Geeks to Go Forums: Win32/Rootkit.Agent.ODG && Win32/Kryptik.ZV [Solved] - Geeks to Go Forums


Win32/Rootkit.Agent.ODG && Win32/Kryptik.ZV [Solved]

#1 Zet

  • Member
  • Group: Member
  • Posts: 19
  • Joined: 20-August 09
  • Operating System: XP

  Posted 20 August 2009 - 06:14 AM

I have been reading these forums for quite a while now, and they have always helped me find solutions to my problems, until now.
I went on a trip and was away from my computer for 4 weeks. I brought home two USB devices, both pendrive-like MP3 players.
It seems that after I installed ESET Smart Security 4 (had 3 before) and updated it, I found the rootkit, and it lets me know it is still in every time I log in.
I downloaded Malwarebytes, Dr.Web CureIt, Lavasoft Ad-Aware, RootRepeal, Spybot S&D, CCleaner, HijackThis, and I still have my trusty ESET SS.

I disabled the System Restore thingy, then went into Safe Mode and did complete scans with Dr.Web, Malwarebytes, Ad-Aware, and I can't remember which more, but I tried almost everything.
I did this at least 4 times now in these 2 days. Sometimes one of the programs found something, the next time none, another time a different program found another thing, and so on.
Until last night, Lavasoft Ad-Aware found something and tried to delete it on the next restart; I restarted in Safe Mode and ESET SS4 popped up and showed me an alert I hadn't seen on the days before,
about an object:
\\?\globalroot\systemroot\system32\kbiwkmxrxuxysr.dll
threat:
a variant of Win32/Kryptik.ZV Trojan

It tries to delete/quarantine/clean it but it fails every attempt.

Now, can someone please tell me how I should post the HijackThis report here, and whether it needs to be done in Safe Mode, so I can get a hand with this, please?

Kind Regards,

Esteban


PS: so far the only thing that's bothering me about the virus, or the only way I know it's there, is that every USB disk I plug in, it says it's without format, when it has one.
And it seems to block my MSN from connecting. But the rest seems OK: changing the view of files from hidden/system files works, and I can download, install and update any program OK.

#2 Rorschach112

  • Ralphie
  • Group: Geek U Moderator
  • Posts: 47,261
  • Joined: 23-March 07
  • Location: Dublin
  • Operating System: XP

Posted 20 August 2009 - 06:16 AM

Hi

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**
  • If you are using Firefox, make sure that your download settings are as follows:
    • Tools->Options->Main tab
    • Set to "Always ask me where to Save the files".

  • During the download, rename Combofix to Combo-Fix as follows:

    Posted Image

    Posted Image


  • It is important you rename Combofix during the download, but not after.
  • Please do not rename Combofix to other names, but only to the one indicated.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    -----------------------------------------------------------
    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      -----------------------------------------------------------

    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

    -----------------------------------------------------------
  • Double click on Combo-Fix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the "C:\Combo-Fix.txt" for further review.

**Note: Do not mouseclick combo-fix's window while it's running. That may cause it to stall**

#3 Zet

  • Member
  • Group: Member
  • Posts: 19
  • Joined: 20-August 09
  • Operating System: XP

Posted 20 August 2009 - 06:53 AM

ComboFix 09-08-19.08 - Zet 20/08/2009 9:01.1.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.591.3082.18.2047.1497 [GMT -4:00]
Running from: f:\instaladores imagenes old 60\Instaladores\Combo-Fix.exe
AV: BitDefender Antivirus *On-access scanning disabled* (Outdated) {6C4BB89C-B0ED-4F41-A29C-4373888923BB}
AV: ESET Smart Security 4.0 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
FW: BitDefender Cortafuego *disabled* {4055920F-2E99-48A8-A270-4243D2B8F242}
FW: Cortafuegos personal de ESET *enabled* {E5E70D32-0101-4340-86A3-A7B0F1C8FFE0}
* Created a new restore point
* Resident AV is active


WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\Installer\1d8fc69.msi
c:\windows\Installer\1d8fc6a.msp
c:\windows\Installer\1d8fc6b.msp
c:\windows\Installer\1d8fc6c.msp
c:\windows\Installer\1d8fc6d.msp
c:\windows\Installer\1d8fc6e.msp
c:\windows\Installer\1d8fc6f.msp
c:\windows\Installer\1d8fc70.msp
c:\windows\Installer\1d8fc71.msp
c:\windows\Installer\1d8fc72.msp
c:\windows\Installer\1ff001.msp
c:\windows\Installer\3f73c7.msp
c:\windows\Installer\3f73c8.msp
c:\windows\Installer\3f73c9.msp
c:\windows\Installer\3f73ca.msp
c:\windows\Installer\3f73cb.msp
c:\windows\Installer\3f73cc.msp
c:\windows\Installer\3f73cd.msp
c:\windows\Installer\3f73ce.msp
c:\windows\Installer\3f73cf.msp
c:\windows\Installer\b8b464.msp
c:\windows\Installer\b8b465.msp
c:\windows\Installer\b8b466.msp
c:\windows\Installer\b8b467.msp
c:\windows\Installer\b8b468.msp
c:\windows\Installer\b8b469.msp
c:\windows\Installer\b8b46a.msp
c:\windows\Installer\b8b46b.msp
c:\windows\Installer\b8b46c.msp
c:\windows\Installer\c1d8c2.msp
c:\windows\Installer\c1d8c3.msp
c:\windows\Installer\c1d8c4.msp
c:\windows\Installer\c1d8c5.msp
c:\windows\Installer\c1d8c6.msp
c:\windows\Installer\c1d8c7.msp
c:\windows\Installer\c1d8c8.msp
c:\windows\Installer\c1d8c9.msp
c:\windows\Installer\c1d8ca.msp
c:\windows\Installer\SwInstall.msi
c:\windows\Installer\winamp.msi
c:\windows\system32\Cache
c:\windows\system32\drivers\kbiwkmqjpwswul.sys
c:\windows\system32\kbiwkmcwbpsmmi.dat
c:\windows\system32\kbiwkmqskymrxn.dll
c:\windows\system32\kbiwkmshuextax.dat
c:\windows\system32\kbiwkmxrxuxysr.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_kbiwkmjomuwepf
-------\Legacy_kbiwkmjomuwepf


((((((((((((((((((((((((( Files Created from 2009-07-20 to 2009-08-20 )))))))))))))))))))))))))))))))
.

2009-08-19 12:13 . 2009-07-03 14:49 15688 ----a-w- c:\windows\system32\lsdelete.exe
2009-08-19 10:06 . 2009-07-03 14:49 64160 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-08-19 10:00 . 2009-08-19 10:00 -------- dc-h--w- c:\docume~1\ALLUSE~1\DATOSD~1\{EF63305C-BAD7-4144-9208-D65528260864}
2009-08-19 09:59 . 2009-08-19 10:06 -------- d-----w- c:\docume~1\ALLUSE~1\DATOSD~1\Lavasoft
2009-08-19 09:59 . 2009-08-19 09:59 -------- d-----w- c:\archivos de programa\Lavasoft
2009-08-19 03:29 . 2009-08-19 03:29 -------- d-----w- c:\documents and settings\Administrador\Datos de programa\TuneUp Software
2009-08-19 03:21 . 2009-08-19 03:21 -------- d-----w- c:\documents and settings\Administrador\Datos de programa\Malwarebytes
2009-08-19 03:18 . 2009-08-19 03:18 -------- d-----w- c:\documents and settings\Administrador\DoctorWeb
2009-08-19 03:01 . 2009-08-19 03:01 -------- d-sh--w- c:\documents and settings\Default User\IETldCache
2009-08-19 02:52 . 2009-08-19 02:52 -------- d-----w- c:\documents and settings\Zet\DoctorWeb
2009-08-19 02:40 . 2009-08-19 02:40 -------- d-----w- c:\documents and settings\Zet\Datos de programa\Malwarebytes
2009-08-19 02:40 . 2009-08-03 17:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-19 02:40 . 2009-08-19 02:40 -------- d-----w- c:\archivos de programa\Malwarebytes' Anti-Malware
2009-08-19 02:40 . 2009-08-19 02:40 -------- d-----w- c:\docume~1\ALLUSE~1\DATOSD~1\Malwarebytes
2009-08-19 02:40 . 2009-08-03 17:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-19 02:32 . 2009-08-19 02:34 -------- d-----w- c:\archivos de programa\CCleaner
2009-08-18 21:08 . 2009-08-18 21:08 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-08-18 19:27 . 2009-08-18 19:27 -------- d-----w- c:\docume~1\ALLUSE~1\DATOSD~1\Blizzard
2009-08-18 19:14 . 2009-08-18 19:14 -------- d-----w- c:\documents and settings\Zet\Datos de programa\DragonicaSCB
2009-08-18 15:35 . 2009-07-10 13:27 1315328 -c----w- c:\windows\system32\dllcache\msoe.dll
2009-08-05 09:00 . 2009-08-05 09:00 205312 -c----w- c:\windows\system32\dllcache\mswebdvd.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-20 06:56 . 2009-03-31 20:49 -------- d-----w- c:\docume~1\ALLUSE~1\DATOSD~1\Microsoft Help
2009-08-20 06:54 . 2009-06-27 21:47 -------- d-----w- c:\documents and settings\Zet\Datos de programa\.purple
2009-08-19 09:58 . 2009-02-02 20:16 -------- d-----w- c:\documents and settings\Zet\Datos de programa\uTorrent
2009-08-19 09:18 . 2009-03-12 02:19 -------- d-----w- c:\docume~1\ALLUSE~1\DATOSD~1\Spybot - Search & Destroy
2009-08-19 03:36 . 2002-09-10 14:00 655714 ----a-w- c:\windows\system32\perfh00A.dat
2009-08-19 03:36 . 2002-09-10 14:00 149580 ----a-w- c:\windows\system32\perfc00A.dat
2009-08-19 03:13 . 2009-03-22 14:25 -------- d-----w- c:\archivos de programa\Microsoft Silverlight
2009-08-18 22:05 . 2009-03-22 14:34 -------- d-----w- c:\archivos de programa\Spybot - Search & Destroy Updated
2009-08-18 21:00 . 2009-07-10 02:24 -------- d-----w- c:\archivos de programa\ESET
2009-08-05 09:00 . 2004-08-19 15:42 205312 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-17 19:03 . 2004-08-19 15:41 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-16 07:00 . 2009-07-15 19:48 -------- d---a-w- c:\docume~1\ALLUSE~1\DATOSD~1\TEMP
2009-07-15 19:51 . 2009-07-15 19:47 -------- d-----w- c:\archivos de programa\AoA Audio Extractor
2009-07-14 23:24 . 2009-01-29 17:49 -------- d--h--w- c:\archivos de programa\InstallShield Installation Information
2009-07-14 23:20 . 2009-07-14 23:20 -------- d-----w- c:\archivos de programa\Microsoft Visual Studio .NET
2009-07-14 20:56 . 2009-02-14 17:03 -------- d-----w- c:\documents and settings\Zet\Datos de programa\mIRC
2009-07-14 18:29 . 2009-02-14 17:03 -------- d-----w- c:\archivos de programa\mIRC
2009-07-14 17:44 . 2009-06-23 22:45 -------- d-----w- c:\documents and settings\Zet\Datos de programa\teamspeak2
2009-07-14 03:43 . 2004-08-19 15:42 286208 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-13 01:24 . 2009-06-27 21:47 -------- d-----w- c:\documents and settings\Zet\Datos de programa\gtk-2.0
2009-07-10 02:06 . 2009-07-10 01:57 -------- d-----w- c:\documents and settings\Administrador\Datos de programa\BitDefender
2009-07-10 00:49 . 2009-07-10 00:44 -------- d-----w- c:\docume~1\ALLUSE~1\DATOSD~1\BitDefender
2009-07-10 00:44 . 2009-07-10 00:43 -------- d-----w- c:\archivos de programa\Archivos comunes\BitDefender
2009-07-09 23:59 . 2009-03-12 03:28 -------- d-----w- c:\archivos de programa\USB Disk Security
2009-07-09 14:20 . 2009-07-09 14:20 -------- d-----w- c:\archivos de programa\You Ripper
2009-07-07 23:11 . 2009-01-31 15:13 -------- d-----w- c:\documents and settings\Zet\Datos de programa\LimeWire
2009-07-05 17:12 . 2009-01-29 19:08 -------- d-----w- c:\archivos de programa\QT Lite
2009-07-03 16:57 . 2004-08-19 15:42 915456 ----a-w- c:\windows\system32\wininet.dll
2009-07-02 22:28 . 2009-01-29 19:08 -------- d-----w- c:\docume~1\ALLUSE~1\DATOSD~1\Apple Computer
2009-07-02 22:28 . 2009-07-02 22:28 -------- d-----w- c:\archivos de programa\Apple Software Update
2009-07-02 22:28 . 2009-07-02 22:28 -------- d-----w- c:\docume~1\ALLUSE~1\DATOSD~1\Apple
2009-07-02 15:55 . 2009-01-29 19:08 -------- d-----w- c:\archivos de programa\CyberLink
2009-06-27 21:46 . 2009-06-27 21:43 -------- d-----w- c:\archivos de programa\Pidgin
2009-06-27 21:43 . 2009-06-27 21:43 -------- d-----w- c:\archivos de programa\Archivos comunes\GTK
2009-06-23 22:45 . 2009-06-23 22:44 -------- d-----w- c:\archivos de programa\Teamspeak2_RC2
2009-06-23 02:03 . 2009-06-23 02:03 -------- d-----w- c:\documents and settings\Zet\Datos de programa\Magna
2009-06-16 14:39 . 2004-08-19 15:42 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-16 14:39 . 2002-09-10 14:00 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-10 14:14 . 2004-08-19 15:41 85504 ----a-w- c:\windows\system32\avifil32.dll
2009-06-10 13:21 . 2009-01-29 17:39 2066432 ----a-w- c:\windows\system32\mstscax.dll
2009-06-10 06:15 . 2004-08-19 15:42 132096 ----a-w- c:\windows\system32\wkssvc.dll
2009-06-03 19:10 . 2004-08-19 15:42 1297408 ----a-w- c:\windows\system32\quartz.dll
2009-05-31 21:47 . 2009-05-31 21:47 604416 ----a-w- c:\windows\system32\TUProgSt.exe
2009-05-31 21:47 . 2009-05-31 21:47 361216 ----a-w- c:\windows\system32\TuneUpDefragService.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TuneUp MemOptimizer"="c:\archivos de programa\TuneUp Utilities 2009\MemOptimizer.exe" [2009-04-27 163072]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-10-07 13574144]
"USB Antivirus"="c:\archivos de programa\USB Disk Security\USBGuard.exe" [2008-09-23 798720]
"egui"="c:\archivos de programa\ESET\ESET Smart Security\egui.exe" [2009-02-06 2021400]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"MaxRecentDocs"= 11 (0xb)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"=hex(2):58,50,69,7a,65,5f,4c,6f,67,6f,6e,2e,65,78,65,00

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\wbsys.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk /p \??\i:\0autocheck autochk /p \??\i:\0autocheck autochk /r \??\i:\0autocheck autochk *\0lsdelete

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\rootrepeal.sys]
@=""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Google Update"="c:\documents and settings\Zet\Configuración local\Datos de programa\Google\Update\GoogleUpdate.exe" /c
"TaskSwitchXP"=c:\archivos de programa\TaskSwitchXP\TaskSwitchXP.exe
"SpybotSD TeaTimer"=c:\archivos de programa\Spybot - Search & Destroy Updated\TeaTimer.exe
"SoftAuto.exe"="c:\archivos de programa\Creative\Software Update 3\SoftAuto.exe"
"CTZDetec.exe"=c:\archivos de programa\Creative\Creative Media Lite\CTZDetec.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"mouseElf"=c:\archiv~1\SCROLL~1\MouseElf.EXE
"Tweak UI"=RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
"UnlockerAssistant"="c:\archivos de programa\Unlocker\UnlockerAssistant.exe" -H
"nwiz"=nwiz.exe /install
"NvMediaCenter"=RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
"NvCplDaemon"=RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
"SunJavaUpdateSched"="c:\archivos de programa\Java\jre6\bin\jusched.exe"
"KernelFaultCheck"=%systemroot%\system32\dumprep 0 -k
"googletalk"=c:\archivos de programa\Google\Google Talk\googletalk.exe /autostart
"RTHDCPL"=RTHDCPL.EXE
"Alcmtr"=ALCMTR.EXE
"egui"="c:\archivos de programa\ESET\ESET Smart Security\egui.exe" /hide /waitservice

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Archivos de programa\\Google\\Google Talk\\googletalk.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Archivos de programa\\LimeWire\\LimeWire.exe"=
"c:\\Archivos de programa\\uTorrent\\utorrent.exe"=
"c:\\Archivos de programa\\Mozilla Firefox\\firefox.exe"=
"c:\\Archivos de programa\\Java\\jre6\\bin\\java.exe"=
"c:\\Archivos de programa\\Skype\\Phone\\Skype.exe"=
"c:\\Archivos de programa\\mIRC\\mirc.exe"=
"c:\\Archivos de programa\\Opera\\opera.exe"=
"c:\\Archivos de programa\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Archivos de programa\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Archivos de programa\\Windows Live\\Sync\\WindowsLiveSync.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [19/08/2009 06:06 a.m. 64160]
R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [06/02/2009 02:23 p.m. 106208]
R2 ekrn;ESET Service;c:\archivos de programa\ESET\ESET Smart Security\ekrn.exe [06/02/2009 02:23 p.m. 727720]
R2 OracleServiceXE;OracleServiceXE;c:\oraclexe\app\oracle\product\10.2.0\server\bin\ORACLE.EXE XE --> c:\oraclexe\app\oracle\product\10.2.0\server\bin\ORACLE.EXE XE [?]
R2 OracleXETNSListener;OracleXETNSListener;c:\oraclexe\app\oracle\product\10.2.0\server\BIN\TNSLSNR.EXE [02/02/2006 12:49 a.m. 204800]
R2 TuneUp.ProgramStatisticsSvc;TuneUp Program Statistics Service;c:\windows\system32\TUProgSt.exe [31/05/2009 05:47 p.m. 604416]
R3 genmcmnUSB;USB Scroll Mouse Driver;c:\windows\system32\drivers\gflmouhid.sys [29/01/2009 02:32 p.m. 6656]
S2 BDVEDISK;BDVEDISK;\??\c:\archivos de programa\BitDefender\BitDefender 2009\BDVEDISK.sys --> c:\archivos de programa\BitDefender\BitDefender 2009\BDVEDISK.sys [?]
S2 MsDtsServer;SQL Server Integration Services;c:\archivos de programa\Microsoft SQL Server\90\DTS\Binn\MsDtsSrvr.exe [14/10/2005 03:45 a.m. 199384]
S2 NOD32FiXTemDono;Eset Nod32 Boot;c:\windows\system32\regedt32.exe [10/09/2002 10:00 a.m. 18944]
S2 oxakajts;PCI Bus za4a0 Helper;c:\windows\System32\svchost.exe -k netsvcs [19/08/2004 11:43 a.m. 14336]
S3 gHidPnp;USB Device Enhanced Function Driver;c:\windows\system32\Drivers\gHidPnp.Sys --> c:\windows\system32\Drivers\gHidPnp.Sys [?]
S3 gMouUsb;USB Mouse Device Drv;c:\windows\system32\DRIVERS\gMouUsb.sys --> c:\windows\system32\DRIVERS\gMouUsb.sys [?]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\archivos de programa\Lavasoft\Ad-Aware\AAWService.exe [03/07/2009 10:49 a.m. 1029456]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\archivos de programa\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe [02/12/2006 06:17 a.m. 2805000]
S4 OracleJobSchedulerXE;OracleJobSchedulerXE;c:\oraclexe\app\oracle\product\10.2.0\server\Bin\extjob.exe XE --> c:\oraclexe\app\oracle\product\10.2.0\server\Bin\extjob.exe XE [?]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
oxakajts
UxTuneUp

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
- - - - ORPHANS REMOVED - - - -

BHO-{A79629CE-A690-42C2-A4C3-A4B43D0AC881} - (no file)


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.microsoft.com
mStart Page = hxxp://www.microsoft.com
mWindow Title = Microsoft Internet Explorer
IE: Download with ImTOO YouTube Video Converter - c:\archivos de programa\ImTOO\YouTube Video Converter\upod_link.HTM
IE: E&xport to Microsoft Excel - c:\archiv~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: E&xportar a Microsoft Excel - c:\archiv~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\docume~1\Zet\DATOSD~1\Mozilla\Firefox\Profiles\p6wxuo0i.default\
FF - plugin: c:\archivos de programa\Windows Live\Photo Gallery\NPWLPG.dll

---- FIREFOX POLICIES ----
FF - user.js: network.http.max-persistent-connections-per-server - 4
FF - user.js: nglayout.initialpaint.delay - 600
FF - user.js: content.notify.interval - 600000
FF - user.js: content.max.tokenizing.time - 1800000
FF - user.js: content.switch.threshold - 600000
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-20 09:06
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\msftesql]
"ImagePath"="\"c:\archivos de programa\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\msftesql.exe\" -s:MSSQL.1 -f:MSSQLSERVER"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-776561741-2049760794-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID]
@Denied: (Full) (LocalSystem)

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\h–€|ÿÿÿÿ¤•€|ù•9~*]
"A0C0110900063D11C8EF10054038389C"="C?\\WINDOWS\\system32\\FM20ENU.DLL"
.
Completion time: 2009-08-20 9:08
ComboFix-quarantined-files.txt 2009-08-20 13:08

Pre-Run: 9.255.424.000 bytes libres
Post-Run: 9.882.087.424 bytes libres

Current=3 Default=3 Failed=1 LastKnownGood=4 Sets=1,2,3,4
259 --- E O F --- 2009-07-16 02:08

#4 Rorschach112

  • Ralphie
  • Group: Geek U Moderator
  • Posts: 47,261
  • Joined: 23-March 07
  • Location: Dublin
  • Operating System: XP

Posted 20 August 2009 - 11:42 AM

Hi

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

Quote

File::

Folder::

Registry::



Driver::
oxakajts


NetSvc::
oxakajts

KillAll::


Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.
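The CFScript above targets oxakajts, which the first log lists as an S2 service running inside svchost's netsvcs group under the nonsense display name "PCI Bus za4a0 Helper", next to the five kbiwkm* files ComboFix already deleted from system32. As an added example (not part of this thread and not ComboFix's own code), the Python script below pulls those two indicators out of a ComboFix log; the XP netsvcs allowlist in it is written from memory and is an assumption to verify against a clean system, and the sample log is an excerpt assembled from the lines posted in this thread.

```python
"""Triage heuristics for a ComboFix log (added example, not ComboFix code).

Two checks taken from the logs in this thread:
  1. members of svchost's "netsvcs" group (listed under "Svchost - NetSvcs")
     that are not on a known-good list, e.g. "oxakajts";
  2. system32 files whose long, letters-only names share a common prefix
     (kbiwkm* in the first log), the footprint of a file-dropping rootkit.
Every hit is a review item for the helper, not a verdict: legitimate
third-party services such as TuneUp's UxTuneUp are flagged as well.
"""
import re
from collections import defaultdict

# Excerpt assembled from the ComboFix lines posted in this thread (constructed sample).
SAMPLE_LOG = r"""
c:\windows\system32\drivers\kbiwkmqjpwswul.sys
c:\windows\system32\kbiwkmcwbpsmmi.dat
c:\windows\system32\kbiwkmqskymrxn.dll
c:\windows\system32\kbiwkmshuextax.dat
c:\windows\system32\kbiwkmxrxuxysr.dll
c:\windows\system32\lsdelete.exe

R2 ekrn;ESET Service;c:\archivos de programa\ESET\ESET Smart Security\ekrn.exe [06/02/2009 02:23 p.m. 727720]
S2 NOD32FiXTemDono;Eset Nod32 Boot;c:\windows\system32\regedt32.exe [10/09/2002 10:00 a.m. 18944]
S2 oxakajts;PCI Bus za4a0 Helper;c:\windows\System32\svchost.exe -k netsvcs [19/08/2004 11:43 a.m. 14336]
S3 gHidPnp;USB Device Enhanced Function Driver;c:\windows\system32\Drivers\gHidPnp.Sys --> c:\windows\system32\Drivers\gHidPnp.Sys [?]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
oxakajts
UxTuneUp

"""

# Partial allowlist of netsvcs members on a default Windows XP SP3 install,
# written from memory for this example (assumption: verify on a clean box).
XP_NETSVCS_DEFAULTS = {
    "6to4", "appmgmt", "audiosrv", "browser", "cryptsvc", "dmserver", "dhcp",
    "ersvc", "eventsystem", "fastuserswitchingcompatibility", "hidserv", "ias",
    "iprip", "irmon", "lanmanserver", "lanmanworkstation", "messenger", "netman",
    "nla", "ntmssvc", "nwcworkstation", "nwsapagent", "rasauto", "rasman",
    "remoteaccess", "schedule", "seclogon", "sens", "sharedaccess", "srservice",
    "tapisrv", "themes", "trkwks", "w32time", "wzcsvc", "wmi", "wmdmpmsp",
    "winmgmt", "wscsvc", "xmlprov", "bits", "wuauserv", "shellhwdetection",
    "helpsvc", "uploadmgr", "wmdmpmsn",
}

# ComboFix service line: "<R|S><n> <name>;<display name>;<image path> [date size]"
SERVICE_RE = re.compile(r"^(?P<start>[RS]\d) (?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.*)$")
# A file under system32 (or system32\drivers) with a letters-only stem.
SYS32_RE = re.compile(r"c:\\windows\\system32\\(?:drivers\\)?([a-z]+)\.(?:sys|dll|dat|exe)\b")


def parse_services(log_text):
    """Return {name: (start_type, display_name, image_path)} for R*/S* lines."""
    services = {}
    for line in log_text.splitlines():
        m = SERVICE_RE.match(line.strip())
        if m:
            # ComboFix appends " [date size]" or " [?]"; drop that suffix.
            image = m.group("rest").rsplit(" [", 1)[0]
            services[m.group("name")] = (m.group("start"), m.group("display"), image)
    return services


def parse_netsvcs(log_text):
    """Return the service names listed under the 'Svchost - NetSvcs' heading."""
    names, in_block = [], False
    for line in log_text.splitlines():
        s = line.strip()
        if s.endswith("Svchost - NetSvcs"):
            in_block = True
        elif in_block:
            if not s:
                break          # blank line ends the block
            names.append(s)
    return names


def suspicious_netsvcs(log_text):
    """netsvcs members not on the allowlist, joined with their service line if any."""
    services = parse_services(log_text)
    hits = []
    for name in parse_netsvcs(log_text):
        if name.lower() not in XP_NETSVCS_DEFAULTS:
            start, display, image = services.get(name, ("?", "?", "?"))
            hits.append({"name": name, "start": start, "display": display, "image": image})
    return hits


def random_prefix_groups(log_text, prefix_len=6, min_group=3, min_len=12):
    """Group long letters-only system32 file names by prefix; keep groups of min_group+."""
    groups = defaultdict(list)
    for line in log_text.splitlines():
        m = SYS32_RE.search(line.strip().lower())
        if m and len(m.group(1)) >= min_len:
            groups[m.group(1)[:prefix_len]].append(m.group(0))
    return {p: files for p, files in groups.items() if len(files) >= min_group}


def triage(log_text):
    return {"netsvcs": suspicious_netsvcs(log_text), "prefix_groups": random_prefix_groups(log_text)}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for e in result["netsvcs"]:
        print(f"review netsvcs member {e['name']!r}: {e['display']!r} -> {e['image']}")
    for prefix, files in result["prefix_groups"].items():
        print(f"{len(files)} system32 files share prefix {prefix!r}:", *files, sep="\n    ")
```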

#5 Zet

  • Member
  • Group: Member
  • Posts: 19
  • Joined: 20-August 09
  • Operating System: XP

Posted 20 August 2009 - 04:46 PM

I'm about to do that right now.
After that thing I did in the first post with ComboFix, ESET SS4 doesn't say the virus is on the computer anymore, and neither do the other programs I mentioned above; but I still can't log into MSN with Windows Live Messenger, though I can with, i.e., Pidgin.

And my USB drives are still without format, but when I plug them into other computers it says they're OK. ;S
I'll post the log in a sec, be right back.

#6 Zet

  • Member
  • Group: Member
  • Posts: 19
  • Joined: 20-August 09
  • Operating System: XP

Posted 20 August 2009 - 05:12 PM

ComboFix 09-08-19.0C - Zet 20/08/2009 19:11.2.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.591.3082.18.2047.1496 [GMT -4:00]
Running from: f:\instaladores imagenes old 60\Instaladores\Combo-Fix.exe
Command switches used :: f:\instaladores imagenes old 60\Instaladores\CFScript.txt
AV: BitDefender Antivirus *On-access scanning disabled* (Outdated) {6C4BB89C-B0ED-4F41-A29C-4373888923BB}
AV: ESET Smart Security 4.0 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
FW: BitDefender Cortafuego *disabled* {4055920F-2E99-48A8-A270-4243D2B8F242}
FW: Cortafuegos personal de ESET *disabled* {E5E70D32-0101-4340-86A3-A7B0F1C8FFE0}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_OXAKAJTS
-------\Service_oxakajts


((((((((((((((((((((((((( Files Created from 2009-07-20 to 2009-08-20 )))))))))))))))))))))))))))))))
.

2009-08-19 14:21 . 2009-08-19 14:21 1201 ----a-w- c:\documents and settings\Zet\Datos de programa\.purple\certificates\x509\tls_peers\login.facebook.com
2009-08-19 12:13 . 2009-07-03 14:49 15688 ----a-w- c:\windows\system32\lsdelete.exe
2009-08-19 10:06 . 2009-07-03 14:49 64160 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-08-19 10:00 . 2009-08-19 10:00 -------- dc-h--w- c:\documents and settings\All Users\Datos de programa\{EF63305C-BAD7-4144-9208-D65528260864}
2009-08-19 10:00 . 2009-07-08 17:28 2920112 -c--a-w- c:\documents and settings\All Users\Datos de programa\{EF63305C-BAD7-4144-9208-D65528260864}\Ad-AwareAE.exe
2009-08-19 09:59 . 2009-08-19 10:06 -------- d-----w- c:\documents and settings\All Users\Datos de programa\Lavasoft
2009-08-19 09:59 . 2009-08-19 09:59 -------- d-----w- c:\archivos de programa\Lavasoft
2009-08-19 03:29 . 2009-08-19 03:29 -------- d-----w- c:\documents and settings\Administrador\Datos de programa\TuneUp Software
2009-08-19 03:21 . 2009-08-19 03:21 -------- d-----w- c:\documents and settings\Administrador\Datos de programa\Malwarebytes
2009-08-19 03:18 . 2009-08-19 03:18 -------- d-----w- c:\documents and settings\Administrador\DoctorWeb
2009-08-19 03:01 . 2009-08-19 03:01 -------- d-sh--w- c:\documents and settings\Default User\IETldCache
2009-08-19 02:52 . 2009-08-19 02:52 -------- d-----w- c:\documents and settings\Zet\DoctorWeb
2009-08-19 02:40 . 2009-08-19 02:40 -------- d-----w- c:\documents and settings\Zet\Datos de programa\Malwarebytes
2009-08-19 02:40 . 2009-08-03 17:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-19 02:40 . 2009-08-19 02:40 -------- d-----w- c:\archivos de programa\Malwarebytes' Anti-Malware
2009-08-19 02:40 . 2009-08-19 02:40 -------- d-----w- c:\documents and settings\All Users\Datos de programa\Malwarebytes
2009-08-19 02:40 . 2009-08-03 17:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-19 02:32 . 2009-08-19 02:34 -------- d-----w- c:\archivos de programa\CCleaner
2009-08-18 21:08 . 2009-08-18 21:08 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-08-18 19:27 . 2009-08-18 19:27 -------- d-----w- c:\documents and settings\All Users\Datos de programa\Blizzard
2009-08-18 19:14 . 2009-08-18 19:14 -------- d-----w- c:\documents and settings\Zet\Datos de programa\DragonicaSCB
2009-08-18 15:35 . 2009-07-10 13:27 1315328 -c----w- c:\windows\system32\dllcache\msoe.dll
2009-08-05 09:00 . 2009-08-05 09:00 205312 -c----w- c:\windows\system32\dllcache\mswebdvd.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-20 06:56 . 2009-03-31 20:49 -------- d-----w- c:\documents and settings\All Users\Datos de programa\Microsoft Help
2009-08-20 06:54 . 2009-06-27 21:47 -------- d-----w- c:\documents and settings\Zet\Datos de programa\.purple
2009-08-19 09:58 . 2009-02-02 20:16 -------- d-----w- c:\documents and settings\Zet\Datos de programa\uTorrent
2009-08-19 09:18 . 2009-03-12 02:19 -------- d-----w- c:\documents and settings\All Users\Datos de programa\Spybot - Search & Destroy
2009-08-19 03:36 . 2002-09-10 14:00 655714 ----a-w- c:\windows\system32\perfh00A.dat
2009-08-19 03:36 . 2002-09-10 14:00 149580 ----a-w- c:\windows\system32\perfc00A.dat
2009-08-19 03:13 . 2009-03-22 14:25 -------- d-----w- c:\archivos de programa\Microsoft Silverlight
2009-08-18 22:05 . 2009-03-22 14:34 -------- d-----w- c:\archivos de programa\Spybot - Search & Destroy Updated
2009-08-18 21:00 . 2009-07-10 02:24 -------- d-----w- c:\archivos de programa\ESET
2009-08-05 09:00 . 2004-08-19 15:42 205312 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-17 19:03 . 2004-08-19 15:41 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-16 07:00 . 2009-07-15 19:48 -------- d---a-w- c:\documents and settings\All Users\Datos de programa\TEMP
2009-07-15 19:51 . 2009-07-15 19:47 -------- d-----w- c:\archivos de programa\AoA Audio Extractor
2009-07-14 23:24 . 2009-01-29 17:49 -------- d--h--w- c:\archivos de programa\InstallShield Installation Information
2009-07-14 23:20 . 2009-07-14 23:20 -------- d-----w- c:\archivos de programa\Microsoft Visual Studio .NET
2009-07-14 20:56 . 2009-02-14 17:03 -------- d-----w- c:\documents and settings\Zet\Datos de programa\mIRC
2009-07-14 18:29 . 2009-02-14 17:03 -------- d-----w- c:\archivos de programa\mIRC
2009-07-14 17:44 . 2009-06-23 22:45 -------- d-----w- c:\documents and settings\Zet\Datos de programa\teamspeak2
2009-07-14 03:43 . 2004-08-19 15:42 286208 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-13 02:22 . 2009-07-13 02:22 2141 ----a-w- c:\documents and settings\Zet\Datos de programa\.purple\certificates\x509\tls_peers\omega.contacts.msn.com
2009-07-13 01:24 . 2009-06-27 21:47 -------- d-----w- c:\documents and settings\Zet\Datos de programa\gtk-2.0
2009-07-12 22:48 . 2009-07-12 22:48 2095 ----a-w- c:\documents and settings\Zet\Datos de programa\.purple\certificates\x509\tls_peers\login.live.com
2009-07-10 02:06 . 2009-07-10 01:57 -------- d-----w- c:\documents and settings\Administrador\Datos de programa\BitDefender
2009-07-10 00:49 . 2009-07-10 00:44 -------- d-----w- c:\documents and settings\All Users\Datos de programa\BitDefender
2009-07-10 00:44 . 2009-07-10 00:43 -------- d-----w- c:\archivos de programa\Archivos comunes\BitDefender
2009-07-09 23:59 . 2009-03-12 03:28 -------- d-----w- c:\archivos de programa\USB Disk Security
2009-07-09 23:30 . 2009-07-09 23:30 2165 ----a-w- c:\documents and settings\Zet\Datos de programa\.purple\certificates\x509\tls_peers\rsi.hotmail.com
2009-07-09 14:20 . 2009-07-09 14:20 -------- d-----w- c:\archivos de programa\You Ripper
2009-07-07 23:11 . 2009-01-31 15:13 -------- d-----w- c:\documents and settings\Zet\Datos de programa\LimeWire
2009-07-05 17:12 . 2009-01-29 19:08 -------- d-----w- c:\archivos de programa\QT Lite
2009-07-03 16:57 . 2004-08-19 15:42 915456 ----a-w- c:\windows\system32\wininet.dll
2009-07-02 22:28 . 2009-01-29 19:08 -------- d-----w- c:\documents and settings\All Users\Datos de programa\Apple Computer
2009-07-02 22:28 . 2009-07-02 22:28 -------- d-----w- c:\archivos de programa\Apple Software Update
2009-07-02 22:28 . 2009-07-02 22:28 -------- d-----w- c:\documents and settings\All Users\Datos de programa\Apple
2009-07-02 15:55 . 2009-01-29 19:08 -------- d-----w- c:\archivos de programa\CyberLink
2009-06-27 23:55 . 2009-06-27 23:55 2145 ----a-w- c:\documents and settings\Zet\Datos de programa\.purple\certificates\x509\tls_peers\ows.messenger.msn.com
2009-06-27 21:50 . 2009-06-27 21:50 1065 ----a-w- c:\documents and settings\Zet\Datos de programa\.purple\certificates\x509\tls_peers\gmail.com
2009-06-27 21:46 . 2009-06-27 21:43 -------- d-----w- c:\archivos de programa\Pidgin
2009-06-27 21:43 . 2009-06-27 21:43 -------- d-----w- c:\archivos de programa\Archivos comunes\GTK
2009-06-23 22:45 . 2009-06-23 22:44 -------- d-----w- c:\archivos de programa\Teamspeak2_RC2
2009-06-23 02:03 . 2009-06-23 02:03 -------- d-----w- c:\documents and settings\Zet\Datos de programa\Magna
2009-06-16 14:39 . 2004-08-19 15:42 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-16 14:39 . 2002-09-10 14:00 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-10 14:14 . 2004-08-19 15:41 85504 ----a-w- c:\windows\system32\avifil32.dll
2009-06-10 13:21 . 2009-01-29 17:39 2066432 ----a-w- c:\windows\system32\mstscax.dll
2009-06-10 06:15 . 2004-08-19 15:42 132096 ----a-w- c:\windows\system32\wkssvc.dll
2009-06-03 19:10 . 2004-08-19 15:42 1297408 ----a-w- c:\windows\system32\quartz.dll
2009-05-31 21:47 . 2009-05-31 21:47 604416 ----a-w- c:\windows\system32\TUProgSt.exe
2009-05-31 21:47 . 2009-05-31 21:47 361216 ----a-w- c:\windows\system32\TuneUpDefragService.exe
.

((((((((((((((((((((((((((((( SnapShot@2009-08-20_13.07.04 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-08-20 23:16 . 2009-08-20 23:16 16384 c:\windows\temp\Perflib_Perfdata_1f0.dat
+ 2005-09-23 12:28 . 2005-09-23 12:28 74240 c:\windows\system32\mscories.dll
+ 2005-09-23 12:28 . 2005-09-23 12:28 83456 c:\windows\system32\dfshim.dll
+ 2005-09-23 12:28 . 2005-09-23 12:28 28160 c:\windows\Microsoft.NET\Framework\v2.0.50727\WMINet_Utils.dll
+ 2005-09-23 12:28 . 2005-09-23 12:28 71680 c:\windows\Microsoft.NET\Framework\v2.0.50727\TLBREF.DLL
+ 2005-09-23 12:28 . 2005-09-23 12:28 86016 c:\windows\Microsoft.NET\Framework\v2.0.50727\System.Web.RegularExpressions.dll
+ 2007-04-13 01:21 . 2007-04-13 01:21 47616 c:\windows\Microsoft.NET\Framework\v2.0.50727\System.EnterpriseServices.Thunk.dll
+ 2005-09-23 12:28 . 2005-09-23 12:28 81920 c:\windows\Microsoft.NET\Framework\v2.0.50727\System.Drawing.Design.dll
- 2008-07-25 15:17 . 2008-07-25 15:17 81920 c:\windows\Microsoft.NET\Framework\v2.0.50727\System.Drawing.Design.dll
+ 2005-09-23 12:28 . 2005-09-23 12:28 81920 c:\windows\Microsoft.NET\Framework\v2.0.50727\System.Configuration.Install.dll
- 2008-07-25 15:17 . 2008-07-25 15:17 81920 c:\windows\Microsoft.NET\Framework\v2.0.50727\System.Configuration.Install.dll
+ 2005-09-23 12:29 . 2005-09-23 12:29 85504 c:\windows\Microsoft.NET\Framework\v2.0.50727\ShFusRes.dll
- 2008-07-25 15:17 . 2008-07-25 15:17 32768 c:\windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
+ 2005-09-23 12:28 . 2005-09-23 12:28 32768 c:\windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
+ 2005-09-23 12:28 . 2005-09-23 12:28 53248 c:\windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
- 2008-07-25 15:17 . 2008-07-25 15:17 53248 c:\windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
+ 2005-09-23 12:28 . 2005-09-23 12:28 78336 c:\windows\Microsoft.NET\Framework\v2.0.50727\PerfCounter.dll
+ 2007-04-13 01:21 . 2007-04-13 01:21 15360 c:\windows\Microsoft.NET\Framework\v2.0.50727\normalization.dll
+ 2005-09-23 12:29 . 2005-09-23 12:29 22528 c:\windows\Microsoft.NET\Framework\v2.0.50727\MUI\0409\mscorsecr.dll
+ 2005-09-23 12:28 . 2005-09-23 12:28 10240 c:\windows\Microsoft.NET\Framework\v2.0.50727\mscortim.dll
+ 2005-09-23 12:28 . 2005-09-23 12:28 67072 c:\windows\Microsoft.NET\Framework\v2.0.50727\mscorsec.dll
+ 2005-09-23 12:28 . 2005-09-23 12:28 81408 c:\windows\Microsoft.NET\Framework\v2.0.50727\mscorld.dll
+ 2007-04-13 01:21 . 2007-04-13 01:21 36864 c:\windows\Microsoft.NET\Framework\v2.0.50727\mscorie.dll
+ 2005-09-23 12:28 . 2005-09-23 12:28 73216 c:\windows\Microsoft.NET\Framework\v2.0.50727\mscordbc.dll
- 2008-07-25 15:16 . 2008-07-25 15:16 69632 c:\windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
+ 2005-09-23 12:28 . 2005-09-23 12:28 69632 c:\windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
+ 2007-04-13 01:20 . 2007-04-13 01:20 87040 c:\windows\Microsoft.NET\Framework\v2.0.50727\MmcAspExt.dll
- 2008-07-25 15:16 . 2008-07-25 15:16 12800 c:\windows\Microsoft.NET\Framework\v2.0.50727\Microsoft.Vsa.Vb.CodeDOMProcessor.dll
+ 2005-09-23 12:28 . 2005-09-23 12:28 12800 c:\windows\Microsoft.NET\Framework\v2.0.50727\Microsoft.Vsa.Vb.CodeDOMProcessor.dll
+ 2005-09-23 12:28 . 2005-09-23 12:28 32768 c:\windows\Microsoft.NET\Framework\v2.0.50727\Microsoft.Vsa.dll
- 2008-07-25 15:16 . 2008-07-25 15:16 32768 c:\windows\Microsoft.NET\Framework\v2.0.50727\Microsoft.Vsa.dll
- 2008-07-25 15:16 . 2008-07-25 15:16 28672 c:\windows\Microsoft.NET\Framework\v2.0.50727\Microsoft.VisualBasic.Vsa.dll
+ 2005-09-23 12:28 . 2005-09-23 12:28 28672 c:\windows\Microsoft.NET\Framework\v2.0.50727\Microsoft.VisualBasic.Vsa.dll
+ 2005-09-23 12:28 . 2005-09-23 12:28 73728 c:\windows\Microsoft.NET\Framework\v2.0.50727\Microsoft.Build.Utilities.dll
+ 2005-09-23 12:28 . 2005-09-23 12:28 36864 c:\windows\Microsoft.NET\Framework\v2.0.50727\Microsoft.Build.Framework.dll
- 2008-07-25 15:16 . 2008-07-25 15:16 36864 c:\windows\Microsoft.NET\Framework\v2.0.50727\Microsoft.Build.Framework.dll
+ 2005-09-23 12:28 . 2005-09-23 12:28 40960 c:\windows\Microsoft.NET\Framework\v2.0.50727\jsc.exe
- 2008-07-25 15:16 . 2008-07-25 15:16 40960 c:\windows\Microsoft.NET\Framework\v2.0.50727\jsc.exe
+ 2005-09-23 12:28 . 2005-09-23 12:28 72192 c:\windows\Microsoft.NET\Framework\v2.0.50727\ISymWrapper.dll
- 2008-07-25 15:17 . 2008-07-25 15:17 72192 c:\windows\Microsoft.NET\Framework\v2.0.50727\ISymWrapper.dll
+ 2005-09-23 12:28 . 2005-09-23 12:28 55296 c:\windows\Microsoft.NET\Framework\v2.0.50727\InstallUtilLib.dll
+ 2007-04-13 01:21 . 2007-04-13 01:21 28672 c:\windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
- 2008-07-25 15:17 . 2008-07-25 15:17 28672 c:\windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
+ 2005-09-23 12:28 . 2005-09-23 12:28 36864 c:\windows\Microsoft.NET\Framework\v2.0.50727\IEHost.dll
+ 2005-09-23 12:28 . 2005-09-23 12:28 52736 c:\windows\Microsoft.NET\Framework\v2.0.50727\dfdll.dll
+ 2005-09-23 12:28 . 2005-09-23 12:28 31936 c:\windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
+ 2005-09-23 12:28 . 2005-09-23 12:28 68608 c:\windows\Microsoft.NET\Framework\v2.0.50727\CustomMarshalers.dll
+ 2005-09-23 12:28 . 2005-09-23 12:28 17920 c:\windows\Microsoft.NET\Framework\v2.0.50727\Culture.dll
+ 2005-09-23 12:28 . 2005-09-23 12:28 13312 c:\windows\Microsoft.NET\Framework\v2.0.50727\cscompmgd.dll
- 2008-07-25 15:16 . 2008-07-25 15:16 13312 c:\windows\Microsoft.NET\Framework\v2.0.50727\cscompmgd.dll
+ 2005-09-23 12:28 . 2005-09-23 12:28 76984 c:\windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
+ 2007-04-13 01:21 . 2007-04-13 01:21 88576 c:\windows\Microsoft.NET\Framework\v2.0.50727\CORPerfMonExt.dll
+ 2007-04-13 01:20 . 2007-04-13 01:20 32600 c:\windows\Microsoft.NET\Framework\v2.0.50727\aspnet_wp.exe
+ 2007-04-13 01:20 . 2007-04-13 01:20 33632 c:\windows\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe
+ 2007-04-13 01:20 . 2007-04-13 01:20 32608 c:\windows\Microsoft.NET\Framework\v2.0.50727\aspnet_regiis.exe
+ 2005-09-23 12:28 . 2005-09-23 12:28 13824 c:\windows\Microsoft.NET\Framework\v2.0.50727\aspnet_regbrowsers.exe
+ 2007-04-13 01:20 . 2007-04-13 01:20 75264 c:\windows\Microsoft.NET\Framework\v2.0.50727\aspnet_rc.dll
+ 2007-04-13 01:20 . 2007-04-13 01:20 23552 c:\windows\Microsoft.NET\Framework\v2.0.50727\Aspnet_perf.dll
+ 2007-04-13 01:20 . 2007-04-13 01:20 10752 c:\windows\Microsoft.NET\Framework\v2.0.50727\aspnet_filter.dll
+ 2005-09-23 12:28 . 2005-09-23 12:28 36864 c:\windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe
- 2008-07-25 15:16 . 2008-07-25 15:16 36864 c:\windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe
+ 2007-04-13 01:21 . 2007-04-13 01:21 58712 c:\windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
+ 2005-09-23 12:28 . 2005-09-23 12:28 87552 c:\windows\Microsoft.NET\Framework\v2.0.50727\alink.dll
- 2008-07-25 15:17 . 2008-07-25 15:17 10752 c:\windows\Microsoft.NET\Framework\v2.0.50727\Accessibility.dll
+ 2005-09-23 12:28 . 2005-09-23 12:28 10752 c:\windows\Microsoft.NET\Framework\v2.0.50727\Accessibility.dll
+ 2005-09-23 12:28 . 2005-09-23 12:28 18944 c:\windows\Microsoft.NET\Framework\v2.0.50727\1033\alinkui.dll
+ 2005-09-23 12:28 . 2005-09-23 12:28 86528 c:\windows\Microsoft.NET\Framework\v1.0.3705\mscormmc.dll
+ 2005-09-23 12:28 . 2005-09-23 12:28 72704 c:\windows\Microsoft.NET\Framework\NETFXSBS10.exe
+ 2006-12-22 11:02 . 2006-12-22 11:02 6144 c:\windows\system32\mui\0409\mscorees.dll
+ 2005-09-23 12:28 . 2005-09-23 12:28 9216 c:\windows\Microsoft.NET\Framework\v2.0.50727\mscorsn.dll
- 2008-07-25 15:16 . 2008-07-25 15:16 7168 c:\windows\Microsoft.NET\Framework\v2.0.50727\Microsoft_VsaVb.dll
+ 2005-09-23 12:28 . 2005-09-23 12:28 7168 c:\windows\Microsoft.NET\Framework\v2.0.50727\Microsoft_VsaVb.dll
+ 2005-09-23 12:28 . 2005-09-23 12:28 5632 c:\windows\Microsoft.NET\Framework\v2.0.50727\IIEHost.dll
+ 2005-09-23 12:28 . 2005-09-23 12:28 8192 c:\windows\Microsoft.NET\Framework\v2.0.50727\IEExecRemote.dll
- 2008-07-25 15:17 . 2008-07-25 15:17 8192 c:\windows\Microsoft.NET\Framework\v2.0.50727\IEExecRemote.dll
+ 2007-04-13 01:21 . 2007-04-13 01:21 9728 c:\windows\Microsoft.NET\Framework\v2.0.50727\IEExec.exe
- 2008-07-25 15:17 . 2008-07-25 15:17 9728 c:\windows\Microsoft.NET\Framework\v2.0.50727\IEExec.exe
+ 2007-04-13 01:20 . 2007-04-13 01:20 5120 c:\windows\Microsoft.NET\Framework\v2.0.50727\dfsvc.exe
- 2008-07-25 15:16 . 2008-07-25 15:16 5120 c:\windows\Microsoft.NET\Framework\v2.0.50727\dfsvc.exe
+ 2007-04-13 01:20 . 2007-04-13 01:20 8192 c:\windows\Microsoft.NET\Framework\v2.0.50727\aspnet_isapi.dll
+ 2005-09-23 12:28 . 2005-09-23 12:28 4608 c:\windows\Microsoft.NET\Framework\v2.0.50727\1033\CvtResUI.dll
+ 2005-09-23 12:28 . 2005-09-23 12:28 7680 c:\windows\Microsoft.NET\Framework\SharedReg12.dll
+ 2005-09-23 12:28 . 2005-09-23 12:28 7680 c:\windows\Microsoft.NET\Framework\sbscmp20_perfcounter.dll
+ 2005-09-23 12:28 . 2005-09-23 12:28 150016 c:\windows\system32\mscorier.dll
+ 2009-04-02 03:51 . 2009-08-20 23:16 215033 c:\windows\system32\inetsrv\MetaBase.bin
- 2009-04-02 03:51 . 2009-08-20 13:00 215033 c:\windows\system32\inetsrv\MetaBase.bin
+ 2007-04-13 01:20 . 2007-04-13 01:20 406016 c:\windows\Microsoft.NET\Framework\v2.0.50727\webengine.dll
+ 2005-09-23 12:28 . 2005-09-23 12:28 823296 c:\windows\Microsoft.NET\Framework\v2.0.50727\System.Web.Services.dll
+ 2005-09-23 12:28 . 2005-09-23 12:28 835584 c:\windows\Microsoft.NET\Framework\v2.0.50727\System.Web.Mobile.dll
- 2008-07-25 15:17 . 2008-07-25 15:17 835584 c:\windows\Microsoft.NET\Framework\v2.0.50727\System.Web.Mobile.dll
+ 2007-04-13 01:21 . 2007-04-13 01:21 260096 c:\windows\Microsoft.NET\Framework\v2.0.50727\System.Transactions.dll
+ 2005-09-23 12:28 . 2005-09-23 12:28 131072 c:\windows\Microsoft.NET\Framework\v2.0.50727\System.Runtime.Serialization.Formatters.Soap.dll
- 2008-07-25 15:17 . 2008-07-25 15:17 131072 c:\windows\Microsoft.NET\Framework\v2.0.50727\System.Runtime.Serialization.Formatters.Soap.dll
+ 2007-04-13 01:21 . 2007-04-13 01:21 299008 c:\windows\Microsoft.NET\Framework\v2.0.50727\System.Runtime.Remoting.dll
- 2008-07-25 15:17 . 2008-07-25 15:17 258048 c:\windows\Microsoft.NET\Framework\v2.0.50727\System.Messaging.dll
+ 2005-09-23 12:28 . 2005-09-23 12:28 258048 c:\windows\Microsoft.NET\Framework\v2.0.50727\System.Messaging.dll
- 2008-07-25 15:17 . 2008-07-25 15:17 372736 c:\windows\Microsoft.NET\Framework\v2.0.50727\System.Management.dll
+ 2007-04-13 01:21 . 2007-04-13 01:21 372736 c:\windows\Microsoft.NET\Framework\v2.0.50727\System.Management.dll
+ 2007-04-13 01:21 . 2007-04-13 01:21 114176 c:\windows\Microsoft.NET\Framework\v2.0.50727\System.EnterpriseServices.Wrapper.dll
- 2008-07-25 15:17 . 2008-07-25 15:17 258048 c:\windows\Microsoft.NET\Framework\v2.0.50727\System.EnterpriseServices.dll
+ 2007-04-13 01:21 . 2007-04-13 01:21 258048 c:\windows\Microsoft.NET\Framework\v2.0.50727\System.EnterpriseServices.dll
+ 2007-04-13 01:21 . 2007-04-13 01:21 577536 c:\windows\Microsoft.NET\Framework\v2.0.50727\System.Drawing.dll
+ 2007-04-13 01:21 . 2007-04-13 01:21 188416 c:\windows\Microsoft.NET\Framework\v2.0.50727\System.DirectoryServices.Protocols.dll
- 2008-07-25 15:17 . 2008-07-25 15:17 188416 c:\windows\Microsoft.NET\Framework\v2.0.50727\System.DirectoryServices.Protocols.dll
+ 2005-09-23 12:28 . 2005-09-23 12:28 397312 c:\windows\Microsoft.NET\Framework\v2.0.50727\System.DirectoryServices.dll
+ 2007-04-13 01:21 . 2007-04-13 01:21 716800 c:\windows\Microsoft.NET\Framework\v2.0.50727\System.Data.SqlXml.dll
+ 2007-04-13 01:21 . 2007-04-13 01:21 482304 c:\windows\Microsoft.NET\Framework\v2.0.50727\System.Data.OracleClient.dll
- 2008-07-25 15:17 . 2008-07-25 15:17 110592 c:\windows\Microsoft.NET\Framework\v2.0.50727\sysglobl.dll
+ 2007-04-13 01:21 . 2007-04-13 01:21 110592 c:\windows\Microsoft.NET\Framework\v2.0.50727\sysglobl.dll
+ 2007-04-13 01:21 . 2007-04-13 01:21 382464 c:\windows\Microsoft.NET\Framework\v2.0.50727\SOS.dll
+ 2005-09-23 12:28 . 2005-09-23 12:28 107520 c:\windows\Microsoft.NET\Framework\v2.0.50727\shfusion.dll
+ 2007-04-13 01:21 . 2007-04-13 01:21 136192 c:\windows\Microsoft.NET\Framework\v2.0.50727\peverify.dll
+ 2005-09-23 12:29 . 2005-09-23 12:29 330752 c:\windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll
+ 2005-09-23 12:28 . 2005-09-23 12:28 288768 c:\windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll
+ 2007-04-13 01:21 . 2007-04-13 01:21 802304 c:\windows\Microsoft.NET\Framework\v2.0.50727\mscordacwks.dll
+ 2005-09-23 12:29 . 2005-09-23 12:29 667648 c:\windows\Microsoft.NET\Framework\v2.0.50727\Microsoft.VisualBasic.dll
+ 2005-09-23 12:29 . 2005-09-23 12:29 372736 c:\windows\Microsoft.NET\Framework\v2.0.50727\Microsoft.VisualBasic.Compatibility.dll
- 2008-07-25 15:17 . 2008-07-25 15:17 372736 c:\windows\Microsoft.NET\Framework\v2.0.50727\Microsoft.VisualBasic.Compatibility.dll
+ 2005-09-23 12:29 . 2005-09-23 12:29 110592 c:\windows\Microsoft.NET\Framework\v2.0.50727\Microsoft.VisualBasic.Compatibility.Data.dll
- 2008-07-25 15:17 . 2008-07-25 15:17 110592 c:\windows\Microsoft.NET\Framework\v2.0.50727\Microsoft.VisualBasic.Compatibility.Data.dll
+ 2007-04-13 01:21 . 2007-04-13 01:21 749568 c:\windows\Microsoft.NET\Framework\v2.0.50727\Microsoft.JScript.dll
- 2008-07-25 15:16 . 2008-07-25 15:16 749568 c:\windows\Microsoft.NET\Framework\v2.0.50727\Microsoft.JScript.dll
+ 2007-04-13 01:21 . 2007-04-13 01:21 647168 c:\windows\Microsoft.NET\Framework\v2.0.50727\Microsoft.Build.Tasks.dll
+ 2007-04-13 01:21 . 2007-04-13 01:21 413696 c:\windows\Microsoft.NET\Framework\v2.0.50727\Microsoft.Build.Engine.dll
+ 2007-04-13 01:21 . 2007-04-13 01:21 228688 c:\windows\Microsoft.NET\Framework\v2.0.50727\ilasm.exe
+ 2005-09-23 12:28 . 2005-09-23 12:28 788992 c:\windows\Microsoft.NET\Framework\v2.0.50727\EventLogMessages.dll
+ 2005-09-23 12:29 . 2005-09-23 12:29 547840 c:\windows\Microsoft.NET\Framework\v2.0.50727\diasymreader.dll
- 2008-07-25 15:17 . 2008-07-25 15:17 106496 c:\windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe
+ 2005-09-23 12:28 . 2005-09-23 12:28 106496 c:\windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe
+ 2007-04-13 01:20 . 2007-04-13 01:20 507904 c:\windows\Microsoft.NET\Framework\v2.0.50727\AspNetMMCExt.dll
- 2008-07-25 15:16 . 2008-07-25 15:16 507904 c:\windows\Microsoft.NET\Framework\v2.0.50727\AspNetMMCExt.dll
+ 2005-09-23 12:28 . 2005-09-23 12:28 106496 c:\windows\Microsoft.NET\Framework\v2.0.50727\aspnet_regsql.exe
- 2008-07-25 15:16 . 2008-07-25 15:16 106496 c:\windows\Microsoft.NET\Framework\v2.0.50727\aspnet_regsql.exe
+ 2005-09-23 12:28 . 2005-09-23 12:28 138240 c:\windows\Microsoft.NET\Framework\v2.0.50727\AdoNetDiag.dll
+ 2005-09-23 12:28 . 2005-09-23 12:28 208896 c:\windows\Microsoft.NET\Framework\v2.0.50727\1033\Vsavb7rtUI.dll
+ 2005-09-23 12:29 . 2005-09-23 12:29 183808 c:\windows\Microsoft.NET\Framework\v2.0.50727\1033\vbc7ui.dll
+ 2005-09-23 12:28 . 2005-09-23 12:28 136192 c:\windows\Microsoft.NET\Framework\v2.0.50727\1033\cscompui.dll
+ 2007-04-13 01:20 . 2007-04-13 01:20 1330688 c:\windows\Microsoft.NET\Framework\v2.0.50727\VsaVb7rt.dll
+ 2007-04-13 01:21 . 2007-04-13 01:21 1166672 c:\windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
+ 2007-04-13 01:21 . 2007-04-13 01:21 5152768 c:\windows\Microsoft.NET\Framework\v2.0.50727\System.Windows.Forms.dll
+ 2007-04-13 01:21 . 2007-04-13 01:21 5156864 c:\windows\Microsoft.NET\Framework\v2.0.50727\System.Web.dll
+ 2007-04-13 01:21 . 2007-04-13 01:21 5001216 c:\windows\Microsoft.NET\Framework\v2.0.50727\System.Design.dll
+ 2005-09-23 12:28 . 2005-09-23 12:28 1144832 c:\windows\Microsoft.NET\Framework\v2.0.50727\cscomp.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TuneUp MemOptimizer"="c:\archivos de programa\TuneUp Utilities 2009\MemOptimizer.exe" [2009-04-27 163072]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-10-07 13574144]
"USB Antivirus"="c:\archivos de programa\USB Disk Security\USBGuard.exe" [2008-09-23 798720]
"egui"="c:\archivos de programa\ESET\ESET Smart Security\egui.exe" [2009-02-06 2021400]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"MaxRecentDocs"= 11 (0xb)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"=hex(2):58,50,69,7a,65,5f,4c,6f,67,6f,6e,2e,65,78,65,00

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\wbsys.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk /p \??\i:\0autocheck autochk /p \??\i:\0autocheck autochk /r \??\i:\0autocheck autochk *\0lsdelete

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\rootrepeal.sys]
@=""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Google Update"="c:\documents and settings\Zet\Configuración local\Datos de programa\Google\Update\GoogleUpdate.exe" /c
"TaskSwitchXP"=c:\archivos de programa\TaskSwitchXP\TaskSwitchXP.exe
"SpybotSD TeaTimer"=c:\archivos de programa\Spybot - Search & Destroy Updated\TeaTimer.exe
"SoftAuto.exe"="c:\archivos de programa\Creative\Software Update 3\SoftAuto.exe"
"CTZDetec.exe"=c:\archivos de programa\Creative\Creative Media Lite\CTZDetec.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"mouseElf"=c:\archiv~1\SCROLL~1\MouseElf.EXE
"Tweak UI"=RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
"UnlockerAssistant"="c:\archivos de programa\Unlocker\UnlockerAssistant.exe" -H
"nwiz"=nwiz.exe /install
"NvMediaCenter"=RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
"NvCplDaemon"=RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
"SunJavaUpdateSched"="c:\archivos de programa\Java\jre6\bin\jusched.exe"
"KernelFaultCheck"=%systemroot%\system32\dumprep 0 -k
"googletalk"=c:\archivos de programa\Google\Google Talk\googletalk.exe /autostart
"RTHDCPL"=RTHDCPL.EXE
"Alcmtr"=ALCMTR.EXE
"egui"="c:\archivos de programa\ESET\ESET Smart Security\egui.exe" /hide /waitservice

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Archivos de programa\\Google\\Google Talk\\googletalk.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Archivos de programa\\LimeWire\\LimeWire.exe"=
"c:\\Archivos de programa\\uTorrent\\utorrent.exe"=
"c:\\Archivos de programa\\Mozilla Firefox\\firefox.exe"=
"c:\\Archivos de programa\\Java\\jre6\\bin\\java.exe"=
"c:\\Archivos de programa\\Skype\\Phone\\Skype.exe"=
"c:\\Archivos de programa\\mIRC\\mirc.exe"=
"c:\\Archivos de programa\\Opera\\opera.exe"=
"c:\\Archivos de programa\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Archivos de programa\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Archivos de programa\\Windows Live\\Sync\\WindowsLiveSync.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [19/08/2009 06:06 a.m. 64160]
R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [06/02/2009 02:23 p.m. 106208]
R2 ekrn;ESET Service;c:\archivos de programa\ESET\ESET Smart Security\ekrn.exe [06/02/2009 02:23 p.m. 727720]
R2 OracleServiceXE;OracleServiceXE;c:\oraclexe\app\oracle\product\10.2.0\server\bin\ORACLE.EXE XE --> c:\oraclexe\app\oracle\product\10.2.0\server\bin\ORACLE.EXE XE [?]
R2 OracleXETNSListener;OracleXETNSListener;c:\oraclexe\app\oracle\product\10.2.0\server\BIN\TNSLSNR.EXE [02/02/2006 12:49 a.m. 204800]
R2 TuneUp.ProgramStatisticsSvc;TuneUp Program Statistics Service;c:\windows\system32\TUProgSt.exe [31/05/2009 05:47 p.m. 604416]
R3 genmcmnUSB;USB Scroll Mouse Driver;c:\windows\system32\drivers\gflmouhid.sys [29/01/2009 02:32 p.m. 6656]
S2 BDVEDISK;BDVEDISK;\??\c:\archivos de programa\BitDefender\BitDefender 2009\BDVEDISK.sys --> c:\archivos de programa\BitDefender\BitDefender 2009\BDVEDISK.sys [?]
S2 MsDtsServer;SQL Server Integration Services;c:\archivos de programa\Microsoft SQL Server\90\DTS\Binn\MsDtsSrvr.exe [14/10/2005 03:45 a.m. 199384]
S2 NOD32FiXTemDono;Eset Nod32 Boot;c:\windows\system32\regedt32.exe [10/09/2002 10:00 a.m. 18944]
S3 gHidPnp;USB Device Enhanced Function Driver;c:\windows\system32\Drivers\gHidPnp.Sys --> c:\windows\system32\Drivers\gHidPnp.Sys [?]
S3 gMouUsb;USB Mouse Device Drv;c:\windows\system32\DRIVERS\gMouUsb.sys --> c:\windows\system32\DRIVERS\gMouUsb.sys [?]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\archivos de programa\Lavasoft\Ad-Aware\AAWService.exe [03/07/2009 10:49 a.m. 1029456]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\archivos de programa\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe [02/12/2006 06:17 a.m. 2805000]
S4 OracleJobSchedulerXE;OracleJobSchedulerXE;c:\oraclexe\app\oracle\product\10.2.0\server\Bin\extjob.exe XE --> c:\oraclexe\app\oracle\product\10.2.0\server\Bin\extjob.exe XE [?]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-08-19 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\archivos de programa\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-07-03 14:49]

2009-08-20 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\archivos de programa\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2009-08-20 c:\windows\Tasks\Mantenimiento con 1 clic.job
- c:\archivos de programa\TuneUp Utilities 2009\OneClickStarter.exe [2009-04-27 13:46]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.microsoft.com
mStart Page = hxxp://www.microsoft.com
mWindow Title = Microsoft Internet Explorer
IE: Download with ImTOO YouTube Video Converter - c:\archivos de programa\ImTOO\YouTube Video Converter\upod_link.HTM
IE: E&xport to Microsoft Excel - c:\archiv~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: E&xportar a Microsoft Excel - c:\archiv~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Zet\Datos de programa\Mozilla\Firefox\Profiles\p6wxuo0i.default\
FF - plugin: c:\archivos de programa\Windows Live\Photo Gallery\NPWLPG.dll

---- FIREFOX POLICIES ----
FF - user.js: network.http.max-persistent-connections-per-server - 4
FF - user.js: nglayout.initialpaint.delay - 600
FF - user.js: content.notify.interval - 600000
FF - user.js: content.max.tokenizing.time - 1800000
FF - user.js: content.switch.threshold - 600000
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-20 19:16
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\msftesql]
"ImagePath"="\"c:\archivos de programa\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\msftesql.exe\" -s:MSSQL.1 -f:MSSQLSERVER"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-776561741-2049760794-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID]
@Denied: (Full) (LocalSystem)

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\h–€|ÿÿÿÿ¤•€|ù•9~*]
"A0C0110900063D11C8EF10054038389C"="C?\\WINDOWS\\system32\\FM20ENU.DLL"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(228)
c:\windows\system32\WININET.dll
c:\windows\system32\wpdshext.dll
c:\windows\system32\PortableDeviceApi.dll
c:\windows\system32\Audiodev.dll
c:\windows\system32\WMVCore.DLL
c:\windows\system32\WMASF.DLL
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\CTSVCCDA.EXE
c:\archivos de programa\Creative\Shared Files\CTDevSrv.exe
c:\windows\system32\inetsrv\inetinfo.exe
c:\archivos de programa\Java\jre6\bin\jqs.exe
c:\archivos de programa\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\sqlservr.exe
c:\windows\system32\nvsvc32.exe
c:\oraclexe\app\oracle\product\10.2.0\server\BIN\oracle.exe
c:\archivos de programa\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\archivos de programa\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\archivos de programa\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\archivos de programa\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\msftesql.exe
c:\windows\system32\wbem\wmiapsrv.exe
.
**************************************************************************
.
Completion time: 2009-08-20 19:19 - machine was rebooted
ComboFix-quarantined-files.txt 2009-08-20 23:19
ComboFix2.txt 2009-08-20 13:08

Pre-Run: 9.871.339.520 bytes libres
Post-Run: 9.671.729.152 bytes libres

Current=3 Default=3 Failed=1 LastKnownGood=4 Sets=1,2,3,4
401 --- E O F --- 2009-07-16 02:08

#7 User is offline   Rorschach112 

  • Ralphie
  • Group: Geek U Moderator
  • Posts: 47,261
  • Joined: 23-March 07
  • Location:Dublin
  • Operating System:XP

Posted 21 August 2009 - 05:16 AM

hi

Download TFC to your desktop
  • Open the file and close any other windows.
  • It will close all programs itself when run, so make sure to let it run uninterrupted.
  • Click the Start button to begin the process. The program should not take long to finish its job.
  • Once it's finished it should reboot your machine; if not, do this yourself to ensure a complete clean.

Please download Malwarebytes' Anti-Malware from Here

Double-click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & paste the entire report in your next reply.

Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

Go to Kaspersky website and perform an online antivirus scan.

  • Read through the requirements and privacy statement and click on Accept button.
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  • When the downloads have finished, click on Settings.
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
      Spyware, Adware, Dialers, and other potentially dangerous programs
      Archives
      Mail databases

  • Click on My Computer under Scan.
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button. Then post it here.


#8 User is offline   Zet 

  • Member
  • PipPip
  • Group: Member
  • Posts: 19
  • Joined: 20-August 09
  • Operating System:XP

Posted 21 August 2009 - 08:19 AM

Malwarebytes report
I speak Spanish, so I'll translate: it hasn't found anything.

Malwarebytes' Anti-Malware 1.40
Versión de la Base de Datos: 2669
Windows 5.1.2600 Service Pack 3

21/08/2009 10:37:35 a.m.
mbam-log-2009-08-21 (10-37-35).txt

Tipo de examen : Examen Rápido
Objetos examinados: 101884
Tiempo transcurrido: 3 minute(s), 12 second(s)

Procesos en Memoria Infectados: 0
Módulos en Memoria Infectados: 0
Claves del Registro Infectadas: 0
Valores del Registro Infectados: 0
Elementos de Datos del Registro Infectados: 0
Carpetas Infectadas: 0
Ficheros Infectados: 0

Procesos en Memoria Infectados:
(No se han detectado elementos maliciosos)

Módulos en Memoria Infectados:
(No se han detectado elementos maliciosos)

Claves del Registro Infectadas:
(No se han detectado elementos maliciosos)

Valores del Registro Infectados:
(No se han detectado elementos maliciosos)

Elementos de Datos del Registro Infectados:
(No se han detectado elementos maliciosos)

Carpetas Infectadas:
(No se han detectado elementos maliciosos)

Ficheros Infectados:
(No se han detectado elementos maliciosos)

#9 User is offline   Rorschach112 

  • Ralphie
  • Group: Geek U Moderator
  • Posts: 47,261
  • Joined: 23-March 07
  • Location:Dublin
  • Operating System:XP

Posted 21 August 2009 - 08:30 AM

Kaspersky also

#10 User is offline   Zet 

  • Member
  • PipPip
  • Group: Member
  • Posts: 19
  • Joined: 20-August 09
  • Operating System:XP

Posted 21 August 2009 - 08:47 AM

doing it atm

#11 User is offline   Rorschach112 

  • Ralphie
  • Group: Geek U Moderator
  • Posts: 47,261
  • Joined: 23-March 07
  • Location:Dublin
  • Operating System:XP

Posted 21 August 2009 - 08:51 AM

ok

#12 User is offline   Zet 

  • Member
  • PipPip
  • Group: Member
  • Posts: 19
  • Joined: 20-August 09
  • Operating System:XP

Posted 21 August 2009 - 09:41 AM

still working on drive C:\ and 4 infections so far

This post has been edited by Zet: 21 August 2009 - 09:52 AM


#13 User is offline   Rorschach112 

  • Ralphie
  • Group: Geek U Moderator
  • Posts: 47,261
  • Joined: 23-March 07
  • Location:Dublin
  • Operating System:XP

Posted 21 August 2009 - 11:33 AM

aye it takes a while

#14 User is offline   Zet 

  • Member
  • PipPip
  • Group: Member
  • Posts: 19
  • Joined: 20-August 09
  • Operating System:XP

Posted 21 August 2009 - 12:47 PM

OK, it's over. Here is the result of the Kaspersky scan.

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Friday, August 21, 2009
Operating system: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Friday, August 21, 2009 08:59:45
Records in database: 2669597
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\
F:\
G:\

Scan statistics:
Objects scanned: 139700
Threats found: 7
Infected objects found: 14
Suspicious objects found: 0
Scan duration: 03:32:27


File name / Threat / Threats count
C:\Archivos de programa\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.g 1
C:\Documents and Settings\Zet\Mis documentos\Mis archivos recibidos\khaloz3213657904\Historial\WPE PRO - modified(2).rar Infected: HackTool.Win32.Sniffer.WpePro.v 1
C:\Documents and Settings\Zet\Mis documentos\Mis archivos recibidos\khaloz3213657904\Historial\WPE PRO - modified(2).rar Infected: HackTool.Win32.Sniffer.WpePro.w 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\kbiwkmxrxuxysr.dll.vir Infected: Trojan.Win32.Agent.cumi 1
C:\System Volume Information\_restore{45A86B3A-D592-4CDA-96B1-7261400AC2A0}\RP0\A0000003.dll Infected: Trojan.Win32.Agent.cumi 1
E:\Instaladores\mirc635.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.g 1
F:\Instaladores Imagenes old 60\Instaladores\aircrack-ng-0.9.3-win.zip Infected: not-a-virus:PSWTool.Win32.AirCrack.c 1
F:\Instaladores Imagenes old 60\Instaladores\MU\speed hack mu.rar Infected: Hoax.MSIL.BadJoke.Agent.o 1
F:\Instaladores Imagenes old 60\Varios otros\wifi tools\air\aircrack-ng-0.9.3\aircrack-ng-0.9.3-win\bin\airodump-ng.exe Infected: not-a-virus:PSWTool.Win32.AirCrack.c 1
F:\Instaladores Imagenes old 60\Varios otros\wifi tools\air\aircrack-ng-win-0.9.1\bin\airodump-ng.exe Infected: not-a-virus:PSWTool.Win32.AirCrack.a 1
F:\Instaladores Imagenes old 60\Varios otros\wifi tools\air.rar Infected: not-a-virus:PSWTool.Win32.AirCrack.c 1
F:\Instaladores Imagenes old 60\Varios otros\wifi tools\air.rar Infected: not-a-virus:PSWTool.Win32.AirCrack.a 1
F:\Wow Hacks\WPE PRO - modified(2).rar Infected: HackTool.Win32.Sniffer.WpePro.v 1
F:\Wow Hacks\WPE PRO - modified(2).rar Infected: HackTool.Win32.Sniffer.WpePro.w 1

Selected area has been scanned.

==

The only real virus I can recognize there is:
C:\Qoobox\Quarantine\C\WINDOWS\system32\kbiwkmxrxuxysr.dll.vir Infected: Trojan.Win32.Agent.cumi 1
C:\System Volume Information\_restore{45A86B3A-D592-4CDA-96B1-7261400AC2A0}\RP0\A0000003.dll Infected: Trojan.Win32.Agent.cumi 1

==

The rest, I know where they come from and what they do; the sniffer is to cheat on a game (a friend passed it to me), the bad joke is a program to hack a game too, and the other is a tool to hack WiFi passwords.
Can't find anything suspicious about the problem with accessing my USB flash drive and such, or why MSN is blocked ;(
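Reading a report like the one above is mostly a question of where each hit lives, not just what it is called. As an added example (not code from the thread, from Kaspersky or from Geeks to Go), the script below parses the "File name / Threat / Threats count" lines of a Kaspersky Online Scanner 7.0 report and sorts them into: copies already sitting in ComboFix's quarantine (C:\Qoobox\Quarantine, where the .vir suffix marks the renamed copy), copies inside System Restore snapshots (System Volume Information\_restore), "not-a-virus:" riskware that Kaspersky flags by policy, HackTool/Hoax cheat tools, and anything still live on disk. The sample input is constructed from four lines of the report plus one invented line (example_active.dll) that exists only to exercise the "active" branch; it was not in the real scan.

```python
r"""Triage a pasted Kaspersky Online Scanner 7.0 report by where each hit lives.

Added example, not code from the thread, from Kaspersky or from Geeks to Go.
Hits under C:\Qoobox\Quarantine (the folder ComboFix uses for its quarantine;
the .vir suffix marks its renamed copy) and under
System Volume Information\_restore (System Restore snapshots) are already off
the live system.  "not-a-virus:" entries are riskware flagged by policy, and
HackTool/Hoax entries are cheat or cracking tools.  Whatever is left is a live
detection that still needs cleaning.
"""
import re
from collections import Counter

# Constructed sample in the report's "File name / Threat / Threats count" format.
# The first four lines mirror entries from the report above; the LAST line is
# invented purely to exercise the "active" branch and was NOT in the real scan.
SAMPLE_REPORT = r"""
File name / Threat / Threats count
C:\Archivos de programa\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.g 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\kbiwkmxrxuxysr.dll.vir Infected: Trojan.Win32.Agent.cumi 1
C:\System Volume Information\_restore{45A86B3A-D592-4CDA-96B1-7261400AC2A0}\RP0\A0000003.dll Infected: Trojan.Win32.Agent.cumi 1
F:\Wow Hacks\WPE PRO - modified(2).rar Infected: HackTool.Win32.Sniffer.WpePro.v 1
C:\WINDOWS\system32\example_active.dll Infected: Trojan.Win32.Agent.cumi 1

Selected area has been scanned.
"""

# One detection line: "<path> Infected: <threat name> <count>".  Paths may contain
# spaces, so the path group is non-greedy and anchored on the literal " Infected: ".
DETECTION_RE = re.compile(r"^(?P<path>.+?) Infected: (?P<threat>\S+) (?P<count>\d+)$")

ACTIONS = {
    "quarantined":   "already isolated by ComboFix; purge C:\\Qoobox once the machine is clean",
    "restore_point": "copy inside a System Restore snapshot; flush restore points to drop it",
    "riskware":      "legitimate tool Kaspersky flags by policy; keep or delete knowingly",
    "hacktool":      "game cheat / cracking tool; not self-propagating, delete if unwanted",
    "active":        "live file on disk: treat as an unresolved infection",
}

def classify(path, threat):
    """Map one detection to a category, checking location before threat name."""
    p = path.lower()
    if "\\qoobox\\quarantine\\" in p:
        return "quarantined"
    if "\\system volume information\\_restore" in p:
        return "restore_point"
    if threat.startswith("not-a-virus:"):
        return "riskware"
    if threat.split(".", 1)[0] in ("HackTool", "Hoax"):
        return "hacktool"
    return "active"

def triage(report_text):
    """Parse every detection line of a report into a dict with category and action."""
    rows = []
    for line in report_text.splitlines():
        m = DETECTION_RE.match(line.strip())
        if not m:
            continue  # header, statistics and footer lines are skipped
        category = classify(m["path"], m["threat"])
        rows.append({
            "path": m["path"],
            "threat": m["threat"],
            "count": int(m["count"]),
            "category": category,
            "action": ACTIONS[category],
        })
    return rows

def summarize(rows):
    """Count detections per category."""
    return Counter(r["category"] for r in rows)

def needs_action(rows):
    """Only the detections that are still live on the system."""
    return [r for r in rows if r["category"] == "active"]

if __name__ == "__main__":
    rows = triage(SAMPLE_REPORT)
    for r in rows:
        print(f"{r['category']:<14}{r['threat']:<42}{r['path']}")
    print(dict(summarize(rows)))
    print("still to clean:", [r["path"] for r in needs_action(rows)])
```

Location is checked before the threat name on purpose: a Trojan.Win32.Agent hit in the quarantine folder or in a restore point is the same sample the earlier cleanup already removed, so it should not be read as a reinfection. Only an entry the script reports as "active" means something is still live, and that is the list to act on.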

#15 Rorschach112

  • Ralphie
  • Group: Geek U Moderator
  • Posts: 47,261
  • Joined: 23-March 07
  • Location: Dublin
  • Operating System: XP

Posted 21 August 2009 - 02:09 PM

Hi,

CLICK HERE to download the HijackThis Installer:
  • Save HJTInstall.exe to your desktop.
  • Double-click on HJTInstall.exe to run the program.
  • By default it will install to C:\Program Files\Trend Micro\HijackThis.
  • Accept the license agreement by clicking the "I Accept" button.
  • Click on the "Do a system scan and save a log file" button. It will scan and then ask you to save the log.
  • Click "Save log" to save the log file and then the log will open in Notepad.
  • Click on "Edit -> Select All" then click on "Edit -> Copy" to copy the entire contents of the log.
  • Come back here to this thread and paste the log in your next reply.
  • Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.


© Geeks to Go, Inc. | All Rights Reserved