

ZeroAccess and Bundespolizei Ukash


  • This topic is locked
52 replies to this topic

#1 esponda1

esponda1

  • Members
  • 30 posts

Posted 13 July 2012 - 06:47 AM

Hello! First of all I want to thank whoever is reading this for taking the time to help.

Yesterday I started noticing some tabs opening without me clicking on anything. After that AVG alerted me of a Trojan, I don't remember the name of the Trojan (didn't have time to write it down before the rest happened) but I do remember that the infected file was Desktop.ini. While looking online for options I got a screen that obstructed me from doing anything else. It identified itself as being from the Bundespolizei (State police) and claimed to need me to pay a fine with Ukash in order to have the use of my computer back. I didn't fall for that and started looking for options on another computer I have.

Before finding this site I found other forums talking about similar problems and followed some of the suggestions. I ran Malwarebytes on Safe Mode and it found 10 files. The log is:

Malwarebytes Anti-Malware 1.62.0.1300
www.malwarebytes.org

Database version: v2012.07.12.04

Windows XP Service Pack 3 x86 NTFS (Safe Mode/Networking)
Internet Explorer 8.0.6001.18702
Mario :: LAPTOPMER [administrator]

12/07/2012 10:44:07 a.m.
mbam-log-2012-07-12 (10-44-07).txt

Scan type: Full scan (C:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 565755
Time elapsed: 1 hour(s), 30 minute(s), 4 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 1
HKCR\CLSID\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32| (Trojan.Zaccess) -> Bad: (\\.\globalroot\systemroot\Installer\{526f91f3-16b4-eda0-b274-e2ab7e347d0c}\n.) Good: (wbemess.dll) -> Quarantined and repaired successfully.

Folders Detected: 0
(No malicious items detected)

Files Detected: 9
C:\Documents and Settings\Mario\Configuración local\Datos de programa\{526f91f3-16b4-eda0-b274-e2ab7e347d0c}\n (Trojan.Agent.BVXGen) -> Delete on reboot.
C:\System Volume Information\_restore{76ABF1A7-BFF7-42CC-9056-935615489067}\RP1378\A0269174.ini (Trojan.0access) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{76ABF1A7-BFF7-42CC-9056-935615489067}\RP1379\A0270174.ini (Trojan.0access) -> Quarantined and deleted successfully.
C:\WINDOWS\Installer\{526f91f3-16b4-eda0-b274-e2ab7e347d0c}\n (Trojan.Agent.BVXGen) -> Delete on reboot.
C:\WINDOWS\Installer\{526f91f3-16b4-eda0-b274-e2ab7e347d0c}\U\00000004.@ (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\WINDOWS\Installer\{526f91f3-16b4-eda0-b274-e2ab7e347d0c}\U\00000008.@ (Trojan.Dropper.BCMiner) -> Quarantined and deleted successfully.
C:\WINDOWS\Installer\{526f91f3-16b4-eda0-b274-e2ab7e347d0c}\U\000000cb.@ (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\WINDOWS\Installer\{526f91f3-16b4-eda0-b274-e2ab7e347d0c}\U\80000000.@ (Trojan.Sirefef) -> Quarantined and deleted successfully.
C:\Documents and Settings\Mario\0.8664409052151274.exe (Trojan.Agent.Gen) -> Quarantined and deleted successfully.

(end)

It claimed to have successfully removed them and asked me to reboot. So I did, but when Windows started normally again I got the Ukash screen again. So I kept looking for options. I found another forum recommending to run Emsisoft Emergency Kit on Safe Mode and found 11 objects. The log is:

Emsisoft Emergency Kit - Version 2.0
Last update: 12/07/2012 12:29:09 p.m.

Scan settings:

Scan type: Deep Scan
Objects: Rootkits, Memory, Traces, C:\
Scan archives: On
ADS Scan: On

Scan start: 12/07/2012 12:30:03 p.m.

C:\WINDOWS\Installer\{526f91f3-16b4-eda0-b274-e2ab7e347d0c}\U\80000032.@ detected: Trojan.Win32.Alureon!E2
C:\TU Dortmund\Semester 1\Object Oriented Programming\Assignments\Exercise_5_1\Debug\Exercise_5_1.exe detected: Trojan.Win32.Agent!E2
C:\TU Dortmund\Semester 1\Object Oriented Programming\Assignments\Exercise_3_4\Debug\Exercise_3_4.exe detected: Trojan.Win32.Agent!E2
C:\TU Dortmund\Semester 1\Object Oriented Programming\Assignments\Exercise_3_3\Debug\Exercise_3_3.exe detected: Trojan.Win32.Agent!E2
C:\TU Dortmund\Semester 1\Object Oriented Programming\Assignments\Exercise_2_4\Debug\Exercise_2_4.exe detected: Trojan.Win32.Agent!E2
C:\TU Dortmund\Semester 1\Object Oriented Programming\Assignments\Exercise_2_5\Debug\Exercise_2_5.exe detected: Trojan.Win32.Agent!E2
C:\TU Dortmund\Semester 1\Object Oriented Programming\Assignments\Exercise_2_3\Debug\Exercise_2_3.exe detected: Trojan.Win32.Agent!E2
C:\TU Dortmund\Semester 1\Object Oriented Programming\Assignments\Exercise_2_2b\Debug\Exercise_2_2b.exe detected: Trojan.Win32.Agent!E2
C:\TU Dortmund\Semester 1\Object Oriented Programming\Assignments\Exercise_2_1\Debug\Exercise_2_1.exe detected: Trojan.Win32.Agent!E2
C:\System Volume Information\_restore{76ABF1A7-BFF7-42CC-9056-935615489067}\RP1379\A0270208.ini detected: Trojan.Win32.Sirefef!E2
C:\Archivos de programa\DAEMON Tools Lite\uninst.exe detected: Adware.Win32.Toolbar.Shopper.AMN!E1

Scanned 809451
Found 11

Scan end: 12/07/2012 03:25:23 p.m.
Scan time: 2:55:20

C:\Archivos de programa\DAEMON Tools Lite\uninst.exe Quarantined Adware.Win32.Toolbar.Shopper.AMN!E1
C:\System Volume Information\_restore{76ABF1A7-BFF7-42CC-9056-935615489067}\RP1379\A0270208.ini Quarantined Trojan.Win32.Sirefef!E2
C:\TU Dortmund\Semester 1\Object Oriented Programming\Assignments\Exercise_5_1\Debug\Exercise_5_1.exe Quarantined Trojan.Win32.Agent!E2
C:\TU Dortmund\Semester 1\Object Oriented Programming\Assignments\Exercise_3_4\Debug\Exercise_3_4.exe Quarantined Trojan.Win32.Agent!E2
C:\TU Dortmund\Semester 1\Object Oriented Programming\Assignments\Exercise_3_3\Debug\Exercise_3_3.exe Quarantined Trojan.Win32.Agent!E2
C:\TU Dortmund\Semester 1\Object Oriented Programming\Assignments\Exercise_2_4\Debug\Exercise_2_4.exe Quarantined Trojan.Win32.Agent!E2
C:\TU Dortmund\Semester 1\Object Oriented Programming\Assignments\Exercise_2_5\Debug\Exercise_2_5.exe Quarantined Trojan.Win32.Agent!E2
C:\TU Dortmund\Semester 1\Object Oriented Programming\Assignments\Exercise_2_3\Debug\Exercise_2_3.exe Quarantined Trojan.Win32.Agent!E2
C:\TU Dortmund\Semester 1\Object Oriented Programming\Assignments\Exercise_2_2b\Debug\Exercise_2_2b.exe Quarantined Trojan.Win32.Agent!E2
C:\TU Dortmund\Semester 1\Object Oriented Programming\Assignments\Exercise_2_1\Debug\Exercise_2_1.exe Quarantined Trojan.Win32.Agent!E2
C:\WINDOWS\Installer\{526f91f3-16b4-eda0-b274-e2ab7e347d0c}\U\80000032.@ Quarantined Trojan.Win32.Alureon!E2

Quarantined 11

After restarting to normal Windows I got the Ukash screen again. So it was back to the forums. Found another that just "solved" the problem by going to "msconfig" - Boot Options and turning one off at a time until finding the one that was causing the problem. I did this until I found that pxzrdquw.exe on the boot options was launching the Ukash screen and I turned it off. So now at least I can use the computer. I realize this didn't solve the problem, it just hid it, and that is how I finally came to find this great site. I hope you can help me and I apologize for the extra long initial post.

I followed all the steps in "Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help". It is important to mention that when I ran GMER on "normal" Windows it took hours and I finally decided to leave it running during the night. When I woke up I found the computer with many Error messages that read:

Critical Error
Windows was unable to save all the data for the file XXXXX. The data has been lost. The error may be caused by a failure of your computer hardware or network connection. Please try to save this file elsewhere.

Most windows had a different path on XXXXX and some were repeated. I wrote them all down (19 until I decided to restart), let me know if it is relevant for you to know. Just in case here are some of the file paths:

\Device\HarddiskVolume2\$BitMap
\Device\HarddiskVolume2\WINDOWS\system32\config\SysEvent.Evt

After restarting, I ran GMER on SafeMode. It took only an hour. So here are the logs requested on the guide. DDS was run under "normal" Windows and GMER on Safe Mode. THANK YOU VERY MUCH!

Attached Files




#2 Guest_White Warrior_*

Guest_White Warrior_*

  • Guests

Posted 17 July 2012 - 11:56 PM

Hi esponda1

I will be handling your log to help you get cleaned up. Please give me some time to look it over and I will get back to you as soon as possible.

White Warrior

#3 esponda1

esponda1
  • Topic Starter

  • Members
  • 30 posts

Posted 18 July 2012 - 12:06 AM

No problem. Happy someone is looking into it. Thanks!

#4 Guest_White Warrior_*

Guest_White Warrior_*

  • Guests

Posted 18 July 2012 - 08:47 AM

Hi esponda1 and welcome.

I'm afraid I have bad news.

One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

Instructions on how to format and reinstall Windows can be found here

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do. If you decide to go through with the cleanup, please proceed with the following steps.

I need to see the DDS log.

  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control
here

Please download aswMBR ( 511KB ) to your desktop.
  • Double click the aswMBR.exe icon to run it
  • Click the Scan button to start the scan
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.
Please copy/paste all your logs into your topic. Do not attach them.

I need to see:
DDS log
MBRScan log.
How is the computer running now?

White Warrior

#5 esponda1

esponda1
  • Topic Starter

  • Members
  • 30 posts

Posted 18 July 2012 - 11:36 AM

I would definitely like to continue and clean the computer. I can't restore it right now, so this will have to do. Thanks a lot for your help, I'll follow your instructions and post the results as soon as possible.

Just one question, isn't the DDS log one of the files I posted already following the instructions on "Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help"? If I have to run it again it's no problem, just wanted to make sure.

#6 Guest_White Warrior_*

Guest_White Warrior_*

  • Guests

Posted 18 July 2012 - 07:17 PM

Hi

Ah no. You posted the MBAM log and the Emsisoft Emergency Kit log.

White Warrior.

#7 esponda1

esponda1
  • Topic Starter

  • Members
  • 30 posts

Posted 19 July 2012 - 07:46 AM

Hi
I followed your instructions and ran DDS. I'll post the log.
When I scanned with aswMBR, it ran for around 20 mins and got a BSOD. I restarted and tried again. About an hour into the scan it found an infection and stalled. Since I didn't know if it was still running or doing something I allowed it to be, but after waiting for almost 2 hours and seeing no change I decided to just click on Save log. I don't know if the scan had finished, but it didn't show any sign of activity for a long time. I'm posting the log of the run. Please let me know if I should run it again hoping for a better result.

The computer seems to be behaving as before, slow and the mouse stops at random moments and then comes back.

Thanks a lot for your help so far, I really appreciate it.

DDS LOG:

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_31
Run by Mario at 8:39:03 on 2012-07-19
Microsoft Windows XP Home Edition 5.1.2600.3.1252.34.3082.18.3326.2693 [GMT 2:00]
.
AV: AVG Anti-Virus Free *Disabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: Lavasoft Ad-Watch Live! Anti-Virus *Enabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Archivos de programa\Intel\Wireless\Bin\EvtEng.exe
C:\Archivos de programa\Intel\Wireless\Bin\S24EvMon.exe
C:\Archivos de programa\Intel\Wireless\Bin\WLKeeper.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Archivos de programa\Archivos comunes\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\ARCHIV~1\AVG\AVG8\avgwdsvc.exe
C:\Archivos de programa\Bonjour\mDNSResponder.exe
svchost.exe
C:\ARCHIV~1\AVG\AVG8\avgrsx.exe
C:\ARCHIV~1\AVG\AVG8\avgnsx.exe
C:\Archivos de programa\Java\jre6\bin\jqs.exe
C:\Archivos de programa\Archivos comunes\LogiShrd\LVCOMSER\LVComSer.exe
C:\Archivos de programa\Archivos comunes\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Archivos de programa\Dell\QuickSet\NICCONFIGSVC.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Archivos de programa\Intel\Wireless\Bin\RegSrvc.exe
C:\Documents and Settings\All Users\Datos de programa\Skype\Toolbars\Skype C2C Service\c2c_service.exe
C:\WINDOWS\Explorer.EXE
c:\Archivos de programa\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\stacsv.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\ARCHIV~1\AVG\AVG8\avgemc.exe
C:\Archivos de programa\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\Archivos de programa\Archivos comunes\LogiShrd\LVCOMSER\LVComSer.exe
C:\Archivos de programa\TortoiseSVN\bin\TSVNCache.exe
C:\WINDOWS\system32\rundll32.exe
C:\Archivos de programa\Intel\Wireless\bin\ZCfgSvc.exe
C:\Archivos de programa\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\system32\rundll32.exe
C:\Archivos de programa\Dell\QuickSet\quickset.exe
C:\WINDOWS\stsystra.exe
C:\Archivos de programa\Synaptics\SynTP\SynTPEnh.exe
C:\ARCHIV~1\Intel\Wireless\Bin\Dot1XCfg.exe
C:\ARCHIV~1\AVG\AVG8\avgtray.exe
C:\Archivos de programa\Archivos comunes\LogiShrd\LComMgr\Communications_Helper.exe
C:\Archivos de programa\Logitech\QuickCam\Quickcam.exe
C:\Archivos de programa\Archivos comunes\Java\Java Update\jusched.exe
C:\Archivos de programa\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Archivos de programa\Archivos comunes\Ahead\Lib\NMBgMonitor.exe
C:\Archivos de programa\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\Archivos de programa\iPod\bin\iPodService.exe
C:\Archivos de programa\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Archivos de programa\Archivos comunes\Ahead\Lib\NMIndexingService.exe
C:\Archivos de programa\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
C:\Archivos de programa\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
C:\Archivos de programa\Archivos comunes\Logishrd\LQCVFX\COCIManager.exe
C:\Archivos de programa\Archivos comunes\Ahead\Lib\NMIndexStoreSvr.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://search.babylon.com/?affID=112467&babsrc=HP_ss&mntrId=bc916d9c000000000000001302b7aaa7
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uInternet Settings,ProxyServer = http=128.8.126.111:3124
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\archivos de programa\archivos comunes\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: BitComet Helper: {39f7e362-828a-4b5a-bcaf-5b79bfdfea60} - c:\archivos de programa\bitcomet\tools\BitCometBHO_1.5.4.11.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\archivos de programa\avg\avg8\avgssie.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Ad-Aware Security Toolbar: {6c97a91e-4524-4019-86af-2aa2d567bf5c} - c:\archivos de programa\adawaretb\adawareDx.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\archivos de programa\java\jre6\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\archivos de programa\archivos comunes\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Skype Browser Helper: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\archivos de programa\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\archivos de programa\google\googletoolbarnotifier\5.2.4204.1700\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\archivos de programa\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\archivos de programa\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Ad-Aware Security Toolbar: {6c97a91e-4524-4019-86af-2aa2d567bf5c} - c:\archivos de programa\adawaretb\adawareDx.dll
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\archivos de programa\archivos comunes\ahead\lib\NMBgMonitor.exe"
mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
mRun: [IntelZeroConfig] "c:\archivos de programa\intel\wireless\bin\ZCfgSvc.exe"
mRun: [IntelWireless] "c:\archivos de programa\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /installquiet
mRun: [NVHotkey] rundll32.exe nvHotkey.dll,Start
mRun: [Dell QuickSet] c:\archivos de programa\dell\quickset\quickset.exe
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [SynTPEnh] c:\archivos de programa\synaptics\syntp\SynTPEnh.exe
mRun: [AVG8_TRAY] c:\archiv~1\avg\avg8\avgtray.exe
mRun: [LogitechCommunicationsManager] "c:\archivos de programa\archivos comunes\logishrd\lcommgr\Communications_Helper.exe"
mRun: [LogitechQuickCamRibbon] "c:\archivos de programa\logitech\quickcam\Quickcam.exe" /hide
mRun: [NeroFilterCheck] c:\archivos de programa\archivos comunes\ahead\lib\NeroCheck.exe
mRun: [Ad-Aware Browsing Protection] "c:\documents and settings\all users\datos de programa\ad-aware browsing protection\adawarebp.exe"
mRun: [SunJavaUpdateSched] "c:\archivos de programa\archivos comunes\java\java update\jusched.exe"
mRun: [APSDaemon] "c:\archivos de programa\archivos comunes\apple\apple application support\APSDaemon.exe"
mRun: [QuickTime Task] "c:\archivos de programa\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\archivos de programa\itunes\iTunesHelper.exe"
mRun: [Adobe ARM] "c:\archivos de programa\archivos comunes\adobe\arm\1.0\AdobeARM.exe"
mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSConfig.exe /auto
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRunOnce: [adawarebp] reg.exe delete "HKCU\Software\AppDataLow\Software\adawarebp" /f
dRunOnce: [adawarebp_XP] reg.exe delete "HKCU\Software\adawarebp" /f
StartupFolder: c:\docume~1\mario\menini~1\progra~1\inicio\dropbox.lnk - c:\documents and settings\mario\datos de programa\dropbox\bin\Dropbox.exe
StartupFolder: c:\docume~1\alluse~1\menini~1\progra~1\inicio\blueto~1.lnk - c:\archivos de programa\toshiba\bluetooth toshiba stack\TosBtMng.exe
IE: &D&ownload &with BitComet - c:\archivos de programa\bitcomet\BitComet.exe/AddLink.htm
IE: &D&ownload all with BitComet - c:\archivos de programa\bitcomet\BitComet.exe/AddAllLink.htm
IE: E&xportar a Microsoft Excel - c:\archiv~1\micros~2\office11\EXCEL.EXE/3000
IE: {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://c:\archivos de programa\bitcomet\tools\BitCometBHO_1.5.4.11.dll/206
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\archivos de programa\messenger\msmsgs.exe
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\archivos de programa\skype\toolbars\internet explorer\skypeieplugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\archiv~1\micros~2\office11\REFIEBAR.DLL
LSP: mswsock.dll
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1341519620078
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.4.2/jinstall-1_4_2_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\archivos de programa\avg\avg8\avgpp.dll
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\archivos de programa\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\archiv~1\archiv~1\skype\SKYPE4~1.DLL
Notify: avgrsstarter - avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\mario\datos de programa\mozilla\firefox\profiles\06dfd9hs.default\
FF - prefs.js: browser.search.selectedEngine - Google.com (in English)
FF - prefs.js: browser.startup.homepage - www.nfl.com
FF - prefs.js: keyword.URL - hxxp://search.babylon.com/?affID=112467&babsrc=KW_ss&mntrId=bc916d9c000000000000001302b7aaa7&q=
FF - component: c:\documents and settings\mario\datos de programa\mozilla\firefox\profiles\06dfd9hs.default\extensions\{b042753d-f57e-4e8e-a01b-7379a6d4cefb}\components\IBitCometExtension3.dll
FF - plugin: c:\archivos de programa\adobe\reader 10.0\reader\air\nppdf32.dll
FF - plugin: c:\archivos de programa\adobe\reader 9.0\reader\air\nppdf32.dll
FF - plugin: c:\archivos de programa\google\google updater\2.4.2432.1652\npCIDetect14.dll
FF - plugin: c:\archivos de programa\google\update\1.3.21.115\npGoogleUpdate3.dll
FF - plugin: c:\archivos de programa\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\archivos de programa\java\jre6\bin\plugin2\npdeployJava1.dll
FF - plugin: c:\archivos de programa\java\jre6\bin\plugin2\npjp2.dll
FF - plugin: c:\archivos de programa\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\documents and settings\mario\datos de programa\move networks\plugins\npqmp071505000010.dll
FF - plugin: c:\windows\system32\c2mp\npdivx32.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_3_300_262.dll
.
---- FIREFOX POLICIES ----
FF - user.js: extensions.incredibar_i.newTab - false
FF - user.js: extensions.incredibar_i.tlbrSrchUrl - hxxp://mystart.Incredibar.com/?a=6OyI1cj8M5&loc=IB_TB&i=26&search=
FF - user.js: extensions.incredibar_i.id - bc916d9c000000000000001302b7aaa7
FF - user.js: extensions.incredibar_i.instlDay - 15536
FF - user.js: extensions.incredibar_i.vrsn - 1.5.11.14
FF - user.js: extensions.incredibar_i.vrsni - 1.5.11.14
FF - user.js: extensions.incredibar_i.vrsnTs - 1.5.11.1415:39:16
FF - user.js: extensions.incredibar_i.prtnrId - Incredibar
FF - user.js: extensions.incredibar_i.prdct - incredibar
FF - user.js: extensions.incredibar_i.aflt - orgnl
FF - user.js: extensions.incredibar_i.smplGrp - none
FF - user.js: extensions.incredibar_i.tlbrId - base
FF - user.js: extensions.incredibar_i.instlRef -
FF - user.js: extensions.incredibar_i.dfltLng -
FF - user.js: extensions.incredibar_i.excTlbr - false
FF - user.js: extensions.incredibar_i.ms_url_id -
FF - user.js: extensions.incredibar_i.upn2 - 6OyI1cj8M5
FF - user.js: extensions.incredibar_i.upn2n - 92261759761813709
FF - user.js: extensions.incredibar_i.productid - 26
FF - user.js: extensions.incredibar_i.installerproductid - 26
FF - user.js: extensions.incredibar_i.did - 10671
FF - user.js: extensions.incredibar_i.ppd -
.
============= SERVICES / DRIVERS ===============
.
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-1-19 64512]
R1 A2DDA;A2 Direct Disk Access Support Driver;c:\documents and settings\mario\escritorio\nueva carpeta\run\a2ddax86.sys [2012-7-12 17904]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-10-9 335240]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-10-9 27784]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-10-9 108552]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\archiv~1\avg\avg8\avgemc.exe [2008-10-9 908056]
R2 avg8wd;AVG Free8 WatchDog;c:\archiv~1\avg\avg8\avgwdsvc.exe [2008-10-9 297752]
R2 Skype C2C Service;Skype C2C Service;c:\documents and settings\all users\datos de programa\skype\toolbars\skype c2c service\c2c_service.exe [2012-6-19 3048136]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate1c99fda6789c4be;Google Update Service (gupdate1c99fda6789c4be);c:\archivos de programa\google\update\GoogleUpdate.exe [2009-3-8 133104]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\archivos de programa\lavasoft\ad-aware\AAWService.exe [2012-3-20 2152720]
S2 SkypeUpdate;Skype Updater;c:\archivos de programa\skype\updater\Updater.exe [2012-6-7 160944]
S3 gupdatem;Google Update Servicio (gupdatem);c:\archivos de programa\google\update\GoogleUpdate.exe [2009-3-8 133104]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\archivos de programa\lavasoft\ad-aware\kernexplorer.sys [2012-3-20 15232]
S3 MozillaMaintenance;Mozilla Maintenance Service;c:\archivos de programa\mozilla maintenance service\maintenanceservice.exe [2012-4-26 113120]
S3 ueye;IDS uEye Kernel Driver;c:\windows\system32\drivers\ueye_usb.sys --> c:\windows\system32\drivers\uEye_usb.sys [?]
S3 ueye_boot;IDS uEye boot driver;c:\windows\system32\drivers\ueye_boot.sys --> c:\windows\system32\drivers\uEye_boot.sys [?]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== Created Last 30 ================
.
2012-07-15 13:43:49 -------- d-----w- c:\documents and settings\all users\datos de programa\Babylon
2012-07-15 13:43:48 -------- d-----w- c:\documents and settings\mario\datos de programa\Babylon
2012-07-15 13:43:48 -------- d-----w- c:\documents and settings\all users\datos de programa\Premium
2012-07-15 13:43:35 -------- d-----w- c:\documents and settings\all users\datos de programa\DownloadnSave
2012-07-15 13:42:43 -------- d-----w- c:\documents and settings\all users\datos de programa\InstallMate
2012-07-12 07:11:33 65536 ----a-w- c:\documents and settings\all users\datos de programa\pxzrdquw.exe
2012-07-12 07:11:31 -------- d-----w- c:\documents and settings\all users\datos de programa\aavznudfqpiyatm
2012-07-11 15:00:12 -------- d-----w- c:\windows\pss
2012-07-05 19:19:52 -------- d-----w- c:\documents and settings\all users\datos de programa\Freemake
2012-07-05 19:19:29 -------- d-----w- c:\archivos de programa\Freemake
2012-06-24 18:45:18 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-06-19 15:35:14 4967624 ----a-w- c:\archivos de programa\mozilla firefox\extensions\{82af8dca-6de9-405d-bd5e-43525bdad38a}\components\SkypeFfComponent.dll
.
==================== Find3M ====================
.
2012-07-11 15:46:52 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-07-03 11:46:44 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-06-13 13:55:05 1866240 ----a-w- c:\windows\system32\win32k.sys
2012-06-05 15:49:25 1372672 ----a-w- c:\windows\system32\msxml6.dll
2012-06-05 15:49:25 1172480 ----a-w- c:\windows\system32\msxml3.dll
2012-06-04 15:35:26 222448 ----a-w- c:\windows\system32\muweb.dll
2012-06-04 04:32:02 152576 ----a-w- c:\windows\system32\schannel.dll
2012-06-02 13:19:38 219160 ----a-w- c:\windows\system32\wuaucpl.cpl
2012-06-02 13:19:38 15896 ----a-w- c:\windows\system32\wuapi.dll.mui
2012-06-02 13:19:24 24088 ----a-w- c:\windows\system32\wucltui.dll.mui
2012-06-02 13:19:18 18456 ----a-w- c:\windows\system32\wuaueng.dll.mui
2012-06-02 13:19:18 15896 ----a-w- c:\windows\system32\wuaucpl.cpl.mui
2012-06-02 13:18:58 275696 ----a-w- c:\windows\system32\mucltui.dll
2012-06-02 13:18:58 18160 ----a-w- c:\windows\system32\mucltui.dll.mui
2012-05-31 13:21:55 605184 ----a-w- c:\windows\system32\crypt32.dll
2012-05-16 15:08:41 916992 ----a-w- c:\windows\system32\wininet.dll
2012-05-11 14:43:20 43520 ----a-w- c:\windows\system32\licmgr10.dll
2012-05-11 14:43:20 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2012-05-11 11:38:14 385024 ----a-w- c:\windows\system32\html.iec
2012-05-05 03:14:26 2150912 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-05-05 03:14:26 2029056 ----a-w- c:\windows\system32\ntkrnlpa.exe
2012-05-02 13:46:37 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys
.
============= FINISH: 8:40:37.70 ===============


aswMBR LOG:

aswMBR version 0.9.9.1665 Copyright© 2011 AVAST Software
Run date: 2012-07-19 11:07:11
-----------------------------
11:07:11.531 OS Version: Windows 5.1.2600 Service Pack 3
11:07:11.531 Number of processors: 2 586 0xE08
11:07:11.531 ComputerName: LAPTOPMER UserName: Mario
11:07:15.375 Initialize success
11:08:14.578 AVAST engine defs: 12071900
11:08:19.390 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
11:08:19.390 Disk 0 Vendor: TOSHIBA_MK1032GSX AS022D Size: 93958MB BusType: 3
11:08:19.406 Disk 0 MBR read successfully
11:08:19.406 Disk 0 MBR scan
11:08:19.515 Disk 0 Windows XP default MBR code
11:08:19.515 Disk 0 Partition 1 00 DE Dell Utility Dell 8.0 47 MB offset 63
11:08:19.546 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 93903 MB offset 96390
11:08:19.562 Disk 0 scanning sectors +192410505
11:08:19.687 Disk 0 scanning C:\WINDOWS\system32\drivers
11:09:17.859 Service scanning
11:11:05.203 Modules scanning
11:11:28.640 Disk 0 trace - called modules:
11:11:28.656 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys
11:11:28.656 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8a6b1ab8]
11:11:28.656 3 CLASSPNP.SYS[ba108fd7] -> nt!IofCallDriver -> \Device\0000006e[0x8a62ff18]
11:11:28.656 5 ACPI.sys[b9f7e620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x8a6a5940]
11:11:32.437 AVAST engine scan C:\WINDOWS
11:12:10.781 AVAST engine scan C:\WINDOWS\system32
11:34:40.437 AVAST engine scan C:\WINDOWS\system32\drivers
11:35:43.343 AVAST engine scan C:\Documents and Settings\Mario
12:03:33.265 AVAST engine scan C:\Documents and Settings\All Users
12:09:29.890 File: C:\Documents and Settings\All Users\Datos de programa\pxzrdquw.exe **INFECTED** Win32:Kryptik-JGG [Trj]
13:45:04.203 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Mario\Escritorio\MBR.dat"
13:45:04.203 The log file has been saved successfully to "C:\Documents and Settings\Mario\Escritorio\aswMBR.txt"

Edited by esponda1, 19 July 2012 - 07:47 AM.


#8 esponda1 (Topic Starter)

Posted 19 July 2012 - 09:14 AM

Hi again!
Update: I tried to run aswMBR again and got another BSOD. Will try again and will let you know.

#9 esponda1 (Topic Starter)

Posted 19 July 2012 - 11:20 AM

Update (again, sorry)
Ran aswMBR one more time. This time it managed to stay on long enough to find the infection again. After finding it, it stalled as before and showed no sign of activity. I left the computer undisturbed for exactly an hour and then, out of nowhere, it went into a BSOD again.

Sorry I posted all these updates; I just wanted to make sure I tried to run aswMBR as you requested, but it's proving to be problematic.

Thanks a lot for your help!

#10 Guest_White Warrior_* (Guest)

Posted 20 July 2012 - 07:20 AM

Hi esponda1

Don't worry about the aswMBR scan.

I do not recommend having more than one antivirus product installed and running on your computer at a time. The reason is that if both products have their automatic (real-time) protection switched on, those products which do not encrypt the virus strings within them can cause other antivirus products to raise "false alarms". It can also lead to a clash as both products fight for access to files that are opened; again, this is the resident/automatic protection. In general terms, the two programs may conflict and cause:
1) False alarms: the antivirus software tells you that your PC has a virus when it actually doesn't.
2) System performance problems: your system may lock up due to both products attempting to access the same file at the same time.
Therefore please go to Add/Remove Programs in the Control Panel and remove either AVG8 or AdAware.

Note: AVG is very outdated. If you decide to keep it, you will need to update it. AdAware has had some suspicious activities lately (related to phone scams).

Next, ComboFix.exe. Please visit this webpage for download links and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Ensure you have disabled all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

Please include the C:\ComboFix.txt in your next reply for further review.

Download Security Check by screen317 from here.
  • Save it to your desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
I need to see:
ComboFix log
Security Check log
How's the computer running now?

White Warrior

#11 esponda1 (Topic Starter)

Posted 20 July 2012 - 08:52 AM

Hi!
I actually wanted to ask for your advice on an antivirus. Do you have any suggestions on which one to keep, or on another (free) one to get? I'll run those scans and let you know.
Thanks

#12 esponda1 (Topic Starter)

Posted 20 July 2012 - 01:41 PM

I ran ComboFix and Security Check according to the instructions and everything went well. I include the logs as requested.

I decided to stay with AVG, so I uninstalled Ad-Aware and updated to AVG 2012. However, if you have a better suggestion for a free antivirus, or for any security tool I could use to be better protected, I'm open to changes.

Unfortunately, I can't say that the performance of the computer has improved. It still takes a really long time to start up and feels slow in use; it can't run much at a time (Firefox and a movie at the same time is already way too much), and the mouse pointer keeps vanishing and reappearing at will.

I await your next instructions and I appreciate the help a lot.

COMBOFIX LOG:

ComboFix 12-07-20.02 - Mario 20/07/2012 19:20:09.1.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.34.3082.18.3326.2655 [GMT 2:00]
Running from: c:\documents and settings\Mario\Escritorio\ComboFix.exe
.
ADS - system32: deleted 40 bytes in 1 streams.
ADS - WINDOWS: deleted 24 bytes in 1 streams.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Datos de programa\DownloadnSave
c:\documents and settings\All Users\Datos de programa\DownloadnSave\background.html
c:\documents and settings\All Users\Datos de programa\DownloadnSave\bhoclass.dll
c:\documents and settings\All Users\Datos de programa\DownloadnSave\content.js
c:\documents and settings\All Users\Datos de programa\DownloadnSave\fjgbjkgdbbcoddfbobbkhbclkocbbach.crx
c:\documents and settings\All Users\Datos de programa\DownloadnSave\settings.ini
c:\documents and settings\All Users\Datos de programa\gqvkkuwsczudmhe
c:\documents and settings\All Users\Datos de programa\pxzrdquw.exe
c:\documents and settings\All Users\Datos de programa\TEMP
c:\documents and settings\Mario\WINDOWS
c:\windows\EventSystem.log
c:\windows\system32\dllcache\dlimport.exe
c:\windows\system32\html
c:\windows\system32\html\calendar.html
c:\windows\system32\html\calendarbottom.html
c:\windows\system32\html\calendartop.html
c:\windows\system32\html\crystalexportdialog.htm
c:\windows\system32\html\crystalprinthost.html
c:\windows\system32\images
c:\windows\system32\images\toolbar\calendar.gif
c:\windows\system32\images\toolbar\crlogo.gif
c:\windows\system32\images\toolbar\export.gif
c:\windows\system32\images\toolbar\export_over.gif
c:\windows\system32\images\toolbar\exportd.gif
c:\windows\system32\images\toolbar\First.gif
c:\windows\system32\images\toolbar\first_over.gif
c:\windows\system32\images\toolbar\Firstd.gif
c:\windows\system32\images\toolbar\gotopage.gif
c:\windows\system32\images\toolbar\gotopage_over.gif
c:\windows\system32\images\toolbar\gotopaged.gif
c:\windows\system32\images\toolbar\grouptree.gif
c:\windows\system32\images\toolbar\grouptree_over.gif
c:\windows\system32\images\toolbar\grouptreed.gif
c:\windows\system32\images\toolbar\grouptreepressed.gif
c:\windows\system32\images\toolbar\Last.gif
c:\windows\system32\images\toolbar\last_over.gif
c:\windows\system32\images\toolbar\Lastd.gif
c:\windows\system32\images\toolbar\Next.gif
c:\windows\system32\images\toolbar\next_over.gif
c:\windows\system32\images\toolbar\Nextd.gif
c:\windows\system32\images\toolbar\Prev.gif
c:\windows\system32\images\toolbar\prev_over.gif
c:\windows\system32\images\toolbar\Prevd.gif
c:\windows\system32\images\toolbar\print.gif
c:\windows\system32\images\toolbar\print_over.gif
c:\windows\system32\images\toolbar\printd.gif
c:\windows\system32\images\toolbar\Refresh.gif
c:\windows\system32\images\toolbar\refresh_over.gif
c:\windows\system32\images\toolbar\refreshd.gif
c:\windows\system32\images\toolbar\Search.gif
c:\windows\system32\images\toolbar\search_over.gif
c:\windows\system32\images\toolbar\searchd.gif
c:\windows\system32\images\toolbar\up.gif
c:\windows\system32\images\toolbar\up_over.gif
c:\windows\system32\images\toolbar\upd.gif
c:\windows\system32\images\tree\begindots.gif
c:\windows\system32\images\tree\beginminus.gif
c:\windows\system32\images\tree\beginplus.gif
c:\windows\system32\images\tree\blank.gif
c:\windows\system32\images\tree\blankdots.gif
c:\windows\system32\images\tree\dots.gif
c:\windows\system32\images\tree\lastdots.gif
c:\windows\system32\images\tree\lastminus.gif
c:\windows\system32\images\tree\lastplus.gif
c:\windows\system32\images\tree\Magnify.gif
c:\windows\system32\images\tree\minus.gif
c:\windows\system32\images\tree\minusbox.gif
c:\windows\system32\images\tree\plus.gif
c:\windows\system32\images\tree\plusbox.gif
c:\windows\system32\images\tree\singleminus.gif
c:\windows\system32\images\tree\singleplus.gif
c:\windows\TEMP\logishrd\LVPrcInj01.dll
.
.
((((((((((((((((((((((((( Files Created from 2012-06-20 to 2012-07-20 )))))))))))))))))))))))))))))))
.
.
2012-07-20 16:57 . 2012-07-20 16:57 -------- d-----w- c:\documents and settings\Mario\Datos de programa\AVG2012
2012-07-20 16:52 . 2012-07-20 16:52 -------- d-----w- c:\windows\LastGood.Tmp
2012-07-20 16:49 . 2012-07-20 17:04 -------- d-----w- c:\documents and settings\All Users\Datos de programa\AVG2012
2012-07-20 16:49 . 2012-07-20 17:01 -------- d-----w- c:\windows\system32\drivers\AVG
2012-07-20 16:34 . 2012-07-20 16:49 -------- d-----w- C:\$AVG
2012-07-20 16:19 . 2012-07-20 16:19 -------- d--h--w- c:\documents and settings\All Users\Datos de programa\Common Files
2012-07-20 16:19 . 2012-07-20 17:01 -------- d-----w- c:\documents and settings\All Users\Datos de programa\MFAData
2012-07-15 20:04 . 2012-07-15 20:04 -------- d-----w- c:\documents and settings\NetworkService\Datos de programa\Apple Computer
2012-07-15 13:43 . 2012-07-15 13:43 -------- d-----w- c:\documents and settings\All Users\Datos de programa\Babylon
2012-07-15 13:43 . 2012-07-15 13:43 -------- d-----w- c:\documents and settings\Mario\Datos de programa\Babylon
2012-07-15 13:43 . 2012-07-15 13:43 -------- d-----w- c:\documents and settings\All Users\Datos de programa\Premium
2012-07-15 13:42 . 2012-07-15 13:42 -------- d-----w- c:\documents and settings\All Users\Datos de programa\InstallMate
2012-07-15 13:39 . 2012-07-15 13:44 684 ----a-w- C:\user.js
2012-07-12 07:11 . 2012-07-12 07:11 -------- d-----w- c:\documents and settings\All Users\Datos de programa\aavznudfqpiyatm
2012-07-12 04:55 . 2012-07-12 04:55 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2012-07-05 19:19 . 2012-07-05 19:19 -------- d-----w- c:\documents and settings\All Users\Datos de programa\Freemake
2012-07-05 19:19 . 2012-07-05 19:19 -------- d-----w- c:\archivos de programa\Freemake
2012-06-24 18:45 . 2012-07-11 15:46 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-07-11 15:46 . 2011-05-20 08:45 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-07-03 11:46 . 2009-05-22 17:42 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-06-13 13:55 . 2004-08-20 10:00 1866240 ----a-w- c:\windows\system32\win32k.sys
2012-06-05 15:49 . 2008-04-14 02:18 1372672 ----a-w- c:\windows\system32\msxml6.dll
2012-06-05 15:49 . 2004-08-20 10:00 1172480 ----a-w- c:\windows\system32\msxml3.dll
2012-06-04 15:35 . 2009-03-28 01:25 222448 ----a-w- c:\windows\system32\muweb.dll
2012-06-04 04:32 . 2004-08-20 10:00 152576 ----a-w- c:\windows\system32\schannel.dll
2012-06-02 13:19 . 2008-10-09 16:58 329240 ----a-w- c:\windows\system32\wucltui.dll
2012-06-02 13:19 . 2008-10-09 16:58 210968 ----a-w- c:\windows\system32\wuweb.dll
2012-06-02 13:19 . 2008-10-09 16:58 219160 ----a-w- c:\windows\system32\wuaucpl.cpl
2012-06-02 13:19 . 2008-07-19 03:09 15896 ----a-w- c:\windows\system32\wuapi.dll.mui
2012-06-02 13:19 . 2008-10-09 16:58 53784 ----a-w- c:\windows\system32\wuauclt.exe
2012-06-02 13:19 . 2008-10-09 16:58 35864 ----a-w- c:\windows\system32\wups.dll
2012-06-02 13:19 . 2008-07-19 03:10 45080 ----a-w- c:\windows\system32\wups2.dll
2012-06-02 13:19 . 2004-08-20 10:00 97304 ----a-w- c:\windows\system32\cdm.dll
2012-06-02 13:19 . 2008-10-09 16:58 577048 ----a-w- c:\windows\system32\wuapi.dll
2012-06-02 13:19 . 2008-07-19 03:10 24088 ----a-w- c:\windows\system32\wucltui.dll.mui
2012-06-02 13:19 . 2008-10-09 16:58 1933848 ----a-w- c:\windows\system32\wuaueng.dll
2012-06-02 13:19 . 2008-07-19 03:09 15896 ----a-w- c:\windows\system32\wuaucpl.cpl.mui
2012-06-02 13:19 . 2008-07-19 03:08 18456 ----a-w- c:\windows\system32\wuaueng.dll.mui
2012-06-02 13:18 . 2009-03-28 01:25 275696 ----a-w- c:\windows\system32\mucltui.dll
2012-06-02 13:18 . 2009-03-28 01:25 18160 ----a-w- c:\windows\system32\mucltui.dll.mui
2012-05-31 13:21 . 2004-08-20 10:00 605184 ----a-w- c:\windows\system32\crypt32.dll
2012-05-16 15:08 . 2006-03-04 03:35 916992 ----a-w- c:\windows\system32\wininet.dll
2012-05-11 14:43 . 2004-08-20 10:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2012-05-11 14:43 . 2004-08-20 10:00 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2012-05-11 11:38 . 2004-08-20 10:00 385024 ----a-w- c:\windows\system32\html.iec
2012-05-05 03:14 . 2005-03-30 17:36 2150912 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-05-05 03:14 . 2005-03-30 17:36 2029056 ----a-w- c:\windows\system32\ntkrnlpa.exe
2012-05-02 13:46 . 2008-10-09 16:55 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2012-07-18 11:12 . 2011-09-30 13:22 136672 ----a-w- c:\archivos de programa\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\1TortoiseNormal]
@="{C5994560-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994560-53D9-4125-87C9-F193FC689CB2}]
2010-01-18 18:12 86280 ----a-w- c:\archivos de programa\Archivos comunes\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\2TortoiseModified]
@="{C5994561-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994561-53D9-4125-87C9-F193FC689CB2}]
2010-01-18 18:12 86280 ----a-w- c:\archivos de programa\Archivos comunes\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\3TortoiseConflict]
@="{C5994562-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994562-53D9-4125-87C9-F193FC689CB2}]
2010-01-18 18:12 86280 ----a-w- c:\archivos de programa\Archivos comunes\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\4TortoiseLocked]
@="{C5994563-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994563-53D9-4125-87C9-F193FC689CB2}]
2010-01-18 18:12 86280 ----a-w- c:\archivos de programa\Archivos comunes\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\5TortoiseReadOnly]
@="{C5994564-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994564-53D9-4125-87C9-F193FC689CB2}]
2010-01-18 18:12 86280 ----a-w- c:\archivos de programa\Archivos comunes\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\6TortoiseDeleted]
@="{C5994565-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994565-53D9-4125-87C9-F193FC689CB2}]
2010-01-18 18:12 86280 ----a-w- c:\archivos de programa\Archivos comunes\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\7TortoiseAdded]
@="{C5994566-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994566-53D9-4125-87C9-F193FC689CB2}]
2010-01-18 18:12 86280 ----a-w- c:\archivos de programa\Archivos comunes\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\8TortoiseIgnored]
@="{C5994567-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994567-53D9-4125-87C9-F193FC689CB2}]
2010-01-18 18:12 86280 ----a-w- c:\archivos de programa\Archivos comunes\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\9TortoiseUnversioned]
@="{C5994568-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994568-53D9-4125-87C9-F193FC689CB2}]
2010-01-18 18:12 86280 ----a-w- c:\archivos de programa\Archivos comunes\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2010-10-06 23:36 94208 ----a-w- c:\documents and settings\Mario\Datos de programa\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2010-10-06 23:36 94208 ----a-w- c:\documents and settings\Mario\Datos de programa\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2010-10-06 23:36 94208 ----a-w- c:\documents and settings\Mario\Datos de programa\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2010-10-06 23:36 94208 ----a-w- c:\documents and settings\Mario\Datos de programa\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\archivos de programa\Archivos comunes\Ahead\Lib\NMBgMonitor.exe" [2007-03-12 153136]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 110592]
"IntelZeroConfig"="c:\archivos de programa\Intel\Wireless\bin\ZCfgSvc.exe" [2005-12-28 667718]
"IntelWireless"="c:\archivos de programa\Intel\Wireless\Bin\ifrmewrk.exe" [2005-12-28 602182]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-03-22 7557120]
"nwiz"="nwiz.exe" [2006-03-22 1519616]
"NVHotkey"="nvHotkey.dll" [2006-03-22 73728]
"Dell QuickSet"="c:\archivos de programa\Dell\QuickSet\quickset.exe" [2006-04-06 1032192]
"SigmatelSysTrayApp"="stsystra.exe" [2006-03-24 282624]
"SynTPEnh"="c:\archivos de programa\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 761947]
"LogitechCommunicationsManager"="c:\archivos de programa\Archivos comunes\LogiShrd\LComMgr\Communications_Helper.exe" [2008-08-14 565008]
"LogitechQuickCamRibbon"="c:\archivos de programa\Logitech\QuickCam\Quickcam.exe" [2008-08-14 2407184]
"NeroFilterCheck"="c:\archivos de programa\Archivos comunes\Ahead\Lib\NeroCheck.exe" [2007-03-09 153136]
"SunJavaUpdateSched"="c:\archivos de programa\Archivos comunes\Java\Java Update\jusched.exe" [2012-01-18 254696]
"APSDaemon"="c:\archivos de programa\Archivos comunes\Apple\Apple Application Support\APSDaemon.exe" [2012-02-20 59240]
"QuickTime Task"="c:\archivos de programa\QuickTime\QTTask.exe" [2011-10-24 421888]
"iTunesHelper"="c:\archivos de programa\iTunes\iTunesHelper.exe" [2012-03-27 421736]
"Adobe ARM"="c:\archivos de programa\Archivos comunes\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"AVG_TRAY"="c:\archivos de programa\AVG\AVG2012\avgtray.exe" [2012-04-05 2587008]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"adawarebp"="reg.exe delete HKCU\Software\AppDataLow\Software\adawarebp" [X]
"adawarebp_XP"="reg.exe delete HKCU\Software\adawarebp" [X]
.
c:\documents and settings\Mario\Menú Inicio\Programas\Inicio\
Dropbox.lnk - c:\documents and settings\Mario\Datos de programa\Dropbox\bin\Dropbox.exe [2012-5-24 27112840]
.
c:\documents and settings\All Users\Menú Inicio\Programas\Inicio\
Bluetooth Manager.lnk - c:\archivos de programa\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe [2005-11-19 1724416]
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0c:\archiv~1\AVG\AVG2012\avgrsx.exe /sync /restart
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
.
R0 AVGIDSHX;AVGIDSHX;c:\windows\system32\drivers\avgidshx.sys [19/04/2012 04:50 a.m. 24896]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [31/01/2012 04:46 a.m. 31952]
R1 A2DDA;A2 Direct Disk Access Support Driver;c:\documents and settings\Mario\Escritorio\Nueva carpeta\Run\a2ddax86.sys [12/07/2012 10:55 a.m. 17904]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [22/02/2012 05:25 a.m. 235216]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [19/03/2012 05:17 a.m. 301248]
R2 AVGIDSAgent;AVGIDSAgent;c:\archivos de programa\AVG\AVG2012\avgidsagent.exe [04/07/2012 05:25 p.m. 5160568]
R2 avgwd;AVG WatchDog;c:\archivos de programa\AVG\AVG2012\avgwdsvc.exe [14/02/2012 04:53 a.m. 193288]
R2 Skype C2C Service;Skype C2C Service;c:\documents and settings\All Users\Datos de programa\Skype\Toolbars\Skype C2C Service\c2c_service.exe [19/06/2012 05:32 p.m. 3048136]
R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\avgidsdriverx.sys [23/12/2011 01:32 p.m. 139856]
R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\avgidsfilterx.sys [23/12/2011 01:32 p.m. 24144]
R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\avgidsshimx.sys [23/12/2011 01:32 p.m. 17232]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys --> c:\windows\system32\DRIVERS\Lbd.sys [?]
S2 gupdate1c99fda6789c4be;Google Update Service (gupdate1c99fda6789c4be);c:\archivos de programa\Google\Update\GoogleUpdate.exe [08/03/2009 12:41 p.m. 133104]
S2 SkypeUpdate;Skype Updater;c:\archivos de programa\Skype\Updater\Updater.exe [07/06/2012 07:12 p.m. 160944]
S3 gupdatem;Google Update Servicio (gupdatem);c:\archivos de programa\Google\Update\GoogleUpdate.exe [08/03/2009 12:41 p.m. 133104]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;\??\c:\archivos de programa\Lavasoft\Ad-Aware\KernExplorer.sys --> c:\archivos de programa\Lavasoft\Ad-Aware\KernExplorer.sys [?]
S3 MozillaMaintenance;Mozilla Maintenance Service;c:\archivos de programa\Mozilla Maintenance Service\maintenanceservice.exe [26/04/2012 10:16 a.m. 113120]
S3 ueye;IDS uEye Kernel Driver;c:\windows\system32\DRIVERS\uEye_usb.sys --> c:\windows\system32\DRIVERS\uEye_usb.sys [?]
S3 ueye_boot;IDS uEye boot driver;c:\windows\system32\DRIVERS\uEye_boot.sys --> c:\windows\system32\DRIVERS\uEye_boot.sys [?]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [16/11/2009 10:33 a.m. 717296]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - AVGIDSHX
*NewlyCreated* - WS2IFSL
.
Contents of the 'Scheduled Tasks' folder
.
2012-07-17 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\archivos de programa\Apple Software Update\SoftwareUpdate.exe [2009-10-22 15:57]
.
2011-05-01 c:\windows\Tasks\expressburnShakeIcon.job
- c:\archivos de programa\NCH Swift Sound\ExpressBurn\expressburn.exe [2011-04-28 07:37]
.
2012-07-20 c:\windows\Tasks\GlaryInitialize.job
- c:\archivos de programa\Glary Utilities\initialize.exe [2010-10-23 07:43]
.
2012-07-20 c:\windows\Tasks\Google Software Updater.job
- c:\archivos de programa\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-10-23 21:54]
.
2012-07-20 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\archivos de programa\Google\Update\GoogleUpdate.exe [2009-03-08 10:41]
.
2012-07-20 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\archivos de programa\Google\Update\GoogleUpdate.exe [2009-03-08 10:41]
.
2012-07-15 c:\windows\Tasks\SmartDefrag.job
- c:\archivos de programa\IObit\IObit SmartDefrag\IObit SmartDefrag.exe [2010-02-19 14:48]
.
2011-05-01 c:\windows\Tasks\switchShakeIcon.job
- c:\archivos de programa\NCH Swift Sound\Switch\switch.exe [2011-04-28 07:36]
.
2012-07-16 c:\windows\Tasks\wavepadShakeIcon.job
- c:\archivos de programa\NCH Swift Sound\WavePad\wavepad.exe [2011-04-28 07:36]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://search.babylon.com/?affID=112467&babsrc=HP_ss&mntrId=bc916d9c000000000000001302b7aaa7
uInternet Settings,ProxyServer = http=128.8.126.111:3124
uInternet Settings,ProxyOverride = *.local
IE: &D&ownload &with BitComet - c:\archivos de programa\BitComet\BitComet.exe/AddLink.htm
IE: &D&ownload all with BitComet - c:\archivos de programa\BitComet\BitComet.exe/AddAllLink.htm
IE: E&xportar a Microsoft Excel - c:\archiv~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.178.1
FF - ProfilePath - c:\documents and settings\Mario\Datos de programa\Mozilla\Firefox\Profiles\06dfd9hs.default\
FF - prefs.js: browser.search.selectedEngine - Google.com (in English)
FF - prefs.js: browser.startup.homepage - www.nfl.com
FF - prefs.js: keyword.URL - hxxp://search.babylon.com/?affID=112467&babsrc=KW_ss&mntrId=bc916d9c000000000000001302b7aaa7&q=
FF - user.js: extensions.incredibar_i.newTab - false
FF - user.js: extensions.incredibar_i.tlbrSrchUrl - hxxp://mystart.Incredibar.com/?a=6OyI1cj8M5&loc=IB_TB&i=26&search=
FF - user.js: extensions.incredibar_i.id - bc916d9c000000000000001302b7aaa7
FF - user.js: extensions.incredibar_i.instlDay - 15536
FF - user.js: extensions.incredibar_i.vrsn - 1.5.11.14
FF - user.js: extensions.incredibar_i.vrsni - 1.5.11.14
FF - user.js: extensions.incredibar_i.vrsnTs - 1.5.11.1415:39
FF - user.js: extensions.incredibar_i.prtnrId - Incredibar
FF - user.js: extensions.incredibar_i.prdct - incredibar
FF - user.js: extensions.incredibar_i.aflt - orgnl
FF - user.js: extensions.incredibar_i.smplGrp - none
FF - user.js: extensions.incredibar_i.tlbrId - base
FF - user.js: extensions.incredibar_i.instlRef -
FF - user.js: extensions.incredibar_i.dfltLng -
FF - user.js: extensions.incredibar_i.excTlbr - false
FF - user.js: extensions.incredibar_i.ms_url_id -
FF - user.js: extensions.incredibar_i.upn2 - 6OyI1cj8M5
FF - user.js: extensions.incredibar_i.upn2n - 92261759761813709
FF - user.js: extensions.incredibar_i.productid - 26
FF - user.js: extensions.incredibar_i.installerproductid - 26
FF - user.js: extensions.incredibar_i.did - 10671
FF - user.js: extensions.incredibar_i.ppd -
.
- - - - ORPHANS REMOVED - - - -
.
MSConfigStartUp-pxzrdquwvupnusq - c:\documents and settings\All Users\Datos de programa\pxzrdquw.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-07-20 19:48
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\h–€|˙˙˙˙¤•€|ů•9~*]
"A0C0110900063D11C8EF10054038389C"="C?\\WINDOWS\\system32\\FM20ENU.DLL"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(6196)
c:\windows\system32\WININET.dll
c:\archivos de programa\Archivos comunes\TortoiseOverlays\TortoiseOverlays.dll
c:\archivos de programa\TortoiseSVN\bin\TortoiseStub.dll
c:\archivos de programa\TortoiseSVN\bin\TortoiseSVN.dll
c:\archivos de programa\TortoiseSVN\bin\intl3_tsvn.dll
c:\documents and settings\Mario\Datos de programa\Dropbox\bin\DropboxExt.14.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\archiv~1\AVG\AVG2012\avgrsx.exe
c:\archivos de programa\AVG\AVG2012\avgcsrvx.exe
c:\archivos de programa\Archivos comunes\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\archivos de programa\Bonjour\mDNSResponder.exe
c:\archivos de programa\Java\jre6\bin\jqs.exe
c:\archivos de programa\Archivos comunes\LogiShrd\LVCOMSER\LVComSer.exe
c:\archivos de programa\Archivos comunes\LogiShrd\LVMVFM\LVPrcSrv.exe
c:\archivos de programa\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
c:\archivos de programa\AVG\AVG2012\avgnsx.exe
c:\archivos de programa\AVG\AVG2012\avgemcx.exe
c:\archivos de programa\Dell\QuickSet\NICCONFIGSVC.exe
c:\windows\system32\nvsvc32.exe
c:\archivos de programa\Intel\Wireless\Bin\RegSrvc.exe
c:\archivos de programa\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\archivos de programa\TortoiseSVN\bin\TSVNCache.exe
c:\archivos de programa\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\windows\system32\stacsv.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\rundll32.exe
c:\windows\stsystra.exe
c:\windows\system32\wbem\wmiapsrv.exe
c:\archivos de programa\Archivos comunes\LogiShrd\LVCOMSER\LVComSer.exe
c:\archivos de programa\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
c:\archivos de programa\iPod\bin\iPodService.exe
c:\archivos de programa\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
c:\archivos de programa\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
c:\archivos de programa\Archivos comunes\Ahead\Lib\NMIndexingService.exe
c:\archivos de programa\Archivos comunes\Logishrd\LQCVFX\COCIManager.exe
c:\archivos de programa\Archivos comunes\Ahead\Lib\NMIndexStoreSvr.exe
.
**************************************************************************
.
Completion time: 2012-07-20 20:06:18 - machine was rebooted
ComboFix-quarantined-files.txt 2012-07-20 18:05
.
Pre-Run: 538,480,640 bytes libres
Post-Run: 1,465,614,336 bytes libres
.
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
.
- - End Of File - - BF0B82F1D649100CC427D560663B8922


SECURITY CHECK LOG:

Results of screen317's Security Check version 0.99.43
Windows XP Service Pack 3 x86
Internet Explorer 8
``````````````Antivirus/Firewall Check:``````````````
AVG 2012
AVG2012 successfully updated!
`````````Anti-malware/Other Utilities Check:`````````
Malwarebytes Anti-Malware version 1.62.0.1300
Java™ 6 Update 31
Java 2 Runtime Environment, SE v1.4.2_03
Java version out of Date!
Adobe Flash Player 11.3.300.262
Adobe Reader X (10.1.2)
Mozilla Firefox (14.0.1)
````````Process Check: objlist.exe by Laurent````````
AVG avgwdsvc.exe
AVG avgtray.exe
AVG avgrsx.exe
AVG avgnsx.exe
AVG avgemc.exe
`````````````````System Health check`````````````````
Total Fragmentation on Drive C:: 28% Defragment your hard drive soon!
````````````````````End of Log``````````````````````

#13 esponda1

esponda1
  • Topic Starter

  • Members
  • 30 posts
  • OFFLINE
  • Local time:09:24 PM

Posted 20 July 2012 - 01:45 PM

I forgot to mention. I'm sure it's not critical, but you asked about performance in general. Every time I open a new tab on Firefox I get this "Babylon Search" page. I think it must've been one of those options I should've unchecked on an install, but I can't find anything with that name on "Add/Remove Programs" so I'm not sure how to remove it.

Again thanks!

#14 Guest_White Warrior_*

Guest_White Warrior_*

  • Guests
  • OFFLINE

Posted 22 July 2012 - 05:44 PM

Hi esponda1

I'll give you some suggestions on security programs after you are clean.
I'll remove all traces of Babylon.

Now let's do some cleaning up.

To run a ComboFix script

Close any open browsers.

Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

Open notepad and copy/paste the text in the code box below into it:


KILLALL::

ClearJavaCache::

File::
c:\windows\system32\DRIVERS\Lbd.sys

Folder::
c:\archivos de programa\Lavasoft
c:\documents and settings\All Users\Datos de programa\Babylon
c:\documents and settings\Mario\Datos de programa\Babylon
c:\documents and settings\All Users\Datos de programa\aavznudfqpiyatm

Registry::
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"adawarebp"=-
"adawarebp_XP"=-

Driver::
Lavasoft Kernexplorer
Lbd

DDS::
uStart Page = hxxp://search.babylon.com/?affID=112467&babsrc=HP_ss&mntrId=bc916d9c000000000000001302b7aaa7

FF::
FF - ProfilePath - c:\documents and settings\Mario\Datos de programa\Mozilla\Firefox\Profiles\06dfd9hs.default\
FF - prefs.js: browser.search.selectedEngine - 
FF - prefs.js: browser.startup.homepage - 
FF - prefs.js: keyword.URL - 
FF - user.js: extensions.incredibar_i.newTab - false
FF - user.js: extensions.incredibar_i.tlbrSrchUrl - hxxp://mystart.Incredibar.com/?a=6OyI1cj8M5&loc=IB_TB&i=26&search=
FF - user.js: extensions.incredibar_i.id - bc916d9c000000000000001302b7aaa7
FF - user.js: extensions.incredibar_i.instlDay - 15536
FF - user.js: extensions.incredibar_i.vrsn - 1.5.11.14
FF - user.js: extensions.incredibar_i.vrsni - 1.5.11.14
FF - user.js: extensions.incredibar_i.vrsnTs - 1.5.11.1415:39
FF - user.js: extensions.incredibar_i.prtnrId - Incredibar
FF - user.js: extensions.incredibar_i.prdct - incredibar
FF - user.js: extensions.incredibar_i.aflt - orgnl
FF - user.js: extensions.incredibar_i.smplGrp - none
FF - user.js: extensions.incredibar_i.tlbrId - base
FF - user.js: extensions.incredibar_i.instlRef -
FF - user.js: extensions.incredibar_i.dfltLng -
FF - user.js: extensions.incredibar_i.excTlbr - false
FF - user.js: extensions.incredibar_i.ms_url_id -
FF - user.js: extensions.incredibar_i.upn2 - 6OyI1cj8M5
FF - user.js: extensions.incredibar_i.upn2n - 92261759761813709
FF - user.js: extensions.incredibar_i.productid - 26
FF - user.js: extensions.incredibar_i.installerproductid - 26
FF - user.js: extensions.incredibar_i.did - 10671
FF - user.js: extensions.incredibar_i.ppd - 


Save this as CFScript.txt, in the same location as ComboFix.exe

Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

How is the computer running now?

White Warrior
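
As an added example (not ComboFix and not White Warrior's CFScript), a small Python check that parses a Firefox prefs.js / user.js for the Babylon and Incredibar entries the ComboFix log lists under FF:: and writes out a scrubbed copy with those lines dropped. The hijacker domain list, the extensions.incredibar_i. prefix and the sample prefs file are constructed for this example from the values shown in the log.

```python
"""Flag and scrub the Babylon / Incredibar search hijack in a Firefox prefs file.

Added example for this thread; it is not ComboFix and not the helper's CFScript.
The hijacker domain list, the extensions.incredibar_i. prefix and the sample
prefs below are constructed from the entries the ComboFix log shows under FF::.
"""
import re
from typing import Dict, List, Tuple

# Domains the log shows in keyword.URL and in the Incredibar toolbar prefs.
HIJACK_DOMAINS = ("search.babylon.com", "mystart.incredibar.com")

# Preference namespace written by the Incredibar toolbar (extensions.incredibar_i.*).
HIJACK_PREFIXES = ("extensions.incredibar_i.",)

# One prefs.js / user.js line, e.g.
#   user_pref("keyword.URL", "http://search.babylon.com/?q=");
PREF_RE = re.compile(r'^\s*user_pref\("((?:[^"\\]|\\.)+)",\s*(.+?)\);\s*$')

# Constructed sample modelled on the log above; not the user's real file.
SAMPLE_USER_JS = """\
# Mozilla User Preferences
user_pref("browser.startup.homepage", "www.nfl.com");
user_pref("browser.search.selectedEngine", "Wikipedia (en)");
user_pref("keyword.URL", "http://search.babylon.com/?affID=112467&babsrc=KW_ss&q=");
user_pref("extensions.incredibar_i.tlbrSrchUrl", "http://mystart.Incredibar.com/?loc=IB_TB&search=");
user_pref("extensions.incredibar_i.newTab", false);
"""


def parse_prefs(text: str) -> Dict[str, str]:
    """Return {pref_name: value} for every user_pref() line; other lines are skipped."""
    prefs: Dict[str, str] = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if not m:
            continue
        name, value = m.group(1), m.group(2).strip()
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]  # string pref: drop the surrounding quotes
        prefs[name] = value
    return prefs


def find_hijacks(prefs: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (name, value, reason) for each pref that points to a hijacker
    domain or lives in a hijacker-owned namespace, in file order."""
    findings: List[Tuple[str, str, str]] = []
    for name, value in prefs.items():
        low = value.lower()
        domain = next((d for d in HIJACK_DOMAINS if d in low), None)
        if domain is not None:
            findings.append((name, value, f"value points to {domain}"))
        elif name.startswith(HIJACK_PREFIXES):
            findings.append((name, value, "hijacker toolbar preference"))
    return findings


def scrub_prefs(text: str) -> str:
    """Return the prefs file text with every flagged user_pref line removed.

    Dropping the line lets Firefox fall back to its built-in default for that
    preference. Edit prefs.js only while Firefox is closed: a running Firefox
    rewrites the file on exit and would overwrite the change.
    """
    flagged = {name for name, _, _ in find_hijacks(parse_prefs(text))}
    kept = []
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if m and m.group(1) in flagged:
            continue
        kept.append(line)
    return "\n".join(kept) + ("\n" if text.endswith("\n") else "")


if __name__ == "__main__":
    for name, value, reason in find_hijacks(parse_prefs(SAMPLE_USER_JS)):
        print(f"{name} = {value!r}  <- {reason}")
    print("--- scrubbed ---")
    print(scrub_prefs(SAMPLE_USER_JS), end="")
```

To run it against a real profile, read the prefs.js or user.js from the profile folder (the ComboFix log names the profile path after "FF - ProfilePath") and pass its contents to find_hijacks and scrub_prefs.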

#15 esponda1

esponda1
  • Topic Starter

  • Members
  • 30 posts
  • OFFLINE

Posted 23 July 2012 - 03:01 AM

Hello,
I did as you told me and here is the ComboFix.txt

It still takes a long time on start up. And the loading of a video or opening a program takes some time, but now once the program or video is open it can handle more than one at the same time. Babylon Search is still there when I open a new tab on Firefox. And I still lose the mouse cursor, but not as often as before. I notice a big improvement, but I'm not sure I would say it's back to how it was before.

Thanks a lot for the help, I'm very happy that it is looking better every time.

COMBOFIX.TXT

ComboFix 12-07-21.01 - Mario 23/07/2012 8:23.2.2 - x86
Running from: c:\documents and settings\Mario\Escritorio\ComboFix.exe
Command switches used :: c:\documents and settings\Mario\Escritorio\CFScript.txt
AV: AVG Anti-Virus Free Edition 2012 *Disabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
FILE ::
"c:\windows\system32\DRIVERS\Lbd.sys"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Datos de programa\aavznudfqpiyatm
c:\documents and settings\All Users\Datos de programa\aavznudfqpiyatm\btn-green.png
c:\documents and settings\All Users\Datos de programa\aavznudfqpiyatm\corners-btn.png
c:\documents and settings\All Users\Datos de programa\aavznudfqpiyatm\corners1.png
c:\documents and settings\All Users\Datos de programa\aavznudfqpiyatm\corners2.png
c:\documents and settings\All Users\Datos de programa\aavznudfqpiyatm\corners3.png
c:\documents and settings\All Users\Datos de programa\aavznudfqpiyatm\corners4.png
c:\documents and settings\All Users\Datos de programa\aavznudfqpiyatm\de-flag.png
c:\documents and settings\All Users\Datos de programa\aavznudfqpiyatm\de-image.png
c:\documents and settings\All Users\Datos de programa\aavznudfqpiyatm\ie6-7.css
c:\documents and settings\All Users\Datos de programa\aavznudfqpiyatm\jquery.main.js
c:\documents and settings\All Users\Datos de programa\aavznudfqpiyatm\main.html
c:\documents and settings\All Users\Datos de programa\aavznudfqpiyatm\McAfee.png
c:\documents and settings\All Users\Datos de programa\aavznudfqpiyatm\pays-de.png
c:\documents and settings\All Users\Datos de programa\aavznudfqpiyatm\steps-de.png
c:\documents and settings\All Users\Datos de programa\aavznudfqpiyatm\steps-en.png
c:\documents and settings\All Users\Datos de programa\aavznudfqpiyatm\style.css
c:\documents and settings\All Users\Datos de programa\aavznudfqpiyatm\tabs.png
c:\documents and settings\All Users\Datos de programa\Babylon
c:\documents and settings\Mario\Datos de programa\Babylon
c:\documents and settings\Mario\Datos de programa\Babylon\log_file.txt
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_LAVASOFT_KERNEXPLORER
-------\Legacy_LBD
-------\Service_Lavasoft Kernexplorer
-------\Service_Lbd
.
.
((((((((((((((((((((((((( Files Created from 2012-06-23 to 2012-07-23 )))))))))))))))))))))))))))))))
.
.
2012-07-20 16:57 . 2012-07-20 16:57 -------- d-----w- c:\documents and settings\Mario\Datos de programa\AVG2012
2012-07-20 16:49 . 2012-07-23 06:10 -------- d-----w- c:\windows\system32\drivers\AVG
2012-07-20 16:49 . 2012-07-20 17:04 -------- d-----w- c:\documents and settings\All Users\Datos de programa\AVG2012
2012-07-20 16:34 . 2012-07-20 16:49 -------- d-----w- C:\$AVG
2012-07-20 16:19 . 2012-07-20 16:19 -------- d--h--w- c:\documents and settings\All Users\Datos de programa\Common Files
2012-07-20 16:19 . 2012-07-23 06:11 -------- d-----w- c:\documents and settings\All Users\Datos de programa\MFAData
2012-07-15 20:04 . 2012-07-15 20:04 -------- d-----w- c:\documents and settings\NetworkService\Datos de programa\Apple Computer
2012-07-15 13:43 . 2012-07-15 13:43 -------- d-----w- c:\documents and settings\All Users\Datos de programa\Premium
2012-07-15 13:42 . 2012-07-15 13:42 -------- d-----w- c:\documents and settings\All Users\Datos de programa\InstallMate
2012-07-15 13:39 . 2012-07-15 13:44 684 ----a-w- C:\user.js
2012-07-12 04:55 . 2012-07-12 04:55 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2012-07-05 19:19 . 2012-07-05 19:19 -------- d-----w- c:\documents and settings\All Users\Datos de programa\Freemake
2012-07-05 19:19 . 2012-07-05 19:19 -------- d-----w- c:\archivos de programa\Freemake
2012-06-24 18:45 . 2012-07-11 15:46 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-07-11 15:46 . 2011-05-20 08:45 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-07-03 11:46 . 2009-05-22 17:42 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-06-13 13:55 . 2004-08-20 10:00 1866240 ----a-w- c:\windows\system32\win32k.sys
2012-06-05 15:49 . 2008-04-14 02:18 1372672 ----a-w- c:\windows\system32\msxml6.dll
2012-06-05 15:49 . 2004-08-20 10:00 1172480 ----a-w- c:\windows\system32\msxml3.dll
2012-06-04 15:35 . 2009-03-28 01:25 222448 ----a-w- c:\windows\system32\muweb.dll
2012-06-04 04:32 . 2004-08-20 10:00 152576 ----a-w- c:\windows\system32\schannel.dll
2012-06-02 13:19 . 2008-10-09 16:58 329240 ----a-w- c:\windows\system32\wucltui.dll
2012-06-02 13:19 . 2008-10-09 16:58 210968 ----a-w- c:\windows\system32\wuweb.dll
2012-06-02 13:19 . 2008-10-09 16:58 219160 ----a-w- c:\windows\system32\wuaucpl.cpl
2012-06-02 13:19 . 2008-07-19 03:09 15896 ----a-w- c:\windows\system32\wuapi.dll.mui
2012-06-02 13:19 . 2008-10-09 16:58 53784 ----a-w- c:\windows\system32\wuauclt.exe
2012-06-02 13:19 . 2008-10-09 16:58 35864 ----a-w- c:\windows\system32\wups.dll
2012-06-02 13:19 . 2008-07-19 03:10 45080 ----a-w- c:\windows\system32\wups2.dll
2012-06-02 13:19 . 2004-08-20 10:00 97304 ----a-w- c:\windows\system32\cdm.dll
2012-06-02 13:19 . 2008-10-09 16:58 577048 ----a-w- c:\windows\system32\wuapi.dll
2012-06-02 13:19 . 2008-07-19 03:10 24088 ----a-w- c:\windows\system32\wucltui.dll.mui
2012-06-02 13:19 . 2008-10-09 16:58 1933848 ----a-w- c:\windows\system32\wuaueng.dll
2012-06-02 13:19 . 2008-07-19 03:09 15896 ----a-w- c:\windows\system32\wuaucpl.cpl.mui
2012-06-02 13:19 . 2008-07-19 03:08 18456 ----a-w- c:\windows\system32\wuaueng.dll.mui
2012-06-02 13:18 . 2009-03-28 01:25 275696 ----a-w- c:\windows\system32\mucltui.dll
2012-06-02 13:18 . 2009-03-28 01:25 18160 ----a-w- c:\windows\system32\mucltui.dll.mui
2012-05-31 13:21 . 2004-08-20 10:00 605184 ----a-w- c:\windows\system32\crypt32.dll
2012-05-16 15:08 . 2006-03-04 03:35 916992 ----a-w- c:\windows\system32\wininet.dll
2012-05-11 14:43 . 2004-08-20 10:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2012-05-11 14:43 . 2004-08-20 10:00 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2012-05-11 11:38 . 2004-08-20 10:00 385024 ----a-w- c:\windows\system32\html.iec
2012-05-05 03:14 . 2005-03-30 17:36 2150912 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-05-05 03:14 . 2005-03-30 17:36 2029056 ----a-w- c:\windows\system32\ntkrnlpa.exe
2012-05-02 13:46 . 2008-10-09 16:55 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2012-07-18 11:12 . 2011-09-30 13:22 136672 ----a-w- c:\archivos de programa\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2012-07-20_17.44.23 )))))))))))))))))))))))))))))))))))))))))
.
+ 2012-07-23 06:52 . 2012-07-23 06:52 16384 c:\windows\temp\Perflib_Perfdata_5c4.dat
+ 2008-10-09 18:08 . 2012-07-22 09:18 60500 c:\windows\system32\nvModes.dat
+ 2012-07-23 06:52 . 2008-07-26 07:25 109080 c:\windows\temp\logishrd\LVPrcInj01.dll
- 2012-07-20 17:42 . 2012-07-20 17:45 109080 c:\windows\Temp\logishrd\LVPrcInj01.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\1TortoiseNormal]
@="{C5994560-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994560-53D9-4125-87C9-F193FC689CB2}]
2010-01-18 18:12 86280 ----a-w- c:\archivos de programa\Archivos comunes\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\2TortoiseModified]
@="{C5994561-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994561-53D9-4125-87C9-F193FC689CB2}]
2010-01-18 18:12 86280 ----a-w- c:\archivos de programa\Archivos comunes\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\3TortoiseConflict]
@="{C5994562-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994562-53D9-4125-87C9-F193FC689CB2}]
2010-01-18 18:12 86280 ----a-w- c:\archivos de programa\Archivos comunes\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\4TortoiseLocked]
@="{C5994563-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994563-53D9-4125-87C9-F193FC689CB2}]
2010-01-18 18:12 86280 ----a-w- c:\archivos de programa\Archivos comunes\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\5TortoiseReadOnly]
@="{C5994564-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994564-53D9-4125-87C9-F193FC689CB2}]
2010-01-18 18:12 86280 ----a-w- c:\archivos de programa\Archivos comunes\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\6TortoiseDeleted]
@="{C5994565-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994565-53D9-4125-87C9-F193FC689CB2}]
2010-01-18 18:12 86280 ----a-w- c:\archivos de programa\Archivos comunes\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\7TortoiseAdded]
@="{C5994566-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994566-53D9-4125-87C9-F193FC689CB2}]
2010-01-18 18:12 86280 ----a-w- c:\archivos de programa\Archivos comunes\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\8TortoiseIgnored]
@="{C5994567-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994567-53D9-4125-87C9-F193FC689CB2}]
2010-01-18 18:12 86280 ----a-w- c:\archivos de programa\Archivos comunes\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\9TortoiseUnversioned]
@="{C5994568-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994568-53D9-4125-87C9-F193FC689CB2}]
2010-01-18 18:12 86280 ----a-w- c:\archivos de programa\Archivos comunes\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2010-10-06 23:36 94208 ----a-w- c:\documents and settings\Mario\Datos de programa\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2010-10-06 23:36 94208 ----a-w- c:\documents and settings\Mario\Datos de programa\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2010-10-06 23:36 94208 ----a-w- c:\documents and settings\Mario\Datos de programa\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2010-10-06 23:36 94208 ----a-w- c:\documents and settings\Mario\Datos de programa\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\archivos de programa\Archivos comunes\Ahead\Lib\NMBgMonitor.exe" [2007-03-12 153136]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 110592]
"IntelZeroConfig"="c:\archivos de programa\Intel\Wireless\bin\ZCfgSvc.exe" [2005-12-28 667718]
"IntelWireless"="c:\archivos de programa\Intel\Wireless\Bin\ifrmewrk.exe" [2005-12-28 602182]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-03-22 7557120]
"nwiz"="nwiz.exe" [2006-03-22 1519616]
"NVHotkey"="nvHotkey.dll" [2006-03-22 73728]
"Dell QuickSet"="c:\archivos de programa\Dell\QuickSet\quickset.exe" [2006-04-06 1032192]
"SigmatelSysTrayApp"="stsystra.exe" [2006-03-24 282624]
"SynTPEnh"="c:\archivos de programa\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 761947]
"LogitechCommunicationsManager"="c:\archivos de programa\Archivos comunes\LogiShrd\LComMgr\Communications_Helper.exe" [2008-08-14 565008]
"LogitechQuickCamRibbon"="c:\archivos de programa\Logitech\QuickCam\Quickcam.exe" [2008-08-14 2407184]
"NeroFilterCheck"="c:\archivos de programa\Archivos comunes\Ahead\Lib\NeroCheck.exe" [2007-03-09 153136]
"SunJavaUpdateSched"="c:\archivos de programa\Archivos comunes\Java\Java Update\jusched.exe" [2012-01-18 254696]
"APSDaemon"="c:\archivos de programa\Archivos comunes\Apple\Apple Application Support\APSDaemon.exe" [2012-02-20 59240]
"QuickTime Task"="c:\archivos de programa\QuickTime\QTTask.exe" [2011-10-24 421888]
"iTunesHelper"="c:\archivos de programa\iTunes\iTunesHelper.exe" [2012-03-27 421736]
"Adobe ARM"="c:\archivos de programa\Archivos comunes\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"AVG_TRAY"="c:\archivos de programa\AVG\AVG2012\avgtray.exe" [2012-04-05 2587008]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
.
c:\documents and settings\Mario\Menú Inicio\Programas\Inicio\
Dropbox.lnk - c:\documents and settings\Mario\Datos de programa\Dropbox\bin\Dropbox.exe [2012-5-24 27112840]
.
c:\documents and settings\All Users\Menú Inicio\Programas\Inicio\
Bluetooth Manager.lnk - c:\archivos de programa\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe [2005-11-19 1724416]
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0c:\archiv~1\AVG\AVG2012\avgrsx.exe /sync /restart
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Archivos de programa\\BitComet\\BitComet.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"12875:TCP"= 12875:TCP:BitComet 12875 TCP
"12875:UDP"= 12875:UDP:BitComet 12875 UDP
.
R0 AVGIDSHX;AVGIDSHX;c:\windows\system32\drivers\avgidshx.sys [19/04/2012 04:50 a.m. 24896]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [31/01/2012 04:46 a.m. 31952]
R1 A2DDA;A2 Direct Disk Access Support Driver;c:\documents and settings\Mario\Escritorio\Nueva carpeta\Run\a2ddax86.sys [12/07/2012 10:55 a.m. 17904]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [22/02/2012 05:25 a.m. 235216]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [19/03/2012 05:17 a.m. 301248]
R2 AVGIDSAgent;AVGIDSAgent;c:\archivos de programa\AVG\AVG2012\avgidsagent.exe [04/07/2012 05:25 p.m. 5160568]
R2 avgwd;AVG WatchDog;c:\archivos de programa\AVG\AVG2012\avgwdsvc.exe [14/02/2012 04:53 a.m. 193288]
R2 Skype C2C Service;Skype C2C Service;c:\documents and settings\All Users\Datos de programa\Skype\Toolbars\Skype C2C Service\c2c_service.exe [19/06/2012 05:32 p.m. 3048136]
R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\avgidsdriverx.sys [23/12/2011 01:32 p.m. 139856]
R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\avgidsfilterx.sys [23/12/2011 01:32 p.m. 24144]
R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\avgidsshimx.sys [23/12/2011 01:32 p.m. 17232]
S2 gupdate1c99fda6789c4be;Google Update Service (gupdate1c99fda6789c4be);c:\archivos de programa\Google\Update\GoogleUpdate.exe [08/03/2009 12:41 p.m. 133104]
S2 SkypeUpdate;Skype Updater;c:\archivos de programa\Skype\Updater\Updater.exe [07/06/2012 07:12 p.m. 160944]
S3 gupdatem;Google Update Servicio (gupdatem);c:\archivos de programa\Google\Update\GoogleUpdate.exe [08/03/2009 12:41 p.m. 133104]
S3 MozillaMaintenance;Mozilla Maintenance Service;c:\archivos de programa\Mozilla Maintenance Service\maintenanceservice.exe [26/04/2012 10:16 a.m. 113120]
S3 ueye;IDS uEye Kernel Driver;c:\windows\system32\DRIVERS\uEye_usb.sys --> c:\windows\system32\DRIVERS\uEye_usb.sys [?]
S3 ueye_boot;IDS uEye boot driver;c:\windows\system32\DRIVERS\uEye_boot.sys --> c:\windows\system32\DRIVERS\uEye_boot.sys [?]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [16/11/2009 10:33 a.m. 717296]
.
Contents of the 'Scheduled Tasks' folder
.
2012-07-17 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\archivos de programa\Apple Software Update\SoftwareUpdate.exe [2009-10-22 15:57]
.
2011-05-01 c:\windows\Tasks\expressburnShakeIcon.job
- c:\archivos de programa\NCH Swift Sound\ExpressBurn\expressburn.exe [2011-04-28 07:37]
.
2012-07-23 c:\windows\Tasks\GlaryInitialize.job
- c:\archivos de programa\Glary Utilities\initialize.exe [2010-10-23 07:43]
.
2012-07-22 c:\windows\Tasks\Google Software Updater.job
- c:\archivos de programa\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-10-23 21:54]
.
2012-07-23 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\archivos de programa\Google\Update\GoogleUpdate.exe [2009-03-08 10:41]
.
2012-07-23 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\archivos de programa\Google\Update\GoogleUpdate.exe [2009-03-08 10:41]
.
2011-05-01 c:\windows\Tasks\switchShakeIcon.job
- c:\archivos de programa\NCH Swift Sound\Switch\switch.exe [2011-04-28 07:36]
.
2012-07-16 c:\windows\Tasks\wavepadShakeIcon.job
- c:\archivos de programa\NCH Swift Sound\WavePad\wavepad.exe [2011-04-28 07:36]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyServer = http=128.8.126.111:3124
uInternet Settings,ProxyOverride = *.local
IE: &D&ownload &with BitComet - c:\archivos de programa\BitComet\BitComet.exe/AddLink.htm
IE: &D&ownload all with BitComet - c:\archivos de programa\BitComet\BitComet.exe/AddAllLink.htm
IE: E&xportar a Microsoft Excel - c:\archiv~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.178.1
FF - ProfilePath - c:\documents and settings\Mario\Datos de programa\Mozilla\Firefox\Profiles\06dfd9hs.default\
FF - prefs.js: browser.search.selectedEngine - Wikipedia (en)
FF - prefs.js: browser.startup.homepage - www.nfl.com
FF - prefs.js: keyword.URL - hxxp://search.babylon.com/?affID=112467&babsrc=KW_ss&mntrId=bc916d9c000000000000001302b7aaa7&q=
FF - user.js: extensions.incredibar_i.newTab - false
FF - user.js: extensions.incredibar_i.tlbrSrchUrl - hxxp://mystart.Incredibar.com/?a=6OyI1cj8M5&loc=IB_TB&i=26&search=
FF - user.js: extensions.incredibar_i.id - bc916d9c000000000000001302b7aaa7
FF - user.js: extensions.incredibar_i.instlDay - 15536
FF - user.js: extensions.incredibar_i.vrsn - 1.5.11.14
FF - user.js: extensions.incredibar_i.vrsni - 1.5.11.14
FF - user.js: extensions.incredibar_i.vrsnTs - 1.5.11.1415:39
FF - user.js: extensions.incredibar_i.prtnrId - Incredibar
FF - user.js: extensions.incredibar_i.prdct - incredibar
FF - user.js: extensions.incredibar_i.aflt - orgnl
FF - user.js: extensions.incredibar_i.smplGrp - none
FF - user.js: extensions.incredibar_i.tlbrId - base
FF - user.js: extensions.incredibar_i.instlRef -
FF - user.js: extensions.incredibar_i.dfltLng -
FF - user.js: extensions.incredibar_i.excTlbr - false
FF - user.js: extensions.incredibar_i.ms_url_id -
FF - user.js: extensions.incredibar_i.upn2 - 6OyI1cj8M5
FF - user.js: extensions.incredibar_i.upn2n - 92261759761813709
FF - user.js: extensions.incredibar_i.productid - 26
FF - user.js: extensions.incredibar_i.installerproductid - 26
FF - user.js: extensions.incredibar_i.did - 10671
FF - user.js: extensions.incredibar_i.ppd -
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-07-23 08:57
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\h–€|ÿÿÿÿ¤•€|ù•9~*]
"A0C0110900063D11C8EF10054038389C"="C?\\WINDOWS\\system32\\FM20ENU.DLL"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(9024)
c:\windows\system32\WININET.dll
c:\windows\TEMP\logishrd\LVPrcInj01.dll
c:\archivos de programa\Archivos comunes\TortoiseOverlays\TortoiseOverlays.dll
c:\archivos de programa\TortoiseSVN\bin\TortoiseStub.dll
c:\archivos de programa\TortoiseSVN\bin\TortoiseSVN.dll
c:\archivos de programa\TortoiseSVN\bin\intl3_tsvn.dll
c:\documents and settings\Mario\Datos de programa\Dropbox\bin\DropboxExt.14.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\archivos de programa\Intel\Wireless\Bin\EvtEng.exe
c:\archivos de programa\Intel\Wireless\Bin\S24EvMon.exe
c:\archivos de programa\Intel\Wireless\Bin\WLKeeper.exe
c:\archivos de programa\Archivos comunes\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\archivos de programa\Bonjour\mDNSResponder.exe
c:\archivos de programa\Java\jre6\bin\jqs.exe
c:\archivos de programa\Archivos comunes\LogiShrd\LVCOMSER\LVComSer.exe
c:\archivos de programa\Archivos comunes\LogiShrd\LVMVFM\LVPrcSrv.exe
c:\archivos de programa\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
c:\archivos de programa\Dell\QuickSet\NICCONFIGSVC.exe
c:\windows\system32\nvsvc32.exe
c:\archivos de programa\AVG\AVG2012\avgnsx.exe
c:\archivos de programa\AVG\AVG2012\avgemcx.exe
c:\archivos de programa\Intel\Wireless\Bin\RegSrvc.exe
c:\archivos de programa\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\archivos de programa\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\windows\system32\stacsv.exe
c:\archivos de programa\AVG\AVG2012\avgrsx.exe
c:\archivos de programa\AVG\AVG2012\avgcsrvx.exe
c:\windows\system32\wbem\wmiapsrv.exe
c:\archivos de programa\Archivos comunes\LogiShrd\LVCOMSER\LVComSer.exe
c:\archivos de programa\TortoiseSVN\bin\TSVNCache.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\rundll32.exe
c:\windows\stsystra.exe
c:\archivos de programa\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
c:\archivos de programa\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
c:\archivos de programa\Archivos comunes\Ahead\Lib\NMIndexingService.exe
c:\archivos de programa\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
c:\archivos de programa\iPod\bin\iPodService.exe
c:\archivos de programa\Archivos comunes\Ahead\Lib\NMIndexStoreSvr.exe
c:\archiv~1\Intel\Wireless\Bin\Dot1XCfg.exe
c:\archivos de programa\Archivos comunes\Logishrd\LQCVFX\COCIManager.exe
c:\archivos de programa\Archivos comunes\Java\Java Update\jucheck.exe
.
**************************************************************************
.
Completion time: 2012-07-23 09:10:17 - machine was rebooted
ComboFix-quarantined-files.txt 2012-07-23 07:09
ComboFix2.txt 2012-07-20 18:06
.
Pre-Run: 3,058,966,528 bytes libres
Post-Run: 2,913,312,768 bytes libres
.
- - End Of File - - 9B146F7430AA97FD7902F82F86C61403

Edited by esponda1, 23 July 2012 - 03:03 AM.




