TechSpot

Possible ZBot infection

By Melo102
Apr 10, 2012
  1. A little background

    I had an old AVG that wouldn't update anymore. I never updated because I use Chrome/Firefox with JavaScript/plugins disabled except for the permitted pages, and I don't download pirated software, so I figured I was safe. And I was, until yesterday when a window popped up saying "548b7201a93b3552.exe" had crashed. Immediately "F4D56199000CD041592AC7B72830AC72.exe" opened, which I closed via the taskbar. There was also some other random .exe in the temp folder. Deleted everything.

    After that, I went to msconfig and noticed an "imuma.exe" was on there. I deleted the file, but I couldn't disable it from msconfig nor delete the registry file (it kept popping up). Had to go to Safe Mode to do that.

    Did a scan with the old AVG and it found an infected .js. Deleted too.

    Afterwards I uninstalled AVG and installed Avast. Did a scan and it only found three files on System Restore folders. I then did the before windows boot scan and it only found some broken zip files and it flagged mIRC as Win32:mirc-Z. False alarm?


    Anyway, here are the required logs:

    ------------------------------------

    Malwarebytes Anti-Malware 1.61.0.1400
    www.malwarebytes.org

    Database version: v2012.04.10.01

    Windows XP Service Pack 2 x86 FAT32
    Internet Explorer 6.0.2900.2180
    Joa :: FAMFR-CHH5EC [administrator]

    10/04/2012 01:29:25 AM
    mbam-log-2012-04-10 (01-29-25).txt

    Scan type: Quick scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra |

    Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 181801
    Time elapsed: 4 minute(s), 14 second(s)

    Memory Processes Detected: 0
    (No malicious items detected)

    Memory Modules Detected: 0
    (No malicious items detected)

    Registry Keys Detected: 0
    (No malicious items detected)

    Registry Values Detected: 0
    (No malicious items detected)

    Registry Data Items Detected: 2
    HKLM\SOFTWARE\Microsoft\Security Center|AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) ->

    Bad: (1) Good: (0) -> Quarantined and repaired successfully.
    HKLM\SOFTWARE\Microsoft\Security Center|UpdatesDisableNotify (PUM.Disabled.SecurityCenter) ->

    Bad: (1) Good: (0) -> Quarantined and repaired successfully.

    Folders Detected: 0
    (No malicious items detected)

    Files Detected: 1
    C:\WINDOWS\Temp\regincd2.exe (Spyware.OnLineGames) -> Quarantined and deleted successfully.

    (end)


    ----------------------------------------
     
  2. Melo102

    Melo102 TS Rookie Topic Starter

    GMER 1.0.15.15641 - http://www.gmer.net
    Rootkit quick scan 2012-04-10 02:15:06
    Windows 5.1.2600 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 ExcelStor_Technology_J680 rev.V32OA60A
    Running: hlt0h9uu.exe; Driver: C:\DOCUME~1\joa\CONFIG~1\Temp\ffryafoc.sys


    ---- System - GMER 1.0.15 ----

    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwEnumerateKey [0xF578628E]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwEnumerateValueKey [0xF57860F9]

    Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwCreateProcessEx [0xF57FBD92]
    Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObInsertObject
    Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObMakeTemporaryObject

    ---- Devices - GMER 1.0.15 ----

    Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 865B0D38
    Device \Driver\atapi \Device\Ide\IdePort0 865B0D38
    Device \Driver\atapi \Device\Ide\IdePort1 865B0D38
    Device \Driver\atapi \Device\Ide\IdePort2 865B0D38
    Device \Driver\atapi \Device\Ide\IdePort3 865B0D38
    Device \Driver\atapi \Device\Ide\IdeDeviceP2T0L0-e 865B0D38
    Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-1b 865B0D38
    Device \Driver\d347prt \Device\Scsi\d347prt1Port4Path0Target1Lun0 86569870
    Device \Driver\d347prt \Device\Scsi\d347prt1Port4Path0Target0Lun0 86569870
    Device \Driver\d347prt \Device\Scsi\d347prt1 86569870
    Device \FileSystem\Ntfs \Ntfs aswSP.SYS (avast! self protection module/AVAST Software)
    Device \FileSystem\Ntfs \Ntfs 86671500

    AttachedDevice \FileSystem\Ntfs \Ntfs PQV2i.sys (StorageCraft Volume Snap-Shot/StorageCraft)
    AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/AVAST Software)

    Device \FileSystem\Fastfat \Fat aswSP.SYS (avast! self protection module/AVAST Software)
    Device \FileSystem\Fastfat \Fat 86BC6B68

    AttachedDevice \FileSystem\Fastfat \Fat PQV2i.sys (StorageCraft Volume Snap-Shot/StorageCraft)
    AttachedDevice \FileSystem\Fastfat \Fat aswMon2.SYS (avast! File System Filter Driver for Windows XP/AVAST Software)
    AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
    AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
    AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
    AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)

    ---- Modules - GMER 1.0.15 ----

    Module _________ F73BF000-F73D7000 (98304 bytes)

    ---- EOF - GMER 1.0.15 ----
     
  3. Melo102

    Melo102 TS Rookie Topic Starter

    .
    DDS (Ver_2011-08-26.01) - FAT32x86
    Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_06
    Run by Joa at 2:40:16 on 2012-04-10
    Microsoft Windows XP Professional 5.1.2600.2.1252.54.3082.18.1023.650 [GMT -3:00]
    .
    AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
    .
    ============== Running Processes ===============
    .
    C:\WINDOWS\system32\svchost -k DcomLaunch
    SVCHOST.EXE
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    SVCHOST.EXE
    SVCHOST.EXE
    C:\Archivos de programa\AVAST Software\Avast\AvastSvc.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\Explorer.EXE
    C:\Archivos de programa\AVAST Software\Avast\avastUI.exe
    C:\Documents and Settings\Joa\Configuración local\Datos de programa\Google\Chrome\Application\chrome.exe
    C:\Documents and Settings\Joa\Configuración local\Datos de programa\Google\Chrome\Application\chrome.exe
    C:\Documents and Settings\Joa\Configuración local\Datos de programa\Google\Chrome\Application\chrome.exe
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = hxxp://google.com/
    uInternet Settings,ProxyServer = localhost:8088
    BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\archivos de programa\adobe\acrobat 7.0\activex\AcroIEHelper.dll
    BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\archivos de programa\java\jre1.6.0_06\bin\ssv.dll
    BHO: Hotspot Shield Class: {f9e4a054-e9b1-4bc3-83a3-76a1ae736170} - c:\archivos de programa\hotspot shield\hssie\HssIE.dll
    EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
    mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
    mRun: [nwiz] nwiz.exe /install
    mRun: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
    mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
    mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    mRun: [avast] "c:\archivos de programa\avast software\avast\avastUI.exe" /nogui
    dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
    IE: E&xportar a Microsoft Excel - c:\archiv~1\micros~2\office11\EXCEL.EXE/3000
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\archivos de programa\messenger\msmsgs.exe
    IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0006-ABCDEFFEDCBC} - c:\archivos de programa\java\jre1.6.0_06\bin\ssv.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\archiv~1\micros~2\office11\REFIEBAR.DLL
    Trusted Zone: gamespot.com\www
    DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
    DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
    DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_06-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_06-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_06-windows-i586.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    TCP: Interfaces\{1B4E29EE-2AD8-41C3-A377-2F48FBFFA7A3} : NameServer = 192.168.1.1,8.8.8.8
    [EDIT: SOME private torrent music sites I put myself in the hosts file]
    .
    Note: multiple HOSTS entries found. Please refer to Attach.txt
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath - c:\documents and settings\Joa\datos de programa\mozilla\firefox\profiles\3eot68cf.default\
    FF - prefs.js: browser.search.selectedEngine - Google
    FF - prefs.js: browser.startup.homepage - hxxp://gamefaqs.com/
    FF - component: c:\archivos de programa\mozilla firefox\components\qfaservices.dll
    .
    ---- FIREFOX POLICIES ----
    FF - user.js: network.cookie.cookieBehavior - 0
    FF - user.js: privacy.clearOnShutdown.cookies - false
    FF - user.js: security.warn_viewing_mixed - false
    FF - user.js: security.warn_viewing_mixed.show_once - false
    FF - user.js: security.warn_submit_insecure - false
    FF - user.js: security.warn_submit_insecure.show_once - false
    .
    ============= SERVICES / DRIVERS ===============
    .
    R0 d347bus;d347bus;c:\windows\system32\drivers\d347bus.sys [2005-8-15 155136]
    R0 d347prt;d347prt;c:\windows\system32\drivers\d347prt.sys [2005-8-15 5248]
    R0 PQV2i;PQV2i;c:\windows\system32\drivers\PQV2i.sys [2004-7-29 138780]
    R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2012-4-9 612184]
    R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2012-4-9 337880]
    R1 PQIMount;PQIMount;c:\windows\system32\drivers\PQIMount.sys [2004-7-29 46779]
    R2 {09BB444F-B2E2-4009-BAF2-7B727681223E};BuddyVM;c:\archivos de programa\vmlaunch\BuddyVM.sys [2004-12-3 15872]
    R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2012-4-9 20696]
    R2 avast! Antivirus;avast! Antivirus;c:\archivos de programa\avast software\avast\AvastSvc.exe [2012-4-9 44768]
    S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2012-4-10 40776]
    S3 OracleServiceXE;OracleServiceXE;c:\oraclexe\app\oracle\product\10.2.0\server\bin\oracle.exe xe --> c:\oraclexe\app\oracle\product\10.2.0\server\bin\ORACLE.EXE XE [?]
    S3 OracleXETNSListener;OracleXETNSListener;c:\oraclexe\app\oracle\product\10.2.0\server\bin\TNSLSNR.EXE [2006-2-2 204800]
    S4 OracleJobSchedulerXE;OracleJobSchedulerXE;c:\oraclexe\app\oracle\product\10.2.0\server\bin\extjob.exe xe --> c:\oraclexe\app\oracle\product\10.2.0\server\bin\extjob.exe XE [?]
    S4 srvInetShaper;iNet Shaper;c:\archivos de programa\inet shaper\service\ins_service.exe --> c:\archivos de programa\inet shaper\service\ins_service.exe [?]
    .
    =============== Created Last 30 ================
    .
    2012-04-10 04:28:04 40776 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2012-04-10 04:28:04 -------- d-----w- c:\documents and settings\Joa\datos de programa\Malwarebytes
    2012-04-10 04:27:54 -------- d-----w- c:\documents and settings\all users\datos de programa\Malwarebytes
    2012-04-10 04:27:53 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
    2012-04-10 04:27:53 -------- d-----w- c:\archivos de programa\Malwarebytes' Anti-Malware
    2012-04-09 14:59:05 612184 ----a-w- c:\windows\system32\drivers\aswSnx.sys
    2012-04-09 14:58:39 41184 ----a-w- c:\windows\avastSS.scr
    2012-04-09 14:58:15 -------- d-----w- c:\documents and settings\all users\datos de programa\AVAST Software
    2012-04-09 14:58:15 -------- d-----w- c:\archivos de programa\AVAST Software
    2012-03-18 22:05:20 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    .
    ==================== Find3M ====================
    .
    2006-05-24 18:24:06 623104 ----a-w- c:\archivos de programa\hfs.exe
    .
    ============= FINISH: 2:40:34,10 ===============
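A triage pass over the kinds of entries these DDS and Malwarebytes logs contain, added here as an example and not part of the thread or of either tool. It assumes the line formats shown in the logs above and flags the settings malware commonly tampers with (a loopback browser proxy, Security Center notify keys, hosts-file redirects, Trusted Zone entries, silenced Firefox warnings); the sample input is constructed from lines in this thread.

```python
"""Triage helper for DDS / Malwarebytes text logs (added example).

Flags log lines that describe settings malware commonly changes. It does
not decide that a machine is infected; each finding is a check for the
helper to follow up on.
"""
import ipaddress
import re
from collections import Counter
from typing import Dict, List, Tuple

# Constructed sample input: lines in DDS "Pseudo HJT" / Attach.txt and
# Malwarebytes formats, with values taken from the logs in this thread.
SAMPLE_LOG = r"""
uStart Page = hxxp://google.com/
uInternet Settings,ProxyServer = localhost:8088
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
Trusted Zone: gamespot.com\www
TCP: Interfaces\{1B4E29EE-2AD8-41C3-A377-2F48FBFFA7A3} : NameServer = 192.168.1.1,8.8.8.8
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: privacy.clearOnShutdown.cookies - false
Hosts: 193.189.73.82 btmusic.org
HKLM\SOFTWARE\Microsoft\Security Center|AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) ->
HKLM\SOFTWARE\Microsoft\Security Center|UpdatesDisableNotify (PUM.Disabled.SecurityCenter) ->
"""

Finding = Tuple[str, str, str]  # (severity, category, detail)

PROXY_RE = re.compile(r"^[ud]?Internet Settings,ProxyServer\s*=\s*(\S+)")
TRUSTED_RE = re.compile(r"^Trusted Zone:\s*(\S+)")
HOSTS_RE = re.compile(r"^Hosts:\s*(\S+)\s+(\S+)")
SECCENTER_RE = re.compile(r"Security Center\|(\w+DisableNotify)")
FF_WARN_RE = re.compile(r"^FF - user\.js:\s*(security\.warn_\S+)\s+-\s+false")
ORPHAN_RE = re.compile(r"^(BHO|EB|TB):.*-\s*No File$")


def _hosts_finding(ip: str, name: str) -> Finding:
    """Hosts entries pointing a name at 127.0.0.1 or 0.0.0.0 are ordinary
    ad/tracker blocking; an entry pointing at a remote address redirects
    the name and needs to be explained by the user."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return ("medium", "hosts", f"unparseable hosts entry: {ip} {name}")
    if addr.is_loopback or addr.is_unspecified:
        return ("info", "hosts", f"block-style entry {name} -> {ip}")
    return ("medium", "hosts", f"{name} redirected to {ip}: confirm the user added it")


def triage(log_text: str) -> List[Finding]:
    """Return one (severity, category, detail) tuple per suspicious line."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := PROXY_RE.match(line):
            proxy = m.group(1)
            host = proxy.rsplit(":", 1)[0].lower()
            if host in ("localhost", "127.0.0.1"):
                # Every browser request goes through a local program first.
                # VPN clients such as Hotspot Shield do this legitimately, but
                # so do credential-stealing trojans, so identify the listener.
                findings.append(("high", "proxy",
                                 f"loopback proxy {proxy}: find the process listening on that port"))
            else:
                findings.append(("medium", "proxy", f"proxy configured: {proxy}"))
        elif m := TRUSTED_RE.match(line):
            findings.append(("medium", "trusted-zone",
                             f"{m.group(1)} runs with lowered IE security"))
        elif m := HOSTS_RE.match(line):
            findings.append(_hosts_finding(m.group(1), m.group(2)))
        elif m := SECCENTER_RE.search(line):
            # These values stop Windows from warning that AV or updates are off.
            findings.append(("high", "security-center",
                             f"{m.group(1)} set: AV/update alerts silenced"))
        elif m := FF_WARN_RE.match(line):
            findings.append(("medium", "firefox-warnings", f"{m.group(1)} disabled"))
        elif ORPHAN_RE.match(line):
            # A registered component whose file is gone: leftover, not active.
            findings.append(("low", "orphan", f"dangling entry: {line}"))
    return findings


def severity_counts(findings: List[Finding]) -> Dict[str, int]:
    """Summarise findings by severity, e.g. {'high': 3, 'medium': 4, 'low': 1}."""
    return dict(Counter(sev for sev, _, _ in findings))


if __name__ == "__main__":
    for sev, cat, detail in triage(SAMPLE_LOG):
        print(f"[{sev:6}] {cat:17} {detail}")
    print(severity_counts(triage(SAMPLE_LOG)))
```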
     
  4. Melo102

    Melo102 TS Rookie Topic Starter

    .
    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT
    .
    DDS (Ver_2011-08-26.01)
    .
    Microsoft Windows XP Professional
    Boot Device: \Device\HarddiskVolume1
    Install Date: 24/06/2005 01:16:02 PM
    System Uptime: 10/04/2012 02:00:59 AM (0 hours ago)
    .
    Motherboard: Intel Corporation | | D865PERL
    Processor: Intel(R) Pentium(R) 4 CPU 2.80GHz | J2E1 | 2793/200mhz
    Processor: Intel(R) Pentium(R) 4 CPU 2.80GHz | J2E1 | 2793/200mhz
    .
    ==== Disk Partitions =========================
    .
    A: is Removable
    C: is FIXED (FAT32) - 77 GiB total, 14,834 GiB free.
    D: is CDROM (CDFS)
    F: is CDROM ()
    G: is CDROM ()
    J: is FIXED (NTFS) - 298 GiB total, 0,09 GiB free.
    .
    ==== Disabled Device Manager Items =============
    .
    Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
    Description: NIC Fast Ethernet PCI Familia RTL8139 de Realtek
    Device ID: PCI\VEN_10EC&DEV_8139&SUBSYS_813910EC&REV_10\4&2E98101C&0&08F0
    Manufacturer: Realtek
    Name: NIC Fast Ethernet PCI Familia RTL8139 de Realtek
    PNP Device ID: PCI\VEN_10EC&DEV_8139&SUBSYS_813910EC&REV_10\4&2E98101C&0&08F0
    Service: rtl8139
    .
    ==== System Restore Points ===================
    .
    No restore point in system.
    .
    ==== Hosts File Hijack ======================
    .
    Hosts: 193.189.73.82 btmusic.org
    .
    ==== Installed Programs ======================
    .
    7-Zip 4.20
    ABC (remove only)
    AC3Filter (remove only)
    Actualización de seguridad para el Reproductor de Windows Media (KB911564)
    Actualización de seguridad para el Reproductor de Windows Media 9 (KB911565)
    Actualización de seguridad para Windows XP (KB883939)
    Actualización de seguridad para Windows XP (KB890046)
    Actualización de seguridad para Windows XP (KB893066)
    Actualización de seguridad para Windows XP (KB893756)
    Actualización de seguridad para Windows XP (KB896358)
    Actualización de seguridad para Windows XP (KB896422)
    Actualización de seguridad para Windows XP (KB896423)
    Actualización de seguridad para Windows XP (KB896424)
    Actualización de seguridad para Windows XP (KB896428)
    Actualización de seguridad para Windows XP (KB896688)
    Actualización de seguridad para Windows XP (KB899587)
    Actualización de seguridad para Windows XP (KB899588)
    Actualización de seguridad para Windows XP (KB899589)
    Actualización de seguridad para Windows XP (KB899591)
    Actualización de seguridad para Windows XP (KB900725)
    Actualización de seguridad para Windows XP (KB901017)
    Actualización de seguridad para Windows XP (KB901214)
    Actualización de seguridad para Windows XP (KB902400)
    Actualización de seguridad para Windows XP (KB903235)
    Actualización de seguridad para Windows XP (KB904706)
    Actualización de seguridad para Windows XP (KB905414)
    Actualización de seguridad para Windows XP (KB905749)
    Actualización de seguridad para Windows XP (KB905915)
    Actualización de seguridad para Windows XP (KB908519)
    Actualización de seguridad para Windows XP (KB908531)
    Actualización de seguridad para Windows XP (KB911562)
    Actualización de seguridad para Windows XP (KB911567)
    Actualización de seguridad para Windows XP (KB911927)
    Actualización de seguridad para Windows XP (KB912812)
    Actualización de seguridad para Windows XP (KB912919)
    Actualización de seguridad para Windows XP (KB913446)
    Actualización de seguridad para Windows XP (KB913580)
    Actualización para Windows XP (KB894391)
    Actualización para Windows XP (KB896727)
    Actualización para Windows XP (KB898461)
    Actualización para Windows XP (KB900485)
    Actualización para Windows XP (KB910437)
    Ad-aware 6 Professional
    Adobe Flash Player 10 ActiveX
    Adobe Flash Player 11 Plugin
    Adobe Reader 7.0.5
    µTorrent
    AutoUpdate
    avast! Free Antivirus
    Better File Rename 5.5
    CUE Splitter
    DAEMON Tools
    dBpowerAMP FLAC Codec
    dBpowerAMP Monkeys Audio Codec
    dBpowerAMP Music Converter
    dBpowerAMP Wavpack Codec
    Delete Virtual-Mate Launcher
    Dev-C++ 5 beta 9 release (4.9.9.2)
    DivX
    DivX Codec 3.1alpha release
    DivX Player
    DVD Decrypter (Remove Only)
    DVDPean Pro 3.5.1
    Ethereal 0.10.12
    Exact Audio Copy 0.95b4
    ffdshow [rev 2033] [2008-07-05]
    FLAC Installer 1.1.2a (remove only)
    Google Chrome
    Google Talk (remove only)
    HijackThis 1.99.1
    Hotspot Shield 1.17
    Huffyuv AVI lossless video codec (Remove Only)
    Image Resizer Powertoy for Windows XP
    IrfanView (remove only)
    Java(TM) 6 Update 6
    Java(TM) SE Development Kit 6 Update 6
    LiveUpdate 2.0 (Symantec Corporation)
    Malwarebytes Anti-Malware version 1.61.0.1400
    Microsoft .NET Framework 1.1
    Microsoft Office Professional Edition 2003
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    mIRC
    Monkey's Audio
    Mozilla Firefox (1.0.6)
    MSN Messenger 7.0
    MWSnap 3
    Nero 6 Ultra Edition
    Norton Ghost 9.0
    Norton PartitionMagic
    Norton PartitionMagic 8.0
    NVIDIA Drivers
    Opera
    Oracle Data Provider for .NET Help
    Oracle Database 10g Express Edition
    PC Wizard 2006.1.70
    PCI Audio Driver
    PowerDVD
    QuickPar 0.9
    QuickSFV (Remove only)
    RedStapler Screen Saver
    Revisión de Windows XP - KB873333
    Revisión de Windows XP - KB873339
    Revisión de Windows XP - KB885250
    Revisión de Windows XP - KB885626
    Revisión de Windows XP - KB885835
    Revisión de Windows XP - KB885836
    Revisión de Windows XP - KB886185
    Revisión de Windows XP - KB887472
    Revisión de Windows XP - KB887742
    Revisión de Windows XP - KB888113
    Revisión de Windows XP - KB888302
    Revisión de Windows XP - KB890175
    Revisión de Windows XP - KB890859
    Revisión de Windows XP - KB891781
    Revisión de Windows XP - KB893086
    SMAC 1.2
    Spybot - Search & Destroy 1.4
    System Requirements Lab
    Tag&Rename 3.2
    Tau Analyzer (remove only)
    Tor Control Panel
    VLC media player 0.9.9
    WebFldrs XP
    Winamp (remove only)
    Windows Genuine Advantage Notifications (KB905474)
    Windows Installer 3.1 (KB893803)
    Windows XP Service Pack 2
    XviD MPEG-4 Video Codec
    .
    ==== Event Viewer Messages From Past Week ========
    .
    09/04/2012 11:25:21 AM, error: Service Control Manager [7034] - El servicio AVG7 Update Service se terminó de manera inesperada. Esto ha sucedido 1 veces.
    09/04/2012 11:25:18 AM, error: Service Control Manager [7034] - El servicio AVG E-mail Scanner se terminó de manera inesperada. Esto ha sucedido 1 veces.
    09/04/2012 11:25:15 AM, error: Service Control Manager [7034] - El servicio AVG7 Alert Manager Server se terminó de manera inesperada. Esto ha sucedido 1 veces.
    09/04/2012 10:04:05 AM, error: Service Control Manager [7026] - El controlador de inicialización siguiente no se cargó correctamente: AFD ASPI32 Avg7Core Avg7RsW Avg7RsXP Fips intelppm IPSec MRxSmb NetBIOS NetBT PQIMount RasAcd Rdbss sf Tcpip
    09/04/2012 10:04:05 AM, error: Service Control Manager [7001] - El servicio Servicios IPSEC depende del servicio Controlador IPSEC, el cual no pudo iniciarse debido al siguiente error: Uno de los dispositivos vinculados al sistema no funciona.
    09/04/2012 10:04:05 AM, error: Service Control Manager [7001] - El servicio Cliente DNS depende del servicio Controlador de protocolo TCP/IP, el cual no pudo iniciarse debido al siguiente error: Uno de los dispositivos vinculados al sistema no funciona.
    09/04/2012 10:04:05 AM, error: Service Control Manager [7001] - El servicio Cliente DHCP depende del servicio NetBios a través de Tcpip, el cual no pudo iniciarse debido al siguiente error: Uno de los dispositivos vinculados al sistema no funciona.
    09/04/2012 10:04:05 AM, error: Service Control Manager [7001] - El servicio Ayuda de NetBIOS sobre TCP/IP depende del servicio Entorno de compatibilidad de funciones de red AFD, el cual no pudo iniciarse debido al siguiente error: Uno de los dispositivos vinculados al sistema no funciona.
    09/04/2012 10:03:37 AM, error: DCOM [10005] - DCOM ha obtenido un error "%1084" al intentar iniciar el servicio netman con argumentos "" para ejecutar el servidor: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
    09/04/2012 10:03:27 AM, error: DCOM [10005] - DCOM ha obtenido un error "%1084" al intentar iniciar el servicio EventSystem con argumentos "" para ejecutar el servidor: {1BE1F766-5536-11D1-B726-00C04FB926AF}
    09/04/2012 08:45:40 AM, error: DCOM [10005] - DCOM ha obtenido un error "%1058" al intentar iniciar el servicio MDM con argumentos "" para ejecutar el servidor: {0C0A3666-30C9-11D0-8F20-00805F2CD064}
    .
    ==== End Of File ===========================
     
  5. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Thank you for the background. I will be glad to help you but I need some of the logs redone.

    When you open Notepad for a log, you must go up and click on Format > uncheck Word Wrap before you use Notepad. This will allow the logs to print in a readable format and not break an entry into 2 or 3 lines.

    Please redo GMER and the DDS.txt log (the Attach.txt log from DDS came out okay); Malwarebytes is okay. I also would appreciate having English text. Parts of some logs appear to be in Spanish or Portuguese.

    You do not need to repeat the scans- just redo the 2 logs and remember to uncheck Word Wrap on any future logs.

    I can't identify either of the processes you left. Since you removed AVG (Combofix won't run with AVG) and use Avast, please go ahead with the following:

    To run the Eset Online Virus Scan:
    If you use Internet Explorer:
    1. Open the ESETOnlineScan
    2. Skip to #4 to "Continue with the directions"

      If you are using a browser other than Internet Explorer
    3. Open Eset Smart Installer
      [o] Click on the esetsmartinstaller_enu.exe link and save to the desktop.
      [o] Double click on the desktop icon to run.
      [o] After successful installation of the ESET Smart Installer, the ESET Online Scanner will be launched in a new Window
    4. Continue with the directions.
    5. Check 'Yes I accept terms of use.'
    6. Click Start button
    7. Accept any security warnings from your browser.
    8. Uncheck 'Remove found threats'
    9. Check 'Scan archives'
    10. Leave remaining settings as is.
    11. Press the Start button.
    12. ESET will then download updates for itself, install itself, and begin scanning your computer. Please wait for the scan to finish.
    13. When the scan completes, press List of found threats
    14. Push Export of text file and save the file to your desktop using a unique name, such as ESETScan. Paste this log in your next reply.
    15. Push the Back button, then Finish
    NOTE: If no malware is found then no log will be produced. Let me know if this is the case.
    ======================================
    Please note: If you have previously run Combofix and it's still on the system, please uninstall it. Then download the current version and do the scan: Uninstall directions, if needed
    • Click START> then RUN
    • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    --------------------------------------
    Before you run the Combofix scan, please disable any security software you have running.

    Download Combofix from HERE or HERE and save to the desktop
    • Double click combofix.exe & follow the prompts.
    • If prompted for Recovery Console, please allow.
    • Once installed, you should see a blue screen prompt that says:
      • The Recovery Console was successfully installed.
      • Note: If Combofix was downloaded to a flash drive, the Recovery Console will not install- just bypass and go on.
      • Note: No query will be made if the Recovery Console is already on the system.
    • Close/disable all anti virus and anti malware programs
      (If you need help with this, please see HERE)
    • Close any open browsers.
    • Click on Yes, to continue scanning for malware
    • If Combofix asks you to update the program, allow
    • When the scan completes, a report will be generated and will open in a text window. Please paste the C:\ComboFix.txt in your next reply.
    Re-enable your Antivirus software.
    Note 1:Do not mouse-click Combofix's window while it is running. That may cause it to stall.
    Note 2:If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart the computer.
    Note 3:CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
    =========================================
    Note: If you have any problem running either of the above, please stop and tell me what it is.
    ==========================================
    My Guidelines: please read and follow:
    • Be patient. Malware cleaning takes time. I am also working with other members while I am helping you.
    • Read my instructions carefully. If you don't understand or have a problem, ask me. Follow the order of the tasks I give you. Order is crucial in cleaning process.
    • If you have questions, or if a program doesn't work, stop and tell me about it. Don't try to get around it yourself.
    • File sharing programs should be uninstalled or disabled during the cleaning process.
    • Observe these:
      [o] Don't follow directions given to someone else
      [o] Don't use any other cleaning programs or scans while I'm helping you.
      [o] Don't use a Registry cleaner or make any changes in the Registry.
      [o] Don't download and install new programs- except those I give you.
    Threads are closed after 5 days if there is no reply.
     
  6. Melo102

    Melo102 TS Rookie Topic Starter

    Updated logs. If you need something translated let me know.

    Will do the ESET thing now.

    Thanks.
     
  7. Melo102

    Melo102 TS Rookie Topic Starter

    ESET Log. Nothing found

    ----

    C:\WINDOWS\Temp\hss2.tmp a variant of Win32/HotSpotShield application
    C:\Archivos de programa\Hotspot Shield\bin\openvpnas.exe a variant of Win32/HotSpotShield application
    ---

    ComboFix gave me a BSOD (BAD_POOL_HEADER or something), so I had to reboot. Windows did its scan and some of the ComboFix files got truncated so I probably will have to reinstall it. But I'm wary of running it again, honestly.


    EDIT: Uninstalled combofix. Have a weird new service in services.msc "PEVSystemStart". Click Properties and it says the file can't be found. Went to registry, deleted all except one folder which it doesn't let me do ("error when deleting key") HKLM/SYSTEM/CurrentControlSet/Enum/Root/LEGACY_PEVSYSTEMSTART
    Does it have anything to do with ComboFix?
     
  8. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Sorry, I can't accept this. I wanted the log reformatted- not edited. These may well be the reason for the infections. You have malware that you want removed, so please don't 'hide' files!

    Please remove this:
    It appears that this is a suspended domain and you moved it here to access it. It is an oxymoron to try and clean a system while the user has made access to a suspended file sharing domain possible.
    =======================================
    Regarding the entries found in Eset:
    There appears to be some controversy about whether this is actually a False Positive. However, since you use torrent sites, adware or a PUP may be included.

    Please download OTMoveIt by Old Timer and save to your desktop.
    • Double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator")
    • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
      Code:
      :Files 
      C:\WINDOWS\Temp\hss2.tmp 
      C:\Archivos de programa\Hotspot Shield\bin\openvpnas.exe 
      :Commands
      [purity]
      [emptytemp]
      [start explorer]
      [Reboot]
    • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window and choose Paste.
    • Click the red Moveit! button.
    • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
    • Close OTMoveIt3
    If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
    ==========================================
    PEVSystemStart is part of Combofix and may not have been fully removed if the program was run previously.

    Uninstall ComboFix and all Backups of the files it deleted
    • Click START> then RUN
    • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    Now download and try the scan again.

    NOTE: If, for some reason, Combofix refuses to run, try one of the following:
    1. Run Combofix from Safe Mode. If it won't run, go on to #2.

    2. Delete Combofix file, download fresh one, but rename combofix.exe to
    friday.exe BEFORE saving it to your desktop.
    Do NOT run it yet.

    3. See which one of the following runs. You do not need to download all three versions:
    This is a slight variation on the RKill:
    You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.
    • Rkill.com
    • Rkill.scr
    • Rkill.exe
    • Double-click on the Rkill desktop icon to run the tool.
    • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
    • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
    • If not, delete the file, then download and use the one provided in Link 2.
    • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
    • Do not reboot until instructed.
    • If the tool does not run from any of the links provided, please let me know.

    Once you've gotten one of them to run, add the following:

    Please download exeHelper by Raktor and save it to your desktop.
    • Double-click on exeHelper.com or exeHelper.scr to run the fix tool.
    • A black window should pop up, press any key to close once the fix is completed.
    • A log file called exehelperlog.txt will be created and should open at the end of the scan.
    • A copy of that log will also be saved in the directory where you ran exeHelper.com
    • Copy and paste the contents of exehelperlog.txt in your next reply.

    Note: If the window shows a message that says "Error deleting file", please re-run the tool again before posting a log and then post the two logs together (they both will be in the one file).
    (Directions courtesy bleeping computer)

    4. With both RKill and exehelper on board:
    Go right to the renamed (Combofix) and double click on friday.exe to run
    If it won't run in Normal Mode, run BOTH tools from safe mode, then try the double click on friday.exe to run.

    If successful, please leave RKill, Exehelper and Combofix logs.
    ========================================
    Reset your browser proxies
    • For Firefox:
      o Open Firefox, click on "Tools" then "Options" and then on "Advanced".
      o Click on the "Network" tab, and then on the "Settings" button.
      o Please make sure that the "No Proxy" option is selected.
    • For Internet Explorer:
      o Open Internet Explorer.
      o Click on "Tools" and then select "Internet Options".
      o Click on the "Connections" tab and click the "LAN Settings" button at the bottom.
      o Uncheck "Use a Proxy server for your LAN".
      o Click OK to close the Local Area Network (LAN) Settings window.
      o Click OK to close the Internet Options window.
    ====================================
    Please update the following:
    Note: Check each download screen for any pre-checked Toolbars or BHOs. Uncheck them before the download.
    Adobe Reader > Current is vX(10.xx)> Adobe Reader Update
    Java(TM) 6 > Current is v6u31> Java Updates .
    Uninstall any earlier versions of both as they are vulnerabilities for the system.
    Edit: Current version of Java has been corrected to read v6u31
    =====================================
    Please remove this from the Trusted Zone: Trusted Zone: gamespot.com\www
    Nothing needs to be in this zone. The security is lower and this puts the system at risk.
    ======================================
    Please also run the following after Combofix:
    Download CKScanner and save to your desktop.
    • Doubleclick CKScanner.exe and click Search For Files.
    • When the cursor hourglass disappears, click Save List To File.
    • A message box will verify that the file is saved.
    • Double-click the CKFiles.txt icon on your desktop and copy/paste the contents in your next reply.
    =====================================
     
  9. Melo102

    Melo102 TS Rookie Topic Starter

    Regarding the hosts file, I added them all myself. Haven't used BitTorrent in ages, anyway, so some may be outdated.

    About HotSpot Shield, I haven't used it forever. It was just a VPN to bypass my ISP torrent throttling. It did insert advertisements into pages when connected so that's probably why it's flagged as malware.

    Will try combofix in safe mode.

    Thanks.
     
  10. Melo102

    Melo102 TS Rookie Topic Starter

    Combofix log (run in Normal mode, worked now)



    ComboFix 12-04-12.03 - Joa 13/04/2012 0:15.1.2 - FAT32x86
    Microsoft Windows XP Professional 5.1.2600.2.1252.54.3082.18.1023.608 [GMT -3:00]
    Running from: c:\documents and settings\Joa\Escritorio\ComboFix.exe
    AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
    * Created a new restore point
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\archivos de programa\Hotspot Shield\hssie\HsSIe.dll
    c:\windows\system32\PowerToyReadme.htm
    c:\windows\WindowsUpdate.log . . . . Failed to delete
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    -------\Legacy_NPF
    -------\Legacy_STEC3
    -------\Service_STEC3
    .
    .
    ((((((((((((((((((((((((( Files Created from 2012-03-13 to 2012-04-13 )))))))))))))))))))))))))))))))
    .
    .
    2012-04-11 05:16 . 2012-04-11 05:16 -------- d-----w- C:\FOUND.005
    2012-04-10 04:28 . 2012-04-10 04:28 -------- d-----w- c:\documents and settings\Joa\Datos de programa\Malwarebytes
    2012-04-10 04:27 . 2012-04-10 04:27 -------- d-----w- c:\documents and settings\All Users\Datos de programa\Malwarebytes
    2012-04-10 04:27 . 2012-04-10 04:27 -------- d-----w- c:\archivos de programa\Malwarebytes' Anti-Malware
    2012-04-10 04:27 . 2012-04-04 18:56 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
    2012-04-09 14:59 . 2012-03-07 00:01 20696 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
    2012-04-09 14:59 . 2012-03-07 00:03 337880 ----a-w- c:\windows\system32\drivers\aswSP.sys
    2012-04-09 14:59 . 2012-03-07 00:02 35672 ----a-w- c:\windows\system32\drivers\aswRdr.sys
    2012-04-09 14:59 . 2012-03-07 00:01 53848 ----a-w- c:\windows\system32\drivers\aswTdi.sys
    2012-04-09 14:59 . 2012-03-07 00:03 612184 ----a-w- c:\windows\system32\drivers\aswSnx.sys
    2012-04-09 14:59 . 2012-03-07 00:01 95704 ----a-w- c:\windows\system32\drivers\aswmon2.sys
    2012-04-09 14:59 . 2012-03-07 00:01 89048 ----a-w- c:\windows\system32\drivers\aswmon.sys
    2012-04-09 14:59 . 2012-03-06 23:58 24920 ----a-w- c:\windows\system32\drivers\aavmker4.sys
    2012-04-09 14:58 . 2012-03-07 00:15 41184 ----a-w- c:\windows\avastSS.scr
    2012-04-09 14:58 . 2012-03-07 00:15 201352 ----a-w- c:\windows\system32\aswBoot.exe
    2012-04-09 14:58 . 2012-04-09 14:58 -------- d-----w- c:\documents and settings\All Users\Datos de programa\AVAST Software
    2012-04-09 14:58 . 2012-04-09 14:58 -------- d-----w- c:\archivos de programa\AVAST Software
    2012-03-18 22:05 . 2012-03-18 22:05 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2006-05-24 18:24 . 2006-05-24 18:24 623104 ----a-w- c:\archivos de programa\hfs.exe
    2005-04-19 22:25 . 2005-09-06 15:59 53323 ----a-w- c:\archivos de programa\opera\program\plugins\PlugDef.dll
    2005-07-16 08:41 . 2005-06-25 01:55 41573 ----a-w- c:\archivos de programa\mozilla firefox\components\jar50.dll
    2005-07-16 08:41 . 2005-06-25 01:55 160871 ----a-w- c:\archivos de programa\mozilla firefox\components\xpinstal.dll
    2005-07-16 08:41 . 2005-06-25 01:55 48223 ----a-w- c:\archivos de programa\mozilla firefox\components\jsd3250.dll
    2005-07-16 08:41 . 2005-08-02 16:06 150912 ----a-w- c:\archivos de programa\mozilla firefox\components\fullsoft.dll
    2005-07-16 08:41 . 2005-08-02 16:06 94208 ----a-w- c:\archivos de programa\mozilla firefox\components\BrandRes.dll
    2005-07-16 08:41 . 2005-08-02 16:06 8813 ----a-w- c:\archivos de programa\mozilla firefox\components\qfaservices.dll
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
    @="{472083B0-C522-11CF-8763-00608CC02F24}"
    [HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
    2012-03-07 00:15 123536 ----a-w- c:\archivos de programa\AVAST Software\Avast\ashShell.dll
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2005-06-15 6803456]
    "nwiz"="nwiz.exe" [2005-06-15 1519616]
    "NvMediaCenter"="NvMCTray.dll" [2005-06-15 86016]
    "NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
    "avast"="c:\archivos de programa\AVAST Software\Avast\avastUI.exe" [2012-03-07 4241512]
    .
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2004-08-19 15360]
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menú Inicio^Programas^Inicio^Adobe Reader Speed Launch.lnk]
    path=c:\documents and settings\All Users\Menú Inicio\Programas\Inicio\Adobe Reader Speed Launch.lnk
    backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^Joa^Menú Inicio^Programas^Inicio^Konfabulator.lnk]
    path=c:\documents and settings\Joa\Menú Inicio\Programas\Inicio\Konfabulator.lnk
    backup=c:\windows\pss\Konfabulator.lnkStartup
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
    c:\windows\system32\dumprep 0 -k [X]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\C-Media Mixer]
    2002-10-15 21:00 1818624 ----a-w- c:\windows\mixer.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
    2010-08-05 09:32 136176 ----a-w- c:\documents and settings\Joa\Configuración local\Datos de programa\Google\Update\GoogleUpdate.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Norton Ghost 9.0]
    2004-07-29 07:41 1122304 ----a-w- c:\archivos de programa\Symantec\Norton Ghost\Agent\GhostTray.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    2008-03-25 07:28 144784 ----a-w- c:\archivos de programa\Java\jre1.6.0_06\bin\jusched.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TorCP]
    2005-12-11 19:51 225280 ----a-w- c:\archivos de programa\TorCP\TorCP.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "srvInetShaper"=2 (0x2)
    "MDM"=2 (0x2)
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Archivos de programa\\ABC\\abc.exe"=
    "c:\\Archivos de programa\\Google\\Google Talk\\googletalk.exe"=
    "c:\\WINDOWS\\System32\\dpvsetup.exe"=
    "c:\\Archivos de programa\\mIRC\\mirc.exe"=
    "c:\\Archivos de programa\\uTorrent\\utorrent.exe"=
    "c:\\Archivos de programa\\hfs.exe"=
    "c:\\Archivos de programa\\MSN Messenger\\msnmsgr.exe"=
    "c:\\Documents and Settings\\Joa\\Escritorio\\utorrent 182.exe"=
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "11297:UDP"= 11297:UDP:UDP 11297
    "18377:TCP"= 18377:TCP:TCP 18377
    .
    R0 d347bus;d347bus;c:\windows\system32\drivers\d347bus.sys [15/08/2005 02:02 AM 155136]
    R0 d347prt;d347prt;c:\windows\system32\drivers\d347prt.sys [15/08/2005 02:02 AM 5248]
    R0 PQV2i;PQV2i;c:\windows\system32\drivers\PQV2i.sys [29/07/2004 03:33 AM 138780]
    R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [09/04/2012 11:59 AM 612184]
    R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [09/04/2012 11:59 AM 337880]
    R1 PQIMount;PQIMount;c:\windows\system32\drivers\PQIMount.sys [29/07/2004 04:13 AM 46779]
    R2 {09BB444F-B2E2-4009-BAF2-7B727681223E};BuddyVM;c:\archivos de programa\VMLaunch\BuddyVM.sys [03/12/2004 08:12 PM 15872]
    R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [09/04/2012 11:59 AM 20696]
    S3 OracleServiceXE;OracleServiceXE;c:\oraclexe\app\oracle\product\10.2.0\server\bin\ORACLE.EXE XE --> c:\oraclexe\app\oracle\product\10.2.0\server\bin\ORACLE.EXE XE [?]
    S3 OracleXETNSListener;OracleXETNSListener;c:\oraclexe\app\oracle\product\10.2.0\server\BIN\TNSLSNR.EXE [02/02/2006 12:49 AM 204800]
    S4 OracleJobSchedulerXE;OracleJobSchedulerXE;c:\oraclexe\app\oracle\product\10.2.0\server\Bin\extjob.exe XE --> c:\oraclexe\app\oracle\product\10.2.0\server\Bin\extjob.exe XE [?]
    S4 srvInetShaper;iNet Shaper;c:\archivos de programa\iNet Shaper\Service\ins_service.exe --> c:\archivos de programa\iNet Shaper\Service\ins_service.exe [?]
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2012-04-12 c:\windows\Tasks\Winamp.job
    - c:\archiv~1\Winamp\winamp.exe [2005-06-14 18:36]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://google.com/
    uInternet Settings,ProxyServer = localhost:8088
    IE: E&xportar a Microsoft Excel - c:\archiv~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    Trusted Zone: gamespot.com\www
    TCP: Interfaces\{1B4E29EE-2AD8-41C3-A377-2F48FBFFA7A3}: NameServer = 192.168.1.1,8.8.8.8
    DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
    DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
    FF - ProfilePath - c:\documents and settings\Joa\Datos de programa\Mozilla\Firefox\Profiles\3eot68cf.default\
    FF - prefs.js: browser.search.selectedEngine - Google
    FF - prefs.js: browser.startup.homepage - hxxp://gamefaqs.com/
    FF - user.js: network.cookie.cookieBehavior - 0
    FF - user.js: privacy.clearOnShutdown.cookies - false
    FF - user.js: security.warn_viewing_mixed - false
    FF - user.js: security.warn_viewing_mixed.show_once - false
    FF - user.js: security.warn_submit_insecure - false
    FF - user.js: security.warn_submit_insecure.show_once - false
    .
    - - - - ORPHANS REMOVED - - - -
    .
    MSConfigStartUp-AFProg - c:\archivos de programa\Hotspot Shield\AnchorFree\ctrl\AFController.exe
    MSConfigStartUp-QuickTime Task - c:\archivos de programa\QuickTime\qttask.exe
    AddRemove-TorCP - c:\archivos de programa\TorCP\tor-bundle-uninstall.exe
    AddRemove-Google Chrome - c:\documents and settings\Joa\Configuración local\Datos de programa\Google\Chrome\Application\5.0.375.125\Installer\setup.exe
    .
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2012-04-13 00:23
    Windows 5.1.2600 Service Pack 2 FAT NTAPI
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'explorer.exe'(2212)
    c:\windows\system32\browselc.dll
    c:\archivos de programa\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    c:\windows\system32\ODBC32.dll
    c:\archivos de programa\Microsoft Office\OFFICE11\msohev.dll
    c:\archivos de programa\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll
    c:\archivos de programa\Illustrate\dBpowerAMP\dBShell.dll
    c:\windows\system32\shdoclc.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\archivos de programa\AVAST Software\Avast\AvastSvc.exe
    c:\windows\system32\wscntfy.exe
    .
    **************************************************************************
    .
    Completion time: 2012-04-13 00:26:14 - machine was rebooted
    ComboFix-quarantined-files.txt 2012-04-13 03:26
    .
    Pre-Run: 15.530.688.512 bytes libres
    Post-Run: 15.431.434.240 bytes libres
    .
    - - End Of File - - 10A212EB29947EA7C66BBE4ED0C37496
     
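The helper's next step is to read the "Supplementary Scan" part of the log above for the proxy and Trusted Zone entries. As an added example (not from the thread or from ComboFix), here is a small audit that pulls those indicators out of a constructed excerpt in the same layout; the log excerpt and the `audit_combofix_log` / `proxy_hosts` names are mine.

```python
"""Audit the 'Supplementary Scan' part of a ComboFix log for settings a helper
asks to reset: a proxy pointing at the local machine, IE Trusted Zone entries,
and Firefox user.js prefs that silence insecure-content warnings."""
import re

# Constructed excerpt in ComboFix's layout; the values mirror those quoted in
# the thread, it is not the poster's full log.
SAMPLE_LOG = """\
------- Supplementary Scan -------
.
uStart Page = hxxp://google.com/
uInternet Settings,ProxyServer = localhost:8088
Trusted Zone: gamespot.com\\www
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: network.cookie.cookieBehavior - 0
.
- - - - ORPHANS REMOVED - - - -
"""

# Leading 'u' / 'm' is ComboFix's marker for per-user / machine-wide settings.
PROXY_RE = re.compile(r"^[um]Internet Settings,ProxyServer = (\S+)")
TRUSTED_RE = re.compile(r"^Trusted Zone: (\S+)")
FF_PREF_RE = re.compile(r"^FF - (?:user|prefs)\.js: (\S+) - (\S+)")
LOOPBACK = {"localhost", "127.0.0.1", "::1"}


def proxy_hosts(value):
    """Split a ProxyServer value ('host:port' or 'http=host:port;https=...')
    into bare host names."""
    hosts = []
    for entry in value.split(";"):
        entry = entry.split("=", 1)[-1]            # drop a 'http=' style prefix
        has_port = entry.count(":") == 1 or entry.startswith("[")
        host = entry.rsplit(":", 1)[0] if has_port else entry
        hosts.append(host.strip("[]").lower())
    return hosts


def audit_combofix_log(text):
    """Return (kind, value, why) tuples for each setting worth resetting."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        m = PROXY_RE.match(line)
        if m:
            if any(h in LOOPBACK or h.startswith("127.") for h in proxy_hosts(m.group(1))):
                findings.append(("proxy", m.group(1),
                                 "browser traffic is routed through a local listener"))
            continue
        m = TRUSTED_RE.match(line)
        if m:
            findings.append(("trusted_zone", m.group(1),
                             "site runs with IE's lowered Trusted sites security"))
            continue
        m = FF_PREF_RE.match(line)
        if m and m.group(1).startswith("security.warn_") and m.group(2) == "false":
            findings.append(("ff_pref", m.group(1),
                             "user.js re-applies this at every start, so a UI reset does not stick"))
    return findings
```

Run `audit_combofix_log(SAMPLE_LOG)` to get the four findings for the excerpt; feeding it the full log text works the same way since only matching lines are considered.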
  11. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Please run this Custom CFScript:

    [1]. Close any open browsers.
    [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    [3]. Open notepad> click on Format> Uncheck 'Word Wrap'> and copy/paste the text in the code below into it:
    Code:
    File::
    c:\archivos de programa\iNet Shaper\Service\ins_service.exe
    
    DDS::
    Trusted Zone: gamespot.com\www
    uInternet Settings,ProxyServer = localhost:8088
    Folder::
    C:\FOUND.005
    Registry::
    [HKEY_LOCAL_MACHINE\software\microsoft\sharedtools\msconfig\startupreg\KernelFaultCheck]
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TorCP]
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "srvInetShaper"=-
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "srvInetShaper"=
    "c:\\Archivos de programa\\mIRC\\mirc.exe"=
    "c:\\Archivos de programa\\uTorrent\\utorrent.exe"=-
    "c:\\Documents and Settings\\Joa\\Escritorio\\utorrent 182.exe"=-
    
    Clearjavacache::
    
    Driver::
    srvInetShaper
    FCopy::
    
    Save this as CFScript.txt, in the same location as ComboFix.exe

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt . Please paste it into your next reply.
    ==============================================
    Please note: Due to user's placement of suspended domain for torrents in Host Files, this system will not be declared 'clean' when finished.
     
  12. Melo102

    Melo102 TS Rookie Topic Starter

    Just to be clear, what does the script do? I don't want to render utorrent useless, even though I haven't used it in a long while. Same for mIRC.
     
  13. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    The script removes them. If you don't want them removed although I consider them to be a danger to the computer, remove those references from the code.

    As I said, I will not consider this system clean with the entries I mentioned.
     
