QFE\tcpip.sys
[7] 2004-08-20 . 9F4B36614A0FC234525BA224957DE55C . 359040 . . [5.1.2600.2180] . . c:\windows\$NtUninstallKB917953$\tcpip.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GladinetIconOverlay]
@="{3C3DC57A-7535-48AF-BB9E-C3576A4F34D0}"
[HKEY_CLASSES_ROOT\CLSID\{3C3DC57A-7535-48AF-BB9E-C3576A4F34D0}]
2009-01-29 01:22 41680 ----a-w- c:\archivos de programa\Gladinet\Gladinet Cloud Desktop\GlOverlayIcon.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\archivos de programa\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-04 68856]
"QuickSoundSwitch"="c:\documents and settings\Alberto\Mis documentos\Downloads\QuickSoundSwitch.exe" [2007-04-05 110592]
"MsnMsgr"="c:\archivos de programa\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
"SpybotSD TeaTimer"="c:\archivos de programa\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"MoeMonitor.exe"="c:\documents and settings\Alberto\Configuración local\Datos de programa\Microsoft\Live Mesh\Bin\Servicing\0.9.4014.7\MoeMonitor.exe" [2009-06-26 1315152]
"SUPERAntiSpyware"="c:\archivos de programa\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-11-16 2001648]
"PC Suite Tray"="c:\archivos de programa\Nokia\Nokia PC Suite 7\PCSuite.exe" [2009-06-25 1414144]
"Nokia.PCSync"="c:\archivos de programa\Nokia\Nokia PC Suite 7\PcSync2.exe" [2009-06-23 745472]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NokiaMServer"="c:\archivos de programa\Archivos comunes\Nokia\MPlatform\NokiaMServer" [X]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 110592]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-02-26 131072]
"itype"="c:\archivos de programa\Microsoft IntelliType Pro\itype.exe" [2006-11-21 813912]
"Google Desktop Search"="c:\archivos de programa\Google\Google Desktop Search\GoogleDesktop.exe" [2008-09-27 29744]
"AVG8_TRAY"="c:\archiv~1\AVG\AVG8\avgtray.exe" [2009-11-26 2029336]
"Adobe Reader Speed Launcher"="c:\archivos de programa\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2009-10-03 39792]
"Adobe ARM"="c:\archivos de programa\Archivos comunes\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]
"Malwarebytes Anti-Malware (reboot)"="c:\archivos de programa\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"PWRISOVM.EXE"="c:\archivos de programa\PowerISO\PWRISOVM.EXE" [2008-03-14 233472]

c:\documents and settings\Alberto\Men£ Inicio\Programas\Inicio\
Microsoft Office Outlook 2007.lnk - c:\windows\Installer\{91120000-002E-0000-0000-0000000FF1CE}\outicon.exe [2007-4-13 845584]
Recorte de pantalla e Inicio r pido de OneNote 2007.lnk - c:\archivos de programa\Microsoft Office\Office12\ONENOTEM.EXE [2007-12-7 101440]

c:\documents and settings\All Users\Men£ Inicio\Programas\Inicio\
Bluetooth.lnk - c:\archivos de programa\WIDCOMM\Bluetooth Software\BTTray.exe [2006-4-12 643133]
Gladinet Cloud Desktop.lnk.disabled [2009-11-12 2501]
Microsoft Office.lnk - c:\archivos de programa\Microsoft Office\Office\OSA9.EXE [2000-1-21 65588]

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\3]
Source= c:\documents and settings\Alberto\Mis documentos\SnowReport-Las Leñas.html
FriendlyName=

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\archivos de programa\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-10-22 19:51 548352 ----a-w- c:\archivos de programa\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wlcrdplauncher]
2009-06-26 14:37 21840 ----a-w- c:\archivos de programa\Live Mesh\Remote Desktop\wlcrdplauncher.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-15 01:42 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Microsoft Office Groove Audit Service"=3 (0x3)
"JavaQuickStarterService"=2 (0x2)
"iPod Service"=3 (0x3)
"gusvc"=3 (0x3)
"GoogleDesktopManager-061008-081103"=3 (0x3)
"AxSVCPlanificador"=3 (0x3)
"AxSVCControladorAccesoRemoto"=3 (0x3)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"amok ante"=c:\docume~1\Alberto\DATOSD~1\MPEGBO~1\Online Camp.exe
"ctfmon.exe"=c:\windows\system32\ctfmon.exe
"aff"=c:\archivos de programa\aRGENTeaM\aRGENTeaM File Feeder\aff.exe
"Xmarks"=c:\archivos de programa\Xmarks\IE Extension\xmarkssync.exe -q

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Adobe Reader Speed Launcher"="c:\archivos de programa\Adobe\Reader 8.0\Reader\Reader_sl.exe"
"Adobe Photo Downloader"="c:\archivos de programa\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
"QuickTime Task"="c:\archivos de programa\QuickTime\qttask.exe" -atboottime
"SunJavaUpdateSched"="c:\archivos de programa\Java\jre1.6.0_07\bin\jusched.exe"
"iTunesHelper"="c:\archivos de programa\iTunes\iTunesHelper.exe"
"Family Tree Builder Update"=c:\archivos de programa\MyHeritage\Bin\FTBCheckUpdates.exe
"Persistence"=c:\windows\system32\igfxpers.exe
"HotKeysCmds"=c:\windows\system32\hkcmd.exe
"NeroFilterCheck"=c:\windows\system32\NeroCheck.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Archivos de programa\\iTunes\\iTunes.exe"=
"c:\\Archivos de programa\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Archivos de programa\\uTorrent\\uTorrent.exe"=
"c:\\Archivos de programa\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Archivos de programa\\Gladinet\\Gladinet Cloud Desktop\\GladinetClient.exe"=
"c:\\Archivos de programa\\Live Mesh\\Remote Desktop\\wlcrasvc.exe"=
"c:\\Documents and Settings\\Alberto\\Configuración local\\Datos de programa\\Microsoft\\Live Mesh\\GacBase\\Moe.exe"=
"c:\\Archivos de programa\\Windows Live\\Messenger\\msnmsgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [27/06/2008 11:01 335240]
R1 SASDIFSV;SASDIFSV;c:\archivos de programa\SUPERAntiSpyware\sasdifsv.sys [23/03/2009 14:07 9968]
R1 SASKUTIL;SASKUTIL;c:\archivos de programa\SUPERAntiSpyware\SASKUTIL.SYS [23/03/2009 14:07 74480]
R2 altio;altio;c:\windows\system32\altio.sys [16/01/2008 11:27 3200]
R2 avg8wd;AVG8 WatchDog;c:\archiv~1\AVG\AVG8\avgwdsvc.exe [03/02/2009 22:12 297752]
R2 vnccom;vnccom;c:\windows\system32\drivers\vnccom.SYS [30/04/2007 13:04 6016]
R2 wlcrasvc;Live Mesh Remote Desktop;c:\archivos de programa\Live Mesh\Remote Desktop\wlcrasvc.exe [03/04/2009 13:26 44880]
R3 PAC207;VideoCAM GE111;c:\windows\system32\drivers\PFC027.sys [08/04/2005 10:46 162176]
R3 RDPDISPM;RDPDISPM;c:\windows\system32\drivers\rdpdispm.sys [03/04/2009 13:26 9024]
R3 RDPVDD;RDPVDD;c:\windows\system32\drivers\rdpvmp.sys [03/04/2009 13:26 19392]
R3 SASENUM;SASENUM;c:\archivos de programa\SUPERAntiSpyware\SASENUM.SYS [23/03/2009 14:07 7408]
S0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [22/11/2007 11:52 685816]
S2 duwdpry;Update Image;c:\windows\system32\svchost.exe -k netsvcs [20/08/2004 09:00 14336]
S2 ebtwroyp;Universal Image;c:\windows\system32\svchost.exe -k netsvcs [20/08/2004 09:00 14336]
S2 udmddyzg;Manager Installer;c:\windows\system32\svchost.exe -k netsvcs [20/08/2004 09:00 14336]
S3 DCMService;DivX Content Management Service;c:\archivos de programa\DivX\DivX Connected\Bin\DivX Connected\DivXConnectedService.exe [29/01/2008 14:59 49152]
S3 nmwcdnsu;Nokia USB Flashing Phone Parent;c:\windows\system32\drivers\nmwcdnsu.sys [18/08/2009 11:07 136704]
S3 nmwcdnsuc;Nokia USB Flashing Generic;c:\windows\system32\drivers\nmwcdnsuc.sys [18/08/2009 11:07 8320]
S3 tap08168;Gladinet Virtual Adapter;c:\windows\system32\drivers\tap08168.sys [12/03/2009 09:22 30544]
S3 VSPerfDrv;Performance Tools Driver;c:\archivos de programa\Microsoft Visual Studio 8\Team Tools\Performance Tools\VSPerfDrv.sys [02/12/2006 03:10 48128]
S4 AxSVCControladorAccesoRemoto;Axoft - Controlador de Acceso Remoto;c:\archivos de programa\TANGO GESTION\Cliente\EXE\AxServicioControladorAccesoRemoto.Exe [12/04/2007 10:28 1603584]
S4 AxSVCPlanificador;Axoft - Servicio de Ejecución Planificada;c:\archivos de programa\TANGO GESTION\Cliente\EXE\AxServicioPlanificador.Exe [12/04/2007 10:28 2108416]
S4 GoogleDesktopManager-061008-081103;Administrador de Google Desktop 5.7.806.10245;c:\archivos de programa\Google\Google Desktop Search\GoogleDesktop.exe [24/05/2007 17:35 29744]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\archivos de programa\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe [02/12/2006 06:17 2805000]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
ebtwroyp
udmddyzg
duwdpry
.
------- Supplementary Scan -------
.
uStart Page = hxxp://intranet:8080/default.aspx
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xportar a Microsoft Excel - c:\archiv~1\MICROS~3\Office12\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\archivos de programa\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
Trusted Zone: 23m008
DPF: {22611F8E-2FC5-4440-B261-C52A420B8D2A} - hxxp://xpw150/VortexIPFrontEnd/VortexIP-ActiveXLive.CAB
DPF: {33636E16-9C2B-41DE-9D32-C185A975D95B} - hxxp://craig.dyndns.ws:35990/DVRViewer/DVRViewer.cab
DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - hxxp://www.bitdefender.es/scan_es/scan8/oscan8.cab
DPF: {66D393D5-4D80-497C-9F4F-F3839E090202} - hxxp://www.pysoft.com/Downloads/WebCamPlayerOCX.cab
DPF: {7A408D93-67FD-43FC-8DD4-D46701A7A07D} - hxxp://192.168.0.32/nvEPLMedia.dll
DPF: {7B133798-FAA8-4A7E-950D-BEB35D3363AF} - hxxp://craig.dyndns.ws:36000/img/LinksysViewer.cab
DPF: {86F01A24-1CE1-47A9-ABCC-9BDCFCDEBE4D} - hxxp://xpw150/VortexIPFrontEnd/VortexIP-ActiveXPlayer.CAB
DPF: {A3E21079-7F41-4125-9EBB-FD44CFCC0AC1} - hxxps://www.mesh.com/0.9.3424.31/TSWeb.cab
DPF: {A6F36F3F-3AE0-458B-AFC4-AA82565E0BF8} - hxxp://www.ipstreamingservice.com/download/TCP_2.0/nvUnifiedControl.Dll
DPF: {B0C77EBC-5250-4913-A245-BFA796A36C72} - hxxp://toolbar.dhl.com/setup_ext_v1.cab
DPF: {B91012E3-3DC4-442B-B5C7-35BF3857D215} - hxxp://192.168.0.133/nvEncoderMedia.dll
DPF: {BC165EA0-F79E-4F12-8493-80679EB5BEC2} - hxxp://ishwood.selfip.com:8080/applet/XCast.cab
DPF: {BE30D547-EE96-4D6B-B9A3-57777E9F0A9C} - hxxp://127.0.0.1/tcpaswtu/activex/common/bin/go1984Viewer.ocx
DPF: {D37BB1D6-A878-4721-9A64-77E6C9D44865} - hxxps://wsec02.bancogalicia.com.ar/scripts/components/cryptoclient/GalCryptoComponents1019.cab
FF - ProfilePath - c:\documents and settings\Alberto\Datos de programa\Mozilla\Firefox\Profiles\i1zj7ibr.default\
FF - prefs.js: browser.search.selectedEngine - Google Argentina
FF - prefs.js: browser.startup.homepage - hxxp://intranet:8080/default.aspx|http://www.google.com.ar/ig?hl=es&source=iglk
FF - component: c:\archivos de programa\Nokia\Nokia PC Suite 7\bkmrksync\components\BkMrkExt.dll
FF - component: c:\documents and settings\Alberto\Datos de programa\Mozilla\Firefox\Profiles\i1zj7ibr.default\extensions\support@lastpass.com\platform\WINNT_x86-msvc\components\lpxpcom.dll
FF - plugin: c:\archivos de programa\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\archivos de programa\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\archivos de programa\Mozilla Firefox\plugins\npsharedview.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-05 20:54
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\duwdpry]
"ServiceDll"="c:\windows\system32\zattgcc.dll"
--

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ebtwroyp]
"ServiceDll"="c:\windows\system32\zattgcc.dll"
--

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\udmddyzg]
"ServiceDll"="c:\windows\system32\zattgcc.dll"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-181276381-474613590-122644288-1002\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{4A659FFE-0202-6123-A7C7-97578F4922DC}*]
"iaklbpdmloadfaeghd"=hex:6b,61,66,6c,6e,61,62,70,66,6d,66,63,6e,62,70,68,6e,61,
62,66,67,6f,00,7c
"jaallfhnkolecbjikcaf"=hex:6b,61,65,6c,6d,61,70,62,6f,6e,70,66,68,6c,62,6b,6d,
69,67,68,67,70,00,7c

[HKEY_USERS\S-1-5-21-181276381-474613590-122644288-1002\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{E09BFD2B-2E0F-2968-B3E5-1E0D85C40F4A}*]
"iamjbdgoghnbacppnn"=hex:6b,61,6a,6f,6a,6d,62,68,63,63,69,69,69,6b,70,63,64,66,
61,69,63,6c,00,00
"hakjmmcimnffojbn"=hex:6b,61,6a,6f,6a,6d,62,68,63,63,69,69,69,6b,70,63,64,66,
61,69,63,6c,00,00
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(948)
c:\archivos de programa\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
c:\windows\system32\igfxdev.dll
.
Completion time: 2009-12-05 20:57
ComboFix-quarantined-files.txt 2009-12-05 23:57
ComboFix2.txt 2009-11-26 20:24

Pre-Run: 47 559 335 936 bytes libres
Post-Run: 47 552 745 472 bytes libres

- - End Of File - - 602EF6849A29D5D0BE3DFA4E7BECBF56
========================= END OF COMBOFIX LOG ===============================

#8 extremeboy (Malware Response Team)

Posted 05 December 2009 - 09:56 PM

Hello.

"Surprised to see you working on Saturday. Is my PC in a better shape now?"

Not the first time I worked on Saturdays :( Better, but not 100% complete or clean yet. ;)

Run ComboFix with CFScript

We will run ComboFix again. This time, the instructions are slightly different.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are unsure how.
  • Open notepad (Start>Run>"notepad") and copy/paste the text in the quotebox below into it:
    Registry::
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NokiaMServer"=-
    Driver::
    duwdpry
    ebtwroyp
    udmddyzg
    Netsvc::
    ebtwroyp
    udmddyzg
    duwdpry
    File::
    c:\windows\system32\zattgcc.dll
    RegNull::
    [HKEY_USERS\S-1-5-21-181276381-474613590-122644288-1002\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{E09BFD2B-2E0F-2968-B3E5-1E0D85C40F4A}*]
    [HKEY_USERS\S-1-5-21-181276381-474613590-122644288-1002\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{4A659FFE-0202-6123-A7C7-97578F4922DC}*]
    Save this as CFScript.txt, in the same location as ComboFix.exe. (This should be your desktop.)
    [Image: CFScript.txt being dragged onto ComboFix.exe]
    Referring to the picture above, drag CFScript.txt onto ComboFix.exe.
When finished, it shall produce a log for you at "C:\ComboFix.txt". Post back with that log.

Do not mouse-click ComboFix's window while it's running; that may cause it to stall.

Download and run MalwareBytes Anti-Malware

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
  • Make sure you are connected to the Internet.
  • Double-click on Download_mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Quick Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

For complete or visual instructions on installing and running Malwarebytes Anti-Malware please read this link

Run a new scan with GMER and post the log for me to review please.

Looking good so far.

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#9 Alberto L

Alberto L
  • Topic Starter

  • Members
  • 10 posts
  • Local time:06:26 AM

Posted 06 December 2009 - 12:04 AM

Well ... MBAM says no malware was detected, and GMER doesn't show any suspicious entry !!! Wow !!!!

Anyway, I'm pasting the ComboFix and GMER logs as requested.

I really appreciate your help. You are a genius !!!

Could you explain to me a bit the kind of animal you have helped me to kill ??

How may I have got it ?

How may I prevent it from reappearing ?

What's the damage it could have done ?

I guess the same kind of bug may be on other PCs on our LAN. May I follow the same steps on the other machines ? Or should we start a post requesting help for everyone ?

Thank you very much for your help !!!


Forever grateful,

Alberto.

================= MBAM LOG ===============
Malwarebytes' Anti-Malware 1.42
Database version: 3303
Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

06/12/2009 01:42:06
mbam-log-2009-12-06 (01-42-06).txt

Scan type: Quick Scan
Objects scanned: 141977
Time elapsed: 4 minute(s), 54 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
============== END OF MBAM LOG ===============

================= GMER LOG ===============
GMER 1.0.15.15252 - http://www.gmer.net
Rootkit scan 2009-12-06 01:53:16
Windows 5.1.2600 Service Pack 3
Running: zed6fgbn.exe; Driver: C:\DOCUME~1\Alberto\CONFIG~1\Temp\fwtdipoc.sys


---- System - GMER 1.0.15 ----

SSDT sptd.sys ZwCreateKey [0xB9EBE0D0]
SSDT sptd.sys ZwEnumerateKey [0xB9EC3FB2]
SSDT sptd.sys ZwEnumerateValueKey [0xB9EC4340]
SSDT sptd.sys ZwOpenKey [0xB9EBE0B0]
SSDT sptd.sys ZwQueryKey [0xB9EC4418]
SSDT sptd.sys ZwQueryValueKey [0xB9EC4298]
SSDT sptd.sys ZwSetValueKey [0xB9EC44AA]
SSDT \??\C:\Archivos de programa\SUPERAntiSpyware\SASKUTIL.sys (SASKUTIL.SYS/SUPERAdBlocker.com and SUPERAntiSpyware.com) ZwTerminateProcess [0xA8BB90B0]

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 8A6701E8
Device \FileSystem\Fastfat \FatCdrom 8A2AC448
Device \Driver\usbuhci \Device\USBPDO-0 8A4B01E8
Device \Driver\dmio \Device\DmControl\DmIoDaemon 8A6E31E8
Device \Driver\dmio \Device\DmControl\DmConfig 8A6E31E8
Device \Driver\dmio \Device\DmControl\DmPnP 8A6E31E8
Device \Driver\dmio \Device\DmControl\DmInfo 8A6E31E8
Device \Driver\usbuhci \Device\USBPDO-1 8A4B01E8
Device \Driver\usbehci \Device\USBPDO-2 8A499790
Device \Driver\usbuhci \Device\USBPDO-3 8A4B01E8
Device \Driver\usbuhci \Device\USBPDO-4 8A4B01E8
Device \Driver\usbuhci \Device\USBPDO-5 8A4B01E8
Device \Driver\usbehci \Device\USBPDO-6 8A499790
Device \Driver\Ftdisk \Device\HarddiskVolume1 8A6721E8
Device \Driver\PCI_NTPNP0756 \Device\00000058 sptd.sys
Device \Driver\Cdrom \Device\CdRom0 8A4741E8
Device \Driver\Cdrom \Device\CdRom1 8A4741E8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 [B9E11B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdePort0 [B9E11B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdePort1 [B9E11B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdePort2 [B9E11B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdePort3 [B9E11B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdePort4 [B9E11B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdePort5 [B9E11B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdeDeviceP5T0L0-16 [B9E11B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\NetBT \Device\NetBt_Wins_Export 8A1EB790
Device \Driver\NetBT \Device\NetbiosSmb 8A1EB790
Device \Driver\usbuhci \Device\USBFDO-0 8A4B01E8
Device \Driver\usbuhci \Device\USBFDO-1 8A4B01E8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 8A38F690
Device \Driver\usbehci \Device\USBFDO-2 8A499790
Device \FileSystem\MRxSmb \Device\LanmanRedirector 8A38F690
Device \Driver\NetBT \Device\NetBT_Tcpip_{578B007C-BF95-446E-9DE6-56D4651D8C4A} 8A1EB790
Device \Driver\usbuhci \Device\USBFDO-3 8A4B01E8
Device \Driver\usbuhci \Device\USBFDO-4 8A4B01E8
Device \Driver\Ftdisk \Device\FtControl 8A6721E8
Device \Driver\usbuhci \Device\USBFDO-5 8A4B01E8
Device \Driver\usbehci \Device\USBFDO-6 8A499790
Device \Driver\aunmb3am \Device\Scsi\aunmb3am1Port6Path0Target0Lun0 8A4311E8
Device \Driver\aunmb3am \Device\Scsi\aunmb3am1 8A4311E8
Device \FileSystem\Fastfat \Fat 8A2AC448

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device \FileSystem\Cdfs \Cdfs 8A2BE418

---- EOF - GMER 1.0.15 ----
============== END OF GMER LOG ===============

#10 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • Gender:Male
  • Local time:05:26 AM

Posted 06 December 2009 - 10:23 AM

Hello.

Could you explain to me a bit the kind of animal you have helped me to kill ??

You have a few infections on your system, but the main "animal" we removed appears to be related to the conficker infection.

How may I have got it ?

You could have got it in a variety of ways. This worm mainly spreads over the network. It can also spread via removable drives (autoplay/run) and P2P programs. I will provide you with some prevention tips at the end to help reduce such risks once we are done. :(

I guess the same kind of bug may be on other PCs on our LAN. May I follow the same steps on the other machines ? Or should we start a post requesting help for everyone ?

If there are other computers you want to check, it would be better if you start a new topic.

What's the damage it could have done ?

I would strongly recommend you:

If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable.

--

Thanks for those logs, but I think you forgot to post the Combofix log. ;)

It's in your C:\ drive.

With Regards,
Extremeboy
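As a defender-side illustration of what GMER's "hidden" service finding means, here is an added PowerShell check (my own, not from this thread, GMER or ComboFix) that compares the services listed in the registry with those the Service Control Manager reports; the svchost.exe/auto-start filter mirrors the duwdpry, ebtwroyp and udmddyzg entries in this thread's logs, while the script itself is an assumption of mine.

```powershell
# Added example (not part of this thread): cross-view check for Windows services
# that exist under the Services registry key but are not reported by the Service
# Control Manager (SCM). The hidden svchost-hosted services GMER flagged in this
# thread (duwdpry, ebtwroyp, udmddyzg) are exactly this kind of discrepancy.
# Run from an elevated PowerShell prompt (PowerShell 3.0 or later).

$servicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'

# View 1: the registry. Type 0x10 = own-process service, 0x20 = shared-process
# service (svchost-hosted); other Type values are kernel or file-system drivers.
$registryView = foreach ($key in Get-ChildItem -Path $servicesKey) {
    $props = Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue
    if ($null -ne $props.Type -and ($props.Type -band 0x30)) {
        [PSCustomObject]@{
            Name      = $key.PSChildName
            Start     = $props.Start          # 2 = AUTO_START, GMER's "[AUTO]"
            ImagePath = [string]$props.ImagePath
        }
    }
}

# View 2: the SCM API, which is the view services.msc and Get-Service rely on.
$scmView = @(Get-Service -ErrorAction SilentlyContinue | Select-Object -ExpandProperty Name)

# Services the registry knows about but the SCM does not report.
$notInScm = $registryView | Where-Object { $scmView -notcontains $_.Name }

# Narrow to the pattern seen in this thread: auto-start entries hosted by svchost.exe.
$suspicious = $notInScm | Where-Object {
    $_.Start -eq 2 -and $_.ImagePath -match 'svchost\.exe'
}

if ($suspicious) {
    Write-Output 'Auto-start svchost-hosted services in the registry but missing from the SCM view:'
    $suspicious | Format-Table Name, Start, ImagePath -AutoSize
} else {
    Write-Output 'No registry/SCM discrepancy found for auto-start svchost-hosted services.'
}
```

Both views are taken from user mode, so a kernel driver that filters registry enumeration can hide entries from this script as well (the GMER log above lists SSDT hooks on ZwEnumerateKey and ZwEnumerateValueKey, which is the kind of hook that makes this possible); treat a clean result as triage, not as proof, and confirm with a scanner that reads raw kernel structures or with an offline scan.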

#11 Alberto L

Alberto L
  • Topic Starter

  • Members
  • 10 posts
  • Local time:06:26 AM

Posted 06 December 2009 - 11:14 AM

Hi extremeboy,

Sorry for the delay. I took some time to sleep (my last post waiting for the scans to complete was 2 AM here in Buenos Aires)


Thanks for those logs, but I think you forgot to post the Combofix log. ;)

It's in your C:\ drive.


Ohh, I'm sorry !! Posted. In the meantime I'll do some googling for "conficker". Intrigued !! :( :(

Thank you very much !!!


Alberto


======================== COMBOFIX LOG =============================
ComboFix 09-12-05.03 - Alberto 06/12/2009 0:15.3.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.54.3082.18.2022.1257 [GMT -3:00]
Running from: c:\documents and settings\Alberto\Escritorio\ComboFix.exe
Command switches used :: c:\documents and settings\Alberto\Escritorio\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

FILE ::
"c:\windows\system32\zattgcc.dll"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_DUWDPRY
-------\Legacy_EBTWROYP
-------\Legacy_UDMDDYZG
-------\Service_duwdpry
-------\Service_ebtwroyp
-------\Service_udmddyzg


((((((((((((((((((((((((( Files Created from 2009-11-06 to 2009-12-06 )))))))))))))))))))))))))))))))
.

2009-11-26 19:26 . 2009-09-10 17:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-26 19:26 . 2009-11-26 19:26 -------- d-----w- c:\archivos de programa\Malwarebytes' Anti-Malware
2009-11-26 19:26 . 2009-09-10 17:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-26 01:53 . 2009-11-06 02:30 2064152 ----a-w- c:\documents and settings\All Users\Datos de programa\avg8\update\backup\avgcorex.dll
2009-11-16 19:03 . 2009-11-16 19:03 -------- d-----w- c:\archivos de programa\TreePadLite4
2009-11-16 18:59 . 2009-11-16 19:03 -------- d-----w- c:\archivos de programa\Swift To-Do List
2009-11-12 15:32 . 2009-10-30 01:56 613888 ----a-w- c:\documents and settings\Alberto\Datos de programa\Mozilla\Firefox\Profiles\i1zj7ibr.default\extensions\support@lastpass.com\platform\WINNT_x86-msvc\components\lpxpcom.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-23 17:02 . 2007-10-05 13:16 304160 ----a-w- C:\StiImg.dat
2009-11-18 23:46 . 2009-02-16 15:45 -------- d-----w- c:\archivos de programa\Microsoft
2009-11-17 16:18 . 2007-04-11 18:06 -------- d--h--w- c:\archivos de programa\InstallShield Installation Information
2009-11-17 16:08 . 2007-12-12 19:31 -------- d-----w- c:\archivos de programa\Digicard Sistemas
2009-11-16 13:34 . 2009-04-28 19:26 -------- d-----w- c:\archivos de programa\SUPERAntiSpyware
2009-11-06 21:02 . 2009-03-17 17:32 -------- d-----w- c:\documents and settings\Alberto\Datos de programa\Skype
2009-11-06 02:31 . 2008-06-27 14:00 -------- d-----w- c:\documents and settings\All Users\Datos de programa\avg8
2009-11-03 19:17 . 2007-04-12 14:39 -------- d-----w- c:\documents and settings\All Users\Datos de programa\Microsoft Help
2009-11-03 19:08 . 2009-07-30 14:59 -------- d-----w- c:\documents and settings\Alberto\Datos de programa\authorPOINT
2009-10-30 13:03 . 2007-05-10 22:59 -------- d-----w- c:\documents and settings\All Users\Datos de programa\Installations
2009-10-30 13:02 . 2007-11-20 19:17 -------- d-----w- c:\archivos de programa\Archivos comunes\Nokia
2009-10-30 12:54 . 2009-10-30 12:54 3351812 ----a-w- c:\documents and settings\All Users\Datos de programa\Installations\{4C911A61-39EA-41CC-AB3C-FE3BFFDB5F78}\Installer\CommonCustomActions\msxml6Exec.exe
2009-10-30 12:54 . 2009-10-30 12:54 36864 ----a-w- c:\documents and settings\All Users\Datos de programa\Installations\{4C911A61-39EA-41CC-AB3C-FE3BFFDB5F78}\Installer\CommonCustomActions\Sleep.exe
2009-10-30 12:54 . 2009-10-30 12:54 3203453 ----a-w- c:\documents and settings\All Users\Datos de programa\Installations\{4C911A61-39EA-41CC-AB3C-FE3BFFDB5F78}\Installer\CommonCustomActions\vcredistExec.exe
2009-10-30 12:54 . 2009-10-30 13:01 24416256 ----a-w- c:\documents and settings\All Users\Datos de programa\Installations\{4C911A61-39EA-41CC-AB3C-FE3BFFDB5F78}\NokiaSoftwareUpdaterSetup_1.8.10ES.exe
2009-10-23 20:53 . 2009-10-23 20:53 851968 ----a-w- c:\documents and settings\Alberto\Datos de programa\Sun\Java\Deployment\cache\6.0\30\58313d1e-7e35afb2-n\dsj.dll
2009-10-23 17:25 . 2009-10-23 17:24 165232 ---ha-w- c:\documents and settings\Alberto\Datos de programa\Microsoft\Virtual PC\VPCKeyboard.dll
2009-10-22 20:26 . 2007-05-11 18:52 -------- d-----w- c:\archivos de programa\Spybot - Search & Destroy
2009-10-22 20:17 . 2007-05-11 18:52 -------- d-----w- c:\documents and settings\All Users\Datos de programa\Spybot - Search & Destroy
2009-10-22 19:52 . 2009-04-28 19:29 117760 ----a-w- c:\documents and settings\Alberto\Datos de programa\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-10-21 14:24 . 2007-04-12 16:00 -------- d-----w- c:\archivos de programa\Archivos comunes\Adobe
2009-10-08 20:34 . 2004-08-20 12:00 558592 ----a-w- c:\windows\system32\perfh00A.dat
2009-10-08 20:34 . 2004-08-20 12:00 110864 ----a-w- c:\windows\system32\perfc00A.dat
2009-10-08 20:33 . 2009-10-08 20:33 -------- d-----w- c:\archivos de programa\Microsoft Virtual PC
2009-09-15 17:06 . 2009-09-15 17:06 1925024 ------w- c:\documents and settings\All Users\Datos de programa\NOS\Adobe_Downloads\install_flash_player.exe
2009-03-12 15:56 . 2009-03-12 16:18 374197 ----a-w- c:\archivos de programa\wmvmuxer-final-1.0.zip
2006-05-03 10:06 . 2009-03-12 16:56 163328 --sh--r- c:\windows\system32\flvDX.dll
2007-02-21 11:47 . 2009-03-12 16:56 31232 --sh--r- c:\windows\system32\msfDX.dll
2008-03-16 13:30 . 2009-03-12 16:56 216064 --sh--r- c:\windows\system32\nbDX.dll
.

------- Sigcheck -------

[7] 2008-06-20 . AD978A1B783B5719720CFF204B666C8E . 361600 . . [5.1.2600.5625] . . c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
[7] 2008-06-20 . 9AEFA14BD6B182D61E3119FA5F436D3D . 361600 . . [5.1.2600.5625] . . c:\windows\$hf_mig$\KB951748\SP3GDR\tcpip.sys
[7] 2008-06-20 . 9AEFA14BD6B182D61E3119FA5F436D3D . 361600 . . [5.1.2600.5625] . . c:\windows\system32\dllcache\tcpip.sys
[-] 2008-06-20 . CBEEBEB899E31EF52B962CB31FC8CA5C . 361600 . . [5.1.2600.5625] . . c:\windows\system32\drivers\tcpip.sys
[7] 2008-06-20 . 2A5554FC5B1E04E131230E3CE035C3F9 . 360320 . . [5.1.2600.3394] . . c:\windows\$NtServicePackUninstall$\tcpip.sys
[7] 2008-06-20 . 744E57C99232201AE98C49168B918F48 . 360960 . . [5.1.2600.3394] . . c:\windows\$hf_mig$\KB951748\SP2QFE\tcpip.sys
[7] 2008-04-13 . 93EA8D04EC73A85DB02EB8805988F733 . 361344 . . [5.1.2600.5512] . . c:\windows\$NtUninstallKB951748$\tcpip.sys
[7] 2008-04-13 . 93EA8D04EC73A85DB02EB8805988F733 . 361344 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\tcpip.sys
[-] 2007-10-30 . 90CAFF4B094573449A0872A0F919B178 . 360064 . . [5.1.2600.3244] . . c:\windows\$NtUninstallKB951748_0$\tcpip.sys
[-] 2007-10-30 . 64798ECFA43D78C7178375FCDD16D8C8 . 360832 . . [5.1.2600.3244] . . c:\windows\$hf_mig$\KB941644\SP2QFE\tcpip.sys
[-] 2007-07-24 . 8D8949936913B041C6A0E184FBF1030B . 359808 . . [5.1.2600.2892] . . c:\windows\$NtUninstallKB941644$\tcpip.sys
[-] 2006-04-20 . B2220C618B42A2212A59D91EBD6FC4B4 . 360576 . . [5.1.2600.2892] . . c:\windows\$hf_mig$\KB917953\SP2QFE\tcpip.sys
[7] 2004-08-20 . 9F4B36614A0FC234525BA224957DE55C . 359040 . . [5.1.2600.2180] . . c:\windows\$NtUninstallKB917953$\tcpip.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GladinetIconOverlay]
@="{3C3DC57A-7535-48AF-BB9E-C3576A4F34D0}"
[HKEY_CLASSES_ROOT\CLSID\{3C3DC57A-7535-48AF-BB9E-C3576A4F34D0}]
2009-01-29 01:22 41680 ----a-w- c:\archivos de programa\Gladinet\Gladinet Cloud Desktop\GlOverlayIcon.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\archivos de programa\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-04 68856]
"QuickSoundSwitch"="c:\documents and settings\Alberto\Mis documentos\Downloads\QuickSoundSwitch.exe" [2007-04-05 110592]
"MsnMsgr"="c:\archivos de programa\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
"SpybotSD TeaTimer"="c:\archivos de programa\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"MoeMonitor.exe"="c:\documents and settings\Alberto\Configuración local\Datos de programa\Microsoft\Live Mesh\Bin\Servicing\0.9.4014.7\MoeMonitor.exe" [2009-06-26 1315152]
"SUPERAntiSpyware"="c:\archivos de programa\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-11-16 2001648]
"PC Suite Tray"="c:\archivos de programa\Nokia\Nokia PC Suite 7\PCSuite.exe" [2009-06-25 1414144]
"Nokia.PCSync"="c:\archivos de programa\Nokia\Nokia PC Suite 7\PcSync2.exe" [2009-06-23 745472]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 110592]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-02-26 131072]
"itype"="c:\archivos de programa\Microsoft IntelliType Pro\itype.exe" [2006-11-21 813912]
"Google Desktop Search"="c:\archivos de programa\Google\Google Desktop Search\GoogleDesktop.exe" [2008-09-27 29744]
"AVG8_TRAY"="c:\archiv~1\AVG\AVG8\avgtray.exe" [2009-11-26 2029336]
"Adobe Reader Speed Launcher"="c:\archivos de programa\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2009-10-03 39792]
"Adobe ARM"="c:\archivos de programa\Archivos comunes\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]
"Malwarebytes Anti-Malware (reboot)"="c:\archivos de programa\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"PWRISOVM.EXE"="c:\archivos de programa\PowerISO\PWRISOVM.EXE" [2008-03-14 233472]

c:\documents and settings\Alberto\Men£ Inicio\Programas\Inicio\
Microsoft Office Outlook 2007.lnk - c:\windows\Installer\{91120000-002E-0000-0000-0000000FF1CE}\outicon.exe [2007-4-13 845584]
Recorte de pantalla e Inicio r pido de OneNote 2007.lnk - c:\archivos de programa\Microsoft Office\Office12\ONENOTEM.EXE [2007-12-7 101440]

c:\documents and settings\All Users\Men£ Inicio\Programas\Inicio\
Bluetooth.lnk - c:\archivos de programa\WIDCOMM\Bluetooth Software\BTTray.exe [2006-4-12 643133]
Gladinet Cloud Desktop.lnk.disabled [2009-11-12 2501]
Microsoft Office.lnk - c:\archivos de programa\Microsoft Office\Office\OSA9.EXE [2000-1-21 65588]

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\3]
Source= c:\documents and settings\Alberto\Mis documentos\SnowReport-Las Leñas.html
FriendlyName=

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\archivos de programa\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-10-22 19:51 548352 ----a-w- c:\archivos de programa\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wlcrdplauncher]
2009-06-26 14:37 21840 ----a-w- c:\archivos de programa\Live Mesh\Remote Desktop\wlcrdplauncher.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-15 01:42 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Microsoft Office Groove Audit Service"=3 (0x3)
"JavaQuickStarterService"=2 (0x2)
"iPod Service"=3 (0x3)
"gusvc"=3 (0x3)
"GoogleDesktopManager-061008-081103"=3 (0x3)
"AxSVCPlanificador"=3 (0x3)
"AxSVCControladorAccesoRemoto"=3 (0x3)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"amok ante"=c:\docume~1\Alberto\DATOSD~1\MPEGBO~1\Online Camp.exe
"ctfmon.exe"=c:\windows\system32\ctfmon.exe
"aff"=c:\archivos de programa\aRGENTeaM\aRGENTeaM File Feeder\aff.exe
"Xmarks"=c:\archivos de programa\Xmarks\IE Extension\xmarkssync.exe -q

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Adobe Reader Speed Launcher"="c:\archivos de programa\Adobe\Reader 8.0\Reader\Reader_sl.exe"
"Adobe Photo Downloader"="c:\archivos de programa\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
"QuickTime Task"="c:\archivos de programa\QuickTime\qttask.exe" -atboottime
"SunJavaUpdateSched"="c:\archivos de programa\Java\jre1.6.0_07\bin\jusched.exe"
"iTunesHelper"="c:\archivos de programa\iTunes\iTunesHelper.exe"
"Family Tree Builder Update"=c:\archivos de programa\MyHeritage\Bin\FTBCheckUpdates.exe
"Persistence"=c:\windows\system32\igfxpers.exe
"HotKeysCmds"=c:\windows\system32\hkcmd.exe
"NeroFilterCheck"=c:\windows\system32\NeroCheck.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Archivos de programa\\iTunes\\iTunes.exe"=
"c:\\Archivos de programa\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Archivos de programa\\uTorrent\\uTorrent.exe"=
"c:\\Archivos de programa\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Archivos de programa\\Gladinet\\Gladinet Cloud Desktop\\GladinetClient.exe"=
"c:\\Archivos de programa\\Live Mesh\\Remote Desktop\\wlcrasvc.exe"=
"c:\\Documents and Settings\\Alberto\\Configuración local\\Datos de programa\\Microsoft\\Live Mesh\\GacBase\\Moe.exe"=
"c:\\Archivos de programa\\Windows Live\\Messenger\\msnmsgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [22/11/2007 11:52 685816]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [27/06/2008 11:01 335240]
R1 SASDIFSV;SASDIFSV;c:\archivos de programa\SUPERAntiSpyware\sasdifsv.sys [23/03/2009 14:07 9968]
R1 SASKUTIL;SASKUTIL;c:\archivos de programa\SUPERAntiSpyware\SASKUTIL.SYS [23/03/2009 14:07 74480]
R2 altio;altio;c:\windows\system32\altio.sys [16/01/2008 11:27 3200]
R2 avg8wd;AVG8 WatchDog;c:\archiv~1\AVG\AVG8\avgwdsvc.exe [03/02/2009 22:12 297752]
R2 vnccom;vnccom;c:\windows\system32\drivers\vnccom.SYS [30/04/2007 13:04 6016]
R2 wlcrasvc;Live Mesh Remote Desktop;c:\archivos de programa\Live Mesh\Remote Desktop\wlcrasvc.exe [03/04/2009 13:26 44880]
R3 PAC207;VideoCAM GE111;c:\windows\system32\drivers\PFC027.sys [08/04/2005 10:46 162176]
R3 RDPDISPM;RDPDISPM;c:\windows\system32\drivers\rdpdispm.sys [03/04/2009 13:26 9024]
R3 RDPVDD;RDPVDD;c:\windows\system32\drivers\rdpvmp.sys [03/04/2009 13:26 19392]
R3 SASENUM;SASENUM;c:\archivos de programa\SUPERAntiSpyware\SASENUM.SYS [23/03/2009 14:07 7408]
S3 DCMService;DivX Content Management Service;c:\archivos de programa\DivX\DivX Connected\Bin\DivX Connected\DivXConnectedService.exe [29/01/2008 14:59 49152]
S3 nmwcdnsu;Nokia USB Flashing Phone Parent;c:\windows\system32\drivers\nmwcdnsu.sys [18/08/2009 11:07 136704]
S3 nmwcdnsuc;Nokia USB Flashing Generic;c:\windows\system32\drivers\nmwcdnsuc.sys [18/08/2009 11:07 8320]
S3 tap08168;Gladinet Virtual Adapter;c:\windows\system32\drivers\tap08168.sys [12/03/2009 09:22 30544]
S3 VSPerfDrv;Performance Tools Driver;c:\archivos de programa\Microsoft Visual Studio 8\Team Tools\Performance Tools\VSPerfDrv.sys [02/12/2006 03:10 48128]
S4 AxSVCControladorAccesoRemoto;Axoft - Controlador de Acceso Remoto;c:\archivos de programa\TANGO GESTION\Cliente\EXE\AxServicioControladorAccesoRemoto.Exe [12/04/2007 10:28 1603584]
S4 AxSVCPlanificador;Axoft - Servicio de Ejecución Planificada;c:\archivos de programa\TANGO GESTION\Cliente\EXE\AxServicioPlanificador.Exe [12/04/2007 10:28 2108416]
S4 GoogleDesktopManager-061008-081103;Administrador de Google Desktop 5.7.806.10245;c:\archivos de programa\Google\Google Desktop Search\GoogleDesktop.exe [24/05/2007 17:35 29744]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\archivos de programa\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe [02/12/2006 06:17 2805000]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
------- Supplementary Scan -------
.
uStart Page = hxxp://intranet:8080/default.aspx
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xportar a Microsoft Excel - c:\archiv~1\MICROS~3\Office12\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\archivos de programa\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
Trusted Zone: 23m008
DPF: {22611F8E-2FC5-4440-B261-C52A420B8D2A} - hxxp://xpw150/VortexIPFrontEnd/VortexIP-ActiveXLive.CAB
DPF: {33636E16-9C2B-41DE-9D32-C185A975D95B} - hxxp://craig.dyndns.ws:35990/DVRViewer/DVRViewer.cab
DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - hxxp://www.bitdefender.es/scan_es/scan8/oscan8.cab
DPF: {66D393D5-4D80-497C-9F4F-F3839E090202} - hxxp://www.pysoft.com/Downloads/WebCamPlayerOCX.cab
DPF: {7A408D93-67FD-43FC-8DD4-D46701A7A07D} - hxxp://192.168.0.32/nvEPLMedia.dll
DPF: {7B133798-FAA8-4A7E-950D-BEB35D3363AF} - hxxp://craig.dyndns.ws:36000/img/LinksysViewer.cab
DPF: {86F01A24-1CE1-47A9-ABCC-9BDCFCDEBE4D} - hxxp://xpw150/VortexIPFrontEnd/VortexIP-ActiveXPlayer.CAB
DPF: {A3E21079-7F41-4125-9EBB-FD44CFCC0AC1} - hxxps://www.mesh.com/0.9.3424.31/TSWeb.cab
DPF: {A6F36F3F-3AE0-458B-AFC4-AA82565E0BF8} - hxxp://www.ipstreamingservice.com/download/TCP_2.0/nvUnifiedControl.Dll
DPF: {B0C77EBC-5250-4913-A245-BFA796A36C72} - hxxp://toolbar.dhl.com/setup_ext_v1.cab
DPF: {B91012E3-3DC4-442B-B5C7-35BF3857D215} - hxxp://192.168.0.133/nvEncoderMedia.dll
DPF: {BC165EA0-F79E-4F12-8493-80679EB5BEC2} - hxxp://ishwood.selfip.com:8080/applet/XCast.cab
DPF: {BE30D547-EE96-4D6B-B9A3-57777E9F0A9C} - hxxp://127.0.0.1/tcpaswtu/activex/common/bin/go1984Viewer.ocx
DPF: {D37BB1D6-A878-4721-9A64-77E6C9D44865} - hxxps://wsec02.bancogalicia.com.ar/scripts/components/cryptoclient/GalCryptoComponents1019.cab
FF - ProfilePath - c:\documents and settings\Alberto\Datos de programa\Mozilla\Firefox\Profiles\i1zj7ibr.default\
FF - prefs.js: browser.search.selectedEngine - Google Argentina
FF - prefs.js: browser.startup.homepage - hxxp://intranet:8080/default.aspx|http://www.google.com.ar/ig?hl=es&source=iglk
FF - component: c:\archivos de programa\Nokia\Nokia PC Suite 7\bkmrksync\components\BkMrkExt.dll
FF - component: c:\documents and settings\Alberto\Datos de programa\Mozilla\Firefox\Profiles\i1zj7ibr.default\extensions\support@lastpass.com\platform\WINNT_x86-msvc\components\lpxpcom.dll
FF - plugin: c:\archivos de programa\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\archivos de programa\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\archivos de programa\Mozilla Firefox\plugins\npsharedview.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-06 00:46
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys sptd.sys >>UNKNOWN [0x8A6708AC]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xba10cf28
\Driver\ACPI -> ACPI.sys @ 0xb9e7ccb8
\Driver\atapi -> atapi.sys @ 0xb9e11b40
IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
NDIS: Intel® 82566DC Gigabit Network Connection -> SendCompleteHandler -> NDIS.sys @ 0xb9d07bb0
PacketIndicateHandler -> NDIS.sys @ 0xb9d14a21
SendHandler -> NDIS.sys @ 0xb9cf287b
user & kernel MBR OK

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(992)
c:\archivos de programa\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
c:\windows\system32\igfxdev.dll

- - - - - - - > 'explorer.exe'(4800)
c:\windows\system32\WININET.dll
c:\archivos de programa\Gladinet\Gladinet Cloud Desktop\GlOverlayIcon.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\btncopy.dll
c:\archivos de programa\Nokia\Nokia PC Suite 7\PhoneBrowser.dll
c:\archivos de programa\Nokia\Nokia PC Suite 7\NGSCM.DLL
c:\archivos de programa\Nokia\Nokia PC Suite 7\Lang\PhoneBrowser_spa.nlr
c:\archivos de programa\Nokia\Nokia PC Suite 7\Resource\PhoneBrowser_Nokia.ngr
c:\archivos de programa\Microsoft Virtual PC\VPCShExH.DLL
c:\documents and settings\Alberto\Configuración local\Datos de programa\Microsoft\Live Mesh\Bin\WLCShell.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\documents and settings\Alberto\Configuración local\Datos de programa\Microsoft\Live Mesh\GacBase\MoeHostPS.dll
.
------------------------ Other Running Processes ------------------------
.
c:\archivos de programa\WIDCOMM\Bluetooth Software\bin\btwdins.exe
c:\archivos de programa\Archivos comunes\Microsoft Shared\VS7DEBUG\mdm.exe
c:\archivos de programa\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\archivos de programa\SigmaTel\C-Major Audio\WDM\STacSV.exe
c:\archiv~1\AVG\AVG8\avgrsx.exe
c:\windows\System32\PAStiSvc.exe
c:\archivos de programa\UltraVNC\WinVNC.exe
c:\archiv~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
c:\documents and settings\Alberto\Configuración local\Datos de programa\Microsoft\Live Mesh\GacBase\Moe.exe
c:\archivos de programa\PC Connectivity Solution\ServiceLayer.exe
c:\archivos de programa\PC Connectivity Solution\Transports\NclMSBTSrv.exe
c:\archivos de programa\PC Connectivity Solution\Transports\NclUSBSrv.exe
c:\archivos de programa\Archivos comunes\Nokia\MPAPI\MPAPI3s.exe
c:\archivos de programa\PC Connectivity Solution\Transports\NclBCBTSrv.exe
c:\archivos de programa\Windows Live\Contacts\wlcomm.exe
c:\archivos de programa\Live Mesh\Remote Desktop\wlcrdpsystem.exe
c:\archivos de programa\Live Mesh\Remote Desktop\wlcrdpuser.exe
.
**************************************************************************
.
Completion time: 2009-12-06 00:58 - machine was rebooted
ComboFix-quarantined-files.txt 2009-12-06 03:58
ComboFix2.txt 2009-11-26 20:24

Pre-Run: 47 558 131 712 bytes libres
Post-Run: 47 517 544 448 bytes libres

- - End Of File - - 2B8AF2F511A6B54BC76E7EB353CC55DC
==================== END OF COMBOFIX LOG =============================

#12 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • Gender:Male
  • Local time:05:26 AM

Posted 06 December 2009 - 11:24 AM

Hello.

That looks good.

Let's run an online scan. Try Kaspersky...

Run Scan with Kaspersky

Please do a scan with Kaspersky Online Scanner. Please note: Kaspersky requires the Java Runtime Environment (JRE) to be installed before scanning for malware, as ActiveX is no longer being used.

If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

  • Open the Kaspersky WebScanner page.
  • Click on the Posted Image button on the main page.
  • The program will launch and fill in the Information section on the left.
  • Read the "Requirements and Limitations" then press the Posted Image button.
  • The program will begin downloading the latest program and definition files. It may take a while so please be patient and let it finish.
  • Once the files have been downloaded, click on the Posted Image button.
    In the scan settings make sure the following are selected:
    • Detect malicious programs of the following categories:
      Viruses, Worms, Trojan Horses, Rootkits
      Spyware, Adware, Dialers and other potentially dangerous programs
    • Scan compound files (doesn't apply to the File scan area):
      Archives
      Mail databases
      By default the above items should already be checked.
    • Click the Posted Image button, if you made any changes.
  • Now under the Scan section on the left:
    Select My Computer
  • The program will now start and scan your system. This will run for a while, be patient and let it finish.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
You can refer to this animation by sundavis if needed.

If Kaspersky doesn't work run ESET...

Run ESET Online Scan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image icon on your desktop.
  • Check Posted Image
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Check Posted Image
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push Posted Image
  • Push Posted Image, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the Posted Image button.
  • Push Posted Image
You can refer to this animation by neomage if needed.

Take a new DDS run afterward and post back with both the DDS and Attach logs in your next reply. Also, let me know how your computer is running and if you have any more problems, issues or symptoms left.

Thanks.

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#13 Alberto L

Alberto L
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:06:26 AM

Posted 07 December 2009 - 09:16 AM

Hi extremeboy!

Now back at my office, I'm posting the ESET (Kaspersky refused to run) and DDS logs. The ESET log points to a bunch of archives collected over time from the net but not necessarily ever opened. Anyway, they were all deleted by ESET Online Scanner.

Besides that, I don't detect any strange symptom on the PC. I'll check it for a couple of days anyway.

I highly appreciate your help!!!!

How are we going?


Alberto

====================== ESET LOG ==========================
C:\Documents and Settings\Alberto\Mis documentos\Documents\Flash\VNC\k\alogger.exe Win32/Spy.KeyLogger.CA trojan deleted - quarantined
C:\Documents and Settings\Alberto\Mis documentos\Documents\Flash\VNC\k\xpcspyp2.51.exe Win32/Spy.Delf.DU trojan deleted - quarantined
C:\Documents and Settings\Alberto\Mis documentos\Documents\Flash\VNC\k\Yahoo-Message-Archive-Decoder-Setup.exe probably a variant of Win32/Spy.Agent trojan cleaned by deleting - quarantined
C:\Documents and Settings\Alberto\Mis documentos\Downloads\Acemoney Full\acemoney v3 9 + keygen [multilanguaje][por vistitor].rar probably a variant of Win32/Agent trojan deleted - quarantined
C:\Documents and Settings\Alberto\Mis documentos\Downloads\BananaScreen Face Recog Login 1.2.2 (Taringa).rar probably a variant of Win32/Injector.RH trojan deleted - quarantined
C:\Documents and Settings\Alberto\Mis documentos\Downloads\Microsoft_Windows_Universal.zip probably a variant of Win32/Agent trojan deleted - quarantined
C:\Documents and Settings\Alberto\Mis documentos\Downloads\eMule\Acronis.Disk.Director.Suite.v9.0.537.Incl.[k]eymaker-ZWT.zip a variant of Win32/TrojanDropper.Agent.AWK trojan deleted - quarantined
C:\Documents and Settings\Alberto\Mis documentos\Downloads\Face LogOn\Face (Taringa).rar probably a variant of Win32/Injector.RH trojan deleted - quarantined
C:\Documents and Settings\Alberto\Mis documentos\Downloads\Gadgets\Crack Roadsync.zip probably a variant of Win32/Agent trojan deleted - quarantined
C:\Documents and Settings\Alberto\Mis documentos\Downloads\IMate SP5\smartphone_soft.rar probably a variant of Win32/Agent trojan deleted - quarantined
C:\Documents and Settings\Alberto\Mis documentos\Downloads\Nokia\3rd_App_Col.rar multiple threats deleted - quarantined
C:\Documents and Settings\Alberto\Mis documentos\Downloads\Nokia\3rd_App_Col\best crypto s60 3rd .rar probably a variant of Win32/Agent trojan deleted - quarantined
C:\Documents and Settings\Alberto\Mis documentos\Downloads\Nokia\3rd_App_Col\Smartphoneware.Best.CallRecorder.v1.0.S60v3.SymbianOS9.1.incl.Keygen-HSpda.zip probably a variant of Win32/Agent trojan deleted - quarantined
C:\Documents and Settings\Alberto\Mis documentos\Downloads\Nokia\3rd_App_Col\Smartphoneware.Best.Crypto.v1.0.S60v3.SymbianOS9.1.incl.Keygen-HSpda.rar probably a variant of Win32/Agent trojan deleted - quarantined
C:\Documents and Settings\Alberto\Mis documentos\Downloads\Nokia\3rd_App_Col\Smartphoneware.Best.FsClock.v1.0.S60v3.SymbianOS9.1.incl.Keygen-HSpda.rar probably a variant of Win32/Agent trojan deleted - quarantined
C:\Documents and Settings\Alberto\Mis documentos\Downloads\Nokia\3rd_App_Col\Smartphoneware.Best.FsClock.v1.0.S60v3.SymbianOS9.1.incl.Keygen-HSpda.zip probably a variant of Win32/Agent trojan deleted - quarantined
C:\Documents and Settings\Alberto\Mis documentos\Downloads\Nokia\3rd_App_Col\Smartphoneware.Best.TaskMan.v1.0.S60v3.SymbianOS9.1.incl.Keygen-HSpda.rar probably a variant of Win32/Agent trojan deleted - quarantined
C:\Documents and Settings\Alberto\Mis documentos\Downloads\Nokia\__N97\_2_Test\From S60 Fede\Recopilacion 5800 XM Mayo 2009\aplicaciones\Programas\BestReminder.v.1.0.Spanish_MAIKEL8_US.rar probably a variant of Win32/Agent trojan deleted - quarantined
C:\Documents and Settings\Alberto\Mis documentos\Downloads\Nokia\best_call_recorder_s60v3_keygen_included.rar probably a variant of Win32/Agent trojan deleted - quarantined
C:\Documents and Settings\Alberto\Mis documentos\Downloads\Nokia\Flashing\JAF\JAF_Suite_Setup_1.0.0.exe a variant of Win32/Packed.Themida application deleted - quarantined
C:\Documents and Settings\Alberto\Mis documentos\Downloads\Nokia\Flashing\JAF\OGM_JAF_PKEY_Emulator_v 5.exe a variant of Win32/Packed.Themida application cleaned by deleting - quarantined
C:\Documents and Settings\Alberto\Mis documentos\Downloads\Nokia\FS Caller 2.0.rar probably a variant of Win32/Agent trojan deleted - quarantined
C:\Documents and Settings\Alberto\Mis documentos\Downloads\Nokia\fscaller_3.04.rar probably a variant of Win32/Agent trojan deleted - quarantined
C:\Documents and Settings\Alberto\Mis documentos\Downloads\Nokia\JUEGOS NOKIA N80 + 135 GAMES SYMBIAN OS 9.1 3RD EDITION spanish english por NENE.rar probably a variant of Win32/Agent trojan deleted - quarantined
C:\Documents and Settings\Alberto\Mis documentos\Downloads\Nokia\JUEGOS NOKIA N80 + 135 GAMES SYMBIAN OS 9.1 3RD EDITION spanish english por NENE\JUEGOS\Best Kamsutra\keygen.exe probably a variant of Win32/Agent trojan cleaned by deleting - quarantined
C:\Documents and Settings\Alberto\Mis documentos\Downloads\Nokia\Nokia n70 & n90 Pack 2005.zip probably a variant of Win32/Agent trojan deleted - quarantined
C:\Documents and Settings\Alberto\Mis documentos\Downloads\Nokia\S60v3[1].39.Programs.rar probably a variant of Win32/Agent trojan deleted - quarantined
C:\Documents and Settings\Alberto\Mis documentos\Downloads\Nokia\symbian 3rd\best crypto s60 3rd by mantrinilesh.rar probably a variant of Win32/Agent trojan deleted - quarantined
C:\Documents and Settings\Alberto\Mis documentos\Downloads\Nokia\symbian 3rd\best kamsutra full by mantrinilesh.rar probably a variant of Win32/Agent trojan deleted - quarantined
C:\Documents and Settings\Alberto\Mis documentos\Downloads\Nokia\symbian 3rd\best safe by mantrinilesh s60v 3.rar probably a variant of Win32/Agent trojan deleted - quarantined
C:\Documents and Settings\Alberto\Mis documentos\Downloads\Nokia\symbian 3rd\fs caller by mantrinilesh.rar probably a variant of Win32/Agent trojan deleted - quarantined
C:\Documents and Settings\Alberto\Mis documentos\Downloads\Nokia\symbian 3rd\mmcexpress.exe probably unknown NewHeur_PE virus deleted - quarantined
C:\Documents and Settings\Alberto\Mis documentos\Downloads\Nokia\symbian 3rd\Smartphoneware.Best.CallRecorder.v1.0.S60v3by mantrinilesh.rar probably a variant of Win32/Agent trojan deleted - quarantined
C:\Documents and Settings\Alberto\Mis documentos\Downloads\Nokia\WR Nokia N70 & N90 Pack\APPLICATIONS\Symbian\SeleQ v1_65i %2B keygen\SeleQ.1.20.7650.exe probably a variant of Win32/Agent trojan cleaned by deleting - quarantined
C:\Documents and Settings\Alberto\Mis documentos\Downloads\PDF995 Printer Driver v7.4s+Free Converter incl Keymaker by ARL.rar probably a variant of Win32/Agent trojan deleted - quarantined
C:\Documents and Settings\Alberto\Mis documentos\Downloads\simpleftpclientsetup.exe multiple threats deleted - quarantined
C:\Documents and Settings\Alberto\Mis documentos\Downloads\uTorrent\Completed\Todo NoKiA By XeXaRMiLo.rar multiple threats deleted - quarantined
C:\Documents and Settings\Alberto\Mis documentos\Downloads\Virtual PC\Virtual Machines\Win uE SP3 2009 (ISO)\WinXP_Sp3_uE_-_Bj_-_Spanish.part1.rar a variant of Win32/Adware.ADON application deleted - quarantined
C:\Documents and Settings\Alberto\Mis documentos\Downloads\windowsxpantiproductactivationcrackv1.1cw2k.zip probably a variant of Win32/Agent trojan deleted - quarantined
C:\Documents and Settings\Alberto\Mis documentos\Downloads\winzix-1.0-setup-0395.exe Win32/Obfuscated.A1 trojan deleted - quarantined
C:\Documents and Settings\Alberto\Mis documentos\Downloads\Yahoo\+++ Venom Bomber 3.0 Final +++ (HS).zip a variant of Win32/Flooder.IM.VB.A trojan deleted - quarantined
C:\Documents and Settings\Alberto\Mis documentos\Live Mesh\S60\Flashing\JAF\JAF_Suite_Setup_1.0.0.exe a variant of Win32/Packed.Themida application deleted - quarantined
C:\System Volume Information\_restore{54DB7609-AC9B-49BE-B7FA-BEA6A9060D3D}\RP21\A0003766.exe a variant of Win32/Packed.Themida application cleaned by deleting - quarantined
====================== END OF ESET LOG =====================

====================== DDS LOG ==========================

DDS (Ver_09-11-24.02) - NTFSx86
Run by Alberto at 10:54:48.41 on 07/12/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1252.54.3082.18.2022.742 [GMT -3:00]

AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\ARCHIV~1\AVG\AVG8\avgwdsvc.exe
svchost.exe
C:\Archivos de programa\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Archivos de programa\Archivos comunes\Microsoft Shared\VS7DEBUG\mdm.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
c:\Archivos de programa\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Archivos de programa\SigmaTel\C-Major Audio\WDM\STacSV.exe
C:\ARCHIV~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\System32\PAStiSvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Archivos de programa\UltraVNC\WinVNC.exe
C:\Archivos de programa\Live Mesh\Remote Desktop\wlcrasvc.exe
C:\WINDOWS\Explorer.EXE
C:\Archivos de programa\Microsoft IntelliType Pro\itype.exe
C:\ARCHIV~1\AVG\AVG8\avgtray.exe
C:\Archivos de programa\PowerISO\PWRISOVM.EXE
C:\Archivos de programa\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Documents and Settings\Alberto\Mis documentos\Downloads\QuickSoundSwitch.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Archivos de programa\Windows Live\Messenger\msnmsgr.exe
C:\Archivos de programa\Spybot - Search & Destroy\TeaTimer.exe
C:\Documents and Settings\Alberto\Configuración local\Datos de programa\Microsoft\Live Mesh\Bin\Servicing\0.9.4014.7\MoeMonitor.exe
C:\Archivos de programa\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Archivos de programa\Nokia\Nokia PC Suite 7\PCSuite.exe
C:\Archivos de programa\Nokia\Nokia PC Suite 7\PcSync2.exe
C:\Archivos de programa\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Archivos de programa\PC Connectivity Solution\ServiceLayer.exe
C:\ARCHIV~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\Documents and Settings\Alberto\Configuración local\Datos de programa\Microsoft\Live Mesh\GacBase\Moe.exe
C:\Archivos de programa\PC Connectivity Solution\Transports\NclMSBTSrv.exe
C:\Archivos de programa\PC Connectivity Solution\Transports\NclUSBSrv.exe
C:\Archivos de programa\PC Connectivity Solution\Transports\NclBCBTSrv.exe
C:\Archivos de programa\Archivos comunes\Nokia\MPAPI\MPAPI3s.exe
C:\Archivos de programa\Microsoft Office\Office12\ONENOTEM.EXE
C:\Archivos de programa\Windows Live\Contacts\wlcomm.exe
C:\Archivos de programa\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Alberto\Escritorio\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://intranet:8080/default.aspx
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\archivos de programa\avg\avg8\toolbar\IEToolbar.dll
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\archivos de programa\archivos comunes\adobe\acrobat\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\archivos de programa\avg\avg8\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\archiv~1\spybot~1\SDHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Microsoft Web Test Recorder Helper: {62355041-605d-4469-84fd-5d66ed67a7e3} - c:\archivos de programa\microsoft visual studio 8\common7\ide\privateassemblies\Microsoft.VisualStudio.QualityTools.RecorderBarBHO.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\archivos de programa\microsoft office\office12\GrooveShellExtensions.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\archivos de programa\java\jre6\bin\ssv.dll
BHO: {78875F5C-A685-4405-8DC5-D48DC65452B0} - No File
BHO: Windows Live Aplicación auxiliar de inicio de sesión: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\archivos de programa\archivos comunes\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: ShowDHLToolbar Class: {905bedef-14b4-4b49-a97a-875326a61911} - c:\archivos de programa\dhl\dhltoolbar\DHL Worldwide Airwaybill Tracking Toolbar.dll
BHO: FoxmarksDLLBHO Class: {a2a71aba-3939-43b2-bd8f-8c1767ef9020} - c:\archivos de programa\xmarks\ie extension\foxmarksdll.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\archivos de programa\google\googletoolbar1.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\archivos de programa\google\googletoolbarnotifier\5.4.4525.1752\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\archivos de programa\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\archivos de programa\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\archivos de programa\google\googletoolbar1.dll
TB: DHL Toolbar: {82cc2983-ca87-4d46-b33b-d285bd667a56} - c:\archivos de programa\dhl\dhltoolbar\DHL Worldwide Airwaybill Tracking Toolbar.dll
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
TB: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File
TB: {61D1C847-DF80-423A-8C6D-DC03B97E6EBE} - No File
EB: &Referencia: {ff059e31-cc5a-4e2e-bf3b-96e929d65503} - c:\archiv~1\micros~3\office12\REFIEBAR.DLL
uRun: [swg] "c:\archivos de programa\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [QuickSoundSwitch] "c:\documents and settings\alberto\mis documentos\downloads\QuickSoundSwitch.exe"
uRun: [MsnMsgr] "c:\archivos de programa\windows live\messenger\msnmsgr.exe" /background
uRun: [SpybotSD TeaTimer] c:\archivos de programa\spybot - search & destroy\TeaTimer.exe
uRun: [MoeMonitor.exe] "c:\documents and settings\alberto\configuración local\datos de programa\microsoft\live mesh\bin\servicing\0.9.4014.7\MoeMonitor.exe"
uRun: [SUPERAntiSpyware] c:\archivos de programa\superantispyware\SUPERAntiSpyware.exe
uRun: [PC Suite Tray] "c:\archivos de programa\nokia\nokia pc suite 7\PCSuite.exe" -onlytray
uRun: [Nokia.PCSync] "c:\archivos de programa\nokia\nokia pc suite 7\PcSync2.exe" /NoDialog
mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [itype] "c:\archivos de programa\microsoft intellitype pro\itype.exe"
mRun: [Google Desktop Search] "c:\archivos de programa\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [AVG8_TRAY] c:\archiv~1\avg\avg8\avgtray.exe
mRun: [Adobe Reader Speed Launcher] "c:\archivos de programa\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\archivos de programa\archivos comunes\adobe\arm\1.0\AdobeARM.exe"
mRun: [PWRISOVM.EXE] c:\archivos de programa\poweriso\PWRISOVM.EXE
StartupFolder: c:\docume~1\alberto\menini~1\progra~1\inicio\micros~1.lnk - c:\windows\installer\{91120000-002e-0000-0000-0000000ff1ce}\outicon.exe
StartupFolder: c:\docume~1\alberto\menini~1\progra~1\inicio\recort~1.lnk - c:\archivos de programa\microsoft office\office12\ONENOTEM.EXE
StartupFolder: c:\docume~1\alluse~1\menini~1\progra~1\inicio\blueto~1.lnk - c:\archivos de programa\widcomm\bluetooth software\BTTray.exe
StartupFolder: c:\documents and settings\all users\menú inicio\programas\inicio\Gladinet Cloud Desktop.lnk.disabled
StartupFolder: c:\docume~1\alluse~1\menini~1\progra~1\inicio\micros~1.lnk - c:\archivos de programa\microsoft office\office\OSA9.EXE
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xportar a Microsoft Excel - c:\archiv~1\micros~3\office12\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\archivos de programa\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\archivos de programa\widcomm\bluetooth software\btsendto_ie.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\archivos de programa\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\archiv~1\micros~3\office12\ONBttnIE.dll
IE: {82CC2983-CA87-4D46-B33B-D285BD667A56} - {82CC2983-CA87-4D46-B33B-D285BD667A56} - c:\archivos de programa\dhl\dhltoolbar\DHL Worldwide Airwaybill Tracking Toolbar.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\archiv~1\micros~3\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\archiv~1\spybot~1\SDHelper.dll
Trusted Zone: 23m008
DPF: {00000045-9980-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/sg726acm.cab
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/4/9/e494c802-dd90-4c6b-a074-469358f075a6/OGAControl.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {22611F8E-2FC5-4440-B261-C52A420B8D2A} - hxxp://xpw150/VortexIPFrontEnd/VortexIP-ActiveXLive.CAB
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab}
DPF: {33636E16-9C2B-41DE-9D32-C185A975D95B} - hxxp://craig.dyndns.ws:35990/DVRViewer/DVRViewer.cab
DPF: {474F00F5-3853-492C-AC3A-476512BBC336} - hxxp://picasaweb.google.com/s/v/32.67/uploader2.cab
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx1.mail.live.com/mail/w1/resources/MSNPUpld.cab
DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - hxxp://www.bitdefender.es/scan_es/scan8/oscan8.cab
DPF: {66D393D5-4D80-497C-9F4F-F3839E090202} - hxxp://www.pysoft.com/Downloads/WebCamPlayerOCX.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1176398613194
DPF: {7A408D93-67FD-43FC-8DD4-D46701A7A07D} - hxxp://192.168.0.32/nvEPLMedia.dll
DPF: {7B133798-FAA8-4A7E-950D-BEB35D3363AF} - hxxp://craig.dyndns.ws:36000/img/LinksysViewer.cab
DPF: {86F01A24-1CE1-47A9-ABCC-9BDCFCDEBE4D} - hxxp://xpw150/VortexIPFrontEnd/VortexIP-ActiveXPlayer.CAB
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://sdlc-esd.sun.com/ESD5/JSCDL/jre/6u11-b90/jinstall-6u11-windows-i586-jc.cab?AuthParam=1231874205_0f3a7cc1c4db77bd0cbad4052ff87e35&GroupName=JSC&FilePath=/ESD5/JSCDL/jre/6u11-b90/jinstall-6u11-windows-i586-jc.cab&File=jinstall-6u11-windows-i586-jc.cab&BHost=javadl.sun.com
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {A3E21079-7F41-4125-9EBB-FD44CFCC0AC1} - hxxps://www.mesh.com/0.9.3424.31/TSWeb.cab
DPF: {A6F36F3F-3AE0-458B-AFC4-AA82565E0BF8} - hxxp://www.ipstreamingservice.com/download/TCP_2.0/nvUnifiedControl.Dll
DPF: {B0C77EBC-5250-4913-A245-BFA796A36C72} - hxxp://toolbar.dhl.com/setup_ext_v1.cab
DPF: {B91012E3-3DC4-442B-B5C7-35BF3857D215} - hxxp://192.168.0.133/nvEncoderMedia.dll
DPF: {BC165EA0-F79E-4F12-8493-80679EB5BEC2} - hxxp://ishwood.selfip.com:8080/applet/XCast.cab
DPF: {BE30D547-EE96-4D6B-B9A3-57777E9F0A9C} - hxxp://127.0.0.1/tcpaswtu/activex/common/bin/go1984Viewer.ocx
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {D37BB1D6-A878-4721-9A64-77E6C9D44865} - hxxps://wsec02.bancogalicia.com.ar/scripts/components/cryptoclient/GalCryptoComponents1019.cab
DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} - hxxp://upload.mediamax.com/Upload/XUpload.ocx
DPF: {FA91DF8D-53AB-455D-AB20-F2F023E498D3} - hxxp://23m008/ReportServer/Reserved.ReportViewerWebControl.axd?ExecutionID=joqxqp45qcpm5x55bxnbql45&ControlID=69b8f4e5-be34-4eae-9204-be5363ae7610&Culture=11274&UICulture=10&ReportStack=1&OpType=PrintCab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\archivos de programa\microsoft office\office12\GrooveSystemServices.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\archivos de programa\avg\avg8\avgpp.dll
Notify: !SASWinLogon - c:\archivos de programa\superantispyware\SASWINLO.DLL
Notify: avgrsstarter - avgrsstx.dll
Notify: igfxcui - igfxdev.dll
Notify: wlcrdplauncher - c:\archivos de programa\live mesh\remote desktop\wlcrdplauncher.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\archivos de programa\microsoft office\office12\GrooveShellExtensions.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\archivos de programa\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\alberto\datosd~1\mozilla\firefox\profiles\i1zj7ibr.default\
FF - prefs.js: browser.search.selectedEngine - Google Argentina
FF - prefs.js: browser.startup.homepage - hxxp://intranet:8080/default.aspx|http://www.google.com.ar/ig?hl=es&source=iglk
FF - component: c:\archivos de programa\nokia\nokia pc suite 7\bkmrksync\components\BkMrkExt.dll
FF - component: c:\documents and settings\alberto\datos de programa\mozilla\firefox\profiles\i1zj7ibr.default\extensions\support@lastpass.com\platform\winnt_x86-msvc\components\lpxpcom.dll
FF - plugin: c:\archivos de programa\google\picasa3\npPicasa3.dll
FF - plugin: c:\archivos de programa\microsoft\office live\npOLW.dll
FF - plugin: c:\archivos de programa\mozilla firefox\plugins\npsharedview.dll

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-6-27 335240]
R1 SASDIFSV;SASDIFSV;c:\archivos de programa\superantispyware\sasdifsv.sys [2009-3-23 9968]
R1 SASKUTIL;SASKUTIL;c:\archivos de programa\superantispyware\SASKUTIL.SYS [2009-3-23 74480]
R2 altio;altio;c:\windows\system32\altio.sys [2008-1-16 3200]
R2 avg8wd;AVG8 WatchDog;c:\archiv~1\avg\avg8\avgwdsvc.exe [2009-2-3 297752]
R2 vnccom;vnccom;c:\windows\system32\drivers\vnccom.SYS [2007-4-30 6016]
R2 wlcrasvc;Live Mesh Remote Desktop;c:\archivos de programa\live mesh\remote desktop\wlcrasvc.exe [2009-4-3 44880]
R3 PAC207;VideoCAM GE111;c:\windows\system32\drivers\PFC027.sys [2005-4-8 162176]
R3 RDPDISPM;RDPDISPM;c:\windows\system32\drivers\rdpdispm.sys [2009-4-3 9024]
R3 RDPVDD;RDPVDD;c:\windows\system32\drivers\rdpvmp.sys [2009-4-3 19392]
R3 SASENUM;SASENUM;c:\archivos de programa\superantispyware\SASENUM.SYS [2009-3-23 7408]
S3 DCMService;DivX Content Management Service;c:\archivos de programa\divx\divx connected\bin\divx connected\DivXConnectedService.exe [2008-1-29 49152]
S3 nmwcdnsu;Nokia USB Flashing Phone Parent;c:\windows\system32\drivers\nmwcdnsu.sys [2009-8-18 136704]
S3 nmwcdnsuc;Nokia USB Flashing Generic;c:\windows\system32\drivers\nmwcdnsuc.sys [2009-8-18 8320]
S3 tap08168;Gladinet Virtual Adapter;c:\windows\system32\drivers\tap08168.sys [2009-3-12 30544]
S3 VSPerfDrv;Performance Tools Driver;c:\archivos de programa\microsoft visual studio 8\team tools\performance tools\VSPerfDrv.sys [2006-12-2 48128]
S4 AxSVCControladorAccesoRemoto;Axoft - Controlador de Acceso Remoto;c:\archivos de programa\tango gestion\cliente\exe\AxServicioControladorAccesoRemoto.Exe [2007-4-12 1603584]
S4 AxSVCPlanificador;Axoft - Servicio de Ejecución Planificada;c:\archivos de programa\tango gestion\cliente\exe\AxServicioPlanificador.Exe [2007-4-12 2108416]
S4 GoogleDesktopManager-061008-081103;Administrador de Google Desktop 5.7.806.10245;c:\archivos de programa\google\google desktop search\GoogleDesktop.exe [2007-5-24 29744]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\archivos de programa\microsoft visual studio 8\common7\ide\remote debugger\x86\msvsmon.exe [2006-12-2 2805000]

=============== Created Last 30 ================

2009-12-06 19:18:29 0 d-----w- c:\archivos de programa\ESET
2009-12-06 04:20:46 696832 ----a-w- c:\windows\isRS-000.tmp
2009-11-26 19:53:55 0 d-sha-r- C:\cmdcons
2009-11-26 19:53:03 98816 ----a-w- c:\windows\sed.exe
2009-11-26 19:53:03 77312 ----a-w- c:\windows\MBR.exe
2009-11-26 19:53:03 260608 ----a-w- c:\windows\PEV.exe
2009-11-26 19:53:03 161792 ----a-w- c:\windows\SWREG.exe
2009-11-26 19:26:04 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-26 19:26:03 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-26 19:26:03 0 d-----w- c:\archivos de programa\Malwarebytes' Anti-Malware
2009-11-16 19:03:52 0 d-----w- c:\archivos de programa\TreePadLite4
2009-11-16 18:59:31 0 d-----w- c:\archivos de programa\Swift To-Do List

==================== Find3M ====================

2009-11-23 17:02:58 304160 ----a-w- C:\StiImg.dat
2009-10-08 20:34:12 558592 ----a-w- c:\windows\system32\perfh00A.dat
2009-10-08 20:34:12 110864 ----a-w- c:\windows\system32\perfc00A.dat
2009-03-12 15:56:32 374197 ----a-w- c:\archivos de programa\wmvmuxer-final-1.0.zip
2006-05-03 10:06:54 163328 --sh--r- c:\windows\system32\flvDX.dll
2007-02-21 11:47:16 31232 --sh--r- c:\windows\system32\msfDX.dll
2008-03-16 13:30:52 216064 --sh--r- c:\windows\system32\nbDX.dll
2009-01-19 14:27:11 32768 --sha-w- c:\windows\system32\config\systemprofile\configuración local\historial\history.ie5\mshist012009011920090120\index.dat

============= FINISH: 10:55:46.30 ===============
====================== END OF DDS LOG =====================


#14 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  • Gender:Male
  • Local time:05:26 AM

Posted 07 December 2009 - 04:04 PM

Hello.

From the ESET log I see a few keygen-related files. Did you download those?

--

Peer-to-Peer Programs Warning

Your log shows that you are using so-called peer-to-peer or file-sharing programs (in your case uTorrent). These programs allow users to share files, as the name suggests. In today's world cyber crime has come to an enormous dimension and any means is used to infect personal computers to make use of their stored data or machine power for further propagation of the malware files. A popular means is the use of file-sharing tools, as a tremendous amount of prospective victims can be reached through it.

It is therefore possible to be infected by downloading manipulated files via peer-to-peer tools, and they should thus be used with intense care. Some further readings on this subject, along the included links, are as follows: File-Sharing, otherwise known as Peer To Peer and Risks of File-Sharing Technology.

It is also important to note that sharing entertainment files and proprietary software infringes the copyright laws in many countries over the world and you are putting yourself at risk of being indicted through organizations watching over the rights of the authors of such files (i.e. the RIAA for music files, or the MPAA for movie files in the USA) or the authors of the files themselves.

Naturally there are also legal ways to use these services, such as downloading Linux distributions or office suites such as "Open Office."

It is your decision whether or not you wish to keep your program(s) but I suggest you remove it via add/remove. However, please refrain from using them until your computer has been declared clean.

I highly recommend you uninstall uTorrent.

Update Java to Version 6 Update 17

Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Look for Java Runtime Environment (JRE) JRE 6 Update 17.
  • Click the Download button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Under Required Files, check the box for Windows Offline Installation, click the link below it and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u17-windows-i586-p.exe to install the newest version.
-- If using Windows Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
-- If you choose to update via the Java applet in Control Panel, uncheck the option to install the Toolbar unless you want it.
-- The uninstaller incorporated in this release removes previous Updates 10 and above, but does not remove older versions, so those still need to be removed manually.


With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

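The Java clean-up above relies on reading Add/Remove Programs by eye, and the note that the 6u17 installer only removes Update 10 and later means leftover runtimes are easy to miss. The following is an added example, not part of the thread or of Extremeboy's instructions: it reads the same Uninstall registry keys that Add/Remove Programs displays, lists every Java runtime entry, and flags those older than the target release. It assumes PowerShell 2.0 or later, that Sun JRE entries have a DisplayName beginning with "Java(TM)", "Java 2 Runtime", "J2SE", "Java SE" or "Java <digit>", and that their DisplayVersion uses the "6.0.170" form (major.minor.update*10) used by JRE 6 Update 17; the patterns and the target version are assumptions to adjust if your entries differ.

```powershell
# Added example (not from the original post): enumerate installed Java runtimes
# from the Add/Remove Programs (Uninstall) registry keys and flag anything older
# than the target release. Assumes PowerShell 2.0+ and the naming/version
# conventions described in the lead-in.

function Get-JavaRuntimeStatus {
    param(
        # Assumption: JRE 6 Update 17 registers DisplayVersion "6.0.170".
        [version]$TargetVersion = [version]'6.0.170'
    )

    # Both native and (on 64-bit Windows) WOW6432Node views of Add/Remove Programs.
    $uninstallKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
    )

    # Assumed DisplayName prefixes used by Sun JRE/JDK installers of this era.
    $namePattern = '^(Java\(TM\)|Java 2 Runtime|J2SE|Java SE|Java \d)'

    foreach ($key in $uninstallKeys) {
        if (-not (Test-Path $key)) { continue }

        foreach ($subKey in Get-ChildItem $key) {
            $p = Get-ItemProperty $subKey.PSPath
            if (-not ($p.DisplayName -match $namePattern)) { continue }

            # "-as [version]" yields $null for formats like "1.4.2_19" instead of throwing,
            # so very old runtimes are still listed, just marked for manual inspection.
            $parsed = $p.DisplayVersion -as [version]

            if ($null -eq $parsed) {
                $status = 'UNKNOWN version format - check manually'
            } elseif ($parsed -lt $TargetVersion) {
                $status = 'OLDER than target - remove'
            } else {
                $status = 'OK'
            }

            New-Object PSObject -Property @{
                Name            = $p.DisplayName
                Version         = $p.DisplayVersion
                Status          = $status
                # Kept so the admin can run the exact uninstall command Add/Remove would.
                UninstallString = $p.UninstallString
                RegistryKey     = $subKey.PSChildName
            }
        }
    }
}

$entries = @(Get-JavaRuntimeStatus)

if ($entries.Count -eq 0) {
    Write-Host 'No Java runtime entries found in Add/Remove Programs.'
} else {
    foreach ($e in $entries) {
        Write-Host ('{0,-45} {1,-10} {2}' -f $e.Name, $e.Version, $e.Status)
    }
    Write-Host ''
    Write-Host 'Uninstall commands for entries flagged as older than target:'
    foreach ($e in $entries) {
        if ($e.Status -like 'OLDER*') { Write-Host ('  ' + $e.UninstallString) }
    }
}
```

Run it once before starting the removal steps to see what is actually installed, and again after the reboot that follows the 6u17 install: any line still reading "OLDER than target" (typically a J2SE 1.4.x or 5.0 runtime, which the new installer does not touch) is one to remove manually through Add/Remove Programs or with the printed uninstall command.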

#15 Alberto L

Alberto L
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:06:26 AM

Posted 09 December 2009 - 10:50 AM

Hi extremeboy,

Thanks for your help.

From the ESET log I see a few keygen-related files. Did you download those?


Not to my knowledge, but I may have downloaded some RAR or ZIP packs with several files inside, or they may have come from the former user of this PC. I don't really know. Anyway, they were deleted by the ESET scanner.


I highly recommend you uninstall uTorrent.


Next thing to do after replying to this.


Update Java to Version 6 Update 17


Next thing to do after uninstalling uTorrent.

Thanks a lot for your help.

Alberto



