
Scans show trojan that can't be removed


#76 thedeadlystoat (Member, Topic Starter, 73 posts)
I still have Combofix in my desktop, I guess I don't have to download it again, right?
  • 0

#77 Salagubang (Trusted Helper, Malware Removal, 3,891 posts)
I suppose you could run the one on your desktop. CF will ask you if you want to update; just choose yes. :D
  • 0

#78 thedeadlystoat (Member, Topic Starter, 73 posts)
Ok, I am logging out from the ailing computer to start combofix.
  • 0

#79 Salagubang (Trusted Helper, Malware Removal, 3,891 posts)
Any updates?
  • 0

#80 thedeadlystoat (Member, Topic Starter, 73 posts)
Combofix says it's almost done
  • 0

#81 thedeadlystoat (Member, Topic Starter, 73 posts)
Just to clear any doubt, I was writing from the healthy computer until now. I left combofix to be the only thing running in this ailing computer, where I write you from to post the log. Here it is:


ComboFix 11-03-06.04 - Manuel 07/03/2011 1:06.2.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.52.3082.18.1014.222 [GMT -6:00]
Running from: c:\users\Manuel\Desktop\ComboFix.exe
.
.
((((((((((((((((((((((((( Files Created from 2011-02-07 to 2011-03-07 )))))))))))))))))))))))))))))))
.
.
2011-03-07 07:24 . 2011-03-07 07:25 -------- d-----w- c:\users\Manuel\AppData\Local\temp
2011-03-07 07:24 . 2011-03-07 07:24 -------- d-----w- c:\users\Marisa\AppData\Local\temp
2011-03-07 07:24 . 2011-03-07 07:24 -------- d-----w- c:\users\José Luis\AppData\Local\temp
2011-03-07 07:24 . 2011-03-07 07:24 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-03-07 07:24 . 2011-03-07 07:24 -------- d-----w- c:\users\Administracion\AppData\Local\temp
2011-03-07 03:01 . 2011-03-06 23:16 -------- d-----w- C:\5ee6d7096802433b333940f9703214
2011-03-03 08:48 . 2011-03-03 08:48 -------- d-----w- C:\_OTL
2011-03-03 04:28 . 2011-03-03 09:49 -------- d-----w- c:\users\Manuel\AppData\Local\Temp(119)
2011-03-01 05:11 . 2011-03-01 05:11 -------- d-----w- c:\users\Manuel\AppData\Local\ESET
2011-03-01 05:00 . 2011-03-01 05:00 -------- d-----w- c:\program files\ESET
2011-03-01 04:49 . 2011-03-01 04:49 -------- d-----w- c:\users\Manuel\AppData\Roaming\VS Revo Group
2011-02-26 08:31 . 2011-03-06 22:19 -------- d-----w- c:\programdata\AVAST Software
2011-02-26 08:31 . 2011-02-26 08:31 -------- d-----w- c:\program files\AVAST Software
2011-02-26 06:21 . 2011-02-26 06:21 -------- d-----w- C:\avrescue
2011-02-26 04:34 . 2011-02-26 04:34 -------- d-----w- c:\users\Manuel\AppData\Roaming\Avira
2011-02-26 03:29 . 2011-02-26 03:29 -------- d-----w- C:\_OTM
2011-02-24 20:13 . 2011-02-24 20:13 -------- d-----w- C:\$AVG
2011-02-24 20:06 . 2011-02-24 20:06 -------- d--h--w- c:\programdata\Common Files
2011-02-24 20:01 . 2011-02-26 04:15 -------- d-----w- c:\programdata\AVG10
2011-02-24 19:59 . 2011-02-24 19:59 -------- d-----w- c:\program files\AVG
2011-02-24 02:57 . 2011-02-25 11:51 -------- d-----w- c:\programdata\MFAData
2011-02-24 01:58 . 2011-02-24 01:58 -------- d-----w- c:\programdata\Avira
2011-02-24 01:58 . 2011-02-24 01:58 -------- d-----w- c:\program files\Avira
2011-02-23 20:50 . 2011-02-23 20:50 -------- d-----w- c:\users\Manuel\AppData\Local\VS Revo Group
2011-02-23 20:50 . 2009-12-30 17:21 27192 ----a-w- c:\windows\system32\drivers\revoflt.sys
2011-02-23 20:50 . 2011-02-25 11:49 -------- d-----w- c:\program files\VS Revo Group
2011-02-23 07:35 . 2011-02-25 11:49 -------- d-----w- c:\program files\CCleaner
2011-02-23 04:41 . 2011-02-23 04:41 -------- d-----w- c:\users\Manuel\AppData\Roaming\Malwarebytes
2011-02-23 04:41 . 2010-12-21 00:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-02-23 04:41 . 2011-02-25 11:49 -------- d-----w- c:\programdata\Malwarebytes
2011-02-23 04:41 . 2011-02-23 04:41 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-02-23 04:41 . 2010-12-21 00:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-02-22 08:26 . 2011-01-13 09:41 5890896 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{A1D787DC-211C-4C78-BC9E-6A8AF617F8D1}\mpengine.dll
2011-02-22 06:16 . 2011-02-22 06:17 -------- d-----w- c:\users\Manuel\dwhelper
2011-02-09 04:33 . 2011-02-09 04:33 -------- d-----w- C:\PerfLogs
2011-02-09 03:21 . 2011-02-25 11:51 -------- d-----w- C:\38e107bdc5e10e2e5e
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-12-21 21:04 . 2010-12-21 21:04 137144 ----a-w- c:\windows\system32\drivers\eamonm.sys
2010-12-21 21:04 . 2010-12-21 21:04 115008 ----a-w- c:\windows\system32\drivers\ehdrv.sys
2010-12-21 19:47 . 2010-12-21 19:47 33120 ----a-w- c:\windows\system32\drivers\epfwndis.sys
2010-12-21 19:47 . 2010-12-21 19:47 134000 ----a-w- c:\windows\system32\drivers\epfw.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9a6be539-96ea-454d-898b-61891e0844d5}]
2010-06-14 00:10 2734688 ----a-w- c:\program files\Online_Radio_America\tbOnli.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{9a6be539-96ea-454d-898b-61891e0844d5}"= "c:\program files\Online_Radio_America\tbOnli.dll" [2010-06-14 2734688]
.
[HKEY_CLASSES_ROOT\clsid\{9a6be539-96ea-454d-898b-61891e0844d5}]
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{9A6BE539-96EA-454D-898B-61891E0844D5}"= "c:\program files\Online_Radio_America\tbOnli.dll" [2010-06-14 2734688]
.
[HKEY_CLASSES_ROOT\clsid\{9a6be539-96ea-454d-898b-61891e0844d5}]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-09 1232896]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-11-02 201728]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2006-11-02 125440]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2006-09-29 151552]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2006-12-12 98304]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2006-12-12 106496]
"Persistence"="c:\windows\system32\igfxpers.exe" [2006-12-12 81920]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-11-17 815104]
"SMSERIAL"="c:\program files\Motorola\SMSERIAL\sm56hlpr.exe" [2007-01-17 634880]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-29 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-12-13 421160]
"Malwarebytes' Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-12-21 963976]
"egui"="c:\program files\ESET\ESET Smart Security\egui.exe" [2011-01-12 2219184]
.
c:\users\Administracion\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
2WireSetup.lnk - c:\program files\Prodigy Infinitum\WebWorks.exe [2007-12-21 651264]
.
c:\users\Jos‚ Luis\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Recorte de pantalla e Inicio r pido de OneNote 2007.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"mixer"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2008-10-15 07:04 39792 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-12-13 23:16 421160 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-11-29 23:38 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-145477139-2247490657-2326864482-1000]
"EnableNotificationsRef"=dword:00000002
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-145477139-2247490657-2326864482-1001]
"EnableNotificationsRef"=dword:00000002
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-145477139-2247490657-2326864482-1002]
"EnableNotificationsRef"=dword:00000002
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-145477139-2247490657-2326864482-500]
"EnableNotificationsRef"=dword:00000002
.
R2 gupdate;Servicio de actualización de Google (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-02-02 135664]
R3 NETw2v32;Controlador de conexión de red Intel® PRO/Wireless 2200BG para Windows Vista;c:\windows\system32\DRIVERS\NETw2v32.sys [2006-11-02 2589184]
R3 Revoflt;Revoflt;c:\windows\system32\DRIVERS\revoflt.sys [2009-12-30 27192]
S1 ehdrv;ehdrv;c:\windows\system32\DRIVERS\ehdrv.sys [2010-12-21 115008]
S2 eamonm;eamonm;c:\windows\system32\DRIVERS\eamonm.sys [2010-12-21 137144]
S2 ekrn;ESET Service;c:\program files\ESET\ESET Smart Security\ekrn.exe [2011-01-12 810144]
.
.
Contents of the 'Scheduled Tasks' folder
.
2011-03-07 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-08-02 18:24]
.
2011-03-07 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-02 04:24]
.
2011-03-07 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-02 04:24]
.
2011-03-07 c:\windows\Tasks\User_Feed_Synchronization-{18D5EA73-F2B9-4043-9B23-A38431E2E374}.job
- c:\windows\system32\msfeedssync.exe [2010-03-30 04:54]
.
2011-03-07 c:\windows\Tasks\User_Feed_Synchronization-{79B37A82-D378-47A7-95FE-AE69C4ADACDE}.job
- c:\windows\system32\msfeedssync.exe [2010-03-30 04:54]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local;<local>
IE: E&xportar a Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-03-07 01:24
Windows 6.0.6000 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
Completion time: 2011-03-07 01:29:55
ComboFix-quarantined-files.txt 2011-03-07 07:29
ComboFix2.txt 2011-03-06 21:53
.
Pre-Run: 103,756,918,784 bytes libres
Post-Run: 103,824,707,584 bytes libres
.
- - End Of File - - 7D6E087CDF5D9B03DAAB359A7127F03B
  • 0
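The ComboFix report above is plain text, and when several of these reports are exchanged in a thread it helps to triage the "Files Created" and "Run" sections mechanically rather than by eye. The following Python is an added example for this page, not ComboFix's own tooling and not something the helper posted: it assumes the line layout seen in the log (created date/time, a dot, modified date/time, size or dashes, an 8-character attribute string, path) and the `"Name"="path" [date size]` layout of the Run-key entries. The sample lines are constructed for the example; most copy the shape of entries in the posted log, and the `Updater` autorun entry under a temp folder is invented to show what a flag looks like. The heuristics are generic first-pass triage (new kernel drivers, hidden files, autoruns outside Program Files / Windows), not a verdict on any file.

```python
import re

# Layout assumed from the ComboFix log on this page (not a documented API).
FILE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>\d+|-+) (?P<attrs>[-a-z]{8}) (?P<path>.+)$"
)
RUN_RE = re.compile(
    r'^"(?P<name>[^"]+)"="(?P<path>[^"]+)" \[(?P<date>\d{4}-\d{2}-\d{2}) (?P<size>\d+)\]$'
)

# Constructed sample: shapes copied from the "Files Created" section above.
SAMPLE_FILES = r"""
2011-03-07 07:24 . 2011-03-07 07:25 -------- d-----w- c:\users\Manuel\AppData\Local\temp
2011-02-23 20:50 . 2009-12-30 17:21 27192 ----a-w- c:\windows\system32\drivers\revoflt.sys
2011-02-23 04:41 . 2010-12-21 00:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-02-22 08:26 . 2011-01-13 09:41 5890896 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{A1D787DC-211C-4C78-BC9E-6A8AF617F8D1}\mpengine.dll
"""

# Constructed sample: two Run entries from the log plus one invented
# "Updater" entry living under a temp folder (hypothetical, for illustration).
SAMPLE_RUN = r"""
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-09 1232896]
"egui"="c:\program files\ESET\ESET Smart Security\egui.exe" [2011-01-12 2219184]
"Updater"="c:\users\Manuel\AppData\Local\Temp\updater.exe" [2011-03-06 45056]
"""


def parse_file_entries(text):
    """Parse 'Files Created' lines into dicts; non-matching lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = FILE_RE.match(line.strip())
        if not m:
            continue
        size, attrs = m.group("size"), m.group("attrs")
        entries.append({
            "created": m.group("created"),
            "modified": m.group("modified"),
            "size": int(size) if size.isdigit() else None,  # dashes => directory
            "is_dir": attrs[0] == "d",
            "hidden": "h" in attrs,
            "path": m.group("path"),
        })
    return entries


def parse_run_entries(text):
    """Parse '"Name"="path" [date size]' autorun lines into dicts."""
    entries = []
    for line in text.splitlines():
        m = RUN_RE.match(line.strip())
        if m:
            entries.append({
                "name": m.group("name"),
                "path": m.group("path"),
                "date": m.group("date"),
                "size": int(m.group("size")),
            })
    return entries


def triage_files(entries):
    """Return (path, reason) for files worth a second look."""
    findings = []
    for e in entries:
        if e["is_dir"]:
            continue
        p = e["path"].lower()
        if "\\system32\\drivers\\" in p:
            findings.append((e["path"], "new kernel-mode driver"))
        elif e["hidden"]:
            findings.append((e["path"], "hidden file"))
    return findings


def triage_run_entries(entries):
    """Flag autoruns whose binary lives outside Program Files / Windows."""
    findings = []
    for e in entries:
        p = e["path"].lower()
        if not (p.startswith("c:\\program files") or p.startswith("c:\\windows")):
            findings.append((e["name"], e["path"], "autorun outside Program Files / Windows"))
    return findings


if __name__ == "__main__":
    for path, why in triage_files(parse_file_entries(SAMPLE_FILES)):
        print(f"[file] {why}: {path}")
    for name, path, why in triage_run_entries(parse_run_entries(SAMPLE_RUN)):
        print(f"[run]  {why}: {name} -> {path}")
```

Both flagged drivers in the sample are legitimate (Revo Uninstaller and Malwarebytes ship them), which is the point: the script narrows what a human checks against vendor signatures and hashes, it does not decide for them.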

#82 Salagubang (Trusted Helper, Malware Removal, 3,891 posts)
We're nearly there. Moving onto the malware sweep for leftovers. :D

Step One

Malwarebytes' Anti-Malware
Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with one of two prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

Step Two

Please do a scan with ESET OnlineScan

Note: If you run this in a browser other than IE you will be asked to download and install esetsmartinstaller_enu.exe
  • Click the [image] button.
  • Check [image]
  • Click the [image] button.
  • Accept any security warnings from your browser and allow it to install the ActiveX control.
  • Check [image]
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push [image]
  • Push [image], and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the [image] button.
  • Push [image]

Step Three

Run OTL and post a fresh OTL scan.

:D
  • 0

#83 thedeadlystoat (Member, Topic Starter, 73 posts)
Ok, I also still have Mbam, no problem with running it right?
  • 0

#84 Salagubang (Trusted Helper, Malware Removal, 3,891 posts)
> Ok, I also still have Mbam, no problem with running it right?

Yep. :D
  • 0

#85 thedeadlystoat (Member, Topic Starter, 73 posts)
Ok, it's scanning. Thanks for your patience man, not only about the mbam scan, but overall.
  • 0

#86 thedeadlystoat (Member, Topic Starter, 73 posts)
The MBAM log is in Spanish, will that be a problem?
  • 0

#87 Salagubang (Trusted Helper, Malware Removal, 3,891 posts)
> The MBAM log is in Spanish, will that be a problem?

No, it won't be a problem.
  • 0

#88 thedeadlystoat (Member, Topic Starter, 73 posts)
Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Versión de la Base de Datos: 5979

Windows 6.0.6000
Internet Explorer 8.0.6001.18904

07/03/2011 01:56:57 a.m.
mbam-log-2011-03-07 (01-56-57).txt

Tipos de Análisis: Análisis Rápido
Objetos examinados: 184800
Tiempo transcurrido: 5 minuto(s), 26 segundo(s)

Procesos en Memoria Infectados: 0
Módulos de Memoria Infectados: 0
Claves del Registro Infectadas: 0
Valores del Registro Infectados: 0
Elementos de Datos del Registro Infectados: 0
Carpetas Infectadas: 0
Archivos Infectados: 0

Procesos en Memoria Infectados:
(No se han detectado elementos maliciosos)

Módulos de Memoria Infectados:
(No se han detectado elementos maliciosos)

Claves del Registro Infectadas:
(No se han detectado elementos maliciosos)

Valores del Registro Infectados:
(No se han detectado elementos maliciosos)

Elementos de Datos del Registro Infectados:
(No se han detectado elementos maliciosos)

Carpetas Infectadas:
(No se han detectado elementos maliciosos)

Archivos Infectados:
(No se han detectado elementos maliciosos)
  • 0

#89 thedeadlystoat (Member, Topic Starter, 73 posts)
Do I need to deactivate anything before the ESET scan?
  • 0

#90 Salagubang (Trusted Helper, Malware Removal, 3,891 posts)
> Do I need to deactivate anything before the ESET scan?

No, it won't be necessary. :D
  • 0
