
Infected with Tifaut.C


  • This topic is locked
16 replies to this topic

#1 Mint Condish

Mint Condish

  • Members
  • 9 posts
  • OFFLINE
  • Gender:Male
  • Local time:07:56 PM

Posted 23 January 2011 - 11:57 PM

Hey Golden Gods,

A week ago, after restarting my PC, I noticed StartupMonitor had gone bonkers: it told me several programs had decided to run at startup, and when I tried to stop them, StartupMonitor simply asked me the same again and again. I had to stop SM, and after running a deep scan with NOD32, two files were detected on C:WINDOWS/system32 ("autorun.i" and "autorun.in") as infected with what the antivirus called the "Win32/Tifaut.C" worm. NOD32 says it deleted the files, but after a new reboot the problem persisted, and subsequent scans have come up with nothing.

To be more precise, the "problem" I mention consists basically in a series of registry changes each time the computer is turned on. The most noticeable (for a layman like me, at least) are the autostarts of uTorrent, YouSendIt Express and Xmarks for Internet Explorer, although I believe I have taken care of the last one by removing that program altogether, which I should have done long ago anyway since I don't use IE. Speaking of, Lavasoft Ad-Watch shows me that the worm sure loves to change IE's home page, default search URL and shenanigans by the like.

I also want to mention something that may turn out to be irrelevant, but since there's a chance it might play a role in solving this friggin' sitch, here it is: apparently, I don't have administrator privileges. I don't understand how this can be, considering there are no other accounts in this computer - just "Administrator", without password. I no longer have the WindowsXP installation disc that was used on this machine, but now I suspect it may not have been truly kosher or the installation itself was faulty.

A MILLION THANKS in advance for any help you can send my way.

-Mint Condish


DDS (Ver_10-12-12.02) - NTFSx86
Run by Administrador at 0:09:55,64 on 24/01/2011
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_23
Microsoft Windows XP Professional 5.1.2600.2.1252.34.3082.18.991.465 [GMT -3:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Archivos de programa\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Archivos de programa\Ask & Record Toolbar\FLVSrvc.exe
C:\Archivos de programa\Archivos comunes\Java\Java Update\jusched.exe
C:\Archivos de programa\TaskSwitchXP\TaskSwitchXP.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Archivos de programa\Eset\nod32kui.exe
C:\Archivos de programa\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe
C:\Archivos de programa\uTorrent\uTorrent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Archivos de programa\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
C:\Archivos de programa\Java\jre6\bin\jqs.exe
C:\Archivos de programa\Archivos comunes\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Archivos de programa\Eset\nod32krn.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Archivos de programa\Viewpoint\Common\ViewpointService.exe
C:\Archivos de programa\Lavasoft\Ad-Aware\AAWTray.exe
C:\Archivos de programa\Mozilla Firefox\firefox.exe
C:\Archivos de programa\Mozilla Firefox\plugin-container.exe
C:\Documents and Settings\Administrador\Escritorio\dds.scr

============== Pseudo HJT Report ===============

mWinlogon: UIHost=XPize_Logon.exe
BHO: Octh Class: {000123b4-9b42-4900-b3f7-f4b073efc214} - c:\archivos de programa\orbitdownloader\orbitcth.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\archivos de programa\archivos comunes\adobe\acrobat\activex\AcroIEHelper.dll
BHO: ClickCatcher MSIE handler: {16664845-0e00-11d2-8059-000000000000} - c:\archivos de programa\archivos comunes\reget shared\Catcher.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\archivos de programa\archivos comunes\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: FoxmarksDLLBHO Class: {a2a71aba-3939-43b2-bd8f-8c1767ef9020} - c:\archivos de programa\xmarks\ie extension\foxmarksdll.dll
BHO: CoolIrisIEHelperObject.CoolIrisIEBHO: {ad0bab4b-212d-45d7-9e5b-cb1579132715} - c:\archivos de programa\cooliris\CoolIrisIEHelperObject.dll
BHO: Ask and Record Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\archivos de programa\ask.com\GenericAskToolbar.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\archivos de programa\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\archivos de programa\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: ReGet Bar: {17939a30-18e2-471e-9d3a-56dd725f1215} - c:\archivos de programa\regetdx\iebar.dll
TB: Ask and Record Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\archivos de programa\ask.com\GenericAskToolbar.dll
TB: Grab Pro: {c55bbcd6-41ad-48ad-9953-3609c48eacc7} - c:\archivos de programa\orbitdownloader\GrabPro.dll
uRun: [TaskSwitchXP] c:\archivos de programa\taskswitchxp\TaskSwitchXP.exe
uRun: [Sound Effect] c:\windows\SOUNDMAN.EXE
uRun: [NOD32kui] c:\archivos de programa\eset\nod32kui.exe /WAITSERVICE
uRun: [AWMON] "c:\archivos de programa\lavasoft\ad-aware se professional\Ad-Watch.exe"
uRun: [Aim6]
uRun: [ares] "c:\archivos de programa\ares\Ares.exe" -h
uRun: [Xmarks] c:\archivos de programa\xmarks\ie extension\xmarkssync.exe -q
uRun: [YouSendIt.exe] c:\archivos de programa\yousendit\express\YouSendIt.exe -ui none
uRun: [uTorrent] "c:\archivos de programa\utorrent\uTorrent.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [Ink Monitor] c:\archivos de programa\epson\ink monitor\InkMonitor.exe
mRun: [Ask and Record FLV Service] "c:\archivos de programa\ask & record toolbar\FLVSrvc.exe" /run
mRun: [SunJavaUpdateSched] "c:\archivos de programa\archivos comunes\java\java update\jusched.exe"
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [Run StartupMonitor] StartupMonitor.exe
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dPolicies-explorer: NoSMHelp = 1 (0x1)
dPolicies-explorer: NoSMConfigurePrograms = 1 (0x1)
dPolicies-explorer: NoSMMyPictures = 1 (0x1)
dPolicies-explorer: NoResolveTrack = 1 (0x1)
IE: &Download by Orbit - c:\archivos de programa\orbitdownloader\orbitmxt.dll/201
IE: &Grab video by Orbit - c:\archivos de programa\orbitdownloader\orbitmxt.dll/204
IE: Do&wnload by ReGet Deluxe - c:\archivos de programa\archivos comunes\reget shared\CC_Link.htm
IE: Do&wnload selected by Orbit - c:\archivos de programa\orbitdownloader\orbitmxt.dll/203
IE: Down&load all by Orbit - c:\archivos de programa\orbitdownloader\orbitmxt.dll/202
IE: Download A&ll by ReGet Deluxe - c:\archivos de programa\archivos comunes\reget shared\CC_All.htm
IE: E&xportar a Microsoft Excel - c:\archiv~1\micros~1\office11\EXCEL.EXE/3000
IE: {449DB14A-F988-4fd8-9361-F212D7B6414B} - c:\archivos de programa\cooliris\CoolIrisPreferences.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\archiv~1\micros~1\office11\REFIEBAR.DLL
LSP: c:\windows\system32\imon.dll
DPF: {001000AF-2DEF-0206-10B6-DC5BA692C858} - hxxp://gate.x10.com/control/xvidnx.cab
DPF: {3334504D-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/0/C/8/0C8EDFAB-30BC-4792-898E-2DABE27B2C4D/mp43dmo.CAB
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1188515240890
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
Notify: !SASWinLogon - c:\archivos de programa\superantispyware\SASWINLO.DLL
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\archivos de programa\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\admini~1\datosd~1\mozilla\firefox\profiles\afps0tyu.default user\
FF - prefs.js: browser.search.selectedEngine - Wikipedia (en)
FF - prefs.js: browser.startup.homepage - about:blank
FF - plugin: c:\archivos de programa\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\archivos de programa\viewpoint\viewpoint media player\npViewpoint.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\archivos de programa\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA} - c:\archivos de programa\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - c:\archivos de programa\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - c:\archivos de programa\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - c:\archivos de programa\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - c:\archivos de programa\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\archivos de programa\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\archivos de programa\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\archivos de programa\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\archivos de programa\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\archivos de programa\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
FF - Ext: Xmarks: foxmarks@kei.com - %profile%\extensions\foxmarks@kei.com
FF - Ext: LiveClick: {d166ee2a-36bb-4f33-aff7-e85f912df509} - %profile%\extensions\{d166ee2a-36bb-4f33-aff7-e85f912df509}
FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
FF - Ext: Ask and Record Toolbar: toolbar@ask.com - %profile%\extensions\toolbar@ask.com
FF - Ext: Java Quick Starter: jqs@sun.com - c:\archivos de programa\java\jre6\lib\deploy\jqs\ff

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-8-22 64160]
R1 SASDIFSV;SASDIFSV;c:\archivos de programa\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\archivos de programa\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
R2 DVDAccss;DVDAccss;c:\windows\system32\drivers\DVDAccss.sys [2009-9-16 29156]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\archivos de programa\lavasoft\ad-aware\AAWService.exe [2009-7-3 1029456]
R2 NOD32krn;NOD32 Kernel Service;c:\archivos de programa\eset\nod32krn.exe [2007-8-8 507904]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\archivos de programa\viewpoint\common\ViewpointService.exe [2009-8-2 24652]
S3 EverestDriver;Lavalys EVEREST Kernel Driver;\??\c:\archivos de programa\lavalys\everest ultimate edition\kerneld.wnt --> c:\archivos de programa\lavalys\everest ultimate edition\kerneld.wnt [?]
S3 UfasoftSnifDriver4;Ufasoft Snif Driver v4;c:\archivos de programa\ufasoft\sniffer\usft_sn4.sys [2008-1-9 23200]

=============== Created Last 30 ================

2011-01-24 02:51:14 -------- d-----w- c:\docume~1\admini~1\config~1\datosd~1\Safe mirror
2011-01-24 02:50:58 -------- d-----w- c:\archivos de programa\Cobian Backup 10
2011-01-21 00:23:28 -------- d-----w- c:\docume~1\alluse~1\datosd~1\SUPERAntiSpyware.com
2011-01-21 00:23:28 -------- d-----w- c:\docume~1\admini~1\datosd~1\SUPERAntiSpyware.com
2011-01-21 00:23:20 -------- d-----w- c:\archivos de programa\SUPERAntiSpyware
2011-01-20 22:06:00 -------- d-----w- c:\windows\system32\xircom
2011-01-20 22:06:00 -------- d-----w- c:\windows\system32\wbem\snmp
2011-01-20 22:06:00 -------- d-----w- c:\windows\system32\restore
2011-01-20 22:06:00 -------- d-----w- c:\windows\system32\oobe
2011-01-20 22:06:00 -------- d-----w- c:\windows\srchasst
2011-01-20 22:06:00 -------- d-----w- c:\windows\msagent
2011-01-20 22:06:00 -------- d-----w- c:\archivos de programa\msn gaming zone
2011-01-20 22:06:00 -------- d-----w- c:\archivos de programa\archivos comunes\speechengines
2011-01-20 21:59:51 -------- d-sha-r- C:\cmdcons
2011-01-20 21:57:54 89088 ----a-w- c:\windows\MBR.exe
2011-01-20 21:57:53 256512 ----a-w- c:\windows\PEV.exe
2011-01-20 21:57:52 98816 ----a-w- c:\windows\sed.exe
2011-01-20 21:57:52 161792 ----a-w- c:\windows\SWREG.exe

==================== Find3M ====================

2010-11-12 21:53:06 472808 ----a-w- c:\windows\system32\deployJava1.dll
2010-11-12 19:34:10 73728 ----a-w- c:\windows\system32\javacpl.cpl
2004-10-01 19:00:16 40960 ----a-w- c:\archivos de programa\Uninstall_CDS.exe

============= FINISH: 0:10:15,26 ===============

I just realized I removed Xmarks for IE AFTER creating the logs pasted and attached - I apologize.

EDIT: Posts merged ~BP

Attached Files


Edited by Budapest, 24 January 2011 - 12:14 AM.




#2 Casey_boy

Casey_boy

    Bleeping physicist


  • Malware Response Team
  • 7,765 posts
  • OFFLINE
  • Gender:Male
  • Location:UK
  • Local time:10:56 PM

Posted 30 January 2011 - 11:10 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

Please take note:

  • If you have since resolved the original problem you were having, we would appreciate you letting us know.
  • If you are unable to create a log because your computer cannot start up successfully please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • If you are unable to perform the steps we have recommended please try one more time and if unsuccessful alert us of such and we will design an alternate means of obtaining the necessary information.
  • If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • Upon completing the steps below another staff member will review your topic and do their best to resolve your issues.
  • If you have already posted a DDS log, please do so again, as your situation may have changed.
  • Use the 'Add Reply' and add the new log to this thread.

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from one of the following links if you no longer have it available. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


We also need a new log from the GMER anti-rootkit Scanner.

Please note that if you are running a 64-bit version of Windows you will not be able to run GMER and you may skip this step.

Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice

Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


Thanks and again sorry for the delay.

Casey

If I have been helping you and I do not reply within 48hours, feel free to send me a PM.




#3 Mint Condish

Mint Condish
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Gender:Male
  • Local time:07:56 PM

Posted 30 January 2011 - 07:35 PM

Thanks a million for your reply, Casey. The delay is OK - I figured it would take about 5-7 days to get a response.

Following your instructions, I can tell you that:

- The problem I described persists.
- My OS is Windows XP Professional Version 2002 Service Pack 2. I assume it's 32-bit, because I had no problem running GMER.
- I do NOT have the original Windows disc available.
- I believe I described the problem as best I could on my initial post... I suppose there's always more information I can provide depending on what you tell me to do.

I disconnected from the Internet and disabled all antivirus protection before running DDS and GMER again. CD Emulation was also disabled. Once again, many thanks in advance for your help.


DDS (Ver_10-12-12.02) - NTFSx86
Run by Administrador at 20:23:41,06 on 30/01/2011
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_23
Microsoft Windows XP Professional 5.1.2600.2.1252.34.3082.18.991.687 [GMT -3:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Archivos de programa\Ask & Record Toolbar\FLVSrvc.exe
C:\Archivos de programa\Archivos comunes\Java\Java Update\jusched.exe
C:\Archivos de programa\TaskSwitchXP\TaskSwitchXP.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Archivos de programa\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
C:\Archivos de programa\Java\jre6\bin\jqs.exe
C:\Archivos de programa\Archivos comunes\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Archivos de programa\Eset\nod32krn.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Archivos de programa\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Administrador\Escritorio\dds.scr

============== Pseudo HJT Report ===============

mWinlogon: UIHost=XPize_Logon.exe
BHO: Octh Class: {000123b4-9b42-4900-b3f7-f4b073efc214} - c:\archivos de programa\orbitdownloader\orbitcth.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\archivos de programa\archivos comunes\adobe\acrobat\activex\AcroIEHelper.dll
BHO: ClickCatcher MSIE handler: {16664845-0e00-11d2-8059-000000000000} - c:\archivos de programa\archivos comunes\reget shared\Catcher.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\archivos de programa\archivos comunes\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: CoolIrisIEHelperObject.CoolIrisIEBHO: {ad0bab4b-212d-45d7-9e5b-cb1579132715} - c:\archivos de programa\cooliris\CoolIrisIEHelperObject.dll
BHO: Ask and Record Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\archivos de programa\ask.com\GenericAskToolbar.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\archivos de programa\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\archivos de programa\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: ReGet Bar: {17939a30-18e2-471e-9d3a-56dd725f1215} - c:\archivos de programa\regetdx\iebar.dll
TB: Ask and Record Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\archivos de programa\ask.com\GenericAskToolbar.dll
TB: Grab Pro: {c55bbcd6-41ad-48ad-9953-3609c48eacc7} - c:\archivos de programa\orbitdownloader\GrabPro.dll
uRun: [TaskSwitchXP] c:\archivos de programa\taskswitchxp\TaskSwitchXP.exe
uRun: [Sound Effect] c:\windows\SOUNDMAN.EXE
uRun: [NOD32kui] c:\archivos de programa\eset\nod32kui.exe /WAITSERVICE
uRun: [AWMON] "c:\archivos de programa\lavasoft\ad-aware se professional\Ad-Watch.exe"
uRun: [Aim6]
uRun: [ares] "c:\archivos de programa\ares\Ares.exe" -h
uRun: [YouSendIt.exe] c:\archivos de programa\yousendit\express\YouSendIt.exe -ui none
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Xmarks] c:\archivos de programa\xmarks\ie extension\xmarkssync.exe -q
uRun: [uTorrent] "c:\archivos de programa\utorrent\uTorrent.exe"
mRun: [Ink Monitor] c:\archivos de programa\epson\ink monitor\InkMonitor.exe
mRun: [Ask and Record FLV Service] "c:\archivos de programa\ask & record toolbar\FLVSrvc.exe" /run
mRun: [SunJavaUpdateSched] "c:\archivos de programa\archivos comunes\java\java update\jusched.exe"
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [Run StartupMonitor] StartupMonitor.exe
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dPolicies-explorer: NoSMHelp = 1 (0x1)
dPolicies-explorer: NoSMConfigurePrograms = 1 (0x1)
dPolicies-explorer: NoSMMyPictures = 1 (0x1)
dPolicies-explorer: NoResolveTrack = 1 (0x1)
IE: &Download by Orbit - c:\archivos de programa\orbitdownloader\orbitmxt.dll/201
IE: &Grab video by Orbit - c:\archivos de programa\orbitdownloader\orbitmxt.dll/204
IE: Do&wnload by ReGet Deluxe - c:\archivos de programa\archivos comunes\reget shared\CC_Link.htm
IE: Do&wnload selected by Orbit - c:\archivos de programa\orbitdownloader\orbitmxt.dll/203
IE: Down&load all by Orbit - c:\archivos de programa\orbitdownloader\orbitmxt.dll/202
IE: Download A&ll by ReGet Deluxe - c:\archivos de programa\archivos comunes\reget shared\CC_All.htm
IE: E&xportar a Microsoft Excel - c:\archiv~1\micros~1\office11\EXCEL.EXE/3000
IE: {449DB14A-F988-4fd8-9361-F212D7B6414B} - c:\archivos de programa\cooliris\CoolIrisPreferences.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\archiv~1\micros~1\office11\REFIEBAR.DLL
LSP: c:\windows\system32\imon.dll
DPF: {001000AF-2DEF-0206-10B6-DC5BA692C858} - hxxp://gate.x10.com/control/xvidnx.cab
DPF: {3334504D-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/0/C/8/0C8EDFAB-30BC-4792-898E-2DABE27B2C4D/mp43dmo.CAB
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1188515240890
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
Notify: !SASWinLogon - c:\archivos de programa\superantispyware\SASWINLO.DLL
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\archivos de programa\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\admini~1\datosd~1\mozilla\firefox\profiles\afps0tyu.default user\
FF - prefs.js: browser.search.selectedEngine - Wiktionary (en)
FF - prefs.js: browser.startup.homepage - about:blank
FF - plugin: c:\archivos de programa\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\archivos de programa\viewpoint\viewpoint media player\npViewpoint.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\archivos de programa\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA} - c:\archivos de programa\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - c:\archivos de programa\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - c:\archivos de programa\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - c:\archivos de programa\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - c:\archivos de programa\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\archivos de programa\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\archivos de programa\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\archivos de programa\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\archivos de programa\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\archivos de programa\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
FF - Ext: Xmarks: foxmarks@kei.com - %profile%\extensions\foxmarks@kei.com
FF - Ext: LiveClick: {d166ee2a-36bb-4f33-aff7-e85f912df509} - %profile%\extensions\{d166ee2a-36bb-4f33-aff7-e85f912df509}
FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
FF - Ext: Ask and Record Toolbar: toolbar@ask.com - %profile%\extensions\toolbar@ask.com
FF - Ext: Java Quick Starter: jqs@sun.com - c:\archivos de programa\java\jre6\lib\deploy\jqs\ff

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-8-22 64160]
R1 SASDIFSV;SASDIFSV;c:\archivos de programa\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\archivos de programa\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
R2 DVDAccss;DVDAccss;c:\windows\system32\drivers\DVDAccss.sys [2009-9-16 29156]
R2 NOD32krn;NOD32 Kernel Service;c:\archivos de programa\eset\nod32krn.exe [2007-8-8 507904]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\archivos de programa\viewpoint\common\ViewpointService.exe [2009-8-2 24652]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\archivos de programa\lavasoft\ad-aware\AAWService.exe [2009-7-3 1029456]
S3 EverestDriver;Lavalys EVEREST Kernel Driver;\??\c:\archivos de programa\lavalys\everest ultimate edition\kerneld.wnt --> c:\archivos de programa\lavalys\everest ultimate edition\kerneld.wnt [?]
S3 UfasoftSnifDriver4;Ufasoft Snif Driver v4;c:\archivos de programa\ufasoft\sniffer\usft_sn4.sys [2008-1-9 23200]

=============== Created Last 30 ================

2011-01-24 02:51:14 -------- d-----w- c:\docume~1\admini~1\config~1\datosd~1\Safe mirror
2011-01-24 02:50:58 -------- d-----w- c:\archivos de programa\Cobian Backup 10
2011-01-21 00:23:28 -------- d-----w- c:\docume~1\alluse~1\datosd~1\SUPERAntiSpyware.com
2011-01-21 00:23:28 -------- d-----w- c:\docume~1\admini~1\datosd~1\SUPERAntiSpyware.com
2011-01-21 00:23:20 -------- d-----w- c:\archivos de programa\SUPERAntiSpyware
2011-01-20 22:06:00 -------- d-----w- c:\windows\system32\xircom
2011-01-20 22:06:00 -------- d-----w- c:\windows\system32\wbem\snmp
2011-01-20 22:06:00 -------- d-----w- c:\windows\system32\restore
2011-01-20 22:06:00 -------- d-----w- c:\windows\system32\oobe
2011-01-20 22:06:00 -------- d-----w- c:\windows\srchasst
2011-01-20 22:06:00 -------- d-----w- c:\windows\msagent
2011-01-20 22:06:00 -------- d-----w- c:\archivos de programa\msn gaming zone
2011-01-20 22:06:00 -------- d-----w- c:\archivos de programa\archivos comunes\speechengines
2011-01-20 21:59:51 -------- d-sha-r- C:\cmdcons
2011-01-20 21:57:54 89088 ----a-w- c:\windows\MBR.exe
2011-01-20 21:57:53 256512 ----a-w- c:\windows\PEV.exe
2011-01-20 21:57:52 98816 ----a-w- c:\windows\sed.exe
2011-01-20 21:57:52 161792 ----a-w- c:\windows\SWREG.exe

==================== Find3M ====================

2010-11-12 21:53:06 472808 ----a-w- c:\windows\system32\deployJava1.dll
2010-11-12 19:34:10 73728 ----a-w- c:\windows\system32\javacpl.cpl
2004-10-01 19:00:16 40960 ----a-w- c:\archivos de programa\Uninstall_CDS.exe

============= FINISH: 20:24:14,85 ===============

Attached Files
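The two DDS logs above differ only in a handful of lines, and what the helper is really after is the set of autostart entries and Explorer policy values and how they change between reboots. The following script is an added example (not a tool from this thread or from DDS itself) that parses the "Pseudo HJT Report" section of a DDS log, diffs two logs, and flags the entries a responder would look at first; the log excerpts embedded in it are constructed in the DDS format shown above, with the second excerpt omitting one Run entry so the diff has something to report.

```python
"""Triage helper for the "Pseudo HJT Report" section of a DDS log.

Added example for this thread, not DDS code. It extracts Run entries,
Winlogon values and Explorer policies, diffs two logs, and flags
entries worth a second look (empty or path-less commands, Start Menu
lockdown policies, a non-default logon UI host).
"""
import re

# DDS prefixes: uRun = current user's Run key, mRun = machine (HKLM) Run
# key, dRun = Default User hive; Policies and Winlogon lines use the same
# prefix letters.
RUN_RE = re.compile(r"^(?P<hive>[umd]Run): \[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
POLICY_RE = re.compile(r"^(?P<hive>[umd]Policies-\w+): (?P<key>\w+) = (?P<val>\S+)")
WINLOGON_RE = re.compile(r"^(?P<hive>[umd]Winlogon): (?P<key>\w+)=(?P<val>.*)$")

# Explorer policies that hide Start Menu items; the logs in this thread
# show all four set to 1 in the Default User hive.
LOCKDOWN_POLICIES = {"NoSMHelp", "NoSMConfigurePrograms",
                     "NoSMMyPictures", "NoResolveTrack"}

# Constructed excerpts in DDS format (not the full logs from the thread).
LOG_BEFORE = r"""
============== Pseudo HJT Report ===============

mWinlogon: UIHost=XPize_Logon.exe
uRun: [NOD32kui] c:\archivos de programa\eset\nod32kui.exe /WAITSERVICE
uRun: [Aim6]
uRun: [Xmarks] c:\archivos de programa\xmarks\ie extension\xmarkssync.exe -q
uRun: [uTorrent] "c:\archivos de programa\utorrent\uTorrent.exe"
mRun: [Run StartupMonitor] StartupMonitor.exe
dPolicies-explorer: NoSMHelp = 1 (0x1)
dPolicies-explorer: NoSMConfigurePrograms = 1 (0x1)
dPolicies-explorer: NoSMMyPictures = 1 (0x1)
dPolicies-explorer: NoResolveTrack = 1 (0x1)

================= FIREFOX ===================
"""

# Same machine, second log: the Xmarks entry is gone.
LOG_AFTER = LOG_BEFORE.replace(
    "uRun: [Xmarks] c:\\archivos de programa\\xmarks\\ie extension\\xmarkssync.exe -q\n", "")


def parse_dds(text):
    """Return {(kind, hive, name): value} for the Pseudo HJT Report section only."""
    entries = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("=====") and line.endswith("====="):
            section = line.strip("= ")   # e.g. "Pseudo HJT Report"
            continue
        if section != "Pseudo HJT Report":
            continue
        m = RUN_RE.match(line)
        if m:
            entries[("run", m["hive"], m["name"])] = m["cmd"].strip()
            continue
        m = POLICY_RE.match(line)
        if m:
            entries[("policy", m["hive"], m["key"])] = m["val"]
            continue
        m = WINLOGON_RE.match(line)
        if m:
            entries[("winlogon", m["hive"], m["key"])] = m["val"].strip()
    return entries


def diff_logs(old_text, new_text):
    """Return (added, removed, changed) between two DDS logs."""
    old, new = parse_dds(old_text), parse_dds(new_text)
    added = {k: new[k] for k in new.keys() - old.keys()}
    removed = {k: old[k] for k in old.keys() - new.keys()}
    changed = {k: (old[k], new[k]) for k in old.keys() & new.keys() if old[k] != new[k]}
    return added, removed, changed


def flag_findings(entries):
    """Return human-readable notes on entries a responder should verify."""
    findings = []
    for (kind, hive, name), val in entries.items():
        if kind == "run" and not val:
            findings.append(f"{hive} [{name}]: empty command (orphaned entry)")
        elif kind == "run" and not re.search(r"[\\/]", val):
            findings.append(f"{hive} [{name}]: no path, resolved via PATH: {val}")
        elif kind == "policy" and name in LOCKDOWN_POLICIES and val.startswith("1"):
            findings.append(f"{hive}: {name} enabled (Start Menu lockdown)")
        elif kind == "winlogon" and name == "UIHost":
            findings.append(f"{hive}: custom logon UI host {val} (verify it is expected)")
    return findings


if __name__ == "__main__":
    added, removed, changed = diff_logs(LOG_BEFORE, LOG_AFTER)
    print("added:", added, "\nremoved:", removed, "\nchanged:", changed)
    for note in flag_findings(parse_dds(LOG_BEFORE)):
        print("FLAG", note)
```

Feed it the full text of two DDS logs (for instance the one from the first post and the one from the reply after the next reboot) to see exactly which Run entries reappear.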



#4 Blade81

Blade81

    Bleepin' Rocker


  • Malware Response Team
  • 6,465 posts
  • OFFLINE
  • Gender:Male
  • Location:Finland
  • Local time:01:56 AM

Posted 02 February 2011 - 06:16 AM

Hi,

uTorrent

The ones listed above are P2P file sharing programs. P2P downloads are nowadays one of those things that most likely bring infection into the system. My recommendation is to uninstall these (and others, if present) P2P file sharing programs.


Please visit this webpage for download links, and instructions for running ComboFix tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please ensure you read this guide carefully first.

Please continue as follows:

  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix, link
    Remember to re-enable them afterwards.

  • Click Yes to allow ComboFix to continue scanning for malware.

When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

C:\ComboFix.txt
New dds log.


A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix. This tool is not a toy and not for everyday use.

Microsoft Windows Insider MVP 2016-2017

Microsoft MVP Consumer Security 2008-2015
UNITE member since 2006

Provided malware removal related instructions are meant to be used in the correspondent user's case only. If you have similar symptoms create own topic instead of following instructions given to some other, please.


#5 Mint Condish

Mint Condish
  • Topic Starter

  • Members
  • 9 posts
  • Gender:Male
  • Local time:07:56 PM

Posted 06 February 2011 - 03:37 PM

Hello - I apologize for the delay; I've been away from this computer.

uTorrent was uninstalled and all A/V software disabled before running ComboFix. Thanks again!



DDS (Ver_10-12-12.02) - NTFSx86
Run by Administrador at 17:26:55,46 on 06/02/2011
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_23
Microsoft Windows XP Professional 5.1.2600.2.1252.34.3082.18.991.616 [GMT -3:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Archivos de programa\Ask & Record Toolbar\FLVSrvc.exe
C:\Archivos de programa\Archivos comunes\Java\Java Update\jusched.exe
C:\Archivos de programa\TaskSwitchXP\TaskSwitchXP.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Archivos de programa\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
C:\Archivos de programa\Java\jre6\bin\jqs.exe
C:\Archivos de programa\Archivos comunes\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Archivos de programa\Eset\nod32krn.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Archivos de programa\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Administrador\Escritorio\dds.scr

============== Pseudo HJT Report ===============

mWinlogon: UIHost=XPize_Logon.exe
BHO: Octh Class: {000123b4-9b42-4900-b3f7-f4b073efc214} - c:\archivos de programa\orbitdownloader\orbitcth.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\archivos de programa\archivos comunes\adobe\acrobat\activex\AcroIEHelper.dll
BHO: ClickCatcher MSIE handler: {16664845-0e00-11d2-8059-000000000000} - c:\archivos de programa\archivos comunes\reget shared\Catcher.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\archivos de programa\archivos comunes\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: CoolIrisIEHelperObject.CoolIrisIEBHO: {ad0bab4b-212d-45d7-9e5b-cb1579132715} - c:\archivos de programa\cooliris\CoolIrisIEHelperObject.dll
BHO: Ask and Record Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\archivos de programa\ask.com\GenericAskToolbar.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\archivos de programa\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\archivos de programa\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: ReGet Bar: {17939a30-18e2-471e-9d3a-56dd725f1215} - c:\archivos de programa\regetdx\iebar.dll
TB: Ask and Record Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\archivos de programa\ask.com\GenericAskToolbar.dll
TB: Grab Pro: {c55bbcd6-41ad-48ad-9953-3609c48eacc7} - c:\archivos de programa\orbitdownloader\GrabPro.dll
uRun: [TaskSwitchXP] c:\archivos de programa\taskswitchxp\TaskSwitchXP.exe
uRun: [Sound Effect] c:\windows\SOUNDMAN.EXE
uRun: [NOD32kui] c:\archivos de programa\eset\nod32kui.exe /WAITSERVICE
uRun: [AWMON] "c:\archivos de programa\lavasoft\ad-aware se professional\Ad-Watch.exe"
uRun: [Aim6]
uRun: [ares] "c:\archivos de programa\ares\Ares.exe" -h
uRun: [YouSendIt.exe] c:\archivos de programa\yousendit\express\YouSendIt.exe -ui none
mRun: [Ink Monitor] c:\archivos de programa\epson\ink monitor\InkMonitor.exe
mRun: [Ask and Record FLV Service] "c:\archivos de programa\ask & record toolbar\FLVSrvc.exe" /run
mRun: [SunJavaUpdateSched] "c:\archivos de programa\archivos comunes\java\java update\jusched.exe"
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [Run StartupMonitor] StartupMonitor.exe
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dPolicies-explorer: NoSMHelp = 1 (0x1)
dPolicies-explorer: NoSMConfigurePrograms = 1 (0x1)
dPolicies-explorer: NoSMMyPictures = 1 (0x1)
dPolicies-explorer: NoResolveTrack = 1 (0x1)
IE: &Download by Orbit - c:\archivos de programa\orbitdownloader\orbitmxt.dll/201
IE: &Grab video by Orbit - c:\archivos de programa\orbitdownloader\orbitmxt.dll/204
IE: Do&wnload by ReGet Deluxe - c:\archivos de programa\archivos comunes\reget shared\CC_Link.htm
IE: Do&wnload selected by Orbit - c:\archivos de programa\orbitdownloader\orbitmxt.dll/203
IE: Down&load all by Orbit - c:\archivos de programa\orbitdownloader\orbitmxt.dll/202
IE: Download A&ll by ReGet Deluxe - c:\archivos de programa\archivos comunes\reget shared\CC_All.htm
IE: E&xportar a Microsoft Excel - c:\archiv~1\micros~1\office11\EXCEL.EXE/3000
IE: {449DB14A-F988-4fd8-9361-F212D7B6414B} - c:\archivos de programa\cooliris\CoolIrisPreferences.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\archiv~1\micros~1\office11\REFIEBAR.DLL
LSP: c:\windows\system32\imon.dll
DPF: {001000AF-2DEF-0206-10B6-DC5BA692C858} - hxxp://gate.x10.com/control/xvidnx.cab
DPF: {3334504D-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/0/C/8/0C8EDFAB-30BC-4792-898E-2DABE27B2C4D/mp43dmo.CAB
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1188515240890
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
Notify: !SASWinLogon - c:\archivos de programa\superantispyware\SASWINLO.DLL
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\archivos de programa\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\admini~1\datosd~1\mozilla\firefox\profiles\afps0tyu.default user\
FF - prefs.js: browser.search.selectedEngine - Wikipedia (en)
FF - prefs.js: browser.startup.homepage - about:blank
FF - plugin: c:\archivos de programa\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\archivos de programa\viewpoint\viewpoint media player\npViewpoint.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\archivos de programa\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA} - c:\archivos de programa\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - c:\archivos de programa\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - c:\archivos de programa\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - c:\archivos de programa\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - c:\archivos de programa\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\archivos de programa\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\archivos de programa\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\archivos de programa\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\archivos de programa\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\archivos de programa\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
FF - Ext: Xmarks: foxmarks@kei.com - %profile%\extensions\foxmarks@kei.com
FF - Ext: LiveClick: {d166ee2a-36bb-4f33-aff7-e85f912df509} - %profile%\extensions\{d166ee2a-36bb-4f33-aff7-e85f912df509}
FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
FF - Ext: Ask and Record Toolbar: toolbar@ask.com - %profile%\extensions\toolbar@ask.com
FF - Ext: Java Quick Starter: jqs@sun.com - c:\archivos de programa\java\jre6\lib\deploy\jqs\ff

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-8-22 64160]
R1 SASDIFSV;SASDIFSV;c:\archivos de programa\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\archivos de programa\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
R2 DVDAccss;DVDAccss;c:\windows\system32\drivers\DVDAccss.sys [2009-9-16 29156]
R2 NOD32krn;NOD32 Kernel Service;c:\archivos de programa\eset\nod32krn.exe [2007-8-8 507904]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\archivos de programa\viewpoint\common\ViewpointService.exe [2009-8-2 24652]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\archivos de programa\lavasoft\ad-aware\AAWService.exe [2009-7-3 1029456]
S3 EverestDriver;Lavalys EVEREST Kernel Driver;\??\c:\archivos de programa\lavalys\everest ultimate edition\kerneld.wnt --> c:\archivos de programa\lavalys\everest ultimate edition\kerneld.wnt [?]
S3 UfasoftSnifDriver4;Ufasoft Snif Driver v4;c:\archivos de programa\ufasoft\sniffer\usft_sn4.sys [2008-1-9 23200]

=============== Created Last 30 ================

2011-01-24 02:51:14 -------- d-----w- c:\docume~1\admini~1\config~1\datosd~1\Safe mirror
2011-01-24 02:50:58 -------- d-----w- c:\archivos de programa\Cobian Backup 10
2011-01-21 00:23:28 -------- d-----w- c:\docume~1\alluse~1\datosd~1\SUPERAntiSpyware.com
2011-01-21 00:23:28 -------- d-----w- c:\docume~1\admini~1\datosd~1\SUPERAntiSpyware.com
2011-01-21 00:23:20 -------- d-----w- c:\archivos de programa\SUPERAntiSpyware
2011-01-20 22:06:00 -------- d-----w- c:\windows\system32\xircom
2011-01-20 22:06:00 -------- d-----w- c:\windows\system32\wbem\snmp
2011-01-20 22:06:00 -------- d-----w- c:\windows\system32\restore
2011-01-20 22:06:00 -------- d-----w- c:\windows\system32\oobe
2011-01-20 22:06:00 -------- d-----w- c:\windows\srchasst
2011-01-20 22:06:00 -------- d-----w- c:\windows\msagent
2011-01-20 22:06:00 -------- d-----w- c:\archivos de programa\msn gaming zone
2011-01-20 22:06:00 -------- d-----w- c:\archivos de programa\archivos comunes\speechengines
2011-01-20 21:59:51 -------- d-sha-r- C:\cmdcons
2011-01-20 21:57:54 89088 ----a-w- c:\windows\MBR.exe
2011-01-20 21:57:53 256512 ----a-w- c:\windows\PEV.exe
2011-01-20 21:57:52 98816 ----a-w- c:\windows\sed.exe
2011-01-20 21:57:52 161792 ----a-w- c:\windows\SWREG.exe

==================== Find3M ====================

2010-11-12 21:53:06 472808 ----a-w- c:\windows\system32\deployJava1.dll
2010-11-12 19:34:10 73728 ----a-w- c:\windows\system32\javacpl.cpl
2004-10-01 19:00:16 40960 ----a-w- c:\archivos de programa\Uninstall_CDS.exe

============= FINISH: 17:27:08,15 ===============

Attached Files



#6 Blade81

Blade81

    Bleepin' Rocker


  • Malware Response Team
  • 6,465 posts
  • Gender:Male
  • Location:Finland
  • Local time:01:56 AM

Posted 07 February 2011 - 01:05 AM

Hi,

Look for the ComboFix4.txt file in the c:\ComboFix or c:\QooBox folder and post back its contents.

Please download and extract the following file: XPSP2 netsvcs. Then double-click on it to merge it into the Registry. Disable antivirus protection. Then please re-run ComboFix (let it update itself). Post back the report (yes, post this in addition to the ComboFix4.txt file requested above).

Update MBAM and run a full scan with it. Post back the report.



#7 Mint Condish

Mint Condish
  • Topic Starter

  • Members
  • 9 posts
  • Gender:Male
  • Local time:07:56 PM

Posted 11 February 2011 - 07:20 PM

I apologize again for the delay; I am now back on this computer full-time. Thanks a million again.

-Mint Condish

Attached Files



#8 Blade81

Blade81

    Bleepin' Rocker


  • Malware Response Team
  • 6,465 posts
  • Gender:Male
  • Location:Finland
  • Local time:01:56 AM

Posted 12 February 2011 - 05:46 AM

Hi,

Do you have XP Professional media with service pack 2 around?



#9 Mint Condish

Mint Condish
  • Topic Starter

  • Members
  • 9 posts
  • Gender:Male
  • Local time:07:56 PM

Posted 13 February 2011 - 12:43 PM

I'm afraid I don't, sorry.
:(

-Mint Condish

#10 Blade81

Blade81

    Bleepin' Rocker


  • Malware Response Team
  • 6,465 posts
  • Gender:Male
  • Location:Finland
  • Local time:01:56 AM

Posted 13 February 2011 - 03:42 PM

I'm afraid I don't, sorry.

How about a friend? Missing files may be repairable with the service pack 3 update too. We won't do it before the system is clean, though.


Is your ESET license a valid and legit one? If it isn't, you have to buy a legit license or uninstall NOD32 and replace it with another antivirus program.


Uninstall old Adobe Reader versions and get the latest one (X + 10.0.1 update) here or get Foxit Reader here. Make sure you don't install the toolbar if you choose Foxit Reader! You may also check the free readers introduced here.

Uninstall Macromedia Shockwave Player and get the fresh one here if needed.


Uninstall these old Javas:
J2SE Runtime Environment 5.0 Update 7
Java™ 6 Update 6
Java™ 6 Update 7



What are current symptoms left there (if any)?



#11 Mint Condish

Mint Condish
  • Topic Starter

  • Members
  • 9 posts
  • Gender:Male
  • Local time:07:56 PM

Posted 13 February 2011 - 07:39 PM

- Adobe Reader uninstalled, replaced with Foxit Reader (thanks a ton for this recommendation, Blade!)
- Macromedia Shockwave uninstalled, newest version installed
- J2SE Runtime Environment 5.0 Update 7, Java™ 6 Update 6 and Java™ 6 Update 7 uninstalled

The symptoms are still present. Here's a screenshot of Startup Control Panel to explain it better:

http://postimage.org/image/jd3tf3lw/

If I delete Aim6 or Ares or YouSendIt from there, they reappear instantly (and by the way, I never installed anything called Aim or Ares willingly). I also tried to do it directly using msconfig (which is not recommended, I know!) and the same thing happened. Now, as you can see in that screenshot, it appears that the Aim, Ares, uTorrent and Xmarks exe files are no longer on my PC, correct? So the inconvenience is minor now, BUT I'm scared of the possibility that there's still some evil program here collecting my private info (passwords, for example!) and beaming it to hell knows where.

NOD32 seems to be legit. Every day it updates itself more than once, and I have all its configurations password-protected. As for getting a copy of WindowsXP Pro SP2, I don't know anybody who has it, but I can start asking around.

A million thanks again!

-Mint Condish

#12 Blade81

Blade81

    Bleepin' Rocker


  • Malware Response Team
  • 6,465 posts
  • Gender:Male
  • Location:Finland
  • Local time:01:56 AM

Posted 14 February 2011 - 05:20 AM

NOD32 seems to be legit.

Then I'm not sure why NOD32 FiX is installed. Uninstall it, please.

Post fresh DDS logs. We shall see if it's an OK moment for the SP3 install.

Edited by Blade81, 14 February 2011 - 05:20 AM.



#13 Mint Condish

Mint Condish
  • Topic Starter

  • Members
  • 9 posts
  • Gender:Male
  • Local time:07:56 PM

Posted 14 February 2011 - 07:51 PM

NOD32 seems to be legit.

Then I'm not sure why NOD32 FiX is installed. Uninstall it, please.


Oh crap, you're right... I checked out NOD32's general info and it says it's an evaluation version with almost 17 million days left. That sure as hell can't be right, correct? Damn! So I uninstalled NOD32 Fix and replaced the antivirus with a free trial of the official NOD32 4 from eset.com; I'll purchase the software as soon as possible (unless you recommend a better A/V program). By the way, I ran a deep scan with this NOD32 4 and it found nothing.

Thanks a ton again. New DDS logs:


DDS (Ver_10-12-12.02) - NTFSx86
Run by Administrador at 21:43:26,78 on 14/02/2011
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_23
Microsoft Windows XP Professional 5.1.2600.2.1252.34.3082.18.991.349 [GMT -3:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Archivos de programa\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Archivos de programa\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
C:\Archivos de programa\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Archivos de programa\Java\jre6\bin\jqs.exe
C:\Archivos de programa\Archivos comunes\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Archivos de programa\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\Explorer.EXE
C:\Archivos de programa\Ask & Record Toolbar\FLVSrvc.exe
C:\WINDOWS\StartupMonitor.exe
C:\Archivos de programa\Archivos comunes\Java\Java Update\jusched.exe
C:\Archivos de programa\ESET\ESET NOD32 Antivirus\egui.exe
C:\Archivos de programa\TaskSwitchXP\TaskSwitchXP.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Archivos de programa\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Archivos de programa\Lavasoft\Ad-Aware\AAWTray.exe
C:\Archivos de programa\Mozilla Firefox\firefox.exe
C:\Archivos de programa\Mozilla Firefox\plugin-container.exe
C:\Archivos de programa\Windows Live\Messenger\msnmsgr.exe
C:\Archivos de programa\Windows Live\Contacts\wlcomm.exe
C:\Archivos de programa\Axantum\AxCrypt\AxCrypt.exe
C:\Documents and Settings\Administrador\Escritorio\dds.scr

============== Pseudo HJT Report ===============

mWinlogon: UIHost=XPize_Logon.exe
BHO: Octh Class: {000123b4-9b42-4900-b3f7-f4b073efc214} - c:\archivos de programa\orbitdownloader\orbitcth.dll
BHO: ClickCatcher MSIE handler: {16664845-0e00-11d2-8059-000000000000} - c:\archivos de programa\archivos comunes\reget shared\Catcher.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\archivos de programa\java\jre6\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\archivos de programa\archivos comunes\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: CoolIrisIEHelperObject.CoolIrisIEBHO: {ad0bab4b-212d-45d7-9e5b-cb1579132715} - c:\archivos de programa\cooliris\CoolIrisIEHelperObject.dll
BHO: Ask and Record Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\archivos de programa\ask.com\GenericAskToolbar.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\archivos de programa\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\archivos de programa\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: ReGet Bar: {17939a30-18e2-471e-9d3a-56dd725f1215} - c:\archivos de programa\regetdx\iebar.dll
TB: Ask and Record Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\archivos de programa\ask.com\GenericAskToolbar.dll
TB: Grab Pro: {c55bbcd6-41ad-48ad-9953-3609c48eacc7} - c:\archivos de programa\orbitdownloader\GrabPro.dll
uRun: [TaskSwitchXP] c:\archivos de programa\taskswitchxp\TaskSwitchXP.exe
uRun: [Sound Effect] c:\windows\SOUNDMAN.EXE
uRun: [NOD32kui] c:\archivos de programa\eset\nod32kui.exe /WAITSERVICE
uRun: [AWMON] "c:\archivos de programa\lavasoft\ad-aware se professional\Ad-Watch.exe"
uRun: [Xmarks] c:\archivos de programa\xmarks\ie extension\xmarkssync.exe -q
uRun: [Aim6]
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [ares] "c:\archivos de programa\ares\Ares.exe" -h
uRun: [YouSendIt.exe] c:\archivos de programa\yousendit\express\YouSendIt.exe -ui none
uRun: [uTorrent] "c:\archivos de programa\utorrent\uTorrent.exe"
mRun: [Ink Monitor] c:\archivos de programa\epson\ink monitor\InkMonitor.exe
mRun: [Ask and Record FLV Service] "c:\archivos de programa\ask & record toolbar\FLVSrvc.exe" /run
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [Run StartupMonitor] StartupMonitor.exe
mRun: [SunJavaUpdateSched] "c:\archivos de programa\archivos comunes\java\java update\jusched.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dPolicies-explorer: NoSMHelp = 1 (0x1)
dPolicies-explorer: NoSMConfigurePrograms = 1 (0x1)
dPolicies-explorer: NoSMMyPictures = 1 (0x1)
dPolicies-explorer: NoResolveTrack = 1 (0x1)
IE: &Download by Orbit - c:\archivos de programa\orbitdownloader\orbitmxt.dll/201
IE: &Grab video by Orbit - c:\archivos de programa\orbitdownloader\orbitmxt.dll/204
IE: Do&wnload by ReGet Deluxe - c:\archivos de programa\archivos comunes\reget shared\CC_Link.htm
IE: Do&wnload selected by Orbit - c:\archivos de programa\orbitdownloader\orbitmxt.dll/203
IE: Down&load all by Orbit - c:\archivos de programa\orbitdownloader\orbitmxt.dll/202
IE: Download A&ll by ReGet Deluxe - c:\archivos de programa\archivos comunes\reget shared\CC_All.htm
IE: E&xportar a Microsoft Excel - c:\archiv~1\micros~1\office11\EXCEL.EXE/3000
IE: {449DB14A-F988-4fd8-9361-F212D7B6414B} - c:\archivos de programa\cooliris\CoolIrisPreferences.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBC} - c:\archivos de programa\java\jre6\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\archiv~1\micros~1\office11\REFIEBAR.DLL
DPF: {001000AF-2DEF-0206-10B6-DC5BA692C858} - hxxp://gate.x10.com/control/xvidnx.cab
DPF: {3334504D-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/0/C/8/0C8EDFAB-30BC-4792-898E-2DABE27B2C4D/mp43dmo.CAB
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1188515240890
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
Notify: !SASWinLogon - c:\archivos de programa\superantispyware\SASWINLO.DLL
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\archivos de programa\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\admini~1\datosd~1\mozilla\firefox\profiles\afps0tyu.default user\
FF - prefs.js: browser.search.selectedEngine - Wikipedia (en)
FF - prefs.js: browser.startup.homepage - about:blank
FF - plugin: c:\archivos de programa\foxit software\foxit reader\plugins\npFoxitReaderPlugin.dll
FF - plugin: c:\archivos de programa\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\archivos de programa\viewpoint\viewpoint media player\npViewpoint.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\archivos de programa\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA} - c:\archivos de programa\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - c:\archivos de programa\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - c:\archivos de programa\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - c:\archivos de programa\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - c:\archivos de programa\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\archivos de programa\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\archivos de programa\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\archivos de programa\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\archivos de programa\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\archivos de programa\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
FF - Ext: Xmarks: foxmarks@kei.com - %profile%\extensions\foxmarks@kei.com
FF - Ext: LiveClick: {d166ee2a-36bb-4f33-aff7-e85f912df509} - %profile%\extensions\{d166ee2a-36bb-4f33-aff7-e85f912df509}
FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
FF - Ext: Ask and Record Toolbar: toolbar@ask.com - %profile%\extensions\toolbar@ask.com
FF - Ext: Java Quick Starter: jqs@sun.com - c:\archivos de programa\java\jre6\lib\deploy\jqs\ff

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-8-22 64160]
R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [2010-12-21 115008]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [2010-12-21 94872]
R1 SASDIFSV;SASDIFSV;c:\archivos de programa\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\archivos de programa\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
R2 DVDAccss;DVDAccss;c:\windows\system32\drivers\DVDAccss.sys [2009-9-16 29156]
R2 ekrn;ESET Service;c:\archivos de programa\eset\eset nod32 antivirus\ekrn.exe [2011-1-12 810144]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\archivos de programa\lavasoft\ad-aware\AAWService.exe [2009-7-3 1029456]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\archivos de programa\viewpoint\common\ViewpointService.exe [2009-8-2 24652]
S3 EverestDriver;Lavalys EVEREST Kernel Driver;\??\c:\archivos de programa\lavalys\everest ultimate edition\kerneld.wnt --> c:\archivos de programa\lavalys\everest ultimate edition\kerneld.wnt [?]
S3 UfasoftSnifDriver4;Ufasoft Snif Driver v4;c:\archivos de programa\ufasoft\sniffer\usft_sn4.sys [2008-1-9 23200]

=============== Created Last 30 ================

2011-02-13 21:49:25 -------- d-----w- c:\docume~1\admini~1\datosd~1\Foxit Software
2011-02-13 21:48:20 -------- d-----w- c:\archivos de programa\Foxit Software
2011-02-13 21:45:59 -------- d-----w- c:\windows\system32\Adobe
2011-02-11 23:03:57 709456 ----a-w- c:\windows\is-BAM3D.exe
2011-01-24 02:51:14 -------- d-----w- c:\docume~1\admini~1\config~1\datosd~1\Safe mirror
2011-01-24 02:50:58 -------- d-----w- c:\archivos de programa\Cobian Backup 10
2011-01-21 00:23:28 -------- d-----w- c:\docume~1\alluse~1\datosd~1\SUPERAntiSpyware.com
2011-01-21 00:23:28 -------- d-----w- c:\docume~1\admini~1\datosd~1\SUPERAntiSpyware.com
2011-01-21 00:23:20 -------- d-----w- c:\archivos de programa\SUPERAntiSpyware
2011-01-20 22:06:00 -------- d-----w- c:\windows\system32\xircom
2011-01-20 22:06:00 -------- d-----w- c:\windows\system32\wbem\snmp
2011-01-20 22:06:00 -------- d-----w- c:\windows\system32\restore
2011-01-20 22:06:00 -------- d-----w- c:\windows\system32\oobe
2011-01-20 22:06:00 -------- d-----w- c:\windows\srchasst
2011-01-20 22:06:00 -------- d-----w- c:\windows\msagent
2011-01-20 22:06:00 -------- d-----w- c:\archivos de programa\msn gaming zone
2011-01-20 22:06:00 -------- d-----w- c:\archivos de programa\archivos comunes\speechengines
2011-01-20 21:59:51 -------- d-sha-r- C:\cmdcons
2011-01-20 21:57:54 89088 ----a-w- c:\windows\MBR.exe
2011-01-20 21:57:53 256512 ----a-w- c:\windows\PEV.exe
2011-01-20 21:57:52 98816 ----a-w- c:\windows\sed.exe
2011-01-20 21:57:52 161792 ----a-w- c:\windows\SWREG.exe

==================== Find3M ====================

2004-10-01 19:00:16 40960 ----a-w- c:\archivos de programa\Uninstall_CDS.exe

============= FINISH: 21:43:55,12 ===============

Attached Files
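As an added example (not code from DDS, ComboFix or anyone in this thread), the following Python script compares the Run-key entries of the 06/02 and 14/02 DDS logs above and flags exactly the kind of entry the user reports as reappearing: values with no command at all and values whose executable is gone from disk. The log excerpts are taken from the thread and abridged; the list of files assumed present is constructed from the user's description.

```python
"""Diff the autostart (Run-key) entries between two DDS 'Pseudo HJT Report' logs.

Added example for this thread, not part of DDS, ComboFix or any post here. It parses
the uRun/mRun/dRun lines DDS prints (HKCU, HKLM and default-user hive), reports which
entries appeared or vanished between two logs, and flags entries that have no command
at all (like "uRun: [Aim6]") or whose target executable is not in a set of known files.
"""
import re
from dataclasses import dataclass

RUN_LINE = re.compile(r'^(?P<hive>[umd]Run):\s*\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$')
# Leading token ending in an executable extension, quoted or not; paths under
# "Archivos de programa" contain spaces, so never split on whitespace alone.
TARGET = re.compile(r'^"?(?P<path>.*?\.(?:exe|scr|com|bat|cmd))"?(?:\s|$)', re.I)


@dataclass(frozen=True)
class RunEntry:
    hive: str  # uRun = HKCU, mRun = HKLM, dRun = default user hive
    name: str  # value name under the Run key
    cmd: str   # command line exactly as DDS prints it ('' when empty)

    @property
    def target(self) -> str:
        """Executable path with quotes and arguments stripped."""
        m = TARGET.match(self.cmd)
        return m.group('path') if m else self.cmd


def parse_run_entries(log_text: str) -> dict:
    """Map (hive, value name) -> RunEntry for every Run line in a DDS log."""
    entries = {}
    for line in log_text.splitlines():
        m = RUN_LINE.match(line.strip())
        if m:
            entry = RunEntry(m['hive'], m['name'], m['cmd'].strip())
            entries[(entry.hive, entry.name)] = entry
    return entries


def diff_runs(old: dict, new: dict):
    """Return (added, removed) keys, so entries that come back stand out."""
    return sorted(new.keys() - old.keys()), sorted(old.keys() - new.keys())


def flag_entries(entries: dict, present_files) -> dict:
    """Return {(hive, name): reason} for empty commands and missing targets.
    present_files: paths known to exist (os.path.exists on the live box),
    compared case-insensitively as NTFS does."""
    known = {p.lower() for p in present_files}
    flagged = {}
    for key, entry in entries.items():
        if not entry.cmd:
            flagged[key] = 'empty command'
        elif entry.target.lower() not in known:
            flagged[key] = 'target not on disk: ' + entry.target
    return flagged


def report(old_text: str, new_text: str, present_files) -> dict:
    """Diff two logs and flag the suspicious entries of the newer one."""
    old, new = parse_run_entries(old_text), parse_run_entries(new_text)
    added, removed = diff_runs(old, new)
    return {'added': added, 'removed': removed, 'flagged': flag_entries(new, present_files)}


# Constructed excerpts: Run lines quoted from the 06/02 and 14/02 DDS logs in
# this thread, abridged to keep the sample short.
LOG_0602 = r"""uRun: [NOD32kui] c:\archivos de programa\eset\nod32kui.exe /WAITSERVICE
uRun: [AWMON] "c:\archivos de programa\lavasoft\ad-aware se professional\Ad-Watch.exe"
uRun: [Aim6]
uRun: [ares] "c:\archivos de programa\ares\Ares.exe" -h
uRun: [YouSendIt.exe] c:\archivos de programa\yousendit\express\YouSendIt.exe -ui none
mRun: [Run StartupMonitor] StartupMonitor.exe
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
"""

LOG_1402 = r"""uRun: [NOD32kui] c:\archivos de programa\eset\nod32kui.exe /WAITSERVICE
uRun: [AWMON] "c:\archivos de programa\lavasoft\ad-aware se professional\Ad-Watch.exe"
uRun: [Xmarks] c:\archivos de programa\xmarks\ie extension\xmarkssync.exe -q
uRun: [Aim6]
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [ares] "c:\archivos de programa\ares\Ares.exe" -h
uRun: [YouSendIt.exe] c:\archivos de programa\yousendit\express\YouSendIt.exe -ui none
uRun: [uTorrent] "c:\archivos de programa\utorrent\uTorrent.exe"
mRun: [Run StartupMonitor] StartupMonitor.exe
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
"""

# Constructed: files assumed still present, following the user's note that the
# Aim, Ares, uTorrent and Xmarks executables are gone from the PC.
PRESENT_FILES = {
    r'c:\archivos de programa\eset\nod32kui.exe',
    r'c:\archivos de programa\lavasoft\ad-aware se professional\Ad-Watch.exe',
    r'c:\windows\system32\ctfmon.exe',
    r'c:\archivos de programa\yousendit\express\YouSendIt.exe',
    'StartupMonitor.exe',
}
```

Running `report(LOG_0602, LOG_1402, PRESENT_FILES)` lists Xmarks, ctfmon.exe and uTorrent as new under HKCU and flags Aim6 (empty command) plus Xmarks, ares and uTorrent (target not on disk), which matches what the user sees in Startup Control Panel.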



#14 Blade81

Blade81

    Bleepin' Rocker


  • Malware Response Team
  • 6,465 posts
  • Gender:Male
  • Location:Finland
  • Local time:01:56 AM

Posted 15 February 2011 - 12:55 AM

Hi,

I think it's ok to install service pack 3 at this point. Please download and install it here. Post back fresh dds logs when ready.



#15 Mint Condish

Mint Condish
  • Topic Starter

  • Members
  • 9 posts
  • Gender:Male
  • Local time:07:56 PM

Posted 19 February 2011 - 03:57 PM

VICTORY!! :warrior: The problem appears to be GONE. New DDS log:


DDS (Ver_10-12-12.02) - NTFSx86
Run by Administrador at 17:47:56,57 on 19/02/2011
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_23
Microsoft Windows XP Professional 5.1.2600.3.1252.34.3082.18.991.545 [GMT -3:00]

AV: ESET NOD32 Antivirus 4.2 *Enabled/Updated* {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Archivos de programa\Ask & Record Toolbar\FLVSrvc.exe
C:\WINDOWS\StartupMonitor.exe
C:\Archivos de programa\Archivos comunes\Java\Java Update\jusched.exe
C:\Archivos de programa\ESET\ESET NOD32 Antivirus\egui.exe
C:\Archivos de programa\TaskSwitchXP\TaskSwitchXP.exe
C:\Archivos de programa\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Archivos de programa\Java\jre6\bin\jqs.exe
C:\Archivos de programa\Archivos comunes\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Archivos de programa\Viewpoint\Common\ViewpointService.exe
C:\Archivos de programa\Mozilla Firefox\firefox.exe
C:\Archivos de programa\Mozilla Firefox\plugin-container.exe
C:\Archivos de programa\Axantum\AxCrypt\AxCrypt.exe
C:\Documents and Settings\Administrador\Escritorio\dds.scr

============== Pseudo HJT Report ===============

mWinlogon: UIHost=XPize_Logon.exe
BHO: Octh Class: {000123b4-9b42-4900-b3f7-f4b073efc214} - c:\archivos de programa\orbitdownloader\orbitcth.dll
BHO: ClickCatcher MSIE handler: {16664845-0e00-11d2-8059-000000000000} - c:\archivos de programa\archivos comunes\reget shared\Catcher.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\archivos de programa\java\jre6\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\archivos de programa\archivos comunes\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: CoolIrisIEHelperObject.CoolIrisIEBHO: {ad0bab4b-212d-45d7-9e5b-cb1579132715} - c:\archivos de programa\cooliris\CoolIrisIEHelperObject.dll
BHO: Ask and Record Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\archivos de programa\ask.com\GenericAskToolbar.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\archivos de programa\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\archivos de programa\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: ReGet Bar: {17939a30-18e2-471e-9d3a-56dd725f1215} - c:\archivos de programa\regetdx\iebar.dll
TB: Ask and Record Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\archivos de programa\ask.com\GenericAskToolbar.dll
TB: Grab Pro: {c55bbcd6-41ad-48ad-9953-3609c48eacc7} - c:\archivos de programa\orbitdownloader\GrabPro.dll
uRun: [TaskSwitchXP] c:\archivos de programa\taskswitchxp\TaskSwitchXP.exe
uRun: [Sound Effect] c:\windows\SOUNDMAN.EXE
uRun: [NOD32kui] c:\archivos de programa\eset\nod32kui.exe /WAITSERVICE
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [Ink Monitor] c:\archivos de programa\epson\ink monitor\InkMonitor.exe
mRun: [Ask and Record FLV Service] "c:\archivos de programa\ask & record toolbar\FLVSrvc.exe" /run
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [Run StartupMonitor] StartupMonitor.exe
mRun: [SunJavaUpdateSched] "c:\archivos de programa\archivos comunes\java\java update\jusched.exe"
mRun: [egui] "c:\archivos de programa\eset\eset nod32 antivirus\egui.exe" /hide /waitservice
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dPolicies-explorer: NoSMHelp = 1 (0x1)
dPolicies-explorer: NoSMConfigurePrograms = 1 (0x1)
dPolicies-explorer: NoSMMyPictures = 1 (0x1)
dPolicies-explorer: NoResolveTrack = 1 (0x1)
IE: &Download by Orbit - c:\archivos de programa\orbitdownloader\orbitmxt.dll/201
IE: &Grab video by Orbit - c:\archivos de programa\orbitdownloader\orbitmxt.dll/204
IE: Do&wnload by ReGet Deluxe - c:\archivos de programa\archivos comunes\reget shared\CC_Link.htm
IE: Do&wnload selected by Orbit - c:\archivos de programa\orbitdownloader\orbitmxt.dll/203
IE: Down&load all by Orbit - c:\archivos de programa\orbitdownloader\orbitmxt.dll/202
IE: Download A&ll by ReGet Deluxe - c:\archivos de programa\archivos comunes\reget shared\CC_All.htm
IE: E&xportar a Microsoft Excel - c:\archiv~1\micros~1\office11\EXCEL.EXE/3000
IE: {449DB14A-F988-4fd8-9361-F212D7B6414B} - c:\archivos de programa\cooliris\CoolIrisPreferences.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\archivos de programa\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBC} - c:\archivos de programa\java\jre6\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\archiv~1\micros~1\office11\REFIEBAR.DLL
DPF: {001000AF-2DEF-0206-10B6-DC5BA692C858} - hxxp://gate.x10.com/control/xvidnx.cab
DPF: {3334504D-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/0/C/8/0C8EDFAB-30BC-4792-898E-2DABE27B2C4D/mp43dmo.CAB
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1188515240890
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
Notify: !SASWinLogon - c:\archivos de programa\superantispyware\SASWINLO.DLL
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\archivos de programa\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\admini~1\datosd~1\mozilla\firefox\profiles\afps0tyu.default user\
FF - prefs.js: browser.search.selectedEngine - Wikipedia (en)
FF - prefs.js: browser.startup.homepage - about:blank
FF - plugin: c:\archivos de programa\foxit software\foxit reader\plugins\npFoxitReaderPlugin.dll
FF - plugin: c:\archivos de programa\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\archivos de programa\viewpoint\viewpoint media player\npViewpoint.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\archivos de programa\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA} - c:\archivos de programa\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - c:\archivos de programa\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - c:\archivos de programa\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - c:\archivos de programa\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - c:\archivos de programa\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\archivos de programa\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\archivos de programa\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\archivos de programa\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\archivos de programa\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\archivos de programa\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
FF - Ext: Xmarks: foxmarks@kei.com - %profile%\extensions\foxmarks@kei.com
FF - Ext: LiveClick: {d166ee2a-36bb-4f33-aff7-e85f912df509} - %profile%\extensions\{d166ee2a-36bb-4f33-aff7-e85f912df509}
FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
FF - Ext: Ask and Record Toolbar: toolbar@ask.com - %profile%\extensions\toolbar@ask.com
FF - Ext: Java Quick Starter: jqs@sun.com - c:\archivos de programa\java\jre6\lib\deploy\jqs\ff

============= SERVICES / DRIVERS ===============

R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [2010-12-21 115008]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [2010-12-21 94872]
R1 SASDIFSV;SASDIFSV;c:\archivos de programa\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\archivos de programa\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
R2 DVDAccss;DVDAccss;c:\windows\system32\drivers\DVDAccss.sys [2009-9-16 29156]
R2 ekrn;ESET Service;c:\archivos de programa\eset\eset nod32 antivirus\ekrn.exe [2011-1-12 810144]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\archivos de programa\viewpoint\common\ViewpointService.exe [2009-8-2 24652]
S3 EverestDriver;Lavalys EVEREST Kernel Driver;\??\c:\archivos de programa\lavalys\everest ultimate edition\kerneld.wnt --> c:\archivos de programa\lavalys\everest ultimate edition\kerneld.wnt [?]
S3 UfasoftSnifDriver4;Ufasoft Snif Driver v4;c:\archivos de programa\ufasoft\sniffer\usft_sn4.sys [2008-1-9 23200]

=============== Created Last 30 ================

2011-02-19 19:20:00 -------- d-----w- c:\windows\ServicePackFiles
2011-02-19 19:17:48 19569 ----a-w- c:\windows\002331_.tmp
2011-02-19 19:14:47 -------- d-----w- c:\windows\EHome
2011-02-18 21:13:07 1409 ----a-w- c:\windows\QTFont.for
2011-02-13 21:49:25 -------- d-----w- c:\docume~1\admini~1\datosd~1\Foxit Software
2011-02-13 21:48:20 -------- d-----w- c:\archivos de programa\Foxit Software
2011-02-13 21:45:59 -------- d-----w- c:\windows\system32\Adobe
2011-02-11 23:03:57 709456 ----a-w- c:\windows\is-BAM3D.exe
2011-01-24 02:51:14 -------- d-----w- c:\docume~1\admini~1\config~1\datosd~1\Safe mirror
2011-01-24 02:50:58 -------- d-----w- c:\archivos de programa\Cobian Backup 10
2011-01-21 00:23:28 -------- d-----w- c:\docume~1\alluse~1\datosd~1\SUPERAntiSpyware.com
2011-01-21 00:23:28 -------- d-----w- c:\docume~1\admini~1\datosd~1\SUPERAntiSpyware.com
2011-01-21 00:23:20 -------- d-----w- c:\archivos de programa\SUPERAntiSpyware
2011-01-20 22:06:00 -------- d-----w- c:\windows\system32\xircom
2011-01-20 22:06:00 -------- d-----w- c:\windows\system32\wbem\snmp
2011-01-20 22:06:00 -------- d-----w- c:\windows\system32\restore
2011-01-20 22:06:00 -------- d-----w- c:\windows\system32\oobe
2011-01-20 22:06:00 -------- d-----w- c:\windows\srchasst
2011-01-20 22:06:00 -------- d-----w- c:\windows\msagent
2011-01-20 22:06:00 -------- d-----w- c:\archivos de programa\msn gaming zone
2011-01-20 22:06:00 -------- d-----w- c:\archivos de programa\archivos comunes\speechengines
2011-01-20 21:59:51 -------- d-sha-r- C:\cmdcons
2011-01-20 21:57:54 89088 ----a-w- c:\windows\MBR.exe
2011-01-20 21:57:53 256512 ----a-w- c:\windows\PEV.exe
2011-01-20 21:57:52 98816 ----a-w- c:\windows\sed.exe
2011-01-20 21:57:52 161792 ----a-w- c:\windows\SWREG.exe

==================== Find3M ====================

2004-10-01 19:00:16 40960 ----a-w- c:\archivos de programa\Uninstall_CDS.exe

============= FINISH: 17:48:34,79 ===============



As you can see (I think), I have removed the Ad-Aware programs, which were doing nothing for me. I believe I'll do the same with SUPERAntiSpyware, which I actually used only once, and stick only with NOD32 and Malwarebytes' Anti-Malware. Please let me know if you think I should add and/or remove and/or update more programs, and/or change some configuration.

I can't thank you enough for all your help. Cheers!

-Mint Condish
:)
