
Win32.vbstats.***


  • This topic is locked
7 replies to this topic

#1 spiderstone


Posted 31 May 2007 - 10:26 PM

Well... Some days ago avast notified me that a trojan was trying to enter my PC. Clearly the trojan entered, because I began to suffer a lot of pop-ups. I tried to solve the problem. Vundo was detected and I ran VundoFix, from Symantec, but the problem still goes on. Using Kaspersky online I found the Win32.VBStats.J and I tried to remove it using all the resources I found. NOD32, Avast and Spyware didn't recognize the infection, but every time I connect the machine to the internet I receive a notification of Win32.VBStats.J or C coming into my computer, and then pop-ups and some aberrant behaviour start to appear. I used RegSeeker too. Nothing happened. The problems go on. I send you the files from HJT. Thank you in advance.


#2 RichieUK

  • Malware Response Team

Posted 01 June 2007 - 03:22 AM

Welcome to the BleepingComputer HijackThis Logs and Analysis forum, spiderstone :thumbsup:

My name is Richie and I'll be helping you to fix your problems.

You've used Trend Micro HijackThis v2.0.0 (BETA) to post your log.
As with any Beta software it's not completely reliable, so uninstall/delete it please.

Now download and install Hijackthis.
This is a self-extracting version which will automatically install HJT to C:\Program Files\Hijackthis by default.
A desktop shortcut can be created during install under 'Select Additional Tasks'.

**************************

Download VundoFix.exe to your desktop.
Double-click VundoFix.exe to run it.
When VundoFix re-opens, click the "Scan for Vundo" button.
Once it's done scanning, click the "Remove Vundo" button.
You will receive a prompt asking if you want to remove the files; click "YES".
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer; click "OK".
Post the contents of C:\vundofix.txt into your next reply.

Note:
It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot; simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

**************************

Please download Combofix and save it to your desktop:
http://download.bleepingcomputer.com/sUBs/Beta/ComboFix.exe
Note:
It is important that it is saved directly to your desktop.

Close any open browsers.
Double click on combofix.exe and follow the prompts.
When it's finished it will produce a log.
Post the C:\ComboFix.txt into your next reply.
Note:
Do not mouse-click combofix's window whilst it's running.
That may cause the program to freeze/hang.


**************************

Now go to:
C:\Program Files\HijackThis\HijackThis.exe
Right click on Hijackthis.exe and select 'Rename'; rename it to abc.bat
Double click on abc.bat (which is still Hijackthis.exe) and post that log into your next reply please.

Kindly post all your replies directly into this topic, NOT as attachments.

#3 spiderstone

  • Topic Starter


Posted 02 June 2007 - 05:52 PM

Richie: Thank you very much! For now my computer is running faster again, so it seems everything is going right.
This is the log from VundoFix:

VundoFix V6.4.1

Checking Java version...

Sun Java not detected
Scan started at 16:34:05 2007-06-02

Listing files found while scanning....

C:\WINDOWS\system32\aadgh.bak1
C:\WINDOWS\system32\aadgh.bak2
C:\WINDOWS\system32\aadgh.ini
C:\WINDOWS\system32\aadgh.ini2
C:\WINDOWS\system32\aadgh.tmp
C:\WINDOWS\system32\hgdaa.dll
C:\WINDOWS\system32\vgytyjrs.dll

Beginning removal...

Attempting to delete C:\WINDOWS\system32\aadgh.bak1
C:\WINDOWS\system32\aadgh.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\system32\aadgh.bak2
C:\WINDOWS\system32\aadgh.bak2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\aadgh.ini
C:\WINDOWS\system32\aadgh.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\aadgh.ini2
C:\WINDOWS\system32\aadgh.ini2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\aadgh.tmp
C:\WINDOWS\system32\aadgh.tmp Has been deleted!

Attempting to delete C:\WINDOWS\system32\hgdaa.dll
C:\WINDOWS\system32\hgdaa.dll Has been deleted!

Performing Repairs to the registry.
Done!

And here is the combofix log:

"Administrador" - 2007-06-02 19:17:38 Service Pack 2 NTFS
ComboFix 07-06-2.5.Ex - Running from: "C:\Documents and Settings\Administrador\Escritorio\"


(((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\qomlk.dll


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\DOCUME~1\ADMINI~1\DATOSD~1.\macromedia\Flash Player\#SharedObjects\BGC7YN7K\www.broadcaster.com
C:\DOCUME~1\ADMINI~1\DATOSD~1.\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com
C:\DOCUME~1\ADMINI~1\DATOSD~1.\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com\settings.sol
C:\install.log
C:\setup.exe


((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_IPRIP
-------\Iprip
-------\nm


((((((((((((((((((((((((( Files Created from 2007-05-02 to 2007-06-02 )))))))))))))))))))))))))))))))


2007-06-02 16:34 <DIR> d-------- C:\VundoFix Backups
2007-05-26 00:14 1,184 --a------ C:\WINDOWS\mozver.dat
2007-05-25 22:40 512,096 --a------ C:\WINDOWS\system32\drivers\amon.sys
2007-05-25 22:40 298,104 --a------ C:\WINDOWS\system32\imon.dll
2007-05-25 22:40 15,424 --a------ C:\WINDOWS\system32\drivers\nod32drv.sys
2007-05-25 16:36 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-05-25 16:36 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\DATOSD~1\Kaspersky Lab
2007-05-25 01:46 <DIR> d-------- C:\WINDOWS\McAfee.com
2007-05-25 01:41 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2007-05-25 00:40 83,536 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2007-05-25 00:40 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
2007-05-25 00:40 59,984 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2007-05-25 00:40 52,304 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2007-05-25 00:40 39,248 --a------ C:\WINDOWS\system32\drivers\ikfileflt.sys
2007-05-25 00:40 26,064 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2007-05-25 00:40 <DIR> d-------- C:\DOCUME~1\ADMINI~1\DATOSD~1\PC Tools
2007-05-25 00:40 <DIR> d-------- C:\Archivos de programa\Spyware Doctor
2007-05-25 00:38 <DIR> d-------- C:\DOCUME~1\ADMINI~1\DATOSD~1\Google
2007-05-25 00:33 2,560 --------- C:\WINDOWS\system32\drivers\cdralw2k.sys
2007-05-25 00:33 2,432 --------- C:\WINDOWS\system32\drivers\cdr4_xp.sys
2007-05-25 00:32 <DIR> d-------- C:\WINDOWS\system32\runtime
2007-05-25 00:32 <DIR> d-------- C:\Archivos de programa\Picasa2
2007-05-25 00:31 <DIR> d-------- C:\Archivos de programa\Norton Security Scan
2007-05-25 00:29 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\DATOSD~1\Google
2007-05-25 00:28 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\DATOSD~1\Google Updater
2007-05-19 20:44 76,560 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2007-05-19 20:43 <DIR> d-------- C:\Documents and Settings\Administrador\.housecall6.6
2007-05-19 20:43 <DIR> d-------- C:\DOCUME~1\ADMINI~1\.housecall6.6
2007-05-19 20:32 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\DATOSD~1\ParetoLogic Anti-Spyware
2007-05-19 20:18 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-05-16 22:49 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\DATOSD~1\Bluetooth
2007-05-16 22:45 82,148 --a------ C:\WINDOWS\system32\drivers\VcommMgr.sys
2007-05-16 22:45 77,824 --a------ C:\WINDOWS\system32\drivers\SioUi2k.dll
2007-05-16 22:45 7,680 --a------ C:\WINDOWS\system32\btinstall.dll
2007-05-16 22:45 63,488 --a------ C:\WINDOWS\system32\drivers\wssbtr1f.sys
2007-05-16 22:45 61,312 --a------ C:\WINDOWS\system32\drivers\VComm.sys
2007-05-16 22:45 51,169 --a------ C:\WINDOWS\system32\drivers\OXSER.SYS
2007-05-16 22:45 48,556 --a------ C:\WINDOWS\system32\drivers\SktBt2k.sys
2007-05-16 22:45 48,076 --a------ C:\WINDOWS\system32\drivers\Sio9502k.sys
2007-05-16 22:45 40,960 --a------ C:\WINDOWS\system32\drivers\SCTray.exe
2007-05-16 22:45 28,207 --a------ C:\WINDOWS\system32\drivers\BTHidMgr.sys
2007-05-16 22:45 22,488 --a------ C:\WINDOWS\system32\drivers\btcusb.sys
2007-05-16 22:45 20,096 --a------ C:\WINDOWS\system32\drivers\blueletaudio.sys
2007-05-16 22:45 148,830 --a------ C:\WINDOWS\system32\drivers\bcbthub.sys
2007-05-16 22:45 13,304 --a------ C:\WINDOWS\system32\drivers\BTNetFilter.sys
2007-05-16 22:45 12,504 --a------ C:\WINDOWS\system32\drivers\VHIDMini.sys
2007-05-16 22:45 116,021 --a------ C:\WINDOWS\system32\drivers\fw203x.sys
2007-05-16 22:45 11,604 --a------ C:\WINDOWS\system32\drivers\vbtenum.sys
2007-05-16 22:45 10,804 --a------ C:\WINDOWS\system32\drivers\BtNetDrv.sys
2007-05-16 22:45 <DIR> d-------- C:\Archivos de programa\IVT Corporation
2007-05-12 13:42 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\DATOSD~1\discreet
2007-05-12 13:42 <DIR> d-------- C:\DOCUME~1\ADMINI~1\DATOSD~1\combustion4
2007-05-12 13:41 90,112 --a------ C:\WINDOWS\unvise32.exe
2007-05-12 13:41 <DIR> d-------- C:\Archivos de programa\backburner 2
2007-05-12 13:39 <DIR> d-------- C:\Archivos de programa\discreet
2007-05-04 19:01 <DIR> d-------- C:\DOCUME~1\ADMINI~1\DATOSD~1\CyberMotion 3D-Designer
2007-05-04 19:00 <DIR> d-------- C:\Archivos de programa\CyberMotion 3D-Designer v12.0


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-06-02 22:24:31 1,536 ----a-w C:\WINDOWS\system32\TrueSoft.dat
2007-06-02 06:50:45 -------- d-----w C:\Archivos de programa\Archivos comunes\Symantec Shared
2007-06-02 01:40:27 -------- d-----w C:\DOCUME~1\ADMINI~1\DATOSD~1\uTorrent
2007-06-01 11:41:09 -------- d-----w C:\Archivos de programa\Google
2007-05-25 03:36:25 -------- d--h--w C:\Archivos de programa\InstallShield Installation Information
2007-05-25 03:22:09 -------- d-----w C:\Archivos de programa\Archivos comunes\Wise Installation Wizard
2007-05-23 20:40:22 16 ----a-w C:\WINDOWS\popcinfo.dat
2007-05-19 20:21:48 -------- d-----w C:\Archivos de programa\mobile PhoneTools
2007-05-03 23:51:13 -------- d-----w C:\Archivos de programa\IncrediMail
2007-04-30 15:46:10 745,600 ----a-w C:\WINDOWS\system32\aswBoot.exe
2007-04-30 15:41:55 85,952 -c--a-w C:\WINDOWS\system32\drivers\aswmon.sys
2007-04-30 15:41:42 94,552 ----a-w C:\WINDOWS\system32\drivers\aswmon2.sys
2007-04-30 15:39:41 23,416 ----a-w C:\WINDOWS\system32\drivers\aswRdr.sys
2007-04-30 15:38:51 43,176 ----a-w C:\WINDOWS\system32\drivers\aswTdi.sys
2007-04-30 15:37:23 26,888 ----a-w C:\WINDOWS\system32\drivers\aavmker4.sys
2007-04-30 15:35:28 95,872 ----a-w C:\WINDOWS\system32\AVASTSS.scr
2007-04-29 18:16:11 -------- d-----w C:\Archivos de programa\Lexmark X1100 Series
2007-04-18 16:14:22 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
2007-04-15 00:56:24 -------- d-----w C:\Archivos de programa\Winamp
2007-04-15 00:56:24 -------- d-----w C:\Archivos de programa\Archivos comunes\NSV
2007-04-12 20:50:16 2,783,048 ----a-w C:\WINDOWS\system32\GPhotos.scr
2007-04-07 15:04:25 -------- d-----w C:\Archivos de programa\LiveUpdate
2007-04-07 15:04:24 -------- d-----w C:\Archivos de programa\Bejeweled 2 Deluxe
2007-04-06 19:53:22 -------- d-----w C:\Archivos de programa\eMule
2007-03-17 13:45:06 293,376 ----a-w C:\WINDOWS\system32\winsrv.dll
2007-03-08 15:36:30 578,560 ----a-w C:\WINDOWS\system32\user32.dll
2007-03-08 15:36:30 40,960 ----a-w C:\WINDOWS\system32\mf3216.dll
2007-03-08 15:36:30 281,600 ----a-w C:\WINDOWS\system32\gdi32.dll
2007-03-08 15:32:46 1,843,712 ----a-w C:\WINDOWS\system32\win32k.sys
2007-03-03 12:17:47 720,896 ----a-w C:\WINDOWS\iun6002ev.exe
2006-08-23 01:53:23 7,680 -csha-w C:\WINDOWS\BricoPacks\Longhorn Inspirat\ResFiles\10_explorer.exe\Thumbs.db
2006-08-23 01:53:23 7,168 -csha-w C:\WINDOWS\BricoPacks\Longhorn Inspirat\ResFiles\11_fontext.dll\Thumbs.db
2006-08-23 01:53:29 8,704 -csha-w C:\WINDOWS\BricoPacks\Longhorn Inspirat\ResFiles\14_inetcplc.dll\Thumbs.db
2006-08-23 01:53:29 7,680 -csha-w C:\WINDOWS\BricoPacks\Longhorn Inspirat\ResFiles\17_keymgr.dll\Thumbs.db
2006-08-23 01:53:29 6,656 -csha-w C:\WINDOWS\BricoPacks\Longhorn Inspirat\ResFiles\18_logon.scr\Thumbs.db
2006-08-23 01:53:30 8,704 -csha-w C:\WINDOWS\BricoPacks\Longhorn Inspirat\ResFiles\21_moricons.dll\Thumbs.db
2006-08-23 01:53:30 8,192 -csha-w C:\WINDOWS\BricoPacks\Longhorn Inspirat\ResFiles\22_msgina.dll\Thumbs.db
2006-08-23 01:53:30 8,704 -csha-w C:\WINDOWS\BricoPacks\Longhorn Inspirat\ResFiles\23_mshtml.dll\Thumbs.db
2006-08-23 01:53:31 7,680 -csha-w C:\WINDOWS\BricoPacks\Longhorn Inspirat\ResFiles\24_mspaint.exe\Thumbs.db
2006-08-23 01:53:31 6,144 -csha-w C:\WINDOWS\BricoPacks\Longhorn Inspirat\ResFiles\25_mydocs.dll\Thumbs.db
2006-08-23 01:53:31 6,656 -csha-w C:\WINDOWS\BricoPacks\Longhorn Inspirat\ResFiles\27_netid.dll\Thumbs.db
2006-08-23 01:53:31 8,192 -csha-w C:\WINDOWS\BricoPacks\Longhorn Inspirat\ResFiles\28_netshell.dll\Thumbs.db
2006-08-23 01:53:33 7,680 -csha-w C:\WINDOWS\BricoPacks\Longhorn Inspirat\ResFiles\29_newdev.dll\Thumbs.db
2006-08-23 01:53:22 5,120 -csha-w C:\WINDOWS\BricoPacks\Longhorn Inspirat\ResFiles\3_browseui.dll\Thumbs.db
2006-08-23 01:53:22 5,632 -csha-w C:\WINDOWS\BricoPacks\Longhorn Inspirat\ResFiles\4_calc.exe\Thumbs.db
2006-08-23 01:53:22 7,168 -csha-w C:\WINDOWS\BricoPacks\Longhorn Inspirat\ResFiles\5_cleanmgr.exe\Thumbs.db
2006-08-23 01:53:23 5,632 -csha-w C:\WINDOWS\BricoPacks\Longhorn Inspirat\ResFiles\6_cmd.exe\Thumbs.db
2006-08-23 01:53:23 5,632 -csha-w C:\WINDOWS\BricoPacks\Longhorn Inspirat\ResFiles\7_console.dll\Thumbs.db
2006-08-23 01:53:23 6,144 -csha-w C:\WINDOWS\BricoPacks\Longhorn Inspirat\ResFiles\8_credui.dll\Thumbs.db


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{154004B8-2DC1-410E-B7E8-067D42696058}=C:\WINDOWS\system32\hgdaa.dll []
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Archivos de programa\Java\jre1.5.0_09\bin\ssv.dll [2006-10-12 03:25]
{9394EDE7-C8B5-483E-8773-474BF36AF6E4}=C:\Archivos de programa\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll [2004-08-13 17:41]
{AA58ED58-01DD-4d91-8333-CF10577473F7}=c:\archivos de programa\google\googletoolbar2.dll [2007-06-01 08:40]
{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}=C:\Archivos de programa\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll [2007-06-01 08:41]
{BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0}=C:\Archivos de programa\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\es\msntb.dll [2006-01-17 16:04]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsmqIntCert"="regsvr32 /s mqrt.dll" []
"PCTVOICE"="pctspk.exe" [2003-09-23 22:56 C:\WINDOWS\system32\pctspk.exe]
"LifeScape Media Detector"="C:\Archivos de programa\Picasa\PicasaMediaDetector.exe" [2004-05-16 18:11]
"Lexmark X1100 Series"="C:\Archivos de programa\Lexmark X1100 Series\lxbkbmgr.exe" [2003-08-19 08:18]
"Corel Graphics Suite 1117"="C:\Archivos de programa\Corel\Corel Graphics 11\Register\registration.exe" [2002-09-04 11:06]
"TkBellExe"="C:\Archivos de programa\Archivos comunes\Real\Update_OB\realsched.exe" [2006-02-12 04:57]
"avast!"="C:\ARCHIV~1\ALWILS~1\Avast4\ashDisp.exe" [2007-04-30 12:42]
"Google Desktop Search"="C:\Archivos de programa\Google\Google Desktop Search\GoogleDesktop.exe" [2007-05-25 00:30]
"SunJavaUpdateSched"="C:\Archivos de programa\Java\jre1.5.0_09\bin\jusched.exe" [2006-10-12 03:10]
"nod32kui"="C:\Archivos de programa\Eset\nod32kui.exe" [2007-05-25 22:38]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DrvMon.exe"="C:\WINDOWS\System32\DrvMon.exe" [2005-04-26 00:55]
"googletalk"="C:\Archivos de programa\Google\Google Talk\googletalk.exe" [2007-01-01 18:22]
"msnmsgr"="C:\Archivos de programa\MSN Messenger\msnmsgr.exe" [2006-01-25 01:24]
"Alwact.exe"="C:\Archivos de programa\Alwact\Bin\Alwact.exe" [2006-06-04 09:16]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Archivos de programa\Archivos comunes\Ahead\Lib\NMBgMonitor.exe" [2005-11-24 15:38]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-19 15:42]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoViewOnDrive"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\byxxvsr]
byxxvsr.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=C:\ARCHIV~1\Google\GOOGLE~4\GOEC62~1.DLL

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\sdauxservice]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\sdcoreservice]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc p2psvc p2pimsvc p2pgasvc PNRPSvc

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost *netsvcs*


Contents of the 'Scheduled Tasks' folder
2007-05-28 16:24:24 C:\WINDOWS\tasks\Norton Security Scan.job

**************************************************************************

catchme 0.3.692 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-02 19:24:17
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-06-02 19:27:02 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-06-02 19:26

--- E O F ---

And this is the last HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 07:35:56 p.m., on 02/06/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Archivos de programa\Alwil Software\Avast4\aswUpdSv.exe
C:\Archivos de programa\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Archivos de programa\IVT Corporation\BlueSoleil\BTNtService.exe
C:\Archivos de programa\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Archivos de programa\Archivos comunes\Microsoft Shared\VS7Debug\mdm.exe
C:\Archivos de programa\Eset\nod32krn.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\Fast.exe
C:\WINDOWS\System32\mqsvc.exe
C:\WINDOWS\System32\mqtgsvc.exe
C:\Archivos de programa\Alwil Software\Avast4\ashMaiSv.exe
C:\Archivos de programa\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\pctspk.exe
C:\Archivos de programa\Lexmark X1100 Series\lxbkbmgr.exe
C:\Archivos de programa\Lexmark X1100 Series\lxbkbmon.exe
C:\Archivos de programa\Archivos comunes\Real\Update_OB\realsched.exe
C:\ARCHIV~1\ALWILS~1\Avast4\ashDisp.exe
C:\Archivos de programa\Java\jre1.5.0_09\bin\jusched.exe
C:\Archivos de programa\Eset\nod32kui.exe
C:\WINDOWS\System32\DrvMon.exe
C:\Archivos de programa\Google\Google Talk\googletalk.exe
C:\Archivos de programa\MSN Messenger\msnmsgr.exe
C:\Archivos de programa\Alwact\Bin\Alwact.exe
C:\Archivos de programa\Archivos comunes\Ahead\Lib\NMBgMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Archivos de programa\IVT Corporation\BlueSoleil\BlueSoleil.exe
C:\Archivos de programa\Google\Google Updater\GoogleUpdater.exe
C:\Archivos de programa\Rainlendar\Rainlendar.exe
C:\WINDOWS\BricoPacks\Longhorn Inspirat\ObjectDock\ObjectDock.exe
C:\Archivos de programa\BricoPacks\Longhorn Inspirat\YzToolBar\YzToolBar.exe
C:\Archivos de programa\Hijackthis\abc.bat.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Archivos de programa\Archivos comunes\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {154004B8-2DC1-410E-B7E8-067D42696058} - C:\WINDOWS\system32\hgdaa.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Archivos de programa\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Archivos de programa\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\archivos de programa\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Archivos de programa\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Archivos de programa\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\es\msntb.dll
O2 - BHO: (no name) - {CF1E3E95-2FB2-48B7-8BA3-CE5119251060} - (no file)
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Archivos de programa\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\es\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\archivos de programa\google\googletoolbar2.dll
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [LifeScape Media Detector] C:\Archivos de programa\Picasa\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Archivos de programa\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [Corel Graphics Suite 1117] C:\Archivos de programa\Corel\Corel Graphics 11\Register\registration.exe /title="Corel Graphics Suite 11" /date=060707 serial=DR11CRD-0012082-DGW
O4 - HKLM\..\Run: [TkBellExe] "C:\Archivos de programa\Archivos comunes\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [avast!] C:\ARCHIV~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Archivos de programa\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Archivos de programa\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [nod32kui] "C:\Archivos de programa\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKCU\..\Run: [DrvMon.exe] C:\WINDOWS\System32\DrvMon.exe
O4 - HKCU\..\Run: [googletalk] "C:\Archivos de programa\Google\Google Talk\googletalk.exe" /autostart
O4 - HKCU\..\Run: [msnmsgr] "C:\Archivos de programa\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Alwact.exe] C:\Archivos de programa\Alwact\Bin\Alwact.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Archivos de programa\Archivos comunes\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Rainlendar.lnk = C:\Archivos de programa\Rainlendar\Rainlendar.exe
O4 - Startup: Stardock ObjectDock.lnk = C:\WINDOWS\BricoPacks\Longhorn Inspirat\ObjectDock\ObjectDock.exe
O4 - Startup: Y'z Toolbar.lnk = C:\Archivos de programa\BricoPacks\Longhorn Inspirat\YzToolBar\YzToolBar.exe
O4 - Global Startup: abcHood Pager 1.0.lnk = C:\Archivos de programa\Bridgewell\Page abc\abcPager\abcpager.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Archivos de programa\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Archivos de programa\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: BlueSoleil.lnk = C:\Archivos de programa\IVT Corporation\BlueSoleil\BlueSoleil.exe
O4 - Global Startup: Google Updater.lnk = C:\Archivos de programa\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Archivos de programa\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\ARCHIV~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Consola de Sun Java - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab55579.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/popcaploader_v10.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...038/mcfscan.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\ARCHIV~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - AppInit_DLLs: C:\ARCHIV~1\Google\GOOGLE~4\GOEC62~1.DLL
O20 - Winlogon Notify: byxxvsr - byxxvsr.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Archivos de programa\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Archivos de programa\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Archivos de programa\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Archivos de programa\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Archivos de programa\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: GoogleDesktopManager - Google - C:\Archivos de programa\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Archivos de programa\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Archivos de programa\Archivos comunes\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Archivos de programa\Eset\nod32krn.exe
O23 - Service: Spyware Doctor Auxiliary Service (sdAuxService) - PC Tools - C:\Archivos de programa\Spyware Doctor\svcntaux.exe
O23 - Service: Spyware Doctor Service (sdCoreService) - PC Tools - C:\Archivos de programa\Spyware Doctor\swdsvc.exe

I have a slave disk; do all these tools scan it too?
Thank you again,
Spiderstone

#4 RichieUK

  • Malware Response Team

Posted 02 June 2007 - 06:29 PM

Download/install AVG Anti-Spyware 7.5.

Please follow these instructions very carefully.

Launch/start up AVG Anti-Spyware.
On the main page click the 'Update' tab, and then 'Start Update'.
Note:
If you have any problems running the update process prior to running the scan, download/install the 'Full Database' from here:
http://download.ewido.net/avgas-signatures-full-current.exe

Once the updates have been installed, do the following:
Select the 'Scanner' icon at the top of the screen, then select the 'Settings' tab.
Once in the 'Settings' screen, under 'How to act?', then under 'Set default action for detected malware to:', click on 'Recommended actions', then click on 'Quarantine'.
Under 'Reports' select 'Automatically generate report after every scan' and unselect 'Only if threats were found'.
Exit AVG Anti-Spyware; don't run the scan just yet.

You might want to print/copy the following as you need to be in Safe Mode from here on.

Reboot your computer into SAFE MODE using the F8 method.
To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly.
A menu will appear with several options.
Use the arrow keys on your keyboard to navigate and select the option to run Windows in "Safe Mode".

Have Hijack This fix the following [If still present], by placing a check in the appropriate boxes and selecting 'Fix checked'.
Make sure all browser and all Windows Explorer windows are closed before fixing:

O2 - BHO: (no name) - {154004B8-2DC1-410E-B7E8-067D42696058} - C:\WINDOWS\system32\hgdaa.dll (file missing)
O2 - BHO: (no name) - {CF1E3E95-2FB2-48B7-8BA3-CE5119251060} - (no file)
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O20 - Winlogon Notify: byxxvsr - byxxvsr.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\


Still in Safe Mode launch AVG Anti-Spyware.
Click the 'Scanner' icon at the top.
To start the scan click on 'Complete System Scan'.
Please be patient,it takes a while for the scan to finish.

Once the scan is complete,do the following.
If AVG Anti-Spyware detected any infected objects:,click on 'Apply All Actions'.

Next click on 'Save Report'.
Copy and paste that report into your next reply.
The report can be found under the 'Reports' tab at the top.
Close AVG Anti-Spyware when you've done.
Reboot normally.

Post the AVG Anti-Spyware report and a new HijackThis log into your next reply.
Let me know how your PC is running now please.
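The entries Richie asks to have fixed above share one trait: HijackThis tagged each of them "(file missing)" or "(no file)", meaning the registry still points at a DLL or EXE that is already gone. As an added example (not the thread's own code or HijackThis's), the following script parses lines in the HJT v1.99.1 log format and flags exactly those orphaned entries, plus BHOs that carry no display name; the sample log is constructed from entries quoted in this thread.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample modelled on the HijackThis v1.99.1 entries quoted in this thread
# (the O2, O9 and O20 entries that were fixed, plus two legitimate lines for contrast).
SAMPLE_HJT_LOG = r"""
O2 - BHO: (no name) - {154004B8-2DC1-410E-B7E8-067D42696058} - C:\WINDOWS\system32\hgdaa.dll (file missing)
O2 - BHO: (no name) - {CF1E3E95-2FB2-48B7-8BA3-CE5119251060} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Archivos de programa\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O20 - Winlogon Notify: byxxvsr - byxxvsr.dll (file missing)
O23 - Service: avast! Antivirus - ALWIL Software - C:\Archivos de programa\Alwil Software\Avast4\ashServ.exe
"""

# Every HJT entry starts with a section code (R0..R3, F0..F3, O1..O24) followed by " - ".
ENTRY_RE = re.compile(r"^(?P<section>[RFO]\d{1,2}) - (?P<body>.+)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")


@dataclass
class Finding:
    section: str
    line: str
    clsid: Optional[str]
    reasons: List[str] = field(default_factory=list)


def triage_entry(line: str) -> Optional[Finding]:
    """Return a Finding for one HJT line, or None when nothing about it looks stale."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    section, body = m.group("section"), m.group("body")
    reasons = []
    # HJT appends "(file missing)" / "(no file)" when the registry still points at a
    # file that is gone: a leftover of removed malware, harmless now but worth cleaning.
    if body.endswith("(file missing)") or body.endswith("(no file)"):
        reasons.append("orphaned entry: registered file no longer exists")
    # Legitimate BHOs almost always carry a display name; "(no name)" is a weak hint only.
    if section == "O2" and body.startswith("BHO: (no name)"):
        reasons.append("BHO without a display name")
    if not reasons:
        return None
    clsid = CLSID_RE.search(body)
    return Finding(section, line.strip(), clsid.group(0) if clsid else None, reasons)


def triage_log(log_text: str) -> List[Finding]:
    """Run triage_entry over a whole log and keep only the flagged entries."""
    findings = [triage_entry(l) for l in log_text.splitlines() if l.strip()]
    return [f for f in findings if f is not None]


if __name__ == "__main__":
    for f in triage_log(SAMPLE_HJT_LOG):
        print(f"{f.section:<4}{'; '.join(f.reasons)}\n      {f.line}")
```

Orphaned entries are usually harmless once the malware file itself is gone, but leaving them lets a reinstalled DLL of the same name load again, which is why the helper has them fixed.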

#5 spiderstone

spiderstone
  • Topic Starter

  • Members
  • 6 posts
  • Gender:Male
  • Location:buenos aires
  • Local time:04:35 AM

Posted 02 June 2007 - 08:39 PM

Richie:
I erased all the entries you told me.
This is the report from AVG:
---------------------------------------------------------
AVG Anti-Spyware - Informe del análisis
---------------------------------------------------------
+ Creado en: 10:23:15 p.m. 02/06/2007

+ Resultado del análisis:

HKLM\SOFTWARE\Classes\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF} -> Adware.RogueSuspect : Limpios con copia de seguridad (en cuarentena).
C:\Documents and Settings\Administrador\Cookies\administrador@atdmt[1].txt -> TrackingCookie.Atdmt : Limpios.
C:\Documents and Settings\Administrador\Cookies\administrador@www.burstnet[1].txt -> TrackingCookie.Burstnet : Limpios.
:mozilla.10:C:\Documents and Settings\Administrador\Datos de programa\Mozilla\Firefox\Profiles\5bs8g57a.default\cookies.txt -> TrackingCookie.Paypal : Limpios.
C:\Documents and Settings\Administrador\Cookies\administrador@ad.yieldmanager[2].txt -> TrackingCookie.Yieldmanager : Limpios.

::Fin del informe


And this is the new HJT log:
Logfile of HijackThis v1.99.1
Scan saved at 10:30:50 p.m., on 02/06/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Archivos de programa\Alwil Software\Avast4\aswUpdSv.exe
C:\Archivos de programa\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\pctspk.exe
C:\Archivos de programa\Lexmark X1100 Series\lxbkbmgr.exe
C:\Archivos de programa\Archivos comunes\Real\Update_OB\realsched.exe
C:\ARCHIV~1\ALWILS~1\Avast4\ashDisp.exe
C:\Archivos de programa\Java\jre1.5.0_09\bin\jusched.exe
C:\Archivos de programa\Eset\nod32kui.exe
C:\Archivos de programa\Lexmark X1100 Series\lxbkbmon.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Archivos de programa\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\System32\DrvMon.exe
C:\Archivos de programa\MSN Messenger\msnmsgr.exe
C:\Archivos de programa\Alwact\Bin\Alwact.exe
C:\Archivos de programa\Archivos comunes\Ahead\Lib\NMBgMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Archivos de programa\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Archivos de programa\IVT Corporation\BlueSoleil\BlueSoleil.exe
C:\Archivos de programa\Google\Google Updater\GoogleUpdater.exe
C:\Archivos de programa\IVT Corporation\BlueSoleil\BTNtService.exe
C:\Archivos de programa\Rainlendar\Rainlendar.exe
C:\Archivos de programa\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\WINDOWS\BricoPacks\Longhorn Inspirat\ObjectDock\ObjectDock.exe
C:\Archivos de programa\BricoPacks\Longhorn Inspirat\YzToolBar\YzToolBar.exe
C:\Archivos de programa\Archivos comunes\Microsoft Shared\VS7Debug\mdm.exe
C:\Archivos de programa\Eset\nod32krn.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\Fast.exe
C:\WINDOWS\System32\mqsvc.exe
C:\WINDOWS\System32\mqtgsvc.exe
C:\Archivos de programa\Alwil Software\Avast4\ashMaiSv.exe
C:\Archivos de programa\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Archivos de programa\Hijackthis\abc.bat.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Archivos de programa\Archivos comunes\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Archivos de programa\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Archivos de programa\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\archivos de programa\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Archivos de programa\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Archivos de programa\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\es\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Archivos de programa\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\es\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\archivos de programa\google\googletoolbar2.dll
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [LifeScape Media Detector] C:\Archivos de programa\Picasa\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Archivos de programa\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [Corel Graphics Suite 1117] C:\Archivos de programa\Corel\Corel Graphics 11\Register\registration.exe /title="Corel Graphics Suite 11" /date=060707 serial=DR11CRD-0012082-DGW
O4 - HKLM\..\Run: [TkBellExe] "C:\Archivos de programa\Archivos comunes\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [avast!] C:\ARCHIV~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Archivos de programa\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Archivos de programa\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [nod32kui] "C:\Archivos de programa\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Archivos de programa\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [DrvMon.exe] C:\WINDOWS\System32\DrvMon.exe
O4 - HKCU\..\Run: [googletalk] "C:\Archivos de programa\Google\Google Talk\googletalk.exe" /autostart
O4 - HKCU\..\Run: [msnmsgr] "C:\Archivos de programa\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Alwact.exe] C:\Archivos de programa\Alwact\Bin\Alwact.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Archivos de programa\Archivos comunes\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Rainlendar.lnk = C:\Archivos de programa\Rainlendar\Rainlendar.exe
O4 - Startup: Stardock ObjectDock.lnk = C:\WINDOWS\BricoPacks\Longhorn Inspirat\ObjectDock\ObjectDock.exe
O4 - Startup: Y'z Toolbar.lnk = C:\Archivos de programa\BricoPacks\Longhorn Inspirat\YzToolBar\YzToolBar.exe
O4 - Global Startup: abcHood Pager 1.0.lnk = C:\Archivos de programa\Bridgewell\Page abc\abcPager\abcpager.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Archivos de programa\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Archivos de programa\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: BlueSoleil.lnk = C:\Archivos de programa\IVT Corporation\BlueSoleil\BlueSoleil.exe
O4 - Global Startup: Google Updater.lnk = C:\Archivos de programa\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Archivos de programa\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\ARCHIV~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Consola de Sun Java - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab55579.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/popcaploader_v10.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...038/mcfscan.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\ARCHIV~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - AppInit_DLLs: C:\ARCHIV~1\Google\GOOGLE~4\GOEC62~1.DLL
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Archivos de programa\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Archivos de programa\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Archivos de programa\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Archivos de programa\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Archivos de programa\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Archivos de programa\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: GoogleDesktopManager - Google - C:\Archivos de programa\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Archivos de programa\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Archivos de programa\Archivos comunes\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Archivos de programa\Eset\nod32krn.exe
O23 - Service: Spyware Doctor Auxiliary Service (sdAuxService) - PC Tools - C:\Archivos de programa\Spyware Doctor\svcntaux.exe
O23 - Service: Spyware Doctor Service (sdCoreService) - PC Tools - C:\Archivos de programa\Spyware Doctor\swdsvc.exe

Thank you!!!
Spiderstone

#6 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • Local time:10:35 AM

Posted 03 June 2007 - 03:10 AM

Your log is clean :thumbsup:
If all's ok, please do the following:

Find and delete:
VundoFix.exe
Combofix

C:\VundoFix Backups
C:\QooBox

Click on Start/All Programs/Accessories/System Tools/System Restore.
In the 'System Restore' window, click on the 'Create a Restore Point' button, then click 'Next'.
In the window that appears, enter a description\name for the Restore Point, then click on 'Create', wait, then click 'Close'.
The date and time will be created automatically.

Next click on Start/All Programs/Accessories/System Tools/Disk Cleanup.
The 'Select Drive' box will appear, click on Ok.
The 'Disk Cleanup for [C:]' box will appear, click on the 'More Options' tab.
At the bottom in the 'System Restore' window, click on the 'Clean up...' button.
A box will pop up 'Are you sure you want to delete all but the most recent restore point?', click on 'Yes'.
Click on 'Yes' at 'Are you sure you want to perform these actions?'.
Now wait until 'Disk Cleanup' finishes and the box disappears.

Read through the information found here, to help you prevent any possible future infections.
'How to prevent Malware' by miekiemoes:
http://users.telenet.be/bluepatchy/miekiem...prevention.html

Your version of Sun Java is out of date.
Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older versions of Sun Java, and then update.
1. Download the latest version of Java Runtime Environment (JRE)
2. Scroll down to where it says 'Java Runtime Environment (JRE) 6u1'.
3. Click the "Download" button to the right.
4. Check the box that says: "Accept License Agreement".
5. The page will refresh.
6. Click on the link to download 'Windows Offline Installation, Multi-language' and save to your desktop.
7. Close any programs you may have running - especially your web browser.
8. Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
9. Check any item with Java Runtime Environment (JRE or J2SE) in the name.
10. Click the Change/Remove button.
11. Repeat as many times as necessary to remove each Java version.
12. Reboot your computer once all Java components are removed.
13. Then from your desktop double-click on jre-6u1-windows-i586-p.exe to install the newest version.

#7 spiderstone

spiderstone
  • Topic Starter

  • Members
  • 6 posts
  • Gender:Male
  • Location:buenos aires
  • Local time:04:35 AM

Posted 04 June 2007 - 01:25 AM

Richie:
I really love you! thank you very much. :thumbsup:
See you!

#8 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • Local time:10:35 AM

Posted 04 June 2007 - 02:05 AM

You're most welcome :thumbsup:

This thread will now be closed.
If you need this topic reopened, please contact a member of the HJT Team and we will reopen it for you.
Include the address of this thread in your request.
If you should have a new issue, please start a new topic.
This applies only to the original topic starter.
Everyone else please begin a New Topic.