Regedit and Taskmgr "Disabled by Administrator" [Solved]


  • This topic is locked

#16
DannieRay
    Member
  • Topic Starter
  • 24 posts
Is the running order on both programs important?

The link to the first one doesn't work; it says:

"Oops! Google Chrome could not find the page support.kaspersky.com.
Suggestions:
Go to kaspersky.com
Go to the sitemap at kaspersky.com/sitemap"

#17
gringo_pr
    Trusted Helper
  • Malware Removal
  • 7,268 posts
try this link - http://support.kaspe.../tdsskiller.exe


And no, the order is not important.

#18
DannieRay
    Member
  • Topic Starter
  • 24 posts
Following the link:

This web page is not available
The server at support.kaspersky.com could not be found because the DNS lookup failed. DNS is the network service that translates a website's name into its Internet address. This error is usually caused by having no Internet connection or by a misconfigured network. It can also be caused by an unresponsive DNS server or by a firewall preventing Google Chrome from accessing the network.

#19
gringo_pr
    Trusted Helper
  • Malware Removal
  • 7,268 posts
Move to the next item. Did you also try it in IE?

#20
DannieRay
    Member
  • Topic Starter
  • 24 posts
Yes, similar errors on IE.

I did the first run of MBAR and it found some stuff.

On reboot the Windows File Protection error popped up again, but it now closes if you click Cancel and then Yes.

Gonna run MBAR again to see if the infections are gone.

#21
gringo_pr
    Trusted Helper
  • Malware Removal
  • 7,268 posts
OK, I will be here.

#22
DannieRay
    Member
  • Topic Starter
  • 24 posts
This was the log for the first run.

Malwarebytes Anti-Rootkit BETA 1.01.0.1020
www.malwarebytes.org

Database version: v2013.02.25.04

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 7.0.5730.13
Administrador :: DESKTOP [administrator]

25/02/2013 3:59:31
mbar-log-2013-02-25 (03-59-31).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM | P2P
Scan options disabled:
Objects scanned: 24732
Time elapsed: 9 minute(s), 32 second(s)

Memory Processes Detected: 2
c:\WINDOWS\Temp\winpcwop.exe (Spyware.Password) -> 3920 -> Delete on reboot.
c:\WINDOWS\system32\rundat.exe (Trojan.Agent) -> 3736 -> Delete on reboot.

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 1
HKLM\SOFTWARE\MICROSOFT\yOLE (Backdoor.Bot.Gen) -> Delete on reboot.

Registry Values Detected: 6
HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|Supports RAS Connections (Trojan.Agent) -> Data: rundat.exe -> Delete on reboot.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|Supports RAS Connections (Trojan.Agent) -> Data: rundat.exe -> Delete on reboot.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices|Supports RAS Connections (Trojan.Agent) -> Data: rundat.exe -> Delete on reboot.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices|Supports RAS Connections (Trojan.Agent) -> Data: rundat.exe -> Delete on reboot.
HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|Supports RAS Connections (Trojan.Agent) -> Data: rundat.exe -> Delete on reboot.
HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices|Supports RAS Connections (Trojan.Agent) -> Data: rundat.exe -> Delete on reboot.

Registry Data Items Detected: 3
HKLM\SOFTWARE\MICROSOFT\SECURITY CENTER|AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Delete on reboot.
HKLM\SOFTWARE\MICROSOFT\SECURITY CENTER|FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Delete on reboot.
HKLM\SOFTWARE\MICROSOFT\SECURITY CENTER|UpdatesDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Delete on reboot.

Folders Detected: 0
(No malicious items detected)

Files Detected: 6
c:\WINDOWS\Temp\winpcwop.exe (Spyware.Password) -> Delete on reboot.
c:\Documents and Settings\Administrador\Escritorio\RK_Quarantine\lfsgoypjc.exe.vir (PUP.BitMiner) -> Delete on reboot.
c:\Documents and Settings\Administrador\Escritorio\RK_Quarantine\winsvvtxe.exe.vir (Spyware.Password) -> Delete on reboot.
c:\WINDOWS\nigzss.txt (Malware.Trace) -> Delete on reboot.
c:\WINDOWS\sys.exe (Trojan.Banker) -> Delete on reboot.
c:\WINDOWS\system32\rundat.exe (Trojan.Agent) -> Delete on reboot.

(end)

Running a second scan and it has already found this:

c:\WINDOWS\Temp\dvyypy.exe (Spyware.Password)

=( These [bleep] things just won't stay gone. While this second scan finishes, allow me to thank you for your help. You've been great!

#23
DannieRay
    Member
  • Topic Starter
  • 24 posts
Malwarebytes Anti-Rootkit BETA 1.01.0.1020
www.malwarebytes.org

Database version: v2013.02.25.04

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 7.0.5730.13
Administrador :: DESKTOP [administrator]

25/02/2013 4:22:04
mbar-log-2013-02-25 (04-22-04).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM | P2P
Scan options disabled:
Objects scanned: 24655
Time elapsed: 14 minute(s), 3 second(s)

Memory Processes Detected: 1
c:\WINDOWS\Temp\dvyypy.exe (Spyware.Password) -> 2728 -> Delete on reboot.

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 3
HKLM\SOFTWARE\MICROSOFT\SECURITY CENTER|AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Delete on reboot.
HKLM\SOFTWARE\MICROSOFT\SECURITY CENTER|FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Delete on reboot.
HKLM\SOFTWARE\MICROSOFT\SECURITY CENTER|UpdatesDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Delete on reboot.

Folders Detected: 0
(No malicious items detected)

Files Detected: 1
c:\WINDOWS\Temp\dvyypy.exe (Spyware.Password) -> Delete on reboot.

(end)

After this reboot I got an error that some remote process had failed and that the computer would automatically reboot. I don't remember the specifics and didn't have time to get a notebook and write it down.

And guess what: Task Manager and Registry Editor are down again after that reboot; the Windows File Protection error did not appear.

Edited by DannieRay, 25 February 2013 - 01:41 AM.


#24
gringo_pr
    Trusted Helper
  • Malware Removal
  • 7,268 posts
Hello DannieRay

At this time I would like you to run this script for me; it is also a good time to check the computer to see if there is anything else that needs to be addressed.

:Run CFScript:

Please start by opening Notepad and copy/paste the text in the box into the window:

ClearJavaCache::

File::
c:\windows\goxobx.exe

Driver::
abp470n5
kkwebzkt

NetSvc::
kkwebzkt

Save it to your desktop as CFScript.txt

Referring to the picture above, drag CFScript.txt into ComboFix.exe
This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall

Note 2: If you receive the error "Illegal operation attempted on a registry key that has been marked for deletion.", please restart the computer.

"information and logs"

  • In your next post I need the following:

  • report from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now after running the script?

Gringo


#25
DannieRay
    Member
  • Topic Starter
  • 24 posts
ComboFix 13-02-24.01 - Administrador 25/02/2013 5:08.3.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.34.3082.18.958.488 [GMT -3:00]
Running from: c:\documents and settings\Administrador\Escritorio\ComboFix.exe
Command switches used :: c:\documents and settings\Administrador\Escritorio\CFScript.txt.txt
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_ABP470N5
-------\Service_abp470n5
.
.
((((((((((((((((((((((((( Files Created from 2013-01-25 to 2013-02-25 )))))))))))))))))))))))))))))))
.
.
2013-02-25 06:02 . 2008-04-14 10:48 32768 ------w- c:\windows\system32\asr_pfu.exe
2013-02-25 06:02 . 2008-04-14 10:48 10752 ------w- c:\windows\system32\smtpapi.dll
2013-02-25 06:02 . 2008-04-14 10:48 9728 ------w- c:\windows\system32\rwnh.dll
2013-02-25 06:02 . 2008-04-14 10:48 1306624 ------w- c:\windows\system32\dllcache\msxml6.dll
2013-02-25 06:02 . 2008-04-14 10:47 103424 ------w- c:\windows\system32\dllcache\dpcdll.dll
2013-02-25 06:02 . 2008-04-14 10:25 90624 ------w- c:\windows\system32\dllcache\msxml6r.dll
2013-02-25 06:02 . 2008-04-14 03:15 46592 ------w- c:\windows\system32\drivers\irbus.sys
2013-02-25 06:02 . 2008-04-14 03:13 9728 ------w- c:\windows\system32\comsdupd.exe
2013-02-25 06:00 . 2013-02-25 06:02 -------- d-----w- c:\windows\ServicePackFiles
2013-02-25 05:58 . 2006-12-29 03:31 19569 ----a-w- c:\windows\000001_.tmp
2013-02-25 05:58 . 2013-02-25 06:02 -------- d-----w- c:\windows\EHome
2013-02-25 04:00 . 2013-02-25 04:00 -------- d-----w- c:\windows\system32\wbem\snmp
2013-02-25 04:00 . 2013-02-25 06:01 -------- d-----w- c:\windows\system32\oobe
2013-02-25 04:00 . 2013-02-25 04:00 -------- d-----w- c:\windows\system32\xircom
2013-02-25 04:00 . 2013-02-25 04:00 -------- d-----w- c:\windows\srchasst
2013-02-25 04:00 . 2013-02-25 04:00 -------- d-----w- c:\windows\msagent
2013-02-25 04:00 . 2013-02-25 04:00 -------- d-----w- c:\archivos de programa\microsoft frontpage
2013-02-25 03:16 . 2013-02-25 03:16 115968 ----a-w- c:\windows\java.exe
2013-02-23 03:46 . 2013-02-23 03:46 -------- d-----w- c:\archivos de programa\Disk Heal
2013-02-23 00:37 . 2013-02-23 00:37 880640 ----a-w- c:\windows\system32\safari.exe
2013-02-23 00:09 . 2013-02-25 07:31 257090 ----a-w- c:\windows\goxobx.exe
2013-02-22 04:30 . 2013-02-22 04:30 -------- d-----w- c:\documents and settings\Administrador\Datos de programa\Malwarebytes
2013-02-22 04:30 . 2013-02-22 04:30 -------- d-----w- c:\documents and settings\All Users\Datos de programa\Malwarebytes
2013-02-22 04:30 . 2013-02-22 04:30 -------- d-----w- c:\archivos de programa\Malwarebytes' Anti-Malware
2013-02-22 04:30 . 2012-12-14 15:49 21104 ----a-w- c:\windows\system32\drivers\mbam.sys
2013-02-22 04:24 . 2013-02-22 04:24 -------- d-----w- c:\archivos de programa\Defraggler
2013-02-22 04:12 . 2001-08-22 18:34 12416 ----a-w- c:\windows\system32\drivers\mouhid.sys
2013-02-22 04:02 . 2008-04-14 02:15 10368 ----a-w- c:\windows\system32\drivers\hidusb.sys
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[-] 2008-05-11 . 38FF5050D7BC47F344AE271B6C250201 . 3591680 . . [7.00.6000.16640] . . c:\windows\system32\mshtml.dll
[7] 2008-04-14 . 85B88C504D1527978F1C2FBE6A41E799 . 3066880 . . [6.00.2900.5512] . . c:\windows\ServicePackFiles\i386\mshtml.dll
.
[-] 2008-05-11 . 39E5AA52B667BDD18690336E7E410EAF . 826368 . . [7.00.6000.16640] . . c:\windows\system32\wininet.dll
[7] 2008-04-14 . A9A84CFC20D5F4C609E9CBF9491B8DF6 . 668672 . . [6.00.2900.5512] . . c:\windows\ServicePackFiles\i386\wininet.dll
.
[-] 2008-05-11 20:28 . C51B4A5C05A5475708E3C81C7765B71D . 27136 . . [11.0.5721.5145] . . c:\windows\system32\mspmsnsv.dll
.
[7] 2008-04-14 . 12CE2CACCF25D99944CA69F6A3A83441 . 93184 . . [6.00.2900.5512] . . c:\windows\ServicePackFiles\i386\iexplore.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SarbyxTrayClock"="c:\archivos de programa\SarbyxTrayClock\trayclock.exe" [2006-10-19 60928]
"Windows Service Base"="safari.exe" [2013-02-23 880640]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2008-05-07 16862208]
"AVG_TRAY"="c:\archivos de programa\AVG\AVG2012\avgtray.exe" [2012-01-24 2490208]
"Adobe ARM"="c:\archivos de programa\Archivos comunes\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 921536]
"Windows Service Base"="safari.exe" [2013-02-23 880640]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-10-31 7634944]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"Windows Service Base"="safari.exe" [2013-02-23 880640]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
"Windows Service Base"="safari.exe" [2013-02-23 880640]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nltide_2"="shell32" [X]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"= 1 (0x1)
"DisableRegistryTools"= 1 (0x1)
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMConfigurePrograms"= 1 (0x1)
"NoSMMyPictures"= 1 (0x1)
"NoResolveTrack"= 1 (0x1)
.
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)
"NoSMHelp"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)
"NoSMMyPictures"= 1 (0x1)
"NoResolveTrack"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Dnscache"=2 (0x2)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001
"AntiVirusDisableNotify"=dword:00000001
"FirewallDisableNotify"=dword:00000001
"FirewallOverride"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"UacDisableNotify"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Archivos de programa\\AVG\\AVG2012\\avgnsx.exe"=
"c:\\Archivos de programa\\AVG\\AVG2012\\avgmfapx.exe"=
"c:\\Archivos de programa\\AVG\\AVG2012\\avgtray.exe"=
"c:\\WINDOWS\\system32\\netsh.exe"=
"c:\\Archivos de programa\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\WINDOWS\\RTHDCPL.EXE"=
"c:\\Documents and Settings\\Administrador\\Configuración local\\Datos de programa\\Google\\Chrome\\Application\\chrome.exe"=
"c:\\Archivos de programa\\Microsoft Office\\Office12\\POWERPNT.EXE"=
"c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil11f_ActiveX.exe"=
"c:\\Archivos de programa\\SarbyxTrayClock\\trayclock.exe"=
"c:\\Archivos de programa\\WinZip\\WZQKPICK32.EXE"=
"c:\\WINDOWS\\System32\\cmd.exe"= c:\\WINDOWS\\system32\\cmd.exe
"c:\\Archivos de programa\\Microsoft Application Virtualization Client\\sftlist.exe"=
"c:\\Archivos de programa\\Archivos comunes\\Microsoft Shared\\Virtualization Handler\\CVHSVC.EXE"=
"c:\\Archivos de programa\\Archivos comunes\\Java\\Java Update\\jusched.exe"=
"c:\\Archivos de programa\\Malwarebytes' Anti-Malware\\mbamgui.exe"=
"c:\\Archivos de programa\\AVG\\AVG2012\\avgemcx.exe"=
"c:\\Documents and Settings\\Administrador\\Configuración local\\Datos de programa\\Google\\Update\\GoogleUpdate.exe"=
"c:\\Archivos de programa\\Archivos comunes\\Adobe\\ARM\\1.0\\AdobeARM.exe"=
"c:\\Documents and Settings\\Administrador\\Configuración local\\Datos de programa\\Google\\Update\\1.3.21.135\\GoogleCrashHandler.exe"=
"c:\\Archivos de programa\\Malwarebytes' Anti-Malware\\mbamservice.exe"=
"c:\\WINDOWS\\inf\\unregmp2.exe"=
"c:\\WINDOWS\\system32\\safari.exe"=
"c:\\Archivos de programa\\Adobe\\Reader 10.0\\Reader\\Reader_sl.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3020:TCP"= 3020:TCP:cevoqtg
.
R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [10/07/2011 21:14 23120]
R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [03/03/2012 0:31 717296]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [07/10/2011 2:23 230608]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [10/07/2011 21:14 295248]
R2 avgwd;WatchDog de AVG;c:\archivos de programa\AVG\AVG2012\avgwdsvc.exe [02/08/2011 2:09 192776]
R2 cvhsvc;Client Virtualization Handler;c:\archivos de programa\Archivos comunes\Microsoft Shared\Virtualization Handler\CVHSVC.EXE [27/02/2010 21:33 899488]
R2 MBAMScheduler;MBAMScheduler;c:\archivos de programa\Malwarebytes' Anti-Malware\mbamscheduler.exe [22/02/2013 1:30 398184]
R2 sftlist;Application Virtualization Client;c:\archivos de programa\Microsoft Application Virtualization Client\sftlist.exe [02/12/2009 17:23 553320]
R2 WebUpdate4;Web Update Wizard Service V4;c:\windows\system32\WebUpdateSvc4.exe [22/06/2007 8:36 229592]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [22/02/2013 1:30 21104]
R3 Sftfs;Sftfs;c:\windows\system32\drivers\Sftfsxp.sys [02/12/2009 17:23 554344]
R3 Sftplay;Sftplay;c:\windows\system32\drivers\Sftplayxp.sys [02/12/2009 17:23 211304]
R3 Sftredir;Sftredir;c:\windows\system32\drivers\Sftredirxp.sys [02/12/2009 17:23 20584]
R3 Sftvol;Sftvol;c:\windows\system32\drivers\Sftvolxp.sys [02/12/2009 17:23 18280]
R3 sftvsa;Application Virtualization Service Agent;c:\archivos de programa\Microsoft Application Virtualization Client\sftvsa.exe [02/12/2009 17:23 209768]
S2 AVGIDSAgent;AVGIDSAgent;c:\archivos de programa\AVG\AVG2012\AVGIDSAgent.exe [12/10/2011 2:25 4502880]
S2 kkwebzkt;uwtnnozn;c:\windows\system32\svchost.exe -k netsvcs [14/04/2008 4:49 14336]
S2 MBAMService;MBAMService;c:\archivos de programa\Malwarebytes' Anti-Malware\mbamservice.exe [22/02/2013 1:30 756072]
S4 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [10/07/2011 21:14 134608]
S4 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [10/07/2011 21:14 24272]
S4 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [04/10/2011 2:21 16720]
S4 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [13/09/2011 2:30 32592]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - ABP470N5
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
kkwebzkt
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: E&xportar a Microsoft Excel - c:\archiv~1\MICROS~1\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 200.75.0.4 200.75.25.224
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-02-25 05:15
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(3564)
c:\windows\system32\wpdshserviceobj.dll
c:\windows\system32\portabledevicetypes.dll
c:\windows\system32\portabledeviceapi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\archivos de programa\Java\jre6\bin\jqs.exe
c:\windows\RTHDCPL.EXE
c:\windows\system32\nvsvc32.exe
c:\windows\system32\safari.exe
.
**************************************************************************
.
Completion time: 2013-02-25 05:16:46 - machine was rebooted
ComboFix-quarantined-files.txt 2013-02-25 08:16
.
Pre-Run: 60.745.306.112 bytes free
Post-Run: 60.715.102.208 bytes free
.
- - End Of File - - B6339FDB012CC71C9B2FE70786FA9B20

Still locked out of Regedit and Task Manager.
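
The "Reg Loading Points" section of the ComboFix log above shows the three things that keep re-locking this machine: a Run/RunServices value named "Windows Service Base" pointing at a bare "safari.exe" and planted in HKCU, HKLM and HKU\.DEFAULT alike, DisableTaskMgr and DisableRegistryTools set to 1 under the HKCU policies key, and the Security Center notifications suppressed with the firewall switched off. The script below is an added example (editor's code, not part of the original thread and not part of ComboFix, MBAR or OTL) that parses a ComboFix-style registry dump and flags those patterns. The SAMPLE_LOG is constructed from entries in the posted log; the category names are the author's own; every flag is a heuristic to follow up, not a verdict (RTHDCPL.EXE is a bare file name too and is legitimate here, so a hit only says "check where this name resolves").

```python
import re
from collections import Counter, defaultdict

# Constructed sample: a trimmed copy of the "Reg Loading Points" section of
# the ComboFix log posted in this thread, in ComboFix's own line format.
SAMPLE_LOG = r'''
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Service Base"="safari.exe" [2013-02-23 880640]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2008-05-07 16862208]
"Windows Service Base"="safari.exe" [2013-02-23 880640]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"Windows Service Base"="safari.exe" [2013-02-23 880640]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
"Windows Service Base"="safari.exe" [2013-02-23 880640]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"= 1 (0x1)
"DisableRegistryTools"= 1 (0x1)
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusDisableNotify"=dword:00000001
"FirewallDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
'''

KEY_RE = re.compile(r'^\[(.+)\]$')
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')

# Policy values that, at 1, lock the user out of the recovery tools.
LOCKOUT_POLICIES = {'disabletaskmgr', 'disableregistrytools', 'disablecmd'}
# Security Center values that, at 1, silence the "no AV / firewall off" warnings.
SECCENTER_SUPPRESS = {'antivirusdisablenotify', 'firewalldisablenotify',
                      'updatesdisablenotify', 'antivirusoverride', 'firewalloverride'}
AUTORUN_LEAVES = {'run', 'runonce', 'runservices', 'runservicesonce'}


def decode_value(raw):
    """Turn ComboFix's value rendering into str or int.
    Forms seen in the log: "path" [date size]  |  = 1 (0x1)  |  =dword:00000001"""
    raw = raw.strip()
    if raw.startswith('"'):
        end = raw.find('"', 1)
        return raw[1:end] if end != -1 else raw[1:]
    if raw.lower().startswith('dword:'):
        return int(raw[6:].split()[0], 16)
    m = re.match(r'-?\d+', raw)
    return int(m.group()) if m else raw


def parse_reg_loading_points(text):
    """Return (key, value_name, value) triples from a REGEDIT4-style dump."""
    entries, key = [], None
    for line in text.splitlines():
        line = line.strip()
        km = KEY_RE.match(line)
        if km:
            key = km.group(1)
            continue
        vm = VALUE_RE.match(line)
        if vm and key is not None:
            entries.append((key, vm.group(1), decode_value(vm.group(2))))
    return entries


def triage(entries):
    """Return (category, key, name, value) findings for the lockdown patterns."""
    findings = []
    autorun_keys = defaultdict(list)
    for key, name, value in entries:
        k, n = key.lower(), name.lower()
        leaf = k.rsplit('\\', 1)[-1]
        if leaf == 'system' and '\\policies\\' in k and n in LOCKOUT_POLICIES and value == 1:
            findings.append(('lockout_policy', key, name, value))
        elif 'security center' in k and n in SECCENTER_SUPPRESS and value == 1:
            findings.append(('security_center_suppressed', key, name, value))
        elif 'firewallpolicy' in k and n == 'enablefirewall' and value == 0:
            findings.append(('firewall_disabled', key, name, value))
        elif leaf in AUTORUN_LEAVES:
            autorun_keys[name].append(key)
            # RunServices is a Windows 9x-era key; current installers do not write to it.
            if leaf.startswith('runservices'):
                findings.append(('legacy_runservices_entry', key, name, value))
            # A bare file name is resolved through the search path, so the log alone
            # does not tell you which file actually runs (RTHDCPL.EXE is legitimate here).
            if isinstance(value, str) and '\\' not in value:
                findings.append(('bare_filename_autorun', key, name, value))
    # The same value name planted under HKCU, HKLM and HKU\.DEFAULT is the replication
    # pattern shown by "Windows Service Base" here and "Supports RAS Connections" in MBAR.
    for name, keys in autorun_keys.items():
        if len(keys) >= 3:
            findings.append(('replicated_autorun', ' | '.join(keys), name, len(keys)))
    return findings


def summarize(findings):
    """Count findings per category."""
    return Counter(f[0] for f in findings)


if __name__ == '__main__':
    results = triage(parse_reg_loading_points(SAMPLE_LOG))
    for f in results:
        print(f)
    print(dict(summarize(results)))
```

Run it against the real "Reg Loading Points" section by pasting that block in place of SAMPLE_LOG; the replicated_autorun and lockout_policy hits are the ones to correlate with the running processes list (here c:\windows\system32\safari.exe), since deleting the policy values without stopping the process that rewrites them is why the lockout returns after each reboot.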


#26
gringo_pr
    Trusted Helper
  • Malware Removal
  • 7,268 posts
Hello DannieRay


Just a heads-up: this will be the last post for a couple of hours (8 hours).

Let's get a deeper look into the system and see if something shows up.

Download and run OTL

Download OTL by Old Timer and save it to your Desktop.
  • Double click on OTL.exe to run it.
  • Under Output, ensure that Minimal Output is selected.
  • Under Extra Registry section, select Use SafeList.
  • Click the Scan All Users checkbox.
  • Click on Run Scan at the top left hand corner.
  • When done, two Notepad files will open.
    • OTL.txt <-- Will be opened; this is the one I need posted back here
    • Extra.txt <-- Will be minimized - save this one on your desktop in case I ask for it later
  • Please post the contents of OTL.txt in your next reply.

Gringo

#27
DannieRay
    Member
  • Topic Starter
  • 24 posts
OTL logfile created on: 25/02/2013 5:28:21 - Run 3
OTL by OldTimer - Version 3.2.69.0 Folder = C:\Documents and Settings\Administrador\Escritorio
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 0000040A | Country: España | Language: ESP | Date Format: dd/MM/yyyy

958,42 Mb Total Physical Memory | 398,80 Mb Available Physical Memory | 41,61% Memory free
2,26 Gb Paging File | 1,60 Gb Available in Paging File | 70,85% Paging File free
Paging file location(s): C:\pagefile.sys 1440 2880 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Archivos de programa
Drive C: | 76,68 Gb Total Space | 56,55 Gb Free Space | 73,74% Space Free | Partition Type: NTFS

Computer Name: DESKTOP | User Name: Administrador | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - C:\Documents and Settings\Administrador\Escritorio\OTL.exe (OldTimer Tools)
PRC - C:\WINDOWS\Temp\rncrye.exe ()
PRC - C:\WINDOWS\Temp\winrlmkal.exe ()
PRC - C:\WINDOWS\system32\safari.exe (Google Inc.)
PRC - C:\Documents and Settings\Administrador\Configuración local\Datos de programa\Google\Chrome\Application\chrome.exe (Google Inc.)
PRC - C:\Archivos de programa\Malwarebytes' Anti-Malware\mbamscheduler.exe (Malwarebytes Corporation)
PRC - C:\Archivos de programa\Archivos comunes\Adobe\ARM\1.0\AdobeARM.exe (Adobe Systems Incorporated)
PRC - C:\Archivos de programa\AVG\AVG2012\avgwdsvc.exe (AVG Technologies CZ, s.r.o.)
PRC - C:\Archivos de programa\Archivos comunes\Microsoft Shared\Virtualization Handler\CVHSVC.EXE (Microsoft Corporation)
PRC - C:\Archivos de programa\Microsoft Application Virtualization Client\sftvsa.exe (Microsoft Corporation)
PRC - C:\Archivos de programa\Microsoft Application Virtualization Client\sftlist.exe (Microsoft Corporation)
PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
PRC - C:\WINDOWS\system32\WebUpdateSvc4.exe (Data Perceptions / PowerProgrammer)
PRC - C:\Archivos de programa\SarbyxTrayClock\trayclock.exe (SarbyxLabs)


========== Modules (No Company Name) ==========

MOD - C:\WINDOWS\Temp\rncrye.exe ()
MOD - C:\WINDOWS\Temp\winrlmkal.exe ()
MOD - C:\Documents and Settings\Administrador\Configuración local\Datos de programa\Google\Chrome\Application\25.0.1364.97\ppgooglenaclpluginchrome.dll ()
MOD - C:\Documents and Settings\Administrador\Configuración local\Datos de programa\Google\Chrome\Application\25.0.1364.97\PepperFlash\pepflashplayer.dll ()
MOD - C:\Documents and Settings\Administrador\Configuración local\Datos de programa\Google\Chrome\Application\25.0.1364.97\pdf.dll ()
MOD - C:\Documents and Settings\Administrador\Configuración local\Datos de programa\Google\Chrome\Application\25.0.1364.97\ffmpegsumo.dll ()
MOD - C:\Archivos de programa\Archivos comunes\Adobe\Acrobat\ActiveX\PDFShell.ESP ()
MOD - C:\WINDOWS\system32\msdmo.dll ()
MOD - C:\WINDOWS\system32\nvshell.dll ()
MOD - C:\WINDOWS\system32\nvapi.dll ()


========== Services (SafeList) ==========

SRV - (kkwebzkt) -- C:\WINDOWS\system32\uwhnk.dll File not found
SRV - (HidServ) -- %SystemRoot%\System32\hidserv.dll File not found
SRV - (ERSvc) -- %SystemRoot%\System32\ersvc.dll File not found
SRV - (MBAMService) -- C:\Archivos de programa\Malwarebytes' Anti-Malware\mbamservice.exe (Malwarebytes Corporation)
SRV - (MBAMScheduler) -- C:\Archivos de programa\Malwarebytes' Anti-Malware\mbamscheduler.exe (Malwarebytes Corporation)
SRV - (AVGIDSAgent) -- C:\Archivos de programa\AVG\AVG2012\AVGIDSAgent.exe (AVG Technologies CZ, s.r.o.)
SRV - (avgwd) -- C:\Archivos de programa\AVG\AVG2012\avgwdsvc.exe (AVG Technologies CZ, s.r.o.)
SRV - (cvhsvc) -- C:\Archivos de programa\Archivos comunes\Microsoft Shared\Virtualization Handler\CVHSVC.EXE (Microsoft Corporation)
SRV - (osppsvc) -- C:\Archivos de programa\Archivos comunes\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE (Microsoft Corporation)
SRV - (ose) -- C:\Archivos de programa\Archivos comunes\Microsoft Shared\Source Engine\OSE.EXE (Microsoft Corporation)
SRV - (sftvsa) -- C:\Archivos de programa\Microsoft Application Virtualization Client\sftvsa.exe (Microsoft Corporation)
SRV - (sftlist) -- C:\Archivos de programa\Microsoft Application Virtualization Client\sftlist.exe (Microsoft Corporation)
SRV - (WebUpdate4) -- C:\WINDOWS\system32\WebUpdateSvc4.exe (Data Perceptions / PowerProgrammer)
SRV - (odserv) -- C:\Archivos de programa\Archivos comunes\Microsoft Shared\OFFICE12\ODSERV.EXE (Microsoft Corporation)


========== Driver Services (SafeList) ==========

DRV - (WDICA) -- File not found
DRV - (PDRFRAME) -- File not found
DRV - (PDRELI) -- File not found
DRV - (PDFRAME) -- File not found
DRV - (PDCOMP) -- File not found
DRV - (PCIDump) -- File not found
DRV - (mbr) -- C:\Windows\Temp\mbr.sys File not found
DRV - (lbrtfdc) -- File not found
DRV - (i2omgmt) -- File not found
DRV - (Changer) -- File not found
DRV - (catchme) -- C:\ComboFix\catchme.sys File not found
DRV - (MBAMProtector) -- C:\WINDOWS\system32\drivers\mbam.sys (Malwarebytes Corporation)
DRV - (sptd) -- C:\WINDOWS\system32\drivers\sptd.sys ()
DRV - (Avgldx86) -- C:\WINDOWS\system32\drivers\avgldx86.sys (AVG Technologies CZ, s.r.o.)
DRV - (AVGIDSShim) -- C:\WINDOWS\system32\drivers\AVGIDSShim.sys (AVG Technologies CZ, s.r.o. )
DRV - (Avgrkx86) -- C:\WINDOWS\system32\drivers\avgrkx86.sys (AVG Technologies CZ, s.r.o.)
DRV - (Avgmfx86) -- C:\WINDOWS\system32\drivers\avgmfx86.sys (AVG Technologies CZ, s.r.o.)
DRV - (Avgtdix) -- C:\WINDOWS\system32\drivers\avgtdix.sys (AVG Technologies CZ, s.r.o.)
DRV - (AVGIDSFilter) -- C:\WINDOWS\system32\drivers\AVGIDSFilter.sys (AVG Technologies CZ, s.r.o. )
DRV - (AVGIDSEH) -- C:\WINDOWS\system32\drivers\AVGIDSEH.sys (AVG Technologies CZ, s.r.o. )
DRV - (AVGIDSDriver) -- C:\WINDOWS\system32\drivers\AVGIDSDriver.sys (AVG Technologies CZ, s.r.o. )
DRV - (Sftredir) -- C:\WINDOWS\system32\drivers\Sftredirxp.sys (Microsoft Corporation)
DRV - (Sftvol) -- C:\WINDOWS\system32\drivers\Sftvolxp.sys (Microsoft Corporation)
DRV - (Sftplay) -- C:\WINDOWS\system32\drivers\Sftplayxp.sys (Microsoft Corporation)
DRV - (Sftfs) -- C:\WINDOWS\system32\drivers\Sftfsxp.sys (Microsoft Corporation)
DRV - (nvatabus) -- C:\WINDOWS\System32\drivers\nvatabus.sys (NVIDIA Corporation)
DRV - (IntcAzAudAddService) -- C:\WINDOWS\system32\drivers\RtkHDAud.sys (Realtek Semiconductor Corp.)
DRV - (nvnetbus) -- C:\WINDOWS\system32\drivers\nvnetbus.sys (NVIDIA Corporation)
DRV - (NVENETFD) -- C:\WINDOWS\system32\drivers\NVENETFD.sys (NVIDIA Corporation)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\..\SearchScopes,DefaultScope =
IE - HKLM\..\SearchScopes\{EF42295F-E2B1-4709-AEC0-C9AF5E616138}: "URL" = http://www.google.co...={searchTerms}1


IE - HKU\.DEFAULT\Software\Microsoft\Internet Explorer\SearchURL\g, = http://www.google.es...ID:1&hl=es&q=%s
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Internet Explorer\SearchURL\g, = http://www.google.es...ID:1&hl=es&q=%s
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.busca7.com/
IE - HKU\S-1-5-19\Software\Microsoft\Internet Explorer\SearchURL\g, = http://www.google.es...ID:1&hl=es&q=%s
IE - HKU\S-1-5-19\..\SearchScopes,DefaultScope =

IE - HKU\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.busca7.com/
IE - HKU\S-1-5-20\Software\Microsoft\Internet Explorer\SearchURL\g, = http://www.google.es...ID:1&hl=es&q=%s
IE - HKU\S-1-5-20\..\SearchScopes,DefaultScope =

IE - HKU\S-1-5-21-436374069-484763869-1801674531-500\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Google
IE - HKU\S-1-5-21-436374069-484763869-1801674531-500\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = http://www.google.co...q={searchTerms}
IE - HKU\S-1-5-21-436374069-484763869-1801674531-500\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com
IE - HKU\S-1-5-21-436374069-484763869-1801674531-500\Software\Microsoft\Internet Explorer\SearchURL\g, = http://www.google.es...ID:1&hl=es&q=%s
IE - HKU\S-1-5-21-436374069-484763869-1801674531-500\..\SearchScopes,DefaultScope =
IE - HKU\S-1-5-21-436374069-484763869-1801674531-500\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/...ms}&FORM=IE8SRC
IE - HKU\S-1-5-21-436374069-484763869-1801674531-500\..\SearchScopes\{1B977990-FE78-49E1-B0DA-57B5543F5E8F}: "URL" = http://www.google.co...q={searchTerms}
IE - HKU\S-1-5-21-436374069-484763869-1801674531-500\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = http://www.bing.com/...ms}&FORM=IE8SRC
IE - HKU\S-1-5-21-436374069-484763869-1801674531-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0


========== FireFox ==========

FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Archivos de programa\Java\jre6\bin\plugin2\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/SharePoint,version=14.0: C:\ARCHIV~1\MICROS~1\Office14\NPSPWRAP.DLL (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Archivos de programa\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Documents and Settings\Administrador\Configuración local\Datos de programa\Google\Update\1.3.21.135\npGoogleUpdate3.dll (Google Inc.)
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Documents and Settings\Administrador\Configuración local\Datos de programa\Google\Update\1.3.21.135\npGoogleUpdate3.dll (Google Inc.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\extensions\\{1E73965B-8B48-48be-9C8D-68B920ABC1C4}: C:\Archivos de programa\AVG\AVG2012\Firefox4\ [2007/03/03 10:09:43 | 000,000,000 | ---D | M]

[2012/04/06 23:36:51 | 000,000,000 | ---D | M] (No name found) -- C:\Archivos de programa\Mozilla Firefox\extensions

========== Chrome ==========

CHR - default_search_provider: Google (Enabled)
CHR - default_search_provider: search_url = {google:baseURL}search?q={searchTerms}&{google:RLZ}{google:acceptedSuggestion}{google:originalQueryForSuggestion}{google:assistedQueryStats}{google:searchFieldtrialParameter}{google:searchClient}{google:sourceId}{google:instantExtendedEnabledParameter}ie={inputEncoding}
CHR - default_search_provider: suggest_url = {google:baseSuggestURL}search?{google:searchFieldtrialParameter}client=chrome&q={searchTerms}&{google:cursorPosition}sugkey={google:suggestAPIKeyParameter}
CHR - homepage: http://www.google.com/
CHR - plugin: Remoting Viewer (Enabled) = internal-remoting-viewer
CHR - plugin: Native Client (Enabled) = C:\Documents and Settings\Administrador\Configuraci\u00F3n local\Datos de programa\Google\Chrome\Application\25.0.1364.97\ppGoogleNaClPluginChrome.dll
CHR - plugin: Chrome PDF Viewer (Enabled) = C:\Documents and Settings\Administrador\Configuraci\u00F3n local\Datos de programa\Google\Chrome\Application\25.0.1364.97\pdf.dll
CHR - plugin: Shockwave Flash (Enabled) = C:\Documents and Settings\Administrador\Configuraci\u00F3n local\Datos de programa\Google\Chrome\Application\25.0.1364.97\gcswf32.dll
CHR - plugin: Iminent (Enabled) = C:\Documents and Settings\Administrador\Configuracin local\Datos de programa\Google\Chrome\User Data\Default\Extensions\igdhbblpcellaljokkpfhcjlagemhgjl\4.43.0_0\npIminent.dll
CHR - plugin: AVG Internet Security (Enabled) = C:\Documents and Settings\Administrador\Configuracin local\Datos de programa\Google\Chrome\User Data\Default\Extensions\jmfkcklnlgedgbglfkkgedjfmejoahla\12.0.0.1901_0\plugins/avgnpss.dll
CHR - plugin: Adobe Acrobat (Enabled) = C:\Archivos de programa\Adobe\Reader 10.0\Reader\Browser\nppdf32.dll
CHR - plugin: Microsoft DRM (Enabled) = C:\Archivos de programa\Windows Media Player\npdrmv2.dll
CHR - plugin: Microsoft DRM (Enabled) = C:\Archivos de programa\Windows Media Player\npwmsdrm.dll
CHR - plugin: Windows Media Player Plug-in Dynamic Link Library (Enabled) = C:\Archivos de programa\Windows Media Player\npdsplay.dll
CHR - plugin: Java™ Platform SE 6 U31 (Enabled) = C:\Archivos de programa\Java\jre6\bin\plugin2\npjp2.dll
CHR - plugin: Google Update (Enabled) = C:\Documents and Settings\Administrador\Configuracin local\Datos de programa\Google\Update\1.3.21.99\npGoogleUpdate3.dll
CHR - plugin: Default Plug-in (Enabled) = default_plugin

O1 HOSTS File: ([2013/02/25 05:14:20 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Adobe PDF Link Helper) - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Archivos de programa\Archivos comunes\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)
O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Archivos de programa\AVG\AVG2012\avgssie.dll (AVG Technologies CZ, s.r.o.)
O2 - BHO: (Java™ Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Archivos de programa\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [Adobe ARM] C:\Archivos de programa\Archivos comunes\Adobe\ARM\1.0\AdobeARM.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [AVG_TRAY] C:\Archivos de programa\AVG\AVG2012\avgtray.exe (AVG Technologies CZ, s.r.o.)
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [Windows Service Base] C:\WINDOWS\System32\safari.exe (Google Inc.)
O4 - HKU\.DEFAULT..\Run: [Windows Service Base] C:\WINDOWS\System32\safari.exe (Google Inc.)
O4 - HKU\S-1-5-18..\Run: [Windows Service Base] C:\WINDOWS\System32\safari.exe (Google Inc.)
O4 - HKU\S-1-5-21-436374069-484763869-1801674531-500..\Run: [SarbyxTrayClock] C:\Archivos de programa\SarbyxTrayClock\trayclock.exe (SarbyxLabs)
O4 - HKU\S-1-5-21-436374069-484763869-1801674531-500..\Run: [Windows Service Base] C:\WINDOWS\System32\safari.exe (Google Inc.)
O4 - HKU\.DEFAULT..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 File not found
O4 - HKU\S-1-5-18..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 File not found
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDesktopCleanupWizard = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoRemoteRecursiveEvents = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableStatusMessages = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: VerboseStatus = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: NoInternetOpenWith = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSMHelp = 1
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSMConfigurePrograms = 1
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSMMyPictures = 1
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoLowDiskSpaceChecks = 1
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoResolveTrack = 1
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: LinkResolveIgnoreLinkInfo = 1
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoResolveSearch = 1
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSMHelp = 1
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSMConfigurePrograms = 1
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSMMyPictures = 1
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoLowDiskSpaceChecks = 1
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoResolveTrack = 1
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: LinkResolveIgnoreLinkInfo = 1
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoResolveSearch = 1
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSMHelp = 1
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSMConfigurePrograms = 1
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSMMyPictures = 1
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoLowDiskSpaceChecks = 1
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoResolveTrack = 1
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: LinkResolveIgnoreLinkInfo = 1
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoResolveSearch = 1
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSMHelp = 1
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSMConfigurePrograms = 1
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSMMyPictures = 1
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoLowDiskSpaceChecks = 1
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoResolveTrack = 1
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: LinkResolveIgnoreLinkInfo = 1
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoResolveSearch = 1
O7 - HKU\S-1-5-21-436374069-484763869-1801674531-500\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-436374069-484763869-1801674531-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-21-436374069-484763869-1801674531-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSMHelp = 0
O7 - HKU\S-1-5-21-436374069-484763869-1801674531-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSMConfigurePrograms = 1
O7 - HKU\S-1-5-21-436374069-484763869-1801674531-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSMMyPictures = 1
O7 - HKU\S-1-5-21-436374069-484763869-1801674531-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoLowDiskSpaceChecks = 1
O7 - HKU\S-1-5-21-436374069-484763869-1801674531-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoResolveTrack = 1
O7 - HKU\S-1-5-21-436374069-484763869-1801674531-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: LinkResolveIgnoreLinkInfo = 1
O7 - HKU\S-1-5-21-436374069-484763869-1801674531-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoResolveSearch = 1
O7 - HKU\S-1-5-21-436374069-484763869-1801674531-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-21-436374069-484763869-1801674531-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\S-1-5-21-436374069-484763869-1801674531-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableTaskMgr = 1
O7 - HKU\S-1-5-21-436374069-484763869-1801674531-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableRegistryTools = 1
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_31)
O16 - DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_31)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_31)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.m...ash/swflash.cab (Shockwave Flash Object)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 200.75.0.4 200.75.25.224
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{52BDC726-4B8F-49DF-A67E-971C9DF0323D}: DhcpNameServer = 200.75.0.4 200.75.25.224
O18 - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Archivos de programa\AVG\AVG2012\avgpp.dll (AVG Technologies CZ, s.r.o.)
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Archivos de programa\Archivos comunes\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Archivos de programa\Archivos comunes\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Archivos de programa\Archivos comunes\Microsoft Shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Archivos de programa\Archivos comunes\Microsoft Shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O24 - Desktop Components:0 (Mi página de inicio actual) - About:Home
O24 - Desktop WallPaper: C:\Documents and Settings\Administrador\Configuración local\Datos de programa\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Administrador\Configuración local\Datos de programa\Microsoft\Wallpaper1.bmp
O28 - HKLM ShellExecuteHooks: {AEB6717E-7E19-11d0-97EE-00C04FD91972} - No CLSID value found.
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2012/03/03 00:31:14 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)

========== Files/Folders - Created Within 30 Days ==========

[2013/02/25 05:27:13 | 000,602,112 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Administrador\Escritorio\OTL.exe
[2013/02/25 05:07:34 | 000,518,144 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2013/02/25 05:07:34 | 000,406,528 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2013/02/25 05:07:34 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2013/02/25 05:07:34 | 000,060,416 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2013/02/25 05:07:27 | 000,000,000 | ---D | C] -- C:\Qoobox
[2013/02/25 05:07:05 | 005,116,814 | R--- | C] (Swearware) -- C:\Documents and Settings\Administrador\Escritorio\ComboFix.exe
[2013/02/25 03:40:37 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrador\Escritorio\mbar-1.01.0.1020
[2013/02/25 03:40:29 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Menú Inicio\Programas\WinRAR
[2013/02/25 03:40:29 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrador\Menú Inicio\Programas\WinRAR
[2013/02/25 03:04:19 | 000,000,000 | ---D | C] -- C:\WINDOWS\Prefetch
[2013/02/25 03:02:01 | 000,000,000 | ---D | C] -- C:\Archivos de programa\Messenger
[2013/02/25 03:02:00 | 001,306,624 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\msxml6.dll
[2013/02/25 03:02:00 | 000,103,424 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\dpcdll.dll
[2013/02/25 03:02:00 | 000,090,624 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\msxml6r.dll
[2013/02/25 03:02:00 | 000,046,592 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\drivers\irbus.sys
[2013/02/25 03:02:00 | 000,032,768 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\asr_pfu.exe
[2013/02/25 03:02:00 | 000,010,752 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\smtpapi.dll
[2013/02/25 03:02:00 | 000,009,728 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\rwnh.dll
[2013/02/25 03:02:00 | 000,009,728 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\comsdupd.exe
[2013/02/25 03:01:59 | 001,888,992 | ---- | C] (ATI Technologies Inc. ) -- C:\WINDOWS\System32\ati3duag.dll
[2013/02/25 03:01:59 | 001,737,856 | ---- | C] (Matrox Graphics Inc.) -- C:\WINDOWS\System32\mtxparhd.dll
[2013/02/25 03:01:59 | 000,870,784 | ---- | C] (ATI Technologies Inc. ) -- C:\WINDOWS\System32\ati3d1ag.dll
[2013/02/25 03:01:59 | 000,516,768 | ---- | C] (ATI Technologies Inc. ) -- C:\WINDOWS\System32\ativvaxx.dll
[2013/02/25 03:01:59 | 000,397,056 | ---- | C] (S3 Graphics, Inc.) -- C:\WINDOWS\System32\s3gnb.dll
[2013/02/25 03:01:59 | 000,377,984 | ---- | C] (ATI Technologies Inc.) -- C:\WINDOWS\System32\ati2dvaa.dll
[2013/02/25 03:01:59 | 000,286,792 | ---- | C] (Smart Link) -- C:\WINDOWS\System32\slextspk.dll
[2013/02/25 03:01:59 | 000,229,376 | ---- | C] (ATI Technologies Inc.) -- C:\WINDOWS\System32\ati2cqag.dll
[2013/02/25 03:01:59 | 000,201,728 | ---- | C] (ATI Technologies Inc.) -- C:\WINDOWS\System32\ati2dvag.dll
[2013/02/25 03:01:59 | 000,188,508 | ---- | C] (Smart Link) -- C:\WINDOWS\System32\slgen.dll
[2013/02/25 03:01:59 | 000,148,480 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\wscui.cpl
[2013/02/25 03:01:59 | 000,086,016 | ---- | C] (Conexant) -- C:\WINDOWS\System32\mdmxsdk.dll
[2013/02/25 03:01:59 | 000,073,832 | ---- | C] (Smart Link) -- C:\WINDOWS\System32\slcoinst.dll
[2013/02/25 03:01:59 | 000,073,796 | ---- | C] (Smart Link) -- C:\WINDOWS\System32\slserv.exe
[2013/02/25 03:01:59 | 000,071,680 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\blastcln.exe
[2013/02/25 03:01:59 | 000,032,866 | ---- | C] (Smart Link) -- C:\WINDOWS\System32\slrundll.exe
[2013/02/25 03:01:59 | 000,032,866 | ---- | C] (Smart Link) -- C:\WINDOWS\slrundll.exe
[2013/02/25 03:01:59 | 000,032,768 | ---- | C] (ATI Technologies Inc.) -- C:\WINDOWS\System32\ativtmxx.dll
[2013/02/25 03:01:59 | 000,032,285 | ---- | C] (Conexant Systems, Inc.) -- C:\WINDOWS\System32\hsfcisp2.dll
[2013/02/25 03:01:59 | 000,028,672 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\vidcap.ax
[2013/02/25 03:01:59 | 000,023,040 | ---- | C] (ATI Technologies Inc.) -- C:\WINDOWS\System32\ativmvxx.ax
[2013/02/25 03:01:59 | 000,009,728 | ---- | C] (ATI Technologies Inc.) -- C:\WINDOWS\System32\ativdaxx.ax
[2013/02/25 03:01:57 | 000,000,000 | ---D | C] -- C:\Archivos de programa\msn
[2013/02/25 03:01:57 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\bits
[2013/02/25 03:00:10 | 000,000,000 | ---D | C] -- C:\WINDOWS\ServicePackFiles
[2013/02/25 03:00:06 | 000,063,663 | ---- | C] (ATI Technologies Inc.) -- C:\WINDOWS\System32\drivers\ati1rvxx.sys
[2013/02/25 03:00:06 | 000,056,623 | ---- | C] (ATI Technologies Inc.) -- C:\WINDOWS\System32\drivers\ati1btxx.sys
[2013/02/25 03:00:06 | 000,030,671 | ---- | C] (ATI Technologies Inc.) -- C:\WINDOWS\System32\drivers\ati1raxx.sys
[2013/02/25 03:00:06 | 000,012,047 | ---- | C] (ATI Technologies Inc.) -- C:\WINDOWS\System32\drivers\ati1pdxx.sys
[2013/02/25 03:00:06 | 000,011,615 | ---- | C] (ATI Technologies Inc.) -- C:\WINDOWS\System32\drivers\ati1mdxx.sys
[2013/02/25 03:00:06 | 000,004,255 | ---- | C] (Intel® Corporation) -- C:\WINDOWS\System32\drivers\adv01nt5.dll
[2013/02/25 03:00:06 | 000,003,967 | ---- | C] (Intel® Corporation) -- C:\WINDOWS\System32\drivers\adv02nt5.dll
[2013/02/25 03:00:06 | 000,003,775 | ---- | C] (Intel® Corporation) -- C:\WINDOWS\System32\drivers\adv11nt5.dll
[2013/02/25 03:00:06 | 000,003,711 | ---- | C] (Intel® Corporation) -- C:\WINDOWS\System32\drivers\adv09nt5.dll
[2013/02/25 03:00:06 | 000,003,647 | ---- | C] (Intel® Corporation) -- C:\WINDOWS\System32\drivers\adv07nt5.dll
[2013/02/25 03:00:06 | 000,003,615 | ---- | C] (Intel® Corporation) -- C:\WINDOWS\System32\drivers\adv05nt5.dll
[2013/02/25 03:00:06 | 000,003,135 | ---- | C] (Intel® Corporation) -- C:\WINDOWS\System32\drivers\adv08nt5.dll
[2013/02/25 03:00:05 | 000,701,440 | ---- | C] (ATI Technologies Inc.) -- C:\WINDOWS\System32\drivers\ati2mtag.sys
[2013/02/25 03:00:05 | 000,327,168 | ---- | C] (ATI Technologies Inc.) -- C:\WINDOWS\System32\drivers\ati2mtaa.sys
[2013/02/25 03:00:05 | 000,104,960 | ---- | C] (ATI Technologies Inc.) -- C:\WINDOWS\System32\drivers\atinrvxx.sys
[2013/02/25 03:00:05 | 000,073,216 | ---- | C] (ATI Technologies Inc.) -- C:\WINDOWS\System32\drivers\atintuxx.sys
[2013/02/25 03:00:05 | 000,063,488 | ---- | C] (ATI Technologies Inc.) -- C:\WINDOWS\System32\drivers\atinxsxx.sys
[2013/02/25 03:00:05 | 000,057,856 | ---- | C] (ATI Technologies Inc.) -- C:\WINDOWS\System32\drivers\atinbtxx.sys
[2013/02/25 03:00:05 | 000,052,224 | ---- | C] (ATI Technologies Inc.) -- C:\WINDOWS\System32\drivers\atinraxx.sys
[2013/02/25 03:00:05 | 000,036,480 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\drivers\bthprint.sys
[2013/02/25 03:00:05 | 000,036,463 | ---- | C] (ATI Technologies Inc.) -- C:\WINDOWS\System32\drivers\ati1tuxx.sys
[2013/02/25 03:00:05 | 000,034,735 | ---- | C] (ATI Technologies Inc.) -- C:\WINDOWS\System32\drivers\ati1xsxx.sys
[2013/02/25 03:00:05 | 000,031,744 | ---- | C] (ATI Technologies Inc.) -- C:\WINDOWS\System32\drivers\atinxbxx.sys
[2013/02/25 03:00:05 | 000,029,455 | ---- | C] (ATI Technologies Inc.) -- C:\WINDOWS\System32\drivers\ati1xbxx.sys
[2013/02/25 03:00:05 | 000,028,672 | ---- | C] (ATI Technologies Inc.) -- C:\WINDOWS\System32\drivers\atinsnxx.sys
[2013/02/25 03:00:05 | 000,026,367 | ---- | C] (ATI Technologies Inc.) -- C:\WINDOWS\System32\drivers\ati1snxx.sys
[2013/02/25 03:00:05 | 000,025,471 | ---- | C] (Intel® Corporation) -- C:\WINDOWS\System32\drivers\atv04nt5.dll
[2013/02/25 03:00:05 | 000,021,343 | ---- | C] (ATI Technologies Inc.) -- C:\WINDOWS\System32\drivers\ati1ttxx.sys
[2013/02/25 03:00:05 | 000,021,183 | ---- | C] (Intel® Corporation) -- C:\WINDOWS\System32\drivers\atv01nt5.dll
[2013/02/25 03:00:05 | 000,017,279 | ---- | C] (Intel® Corporation) -- C:\WINDOWS\System32\drivers\atv10nt5.dll
[2013/02/25 03:00:05 | 000,014,336 | ---- | C] (ATI Technologies Inc.) -- C:\WINDOWS\System32\drivers\atinpdxx.sys
[2013/02/25 03:00:05 | 000,014,143 | ---- | C] (Intel® Corporation) -- C:\WINDOWS\System32\drivers\atv06nt5.dll
[2013/02/25 03:00:05 | 000,013,824 | ---- | C] (ATI Technologies Inc.) -- C:\WINDOWS\System32\drivers\atinttxx.sys
[2013/02/25 03:00:05 | 000,013,824 | ---- | C] (ATI Technologies Inc.) -- C:\WINDOWS\System32\drivers\atinmdxx.sys
[2013/02/25 03:00:05 | 000,011,359 | ---- | C] (Intel® Corporation) -- C:\WINDOWS\System32\drivers\atv02nt5.dll
[2013/02/25 03:00:04 | 001,309,184 | ---- | C] (Smart Link) -- C:\WINDOWS\System32\drivers\mtlstrm.sys
[2013/02/25 03:00:04 | 000,452,736 | ---- | C] (Matrox Graphics Inc.) -- C:\WINDOWS\System32\drivers\mtxparhm.sys
[2013/02/25 03:00:04 | 000,404,990 | ---- | C] (Smart Link) -- C:\WINDOWS\System32\drivers\slntamr.sys
[2013/02/25 03:00:04 | 000,180,360 | ---- | C] (Smart Link) -- C:\WINDOWS\System32\drivers\ntmtlfax.sys
[2013/02/25 03:00:04 | 000,166,912 | ---- | C] (S3 Graphics, Inc.) -- C:\WINDOWS\System32\drivers\s3gnbm.sys
[2013/02/25 03:00:04 | 000,129,535 | ---- | C] (Smart Link) -- C:\WINDOWS\System32\drivers\slnt7554.sys
[2013/02/25 03:00:04 | 000,126,686 | ---- | C] (Smart Link) -- C:\WINDOWS\System32\drivers\mtlmnt5.sys
[2013/02/25 03:00:04 | 000,095,424 | ---- | C] (Smart Link) -- C:\WINDOWS\System32\drivers\slnthal.sys
[2013/02/25 03:00:04 | 000,030,592 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\drivers\rndismpx.sys
[2013/02/25 03:00:04 | 000,015,423 | ---- | C] (Intel® Corporation) -- C:\WINDOWS\System32\drivers\ch7xxnt5.dll
[2013/02/25 03:00:04 | 000,013,776 | ---- | C] (Smart Link) -- C:\WINDOWS\System32\drivers\recagent.sys
[2013/02/25 03:00:04 | 000,013,240 | ---- | C] (Smart Link) -- C:\WINDOWS\System32\drivers\slwdmsup.sys
[2013/02/25 03:00:04 | 000,012,672 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\drivers\mutohpen.sys
[2013/02/25 03:00:04 | 000,005,888 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\drivers\smbali.sys
[2013/02/25 03:00:04 | 000,003,901 | ---- | C] (Intel® Corporation) -- C:\WINDOWS\System32\drivers\siint5.dll
[2013/02/25 03:00:03 | 000,025,471 | ---- | C] (Intel® Corporation) -- C:\WINDOWS\System32\drivers\watv10nt.sys
[2013/02/25 03:00:03 | 000,022,271 | ---- | C] (Intel® Corporation) -- C:\WINDOWS\System32\drivers\watv06nt.sys
[2013/02/25 03:00:03 | 000,011,935 | ---- | C] (Intel® Corporation) -- C:\WINDOWS\System32\drivers\wadv11nt.sys
[2013/02/25 03:00:03 | 000,011,871 | ---- | C] (Intel® Corporation) -- C:\WINDOWS\System32\drivers\wadv09nt.sys
[2013/02/25 03:00:03 | 000,011,807 | ---- | C] (Intel® Corporation) -- C:\WINDOWS\System32\drivers\wadv07nt.sys
[2013/02/25 03:00:03 | 000,011,325 | ---- | C] (Intel® Corporation) -- C:\WINDOWS\System32\drivers\vchnt5.dll
[2013/02/25 03:00:03 | 000,011,295 | ---- | C] (Intel® Corporation) -- C:\WINDOWS\System32\drivers\wadv08nt.sys
[2013/02/25 02:58:23 | 000,000,000 | ---D | C] -- C:\WINDOWS\EHome
[2013/02/25 01:00:29 | 000,000,000 | ---D | C] -- C:\Archivos de programa\xerox
[2013/02/25 01:00:28 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\xircom
[2013/02/25 01:00:28 | 000,000,000 | ---D | C] -- C:\WINDOWS\srchasst
[2013/02/25 01:00:28 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\oobe
[2013/02/25 01:00:28 | 000,000,000 | ---D | C] -- C:\Archivos de programa\movie maker
[2013/02/25 01:00:26 | 000,000,000 | ---D | C] -- C:\Archivos de programa\msn gaming zone
[2013/02/25 01:00:26 | 000,000,000 | ---D | C] -- C:\WINDOWS\msagent
[2013/02/25 01:00:26 | 000,000,000 | ---D | C] -- C:\Archivos de programa\microsoft frontpage
[2013/02/25 00:54:51 | 000,000,000 | RHSD | C] -- C:\cmdcons
[2013/02/25 00:53:54 | 000,000,000 | --SD | C] -- C:\Documents and Settings\All Users\Documentos\Mis vídeos
[2013/02/25 00:53:54 | 000,000,000 | --SD | C] -- C:\Documents and Settings\Administrador\Mis documentos\Mis vídeos
[2013/02/25 00:53:54 | 000,000,000 | --SD | C] -- C:\Documents and Settings\Administrador\Menú Inicio\Programas\Herramientas administrativas
[2013/02/25 00:53:44 | 000,000,000 | ---D | C] -- C:\WINDOWS\erdnt
[2013/02/23 00:46:01 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrador\Menú Inicio\Programas\Disk Heal
[2013/02/23 00:46:00 | 000,000,000 | ---D | C] -- C:\Archivos de programa\Disk Heal
[2013/02/22 21:55:44 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\Administrador\Recent
[2013/02/22 21:37:33 | 000,880,640 | ---- | C] (Google Inc.) -- C:\WINDOWS\System32\safari.exe
[2013/02/22 21:09:42 | 000,257,090 | ---- | C] (Camshare Inc.) -- C:\WINDOWS\goxobx.exe
[2013/02/22 01:30:34 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrador\Datos de programa\Malwarebytes
[2013/02/22 01:30:23 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Menú Inicio\Programas\Malwarebytes' Anti-Malware
[2013/02/22 01:30:21 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Datos de programa\Malwarebytes
[2013/02/22 01:30:20 | 000,021,104 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2013/02/22 01:30:20 | 000,000,000 | ---D | C] -- C:\Archivos de programa\Malwarebytes' Anti-Malware
[2013/02/22 01:24:37 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Menú Inicio\Programas\Defraggler
[2013/02/22 01:24:17 | 000,000,000 | ---D | C] -- C:\Archivos de programa\Defraggler
[2012/02/03 10:44:06 | 001,787,984 | ---- | C] (Funmoods) -- C:\Documents and Settings\Administrador\Configuración local\Datos de programa\funmoods.exe
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2013/02/25 05:27:02 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrador\Escritorio\OTL.exe
[2013/02/25 05:20:00 | 000,257,090 | ---- | M] (Camshare Inc.) -- C:\WINDOWS\goxobx.exe
[2013/02/25 05:14:40 | 000,000,000 | ---- | M] () -- C:\WINDOWS\System32\nvapps.xml
[2013/02/25 05:14:20 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2013/02/25 05:14:10 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2013/02/25 05:14:08 | 000,265,416 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2013/02/25 03:38:52 | 013,711,621 | ---- | M] () -- C:\Documents and Settings\Administrador\Escritorio\mbar-1.01.0.1020.zip
[2013/02/25 01:52:20 | 005,116,814 | R--- | M] (Swearware) -- C:\Documents and Settings\Administrador\Escritorio\ComboFix.exe
[2013/02/25 00:54:55 | 000,000,327 | RHS- | M] () -- C:\boot.ini
[2013/02/25 00:16:45 | 000,115,968 | ---- | M] () -- C:\WINDOWS\java.exe
[2013/02/25 00:03:15 | 000,671,843 | ---- | M] () -- C:\Documents and Settings\Administrador\Escritorio\adwcleaner.exe
[2013/02/24 23:55:47 | 000,955,663 | ---- | M] () -- C:\Documents and Settings\Administrador\Escritorio\SecurityCheck.exe
[2013/02/24 23:49:52 | 000,002,184 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2013/02/23 00:46:01 | 000,000,912 | ---- | M] () -- C:\Documents and Settings\Administrador\Escritorio\Disk Heal.lnk
[2013/02/23 00:35:46 | 000,000,117 | ---- | M] () -- C:\Documents and Settings\Administrador\Escritorio\enable.bat
[2013/02/23 00:33:56 | 000,000,610 | ---- | M] () -- C:\Documents and Settings\Administrador\Escritorio\UnHookExec.inf
[2013/02/23 00:32:02 | 000,000,306 | ---- | M] () -- C:\Documents and Settings\Administrador\Escritorio\EnableTM.reg
[2013/02/22 21:37:53 | 000,880,640 | ---- | M] (Google Inc.) -- C:\WINDOWS\System32\safari.exe
[2013/02/22 21:14:33 | 000,366,246 | ---- | M] () -- C:\WINDOWS\System32\perfh00A.dat
[2013/02/22 21:14:33 | 000,314,952 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2013/02/22 21:14:33 | 000,052,422 | ---- | M] () -- C:\WINDOWS\System32\perfc00A.dat
[2013/02/22 21:14:33 | 000,041,022 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2013/02/22 01:30:24 | 000,000,833 | ---- | M] () -- C:\Documents and Settings\All Users\Escritorio\Malwarebytes Anti-Malware.lnk
[2013/02/22 01:24:37 | 000,001,643 | ---- | M] () -- C:\Documents and Settings\All Users\Escritorio\Defraggler.lnk
[2013/02/22 01:19:32 | 000,000,731 | ---- | M] () -- C:\Documents and Settings\All Users\Escritorio\CCleaner.lnk
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files Created - No Company Name ==========

[2013/02/25 05:07:34 | 000,256,000 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2013/02/25 05:07:34 | 000,208,896 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2013/02/25 05:07:34 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2013/02/25 05:07:34 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2013/02/25 05:07:34 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2013/02/25 03:38:52 | 013,711,621 | ---- | C] () -- C:\Documents and Settings\Administrador\Escritorio\mbar-1.01.0.1020.zip
[2013/02/25 03:00:05 | 000,064,352 | ---- | C] () -- C:\WINDOWS\System32\drivers\ativmc20.cod
[2013/02/25 03:00:04 | 000,129,045 | ---- | C] () -- C:\WINDOWS\System32\drivers\cxthsfs2.cty
[2013/02/25 03:00:04 | 000,067,866 | ---- | C] () -- C:\WINDOWS\System32\drivers\netwlan5.img
[2013/02/25 00:54:55 | 000,000,211 | ---- | C] () -- C:\Boot.bak
[2013/02/25 00:54:52 | 000,260,272 | RHS- | C] () -- C:\cmldr
[2013/02/25 00:16:44 | 000,115,968 | ---- | C] () -- C:\WINDOWS\java.exe
[2013/02/25 00:03:12 | 000,671,843 | ---- | C] () -- C:\Documents and Settings\Administrador\Escritorio\adwcleaner.exe
[2013/02/24 23:55:44 | 000,955,663 | ---- | C] () -- C:\Documents and Settings\Administrador\Escritorio\SecurityCheck.exe
[2013/02/23 00:46:01 | 000,000,912 | ---- | C] () -- C:\Documents and Settings\Administrador\Escritorio\Disk Heal.lnk
[2013/02/23 00:35:27 | 000,000,117 | ---- | C] () -- C:\Documents and Settings\Administrador\Escritorio\enable.bat
[2013/02/23 00:34:00 | 000,000,610 | ---- | C] () -- C:\Documents and Settings\Administrador\Escritorio\UnHookExec.inf
[2013/02/23 00:32:04 | 000,000,306 | ---- | C] () -- C:\Documents and Settings\Administrador\Escritorio\EnableTM.reg
[2013/02/22 01:30:24 | 000,000,833 | ---- | C] () -- C:\Documents and Settings\All Users\Escritorio\Malwarebytes Anti-Malware.lnk
[2013/02/22 01:24:37 | 000,001,643 | ---- | C] () -- C:\Documents and Settings\All Users\Escritorio\Defraggler.lnk
[2012/04/06 22:54:37 | 000,050,547 | ---- | C] () -- C:\WINDOWS\System32\wuwuninst.exe
[2012/03/17 16:08:03 | 000,000,038 | ---- | C] () -- C:\WINDOWS\Progs_.ini
[2012/03/13 22:23:06 | 000,000,069 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2012/03/03 14:53:38 | 000,006,656 | ---- | C] () -- C:\Documents and Settings\Administrador\Configuración local\Datos de programa\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2012/03/03 10:21:52 | 000,165,376 | ---- | C] () -- C:\WINDOWS\System32\unrar.dll
[2012/03/03 10:21:51 | 000,000,038 | ---- | C] () -- C:\WINDOWS\avisplitter.ini
[2012/03/03 10:21:48 | 000,810,496 | ---- | C] () -- C:\WINDOWS\System32\xvidcore.dll
[2012/03/03 10:21:48 | 000,183,808 | ---- | C] () -- C:\WINDOWS\System32\xvidvfw.dll
[2012/03/03 10:21:47 | 000,108,032 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll
[2012/03/03 02:15:15 | 000,001,732 | ---- | C] () -- C:\WINDOWS\System32\drivers\nvphy.bin
[2012/03/03 01:41:27 | 000,049,152 | ---- | C] () -- C:\WINDOWS\System32\ChCfg.exe
[2012/03/03 00:47:53 | 000,000,379 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2012/03/03 00:47:09 | 000,676,224 | ---- | C] () -- C:\WINDOWS\System32\OgaCheckControl.dll
[2012/03/03 00:42:49 | 000,001,324 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2012/03/03 00:32:07 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2012/03/03 00:29:02 | 000,021,900 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2012/03/03 00:25:52 | 000,004,205 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2012/03/03 00:24:26 | 000,265,416 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT

========== ZeroAccess Check ==========


[HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]

[HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
"" = %SystemRoot%\system32\shdocvw.dll -- [2008/04/14 04:48:38 | 001,499,648 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]
"" = %systemroot%\system32\wbem\fastprox.dll -- [2008/04/14 04:48:22 | 000,472,064 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]
"" = %systemroot%\system32\wbem\wbemess.dll -- [2008/04/14 04:48:48 | 000,273,920 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Both

< End of report >
  • 0
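An added example, not from this thread and not part of OTL: a small Python parser for the OTL file-entry lines in the log above, with the review heuristics the helper applies when picking what the fix script should remove (no company name on an executable under Windows, an executable staged in Windows\Temp, hidden+system attributes). The sample section reuses three lines from the log, one constructed line around a Temp path the fix script names, and one entry deliberately missing its leading "[" so the unparsed path is exercised.

```python
import re
# OTL file entry: [timestamp | size | attrs(R/H/S flags) | C=created/M=modified] (company) -- path
OTL_ENTRY = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| (?P<size>[\d,]+) \| "
    r"(?P<attrs>\S{4}) \| (?P<kind>[CM])\] \((?P<company>[^)]*)\) -- (?P<path>.+)$")
EXEC_EXT = (".exe", ".dll", ".sys", ".scr")

def parse_entry(line):
    """Return a dict for a well-formed OTL file entry, or None otherwise."""
    m = OTL_ENTRY.match(line.strip())
    if not m:
        return None
    e = m.groupdict()
    e["size"] = int(e["size"].replace(",", ""))   # "000,256,000" -> 256000
    e["company"] = e["company"].strip()           # "()" means no version-info company
    return e

def triage(e):
    """Reasons an entry deserves review; they mirror what the helper acted on above."""
    p, reasons = e["path"].lower(), []
    if p.endswith(EXEC_EXT):
        if "\\windows\\temp\\" in p:
            reasons.append("executable staged in Windows\\Temp")
        elif not e["company"] and p.startswith("c:\\windows\\"):
            reasons.append("no company name on executable in Windows directory")
    if "H" in e["attrs"] and "S" in e["attrs"]:
        reasons.append("hidden+system attributes set")
    return reasons

def scan(lines):
    # Returns ([(path, reasons), ...], [lines that did not parse])
    findings, unparsed = [], []
    for line in lines:
        if not line.strip() or line.startswith(("=", "<")):
            continue                         # section headers and wildcard summaries
        e = parse_entry(line)
        if e is None:
            unparsed.append(line)            # e.g. an entry whose leading "[" was lost
        elif triage(e):
            findings.append((e["path"], triage(e)))
    return findings, unparsed
# Sample section: the first three lines are copied from the log above, the Temp line is
# constructed around a path the helper's fix script names, and the last lacks its "["
SAMPLE = [
    "[2013/02/25 05:07:34 | 000,256,000 | ---- | C] () -- C:\\WINDOWS\\PEV.exe",
    "[2013/02/22 21:09:42 | 000,257,090 | ---- | C] (Camshare Inc.) -- C:\\WINDOWS\\goxobx.exe",
    "[2013/02/25 00:54:52 | 000,260,272 | RHS- | C] () -- C:\\cmldr",
    "[2013/02/22 21:10:01 | 000,050,688 | ---- | C] () -- C:\\WINDOWS\\Temp\\rncrye.exe",
    "2013/02/22 21:37:33 | 000,880,640 | ---- | C] (Google Inc.) -- C:\\WINDOWS\\System32\\safari.exe",
]
```

Expect legitimate hits: the sample's PEV.exe and cmldr are files ComboFix itself drops, so the output is a review queue rather than a verdict, and a company string is self-reported metadata, not proof of origin.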

#28
gringo_pr

gringo_pr

    Trusted Helper

  • Malware Removal
  • 7,268 posts
Hello DannieRay

I would like you to run this custom script for me now and when it is complete please give me the report and a status update for the computer.

Run OTL Script

  • Double-click OTL.exe to start the program.
  • Copy and paste the following code into the text box.
    :OTL
    O4 - HKU\.DEFAULT..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 File not found
    O4 - HKU\S-1-5-18..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 File not found
    O28 - HKLM ShellExecuteHooks: {AEB6717E-7E19-11d0-97EE-00C04FD91972} - No CLSID value found.
    PRC - C:\WINDOWS\Temp\rncrye.exe ()
    PRC - C:\WINDOWS\Temp\winrlmkal.exe ()
    MOD - C:\WINDOWS\Temp\rncrye.exe ()
    MOD - C:\WINDOWS\Temp\winrlmkal.exe ()
    [2012/02/03 10:44:06 | 001,787,984 | ---- | C] (Funmoods) -- C:\Documents and Settings\Administrador\Configuración local\Datos de programa\funmoods.exe
    SRV - (kkwebzkt) -- C:\WINDOWS\system32\uwhnk.dll File not found  
    [2013/02/22 21:37:33 | 000,880,640 | ---- | C] (Google Inc.) -- C:\WINDOWS\System32\safari.exe
    [2013/02/22 21:09:42 | 000,257,090 | ---- | C] (Camshare Inc.) -- C:\WINDOWS\goxobx.exe
    :Files
    ipconfig /flushdns /c
    C:\WINDOWS\Temp\rncrye.exe 
    C:\WINDOWS\Temp\winrlmkal.exe
    :Commands
    [PURITY]
    [emptyjava]
    [EMPTYFLASH]
    [reboot]
    
  • Then click the Run Fix button at the top.
  • Click Posted Image.
  • OTL may ask to reboot the machine. Please do so if asked.
  • The report should appear in Notepad after the reboot. Copy and paste that report in your next reply.

    Note: if the report does not pop up after the computer reboots, you can find it in this folder - C:\_OTL\MovedFiles

    It will be named - mmddyyyy_hhmmss.log

    where mmddyyyy_hhmmss are numbers representing the date and time the fix was run.

Let me know how things are doing.

Gringo
  • 0

#29
DannieRay

DannieRay

    Member

  • Topic Starter
  • Member
  • PipPip
  • 24 posts
Still locked out of Regedit and Taskmgr; the OTL log I had posted right before was from last night, before I went to bed and turned the computer off.

========== OTL ==========
Registry value HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce\\nltide_2 deleted successfully.
Registry value HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\RunOnce\\nltide_2 not found.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\\{AEB6717E-7E19-11d0-97EE-00C04FD91972} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{AEB6717E-7E19-11d0-97EE-00C04FD91972}\ not found.
No active process named rncrye.exe was found!
No active process named winrlmkal.exe was found!
C:\Documents and Settings\Administrador\Configuración local\Datos de programa\funmoods.exe moved successfully.
Service kkwebzkt stopped successfully!
Service kkwebzkt deleted successfully!
File C:\WINDOWS\system32\uwhnk.dll File not found not found.
C:\WINDOWS\goxobx.exe moved successfully.
========== FILES ==========
< ipconfig /flushdns /c >
Configuración IP de Windows
No se puede vaciar la caché de resolución de DNS: Error de una función durante la ejecución.
C:\Documents and Settings\Administrador\Escritorio\cmd.bat deleted successfully.
C:\Documents and Settings\Administrador\Escritorio\cmd.txt deleted successfully.
File\Folder C:\WINDOWS\Temp\rncrye.exe not found.
File\Folder C:\WINDOWS\Temp\winrlmkal.exe not found.
========== COMMANDS ==========

[EMPTYJAVA]

User: Administrador
->Java cache emptied: 0 bytes

User: All Users

User: Default User

User: LocalService

User: NetworkService

Total Java Files Cleaned = 0,00 mb


[EMPTYFLASH]

User: Administrador
->Flash cache emptied: 487 bytes

User: All Users

User: Default User

User: LocalService

User: NetworkService

Total Flash Files Cleaned = 0,00 mb


OTL by OldTimer - Version 3.2.69.0 log created on 02252013_143412

Edited by DannieRay, 25 February 2013 - 11:44 AM.

  • 0

#30
gringo_pr

gringo_pr

    Trusted Helper

  • Malware Removal
  • 7,268 posts
Hello DannieRay

I would like you to download an updated version of combofix.

update combofix

Delete the version of combofix you have now on your desktop and download a new one from here

Link 1
Link 2
Link 3
**Note: It is important that it is saved directly to your desktop**

1. Close any open browsers.
2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion.", please restart the computer.
"information and logs"

  • In your next post I need the following
  • Log from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo
  • 0