
Virtumonde, Smitfraude and bunch more


  • This topic is locked
9 replies to this topic

#1 Vanedil


Posted 28 September 2012 - 01:06 AM

Greetings everyone,

I really need your help. I do not use the computer very much, but yesterday I noticed that when my mother was using it, the browsers would constantly crash after a couple of minutes of running. No toolbars on the computer. I tried doing a system restore, but got an error saying that it was disabled. I was unable to run/install the Kaspersky PURE trial version, because I get an error saying something prevented it and the machine may be infected; I rebooted to Safe Mode, ran the installer, it prompted the same and asked me to download the Kaspersky Virus Removal Tool. I ran it and 22 files were infected; it asked me to reboot to finish the process. I rebooted and it told me that it failed to start because there was a corruption somewhere.


I installed/ran Spybot Search & Destroy and Malwarebytes, and various problems were detected/quarantined. As of right now my Malwarebytes logs have become corrupted, only appearing as squares of some unsupported font. Spybot Search & Destroy supposedly fixed some problems and re-enabled System Restore, but I have scanned with the program multiple times and each time it finds a new problem, and I still am not allowed by the system to install Kaspersky. I wasn't even able to download HijackThis in normal mode; I had to access Safe Mode to download the EXE file.


Please do help me in cleaning this computer. I will add logs from Spybot Search and Destroy, unfortunately, I do not know if the Kaspersky Virus removal tool saves logs, because that program ran for like 10 hours, and was very thorough detecting the threats.... I will also attach a HijackThis file, which I believe is incomplete


Thanks for the help


SYSTEM is running Windows XP


*EDIT: Left Malwarebytes running in Safe Mode and was finally able to post a log that shows 19 infections. It asked me to reboot, I did, and quarantine shows more files registered than there were before.



Edited by Vanedil, 28 September 2012 - 09:54 AM.
Moved from XP to Malware Removal Logs - Hamluis.



#2 etavares

  • Malware Response Team

Posted 29 September 2012 - 06:10 AM

Hello, Vanedil.
My name is etavares and I will be helping you with this log.

Here are some guidelines to ensure we are able to get your machine back under your control.

  • Please do not run any unsupervised scans, fixes, etc. We can work against each other and end up in a worse place.
  • Please subscribe to this topic if you have not already done so. Please check back just in case, as the email system can fail at times.
  • Just because your machine is running better does not mean it is completely cleaned. Please wait for the 'all clear' from me to say when we are done.
  • Please reply within 3 days to be fair to other people asking for help.
  • When in doubt, please stop and ask first. There's no harm in asking questions!

We need to create an OTL report:
  • Please download OTL from this link.
  • (If that link doesn't work, try this alternate link.)
  • Save it to your desktop.
  • Double click on the OTL icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Select "Use Safelist" under "Extra Registry"
  • Under the Custom Scan box paste this in:

    netsvcs
    msconfig
    %SYSTEMDRIVE%\*.*
    %systemroot%\system32\Spool\prtprocs\w32x86\*.dll
    %systemroot%\*. /mp /s
    %systemroot%\system32\*.sys /90
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\system32\drivers\*.sys /lockedfiles
    %systemroot%\system32\*.exe /lockedfiles
    %systemroot%\System32\config\*.sav
    %PROGRAMFILES%\*
    %USERPROFILE%\..|smtmp;true;true;true /FP
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    hklm\software\clients\startmenuinternet|command /rs
    hklm\software\clients\startmenuinternet|command /64 /rs
    CREATERESTOREPOINT


  • Click the Quick Scan button.
  • The scan should take a few minutes.
  • Please copy and paste both logs in your reply. If they are too big to paste in one reply, please split them into separate posts.

etavares


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Unified Network of Instructors and Trusted Eliminators
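The OTL report requested above is a plain-text log, and a log reader triages it by section tag (O2, O20, O30, O33, DRV and so on). As an added example (not OTL's own output logic and not the helper's tooling), the Python script below runs a few such checks over lines copied from the log posted later in this thread; the rules, severities and the expected Winlogon values are assumptions made for the example, and the sample log is constructed.

```python
"""Triage of an OTL (OldTimer's List-It) log: flag load points that reference
missing files or that differ from the stock Windows XP values."""
import re
from dataclasses import dataclass

# Constructed sample input: lines copied from the OTL log posted in this thread
# (raw string, so the backslashes are literal).
SAMPLE_LOG = r"""
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Archivos de programa\Archivos comunes\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (no name) - {1d57eb3b-977f-47c8-95cf-00bf2cd3f86c} - No CLSID value found.
O4 - HKLM..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd File not found
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O30 - LSA: Authentication Packages - (C:\WINDOWS\system32\khfGwWOH) - File not found
O33 - MountPoints2\{b8247490-d6c5-11e1-b4b2-000ae6f9d205}\Shell\AutoRun\command - "" = E:\start.exe
DRV - File not found [Kernel | Boot | Stopped] -- System32\Drivers\sptd.sys -- (sptd)
"""


@dataclass
class Finding:
    severity: str  # "high" or "low"
    item: str      # OTL section tag (O2, O30, ...) or "DRV"
    detail: str    # the path or value that triggered the rule
    reason: str


# Where Winlogon points on a default XP install with %SystemRoot% = C:\WINDOWS
# (the OTL header in this thread reports that SystemRoot). Assumed for the example.
EXPECTED_WINLOGON = {
    "Shell": r"c:\windows\explorer.exe",
    "UserInit": r"c:\windows\system32\userinit.exe",
}

# Heuristic rules assumed for this example (not OTL's own verdicts):
# (tag, regex binding a "detail" group, severity, reason).
RULES = [
    ("O30",
     re.compile(r"^O30 - LSA: Authentication Packages - \((?P<detail>[^)]+)\) - File not found"),
     "high",
     "LSA authentication package points at a missing file; a stock XP box lists only msv1_0"),
    ("O33",
     re.compile(r'^O33 - MountPoints2\\\{[^}]+\}\\Shell\\AutoRun\\command - "" = (?P<detail>.+)$'),
     "high",
     "AutoRun command registered for a mounted volume; it runs when the drive is opened"),
    ("O2",
     re.compile(r"^O2 - BHO: \(no name\) - (?P<detail>\{[0-9A-Fa-f-]+\}) - No CLSID value found"),
     "low",
     "orphaned BHO registration with no backing CLSID; harmless but worth cleaning up"),
    ("O4",
     re.compile(r"^O4 - (?P<detail>.+) File not found$"),
     "low",
     "autostart entry whose target no longer exists"),
    ("DRV",
     re.compile(r"^DRV - File not found \[[^\]]*\] -- (?P<detail>\S.*?) -- \("),
     "low",
     "driver service registered for a file that is not on disk"),
]

WINLOGON_RE = re.compile(
    r"^O20 - HKLM Winlogon: (?P<key>Shell|UserInit) - \([^)]*\) - (?P<path>.+?) \(")


def triage(log_text: str) -> list[Finding]:
    """Apply the Winlogon check and every rule to each line; high severity first."""
    findings: list[Finding] = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = WINLOGON_RE.match(line)
        if m:
            key, path = m.group("key"), m.group("path")
            if path.lower() != EXPECTED_WINLOGON[key]:
                findings.append(Finding("high", "O20", path,
                                        f"Winlogon {key} is not the stock XP value"))
            continue
        for tag, rx, severity, reason in RULES:
            m = rx.match(line)
            if m:
                findings.append(Finding(severity, tag, m.group("detail"), reason))
                break  # first matching rule wins for a line
    findings.sort(key=lambda f: (f.severity != "high", f.item))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:4}] {f.item:4} {f.detail}\n       {f.reason}")
```

Lines that match no rule (the Adobe BHO, the two stock Winlogon entries) produce no finding, which is the point: the script surfaces only the load points a reader would want to look at.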
 


#3 Vanedil

  • Topic Starter


Posted 29 September 2012 - 11:18 PM

Thanks for the assistance, etavares. Pretty sure that with your assistance this computer will be sanitized 100%. Before posting the OTL logs, I wanted to give some updates of my own. Last night Malwarebytes was left running in Safe Mode, again, and quarantined more files. After this, Kaspersky PURE was installed successfully. I ran it, and it quarantined/deleted 16 vulnerabilities (Trojans, backdoors), so I will attach that log as well. Now, here are the requested logs:


OTL logfile created on: 29/09/2012 PM 09:48:09 - Run 1
OTL by OldTimer - Version 3.2.69.0 Folder = C:\Documents and Settings\Omega Infinity\Mis documentos\Downloads
Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.2180)
Locale: 0000440A | Country: El Salvador | Language: ESE | Date Format: dd/MM/yyyy

959.48 Mb Total Physical Memory | 505.96 Mb Available Physical Memory | 52.73% Memory free
1013.14 Mb Paging File | 620.62 Mb Available in Paging File | 61.26% Paging File free
Paging file location(s): C:\pagefile.sys 144 288 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Archivos de programa
Drive C: | 37.27 Gb Total Space | 8.29 Gb Free Space | 22.24% Space Free | Partition Type: NTFS

Computer Name: DESKTOP | User Name: Omega Infinity | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2012/09/29 18:04:31 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Omega Infinity\Mis documentos\Downloads\OTL.exe
PRC - [2012/07/28 15:55:47 | 000,913,888 | ---- | M] (Mozilla Corporation) -- C:\Archivos de programa\Mozilla Firefox\firefox.exe
PRC - [2011/12/24 12:24:36 | 000,202,296 | ---- | M] (Kaspersky Lab ZAO) -- C:\Archivos de programa\Kaspersky Lab\Kaspersky PURE 2.0\avp.exe
PRC - [2009/12/21 17:34:38 | 000,743,992 | ---- | M] (Infowatch) -- C:\Archivos de programa\Archivos comunes\InfoWatch\CryptoStorage\ProtectedObjectsSrv.exe
PRC - [2006/03/08 21:03:56 | 000,262,144 | ---- | M] (Silicon Integrated Systems Corporation) -- C:\WINDOWS\system32\sistray.exe
PRC - [2004/08/19 08:42:48 | 001,034,752 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe


========== Modules (No Company Name) ==========

MOD - [2012/07/28 15:55:42 | 002,003,424 | ---- | M] () -- C:\Archivos de programa\Mozilla Firefox\mozjs.dll
MOD - [2011/12/24 12:22:20 | 007,422,352 | ---- | M] () -- C:\Archivos de programa\Kaspersky Lab\Kaspersky PURE 2.0\qtgui4.dll
MOD - [2011/12/24 12:22:20 | 000,795,024 | ---- | M] () -- C:\Archivos de programa\Kaspersky Lab\Kaspersky PURE 2.0\qtnetwork4.dll
MOD - [2011/12/24 12:22:16 | 001,270,160 | ---- | M] () -- C:\Archivos de programa\Kaspersky Lab\Kaspersky PURE 2.0\qtscript4.dll
MOD - [2011/12/24 12:22:16 | 000,192,912 | ---- | M] () -- C:\Archivos de programa\Kaspersky Lab\Kaspersky PURE 2.0\qtsql4.dll
MOD - [2011/12/24 12:22:14 | 002,453,904 | ---- | M] () -- C:\Archivos de programa\Kaspersky Lab\Kaspersky PURE 2.0\qtdeclarative4.dll
MOD - [2011/12/24 12:22:12 | 002,126,224 | ---- | M] () -- C:\Archivos de programa\Kaspersky Lab\Kaspersky PURE 2.0\qtcore4.dll
MOD - [2011/12/24 12:21:10 | 000,459,152 | ---- | M] () -- C:\Archivos de programa\Kaspersky Lab\Kaspersky PURE 2.0\dblite.dll
MOD - [2011/09/05 19:36:52 | 000,025,088 | ---- | M] () -- C:\Archivos de programa\Kaspersky Lab\Kaspersky PURE 2.0\imageformats\qgif4.dll
MOD - [2011/09/05 19:36:50 | 000,180,224 | ---- | M] () -- C:\Archivos de programa\Kaspersky Lab\Kaspersky PURE 2.0\imageformats\qjpeg4.dll
MOD - [2007/02/21 18:14:21 | 000,012,288 | ---- | M] () -- C:\WINDOWS\system32\LXF3PMRC.DLL
MOD - [2007/02/21 18:11:50 | 000,045,056 | ---- | M] () -- C:\WINDOWS\system32\LXF3PMON.DLL
MOD - [2006/11/07 05:02:18 | 000,036,864 | ---- | M] () -- C:\WINDOWS\system32\lxf3oem.dll


========== Services (SafeList) ==========

SRV - [2012/07/28 15:55:43 | 000,113,120 | ---- | M] (Mozilla Foundation) [On_Demand | Stopped] -- C:\Archivos de programa\Mozilla Maintenance Service\maintenanceservice.exe -- (MozillaMaintenance)
SRV - [2011/12/24 12:24:36 | 000,202,296 | ---- | M] (Kaspersky Lab ZAO) [Auto | Running] -- C:\Archivos de programa\Kaspersky Lab\Kaspersky PURE 2.0\avp.exe -- (AVP)
SRV - [2009/12/21 17:34:38 | 000,743,992 | ---- | M] (Infowatch) [Auto | Running] -- C:\Archivos de programa\Archivos comunes\InfoWatch\CryptoStorage\ProtectedObjectsSrv.exe -- (CSObjectsSrv)
SRV - [2006/10/26 13:49:34 | 000,441,136 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Archivos de programa\Archivos comunes\Microsoft Shared\OFFICE12\ODSERV.EXE -- (odserv)
SRV - [2006/10/26 08:03:08 | 000,145,184 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Archivos de programa\Archivos comunes\Microsoft Shared\Source Engine\OSE.EXE -- (ose)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- -- (WDICA)
DRV - File not found [Kernel | Boot | Stopped] -- System32\Drivers\sptd.sys -- (sptd)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRELI)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDCOMP)
DRV - File not found [Kernel | System | Stopped] -- -- (PCIDump)
DRV - File not found [Kernel | System | Stopped] -- -- (lbrtfdc)
DRV - File not found [Kernel | System | Stopped] -- -- (Changer)
DRV - [2012/09/28 10:05:03 | 000,583,472 | ---- | M] (Kaspersky Lab) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\klif.sys -- (KLIF)
DRV - [2012/08/01 13:13:40 | 000,033,512 | ---- | M] (AnchorFree Inc) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\taphss.sys -- (taphss)
DRV - [2011/10/20 11:48:00 | 000,135,984 | ---- | M] (Kaspersky Lab ZAO) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\kl1.sys -- (KL1)
DRV - [2011/10/20 11:48:00 | 000,013,104 | ---- | M] (Kaspersky Lab ZAO) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\kl2.sys -- (kl2)
DRV - [2011/03/10 18:34:46 | 000,034,608 | ---- | M] (Kaspersky Lab ZAO) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\klim5.sys -- (klim5)
DRV - [2009/12/14 12:44:24 | 000,088,632 | ---- | M] (Infowatch) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\CSCrySec.sys -- (CSCrySec)
DRV - [2009/12/14 12:44:24 | 000,039,352 | ---- | M] (Infowatch) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\CSVirtualDiskDrv.sys -- (CSVirtualDiskDrv)
DRV - [2009/11/02 20:27:24 | 000,019,472 | ---- | M] (Kaspersky Lab) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\klmouflt.sys -- (klmouflt)
DRV - [2008/07/07 02:40:49 | 000,056,108 | ---- | M] (PowerISO Computing, Inc.) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\scdemu.sys -- (SCDEmu)
DRV - [2006/12/17 21:19:42 | 000,032,768 | ---- | M] (SiS Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\sisnic.sys -- (SISNIC)
DRV - [2006/12/17 21:19:36 | 000,002,944 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\msmpu401.sys -- (ms_mpu401)
DRV - [2006/12/17 21:19:28 | 000,010,624 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\gameenum.sys -- (gameenum)
DRV - [2006/12/17 20:19:42 | 000,019,017 | ---- | M] (Realtek Semiconductor Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\RTL8029.sys -- (rtl8029)
DRV - [2006/03/09 14:26:14 | 000,245,248 | ---- | M] (Silicon Integrated Systems Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\sisgrp.sys -- (SiS315)
DRV - [2006/03/08 21:25:30 | 000,012,160 | ---- | M] (Silicon Integrated Systems Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\srvkp.sys -- (SiSkp)
DRV - [2003/07/18 03:58:20 | 000,036,992 | ---- | M] (Silicon Integrated Systems Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\SISAGPX.SYS -- (sisagp)
DRV - [2002/07/04 09:22:16 | 000,131,856 | ---- | M] (PCTEL, INC.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ptserial.sys -- (Ptserial)
DRV - [2002/06/05 03:04:52 | 000,536,715 | ---- | M] (PCtel, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\vpctcom.sys -- (Vpctcom)
DRV - [2002/06/04 22:35:08 | 000,065,343 | ---- | M] (PCtel, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\vvoice.sys -- (Vvoice)
DRV - [2002/06/04 22:27:40 | 000,694,253 | ---- | M] (PCTEL, INC.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\vmodem.sys -- (Vmodem)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm


IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.windowsue.com/
IE - HKU\.DEFAULT\Software\Microsoft\Internet Explorer\SearchURL\g, = http://www.google.com/search?q=%s
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.windowsue.com/
IE - HKU\S-1-5-18\Software\Microsoft\Internet Explorer\SearchURL\g, = http://www.google.com/search?q=%s
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.windowsue.com/
IE - HKU\S-1-5-19\Software\Microsoft\Internet Explorer\SearchURL\g, = http://www.google.com/search?q=%s

IE - HKU\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.windowsue.com/
IE - HKU\S-1-5-20\Software\Microsoft\Internet Explorer\SearchURL\g, = http://www.google.com/search?q=%s

IE - HKU\S-1-5-21-73586283-1677128483-1957994488-1004\Software\Microsoft\Internet Explorer\SearchURL\g, = http://www.google.es/search?q=%s
IE - HKU\S-1-5-21-73586283-1677128483-1957994488-1004\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "http://www.google.com/webhp?hl=en"
FF - user.js - File not found

FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll ()
FF - HKLM\Software\MozillaPlugins\@videolan.org/vlc,version=0.9.2: C:\Archivos de programa\VideoLAN\VLC\npvlc.dll (the VideoLAN Team)
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Documents and Settings\Omega Infinity\Configuración local\Datos de programa\Google\Update\1.3.21.123\npGoogleUpdate3.dll (Google Inc.)
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Documents and Settings\Omega Infinity\Configuración local\Datos de programa\Google\Update\1.3.21.123\npGoogleUpdate3.dll (Google Inc.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\linkfilter@kaspersky.ru: C:\Archivos de programa\Kaspersky Lab\Kaspersky PURE 2.0\FFExt\linkfilter@kaspersky.ru [2012/09/28 10:41:08 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\virtualKeyboard@kaspersky.ru: C:\Archivos de programa\Kaspersky Lab\Kaspersky PURE 2.0\FFExt\virtualKeyboard@kaspersky.ru [2012/09/28 10:41:10 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\KavAntiBanner@Kaspersky.ru: C:\Archivos de programa\Kaspersky Lab\Kaspersky PURE 2.0\FFExt\KavAntiBanner@Kaspersky.ru [2012/09/28 10:41:06 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 14.0.1\extensions\\Components: C:\Archivos de programa\Mozilla Firefox\components [2012/07/28 15:55:50 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 14.0.1\extensions\\Plugins: C:\Archivos de programa\Mozilla Firefox\plugins [2165/03/07 15:31:53 | 000,000,000 | ---D | M]

[2012/04/02 00:13:22 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Omega Infinity\Datos de programa\Mozilla\Extensions
[2012/05/02 01:42:03 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Omega Infinity\Datos de programa\Mozilla\Firefox\Profiles\pzouh5vx.default\extensions
[2012/09/24 18:13:43 | 000,000,000 | ---D | M] (No name found) -- C:\Archivos de programa\Mozilla Firefox\extensions
[2012/07/28 15:55:49 | 000,136,672 | ---- | M] (Mozilla Foundation) -- C:\Archivos de programa\mozilla firefox\components\browsercomps.dll
[2012/06/21 23:59:01 | 000,002,252 | ---- | M] () -- C:\Archivos de programa\mozilla firefox\searchplugins\bing.xml
[2012/06/21 23:59:01 | 000,002,040 | ---- | M] () -- C:\Archivos de programa\mozilla firefox\searchplugins\twitter.xml

========== Chrome ==========

CHR - homepage:
CHR - default_search_provider: Google (Enabled)
CHR - default_search_provider: search_url = {google:baseURL}search?{google:RLZ}{google:acceptedSuggestion}{google:originalQueryForSuggestion}{google:searchFieldtrialParameter}sourceid=chrome&ie={inputEncoding}&q={searchTerms}
CHR - default_search_provider: suggest_url = {google:baseSuggestURL}search?{google:searchFieldtrialParameter}client=chrome&hl={language}&q={searchTerms}
CHR - homepage:
CHR - plugin: Remoting Viewer (Enabled) = internal-remoting-viewer
CHR - plugin: Native Client (Enabled) = C:\Documents and Settings\Omega Infinity\Configuraci\u00F3n local\Datos de programa\Google\Chrome\Application\20.0.1132.57\ppGoogleNaClPluginChrome.dll
CHR - plugin: Chrome PDF Viewer (Enabled) = C:\Documents and Settings\Omega Infinity\Configuraci\u00F3n local\Datos de programa\Google\Chrome\Application\20.0.1132.57\pdf.dll
CHR - plugin: Shockwave Flash (Enabled) = C:\Documents and Settings\Omega Infinity\Configuraci\u00F3n local\Datos de programa\Google\Chrome\Application\20.0.1132.57\gcswf32.dll
CHR - plugin: Shockwave Flash (Enabled) = C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll
CHR - plugin: Adobe Acrobat (Enabled) = C:\Archivos de programa\Adobe\Reader 8.0\Reader\Browser\nppdf32.dll
CHR - plugin: 2007 Microsoft Office system (Enabled) = C:\Archivos de programa\Mozilla Firefox\plugins\NPOFF12.DLL
CHR - plugin: QuickTime Plug-in 7.7.1 (Enabled) = C:\Archivos de programa\Mozilla Firefox\plugins\npqtplugin.dll
CHR - plugin: QuickTime Plug-in 7.7.1 (Enabled) = C:\Archivos de programa\Mozilla Firefox\plugins\npqtplugin2.dll
CHR - plugin: QuickTime Plug-in 7.7.1 (Enabled) = C:\Archivos de programa\Mozilla Firefox\plugins\npqtplugin3.dll
CHR - plugin: QuickTime Plug-in 7.7.1 (Enabled) = C:\Archivos de programa\Mozilla Firefox\plugins\npqtplugin4.dll
CHR - plugin: QuickTime Plug-in 7.7.1 (Enabled) = C:\Archivos de programa\Mozilla Firefox\plugins\npqtplugin5.dll
CHR - plugin: QuickTime Plug-in 7.7.1 (Enabled) = C:\Archivos de programa\Mozilla Firefox\plugins\npqtplugin6.dll
CHR - plugin: QuickTime Plug-in 7.7.1 (Enabled) = C:\Archivos de programa\Mozilla Firefox\plugins\npqtplugin7.dll
CHR - plugin: Unity Player (Enabled) = C:\Archivos de programa\Unity\WebPlayer\loader\npUnity3D32.dll
CHR - plugin: VLC Multimedia Plug-in (Enabled) = C:\Archivos de programa\VideoLAN\VLC\npvlc.dll
CHR - plugin: Google Update (Enabled) = C:\Documents and Settings\Omega Infinity\Configuraci\u00F3n local\Datos de programa\Google\Update\1.3.21.111\npGoogleUpdate3.dll
CHR - Extension: YouTube = C:\Documents and Settings\Omega Infinity\Configuración local\Datos de programa\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.5_0\
CHR - Extension: B\u00FAsqueda de Google = C:\Documents and Settings\Omega Infinity\Configuración local\Datos de programa\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.19_0\
CHR - Extension: Gmail = C:\Documents and Settings\Omega Infinity\Configuración local\Datos de programa\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\7_0\

O1 HOSTS File: ([2001/08/24 10:00:00 | 000,000,792 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Archivos de programa\Archivos comunes\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (no name) - {1d57eb3b-977f-47c8-95cf-00bf2cd3f86c} - No CLSID value found.
O2 - BHO: (no name) - {453E7B50-2BE3-4D76-BB29-DD350A19C28F} - No CLSID value found.
O2 - BHO: (IEVkbdBHO Class) - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Archivos de programa\Kaspersky Lab\Kaspersky PURE 2.0\ievkbd.dll (Kaspersky Lab ZAO)
O2 - BHO: (no name) - {AA1EA7F5-FB21-449E-AA0F-2B439F090EB5} - No CLSID value found.
O2 - BHO: (FilterBHO Class) - {E33CF602-D945-461A-83F0-819F76A199F8} - C:\Archivos de programa\Kaspersky Lab\Kaspersky PURE 2.0\klwtbbho.dll (Kaspersky Lab ZAO)
O4 - HKLM..\Run: [APSDaemon] C:\Archivos de programa\Archivos comunes\Apple\Apple Application Support\APSDaemon.exe (Apple Inc.)
O4 - HKLM..\Run: [AVP] C:\Archivos de programa\Kaspersky Lab\Kaspersky PURE 2.0\avp.exe (Kaspersky Lab ZAO)
O4 - HKLM..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd File not found
O4 - HKLM..\Run: [SiSPower] C:\WINDOWS\System32\SiSPower.dll (Silicon Integrated Systems Corporation)
O4 - HKLM..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe (Silicon Integrated Systems Corp.)
O4 - HKU\S-1-5-21-73586283-1677128483-1957994488-1004..\Run: [SpybotSD TeaTimer] C:\Archivos de programa\Spybot - Search & Destroy\TeaTimer.exe (Safer-Networking Ltd.)
O4 - HKU\S-1-5-19..\RunOnce: [nltide1] C:\WINDOWS\System32\cmd.exe (Microsoft Corporation)
O4 - HKU\S-1-5-20..\RunOnce: [nltide1] C:\WINDOWS\System32\cmd.exe (Microsoft Corporation)
O4 - HKLM..\RunOnceEx: [TITLE] Finalizando La Instalacion File not found
O4 - Startup: C:\Documents and Settings\All Users\Menú Inicio\Programas\Inicio\Utility Tray.lnk = C:\WINDOWS\system32\sistray.exe (Silicon Integrated Systems Corporation)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDesktopCleanupWizard = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableStatusMessages = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: VerboseStatus = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: NoInternetOpenWith = 1
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 255
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSMHelp = 1
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSMConfigurePrograms = 1
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSMMyPictures = 1
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoLowDiskSpaceChecks = 1
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoResolveTrack = 1
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: LinkResolveIgnoreLinkInfo = 1
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoResolveSearch = 1
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 255
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSMHelp = 1
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSMConfigurePrograms = 1
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSMMyPictures = 1
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoLowDiskSpaceChecks = 1
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoResolveTrack = 1
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: LinkResolveIgnoreLinkInfo = 1
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoResolveSearch = 1
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 255
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSMHelp = 1
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSMConfigurePrograms = 1
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSMMyPictures = 1
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoLowDiskSpaceChecks = 1
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoResolveTrack = 1
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: LinkResolveIgnoreLinkInfo = 1
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoResolveSearch = 1
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 255
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSMHelp = 1
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSMConfigurePrograms = 1
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSMMyPictures = 1
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoLowDiskSpaceChecks = 1
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoResolveTrack = 1
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: LinkResolveIgnoreLinkInfo = 1
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoResolveSearch = 1
O7 - HKU\S-1-5-21-73586283-1677128483-1957994488-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 255
O7 - HKU\S-1-5-21-73586283-1677128483-1957994488-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSMHelp = 0
O7 - HKU\S-1-5-21-73586283-1677128483-1957994488-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSMConfigurePrograms = 1
O7 - HKU\S-1-5-21-73586283-1677128483-1957994488-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSMMyPictures = 1
O7 - HKU\S-1-5-21-73586283-1677128483-1957994488-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoLowDiskSpaceChecks = 1
O7 - HKU\S-1-5-21-73586283-1677128483-1957994488-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoResolveTrack = 1
O7 - HKU\S-1-5-21-73586283-1677128483-1957994488-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: LinkResolveIgnoreLinkInfo = 1
O7 - HKU\S-1-5-21-73586283-1677128483-1957994488-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoResolveSearch = 1
O8 - Extra context menu item: Add to Anti-Banner - C:\Archivos de programa\Kaspersky Lab\Kaspersky PURE 2.0\ie_banner_deny.htm ()
O9 - Extra Button: &Virtual Keyboard - {4248FE82-7FCB-46AC-B270-339F08212110} - C:\Archivos de programa\Kaspersky Lab\Kaspersky PURE 2.0\ievkbd.dll (Kaspersky Lab ZAO)
O9 - Extra Button: URLs c&heck - {CCF151D8-D089-449F-A5A4-D9909053F20F} - C:\Archivos de programa\Kaspersky Lab\Kaspersky PURE 2.0\klwtbbho.dll (Kaspersky Lab ZAO)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{712F6FE9-E3F0-48B9-AF7A-20BA2485DC79}: DhcpNameServer = 192.168.1.1
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Archivos de programa\Archivos comunes\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Archivos de programa\Archivos comunes\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Archivos de programa\Archivos comunes\Microsoft Shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Archivos de programa\Archivos comunes\Microsoft Shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O20 - Winlogon\Notify\klogon: DllName - (C:\WINDOWS\system32\klogon.dll) - C:\WINDOWS\system32\klogon.dll (Kaspersky Lab ZAO)
O24 - Desktop Components:0 (Mi página de inicio actual) - About:Home
O24 - Desktop WallPaper: C:\Documents and Settings\Omega Infinity\Configuración local\Datos de programa\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Omega Infinity\Configuración local\Datos de programa\Microsoft\Wallpaper1.bmp
O30 - LSA: Authentication Packages - (C:\WINDOWS\system32\khfGwWOH) - File not found
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/02/25 20:44:02 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\{b8247490-d6c5-11e1-b4b2-000ae6f9d205}\Shell\AutoRun\command - "" = E:\start.exe
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)

NetSvcs: 6to4 - File not found
NetSvcs: Ias - File not found
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: WmdmPmSp - File not found

MsConfig - Services: "TuneUp.ProgramStatisticsSvc"
MsConfig - Services: "TuneUp.Defrag"
MsConfig - Services: "NOD32krn"
MsConfig - Services: "aawservice"
MsConfig - Services: "ose"
MsConfig - Services: "odserv"
MsConfig - StartUpFolder: C:^Documents and Settings^Omega Infinity^Menú Inicio^Programas^Inicio^_uninst_.lnk - C:\WINDOWS\Temp\_uninst_.bat - ()
MsConfig - StartUpReg: FaxCenterServer - hkey= - key= - File not found
MsConfig - StartUpReg: PCTVOICE - hkey= - key= - File not found
MsConfig - State: "system.ini" - 0
MsConfig - State: "win.ini" - 0
MsConfig - State: "bootini" - 0
MsConfig - State: "services" - 2
MsConfig - State: "startup" - 2

CREATERESTOREPOINT
Restore point Set: OTL Restore Point

========== Files/Folders - Created Within 30 Days ==========

[2165/03/07 19:34:06 | 000,000,000 | ---D | C] -- C:\Archivos de programa\eMule
[2012/09/29 15:43:10 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\All Users\Datos de programa\CanonIJEGV
[2012/09/28 10:08:12 | 000,000,000 | -HSD | C] -- C:\Config.Msi
[2012/09/28 10:05:03 | 000,583,472 | ---- | C] (Kaspersky Lab) -- C:\WINDOWS\System32\drivers\klif.sys
[2012/09/28 09:41:56 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Omega Infinity\Menú Inicio\Programas\HiJackThis
[2012/09/28 09:41:56 | 000,000,000 | ---D | C] -- C:\Archivos de programa\HijackThis
[2012/09/28 09:33:53 | 000,000,000 | R--D | C] -- C:\Backup
[2012/09/28 09:31:59 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data
[2012/09/28 09:19:15 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Menú Inicio\Programas\Kaspersky PURE 2.0
[2012/09/28 09:17:07 | 000,039,352 | ---- | C] (Infowatch) -- C:\WINDOWS\System32\drivers\CSVirtualDiskDrv.sys
[2012/09/28 09:17:02 | 000,088,632 | ---- | C] (Infowatch) -- C:\WINDOWS\System32\drivers\CSCrySec.sys
[2012/09/28 09:17:02 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\DRVSTORE
[2012/09/28 09:10:19 | 000,000,000 | ---D | C] -- C:\Archivos de programa\Archivos comunes\InfoWatch
[2012/09/28 09:08:48 | 000,000,000 | ---D | C] -- C:\Archivos de programa\Kaspersky Lab
[2012/09/28 09:08:47 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Datos de programa\Kaspersky Lab
[2012/09/25 22:49:27 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Menú Inicio\Programas\Spybot - Search & Destroy
[2012/09/25 22:49:17 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Datos de programa\Spybot - Search & Destroy
[2012/09/25 22:49:17 | 000,000,000 | ---D | C] -- C:\Archivos de programa\Spybot - Search & Destroy
[2012/09/25 22:46:23 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Omega Infinity\Datos de programa\Malwarebytes
[2012/09/25 09:52:48 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Menú Inicio\Programas\Malwarebytes' Anti-Malware
[2012/09/25 09:52:47 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Datos de programa\Malwarebytes
[2012/09/25 09:52:43 | 000,022,856 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2012/09/25 09:52:43 | 000,000,000 | ---D | C] -- C:\Archivos de programa\Malwarebytes' Anti-Malware
[2012/09/01 01:28:11 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Omega Infinity\Escritorio\Recovered
[2012/09/01 01:25:05 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Menú Inicio\Programas\Recuva
[2012/09/01 01:25:04 | 000,000,000 | ---D | C] -- C:\Archivos de programa\Recuva
[2012/04/02 00:08:51 | 000,763,128 | ---- | C] (Duplex Secure Ltd.) -- C:\Documents and Settings\Omega Infinity\SPTDinst.exe
[5 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2165/03/07 15:31:59 | 000,000,773 | ---- | M] () -- C:\Documents and Settings\All Users\Escritorio\Mozilla Firefox.lnk
[2012/09/29 21:43:14 | 000,001,228 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-73586283-1677128483-1957994488-1004UA.job
[2012/09/29 21:26:55 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2012/09/29 18:44:11 | 000,001,176 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-73586283-1677128483-1957994488-1004Core.job
[2012/09/29 15:37:28 | 000,002,184 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2012/09/28 19:16:16 | 000,000,298 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2012/09/28 10:36:24 | 000,116,189 | ---- | M] () -- C:\WINDOWS\System32\drivers\klin.dat
[2012/09/28 10:36:23 | 000,098,168 | ---- | M] () -- C:\WINDOWS\System32\drivers\klick.dat
[2012/09/28 10:05:03 | 000,583,472 | ---- | M] (Kaspersky Lab) -- C:\WINDOWS\System32\drivers\klif.sys
[2012/09/28 09:41:56 | 000,002,040 | ---- | M] () -- C:\Documents and Settings\Omega Infinity\Escritorio\HiJackThis.lnk
[2012/09/28 09:36:17 | 000,017,408 | ---- | M] () -- C:\Documents and Settings\Omega Infinity\Configuración local\Datos de programa\WebpageIcons.db
[2012/09/28 09:29:03 | 000,003,896 | -HS- | M] () -- C:\WINDOWS\System32\HOWwGfhk.ini
[2012/09/28 09:28:27 | 000,003,896 | -HS- | M] () -- C:\WINDOWS\System32\HOWwGfhk.ini2
[2012/09/28 09:13:55 | 000,000,754 | ---- | M] () -- C:\WINDOWS\WORDPAD.INI
[2012/09/28 09:11:37 | 000,002,405 | ---- | M] () -- C:\Documents and Settings\Omega Infinity\Escritorio\Google Chrome.lnk
[2012/09/27 23:50:13 | 000,000,270 | ---- | M] () -- C:\WINDOWS\Wininit.ini
[2012/09/27 22:16:29 | 000,000,211 | -HS- | M] () -- C:\boot.ini
[2012/09/25 09:52:55 | 000,000,833 | ---- | M] () -- C:\Documents and Settings\All Users\Escritorio\Malwarebytes Anti-Malware.lnk
[2012/09/25 01:39:39 | 000,436,202 | ---- | M] () -- C:\WINDOWS\System32\perfh00A.dat
[2012/09/25 01:39:39 | 000,377,004 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2012/09/25 01:39:39 | 000,069,480 | ---- | M] () -- C:\WINDOWS\System32\perfc00A.dat
[2012/09/25 01:39:39 | 000,053,436 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2012/09/07 17:04:46 | 000,022,856 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2012/09/01 01:25:05 | 000,001,575 | ---- | M] () -- C:\Documents and Settings\All Users\Escritorio\Recuva.lnk
[5 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2165/03/07 15:31:59 | 000,000,779 | ---- | C] () -- C:\Documents and Settings\All Users\Menú Inicio\Programas\Mozilla Firefox.lnk
[2012/09/28 09:41:56 | 000,002,040 | ---- | C] () -- C:\Documents and Settings\Omega Infinity\Escritorio\HiJackThis.lnk
[2012/09/28 09:36:14 | 000,017,408 | ---- | C] () -- C:\Documents and Settings\Omega Infinity\Configuración local\Datos de programa\WebpageIcons.db
[2012/09/28 09:33:51 | 000,116,189 | ---- | C] () -- C:\WINDOWS\System32\drivers\klin.dat
[2012/09/28 09:33:51 | 000,098,168 | ---- | C] () -- C:\WINDOWS\System32\drivers\klick.dat
[2012/09/28 02:09:35 | 000,003,896 | -HS- | C] () -- C:\WINDOWS\System32\HOWwGfhk.ini2
[2012/09/27 01:57:13 | 000,003,896 | -HS- | C] () -- C:\WINDOWS\System32\HOWwGfhk.ini
[2012/09/25 22:46:34 | 000,000,754 | ---- | C] () -- C:\WINDOWS\WORDPAD.INI
[2012/09/25 09:52:55 | 000,000,833 | ---- | C] () -- C:\Documents and Settings\All Users\Escritorio\Malwarebytes Anti-Malware.lnk
[2012/09/01 01:51:56 | 000,001,513 | ---- | C] () -- C:\Documents and Settings\All Users\Menú Inicio\Programas\Inicio\Utility Tray.lnk
[2012/09/01 01:51:56 | 000,000,982 | ---- | C] () -- C:\Documents and Settings\Omega Infinity\Menú Inicio\Programas\Inicio\OneNote 2007 Screen Clipper and Launcher.lnk
[2012/09/01 01:25:05 | 000,001,575 | ---- | C] () -- C:\Documents and Settings\All Users\Escritorio\Recuva.lnk
[2012/05/22 23:06:44 | 000,000,459 | ---- | C] () -- C:\Documents and Settings\All Users\lxdd
[2012/04/17 02:33:37 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2012/04/02 00:09:00 | 000,001,700 | ---- | C] () -- C:\WINDOWS\System32\rqRJDspN.dll
[2012/03/31 22:15:58 | 000,045,056 | ---- | C] () -- C:\WINDOWS\System32\LXF3PMON.DLL
[2012/03/31 22:15:58 | 000,032,768 | ---- | C] () -- C:\WINDOWS\System32\LXF3FXPU.DLL
[2012/03/31 22:15:56 | 000,036,864 | ---- | C] () -- C:\WINDOWS\System32\lxf3oem.dll
[2012/03/31 22:15:56 | 000,012,288 | ---- | C] () -- C:\WINDOWS\System32\LXF3PMRC.DLL
[2012/03/03 16:18:46 | 000,095,496 | ---- | C] () -- C:\WINDOWS\VGAsetup.ini
[2012/03/03 16:18:40 | 000,036,864 | ---- | C] () -- C:\WINDOWS\InstFunc.exe
[2012/03/03 16:18:08 | 000,081,543 | ---- | C] () -- C:\WINDOWS\System32\VGAunistlog.ini
[2012/03/03 16:16:03 | 000,049,152 | ---- | C] () -- C:\WINDOWS\System32\sis740.bin
[2012/03/03 16:16:03 | 000,049,152 | ---- | C] () -- C:\WINDOWS\System32\sis650.bin
[2011/03/11 12:43:54 | 000,029,763 | ---- | C] () -- C:\WINDOWS\System32\drivers\klopp.dat

========== ZeroAccess Check ==========

[2012/03/31 21:44:37 | 000,000,227 | RHS- | M] () -- C:\WINDOWS\assembly\Desktop.ini

[HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]

[HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
"" = %SystemRoot%\system32\shdocvw.dll -- [2006/12/17 20:18:32 | 001,498,112 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]
"" = C:\WINDOWS\system32\wbem\fastprox.dll -- [2004/08/19 08:42:08 | 000,472,064 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]
"" = C:\WINDOWS\system32\wbem\wbemess.dll -- [2004/08/19 08:42:30 | 000,273,920 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Both

========== LOP Check ==========

[2012/03/31 23:51:02 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrador\Datos de programa\Lexmark Productivity Studio
[2009/02/26 18:50:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrador\Datos de programa\TuneUp Software
[2012/03/31 23:52:24 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrador\Datos de programa\Unity
[2012/07/29 19:44:21 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Datos de programa\CanonEPP
[2012/09/29 15:43:10 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Datos de programa\CanonIJEGV
[2012/07/29 19:44:21 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Datos de programa\CanonIJEPPEX2
[2012/07/29 19:38:19 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Datos de programa\CanonIJMSetup
[2012/07/29 19:44:48 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Datos de programa\CanonIJSolutionMenuEX
[2012/07/29 19:37:22 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Datos de programa\CanonIJWSpt
[2009/02/26 18:48:26 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Datos de programa\TuneUp Software
[2009/02/26 18:43:50 | 000,000,000 | -HSD | M] -- C:\Documents and Settings\All Users\Datos de programa\{55A29068-F2CE-456C-9148-C869879E2357}

========== Purity Check ==========



========== Custom Scans ==========

< %SYSTEMDRIVE%\*.* >
[2009/02/26 16:01:12 | 000,000,002 | ---- | M] () -- C:\-669748633
[2009/02/26 16:01:16 | 000,000,000 | ---- | M] () -- C:\arcwvqi.exe
[2009/02/25 20:44:02 | 000,000,000 | ---- | M] () -- C:\AUTOEXEC.BAT
[2012/09/27 22:16:29 | 000,000,211 | -HS- | M] () -- C:\boot.ini
[2001/08/24 10:00:00 | 000,004,952 | RHS- | M] () -- C:\Bootfont.bin
[2009/02/25 20:44:02 | 000,000,000 | ---- | M] () -- C:\CONFIG.SYS
[2009/02/25 20:44:02 | 000,000,000 | RHS- | M] () -- C:\IO.SYS
[2012/04/05 23:54:59 | 000,005,920 | ---- | M] () -- C:\lxdd.log
[2009/02/25 20:44:02 | 000,000,000 | RHS- | M] () -- C:\MSDOS.SYS
[2004/08/03 15:38:34 | 000,047,564 | RHS- | M] () -- C:\NTDETECT.COM
[2004/08/03 15:59:42 | 000,250,640 | RHS- | M] () -- C:\ntldr
[2012/09/29 21:26:51 | 150,994,944 | -HS- | M] () -- C:\pagefile.sys

< %systemroot%\system32\Spool\prtprocs\w32x86\*.dll >
[2010/08/24 22:00:00 | 000,027,648 | ---- | M] (CANON INC.) -- C:\WINDOWS\system32\Spool\prtprocs\w32x86\CNMPDAA.DLL
[2010/08/24 22:00:00 | 000,073,216 | ---- | M] (CANON INC.) -- C:\WINDOWS\system32\Spool\prtprocs\w32x86\CNMPPAA.DLL
[2006/10/26 13:56:12 | 000,033,104 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\Spool\prtprocs\w32x86\msonpppr.dll

< %systemroot%\*. /mp /s >

< %systemroot%\system32\*.sys /90 >
[1 C:\WINDOWS\system32\*.tmp files -> C:\WINDOWS\system32\*.tmp -> ]

< %systemroot%\system32\*.dll /lockedfiles >
[2011/12/24 12:21:48 | 000,229,776 | ---- | M] (Kaspersky Lab ZAO) Unable to obtain MD5 -- C:\WINDOWS\system32\klogon.dll
[1 C:\WINDOWS\system32\*.tmp files -> C:\WINDOWS\system32\*.tmp -> ]

< %systemroot%\Tasks\*.job /lockedfiles >

< %systemroot%\system32\drivers\*.sys /lockedfiles >
[2004/08/23 17:21:12 | 000,821,760 | R--- | M] (C-Media Inc) Unable to obtain MD5 -- C:\WINDOWS\system32\drivers\cmuda.sys
[2006/12/17 21:19:28 | 000,010,624 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\WINDOWS\system32\drivers\gameenum.sys
[2011/10/20 11:48:00 | 000,135,984 | ---- | M] (Kaspersky Lab ZAO) Unable to obtain MD5 -- C:\WINDOWS\system32\drivers\kl1.sys
[2011/10/20 11:48:00 | 000,013,104 | ---- | M] (Kaspersky Lab ZAO) Unable to obtain MD5 -- C:\WINDOWS\system32\drivers\kl2.sys
[2012/09/28 10:05:03 | 000,583,472 | ---- | M] (Kaspersky Lab) Unable to obtain MD5 -- C:\WINDOWS\system32\drivers\klif.sys
[2011/03/10 18:34:46 | 000,034,608 | ---- | M] (Kaspersky Lab ZAO) Unable to obtain MD5 -- C:\WINDOWS\system32\drivers\klim5.sys
[2009/11/02 20:27:24 | 000,019,472 | ---- | M] (Kaspersky Lab) Unable to obtain MD5 -- C:\WINDOWS\system32\drivers\klmouflt.sys
[2006/12/17 21:19:36 | 000,002,944 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\WINDOWS\system32\drivers\msmpu401.sys
[2001/08/24 10:00:00 | 000,017,792 | ---- | M] (Parallel Technologies, Inc.) Unable to obtain MD5 -- C:\WINDOWS\system32\drivers\ptilink.sys
[2002/07/04 09:22:16 | 000,131,856 | ---- | M] (PCTEL, INC.) Unable to obtain MD5 -- C:\WINDOWS\system32\drivers\ptserial.sys

< %systemroot%\system32\*.exe /lockedfiles >
[1 C:\WINDOWS\system32\*.tmp files -> C:\WINDOWS\system32\*.tmp -> ]

< %systemroot%\System32\config\*.sav >
[2009/02/25 21:27:51 | 000,065,536 | ---- | M] () -- C:\WINDOWS\System32\config\default.sav
[2009/02/25 21:27:51 | 000,630,784 | ---- | M] () -- C:\WINDOWS\System32\config\software.sav
[2009/02/25 21:27:51 | 000,401,408 | ---- | M] () -- C:\WINDOWS\System32\config\system.sav

< %PROGRAMFILES%\* >

< %USERPROFILE%\..|smtmp;true;true;true /FP >

< HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU >
"AutoInstallMinorUpdates" = 1

< hklm\software\clients\startmenuinternet|command /rs >
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\InstallInfo\\HideIconsCommand: "C:\Archivos de programa\Mozilla Firefox\uninstall\helper.exe" /HideShortcuts [2012/07/28 15:55:22 | 000,865,776 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\InstallInfo\\ShowIconsCommand: "C:\Archivos de programa\Mozilla Firefox\uninstall\helper.exe" /ShowShortcuts [2012/07/28 15:55:22 | 000,865,776 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\InstallInfo\\ReinstallCommand: "C:\Archivos de programa\Mozilla Firefox\uninstall\helper.exe" /SetAsDefaultAppGlobal [2012/07/28 15:55:22 | 000,865,776 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\shell\open\command\\: C:\Archivos de programa\Mozilla Firefox\firefox.exe [2012/07/28 15:55:47 | 000,913,888 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\shell\properties\command\\: "C:\Archivos de programa\Mozilla Firefox\firefox.exe" -preferences [2012/07/28 15:55:47 | 000,913,888 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\shell\safemode\command\\: "C:\Archivos de programa\Mozilla Firefox\firefox.exe" -safe-mode [2012/07/28 15:55:47 | 000,913,888 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\Google Chrome\InstallInfo\\ShowIconsCommand: "C:\Documents and Settings\Omega Infinity\Configuración local\Datos de programa\Google\Chrome\Application\chrome.exe" --show-icons [2012/09/25 04:43:01 | 001,239,064 | ---- | M] (Google Inc.)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\Google Chrome\InstallInfo\\HideIconsCommand: "C:\Documents and Settings\Omega Infinity\Configuración local\Datos de programa\Google\Chrome\Application\chrome.exe" --hide-icons [2012/09/25 04:43:01 | 001,239,064 | ---- | M] (Google Inc.)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\Google Chrome\InstallInfo\\ReinstallCommand: "C:\Documents and Settings\Omega Infinity\Configuración local\Datos de programa\Google\Chrome\Application\chrome.exe" --make-default-browser [2012/09/25 04:43:01 | 001,239,064 | ---- | M] (Google Inc.)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\Google Chrome\shell\open\command\\: "C:\Documents and Settings\Omega Infinity\Configuración local\Datos de programa\Google\Chrome\Application\chrome.exe" [2012/09/25 04:43:01 | 001,239,064 | ---- | M] (Google Inc.)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\ReinstallCommand: %systemroot%\system32\shmgrate.exe OCInstallReinstallIE [2004/08/19 08:43:10 | 000,042,496 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\HideIconsCommand: %systemroot%\system32\shmgrate.exe OCInstallHideIE [2004/08/19 08:43:10 | 000,042,496 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\ShowIconsCommand: %systemroot%\system32\shmgrate.exe OCInstallShowIE [2004/08/19 08:43:10 | 000,042,496 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\shell\open\command\\: "C:\Archivos de programa\Internet Explorer\iexplore.exe" [2004/08/19 08:42:50 | 000,093,184 | ---- | M] (Microsoft Corporation)

< hklm\software\clients\startmenuinternet|command /64 /rs >
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\InstallInfo\\HideIconsCommand: "C:\Archivos de programa\Mozilla Firefox\uninstall\helper.exe" /HideShortcuts [2012/07/28 15:55:22 | 000,865,776 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\InstallInfo\\ShowIconsCommand: "C:\Archivos de programa\Mozilla Firefox\uninstall\helper.exe" /ShowShortcuts [2012/07/28 15:55:22 | 000,865,776 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\InstallInfo\\ReinstallCommand: "C:\Archivos de programa\Mozilla Firefox\uninstall\helper.exe" /SetAsDefaultAppGlobal [2012/07/28 15:55:22 | 000,865,776 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\shell\open\command\\: C:\Archivos de programa\Mozilla Firefox\firefox.exe [2012/07/28 15:55:47 | 000,913,888 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\shell\properties\command\\: "C:\Archivos de programa\Mozilla Firefox\firefox.exe" -preferences [2012/07/28 15:55:47 | 000,913,888 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\shell\safemode\command\\: "C:\Archivos de programa\Mozilla Firefox\firefox.exe" -safe-mode [2012/07/28 15:55:47 | 000,913,888 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\Google Chrome\InstallInfo\\ShowIconsCommand: "C:\Documents and Settings\Omega Infinity\Configuración local\Datos de programa\Google\Chrome\Application\chrome.exe" --show-icons [2012/09/25 04:43:01 | 001,239,064 | ---- | M] (Google Inc.)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\Google Chrome\InstallInfo\\HideIconsCommand: "C:\Documents and Settings\Omega Infinity\Configuración local\Datos de programa\Google\Chrome\Application\chrome.exe" --hide-icons [2012/09/25 04:43:01 | 001,239,064 | ---- | M] (Google Inc.)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\Google Chrome\InstallInfo\\ReinstallCommand: "C:\Documents and Settings\Omega Infinity\Configuración local\Datos de programa\Google\Chrome\Application\chrome.exe" --make-default-browser [2012/09/25 04:43:01 | 001,239,064 | ---- | M] (Google Inc.)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\Google Chrome\shell\open\command\\: "C:\Documents and Settings\Omega Infinity\Configuración local\Datos de programa\Google\Chrome\Application\chrome.exe" [2012/09/25 04:43:01 | 001,239,064 | ---- | M] (Google Inc.)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\ReinstallCommand: %systemroot%\system32\shmgrate.exe OCInstallReinstallIE [2004/08/19 08:43:10 | 000,042,496 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\HideIconsCommand: %systemroot%\system32\shmgrate.exe OCInstallHideIE [2004/08/19 08:43:10 | 000,042,496 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\ShowIconsCommand: %systemroot%\system32\shmgrate.exe OCInstallShowIE [2004/08/19 08:43:10 | 000,042,496 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\shell\open\command\\: "C:\Archivos de programa\Internet Explorer\iexplore.exe" [2004/08/19 08:42:50 | 000,093,184 | ---- | M] (Microsoft Corporation)

========== Alternate Data Streams ==========

@Alternate Data Stream - 396 bytes -> C:\WINDOWS\Temp\0075480:extended

< End of report >



Here is the EXTRAS REPORT:



OTL Extras logfile created on: 29/09/2012 PM 09:48:09 - Run 1
OTL by OldTimer - Version 3.2.69.0 Folder = C:\Documents and Settings\Omega Infinity\Mis documentos\Downloads
Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.2180)
Locale: 0000440A | Country: El Salvador | Language: ESE | Date Format: dd/MM/yyyy

959.48 Mb Total Physical Memory | 505.96 Mb Available Physical Memory | 52.73% Memory free
1013.14 Mb Paging File | 620.62 Mb Available in Paging File | 61.26% Paging File free
Paging file location(s): C:\pagefile.sys 144 288 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Archivos de programa
Drive C: | 37.27 Gb Total Space | 8.29 Gb Free Space | 22.24% Space Free | Partition Type: NTFS

Computer Name: DESKTOP | User Name: Omega Infinity | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.url [@ = InternetShortcut] -- rundll32.exe shdocvw.dll,OpenURL %l

[HKEY_USERS\S-1-5-21-73586283-1677128483-1957994488-1004\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Archivos de programa\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
InternetShortcut [open] -- rundll32.exe shdocvw.dll,OpenURL %l
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [AddToPlaylistVLC] -- C:\Archivos de programa\VideoLAN\VLC\vlc.exe --started-from-file --playlist-enqueue "%1" ()
Directory [cmd] -- cmd.exe /k cd "%L" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [PlayWithVLC] -- C:\Archivos de programa\VideoLAN\VLC\vlc.exe --started-from-file --no-playlist-enqueue "%1" ()
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring" = 1

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore]
"DisableSR" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 0
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0
"DisableUnicastResponsesToMulticastBroadcast" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0
"DisableUnicastResponsesToMulticastBroadcast" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22002
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\system32\sessmgr.exe" = %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019 -- (Microsoft Corporation)
"%windir%\Network Diagnostic\xpnetdiag.exe" = %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000 -- (Microsoft Corporation)
"C:\Archivos de programa\Lexmark 2500 Series\app4r.exe" = C:\Archivos de programa\Lexmark 2500 Series\app4r.exe:*:Enabled:Printing Application

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\system32\sessmgr.exe" = %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019 -- (Microsoft Corporation)
"%windir%\Network Diagnostic\xpnetdiag.exe" = %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000 -- (Microsoft Corporation)
"C:\Archivos de programa\Microsoft Office\Office12\OUTLOOK.EXE" = C:\Archivos de programa\Microsoft Office\Office12\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook -- (Microsoft Corporation)
"C:\Archivos de programa\Microsoft Office\Office12\GROOVE.EXE" = C:\Archivos de programa\Microsoft Office\Office12\GROOVE.EXE:*:Enabled:Microsoft Office Groove -- (Microsoft Corporation)
"C:\Archivos de programa\Microsoft Office\Office12\ONENOTE.EXE" = C:\Archivos de programa\Microsoft Office\Office12\ONENOTE.EXE:*:Enabled:Microsoft Office OneNote -- (Microsoft Corporation)
"C:\WINDOWS\system32\lxddcoms.exe" = C:\WINDOWS\system32\lxddcoms.exe:*:Enabled:Lexmark Communications System
"C:\Archivos de programa\Archivos comunes\Apple\Apple Application Support\WebKit2WebProcess.exe" = C:\Archivos de programa\Archivos comunes\Apple\Apple Application Support\WebKit2WebProcess.exe:*:Enabled:WebKit -- (Apple Inc.)
"C:\WINDOWS\system32\spool\drivers\w32x86\3\lxddpswx.exe" = C:\WINDOWS\system32\spool\drivers\w32x86\3\lxddpswx.exe:*:Enabled:
"C:\WINDOWS\system32\spool\drivers\w32x86\3\lxddjswx.exe" = C:\WINDOWS\system32\spool\drivers\w32x86\3\lxddjswx.exe:*:Enabled:
"C:\WINDOWS\system32\spool\drivers\w32x86\3\lxddtime.exe" = C:\WINDOWS\system32\spool\drivers\w32x86\3\lxddtime.exe:*:Enabled:
"C:\Archivos de programa\Lexmark 2500 Series\lxddmon.exe" = C:\Archivos de programa\Lexmark 2500 Series\lxddmon.exe:*:Enabled:
"C:\Archivos de programa\eMule\emule.exe" = C:\Archivos de programa\eMule\emule.exe:*:Enabled:eMule


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{2D270A67-B7CD-4281-B2FE-60DF18D19B8E}" = Kaspersky PURE 2.0
"{43BFB9E2-169C-46A9-BB81-141A37FD9750}" = Adobe Shockwave Player
"{45A66726-69BC-466B-A7A4-12FCBA4883D7}" = HiJackThis
"{7131646D-CD3C-40F4-97B9-CD9E4E6262EF}" = Microsoft .NET Framework 2.0
"{789A5B64-9DD9-4BA5-915A-F0FC0A1B7BFE}" = Apple Software Update
"{7BE15435-2D3E-4B58-867F-9C75BED0208C}" = QuickTime
"{90120000-0010-0409-0000-0000000FF1CE}" = Microsoft Software Update for Web Folders (English) 12
"{90120000-0015-0409-0000-0000000FF1CE}" = Microsoft Office Access MUI (English) 2007
"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
"{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007
"{90120000-0019-0409-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (English) 2007
"{90120000-001A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (English) 2007
"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
"{90120000-0030-0000-0000-0000000FF1CE}" = Microsoft Office Enterprise 2007
"{90120000-0044-0409-0000-0000000FF1CE}" = Microsoft Office InfoPath MUI (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
"{90120000-00A1-0409-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (English) 2007
"{90120000-00BA-0409-0000-0000000FF1CE}" = Microsoft Office Groove MUI (English) 2007
"{90120000-0114-0409-0000-0000000FF1CE}" = Microsoft Office Groove Setup Metadata MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
"{90120000-0117-0409-0000-0000000FF1CE}" = Microsoft Office Access Setup Metadata MUI (English) 2007
"{A83279FD-CA4B-4206-9535-90974DE76654}" = Apple Application Support
"{AC76BA86-7AD7-1033-7B44-A81000000003}" = Adobe Reader 8.1.0
"{ACF60000-22B9-4CE9-98D6-2CCF359BAC07}" = ABBYY FineReader 6.0 Sprint
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
"{DC226AC9-0314-496C-BE6A-B6A132628466}" = SiSAGP driver
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"C-Media Audio" = C-Media 3D Audio
"ENTERPRISE" = Microsoft Office Enterprise 2007
"Installing HSP56 MicroModem Drivers" = HSP56 MR Drivers
"InstallWIX_{2D270A67-B7CD-4281-B2FE-60DF18D19B8E}" = Kaspersky PURE 2.0
"Malwarebytes' Anti-Malware_is1" = Malwarebytes Anti-Malware version 1.65.0.1400
"Microsoft .NET Framework 2.0" = Microsoft .NET Framework 2.0
"Mozilla Firefox 14.0.1 (x86 en-US)" = Mozilla Firefox 14.0.1 (x86 en-US)
"MozillaMaintenanceService" = Mozilla Maintenance Service
"PowerISO" = PowerISO
"Recuva" = Recuva
"ShockwaveFlash" = Adobe Flash Player 9 ActiveX
"SiS VGA Driver" = SiS VGA Utilities
"VLC media player" = VLC media player 0.9.2
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"WinRAR archiver" = WinRAR archiver
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0.0 (Pre-Release 5348)

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-73586283-1677128483-1957994488-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Google Chrome" = Google Chrome

========== Last 20 Event Log Errors ==========

[ Application Events ]
Error - 11/05/2033 PM 01:57:20 | Computer Name = DESKTOP | Source = crypt32 | ID = 131083
Description = Failed extract of third-party root list from auto update cab at:
<http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>
with error: A required certificate is not within its validity period when
verifying against the current system clock or the timestamp in the signed file.

Error - 11/05/2033 PM 01:57:20 | Computer Name = DESKTOP | Source = crypt32 | ID = 131083
Description = Failed extract of third-party root list from auto update cab at:
<http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>
with error: A required certificate is not within its validity period when
verifying against the current system clock or the timestamp in the signed file.

Error - 11/05/2033 PM 01:57:20 | Computer Name = DESKTOP | Source = crypt32 | ID = 131083
Description = Failed extract of third-party root list from auto update cab at:
<http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>
with error: A required certificate is not within its validity period when
verifying against the current system clock or the timestamp in the signed file.

Error - 11/05/2033 PM 01:57:20 | Computer Name = DESKTOP | Source = crypt32 | ID = 131083
Description = Failed extract of third-party root list from auto update cab at:
<http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>
with error: A required certificate is not within its validity period when
verifying against the current system clock or the timestamp in the signed file.

Error - 11/05/2033 PM 01:57:20 | Computer Name = DESKTOP | Source = crypt32 | ID = 131083
Description = Failed extract of third-party root list from auto update cab at:
<http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>
with error: A required certificate is not within its validity period when
verifying against the current system clock or the timestamp in the signed file.

Error - 11/05/2033 PM 01:57:20 | Computer Name = DESKTOP | Source = crypt32 | ID = 131083
Description = Failed extract of third-party root list from auto update cab at:
<http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>
with error: A required certificate is not within its validity period when
verifying against the current system clock or the timestamp in the signed file.

Error - 06/04/2012 AM 12:44:20 | Computer Name = DESKTOP | Source = .NET Runtime | ID = 0
Description =

Error - 24/09/2012 PM 07:03:24 | Computer Name = DESKTOP | Source = hshld | ID = 10103
Description =

Error - 27/09/2080 AM 09:50:04 | Computer Name = DESKTOP | Source = crypt32 | ID = 131083
Description = Failed extract of third-party root list from auto update cab at:
<http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>
with error: A required certificate is not within its validity period when
verifying against the current system clock or the timestamp in the signed file.

Error - 27/09/2080 AM 09:50:04 | Computer Name = DESKTOP | Source = crypt32 | ID = 131083
Description = Failed extract of third-party root list from auto update cab at:
<http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>
with error: A required certificate is not within its validity period when
verifying against the current system clock or the timestamp in the signed file.

[ System Events ]
Error - 13/05/2012 PM 10:17:34 | Computer Name = DESKTOP | Source = Service Control Manager | ID = 7022
Description = The Windows Image Acquisition (WIA) service hung on starting.

Error - 13/05/2012 PM 10:17:34 | Computer Name = DESKTOP | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
Beep

Error - 15/05/2012 PM 12:13:15 | Computer Name = DESKTOP | Source = Service Control Manager | ID = 7009
Description = Timeout (30000 milliseconds) waiting for the lxddCATSCustConnectService service to connect.

Error - 15/05/2012 PM 12:13:15 | Computer Name = DESKTOP | Source = Service Control Manager | ID = 7000
Description = The lxddCATSCustConnectService service failed to start due to the
following error: %%1053

Error - 15/05/2012 PM 12:13:37 | Computer Name = DESKTOP | Source = Service Control Manager | ID = 7022
Description = The Windows Image Acquisition (WIA) service hung on starting.

Error - 15/05/2012 PM 12:13:37 | Computer Name = DESKTOP | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
Beep

Error - 16/05/2012 AM 02:17:58 | Computer Name = DESKTOP | Source = Service Control Manager | ID = 7009
Description = Timeout (30000 milliseconds) waiting for the lxddCATSCustConnectService service to connect.

Error - 16/05/2012 AM 02:17:58 | Computer Name = DESKTOP | Source = Service Control Manager | ID = 7000
Description = The lxddCATSCustConnectService service failed to start due to the
following error: %%1053

Error - 16/05/2012 AM 02:18:20 | Computer Name = DESKTOP | Source = Service Control Manager | ID = 7022
Description = The Windows Image Acquisition (WIA) service hung on starting.

Error - 16/05/2012 AM 02:18:20 | Computer Name = DESKTOP | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
Beep


< End of report >


Hope this helps, and again thanks for the help.



***********UPDATE****** Being as suspicious as I am, I ran Spybot Search and Destroy, and found two more vulnerabilities: Network Essentials and Monder. Kaspersky also found the Trojans.

With how the machine has been behaving I am at a loss as to whether previous threats have been entirely dealt with. I understand malware may rewrite Windows registry files to hide themselves, and may have a worm or something that keeps replicating itself...



Edited by Vanedil, 30 September 2012 - 01:51 AM.


#4 etavares (Malware Response Team)

Posted 30 September 2012 - 09:16 AM

Hello, Vanedil.


Next, please download ComboFix from one of these locations:
* IMPORTANT !!! Save ComboFix.exe to your Desktop as etavaresCF.exe
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on etavaresCF.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message (screenshot not included):

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply, along with any symptoms that are present after it runs.

Note: After running Combofix, you may receive an error about "illegal operation on a registry key that has been marked for deletion." If you receive this error, please reboot and it should disappear.

etavares


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Posted Image
Unified Network of Instructors and Trusted Eliminators
 


#5 Vanedil (Topic Starter)

Posted 30 September 2012 - 12:16 PM

Greetings etavares,


As requested, I disabled the system's protection and ran ComboFix. Here is the log:

ComboFix 12-09-30.01 - Omega Infinity 30/09/2012 10:01:57.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.34.3082.18.959.422 [GMT -5:00]
Running from: c:\documents and settings\Omega Infinity\Escritorio\etavaresCF.exe
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Administrador\WINDOWS
c:\windows\setupapi.log
c:\windows\system32\clqxqnkm.ini
c:\windows\Temp\tmp3.tmp
.
.
.
c:\windows\system32\proquota.exe . . . is missing!!
.
c:\windows\system32\drivers\psched.sys . . . is missing!!
.
.
((((((((((((((((((((((((( Files Created from 2012-08-28 to 2012-09-30 )))))))))))))))))))))))))))))))
.
.
2165-03-08 00:36 . 2004-08-19 13:42 25600 ----a-w- c:\documents and settings\LocalService\Datos de programa\Microsoft\UPnP Device Host\upnphost\udhisapi.dll
2165-03-08 00:34 . 2012-09-09 02:44 -------- d-----w- c:\archivos de programa\eMule
2165-03-07 20:31 . 2012-07-28 20:55 16864 ----a-w- c:\archivos de programa\Mozilla Firefox\plugin-container.exe
2012-09-30 15:24 . 2012-09-30 15:24 -------- d-----w- c:\windows\system32\xircom
2012-09-30 15:24 . 2012-09-30 15:24 -------- d-----w- c:\windows\system32\wbem\snmp
2012-09-30 15:24 . 2012-09-30 15:24 -------- d-----w- c:\windows\system32\oobe
2012-09-30 15:24 . 2012-09-30 15:24 -------- d-----w- c:\windows\srchasst
2012-09-30 15:24 . 2012-09-30 15:24 -------- d-----w- c:\windows\msagent
2012-09-30 15:24 . 2012-09-30 15:24 -------- d-----w- c:\archivos de programa\microsoft frontpage
2012-09-29 20:43 . 2012-09-29 20:43 -------- d--h--w- c:\documents and settings\All Users\Datos de programa\CanonIJEGV
2012-09-28 14:42 . 2012-09-28 14:42 388096 ----a-r- c:\documents and settings\Omega Infinity\Datos de programa\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2012-09-28 14:33 . 2012-09-28 14:33 -------- d-----r- C:\Backup
2012-09-28 14:33 . 2012-09-28 15:36 116189 ----a-w- c:\windows\system32\drivers\klin.dat
2012-09-28 14:33 . 2012-09-28 15:36 98168 ----a-w- c:\windows\system32\drivers\klick.dat
2012-09-28 14:17 . 2009-12-14 17:44 39352 ----a-w- c:\windows\system32\drivers\CSVirtualDiskDrv.sys
2012-09-28 14:17 . 2012-09-28 14:17 -------- dc----w- c:\windows\system32\DRVSTORE
2012-09-28 14:17 . 2009-12-14 17:44 88632 ----a-w- c:\windows\system32\drivers\CSCrySec.sys
2012-09-28 14:10 . 2012-09-28 14:10 -------- d-----w- c:\archivos de programa\Archivos comunes\InfoWatch
2012-09-28 14:08 . 2012-09-28 14:08 -------- d-----w- c:\archivos de programa\Kaspersky Lab
2012-09-28 14:08 . 2012-09-30 16:03 -------- d-----w- c:\documents and settings\All Users\Datos de programa\Kaspersky Lab
2012-09-26 03:49 . 2012-09-26 04:30 -------- d-----w- c:\documents and settings\All Users\Datos de programa\Spybot - Search & Destroy
2012-09-26 03:49 . 2012-09-26 04:20 -------- d-----w- c:\archivos de programa\Spybot - Search & Destroy
2012-09-26 03:46 . 2012-09-26 03:46 -------- d-----w- c:\documents and settings\Omega Infinity\Datos de programa\Malwarebytes
2012-09-25 14:54 . 2012-09-25 14:54 -------- d-----w- c:\documents and settings\Mama\Datos de programa\Malwarebytes
2012-09-25 14:52 . 2012-09-25 14:52 -------- d-----w- c:\documents and settings\All Users\Datos de programa\Malwarebytes
2012-09-25 14:52 . 2012-09-25 14:53 -------- d-----w- c:\archivos de programa\Malwarebytes' Anti-Malware
2012-09-25 14:52 . 2012-09-07 22:04 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-09-01 06:25 . 2012-09-01 06:25 -------- d-----w- c:\archivos de programa\Recuva
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-08-26 22:46 . 2009-02-26 02:22 90112 ----a-w- c:\windows\DUMP937a.tmp
2012-08-26 22:35 . 2009-02-26 02:22 90112 ----a-w- c:\windows\DUMP9302.tmp
2012-08-26 22:29 . 2009-02-26 02:22 90112 ----a-w- c:\windows\DUMPa9bc.tmp
2012-08-01 18:13 . 2012-08-01 18:13 33512 ----a-w- c:\windows\system32\drivers\taphss.sys
2012-07-30 00:17 . 2009-02-26 02:22 90112 ----a-w- c:\windows\DUMP84ce.tmp
2012-07-28 20:55 . 2012-06-22 04:59 136672 ----a-w- c:\archivos de programa\mozilla firefox\components\browsercomps.dll
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
.
[-] 2006-12-18 . 64A75EA132E38494525FDB545B75EF81 . 360576 . . [5.1.2600.2892] . . c:\windows\system32\drivers\tcpip.sys
.
[-] 2006-12-18 . 157B6FCB58270E3DF3ED67D316DCECE0 . 197632 . . [5.1.2600.2743] . . c:\windows\system32\netman.dll
.
[-] 2006-12-18 . 78793AAE30E77A07D6C5A378D163B909 . 398336 . . [5.1.2600.2726] . . c:\windows\system32\rpcss.dll
.
[-] 2006-12-18 . AD3D9D191AEA7B5445FE1D82FFBB4788 . 57856 . . [5.1.2600.2696] . . c:\windows\system32\spoolsv.exe
.
[-] 2006-12-18 . 3E555C1ABB1F5DF1649B83B1878AC123 . 617472 . . [5.82] . . c:\windows\system32\comctl32.dll
[-] 2006-08-25 . 27CDCD592CCCBC1A5A62A0DE169B5BBB . 1054208 . . [6.0] . . c:\windows\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03\comctl32.dll
[7] 2001-08-24 . AEF3D788DBF40C7C4D204EA45EB0C505 . 921088 . . [6.0] . . c:\windows\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a\comctl32.dll
.
[-] 2006-12-18 01:17 . 0D0F85237E32538F58278D673032676A . 243200 . . [2001.12.4414.308] . . c:\windows\system32\es.dll
.
[-] 2006-12-18 . B480AE5113575BD20685D977F7BCFE43 . 1038848 . . [5.1.2600.2991] . . c:\windows\system32\kernel32.dll
.
[-] 2006-12-18 . C4E7CEFD3802415865E631BE3AB6AC3B . 19968 . . [5.1.2600.2751] . . c:\windows\system32\linkinfo.dll
.
[-] 2006-12-18 . 8156156CC9BA600FFA641601DDAF1C6B . 3082240 . . [6.00.2900.3020] . . c:\windows\system32\mshtml.dll
.
[-] 2006-12-18 . 861E25215BA370D4CA9337C2BC0E647F . 249344 . . [5.1.2600.2716] . . c:\windows\system32\tapisrv.dll
.
[-] 2006-12-18 . 37CE819E8ECB3517B9981A886876EF72 . 578048 . . [5.1.2600.2622] . . c:\windows\system32\user32.dll
.
[-] 2006-12-18 . D95D80CC43C29673CCC44D3B387473DA . 667136 . . [6.00.2900.3020] . . c:\windows\system32\wininet.dll
.
[-] 2006-12-18 . 1CCD86AF8968519AE6BF9729FC566F1A . 1285632 . . [5.1.2600.2726] . . c:\windows\system32\ole32.dll
.
.
.
[-] 2006-12-18 02:19 . 1EE7B434BA961EF845DE136224C30FEC . 142464 . . [5.1.2601.2180] . . c:\windows\system32\drivers\aec.sys
.
[-] 2006-12-18 . 437C13AA25F9A30D8A43C318973593FD . 2059776 . . [5.1.2600.2774] . . c:\windows\system32\ntkrnlpa.exe
.
[-] 2006-12-18 . 4CE3F75B94DD878CD2D2775323E1F0BE . 2182528 . . [5.1.2600.2774] . . c:\windows\system32\ntoskrnl.exe
.
[-] 2006-12-18 . 93D6AEA2B292424863412EEBCC0834CF . 7680 . . [5.1.2600.2938] . . c:\windows\system32\rasadhlp.dll
.
c:\windows\System32\drivers\beep.sys ... is missing !!
c:\windows\System32\wscntfy.exe ... is missing !!
c:\windows\System32\regsvc.dll ... is missing !!
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\KAVOverlayIcon]
@="{dd230880-495a-11d1-b064-008048ec2fc5}"
[HKEY_CLASSES_ROOT\CLSID\{dd230880-495a-11d1-b064-008048ec2fc5}]
2012-09-28 14:47 496016 ----a-w- c:\archivos de programa\Kaspersky Lab\Kaspersky PURE 2.0\shellex.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\archivos de programa\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SiSUSBRG"="c:\windows\SiSUSBrg.exe" [2002-07-12 106496]
"SiSPower"="SiSPower.dll" [2006-03-09 49152]
"QuickTime Task"="c:\archivos de programa\QuickTime\QTTask.exe" [2011-10-24 421888]
"GrooveMonitor"="c:\archivos de programa\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-26 31016]
"APSDaemon"="c:\archivos de programa\Archivos comunes\Apple\Apple Application Support\APSDaemon.exe" [2011-09-27 59240]
"AVP"="c:\archivos de programa\Kaspersky Lab\Kaspersky PURE 2.0\avp.exe" [2011-12-24 202296]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-19 15360]
.
c:\documents and settings\Omega Infinity\Menú Inicio\Programas\Inicio\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\archivos de programa\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 98632]
.
c:\documents and settings\All Users\Menú Inicio\Programas\Inicio\
Utility Tray.lnk - c:\windows\system32\sistray.exe [2012-3-3 262144]
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMConfigurePrograms"= 1 (0x1)
"NoSMMyPictures"= 1 (0x1)
"NoResolveTrack"= 1 (0x1)
.
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)
"NoSMHelp"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)
"NoSMMyPictures"= 1 (0x1)
"NoResolveTrack"= 1 (0x1)
.
[HKLM\~\startupfolder\C:^Documents and Settings^Omega Infinity^Menú Inicio^Programas^Inicio^_uninst_.lnk]
path=c:\documents and settings\Omega Infinity\Menú Inicio\Programas\Inicio\_uninst_.lnk
backup=c:\windows\pss\_uninst_.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCTVOICE]
2002-06-05 06:17 167936 ----a-w- c:\windows\system32\pctspk.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"TuneUp.ProgramStatisticsSvc"=2 (0x2)
"TuneUp.Defrag"=3 (0x3)
"NOD32krn"=2 (0x2)
"aawservice"=2 (0x2)
"ose"=3 (0x3)
"odserv"=3 (0x3)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Archivos de programa\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Archivos de programa\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Archivos de programa\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Archivos de programa\\Archivos comunes\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
.
R0 CSCrySec;InfoWatch Encrypt Sector Library driver;c:\windows\system32\drivers\CSCrySec.sys [28/09/2012 09:17 AM 88632]
R1 CSVirtualDiskDrv;InfoWatch Virtual Disk driver;c:\windows\system32\drivers\CSVirtualDiskDrv.sys [28/09/2012 09:17 AM 39352]
R1 kl2;kl2;c:\windows\system32\drivers\kl2.sys [20/10/2011 11:48 AM 13104]
R2 CSObjectsSrv;CryptoStorage control service;c:\archivos de programa\Archivos comunes\InfoWatch\CryptoStorage\ProtectedObjectsSrv.exe [21/12/2009 05:34 PM 743992]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [10/03/2011 06:34 PM 34608]
R3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\drivers\klmouflt.sys [02/11/2009 08:27 PM 19472]
S0 sptd;sptd;c:\windows\system32\Drivers\sptd.sys --> c:\windows\system32\Drivers\sptd.sys [?]
S3 MozillaMaintenance;Mozilla Maintenance Service;c:\archivos de programa\Mozilla Maintenance Service\maintenanceservice.exe [26/04/2012 12:22 AM 113120]
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
NETSVCS REQUIRES REPAIRS - current entries shown
6to4
AppMgmt
AudioSrv
Browser
CryptSvc
DMServer
DHCP
EventSystem
FastUserSwitchingCompatibility
HidServ
Ias
Iprip
Irmon
LanmanServer
LanmanWorkstation
Netman
Nla
NWCWorkstation
Nwsapagent
Rasauto
Rasman
Remoteaccess
Schedule
Seclogon
SENS
Sharedaccess
SRService
Tapisrv
Themes
W32Time
WZCSVC
Wmi
WmdmPmSp
winmgmt
xmlprov
BITS
ShellHWDetection
helpsvc
wuauserv
WmdmPmSN
.
Rebuilding ... You need to reboot your machine for this to take effect.
.
ntmssvc
ERSvc
Messenger
TrkWks
uploadmgr
TermService
wscsvc
napagent
hkmsvc
ip6fwhlp
mhn
sacsvr
trksvr
.
Contents of the 'Scheduled Tasks' folder
.
2012-09-29 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\archivos de programa\Apple Software Update\SoftwareUpdate.exe [2011-06-01 15:57]
.
.
------- Supplementary Scan -------
.
IE: Add to Anti-Banner - c:\archivos de programa\Kaspersky Lab\Kaspersky PURE 2.0\ie_banner_deny.htm
IE: E&xport to Microsoft Excel - c:\archiv~1\MICROS~1\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath - c:\documents and settings\Omega Infinity\Datos de programa\Mozilla\Firefox\Profiles\pzouh5vx.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/webhp?hl=en
.
- - - - ORPHANS REMOVED - - - -
.
BHO-{1d57eb3b-977f-47c8-95cf-00bf2cd3f86c} - (no file)
BHO-{453E7B50-2BE3-4D76-BB29-DD350A19C28F} - (no file)
BHO-{AA1EA7F5-FB21-449E-AA0F-2B439F090EB5} - (no file)
HKLM-Run-Cmaudio - cmicnfg.cpl
HKU-Default-RunOnce-nltide3 - rundll32 advpack.dll
MSConfigStartUp-FaxCenterServer - c:\archivos de programa\Lexmark Fax Solutions\fm3032.exe
HKLM_ActiveSetup-{11FC12D0-1A72-12D2-992D-5BC14F992BC7} - c:\windows\system32\javan.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-09-30 11:00
Windows 5.1.2600 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(3192)
c:\windows\system32\msi.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\RunDll32.exe
.
**************************************************************************
.
Completion time: 2012-09-30 11:09:19 - machine was rebooted
ComboFix-quarantined-files.txt 2012-09-30 16:09
.
Pre-Run: 8,744,669,184 bytes free
Post-Run: 10,607,005,696 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
.
- - End Of File - - 820D6A4914BC7CE2F49E1B37635E6D5C



Hope this helps find out if there are any hidden malicious programs!


Thanks for the help!

#6 Vanedil (Topic Starter)

Posted 02 October 2012 - 02:48 AM

I think the issue has not been solved, and there must be an infection somewhere, because every time I try to access Facebook, I am redirected to a website in Portuguese, 'Explosion de Vendas Cielo', requesting a credit card. Trying to access Facebook mobile, or in a different language, is blocked and loads to a server error. What is strange is that this is happening to both our desktop and laptop, which makes me believe it is network related. Not sure if it is a DNS hijack or related to this: http://news.softpedia.com/news/Cybercriminals-Hijack-4-5-Million-ADLS-Modems-in-Brazil-to-Serve-Malware-295845.shtml.

Right now I have left the desktop running a Kaspersky full scan, and the laptop a Norton full scan. I do not think I will find anything.

#7 etavares (Malware Response Team)

Posted 02 October 2012 - 07:40 AM

Hello, Vanedil.

Are you able to access Windows Update? This computer is running Service Pack 2...that is NOT secure. We need to update to SP3. There are some major elements corrupted in this computer that we need to fix.

Also, let's reset your router given the redirects on multiple computers.



Router Reset
  • Please read this: Malware Silently Alters Wireless Router Settings

  • Consult this link to find out the default username and password of your router and note them down: Route Passwords

  • Then reset your router to its factory default settings:

    "If your machine has been infected by one of these Zlob/DNSchanger Trojans, and your router settings have been altered, I would strongly recommend that you reset the router to its default configuration. Usually, this can be done by inserting something tiny like a paper clip end or pencil tip into a small hole labeled "reset" located on the back of the router. Press and hold down the small button inside until the lights on the front of the router blink off and then on again (usually about 10 seconds)"


  • This is the difficult part.
    First get to the router's server. To do that type http://192.168.1.1 in the address bar and press Enter. You get the log in window.
    Fill in the password you have already found and you will get the configuration page.
    Configure the router to allow you to connect to your ISP server. In some routers it is done by a setup wizard. But you have to fill in the log in password your ISP has initially given to you.
    You can also call your ISP if you don't have your initial password.
    Don't forget to change the router's default password and set a strong password. Note down the password and keep it somewhere for future reference.

  • Please make sure of the following settings:
    • Go to start => Control panel => Double-click Network and Sharing Center.
    • In the left window select Manage network Connection.
    • In the right window right-click Local Area connection and select Properties.
    • Internet Protocol Version 6 (IPv6) should be checked. Double-click on it. Make sure of the following settings:
    • The option Obtain an IP address automatically should be checked.
    • The option Obtain DNS server address automatically should be checked.
    • Click OK.
    • Internet Protocol Version 4 (IPv4) should be checked. Double-click on it.
    • The option Obtain an IP address automatically should be checked.
    • The option Obtain DNS server address automatically should be checked.
  • Click OK twice.
  • If you should change any setting, reboot the computer.

==========

Please run the following command on both the computers and post the logs.

Go to start > Run copy/paste the following line in the run box and click OK.

cmd /c (ipconfig /all&nslookup mbam-cdn.malwarebytes.org&ping -n 2 mbam-cdn.malwarebytes.org&route print) >log.txt&start log.txt

A command window opens. Wait until a log.txt file opens. Please post the content to your reply.

etavares
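As an added example (not code from the thread, from BleepingComputer or from Malwarebytes), here is a Python triage script for the log that command produces. It assumes English-locale Windows output of ipconfig /all and nslookup; the captures embedded in it are constructed, and their addresses use RFC 1918 space plus the TEST-NET documentation ranges as stand-ins for real resolvers. The clean capture mirrors the DhcpNameServer = 192.168.1.1 line in the ComboFix log above; the hijacked one models a router pushing external resolvers that answer differently for the test name, which is the pattern behind redirects that show up on every machine on the same LAN.

```python
"""Triage for the 'ipconfig /all' + 'nslookup' log requested above.
Added example, not code from the thread, BleepingComputer or Malwarebytes.
Assumes English-locale Windows output; sample captures are constructed and use
RFC 1918 plus the TEST-NET documentation ranges (198.51.100/24, 203.0.113/24)."""
import ipaddress
import re

KEY_RE = re.compile(r"^\s*([A-Za-z][A-Za-z0-9 ()\-]*?)\s*[. ]*:\s*(.*)$")
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def _as_ip(token):
    """ip_address for '1.2.3.4', 'fe80::1%3' or '1.2.3.4(Preferred)'; None otherwise."""
    token = re.sub(r"\(.*\)$", "", token.strip()).split("%")[0]
    try:
        return ipaddress.ip_address(token)
    except ValueError:
        return None


def is_lan(ip):
    """Addresses a home router hands out itself (RFC 1918, link-local, loopback).
    ipaddress.is_private is avoided on purpose: it also covers the documentation ranges."""
    if ip.version == 6:
        return ip.is_link_local or ip.is_loopback or ip.is_private
    return ip.is_loopback or ip.is_link_local or any(ip in n for n in RFC1918)


def parse_ipconfig(text):
    """First IPv4 default gateway and every DNS server in 'ipconfig /all' output.
    Multi-valued keys continue on indented lines that carry only the next value."""
    gateway, dns, last_key = None, [], None
    for line in text.splitlines():
        m = KEY_RE.match(line)
        if m:
            last_key, ip = m.group(1).strip(), _as_ip(m.group(2))
        elif last_key and line.startswith(" "):
            ip = _as_ip(line)
        else:
            last_key, ip = None, None
        if ip is None:
            continue
        if last_key == "Default Gateway" and gateway is None and ip.version == 4:
            gateway = ip
        elif last_key == "DNS Servers":
            dns.append(ip)
    return {"gateway": gateway, "dns": dns}


def parse_nslookup(text):
    """Resolver that answered and the answers from Windows nslookup output:
    the 'Address:' before 'Name:' is the server, those after it are the answers."""
    resolver, answers, in_answer = None, [], False
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("Name:"):
            in_answer = True
            continue
        m = re.match(r"^Address(?:es)?:\s*(.*)$", s)
        ip = _as_ip(m.group(1)) if m else (_as_ip(s) if in_answer else None)
        if ip is None:
            continue
        if in_answer:
            answers.append(ip)
        elif resolver is None:
            resolver = ip
    return {"resolver": resolver, "answers": answers}


def assess(ipconfig_text, nslookup_text, known_good=()):
    """Findings pointing at DNS tampering; an empty list means the log looks clean.
    known_good: answers for the same name captured on a trusted network."""
    cfg, look = parse_ipconfig(ipconfig_text), parse_nslookup(nslookup_text)
    findings = []
    for server in cfg["dns"]:
        if not is_lan(server):
            findings.append(f"DNS server {server} is outside the LAN: router or DHCP pushes an external resolver")
    if look["resolver"] and cfg["dns"] and look["resolver"] not in cfg["dns"]:
        findings.append(f"nslookup was answered by {look['resolver']}, not a configured DNS server")
    if not look["answers"]:
        findings.append("no answer returned: the resolver is blocking the name or not responding")
    for a in look["answers"]:
        if is_lan(a) or a.is_unspecified:
            findings.append(f"{a} is not a routable answer for a public host: the name is sinkholed")
    good = {ipaddress.ip_address(g) for g in known_good}
    if good and look["answers"] and good.isdisjoint(look["answers"]):
        findings.append("answers do not overlap the known-good resolution: suspect the router or its upstream resolver")
    return findings


# Constructed captures (not real). The clean one mirrors the thread's
# 'DhcpNameServer = 192.168.1.1'; the hijacked one has the router pushing
# external resolvers that return a different address for the test name.
CLEAN_IPCONFIG = """\
Ethernet adapter Local Area Connection:

   IP Address. . . . . . . . . . . . : 192.168.1.10
   Default Gateway . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 192.168.1.1
"""
HIJACKED_IPCONFIG = CLEAN_IPCONFIG.replace(
    "DNS Servers . . . . . . . . . . . : 192.168.1.1",
    "DNS Servers . . . . . . . . . . . : 203.0.113.53\n                                       203.0.113.54")
KNOWN_GOOD = ("198.51.100.20", "198.51.100.21")
CLEAN_NSLOOKUP = ("Server:  router\nAddress:  192.168.1.1\n\nNon-authoritative answer:\n"
                  "Name:    mbam-cdn.malwarebytes.org\nAddresses:  198.51.100.20\n          198.51.100.21\n")
HIJACKED_NSLOOKUP = ("Server:  UnKnown\nAddress:  203.0.113.53\n\nNon-authoritative answer:\n"
                     "Name:    mbam-cdn.malwarebytes.org\nAddress:  203.0.113.99\n")
```

To use it on a real machine, run the command etavares gives, paste the ipconfig and nslookup sections of log.txt into assess() together with the answers captured for the same name on a trusted network, and treat the "outside the LAN" and "known-good" findings as the ones that point at the router rather than the PC. On a Spanish-locale XP the key labels differ, so KEY_RE and the Server/Name/Address prefixes would need the localized strings.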




#8 Vanedil (Topic Starter)

Posted 04 October 2012 - 12:37 AM

Thanks again for the help, etavares.


Wanted to report that on the same day the redirection post was filed, the browser settings were restored to default and all temporary files were deleted. This helped restore access to the intended website. After this, I performed the requested steps, except for updating to SP3 (I will do this over the weekend).

I copied and pasted the script into CMD on the desktop, but it returned an error saying that it tried pinging mbam-cdn.malwarebytes.org but could not find the server, 2 sent, 2 received, and that MASK PARAMETERS are not valid (in Spanish). The laptop's log is pending, because I returned the laptop for the weekend. I will report back when the log is available.

#9 etavares (Malware Response Team)

Posted 12 October 2012 - 08:05 PM

Hi Vanedil, any luck getting the log?

-etavares




#10 etavares (Malware Response Team)

Posted 28 October 2012 - 05:47 AM

Due to the lack of feedback, this topic is now closed. In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days. Please include a link to your topic in the Private Message. Thank you.






