Inactive Possible ZBot infection

Melo102

A little background

I had an old AVG that wouldn't update anymore. I didn't ever update cause I use Chrome/Firefox with javascript/plugins disabled except for the permitted pages, and I don't download pirated software so I figured I was safe. And I was, until yesterday when a window popped up saying "548b7201a93b3552.exe" had crashed. Immediately "F4D56199000CD041592AC7B72830AC72.exe" opened, which I closed via the taskbar. There was also some other random .exe in the temp folder. Deleted everything.

After that, I went to msconfig and noticed an "imuma.exe" was on there. I deleted the file, but I couldn't disable it from msconfig nor delete the registry file (it kept popping up). Had to go to Safe Mode to do that.

Did a scan with the old AVG and it found an infected .js. Deleted too.

Afterwards I uninstalled AVG and installed Avast. Did a scan and it only found three files on System Restore folders. I then did the before windows boot scan and it only found some broken zip files and it flagged mIRC as Win32:mirc-Z. False alarm?


Anyway, here are the required logs:

------------------------------------

Malwarebytes Anti-Malware 1.61.0.1400
www.malwarebytes.org

Database version: v2012.04.10.01

Windows XP Service Pack 2 x86 FAT32
Internet Explorer 6.0.2900.2180
Joa :: FAMFR-CHH5EC [administrator]

10/04/2012 01:29:25 AM
mbam-log-2012-04-10 (01-29-25).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 181801
Time elapsed: 4 minute(s), 14 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 2
HKLM\SOFTWARE\Microsoft\Security Center|AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.
HKLM\SOFTWARE\Microsoft\Security Center|UpdatesDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.

Folders Detected: 0
(No malicious items detected)

Files Detected: 1
C:\WINDOWS\Temp\regincd2.exe (Spyware.OnLineGames) -> Quarantined and deleted successfully.

(end)


----------------------------------------
 
GMER 1.0.15.15641 - http://www.gmer.net
Rootkit quick scan 2012-04-10 02:15:06
Windows 5.1.2600 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 ExcelStor_Technology_J680 rev.V32OA60A
Running: hlt0h9uu.exe; Driver: C:\DOCUME~1\joa\CONFIG~1\Temp\ffryafoc.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwEnumerateKey [0xF578628E]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwEnumerateValueKey [0xF57860F9]

Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwCreateProcessEx [0xF57FBD92]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObInsertObject
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObMakeTemporaryObject

---- Devices - GMER 1.0.15 ----

Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 865B0D38
Device \Driver\atapi \Device\Ide\IdePort0 865B0D38
Device \Driver\atapi \Device\Ide\IdePort1 865B0D38
Device \Driver\atapi \Device\Ide\IdePort2 865B0D38
Device \Driver\atapi \Device\Ide\IdePort3 865B0D38
Device \Driver\atapi \Device\Ide\IdeDeviceP2T0L0-e 865B0D38
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-1b 865B0D38
Device \Driver\d347prt \Device\Scsi\d347prt1Port4Path0Target1Lun0 86569870
Device \Driver\d347prt \Device\Scsi\d347prt1Port4Path0Target0Lun0 86569870
Device \Driver\d347prt \Device\Scsi\d347prt1 86569870
Device \FileSystem\Ntfs \Ntfs aswSP.SYS (avast! self protection module/AVAST Software)
Device \FileSystem\Ntfs \Ntfs 86671500

AttachedDevice \FileSystem\Ntfs \Ntfs PQV2i.sys (StorageCraft Volume Snap-Shot/StorageCraft)
AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/AVAST Software)

Device \FileSystem\Fastfat \Fat aswSP.SYS (avast! self protection module/AVAST Software)
Device \FileSystem\Fastfat \Fat 86BC6B68

AttachedDevice \FileSystem\Fastfat \Fat PQV2i.sys (StorageCraft Volume Snap-Shot/StorageCraft)
AttachedDevice \FileSystem\Fastfat \Fat aswMon2.SYS (avast! File System Filter Driver for Windows XP/AVAST Software)
AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)

---- Modules - GMER 1.0.15 ----

Module _________ F73BF000-F73D7000 (98304 bytes)

---- EOF - GMER 1.0.15 ----
 
.
DDS (Ver_2011-08-26.01) - FAT32x86
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_06
Run by Joa at 2:40:16 on 2012-04-10
Microsoft Windows XP Professional 5.1.2600.2.1252.54.3082.18.1023.650 [GMT -3:00]
.
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
SVCHOST.EXE
C:\WINDOWS\System32\svchost.exe -k netsvcs
SVCHOST.EXE
SVCHOST.EXE
C:\Archivos de programa\AVAST Software\Avast\AvastSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Archivos de programa\AVAST Software\Avast\avastUI.exe
C:\Documents and Settings\Joa\Configuración local\Datos de programa\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Joa\Configuración local\Datos de programa\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Joa\Configuración local\Datos de programa\Google\Chrome\Application\chrome.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://google.com/
uInternet Settings,ProxyServer = localhost:8088
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\archivos de programa\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\archivos de programa\java\jre1.6.0_06\bin\ssv.dll
BHO: Hotspot Shield Class: {f9e4a054-e9b1-4bc3-83a3-76a1ae736170} - c:\archivos de programa\hotspot shield\hssie\HssIE.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [avast] "c:\archivos de programa\avast software\avast\avastUI.exe" /nogui
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
IE: E&xportar a Microsoft Excel - c:\archiv~1\micros~2\office11\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\archivos de programa\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0006-ABCDEFFEDCBC} - c:\archivos de programa\java\jre1.6.0_06\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\archiv~1\micros~2\office11\REFIEBAR.DLL
Trusted Zone: gamespot.com\www
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_06-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_06-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
TCP: Interfaces\{1B4E29EE-2AD8-41C3-A377-2F48FBFFA7A3} : NameServer = 192.168.1.1,8.8.8.8
[EDIT: SOME private torrent music sites I put myself in the hosts file]
.
Note: multiple HOSTS entries found. Please refer to Attach.txt
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\Joa\datos de programa\mozilla\firefox\profiles\3eot68cf.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://gamefaqs.com/
FF - component: c:\archivos de programa\mozilla firefox\components\qfaservices.dll
.
---- FIREFOX POLICIES ----
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
.
============= SERVICES / DRIVERS ===============
.
R0 d347bus;d347bus;c:\windows\system32\drivers\d347bus.sys [2005-8-15 155136]
R0 d347prt;d347prt;c:\windows\system32\drivers\d347prt.sys [2005-8-15 5248]
R0 PQV2i;PQV2i;c:\windows\system32\drivers\PQV2i.sys [2004-7-29 138780]
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2012-4-9 612184]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2012-4-9 337880]
R1 PQIMount;PQIMount;c:\windows\system32\drivers\PQIMount.sys [2004-7-29 46779]
R2 {09BB444F-B2E2-4009-BAF2-7B727681223E};BuddyVM;c:\archivos de programa\vmlaunch\BuddyVM.sys [2004-12-3 15872]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2012-4-9 20696]
R2 avast! Antivirus;avast! Antivirus;c:\archivos de programa\avast software\avast\AvastSvc.exe [2012-4-9 44768]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2012-4-10 40776]
S3 OracleServiceXE;OracleServiceXE;c:\oraclexe\app\oracle\product\10.2.0\server\bin\oracle.exe xe --> c:\oraclexe\app\oracle\product\10.2.0\server\bin\ORACLE.EXE XE [?]
S3 OracleXETNSListener;OracleXETNSListener;c:\oraclexe\app\oracle\product\10.2.0\server\bin\TNSLSNR.EXE [2006-2-2 204800]
S4 OracleJobSchedulerXE;OracleJobSchedulerXE;c:\oraclexe\app\oracle\product\10.2.0\server\bin\extjob.exe xe --> c:\oraclexe\app\oracle\product\10.2.0\server\bin\extjob.exe XE [?]
S4 srvInetShaper;iNet Shaper;c:\archivos de programa\inet shaper\service\ins_service.exe --> c:\archivos de programa\inet shaper\service\ins_service.exe [?]
.
=============== Created Last 30 ================
.
2012-04-10 04:28:04 40776 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2012-04-10 04:28:04 -------- d-----w- c:\documents and settings\Joa\datos de programa\Malwarebytes
2012-04-10 04:27:54 -------- d-----w- c:\documents and settings\all users\datos de programa\Malwarebytes
2012-04-10 04:27:53 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-04-10 04:27:53 -------- d-----w- c:\archivos de programa\Malwarebytes' Anti-Malware
2012-04-09 14:59:05 612184 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2012-04-09 14:58:39 41184 ----a-w- c:\windows\avastSS.scr
2012-04-09 14:58:15 -------- d-----w- c:\documents and settings\all users\datos de programa\AVAST Software
2012-04-09 14:58:15 -------- d-----w- c:\archivos de programa\AVAST Software
2012-03-18 22:05:20 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
.
==================== Find3M ====================
.
2006-05-24 18:24:06 623104 ----a-w- c:\archivos de programa\hfs.exe
.
============= FINISH: 2:40:34,10 ===============
 
.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-08-26.01)
.
Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 24/06/2005 01:16:02 PM
System Uptime: 10/04/2012 02:00:59 AM (0 hours ago)
.
Motherboard: Intel Corporation | | D865PERL
Processor: Intel(R) Pentium(R) 4 CPU 2.80GHz | J2E1 | 2793/200mhz
Processor: Intel(R) Pentium(R) 4 CPU 2.80GHz | J2E1 | 2793/200mhz
.
==== Disk Partitions =========================
.
A: is Removable
C: is FIXED (FAT32) - 77 GiB total, 14,834 GiB free.
D: is CDROM (CDFS)
F: is CDROM ()
G: is CDROM ()
J: is FIXED (NTFS) - 298 GiB total, 0,09 GiB free.
.
==== Disabled Device Manager Items =============
.
Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: NIC Fast Ethernet PCI Familia RTL8139 de Realtek
Device ID: PCI\VEN_10EC&DEV_8139&SUBSYS_813910EC&REV_10\4&2E98101C&0&08F0
Manufacturer: Realtek
Name: NIC Fast Ethernet PCI Familia RTL8139 de Realtek
PNP Device ID: PCI\VEN_10EC&DEV_8139&SUBSYS_813910EC&REV_10\4&2E98101C&0&08F0
Service: rtl8139
.
==== System Restore Points ===================
.
No restore point in system.
.
==== Hosts File Hijack ======================
.
Hosts: 193.189.73.82 btmusic.org
.
==== Installed Programs ======================
.
7-Zip 4.20
ABC (remove only)
AC3Filter (remove only)
Actualización de seguridad para el Reproductor de Windows Media (KB911564)
Actualización de seguridad para el Reproductor de Windows Media 9 (KB911565)
Actualización de seguridad para Windows XP (KB883939)
Actualización de seguridad para Windows XP (KB890046)
Actualización de seguridad para Windows XP (KB893066)
Actualización de seguridad para Windows XP (KB893756)
Actualización de seguridad para Windows XP (KB896358)
Actualización de seguridad para Windows XP (KB896422)
Actualización de seguridad para Windows XP (KB896423)
Actualización de seguridad para Windows XP (KB896424)
Actualización de seguridad para Windows XP (KB896428)
Actualización de seguridad para Windows XP (KB896688)
Actualización de seguridad para Windows XP (KB899587)
Actualización de seguridad para Windows XP (KB899588)
Actualización de seguridad para Windows XP (KB899589)
Actualización de seguridad para Windows XP (KB899591)
Actualización de seguridad para Windows XP (KB900725)
Actualización de seguridad para Windows XP (KB901017)
Actualización de seguridad para Windows XP (KB901214)
Actualización de seguridad para Windows XP (KB902400)
Actualización de seguridad para Windows XP (KB903235)
Actualización de seguridad para Windows XP (KB904706)
Actualización de seguridad para Windows XP (KB905414)
Actualización de seguridad para Windows XP (KB905749)
Actualización de seguridad para Windows XP (KB905915)
Actualización de seguridad para Windows XP (KB908519)
Actualización de seguridad para Windows XP (KB908531)
Actualización de seguridad para Windows XP (KB911562)
Actualización de seguridad para Windows XP (KB911567)
Actualización de seguridad para Windows XP (KB911927)
Actualización de seguridad para Windows XP (KB912812)
Actualización de seguridad para Windows XP (KB912919)
Actualización de seguridad para Windows XP (KB913446)
Actualización de seguridad para Windows XP (KB913580)
Actualización para Windows XP (KB894391)
Actualización para Windows XP (KB896727)
Actualización para Windows XP (KB898461)
Actualización para Windows XP (KB900485)
Actualización para Windows XP (KB910437)
Ad-aware 6 Professional
Adobe Flash Player 10 ActiveX
Adobe Flash Player 11 Plugin
Adobe Reader 7.0.5
µTorrent
AutoUpdate
avast! Free Antivirus
Better File Rename 5.5
CUE Splitter
DAEMON Tools
dBpowerAMP FLAC Codec
dBpowerAMP Monkeys Audio Codec
dBpowerAMP Music Converter
dBpowerAMP Wavpack Codec
Delete Virtual-Mate Launcher
Dev-C++ 5 beta 9 release (4.9.9.2)
DivX
DivX Codec 3.1alpha release
DivX Player
DVD Decrypter (Remove Only)
DVDPean Pro 3.5.1
Ethereal 0.10.12
Exact Audio Copy 0.95b4
ffdshow [rev 2033] [2008-07-05]
FLAC Installer 1.1.2a (remove only)
Google Chrome
Google Talk (remove only)
HijackThis 1.99.1
Hotspot Shield 1.17
Huffyuv AVI lossless video codec (Remove Only)
Image Resizer Powertoy for Windows XP
IrfanView (remove only)
Java(TM) 6 Update 6
Java(TM) SE Development Kit 6 Update 6
LiveUpdate 2.0 (Symantec Corporation)
Malwarebytes Anti-Malware version 1.61.0.1400
Microsoft .NET Framework 1.1
Microsoft Office Professional Edition 2003
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
mIRC
Monkey's Audio
Mozilla Firefox (1.0.6)
MSN Messenger 7.0
MWSnap 3
Nero 6 Ultra Edition
Norton Ghost 9.0
Norton PartitionMagic
Norton PartitionMagic 8.0
NVIDIA Drivers
Opera
Oracle Data Provider for .NET Help
Oracle Database 10g Express Edition
PC Wizard 2006.1.70
PCI Audio Driver
PowerDVD
QuickPar 0.9
QuickSFV (Remove only)
RedStapler Screen Saver
Revisión de Windows XP - KB873333
Revisión de Windows XP - KB873339
Revisión de Windows XP - KB885250
Revisión de Windows XP - KB885626
Revisión de Windows XP - KB885835
Revisión de Windows XP - KB885836
Revisión de Windows XP - KB886185
Revisión de Windows XP - KB887472
Revisión de Windows XP - KB887742
Revisión de Windows XP - KB888113
Revisión de Windows XP - KB888302
Revisión de Windows XP - KB890175
Revisión de Windows XP - KB890859
Revisión de Windows XP - KB891781
Revisión de Windows XP - KB893086
SMAC 1.2
Spybot - Search & Destroy 1.4
System Requirements Lab
Tag&Rename 3.2
Tau Analyzer (remove only)
Tor Control Panel
VLC media player 0.9.9
WebFldrs XP
Winamp (remove only)
Windows Genuine Advantage Notifications (KB905474)
Windows Installer 3.1 (KB893803)
Windows XP Service Pack 2
XviD MPEG-4 Video Codec
.
==== Event Viewer Messages From Past Week ========
.
09/04/2012 11:25:21 AM, error: Service Control Manager [7034] - El servicio AVG7 Update Service se terminó de manera inesperada. Esto ha sucedido 1 veces.
09/04/2012 11:25:18 AM, error: Service Control Manager [7034] - El servicio AVG E-mail Scanner se terminó de manera inesperada. Esto ha sucedido 1 veces.
09/04/2012 11:25:15 AM, error: Service Control Manager [7034] - El servicio AVG7 Alert Manager Server se terminó de manera inesperada. Esto ha sucedido 1 veces.
09/04/2012 10:04:05 AM, error: Service Control Manager [7026] - El controlador de inicialización siguiente no se cargó correctamente: AFD ASPI32 Avg7Core Avg7RsW Avg7RsXP Fips intelppm IPSec MRxSmb NetBIOS NetBT PQIMount RasAcd Rdbss sf Tcpip
09/04/2012 10:04:05 AM, error: Service Control Manager [7001] - El servicio Servicios IPSEC depende del servicio Controlador IPSEC, el cual no pudo iniciarse debido al siguiente error: Uno de los dispositivos vinculados al sistema no funciona.
09/04/2012 10:04:05 AM, error: Service Control Manager [7001] - El servicio Cliente DNS depende del servicio Controlador de protocolo TCP/IP, el cual no pudo iniciarse debido al siguiente error: Uno de los dispositivos vinculados al sistema no funciona.
09/04/2012 10:04:05 AM, error: Service Control Manager [7001] - El servicio Cliente DHCP depende del servicio NetBios a través de Tcpip, el cual no pudo iniciarse debido al siguiente error: Uno de los dispositivos vinculados al sistema no funciona.
09/04/2012 10:04:05 AM, error: Service Control Manager [7001] - El servicio Ayuda de NetBIOS sobre TCP/IP depende del servicio Entorno de compatibilidad de funciones de red AFD, el cual no pudo iniciarse debido al siguiente error: Uno de los dispositivos vinculados al sistema no funciona.
09/04/2012 10:03:37 AM, error: DCOM [10005] - DCOM ha obtenido un error "%1084" al intentar iniciar el servicio netman con argumentos "" para ejecutar el servidor: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
09/04/2012 10:03:27 AM, error: DCOM [10005] - DCOM ha obtenido un error "%1084" al intentar iniciar el servicio EventSystem con argumentos "" para ejecutar el servidor: {1BE1F766-5536-11D1-B726-00C04FB926AF}
09/04/2012 08:45:40 AM, error: DCOM [10005] - DCOM ha obtenido un error "%1058" al intentar iniciar el servicio MDM con argumentos "" para ejecutar el servidor: {0C0A3666-30C9-11D0-8F20-00805F2CD064}
.
==== End Of File ===========================
 
Thank you for the background. I will be glad to help you but I need some of the logs redone.

When you open Notepad for a log, you must go up and click on Format > Uncheck Word Wrap before you use Notepad. This will allow the logs to print in a readable format and not break an entry into 2 or 3 lines.

Please redo GMER and the DDS.txt log (the Attach.txt log from DDS came out okay); Malwarebytes is okay. I also would appreciate having English text. Parts of some logs appear to be in Spanish or Portuguese.

You do not need to repeat the scans- just redo the 2 logs and remember to uncheck Word Wrap on any future logs.

I can't identify either of the processes you left. Since you removed AVG (Combofix won't run with AVG) and use Avast, please go ahead with the following:

To run the Eset Online Virus Scan:
If you use Internet Explorer:
  1. Open the ESETOnlineScan
  2. Skip to #4 to "Continue with the directions"

    If you are using a browser other than Internet Explorer
  3. Open Eset Smart Installer
    [o] Click on the esetsmartinstaller_enu.exe link and save to the desktop.
    [o] Double click on the desktop icon to run.
    [o] After successful installation of the ESET Smart Installer, the ESET Online Scanner will be launched in a new Window
  4. Continue with the directions.
  5. Check 'Yes I accept terms of use.'
  6. Click Start button
  7. Accept any security warnings from your browser.
  8. Uncheck 'Remove found threats'
  9. Check 'Scan archives'
  10. Leave remaining settings as is.
  11. Press the Start button.
  12. ESET will then download updates for itself, install itself, and begin scanning your computer. Please wait for the scan to finish.
  13. When the scan completes, press List of found threats
  14. Push Export of text file and save the file to your desktop using a unique name, such as ESETScan. Paste this log in your next reply.
  15. Push the Back button, then Finish
NOTE: If no malware is found then no log will be produced. Let me know if this is the case.
======================================
Please note: If you have previously run Combofix and it's still on the system, please uninstall it. Then download the current version and do the scan: Uninstall directions, if needed
  • Click START> then RUN
  • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
--------------------------------------
Before you run the Combofix scan, please disable any security software you have running.

Download Combofix from HERE or HERE (http://www.forospyware.com/sUBs/ComboFix.exe) and save to the desktop.
  • Double click combofix.exe & follow the prompts.
  • If prompted for Recovery Console, please allow.
  • Once installed, you should see a blue screen prompt that says:
    • The Recovery Console was successfully installed.
    • Note: If Combofix was downloaded to a flash drive, the Recovery Console will not install- just bypass and go on.
    • Note: No query will be made if the Recovery Console is already on the system.
  • Close/disable all anti virus and anti malware programs
    (If you need help with this, please see HERE)
  • Close any open browsers.
  • Click on Yes, to continue scanning for malware
  • If Combofix asks you to update the program, allow
  • When the scan completes, a report will be generated and will open in a text window. Please paste the C:\ComboFix.txt in your next reply.
Re-enable your Antivirus software.
Note 1: Do not mouse-click Combofix's window while it is running. That may cause it to stall.
Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart the computer.
Note 3: CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
=========================================
Note: If you have any problem running either of the above, please stop and tell me what it is.
==========================================
My Guidelines: please read and follow:
  • Be patient. Malware cleaning takes time. I am also working with other members while I am helping you.
  • Read my instructions carefully. If you don't understand or have a problem, ask me. Follow the order of the tasks I give you. Order is crucial in cleaning process.
  • If you have questions, or if a program doesn't work, stop and tell me about it. Don't try to get around it yourself.
  • File sharing programs should be uninstalled or disabled during the cleaning process.
  • Observe these:
    [o] Don't follow directions given to someone else
    [o] Don't use any other cleaning programs or scans while I'm helping you.
    [o] Don't use a Registry cleaner or make any changes in the Registry.
    [o] Don't download and install new programs- except those I give you.
Threads are closed after 5 days if there is no reply.
 
ESET Log. Nothing found

----

C:\WINDOWS\Temp\hss2.tmp a variant of Win32/HotSpotShield application
C:\Archivos de programa\Hotspot Shield\bin\openvpnas.exe a variant of Win32/HotSpotShield application
---

ComboFix gave me a BSOD (BAD_POOL_HEADER or something), so I had to reboot. Windows did its scan and some of the ComboFix files got truncated so I probably will have to reinstall it. But I'm wary of running it again, honestly.


EDIT: Uninstalled combofix. Have a weird new service in services.msc "PEVSystemStart". Click Properties and it says the file can't be found. Went to registry, deleted all except one folder which it doesn't let me do ("error when deleting key") HKLM/SYSTEM/CurrentControlSet/Enum/Root/LEGACY_PEVSYSTEMSTART
Does it have to do anything with combofix?
 
[EDIT: SOME private torrent music sites I put myself in the hosts file]

Sorry, I can't accept this. I wanted the log reformatted- not edited. These may well be the reason for the infections. You have malware that you want removed, so please don't 'hide' files!

Please remove this:
Hosts: 193.189.73.82 btmusic.org
It appears that this is a suspended domain and you moved it here to access it. It is an oxymoron to try and clean a system while the user has made access to a suspended file sharing domain possible.
=======================================
Regarding the entries found in Eset:
Originally Posted by danieln
"9.1 Advertisements. AnchorFree may deliver third-party advertisements (“Advertisements”) within the content of any web page accessed. Advertisements may be injected into the top of the page, inserted directly into the page content, or even displayed to overlay the page...
There appears to be some controversy about whether this is actually a False Positive. However, since you use torrent sites, adware or a PUP may be included.

Please download OTMovit by Old Timer and save to your desktop.
  • Double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
    Code:
    :Files 
    C:\WINDOWS\Temp\hss2.tmp 
    C:\Archivos de programa\Hotspot Shield\bin\openvpnas.exe 
    :Commands
    [purity]
    [emptytemp]
    [start explorer]
    [Reboot]
  • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window and choose Paste.
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt3
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
==========================================
PEVSystemStart is part of Combofix and may not have been fully removed if the program was run previously.

Uninstall ComboFix and all Backups of the files it deleted
  • Click START> then RUN
  • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
Now download and try the scan again.

NOTE: If, for some reason, Combofix refuses to run, try one of the following:
1. Run Combofix from Safe Mode. If it won't run, go on to #2.

2. Delete the Combofix file, download a fresh one, but rename combofix.exe to friday.exe BEFORE saving it to your desktop.
Do NOT run it yet.

3. See which one of the following runs. You do not need to download all three versions:
This is a slight variation on the RKill:
You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.
  • Rkill.com
  • Rkill.scr
  • Rkill.exe
  • Double-click on the Rkill desktop icon to run the tool.
  • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
  • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
  • If not, delete the file, then download and use the one provided in Link 2.
  • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
  • Do not reboot until instructed.
  • If the tool does not run from any of the links provided, please let me know.

Once you've gotten one of them to run, add the following:

Please download exeHelper by Raktor and save it to your desktop.
  • Double-click on exeHelper.com or exeHelper.scr to run the fix tool.
  • A black window should pop up, press any key to close once the fix is completed.
  • A log file called exehelperlog.txt will be created and should open at the end of the scan.
  • A copy of that log will also be saved in the directory where you ran exeHelper.com
  • Copy and paste the contents of exehelperlog.txt in your next reply.

Note: If the window shows a message that says "Error deleting file", please re-run the tool again before posting a log and then post the two logs together (they both will be in the one file).
(Directions courtesy bleeping computer)

4. With both RKill and exehelper on board:
Go right to the renamed (Combofix) and double click on friday.exe to run
If it won't run in Normal Mode, run BOTH tools from safe mode, then try the double click on friday.exe to run.

If successful, please leave RKill, Exehelper and Combofix logs.
========================================
Reset your browser proxies
  • For Firefox:
    o Open Firefox, click on "Tools" then "Options" and then on "Advanced".
    o Click on the "Network" tab, and then on the "Settings" button.
    o Please make sure that the "No Proxy" option is selected.
  • For Internet Explorer:
    o Open Internet Explorer.
    o Click on "Tools" and then select "Internet Options".
    o Click on the "Connections" tab and click the "Lan Settings" button at the bottom.
    o Uncheck "Use a Proxy server for your LAN".
    o Click OK to close the Local Area Network (LAN) Settings window.
    o Click OK to close the Internet Options window.
====================================
Please update the following:
Note: Check each download screen for any pre-checked Toolbars or BHOs. Uncheck them before the download.
Adobe Reader > Current is vX(10.xx)> Adobe Reader Update
Java(TM) 6 > Current is v6u31 > Java Updates.
Uninstall any earlier versions of both as they are vulnerabilities for the system.
Edit: Current version of Java has been corrected to read v6u31
=====================================
Please remove this from the Trusted Zone: Trusted Zone: gamespot.com\www
Nothing needs to be in this zone. The security is lower and this puts the system at risk.
======================================
Please also run the following after Combofix:
Download CKScanner and save to your desktop.
  • Doubleclick CKScanner.exe and click Search For Files.
  • When the cursor hourglass disappears, click Save List To File.
  • A message box will verify that the file is saved.
  • Double-click the CKFiles.txt icon on your desktop and copy/paste the contents in your next reply.
=====================================
 
Regarding the hosts file, I added them all myself. Haven't used BitTorrent in ages, anyway, so some may be outdated.

About HotSpot Shield, I haven't used it forever. It was just a VPN to bypass my ISP torrent throttling. It did insert advertisements into pages when connected so that's probably why it's flagged as malware.

Will try combofix in safe mode.

Thanks.
 
Combofix log (run in Normal mode, worked now)



ComboFix 12-04-12.03 - Joa 13/04/2012 0:15.1.2 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1252.54.3082.18.1023.608 [GMT -3:00]
Running from: c:\documents and settings\Joa\Escritorio\ComboFix.exe
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\archivos de programa\Hotspot Shield\hssie\HsSIe.dll
c:\windows\system32\PowerToyReadme.htm
c:\windows\WindowsUpdate.log . . . . Failed to delete
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_NPF
-------\Legacy_STEC3
-------\Service_STEC3
.
.
((((((((((((((((((((((((( Files Created from 2012-03-13 to 2012-04-13 )))))))))))))))))))))))))))))))
.
.
2012-04-11 05:16 . 2012-04-11 05:16 -------- d-----w- C:\FOUND.005
2012-04-10 04:28 . 2012-04-10 04:28 -------- d-----w- c:\documents and settings\Joa\Datos de programa\Malwarebytes
2012-04-10 04:27 . 2012-04-10 04:27 -------- d-----w- c:\documents and settings\All Users\Datos de programa\Malwarebytes
2012-04-10 04:27 . 2012-04-10 04:27 -------- d-----w- c:\archivos de programa\Malwarebytes' Anti-Malware
2012-04-10 04:27 . 2012-04-04 18:56 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-04-09 14:59 . 2012-03-07 00:01 20696 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2012-04-09 14:59 . 2012-03-07 00:03 337880 ----a-w- c:\windows\system32\drivers\aswSP.sys
2012-04-09 14:59 . 2012-03-07 00:02 35672 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2012-04-09 14:59 . 2012-03-07 00:01 53848 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2012-04-09 14:59 . 2012-03-07 00:03 612184 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2012-04-09 14:59 . 2012-03-07 00:01 95704 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2012-04-09 14:59 . 2012-03-07 00:01 89048 ----a-w- c:\windows\system32\drivers\aswmon.sys
2012-04-09 14:59 . 2012-03-06 23:58 24920 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2012-04-09 14:58 . 2012-03-07 00:15 41184 ----a-w- c:\windows\avastSS.scr
2012-04-09 14:58 . 2012-03-07 00:15 201352 ----a-w- c:\windows\system32\aswBoot.exe
2012-04-09 14:58 . 2012-04-09 14:58 -------- d-----w- c:\documents and settings\All Users\Datos de programa\AVAST Software
2012-04-09 14:58 . 2012-04-09 14:58 -------- d-----w- c:\archivos de programa\AVAST Software
2012-03-18 22:05 . 2012-03-18 22:05 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2006-05-24 18:24 . 2006-05-24 18:24 623104 ----a-w- c:\archivos de programa\hfs.exe
2005-04-19 22:25 . 2005-09-06 15:59 53323 ----a-w- c:\archivos de programa\opera\program\plugins\PlugDef.dll
2005-07-16 08:41 . 2005-06-25 01:55 41573 ----a-w- c:\archivos de programa\mozilla firefox\components\jar50.dll
2005-07-16 08:41 . 2005-06-25 01:55 160871 ----a-w- c:\archivos de programa\mozilla firefox\components\xpinstal.dll
2005-07-16 08:41 . 2005-06-25 01:55 48223 ----a-w- c:\archivos de programa\mozilla firefox\components\jsd3250.dll
2005-07-16 08:41 . 2005-08-02 16:06 150912 ----a-w- c:\archivos de programa\mozilla firefox\components\fullsoft.dll
2005-07-16 08:41 . 2005-08-02 16:06 94208 ----a-w- c:\archivos de programa\mozilla firefox\components\BrandRes.dll
2005-07-16 08:41 . 2005-08-02 16:06 8813 ----a-w- c:\archivos de programa\mozilla firefox\components\qfaservices.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2012-03-07 00:15 123536 ----a-w- c:\archivos de programa\AVAST Software\Avast\ashShell.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2005-06-15 6803456]
"nwiz"="nwiz.exe" [2005-06-15 1519616]
"NvMediaCenter"="NvMCTray.dll" [2005-06-15 86016]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"avast"="c:\archivos de programa\AVAST Software\Avast\avastUI.exe" [2012-03-07 4241512]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2004-08-19 15360]
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menú Inicio^Programas^Inicio^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Menú Inicio\Programas\Inicio\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Joa^Menú Inicio^Programas^Inicio^Konfabulator.lnk]
path=c:\documents and settings\Joa\Menú Inicio\Programas\Inicio\Konfabulator.lnk
backup=c:\windows\pss\Konfabulator.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\C-Media Mixer]
2002-10-15 21:00 1818624 ----a-w- c:\windows\mixer.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2010-08-05 09:32 136176 ----a-w- c:\documents and settings\Joa\Configuración local\Datos de programa\Google\Update\GoogleUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Norton Ghost 9.0]
2004-07-29 07:41 1122304 ----a-w- c:\archivos de programa\Symantec\Norton Ghost\Agent\GhostTray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2008-03-25 07:28 144784 ----a-w- c:\archivos de programa\Java\jre1.6.0_06\bin\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TorCP]
2005-12-11 19:51 225280 ----a-w- c:\archivos de programa\TorCP\TorCP.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"srvInetShaper"=2 (0x2)
"MDM"=2 (0x2)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Archivos de programa\\ABC\\abc.exe"=
"c:\\Archivos de programa\\Google\\Google Talk\\googletalk.exe"=
"c:\\WINDOWS\\System32\\dpvsetup.exe"=
"c:\\Archivos de programa\\mIRC\\mirc.exe"=
"c:\\Archivos de programa\\uTorrent\\utorrent.exe"=
"c:\\Archivos de programa\\hfs.exe"=
"c:\\Archivos de programa\\MSN Messenger\\msnmsgr.exe"=
"c:\\Documents and Settings\\Joa\\Escritorio\\utorrent 182.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"11297:UDP"= 11297:UDP:UDP 11297
"18377:TCP"= 18377:TCP:TCP 18377
.
R0 d347bus;d347bus;c:\windows\system32\drivers\d347bus.sys [15/08/2005 02:02 AM 155136]
R0 d347prt;d347prt;c:\windows\system32\drivers\d347prt.sys [15/08/2005 02:02 AM 5248]
R0 PQV2i;PQV2i;c:\windows\system32\drivers\PQV2i.sys [29/07/2004 03:33 AM 138780]
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [09/04/2012 11:59 AM 612184]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [09/04/2012 11:59 AM 337880]
R1 PQIMount;PQIMount;c:\windows\system32\drivers\PQIMount.sys [29/07/2004 04:13 AM 46779]
R2 {09BB444F-B2E2-4009-BAF2-7B727681223E};BuddyVM;c:\archivos de programa\VMLaunch\BuddyVM.sys [03/12/2004 08:12 PM 15872]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [09/04/2012 11:59 AM 20696]
S3 OracleServiceXE;OracleServiceXE;c:\oraclexe\app\oracle\product\10.2.0\server\bin\ORACLE.EXE XE --> c:\oraclexe\app\oracle\product\10.2.0\server\bin\ORACLE.EXE XE [?]
S3 OracleXETNSListener;OracleXETNSListener;c:\oraclexe\app\oracle\product\10.2.0\server\BIN\TNSLSNR.EXE [02/02/2006 12:49 AM 204800]
S4 OracleJobSchedulerXE;OracleJobSchedulerXE;c:\oraclexe\app\oracle\product\10.2.0\server\Bin\extjob.exe XE --> c:\oraclexe\app\oracle\product\10.2.0\server\Bin\extjob.exe XE [?]
S4 srvInetShaper;iNet Shaper;c:\archivos de programa\iNet Shaper\Service\ins_service.exe --> c:\archivos de programa\iNet Shaper\Service\ins_service.exe [?]
.
Contents of the 'Scheduled Tasks' folder
.
2012-04-12 c:\windows\Tasks\Winamp.job
- c:\archiv~1\Winamp\winamp.exe [2005-06-14 18:36]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://google.com/
uInternet Settings,ProxyServer = localhost:8088
IE: E&xportar a Microsoft Excel - c:\archiv~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: gamespot.com\www
TCP: Interfaces\{1B4E29EE-2AD8-41C3-A377-2F48FBFFA7A3}: NameServer = 192.168.1.1,8.8.8.8
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Joa\Datos de programa\Mozilla\Firefox\Profiles\3eot68cf.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://gamefaqs.com/
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
.
- - - - ORPHANS REMOVED - - - -
.
MSConfigStartUp-AFProg - c:\archivos de programa\Hotspot Shield\AnchorFree\ctrl\AFController.exe
MSConfigStartUp-QuickTime Task - c:\archivos de programa\QuickTime\qttask.exe
AddRemove-TorCP - c:\archivos de programa\TorCP\tor-bundle-uninstall.exe
AddRemove-Google Chrome - c:\documents and settings\Joa\Configuración local\Datos de programa\Google\Chrome\Application\5.0.375.125\Installer\setup.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-04-13 00:23
Windows 5.1.2600 Service Pack 2 FAT NTAPI
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(2212)
c:\windows\system32\browselc.dll
c:\archivos de programa\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
c:\windows\system32\ODBC32.dll
c:\archivos de programa\Microsoft Office\OFFICE11\msohev.dll
c:\archivos de programa\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll
c:\archivos de programa\Illustrate\dBpowerAMP\dBShell.dll
c:\windows\system32\shdoclc.dll
.
------------------------ Other Running Processes ------------------------
.
c:\archivos de programa\AVAST Software\Avast\AvastSvc.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2012-04-13 00:26:14 - machine was rebooted
ComboFix-quarantined-files.txt 2012-04-13 03:26
.
Pre-Run: 15.530.688.512 bytes libres
Post-Run: 15.431.434.240 bytes libres
.
- - End Of File - - 10A212EB29947EA7C66BBE4ED0C37496
 
Please run this Custom CFScript:

  • [1]. Close any open browsers.
    [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    [3]. Open notepad> click on Format> Uncheck 'Word Wrap'> and copy/paste the text in the code below into it:
Code:
File::
c:\archivos de programa\iNet Shaper\Service\ins_service.exe

DDS::
Trusted Zone: gamespot.com\www
uInternet Settings,ProxyServer = localhost:8088
Folder::
C:\FOUND.005
Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TorCP]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"srvInetShaper"=-
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"srvInetShaper"=
"c:\\Archivos de programa\\mIRC\\mirc.exe"=
"c:\\Archivos de programa\\uTorrent\\utorrent.exe"=-
"c:\\Documents and Settings\\Joa\\Escritorio\\utorrent 182.exe"=-

Clearjavacache::

Driver::
srvInetShaper
FCopy::
Save this as CFScript.txt, in the same location as ComboFix.exe
CFScriptB-4.gif


Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt . Please paste into to your next reply.
==============================================
Please note: Due to user's placement of suspended domain for torrents in Host Files, this system will not be declared 'clean' when finished.
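As an added illustration (this is not code from the thread, nor a ComboFix or TechSpot tool), the script below shows how the items the helper's CFScript singles out, and the browser-proxy check from the earlier instructions, can be pulled out of a ComboFix log automatically rather than by eye: a ProxyServer entry pointing back at the local machine, any site in the IE Trusted Zone, chkdsk recovery folders (FOUND.nnn), and firewall exceptions for executables sitting in user-writable locations. The embedded log text is a constructed excerpt of lines quoted earlier in this thread, and the assumptions about section layout (bracketed registry keys, lone "." separators, `uInternet Settings,ProxyServer =` and `Trusted Zone:` prefixes) are based only on the log shown here.

```python
"""Triage helper for ComboFix-style logs (added example, not ComboFix's own code).

Reads the log as plain text, collects a few indicator classes, and reports
the ones a reviewer would want to look at first.  Nothing here modifies the
system; it only reads the pasted log.
"""
import re
from typing import Dict, List

# Constructed sample: an abridged copy of lines quoted in the thread.
SAMPLE_LOG = r"""
2012-04-11 05:16 . 2012-04-11 05:16 -------- d-----w- C:\FOUND.005
2012-04-10 04:27 . 2012-04-04 18:56 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Archivos de programa\\mIRC\\mirc.exe"=
"c:\\Documents and Settings\\Joa\\Escritorio\\utorrent 182.exe"=
.
uStart Page = hxxp://google.com/
uInternet Settings,ProxyServer = localhost:8088
Trusted Zone: gamespot.com\www
TCP: Interfaces\{1B4E29EE-2AD8-41C3-A377-2F48FBFFA7A3}: NameServer = 192.168.1.1,8.8.8.8
"""

PROXY_RE = re.compile(r"^uInternet Settings,ProxyServer\s*=\s*(\S+)$")
TRUSTED_RE = re.compile(r"^Trusted Zone:\s*(\S+)$")
FOUND_RE = re.compile(r"([A-Za-z]:\\FOUND\.\d{3})$")          # chkdsk recovery folders
FW_APP_RE = re.compile(r'^"([^"]+)"=')                         # "<path>"= under the firewall list

# Path fragments that mean "user-writable location" (assumption: XP-era layout
# in English and Spanish, as seen in this log).
USER_WRITABLE_MARKERS = (
    "\\documents and settings\\", "\\users\\", "\\escritorio\\",
    "\\desktop\\", "\\temp\\", "\\datos de programa\\", "\\application data\\",
)


def parse_log(text: str) -> Dict[str, List[str]]:
    """Collect indicator candidates from a ComboFix log, section by section."""
    findings: Dict[str, List[str]] = {
        "proxy": [], "trusted_zone": [], "found_dirs": [], "fw_apps": [],
    }
    section = None  # lower-cased bracketed registry key currently being listed
    for raw in text.splitlines():
        line = raw.strip()
        if line == ".":                      # ComboFix separates blocks with a lone dot
            section = None
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line.lower()
            continue
        if section and "authorizedapplications" in section:
            m = FW_APP_RE.match(line)
            if m:
                # registry-export style doubles backslashes; normalise them
                findings["fw_apps"].append(m.group(1).replace("\\\\", "\\"))
            continue
        if (m := PROXY_RE.match(line)):
            findings["proxy"].append(m.group(1))
        elif (m := TRUSTED_RE.match(line)):
            findings["trusted_zone"].append(m.group(1))
        elif (m := FOUND_RE.search(line)):
            findings["found_dirs"].append(m.group(1))
    return findings


def triage(findings: Dict[str, List[str]]) -> List[str]:
    """Turn raw findings into review notes; one note per item worth a look."""
    notes: List[str] = []
    for proxy in findings["proxy"]:
        host = proxy.rsplit(":", 1)[0].lower()
        if host in ("localhost", "127.0.0.1", "::1"):
            notes.append(f"browser proxy points at the local machine ({proxy}); "
                         "identify which process listens on that port before clearing it")
    for zone in findings["trusted_zone"]:
        notes.append(f"site in IE Trusted Zone (runs with lowered security): {zone}")
    for folder in findings["found_dirs"]:
        notes.append(f"chkdsk recovery folder present, review or remove: {folder}")
    for path in findings["fw_apps"]:
        if any(marker in path.lower() for marker in USER_WRITABLE_MARKERS):
            notes.append(f"firewall exception for an executable in a user-writable path: {path}")
    return notes


if __name__ == "__main__":
    for note in triage(parse_log(SAMPLE_LOG)):
        print("-", note)
```

Run it against a full pasted log by replacing `SAMPLE_LOG` with the file contents; entries the script does not know about (drivers, services, Run keys) are left for manual review, which is the point of keeping the rules few and explicit.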
 
Just to be clear, what does the script do? I don't want to render utorrent useless, even though I haven't used it in a long while. Same for mIRC.
 
The script removes them. If you don't want them removed although I consider them to be a danger to the computer, remove those references from the code.

As I said, I will not consider this system clean with the entries I mentioned.
 