TechSpot

Show hidden files messed up after virus rampage

By Chaos999
Aug 13, 2011
  1. Hello

    I have turned to this forum several times to solve some minor problems or find some info about a topic, but now I come asking for help.

    I had the bad luck to put my flash memory into a computer that was infected with something. I didn't notice until I got home and plugged the USB into my own PC. Then I realized that my folders on the USB "disappeared" and became shortcuts, a problem I have seen before on other people's flash drives.

    I quickly ran a scan on the flash drive with Kaspersky Internet Security 2009 (databases up to date) and it found an infection, Trojan.win32.inject.bgsv, and deleted it right away. Then I simply formatted my flash drive.

    Sadly that wasn't all I would see from that nasty virus.

    Soon I realized some changes in my folder options. I couldn't see the hidden stuff anymore. Going to the options and checking the "show all" option was of no use because it just kept going back to the "no hidden" option by itself.

    I suspected the virus had taken over my PC while I wasn't watching (curse you, Kaspersky), so I ran the Dr. Web CureIt! software, which I trust more for removal, in full protection mode, then waited for 6 hours until it was finished (damn), but it didn't find anything suspicious (kind of a letdown).

    I googled it a bit and found that some people fixed that problem by changing a couple of entry values in the registry, and I gave it a shot, but when I tried it I noticed that there was nothing to fix (all values were as they were supposed to be) and I couldn't find anything else that refers to my problem, so I came here.

    I have run HijackThis and I'm attaching the log to this thread. I hope you can help.

    Thanks in advance, and sorry for any spelling errors; English is not my native language.

    Also, all my folder options used to be in Spanish, but since the problem started they are actually shown in English, which is odd.

    I have this info on my PC in case it is of any use:

    OS: Windows XP Professional v. 2002 Service Pack 3 (fully updated)
    AV: Kaspersky Internet Security 2009 (fully updated)
     


  2. Broni

    Broni Malware Annihilator Posts: 52,898   +344

    Welcome aboard

    Please complete all steps listed here: http://www.techspot.com/vb/topic58138.html
    Make sure you PASTE all logs. If a log exceeds the 50,000-character post limit, split it between a couple of replies.
    Attached logs won't be reviewed.

    Please observe the following rules:
    • Read all of my instructions very carefully. Your mistakes during the cleaning process may have very serious consequences, like an unbootable computer.
    • If you're stuck, or you're not sure about a certain step, always ask before doing anything else.
    • Please refrain from running tools or applying updates other than those I suggest.
    • Never run more than one scan at a time.
    • Keep updating me regarding your computer behavior, good, or bad.
    • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
    • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in the malware removal forum.
    • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.
     
  3. Chaos999

    Chaos999 TS Rookie Topic Starter Posts: 19

    Hi, thanks for your fast response. I have read your instructions, and those of the thread you gave me, and followed them. Here is the MBAM report log. As a side note, the first time I ran the quick scan, at some point I got a Windows message saying that MBAM had found an error and had to close, but it went just fine the second time. I don't know if it means something or was just random.

    Malwarebytes' Anti-Malware 1.51.1.1800
    www.malwarebytes.org

    Versión de la Base de Datos: 7457

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 6.0.2900.5512

    13/08/2011 02:25:23 p.m.
    mbam-log-2011-08-13 (14-25-23).txt

    Tipos de Análisis: Análisis Rápido
    Objetos examinados: 180067
    Tiempo transcurrido: 7 minuto(s), 51 segundo(s)

    Procesos en Memoria Infectados: 0
    Módulos de Memoria Infectados: 0
    Claves del Registro Infectadas: 0
    Valores del Registro Infectados: 0
    Elementos de Datos del Registro Infectados: 0
    Carpetas Infectadas: 0
    Archivos Infectados: 0

    Procesos en Memoria Infectados:
    (No se han detectado elementos maliciosos)

    Módulos de Memoria Infectados:
    (No se han detectado elementos maliciosos)

    Claves del Registro Infectadas:
    (No se han detectado elementos maliciosos)

    Valores del Registro Infectados:
    (No se han detectado elementos maliciosos)

    Elementos de Datos del Registro Infectados:
    (No se han detectado elementos maliciosos)

    Carpetas Infectadas:
    (No se han detectado elementos maliciosos)

    Archivos Infectados:
    (No se han detectado elementos maliciosos)

    Will update this post shortly after step 3 (gotta go offline for it)

    [EDIT] adding gmer log report

    GMER 1.0.15.15641 - http://www.gmer.net
    Rootkit quick scan 2011-08-13 14:40:12
    Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 ST340014A rev.8.10
    Running: vuu6pe9g.exe; Driver: C:\DOCUME~1\LORDOF~1\CONFIG~1\Temp\uxldapob.sys


    ---- System - GMER 1.0.15 ----

    SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwEnumerateKey [0xEDC9D0A8]
    SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwEnumerateValueKey [0xEDC9D110]

    Code \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) FsRtlCheckLockForReadAccess
    Code \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) IoIsOperationSynchronous

    ---- Devices - GMER 1.0.15 ----

    Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 [F7324B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
    Device \Driver\atapi \Device\Ide\IdePort0 [F7324B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
    Device \Driver\atapi \Device\Ide\IdePort1 [F7324B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
    Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e [F7324B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
    Device \Driver\aamb7t56 \Device\Scsi\aamb7t561 865721E8
    Device \FileSystem\Ntfs \Ntfs 867D61E8
    Device \FileSystem\Fastfat \Fat 86039430

    AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
    AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
    AttachedDevice \Driver\Tcpip \Device\Ip kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
    AttachedDevice \Driver\Tcpip \Device\Tcp kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
    AttachedDevice \Driver\Tcpip \Device\Udp kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
    AttachedDevice \Driver\Tcpip \Device\RawIp kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)

    ---- EOF - GMER 1.0.15 ----

    [EDIT] adding DDS report log

    DDS.txt

    .
    DDS (Ver_2011-06-23.01) - NTFSx86
    Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_26
    Run by Lord of Chaos at 14:47:35 on 2011-08-13
    Microsoft Windows XP Professional 5.1.2600.3.1252.34.3082.18.991.417 [GMT -5:00]
    .
    AV: Kaspersky Internet Security *Disabled/Updated* {2C4D4BC6-0793-4956-A9F9-E252435469C0}
    FW: Kaspersky Internet Security *Disabled*
    .
    ============== Running Processes ===============
    .
    C:\windows\system32\svchost -k DcomLaunch
    svchost.exe
    C:\windows\System32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\windows\system32\spoolsv.exe
    C:\windows\Explorer.EXE
    C:\WINDOWS\system32\inetsrv\inetinfo.exe
    C:\Archivos de programa\Java\jre6\bin\jqs.exe
    C:\Archivos de programa\Archivos comunes\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\windows\system32\ICO.EXE
    C:\windows\system32\FSRremoS.EXE
    C:\Archivos de programa\DivX\DivX Update\DivXUpdate.exe
    C:\Archivos de programa\Archivos comunes\Java\Java Update\jusched.exe
    C:\windows\system32\ctfmon.exe
    C:\Archivos de programa\DAEMON Tools Lite\DTLite.exe
    C:\windows\system32\Pelmiced.exe
    C:\windows\system32\tcpsvcs.exe
    C:\windows\System32\snmp.exe
    C:\Archivos de programa\TuneUp Utilities 2011\TuneUpUtilitiesService32.exe
    C:\WINDOWS\system32\mqsvc.exe
    C:\WINDOWS\system32\mqtgsvc.exe
    C:\Archivos de programa\TuneUp Utilities 2011\TuneUpUtilitiesApp32.exe
    C:\Archivos de programa\Mozilla Firefox\firefox.exe
    C:\Archivos de programa\Mozilla Firefox\plugin-container.exe
    C:\windows\system32\wscntfy.exe
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = hxxp://search.conduit.com?SearchSource=10&ctid=CT2431232
    uURLSearchHooks: softonic.com4 Toolbar: {0974848a-b5bc-49f2-9778-307742b4a55d} - c:\archivos de programa\softonic.com4\tbsoft.dll
    BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\archivos de programa\adobe\acrobat 7.0\activex\AcroIEHelper.dll
    BHO: softonic.com4 Toolbar: {0974848a-b5bc-49f2-9778-307742b4a55d} - c:\archivos de programa\softonic.com4\tbsoft.dll
    BHO: Winamp Toolbar Loader: {25cee8ec-5730-41bc-8b58-22ddc8ab8c20} - c:\archivos de programa\winamp toolbar\winamptb.dll
    BHO: Conduit Engine: {30f9b915-b755-4826-820b-08fba6bd249d} - c:\archivos de programa\conduitengine\ConduitEngine.dll
    BHO: DivX Plus Web Player HTML5 <video>: {326e768d-4182-46fd-9c16-1449a49795f4} - c:\archivos de programa\divx\divx plus web player\npdivx32.dll
    BHO: BitComet Helper: {39f7e362-828a-4b5a-bcaf-5b79bfdfea60} - c:\archivos de programa\bitcomet\tools\BitCometBHO_1.5.4.11.dll
    BHO: IEVkbdBHO Class: {59273ab4-e7d3-40f9-a1a8-6fa9cca1862c} - c:\archivos de programa\kaspersky lab\kaspersky internet security 2009\ievkbd.dll
    BHO: DivX HiQ: {593ddec6-7468-4cdd-90e1-42dadaa222e9} - c:\archivos de programa\divx\divx plus web player\npdivx32.dll
    BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\archivos de programa\archivos comunes\microsoft shared\windows live\WindowsLiveLogin.dll
    BHO: Catcher Class: {adecbed6-0366-4377-a739-e69dfba04663} - c:\archivos de programa\moyea\flv downloader\MoyeaCth.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\archivos de programa\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\archivos de programa\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    TB: Barra de Herramientas MSN: {bdad1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\archivos de programa\msn toolbar\01.01.1601.0\msgr.es.es-mx\msntb.dll
    TB: DAEMON Tools Toolbar: {32099aac-c132-4136-9e9a-4e364a424e17} - c:\archivos de programa\daemon tools toolbar\DTToolbar.dll
    TB: Winamp Toolbar: {ebf2ba02-9094-4c5a-858b-bb198f3d8de2} - c:\archivos de programa\winamp toolbar\winamptb.dll
    TB: softonic.com4 Toolbar: {0974848a-b5bc-49f2-9778-307742b4a55d} - c:\archivos de programa\softonic.com4\tbsoft.dll
    TB: Conduit Engine: {30f9b915-b755-4826-820b-08fba6bd249d} - c:\archivos de programa\conduitengine\ConduitEngine.dll
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    uRun: [DAEMON Tools Lite] "c:\archivos de programa\daemon tools lite\DTLite.exe" -autorun
    uRunOnce: [<NO NAME>] c:\archivos de programa\mozilla firefox\firefox.exe http://www.symantec.com/techsupp/se...0000015.00000022&c=00000082.00000049.000000b9
    mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
    mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
    mRun: [MsmqIntCert] regsvr32 /s mqrt.dll
    mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
    mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
    mRun: [Mouse Suite 98 Daemon] ICO.EXE
    mRun: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
    mRun: [AVP] "c:\archivos de programa\kaspersky lab\kaspersky internet security 2009\avp.exe"
    mRun: [Malwarebytes Anti-Malware (reboot)] "c:\archivos de programa\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
    mRun: [LogMeIn Hamachi Ui] "c:\archivos de programa\logmein hamachi\hamachi-2-ui.exe" --auto-start
    mRun: [DivXUpdate] "c:\archivos de programa\divx\divx update\DivXUpdate.exe" /CHECKNOW
    mRun: [SunJavaUpdateSched] "c:\archivos de programa\archivos comunes\java\java update\jusched.exe"
    mRunOnce: [Malwarebytes' Anti-Malware] c:\archivos de programa\malwarebytes' anti-malware\mbamgui.exe /install /silent
    dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
    dRunOnce: [<NO NAME>]
    StartupFolder: c:\docume~1\alluse~1\menini~1\progra~1\inicio\adobeg~1.lnk - c:\archivos de programa\archivos comunes\adobe\calibration\Adobe Gamma Loader.exe
    uPolicies-explorer: DisallowRun = 0 (0x0)
    mPolicies-explorer: DisallowRun = 0 (0x0)
    IE: &D&escargar &con BitComet - c:\archivos de programa\bitcomet\BitComet.exe/AddLink.htm
    IE: &D&escargar todo con BitComet - c:\archivos de programa\bitcomet\BitComet.exe/AddAllLink.htm
    IE: &Winamp Search - c:\documents and settings\all users\datos de programa\winamp toolbar\ietoolbar\resources\en-us\local\search.html
    IE: Add to Banner Ad Blocker - c:\archivos de programa\kaspersky lab\kaspersky internet security 2009\ie_banner_deny.htm
    IE: E&xportar a Microsoft Excel - c:\archiv~1\micros~2\office10\EXCEL.EXE/3000
    IE: {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://c:\archivos de programa\bitcomet\tools\BitCometBHO_1.5.4.11.dll/206
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\archivos de programa\messenger\msmsgs.exe
    IE: {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - {85E0B171-04FA-11D1-B7DA-00A0C90348D6} - c:\archivos de programa\kaspersky lab\kaspersky internet security 2009\SCIEPlgn.dll
    IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\archivos de programa\windows live\writer\WriterBrowserExtension.dll
    DPF: {5D6F45B3-9043-443D-A792-115447494D24} - hxxp://messenger.zone.msn.com/ES-MX/a-UNO1/GAME_UNO1.cab
    DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - hxxp://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
    DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
    DPF: {CAFEEFAC-0014-0001-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/1.4.1/jinstall-141-win.cab
    DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
    DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} - hxxp://www.adobe.com/products/acrobat/nos/gp.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxps://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
    DPF: {DAF7E6E6-D53A-439A-B28D-12271406B8A9} - hxxp://mobileapps.blackberry.com/devicesoftware/AxLoader.cab
    DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} - hxxp://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
    Notify: igfxcui - igfxsrvc.dll
    Notify: klogon - c:\windows\system32\klogon.dll
    Notify: LogCrypt - LogCrypt.dll
    AppInit_DLLs: c:\archiv~1\kasper~1\kasper~1\mzvkbd3.dll,c:\archiv~1\kasper~1\kasper~1\adialhk.dll,c:\archiv~1\kasper~1\kasper~1\kloehk.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,
    IFEO: hamachi-2-ui.exe - "c:\archivos de programa\tuneup utilities 2011\TUAutoReactivator32.exe"
    IFEO: softwareupdate.exe - "c:\archivos de programa\tuneup utilities 2011\TUAutoReactivator32.exe"
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath - c:\documents and settings\lord of chaos\datos de programa\mozilla\firefox\profiles\6i6unky1.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2431232&SearchSource=3&q={searchTerms}
    FF - prefs.js: browser.search.selectedEngine - softonic.com4 Customized Web Search
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.com.mx/ig
    FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2685&invocationType=tb50ffwinampab&query=
    FF - component: c:\archivos de programa\daemon tools toolbar\firefoxdtt\components\DTToolbarFF.dll
    FF - component: c:\archivos de programa\dap\dapfirefox\components\DAPFireFox.dll
    FF - component: c:\documents and settings\lord of chaos\datos de programa\mozilla\firefox\profiles\6i6unky1.default\extensions\{0b38152b-1b20-484d-a11f-5e04a9b0661f}\components\WinampTBPlayer.dll
    FF - component: c:\documents and settings\lord of chaos\datos de programa\mozilla\firefox\profiles\6i6unky1.default\extensions\{b042753d-f57e-4e8e-a01b-7379a6d4cefb}\components\IBitCometExtension.dll
    FF - component: c:\documents and settings\lord of chaos\datos de programa\mozilla\firefox\profiles\6i6unky1.default\extensions\speedtest@gotomyhelp.com\components\NetDiag.dll
    FF - plugin: c:\archivos de programa\archivos comunes\research in motion\bbwebsllauncher\NPWebSLLauncher.dll
    FF - plugin: c:\archivos de programa\divx\divx ovs helper\npovshelper.dll
    FF - plugin: c:\archivos de programa\divx\divx plus web player\npdivx32.dll
    FF - plugin: c:\archivos de programa\java\jre6\bin\new_plugin\npdeployJava1.dll
    FF - plugin: c:\archivos de programa\microsoft\office live\npOLW.dll
    FF - plugin: c:\archivos de programa\mozilla firefox\plugins\npdeployJava1.dll
    FF - plugin: c:\archivos de programa\mpcstar\codecs\quicktime\plugins\npqtplugin.dll
    FF - plugin: c:\archivos de programa\mpcstar\codecs\quicktime\plugins\npqtplugin2.dll
    FF - plugin: c:\archivos de programa\mpcstar\codecs\quicktime\plugins\npqtplugin3.dll
    FF - plugin: c:\archivos de programa\mpcstar\codecs\quicktime\plugins\npqtplugin4.dll
    FF - plugin: c:\archivos de programa\mpcstar\codecs\quicktime\plugins\npqtplugin5.dll
    FF - plugin: c:\archivos de programa\mpcstar\codecs\quicktime\plugins\npqtplugin6.dll
    FF - plugin: c:\archivos de programa\mpcstar\codecs\real\browser\plugins\nppl3260.dll
    FF - plugin: c:\archivos de programa\mpcstar\codecs\real\browser\plugins\nprpjplug.dll
    .
    ---- FIREFOX POLICIES ----
    FF - user.js: network.http.max-persistent-connections-per-server - 4
    FF - user.js: nglayout.initialpaint.delay - 600
    FF - user.js: content.notify.interval - 600000
    FF - user.js: content.max.tokenizing.time - 1800000
    FF - user.js: content.switch.threshold - 600000
    .
    ============= SERVICES / DRIVERS ===============
    .
    R0 kl1;Kl1;c:\windows\system32\drivers\kl1.sys [2008-7-21 121872]
    R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [2008-1-29 33808]
    R1 KLIF;Kaspersky Lab Driver;c:\windows\system32\drivers\klif.sys [2009-7-19 226832]
    R2 AVP;Kaspersky Internet Security;c:\archivos de programa\kaspersky lab\kaspersky internet security 2009\avp.exe [2008-11-11 208616]
    R2 TuneUp.UtilitiesSvc;TuneUp Utilities Service;c:\archivos de programa\tuneup utilities 2011\TuneUpUtilitiesService32.exe [2010-10-27 1483072]
    R3 KLFLTDEV;Kaspersky Lab KLFltDev;c:\windows\system32\drivers\klfltdev.sys [2008-3-13 26640]
    R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [2008-4-30 24592]
    R3 TuneUpUtilitiesDrv;TuneUpUtilitiesDrv;c:\archivos de programa\tuneup utilities 2011\TuneUpUtilitiesDriver32.sys [2010-10-7 10064]
    S1 smtpdrv;smtpdrv;c:\windows\system32\drivers\smtpdrv.sys --> c:\windows\system32\drivers\smtpdrv.sys [?]
    S2 NetCM;Network Connection Manager;c:\archivos de programa\common files\microsoft shared\speech\svchost.exe --> c:\archivos de programa\common files\microsoft shared\speech\svchost.exe [?]
    S3 GGSAFERDriver;GGSAFER Driver;\??\c:\archivos de programa\garena\safedrv.sys --> c:\archivos de programa\garena\safedrv.sys [?]
    S4 Hamachi2Svc;LogMeIn Hamachi 2.0 Tunneling Engine;c:\archivos de programa\logmein hamachi\hamachi-2.exe [2011-3-28 1242504]
    .
    =============== Created Last 30 ================
    .
    2011-08-13 19:07:05 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-08-13 19:07:01 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-08-13 03:33:15 388096 ----a-r- c:\documents and settings\lord of chaos\datos de programa\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
    2011-08-10 13:37:27 139656 -c----w- c:\windows\system32\dllcache\rdpwd.sys
    2011-08-10 13:36:32 10496 -c----w- c:\windows\system32\dllcache\ndistapi.sys
    .
    ==================== Find3M ====================
    .
    2011-07-15 13:29:31 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
    2011-07-08 14:02:00 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys
    2011-06-24 14:10:39 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys
    2011-06-21 18:19:04 669696 ----a-w- c:\windows\system32\wininet.dll
    2011-06-21 18:19:04 61952 ----a-w- c:\windows\system32\tdc.ocx
    2011-06-21 18:19:03 81920 ----a-w- c:\windows\system32\ieencode.dll
    2011-06-21 18:16:11 371200 ----a-w- c:\windows\system32\html.iec
    2011-06-21 01:03:21 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2011-06-20 17:44:48 293888 ----a-w- c:\windows\system32\winsrv.dll
    2011-06-06 11:35:25 1859072 ----a-w- c:\windows\system32\win32k.sys
    .
    ============= FINISH: 14:48:57.21 ===============

    Attach.txt

    .
    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT
    .
    DDS (Ver_2011-06-23.01)
    .
    Microsoft Windows XP Professional
    Boot Device: \Device\HarddiskVolume1
    Install Date: 17/10/2006 10:50:05 p.m.
    System Uptime: 13/08/2011 10:20:53 a.m. (4 hours ago)
    .
    Motherboard: Intel | | D865GKD
    Processor: Intel(R) Pentium(R) 4 CPU 2.80GHz | WMT478/NWD | 2800/100mhz
    .
    ==== Disk Partitions =========================
    .
    A: is Removable
    C: is FIXED (NTFS) - 37 GiB total, 6.335 GiB free.
    D: is CDROM ()
    .
    ==== Disabled Device Manager Items =============
    .
    Class GUID:
    Description: Módem PCI
    Device ID: PCI\VEN_0086&DEV_1080&SUBSYS_10001028&REV_04\4&3A321F38&0&00F0
    Manufacturer:
    Name: Módem PCI
    PNP Device ID: PCI\VEN_0086&DEV_1080&SUBSYS_10001028&REV_04\4&3A321F38&0&00F0
    Service:
    .
    Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
    Description: Intel(R) PRO/100 VE Network Connection
    Device ID: PCI\VEN_8086&DEV_1050&SUBSYS_02C71014&REV_02\4&3A321F38&0&40F0
    Manufacturer: Intel
    Name: Intel(R) PRO/100 VE Network Connection
    PNP Device ID: PCI\VEN_8086&DEV_1050&SUBSYS_02C71014&REV_02\4&3A321F38&0&40F0
    Service: E100B
    .
    Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
    Description: Hamachi Network Interface
    Device ID: ROOT\NET\0000
    Manufacturer: LogMeIn, Inc.
    Name: Hamachi Network Interface
    PNP Device ID: ROOT\NET\0000
    Service: hamachi
    .
    ==== System Restore Points ===================
    .
    No restore point in system.
    .
    ==== Installed Programs ======================
    .
    Actualización de seguridad para Windows XP (KB2507938)
    Actualización de seguridad para Windows XP (KB2536276-v2)
    Actualización de seguridad para Windows XP (KB2555917)
    Actualización de seguridad para Windows XP (KB2559049)
    Actualización de seguridad para Windows XP (KB2562937)
    Actualización de seguridad para Windows XP (KB2566454)
    Actualización de seguridad para Windows XP (KB2567680)
    Actualización de seguridad para Windows XP (KB2570222)
    Adobe Flash Player 10 Plugin
    Adobe Photoshop CS
    Adobe Shockwave Player 11.5
    Apple Application Support
    Apple Software Update
    Astroburn Pro
    BitComet 1.27
    BlackBerry Device Software Updater
    Conduit Engine
    DAEMON Tools Lite
    DAEMON Tools Toolbar
    Defraggler
    Fraps
    Free Video to MP3 Converter version 4.2.19.324
    Garena 2010
    HiJackThis
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    Hotfix for Windows XP (KB954550-v5)
    IcoFX 1.6.4
    Instalación de DivX
    Java Auto Updater
    Junk Mail filter update
    Kaspersky Internet Security 2009
    LogMeIn Hamachi
    Magic Video Converter Trial Version (English) 8.0.2.18
    Malwarebytes' Anti-Malware versión 1.51.1.1800
    Metal Slug Series with Enabled MAME 0.78
    Metin2
    Microsoft .NET Framework 2.0 Service Pack 2
    Microsoft .NET Framework 3.0 Service Pack 2
    Microsoft .NET Framework 3.5 SP1
    Microsoft Choice Guard
    Microsoft Office XP Professional con FrontPage
    Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
    Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
    mIRC
    Mozilla Firefox 5.0 (x86 es-ES)
    MpcStar 5.1
    MSXML 4.0 SP2 (KB973688)
    OpenAL
    PBP Unpacker v0.94
    Populus
    QuickTime
    Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
    softonic.com4 Toolbar
    Songr
    Star Wars Galactic Battlegrounds: Saga
    TotalAudioConverter
    TuneUp Utilities 2011
    TuneUp Utilities Language Pack (en-US)
    Uninstall 1.0.0.1
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    VC80CRTRedist - 8.0.50727.4053
    Windows Live Call
    Windows Live Communications Platform
    Windows Live Essentials
    Windows Live Mail
    Windows Live Messenger
    Windows Live Sign-in Assistant
    Windows Live Writer
    WinDS PRO
    .
    ==== Event Viewer Messages From Past Week ========
    .
    13/08/2011 02:39:46 p.m., ERROR: atapi [9] - El dispositivo, \Device\Ide\IdePort0, no respondió en el tiempo de espera permitido.
    13/08/2011 02:38:30 p.m., ERROR: atapi [9] - El dispositivo, \Device\Ide\IdePort0, no respondió en el tiempo de espera permitido.
    13/08/2011 02:35:46 p.m., ERROR: atapi [9] - El dispositivo, \Device\Ide\IdePort0, no respondió en el tiempo de espera permitido.
    12/08/2011 09:47:08 p.m., ERROR: Service Control Manager [7011] - Intervalo de espera (30000 ms.) para la respuesta de transacción del servicio TuneUp.UtilitiesSvc.
    12/08/2011 09:46:10 p.m., ERROR: Service Control Manager [7023] - El servicio Servicio de restauración de sistema terminó con el error: El sistema no puede hallar el archivo especificado.
    12/08/2011 09:46:06 p.m., ERROR: SRService [104] - Error en el proceso de inicialización de Restaurar sistema.
    12/08/2011 09:02:35 p.m., ERROR: Service Control Manager [7011] - Intervalo de espera (30000 ms.) para la respuesta de transacción del servicio TuneUp.UtilitiesSvc.
    12/08/2011 09:01:59 p.m., ERROR: Service Control Manager [7023] - El servicio Servicio de restauración de sistema terminó con el error: El sistema no puede hallar el archivo especificado.
    12/08/2011 09:01:57 p.m., ERROR: SRService [104] - Error en el proceso de inicialización de Restaurar sistema.
    12/08/2011 02:34:40 p.m., ERROR: Service Control Manager [7023] - El servicio Servicio de restauración de sistema terminó con el error: El sistema no puede hallar el archivo especificado.
    12/08/2011 02:34:34 p.m., ERROR: SRService [104] - Error en el proceso de inicialización de Restaurar sistema.
    12/08/2011 02:34:12 p.m., ERROR: Dhcp [1002] - La concesión de la dirección IP 192.168.1.103 para la tarjeta de red con la dirección de red 0011254BFC35 ha sido denegada por el servidor DHCP 192.168.1.254 (el servidor DHCP envió un mensaje DHCPNACK).
    11/08/2011 10:22:04 a.m., ERROR: Service Control Manager [7011] - Intervalo de espera (30000 ms.) para la respuesta de transacción del servicio TuneUp.UtilitiesSvc.
    11/08/2011 06:35:37 p.m., ERROR: Service Control Manager [7023] - El servicio Servicio de restauración de sistema terminó con el error: El sistema no puede hallar el archivo especificado.
    11/08/2011 06:35:35 p.m., ERROR: SRService [104] - Error en el proceso de inicialización de Restaurar sistema.
    10/08/2011 05:10:03 p.m., ERROR: Service Control Manager [7011] - Intervalo de espera (30000 ms.) para la respuesta de transacción del servicio TuneUp.UtilitiesSvc.
    09/08/2011 04:44:38 p.m., ERROR: Service Control Manager [7011] - Intervalo de espera (30000 ms.) para la respuesta de transacción del servicio TuneUp.UtilitiesSvc.
    08/08/2011 05:48:59 p.m., ERROR: Service Control Manager [7011] - Intervalo de espera (30000 ms.) para la respuesta de transacción del servicio TuneUp.UtilitiesSvc.
    07/08/2011 11:35:17 a.m., ERROR: Dhcp [1002] - La concesión de la dirección IP 192.168.1.103 para la tarjeta de red con la dirección de red 0011254BFC35 ha sido denegada por el servidor DHCP 192.168.1.254 (el servidor DHCP envió un mensaje DHCPNACK).
    06/08/2011 11:06:24 a.m., ERROR: Service Control Manager [7011] - Intervalo de espera (30000 ms.) para la respuesta de transacción del servicio TuneUp.UtilitiesSvc.
    .
    ==== End Of File ===========================

    That's about it. If I missed something, please let me know (and sorry), but I think I did it right.
     
  4. Broni

    Broni Malware Annihilator Posts: 52,898   +344

    Let's see if we can recover your missing/hidden features.
    Download and run UnHide
    Let me know if it worked.
     
  5. Chaos999

    Chaos999 TS Rookie Topic Starter Posts: 19

    Hi. I downloaded and ran the tool. Hidden stuff isn't hidden anymore, but the options in the folder options are still messed up. However, I just noticed something: I made a new hidden folder for experimentation and I noticed I can see it even while hidden.

    Anyway, the option NOHIDDEN is still checked and keeps checking itself, and it is still in English.

    At this point I could consider myself satisfied since hidden folders are visible now, but if there was some way to completely fix this peculiarity, it would be great. It just bugs me knowing something is not quite right.

    Thanks again for all the time you dedicated to my problem.
     
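Posts 1 and 5 above describe two halves of the same footprint: the Folder Options radio button that snaps back to NOHIDDEN (and shows up in English), and USB folders turned into shortcuts. The PowerShell below is an added example, not code from this thread, from UnHide or from any other tool named here; it audits the registry values those radio buttons are built from and lists hidden+system folders with a look-alike shortcut beside them. It assumes stock, unmanaged defaults for those values, and the function names are mine.

```powershell
# Added example for this thread (not code from the thread, from UnHide, or from
# any tool named above). It reads only stock Windows locations; the "expected"
# values are the defaults of an unmanaged machine, which is an assumption here.
# Function names are the author's own. Runs on Windows PowerShell 2.0 or later.

$HiddenRadioKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden'
$UserAdvanced   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'

# Folder Options marks the radio button whose CheckedValue equals the user's
# current "Hidden" value (1 = show hidden files, 2 = do not show). If SHOWALL's
# CheckedValue is no longer the DWORD 1, the button snaps back to NOHIDDEN even
# though hidden folders are actually visible, which is what post 5 describes.
$ExpectedChecked = @{ SHOWALL = 1; NOHIDDEN = 2 }

function Test-HiddenRadioKeys {
    foreach ($name in @('SHOWALL', 'NOHIDDEN')) {
        $key = Join-Path $HiddenRadioKey $name
        if (-not (Test-Path $key)) { "[!] $name key is missing"; continue }
        $p  = Get-ItemProperty -Path $key
        $cv = $p.CheckedValue
        if ($null -eq $cv) {
            "[!] $name\CheckedValue is missing"
        } elseif ($cv -isnot [int] -or $cv -ne $ExpectedChecked[$name]) {
            "[!] $name\CheckedValue = '$cv' ($($cv.GetType().Name)); expected $($ExpectedChecked[$name]) as REG_DWORD"
        }
        # The label normally points at a localised shell32.dll string resource.
        # A literal string here is one way the dialog ends up in English on a
        # Spanish Windows (post 1), so flag it for a closer look.
        if ($null -eq $p.Text -or $p.Text -notlike '@shell32.dll,*') {
            "[!] $name\Text = '$($p.Text)' is missing or a literal string, not a shell32.dll resource"
        }
    }
    $u = Get-ItemProperty -Path $UserAdvanced
    "[i] HKCU Hidden = $($u.Hidden) (1 = show, 2 = hide), ShowSuperHidden = $($u.ShowSuperHidden)"
}

# The USB half of the story: real folders get the Hidden+System attributes and a
# same-named .lnk appears beside them. This lists those pairs; with -Fix it
# clears the two attributes (what "attrib -h -s /s /d" does) and leaves the .lnk
# files in place so a person decides what to delete.
function Find-HiddenFolderShortcuts {
    param([Parameter(Mandatory = $true)][string]$Root, [switch]$Fix)
    $flags = [int]([IO.FileAttributes]::Hidden -bor [IO.FileAttributes]::System)
    $dirs  = Get-ChildItem -Path $Root -Force | Where-Object { $_.PSIsContainer }
    foreach ($dir in $dirs) {
        if (([int]$dir.Attributes -band $flags) -ne $flags) { continue }
        $lnk  = Join-Path $Root ($dir.Name + '.lnk')
        $note = if (Test-Path -LiteralPath $lnk) { "shortcut '$lnk' sits beside it" } else { 'no matching shortcut' }
        "[!] hidden+system folder '$($dir.FullName)': $note"
        if ($Fix) {
            $dir.Attributes = [IO.FileAttributes]([int]$dir.Attributes -band (-bnot $flags))
            Get-ChildItem -LiteralPath $dir.FullName -Recurse -Force | ForEach-Object {
                $_.Attributes = [IO.FileAttributes]([int]$_.Attributes -band (-bnot $flags))
            }
        }
    }
}

Test-HiddenRadioKeys
# Find-HiddenFolderShortcuts -Root 'E:\'        # report only (drive letter is an assumption)
# Find-HiddenFolderShortcuts -Root 'E:\' -Fix   # also restore the folders
```

Run it from an elevated prompt on the affected machine; the registry audit only reads, and nothing is changed unless -Fix is passed.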
  6. Broni

    Broni Malware Annihilator Posts: 52,898   +344

    Download TDSSKiller and save it to your desktop.
    • Double-click on TDSSKiller.exe to run the application, then on Start Scan.
    • If an infected file is detected, the default action will be Cure, click on Continue.
    • If a suspicious file is detected, the default action will be Skip, click on Continue.
    • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
    • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
    • If a reboot is required, the report can also be found in your root directory (usually C:\ folder) in the form of TDSSKiller_xxxx_log.txt. Please copy and paste the contents of that file here.
     
  7. Chaos999

    Chaos999 TS Rookie Topic Starter Posts: 19

    Here is what you asked for. No reboot required.

    2011/08/13 18:49:02.0781 2680 TDSS rootkit removing tool 2.5.15.0 Aug 11 2011 16:32:13
    2011/08/13 18:49:04.0421 2680 ================================================================================
    2011/08/13 18:49:04.0421 2680 SystemInfo:
    2011/08/13 18:49:04.0421 2680
    2011/08/13 18:49:04.0421 2680 OS Version: 5.1.2600 ServicePack: 3.0
    2011/08/13 18:49:04.0421 2680 Product type: Workstation
    2011/08/13 18:49:04.0421 2680 ComputerName: PCCHAOS
    2011/08/13 18:49:04.0421 2680 UserName: Lord of Chaos
    2011/08/13 18:49:04.0421 2680 Windows directory: C:\windows
    2011/08/13 18:49:04.0421 2680 System windows directory: C:\windows
    2011/08/13 18:49:04.0421 2680 Processor architecture: Intel x86
    2011/08/13 18:49:04.0421 2680 Number of processors: 2
    2011/08/13 18:49:04.0421 2680 Page size: 0x1000
    2011/08/13 18:49:04.0421 2680 Boot type: Normal boot
    2011/08/13 18:49:04.0421 2680 ================================================================================
    2011/08/13 18:49:05.0890 2680 Initialize success
    2011/08/13 18:49:13.0843 0296 ================================================================================
    2011/08/13 18:49:13.0843 0296 Scan started
    2011/08/13 18:49:13.0843 0296 Mode: Manual;
    2011/08/13 18:49:13.0843 0296 ================================================================================
    2011/08/13 18:49:33.0843 0296 Suspicious file (NoAccess): C:\windows\System32\Drivers\sptd.sys. md5: 614deea4bdcec3fd5a07bdc705723ad7
    2011/08/13 18:49:33.0859 0296 sptd - detected LockedFile.Multi.Generic (1)
    2011/08/13 18:49:37.0750 0296 ================================================================================
    2011/08/13 18:49:37.0750 0296 Scan finished
    2011/08/13 18:49:37.0750 0296 ================================================================================
    2011/08/13 18:49:37.0765 1136 Detected object count: 1
    2011/08/13 18:49:37.0765 1136 Actual detected object count: 1
    2011/08/13 18:50:41.0718 1136 LockedFile.Multi.Generic(sptd) - User select action: Skip
    2011/08/13 18:50:58.0500 2932 ================================================================================
    2011/08/13 18:50:58.0500 2932 Scan started
    2011/08/13 18:50:58.0500 2932 Mode: Manual;
    2011/08/13 18:50:58.0500 2932 ================================================================================
    2011/08/13 18:51:13.0171 2932 sptd (614deea4bdcec3fd5a07bdc705723ad7) C:\windows\System32\Drivers\sptd.sys
    2011/08/13 18:51:13.0171 2932 Suspicious file (NoAccess): C:\windows\System32\Drivers\sptd.sys. md5: 614deea4bdcec3fd5a07bdc705723ad7
    2011/08/13 18:51:13.0187 2932 sptd - detected LockedFile.Multi.Generic (1)
    2011/08/13 18:51:13.0296 2932 sr (ccb3065c3ee63a4515fe84af9e78d1dd) C:\windows\system32\DRIVERS\sr.sys
    2011/08/13 18:51:13.0437 2932 Srv (47ddfc2f003f7f9f0592c6874962a2e7) C:\windows\system32\DRIVERS\srv.sys
    2011/08/13 18:51:13.0562 2932 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\windows\system32\DRIVERS\swenum.sys
    2011/08/13 18:51:13.0671 2932 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\windows\system32\drivers\swmidi.sys
    2011/08/13 18:51:13.0890 2932 symlcbrd (6596892dd5abbe48f5876a551867a166) C:\WINDOWS\system32\drivers\symlcbrd.sys
    2011/08/13 18:51:14.0109 2932 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\windows\system32\drivers\sysaudio.sys
    2011/08/13 18:51:14.0250 2932 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\windows\system32\DRIVERS\tcpip.sys
    2011/08/13 18:51:14.0359 2932 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\windows\system32\drivers\TDPIPE.sys
    2011/08/13 18:51:14.0468 2932 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\windows\system32\drivers\TDTCP.sys
    2011/08/13 18:51:14.0578 2932 TermDD (88155247177638048422893737429d9e) C:\windows\system32\DRIVERS\termdd.sys
    2011/08/13 18:51:14.0796 2932 TuneUpUtilitiesDrv (f2107c9d85ec0df116939ccce06ae697) C:\Archivos de programa\TuneUp Utilities 2011\TuneUpUtilitiesDriver32.sys
    2011/08/13 18:51:14.0906 2932 tunmp (8f861eda21c05857eb8197300a92501c) C:\windows\system32\DRIVERS\tunmp.sys
    2011/08/13 18:51:15.0000 2932 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\windows\system32\drivers\Udfs.sys
    2011/08/13 18:51:15.0156 2932 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\windows\system32\DRIVERS\update.sys
    2011/08/13 18:51:15.0281 2932 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\windows\system32\DRIVERS\usbehci.sys
    2011/08/13 18:51:15.0375 2932 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\windows\system32\DRIVERS\usbhub.sys
    2011/08/13 18:51:15.0468 2932 usbprint (a717c8721046828520c9edf31288fc00) C:\windows\system32\DRIVERS\usbprint.sys
    2011/08/13 18:51:15.0578 2932 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\windows\system32\DRIVERS\USBSTOR.SYS
    2011/08/13 18:51:15.0671 2932 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\windows\system32\DRIVERS\usbuhci.sys
    2011/08/13 18:51:15.0796 2932 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\windows\System32\drivers\vga.sys
    2011/08/13 18:51:15.0953 2932 VolSnap (c41ffdc191e6c832e2e53c967eae0a16) C:\windows\system32\drivers\VolSnap.sys
    2011/08/13 18:51:16.0093 2932 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\windows\system32\DRIVERS\wanarp.sys
    2011/08/13 18:51:16.0234 2932 wdmaud (6768acf64b18196494413695f0c3a00f) C:\windows\system32\drivers\wdmaud.sys
    2011/08/13 18:51:16.0437 2932 WS2IFSL (6abe6e225adb5a751622a9cc3bc19ce8) C:\windows\System32\drivers\ws2ifsl.sys
    2011/08/13 18:51:16.0546 2932 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\windows\system32\DRIVERS\WudfPf.sys
    2011/08/13 18:51:16.0687 2932 {6080A529-897E-4629-A488-ABA0C29B635E} (5ff57eedf48f189859d6e9bf81e297c5) C:\windows\system32\drivers\ialmsbw.sys
    2011/08/13 18:51:16.0796 2932 {D31A0762-0CEB-444e-ACFF-B049A1F6FE91} (c2eb14d84069443437f1b3b856bcb665) C:\windows\system32\drivers\ialmkchw.sys
    2011/08/13 18:51:16.0843 2932 MBR (0x1B8) (792f61657fece3d17a9122b4ee282847) \Device\Harddisk0\DR0
    2011/08/13 18:51:16.0968 2932 Boot (0x1200) (f50488eb12186df63203fd52768c3b6f) \Device\Harddisk0\DR0\Partition0
    2011/08/13 18:51:16.0984 2932 ================================================================================
    2011/08/13 18:51:16.0984 2932 Scan finished
    2011/08/13 18:51:16.0984 2932 ================================================================================
    2011/08/13 18:51:17.0000 1284 Detected object count: 1
    2011/08/13 18:51:17.0000 1284 Actual detected object count: 1
    2011/08/13 18:51:20.0812 1284 LockedFile.Multi.Generic(sptd) - User select action: Skip
     
  8. Broni

    Broni Malware Annihilator Posts: 52,898   +344

    Download aswMBR to your desktop.
    Double click the aswMBR.exe to run it.
    Click the "Scan" button to start the scan:

    On completion of the scan click "Save log", save it to your desktop and post it in your next reply:

    NOTE. aswMBR will create MBR.dat file on your desktop. This is a copy of your MBR. Do NOT delete it.

    ===============================================================

    Please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    1. Please, never rename Combofix unless instructed.
    2. Close any open browsers.
    3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
      • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      NOTE1. If Combofix asks you to install Recovery Console, please allow it.
      NOTE 2. If Combofix asks you to update the program, always do so.
      • Close any open browsers.
      • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
      • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    4. Double click on combofix.exe & follow the prompts.
    5. When finished, it will produce a report for you.
    6. Please post the "C:\ComboFix.txt"
    **Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall
    **Note 2 for AVG users: ComboFix will not run until AVG is uninstalled as a protective measure against the anti-virus. This is because AVG "falsely" detects ComboFix (or its embedded files) as a threat and may remove them, resulting in the tool not working correctly, which in turn can cause "unpredictable results". Since AVG cannot be effectively disabled before running ComboFix, the author recommends that you uninstall AVG first.
    Use AppRemover to uninstall it: http://www.appremover.com/
    We can reinstall it when we're done with CF.
    **Note 3: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart the computer to fix the issue.



    Make sure, you re-enable your security programs, when you're done with Combofix.

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    NOTE.
    If, for some reason, Combofix refuses to run, try one of the following:

    1. Run Combofix from Safe Mode.

    2. Delete the Combofix file, download a fresh one, but rename combofix.exe to yourname.exe BEFORE saving it to your desktop.
    Do NOT run it yet.

    Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.

    There are 4 different versions. If one of them won't run then download and try to run the other one.

    Vista and Win7 users need to right click Rkill and choose Run as Administrator

    You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.

    Rkill.com
    Rkill.scr
    Rkill.exe

    • Double-click on the Rkill desktop icon to run the tool.
    • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
    • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
    • If not, delete the file, then download and use the one provided in Link 2.
    • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
    • Do not reboot until instructed.
    • If the tool does not run from any of the links provided, please let me know.

    Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

    If normal mode still doesn't work, run BOTH tools from safe mode.

    In case #2, please post BOTH logs, rKill and Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
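The aswMBR step above leaves a copy of the MBR on the desktop as MBR.dat, and the scan log posted earlier in this thread prints a hash for the boot-code prefix labelled "MBR (0x1B8)". What follows is an added example for this thread, not aswMBR's code, not the scan tool's code, and not anything the poster ran: it parses such an image offline, checks the 0x55AA signature, hashes the first 0x1B8 bytes (the assumption being that this is what the "MBR (0x1B8)" label measures), walks the partition table and reports oddities such as an invalid status byte, overlapping entries or a number of bootable entries other than one. The 512-byte image it builds is constructed, not the poster's MBR.dat; the 0xDEADBEEF disk signature and the partition geometry are made up, and all function names are the example's own.

```python
"""Parse and sanity-check a saved MBR image such as the MBR.dat that aswMBR
writes to the desktop: verify the 0x55AA signature, hash the boot-code prefix
the way the scan log above labels it ("MBR (0x1B8)"), walk the four partition
entries and report anything that looks off.  Added example for this thread,
not aswMBR's or any other tool's code; the 512-byte image is constructed."""
import hashlib
import struct

SECTOR = 512
BOOTCODE_LEN = 0x1B8      # assumption: "MBR (0x1B8)" hashes bytes 0..0x1B7, the code before the disk signature
DISK_SIG_OFF = 0x1B8      # 4-byte NT disk signature
PART_TABLE_OFF = 0x1BE    # four 16-byte entries, then 0x55AA at 0x1FE
PART_ENTRY = struct.Struct("<B3sB3sII")  # status, CHS start, type, CHS end, LBA start, sector count


def build_sample_mbr():
    """Constructed image: the opening bytes of the classic Microsoft MBR
    (xor ax,ax / mov ss,ax / mov sp,7C00h), zero filler, one bootable NTFS
    partition starting at LBA 63.  Not the poster's MBR.dat."""
    mbr = bytearray(SECTOR)
    mbr[0:7] = b"\x33\xC0\x8E\xD0\xBC\x00\x7C"
    struct.pack_into("<I", mbr, DISK_SIG_OFF, 0xDEADBEEF)  # made-up disk signature
    PART_ENTRY.pack_into(mbr, PART_TABLE_OFF, 0x80, b"\x01\x01\x00", 0x07, b"\xFE\xFF\xFF", 63, 78140097)
    mbr[0x1FE:0x200] = b"\x55\xAA"
    return bytes(mbr)


def parse_mbr(data):
    """Return signature state, boot-code hash, disk signature and the used partition entries."""
    if len(data) < SECTOR:
        raise ValueError("need at least one 512-byte sector")
    parts = []
    for i in range(4):
        status, _, ptype, _, start, count = PART_ENTRY.unpack_from(data, PART_TABLE_OFF + 16 * i)
        if ptype == 0 and count == 0:
            continue  # empty slot
        parts.append({"index": i, "status": status, "bootable": status == 0x80, "type": ptype,
                      "lba_start": start, "sectors": count, "lba_end": start + count})
    return {
        "signature_ok": data[0x1FE:0x200] == b"\x55\xAA",
        # MD5 only because that is what the scan log prints; this is an identity check, not a security one
        "bootcode_md5": hashlib.md5(data[:BOOTCODE_LEN]).hexdigest(),
        "disk_signature": struct.unpack_from("<I", data, DISK_SIG_OFF)[0],
        "partitions": parts,
    }


def audit_mbr(info, known_bootcode_md5=frozenset()):
    """Human-readable findings; an empty list means nothing looked off.
    known_bootcode_md5: hashes you trust, e.g. the value a clean scan printed."""
    findings = []
    if not info["signature_ok"]:
        findings.append("missing 0x55AA boot signature")
    if known_bootcode_md5 and info["bootcode_md5"] not in known_bootcode_md5:
        findings.append(f"boot code md5 {info['bootcode_md5']} is not in the known-good set")
    parts = info["partitions"]
    bootable = sum(p["bootable"] for p in parts)
    if bootable != 1:
        findings.append(f"{bootable} bootable partitions, expected exactly 1")
    for p in parts:
        if p["status"] not in (0x00, 0x80):
            findings.append(f"entry {p['index']}: invalid status byte 0x{p['status']:02X}")
        if p["type"] == 0 or p["sectors"] == 0:
            findings.append(f"entry {p['index']}: type 0x{p['type']:02X} with {p['sectors']} sectors")
    ordered = sorted(parts, key=lambda e: e["lba_start"])
    for a, b in zip(ordered, ordered[1:]):
        if b["lba_start"] < a["lba_end"]:
            findings.append(f"entries {a['index']} and {b['index']} overlap")
    return findings


if __name__ == "__main__":
    # With a real file: info = parse_mbr(open("MBR.dat", "rb").read())
    info = parse_mbr(build_sample_mbr())
    print(info)
    print(audit_mbr(info) or "no findings")
```

To check a real image, pass the contents of MBR.dat to parse_mbr and give audit_mbr the hash a clean scan reported. A hash mismatch on its own is not proof of a bootkit, since OEM boot code differs from the default Windows XP code, but it is the first thing to compare before trusting a log line that says the MBR code is the default.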
     
  9. Chaos999

    Chaos999 TS Rookie Topic Starter Posts: 19

    Hey there, I just finished what you asked; here are the results. As a side note, when I ran ComboFix it did ask me to install the Recovery Console. I clicked YES, but then an error message popped up saying that the partition couldn't be numbered correctly (or something like that) and the Recovery Console was not installed. ComboFix however continued the scan, and that's the log I posted.

    Anyway, I noticed changes. The folder options have returned to normal (most of them), including the show hidden files option; it's now in Spanish and it stays checked (or not) as I choose. There are still a couple of options in English, like the show friendly tree, but the options are now saving correctly.

    aswMBR

    aswMBR version 0.9.8.978 Copyright(c) 2011 AVAST Software
    Run date: 2011-08-13 19:25:13
    -----------------------------
    19:25:13.093 OS Version: Windows 5.1.2600 Service Pack 3
    19:25:13.093 Number of processors: 2 586 0x304
    19:25:13.093 ComputerName: PCCHAOS UserName:
    19:25:13.656 Initialize success
    19:25:19.453 AVAST engine defs: 11081301
    19:25:21.796 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
    19:25:21.796 Disk 0 Vendor: ST340014A 8.10 Size: 38162MB BusType: 3
    19:25:23.812 Disk 0 MBR read successfully
    19:25:23.812 Disk 0 MBR scan
    19:25:23.843 Disk 0 Windows XP default MBR code
    19:25:23.843 Disk 0 scanning sectors +78140160
    19:25:23.921 Disk 0 scanning C:\windows\system32\drivers
    19:25:41.890 Service scanning
    19:25:42.593 Service sptd C:\windows\System32\Drivers\sptd.sys **LOCKED** 32
    19:25:43.171 Modules scanning
    19:25:55.687 Disk 0 trace - called modules:
    19:25:55.718 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys sptd.sys pciide.sys PCIIDEX.SYS
    19:25:55.718 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x86723ab8]
    19:25:55.734 3 CLASSPNP.SYS[f7541fd7] -> nt!IofCallDriver -> \Device\00000073[0x86765258]
    19:25:55.734 5 ACPI.sys[f738f620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x86768d98]
    19:25:56.140 AVAST engine scan C:\windows
    19:26:02.218 AVAST engine scan C:\windows\system32
    19:28:30.187 AVAST engine scan C:\windows\system32\drivers
    19:28:52.406 AVAST engine scan C:\Documents and Settings\Lord of Chaos
    19:35:28.437 AVAST engine scan C:\Documents and Settings\All Users
    19:42:31.484 Scan finished successfully
    19:42:44.453 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Lord of Chaos\Escritorio\MBR.dat"
    19:42:44.468 The log file has been saved successfully to "C:\Documents and Settings\Lord of Chaos\Escritorio\aswMBR.txt"

    ComboFix

    ComboFix 11-08-14.01 - Lord of Chaos 13/08/2011 19:47:37.2.2 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.34.3082.18.991.397 [GMT -5:00]
    Running from: c:\documents and settings\Lord of Chaos\Escritorio\ComboFix.exe
    AV: Kaspersky Internet Security *Disabled/Updated* {2C4D4BC6-0793-4956-A9F9-E252435469C0}
    FW: Kaspersky Internet Security *Disabled* {2C4D4BC6-0793-4956-A9F9-E252435469C0}
    .
    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\documents and settings\Lord of Chaos\Datos de programa\PriceGong
    c:\documents and settings\Lord of Chaos\Datos de programa\PriceGong\Data\1.xml
    c:\documents and settings\Lord of Chaos\Datos de programa\PriceGong\Data\a.xml
    c:\documents and settings\Lord of Chaos\Datos de programa\PriceGong\Data\b.xml
    c:\documents and settings\Lord of Chaos\Datos de programa\PriceGong\Data\c.xml
    c:\documents and settings\Lord of Chaos\Datos de programa\PriceGong\Data\d.xml
    c:\documents and settings\Lord of Chaos\Datos de programa\PriceGong\Data\e.xml
    c:\documents and settings\Lord of Chaos\Datos de programa\PriceGong\Data\f.xml
    c:\documents and settings\Lord of Chaos\Datos de programa\PriceGong\Data\g.xml
    c:\documents and settings\Lord of Chaos\Datos de programa\PriceGong\Data\h.xml
    c:\documents and settings\Lord of Chaos\Datos de programa\PriceGong\Data\i.xml
    c:\documents and settings\Lord of Chaos\Datos de programa\PriceGong\Data\J.xml
    c:\documents and settings\Lord of Chaos\Datos de programa\PriceGong\Data\k.xml
    c:\documents and settings\Lord of Chaos\Datos de programa\PriceGong\Data\l.xml
    c:\documents and settings\Lord of Chaos\Datos de programa\PriceGong\Data\m.xml
    c:\documents and settings\Lord of Chaos\Datos de programa\PriceGong\Data\mru.xml
    c:\documents and settings\Lord of Chaos\Datos de programa\PriceGong\Data\n.xml
    c:\documents and settings\Lord of Chaos\Datos de programa\PriceGong\Data\o.xml
    c:\documents and settings\Lord of Chaos\Datos de programa\PriceGong\Data\p.xml
    c:\documents and settings\Lord of Chaos\Datos de programa\PriceGong\Data\q.xml
    c:\documents and settings\Lord of Chaos\Datos de programa\PriceGong\Data\r.xml
    c:\documents and settings\Lord of Chaos\Datos de programa\PriceGong\Data\s.xml
    c:\documents and settings\Lord of Chaos\Datos de programa\PriceGong\Data\t.xml
    c:\documents and settings\Lord of Chaos\Datos de programa\PriceGong\Data\u.xml
    c:\documents and settings\Lord of Chaos\Datos de programa\PriceGong\Data\v.xml
    c:\documents and settings\Lord of Chaos\Datos de programa\PriceGong\Data\w.xml
    c:\documents and settings\Lord of Chaos\Datos de programa\PriceGong\Data\x.xml
    c:\documents and settings\Lord of Chaos\Datos de programa\PriceGong\Data\y.xml
    c:\documents and settings\Lord of Chaos\Datos de programa\PriceGong\Data\z.xml
    c:\documents and settings\Lord of Chaos\WINDOWS
    C:\Thumbs.db
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    -------\Service_smtpdrv
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-07-14 to 2011-08-14 )))))))))))))))))))))))))))))))
    .
    .
    2011-08-13 19:07 . 2011-07-07 00:52 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-08-13 19:07 . 2011-07-07 00:52 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-08-13 03:33 . 2011-08-13 03:33 388096 ----a-r- c:\documents and settings\Lord of Chaos\Datos de programa\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
    2011-08-10 13:37 . 2011-06-24 14:10 139656 -c----w- c:\windows\system32\dllcache\rdpwd.sys
    2011-08-10 13:36 . 2011-07-08 14:02 10496 -c----w- c:\windows\system32\dllcache\ndistapi.sys
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-07-15 13:29 . 2004-08-03 21:15 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
    2011-07-08 14:02 . 2002-09-10 12:00 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys
    2011-06-24 14:10 . 2006-10-18 03:43 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys
    2011-06-21 18:19 . 2004-08-19 13:42 669696 ----a-w- c:\windows\system32\wininet.dll
    2011-06-21 18:19 . 2004-08-03 20:59 61952 ----a-w- c:\windows\system32\tdc.ocx
    2011-06-21 18:19 . 2004-08-19 13:42 81920 ----a-w- c:\windows\system32\ieencode.dll
    2011-06-21 18:16 . 2004-08-19 13:23 371200 ----a-w- c:\windows\system32\html.iec
    2011-06-21 01:03 . 2011-05-22 14:39 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2011-06-20 17:44 . 2004-08-19 13:42 293888 ----a-w- c:\windows\system32\winsrv.dll
    2011-06-06 11:35 . 2004-08-19 13:30 1859072 ----a-w- c:\windows\system32\win32k.sys
    2011-06-26 03:04 . 2011-05-09 11:48 142296 ----a-w- c:\archivos de programa\mozilla firefox\components\browsercomps.dll
    .
    .
    ------- Sigcheck -------
    Note: Unsigned files aren't necessarily malware.
    .
    [-] 2009-09-20 . C1CE50ED49C5D436BAAE3A76F206B0FC . 14336 . . [5.1.2600.5512] . . c:\windows\system32\lsass.exe
    [7] 2008-04-14 . 671ACA589DA3733FAC878A751C5BF0ED . 13312 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\lsass.exe
    .
    [-] 2009-09-21 . 3E36FA37BA0587C76373214E6FFCB356 . 112640 . . [5.1.2600.5755] . . c:\windows\system32\services.exe
    [7] 2009-02-09 . AA6E1769469F9D15603A619FC1FB9E18 . 111104 . . [5.1.2600.5755] . . c:\windows\$hf_mig$\KB956572\SP3QFE\services.exe
    [7] 2008-04-14 . D658A8C2FC7B2AD53D1259741A09EE04 . 109056 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\services.exe
    .
    [-] 2009-09-20 . 40751D7E3A3BFA1FB8C3D56ACFCB617F . 511488 . . [5.1.2600.5512] . . c:\windows\system32\winlogon.exe
    [7] 2008-04-14 . 213C80D912880BBF04453D09FFCCB28C . 510976 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\winlogon.exe
    .
    [-] 2009-09-20 . 88CFAD56A0BF2D730B040AA66C8272BD . 16896 . . [5.1.2600.5512] . . c:\windows\system32\svchost.exe
    [7] 2008-04-14 . 4F2340F0BD5B6365C38E74DD391919A8 . 14336 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\svchost.exe
    .
    [-] 2009-09-13 . 782456326A2E059F1D6FBABBCEE97EC5 . 1038336 . . [6.00.2900.5512] . . c:\windows\explorer.exe
    [7] 2008-04-14 . 7522F548A84ABAD8FA516DE5AB3931EF . 1036288 . . [6.00.2900.5512] . . c:\windows\ServicePackFiles\i386\explorer.exe
    [-] 2007-06-13 . DBB6B75CC6CB2CF8EC0BAFCA08AED6BE . 1035776 . . [6.00.2900.3156] . . c:\windows\$hf_mig$\KB938828\SP2QFE\explorer.exe
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
    "{0974848a-b5bc-49f2-9778-307742b4a55d}"= "c:\archivos de programa\softonic.com4\tbsoft.dll" [2010-10-18 3908192]
    .
    [HKEY_CLASSES_ROOT\clsid\{0974848a-b5bc-49f2-9778-307742b4a55d}]
    .
    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0974848a-b5bc-49f2-9778-307742b4a55d}]
    2010-10-18 18:26 3908192 ----a-w- c:\archivos de programa\softonic.com4\tbsoft.dll
    .
    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{30F9B915-B755-4826-820B-08FBA6BD249D}]
    2010-10-18 18:26 3908192 ----a-w- c:\archivos de programa\ConduitEngine\ConduitEngine.dll
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{0974848a-b5bc-49f2-9778-307742b4a55d}"= "c:\archivos de programa\softonic.com4\tbsoft.dll" [2010-10-18 3908192]
    "{30F9B915-B755-4826-820B-08FBA6BD249D}"= "c:\archivos de programa\ConduitEngine\ConduitEngine.dll" [2010-10-18 3908192]
    .
    [HKEY_CLASSES_ROOT\clsid\{0974848a-b5bc-49f2-9778-307742b4a55d}]
    .
    [HKEY_CLASSES_ROOT\clsid\{30f9b915-b755-4826-820b-08fba6bd249d}]
    .
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
    "{0974848A-B5BC-49F2-9778-307742B4A55D}"= "c:\archivos de programa\softonic.com4\tbsoft.dll" [2010-10-18 3908192]
    .
    [HKEY_CLASSES_ROOT\clsid\{0974848a-b5bc-49f2-9778-307742b4a55d}]
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "DAEMON Tools Lite"="c:\archivos de programa\DAEMON Tools Lite\DTLite.exe" [2011-01-20 1305408]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-03 208952]
    "PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-03 455168]
    "PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-03 455168]
    "MsmqIntCert"="mqrt.dll" [2008-04-14 177152]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2003-08-28 155648]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2003-08-28 118784]
    "Mouse Suite 98 Daemon"="ICO.EXE" [2003-11-20 57344]
    "AVP"="c:\archivos de programa\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe" [2009-07-21 208616]
    "Malwarebytes Anti-Malware (reboot)"="c:\archivos de programa\Malwarebytes' Anti-Malware\mbam.exe" [2011-07-07 1047656]
    "LogMeIn Hamachi Ui"="c:\archivos de programa\LogMeIn Hamachi\hamachi-2-ui.exe" [2011-03-28 1910152]
    "DivXUpdate"="c:\archivos de programa\DivX\DivX Update\DivXUpdate.exe" [2011-03-21 1230704]
    "SunJavaUpdateSched"="c:\archivos de programa\Archivos comunes\Java\Java Update\jusched.exe" [2011-04-08 254696]
    .
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
    .
    c:\documents and settings\All Users\Men£ Inicio\Programas\Inicio\
    Adobe Gamma Loader.lnk - c:\archivos de programa\Archivos comunes\Adobe\Calibration\Adobe Gamma Loader.exe [2010-8-5 113664]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
    "Taskman"=""
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
    "QuickTime Task"="c:\archivos de programa\MpcStar\Codecs\QuickTime\QTTask.exe" -atboottime
    "PinnacleDriverCheck"=c:\windows\system32\PSDrvCheck.exe -CheckReg
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
    "DisableMonitoring"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
    "DisableMonitoring"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring"=dword:00000001
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Archivos de programa\\BitComet\\BitComet.exe"=
    "c:\\Archivos de programa\\Windows Live\\Messenger\\msnmsgr.exe"=
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "10143:TCP"= 10143:TCP:BitComet 10143 TCP
    "10143:UDP"= 10143:UDP:BitComet 10143 UDP
    "23648:TCP"= 23648:TCP:Gnutella
    "23648:UDP"= 23648:UDP:Gnutella
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
    "AllowInboundEchoRequest"= 1 (0x1)
    .
    R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [29/01/2008 05:29 p.m. 33808]
    R0 sptd;sptd;\SystemRoot\\SystemRoot\System32\Drivers\sptd.sys --> \SystemRoot\\SystemRoot\System32\Drivers\sptd.sys [?]
    R2 TuneUp.UtilitiesSvc;TuneUp Utilities Service;c:\archivos de programa\TuneUp Utilities 2011\TuneUpUtilitiesService32.exe [27/10/2010 06:23 p.m. 1483072]
    R3 KLFLTDEV;Kaspersky Lab KLFltDev;c:\windows\system32\drivers\klfltdev.sys [13/03/2008 06:02 p.m. 26640]
    R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [30/04/2008 05:06 p.m. 24592]
    R3 TuneUpUtilitiesDrv;TuneUpUtilitiesDrv;c:\archivos de programa\TuneUp Utilities 2011\TuneUpUtilitiesDriver32.sys [07/10/2010 01:34 p.m. 10064]
    S2 NetCM;Network Connection Manager;c:\archivos de programa\Common Files\Microsoft Shared\Speech\svchost.exe --> c:\archivos de programa\Common Files\Microsoft Shared\Speech\svchost.exe [?]
    S3 GGSAFERDriver;GGSAFER Driver;\??\c:\archivos de programa\Garena\safedrv.sys --> c:\archivos de programa\Garena\safedrv.sys [?]
    S4 Hamachi2Svc;LogMeIn Hamachi 2.0 Tunneling Engine;c:\archivos de programa\LogMeIn Hamachi\hamachi-2.exe [28/03/2011 04:41 p.m. 1242504]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    p2psvc REG_MULTI_SZ p2psvc p2pimsvc p2pgasvc PNRPSvc
    .
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
    UxTuneUp
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-05-24 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\archivos de programa\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://search.conduit.com?SearchSource=10&ctid=CT2431232
    IE: &D&escargar &con BitComet - c:\archivos de programa\BitComet\BitComet.exe/AddLink.htm
    IE: &D&escargar todo con BitComet - c:\archivos de programa\BitComet\BitComet.exe/AddAllLink.htm
    IE: &Winamp Search - c:\documents and settings\All Users\Datos de programa\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html
    IE: Add to Banner Ad Blocker - c:\archivos de programa\Kaspersky Lab\Kaspersky Internet Security 2009\ie_banner_deny.htm
    IE: E&xportar a Microsoft Excel - c:\archiv~1\MICROS~2\Office10\EXCEL.EXE/3000
    TCP: DhcpNameServer = 192.168.1.254
    DPF: {DAF7E6E6-D53A-439A-B28D-12271406B8A9} - hxxp://mobileapps.blackberry.com/devicesoftware/AxLoader.cab
    FF - ProfilePath - c:\documents and settings\Lord of Chaos\Datos de programa\Mozilla\Firefox\Profiles\6i6unky1.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2431232&SearchSource=3&q={searchTerms}
    FF - prefs.js: browser.search.selectedEngine - softonic.com4 Customized Web Search
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.com.mx/ig
    FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2685&invocationType=tb50ffwinampab&query=
    FF - user.js: network.http.max-persistent-connections-per-server - 4
    FF - user.js: nglayout.initialpaint.delay - 600
    FF - user.js: content.notify.interval - 600000
    FF - user.js: content.max.tokenizing.time - 1800000
    FF - user.js: content.switch.threshold - 600000
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-08-13 19:59
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_USERS\S-1-5-21-789336058-299502267-1417001333-1003\Software\Microsoft\SystemCertificates\AddressBook*]
    @Allowed: (Read) (RestrictedCode)
    @Allowed: (Read) (RestrictedCode)
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'explorer.exe'(3808)
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    c:\windows\system32\pelscrll.dll
    c:\windows\system32\PELCOMM.dll
    c:\windows\system32\PELHOOKS.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\windows\system32\LEXBCES.EXE
    c:\windows\system32\LEXPPS.EXE
    c:\windows\system32\msdtc.exe
    c:\windows\system32\inetsrv\inetinfo.exe
    c:\archivos de programa\Java\jre6\bin\jqs.exe
    c:\archivos de programa\Archivos comunes\Microsoft Shared\VS7Debug\mdm.exe
    c:\windows\system32\tcpsvcs.exe
    c:\windows\System32\snmp.exe
    c:\windows\system32\mqsvc.exe
    c:\windows\system32\mqtgsvc.exe
    c:\windows\system32\ICO.EXE
    c:\windows\system32\Pelmiced.exe
    c:\windows\system32\wscntfy.exe
    c:\archivos de programa\TuneUp Utilities 2011\TuneUpUtilitiesApp32.exe
    .
    **************************************************************************
    .
    Completion time: 2011-08-13 20:08:08 - machine was rebooted
    ComboFix-quarantined-files.txt 2011-08-14 01:07
    .
    Pre-Run: 6,640,910,336 bytes libres
    Post-Run: 7,203,459,072 bytes libres
    .
    Current=2 Default=2 Failed=1 LastKnownGood=4 Sets=1,2,3,4
    - - End Of File - - 731820108B4CF4804E0CBCBE3D37F72A
     
  10. Broni

    Broni Malware Annihilator Posts: 52,898   +344

    Good news :)

    Any other outstanding issues?

    1. Please open Notepad
    • Click Start , then Run
    • Type notepad.exe in the Run Box
    • Click OK
    Windows Vista/7 users: click Start, in "Start search" type notepad and press Enter.

    2. Now copy/paste the entire content of the codebox below into the Notepad window:

    Code:
    FCopy::
    c:\windows\ServicePackFiles\i386\lsass.exe | c:\windows\system32\lsass.exe
    c:\windows\$hf_mig$\KB956572\SP3QFE\services.exe | c:\windows\system32\services.exe
    c:\windows\ServicePackFiles\i386\winlogon.exe | c:\windows\system32\winlogon.exe
    c:\windows\ServicePackFiles\i386\svchost.exe | c:\windows\system32\svchost.exe
    c:\windows\ServicePackFiles\i386\explorer.exe | c:\windows\explorer.exe
    
    
    File::
    c:\archivos de programa\Common Files\Microsoft Shared\Speech\svchost.exe
    
    Driver::
    NetCM
    
    Registry::
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
    "Taskman"=-
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
    "DisableMonitoring"=dword:00000000
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
    "DisableMonitoring"=dword:00000000
    
    

    3. Save the above as CFScript.txt

    4. Close/disable all anti virus and anti malware programs again, so they do not interfere with the running of ComboFix.

    5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

    [​IMG]


    6. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
    • Combofix.txt
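The CFScript above is built directly from the ComboFix log: the Sigcheck block shows live copies of lsass.exe, services.exe, winlogon.exe, svchost.exe and explorer.exe whose MD5 and size differ from their `[7]` reference copies, the NetCM service runs a file named svchost.exe from a Speech folder, the winlogon Taskman value is present but empty, and Security Center monitoring is switched off. Below is an added example, written for this thread and not ComboFix's own code, that reads those kinds of evidence out of a log and renders the same CFScript sections. SAMPLE_LOG is a constructed excerpt modelled on the posted log; the `[7]` lines are treated as the verified copies, the selection rule (prefer the verified copy carrying the same version string, otherwise any verified copy) reproduces the choice of the KB956572 SP3QFE services.exe over the ServicePackFiles one, and all function, key and field names are the example's own.

```python
"""Triage a ComboFix log the way it is done by hand in this thread: flag system
binaries whose hash no longer matches a verified reference copy, services whose
image borrows a system binary's name outside the Windows directory, and registry
values that silence Security Center or the firewall; then render the matching
CFScript sections.  Added example, not ComboFix's code; SAMPLE_LOG is constructed."""
import re

SAMPLE_LOG = r"""
[-] 2009-09-21 . 3E36FA37BA0587C76373214E6FFCB356 . 112640 . . [5.1.2600.5755] . . c:\windows\system32\services.exe
[7] 2009-02-09 . AA6E1769469F9D15603A619FC1FB9E18 . 111104 . . [5.1.2600.5755] . . c:\windows\$hf_mig$\KB956572\SP3QFE\services.exe
[7] 2008-04-14 . D658A8C2FC7B2AD53D1259741A09EE04 . 109056 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\services.exe
.
[-] 2009-09-20 . 88CFAD56A0BF2D730B040AA66C8272BD . 16896 . . [5.1.2600.5512] . . c:\windows\system32\svchost.exe
[7] 2008-04-14 . 4F2340F0BD5B6365C38E74DD391919A8 . 14336 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\svchost.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Taskman"=""
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [29/01/2008 05:29 p.m. 33808]
S2 NetCM;Network Connection Manager;c:\archivos de programa\Common Files\Microsoft Shared\Speech\svchost.exe --> c:\archivos de programa\Common Files\Microsoft Shared\Speech\svchost.exe [?]
"""

SYSTEM_BINARIES = {"svchost.exe", "lsass.exe", "services.exe", "winlogon.exe", "csrss.exe", "explorer.exe"}
SIGCHECK_RE = re.compile(r"^\[([-7])\] \S+ \. ([0-9A-Fa-f]{32}) \. \d+ \. \. \[([^\]]+)\] \. \. (.+)$")
SERVICE_RE = re.compile(r"^([RS]\d) ([^;]+);[^;]*;(.+)$")
KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')

def _service_image(raw):
    """Drop ComboFix's ' --> path' echo, the trailing '[date size]' and a \\??\\ prefix."""
    path = re.sub(r"\s*\[[^\]]*\]\s*$", "", raw.split(" --> ")[0])
    return path[4:] if path.startswith("\\??\\") else path

def _flush_sigcheck(group, findings):
    """group[0] is the live file, the rest are reference copies ([7] = verified).
    Prefer the verified copy carrying the same version string, as the script above does."""
    if group and group[0][0] == "-":
        _, live_md5, live_version, live_path = group[0]
        refs = [g for g in group[1:] if g[0] == "7"]
        same = [g for g in refs if g[2] == live_version] or refs
        if same:
            findings.append({"kind": "patched_binary", "path": live_path,
                             "md5": live_md5, "replace_with": same[0][3]})

def triage(log_text):
    findings, group, key = [], [], ""
    for line in log_text.splitlines():
        line = line.strip()
        m = SIGCHECK_RE.match(line)
        if m:  # (flag, md5, version, path); a group ends at the first non-sigcheck line
            group.append((m.group(1), m.group(2).upper(), m.group(3), m.group(4)))
            continue
        _flush_sigcheck(group, findings)
        group = []
        m = SERVICE_RE.match(line)
        if m:
            name, image = m.group(2), _service_image(m.group(3))
            base = image.rsplit("\\", 1)[-1].lower()
            # coarse filter: a system-binary name anywhere outside the Windows directory is suspect
            if base in SYSTEM_BINARIES and not image.lower().startswith("c:\\windows\\"):
                findings.append({"kind": "masquerading_service", "service": name, "path": image})
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = VALUE_RE.match(line)
        if not m:
            continue
        name, value, k = m.group(1), m.group(2), key.lower()
        if "security center\\monitoring" in k and name == "DisableMonitoring" and value != "dword:00000000":
            findings.append({"kind": "security_center_muted", "key": key})
        elif k.endswith("firewallpolicy\\standardprofile") and name == "EnableFirewall" and value.startswith("0"):
            findings.append({"kind": "firewall_disabled", "key": key})
        elif k.endswith("currentversion\\winlogon") and name == "Taskman":
            findings.append({"kind": "winlogon_taskman", "key": key, "value": value})
    _flush_sigcheck(group, findings)
    return findings

def cfscript(findings):
    """Render findings as the CFScript sections used above (FCopy/File/Driver/Registry).
    A disabled firewall is only reported; it is re-enabled from the Windows Firewall applet."""
    masq = [f for f in findings if f["kind"] == "masquerading_service"]
    fcopy = [f"{f['replace_with']} | {f['path']}" for f in findings if f["kind"] == "patched_binary"]
    reg = []
    for f in findings:
        if f["kind"] == "security_center_muted":
            reg += [f"[{f['key']}]", '"DisableMonitoring"=dword:00000000']
        elif f["kind"] == "winlogon_taskman":
            reg += [f"[{f['key']}]", '"Taskman"=-']
    out = []
    for header, body in (("FCopy::", fcopy), ("File::", [f["path"] for f in masq]),
                         ("Driver::", [f["service"] for f in masq]), ("Registry::", reg)):
        if body:
            out += [header, *body, ""]
    return "\n".join(out)
```

Running `cfscript(triage(open("ComboFix.txt").read()))` on a full log prints the four sections; the output is a starting point for a human to review, not something to drag onto ComboFix unread, because the service check is deliberately coarse and a `[-]` on a hotfix copy under $hf_mig$ (as with explorer.exe in the log above) is not a live-file mismatch and is ignored by the grouping rule.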
     
  11. Chaos999

    Chaos999 TS Rookie Topic Starter Posts: 19

    Here it is. Same error when starting ComboFix: "Boot partition cannot be enumerated correctly".
    No noticeable changes on the PC.

    ComboFix 11-08-14.01 - Lord of Chaos 13/08/2011 22:29:03.3.2 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.34.3082.18.991.616 [GMT -5:00]
    Running from: c:\documents and settings\Lord of Chaos\Escritorio\ComboFix.exe
    Command switches used :: c:\documents and settings\Lord of Chaos\Escritorio\CFScript.txt
    AV: Kaspersky Internet Security *Disabled/Updated* {2C4D4BC6-0793-4956-A9F9-E252435469C0}
    FW: Kaspersky Internet Security *Disabled* {2C4D4BC6-0793-4956-A9F9-E252435469C0}
    .
    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .
    FILE ::
    "c:\archivos de programa\Common Files\Microsoft Shared\Speech\svchost.exe"
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    .
    --------------- FCopy ---------------
    .
    c:\windows\ServicePackFiles\i386\lsass.exe --> c:\windows\system32\lsass.exe
    c:\windows\$hf_mig$\KB956572\SP3QFE\services.exe --> c:\windows\system32\services.exe
    c:\windows\ServicePackFiles\i386\winlogon.exe --> c:\windows\system32\winlogon.exe
    c:\windows\ServicePackFiles\i386\svchost.exe --> c:\windows\system32\svchost.exe
    c:\windows\ServicePackFiles\i386\explorer.exe --> c:\windows\explorer.exe
    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    -------\Legacy_NETCM
    -------\Service_NetCM
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-07-14 to 2011-08-14 )))))))))))))))))))))))))))))))
    .
    .
    2011-08-13 19:07 . 2011-07-07 00:52 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-08-13 19:07 . 2011-07-07 00:52 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-08-13 03:33 . 2011-08-13 03:33 388096 ----a-r- c:\documents and settings\Lord of Chaos\Datos de programa\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
    2011-08-10 13:37 . 2011-06-24 14:10 139656 -c----w- c:\windows\system32\dllcache\rdpwd.sys
    2011-08-10 13:36 . 2011-07-08 14:02 10496 -c----w- c:\windows\system32\dllcache\ndistapi.sys
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-07-15 13:29 . 2004-08-03 21:15 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
    2011-07-08 14:02 . 2002-09-10 12:00 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys
    2011-06-24 14:10 . 2006-10-18 03:43 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys
    2011-06-21 18:19 . 2004-08-19 13:42 669696 ----a-w- c:\windows\system32\wininet.dll
    2011-06-21 18:19 . 2004-08-03 20:59 61952 ----a-w- c:\windows\system32\tdc.ocx
    2011-06-21 18:19 . 2004-08-19 13:42 81920 ----a-w- c:\windows\system32\ieencode.dll
    2011-06-21 18:16 . 2004-08-19 13:23 371200 ----a-w- c:\windows\system32\html.iec
    2011-06-21 01:03 . 2011-05-22 14:39 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2011-06-20 17:44 . 2004-08-19 13:42 293888 ----a-w- c:\windows\system32\winsrv.dll
    2011-06-06 11:35 . 2004-08-19 13:30 1859072 ----a-w- c:\windows\system32\win32k.sys
    2011-06-26 03:04 . 2011-05-09 11:48 142296 ----a-w- c:\archivos de programa\mozilla firefox\components\browsercomps.dll
    .
    .
    ((((((((((((((((((((((((((((( SnapShot@2011-08-14_00.59.15 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2011-08-14 03:39 . 2011-08-14 03:39 16384 c:\windows\Temp\Perflib_Perfdata_7c8.dat
    + 2011-08-14 03:17 . 2011-08-14 03:17 16384 c:\windows\Temp\Perflib_Perfdata_614.dat
    + 2011-08-14 03:39 . 2011-08-14 03:39 16384 c:\windows\Temp\Perflib_Perfdata_3ac.dat
    + 2004-08-19 13:43 . 2008-04-14 02:19 14336 c:\windows\system32\dllcache\svchost.exe
    + 2004-08-19 13:42 . 2008-04-14 02:19 13312 c:\windows\system32\dllcache\lsass.exe
    + 2007-06-10 06:14 . 2011-08-14 03:39 231249 c:\windows\system32\inetsrv\MetaBase.bin
    + 2009-07-19 18:27 . 2011-08-14 03:38 843808 c:\windows\system32\drivers\fidbox2.dat
    + 2004-08-19 13:43 . 2008-04-14 02:19 510976 c:\windows\system32\dllcache\winlogon.exe
    + 2004-08-19 13:43 . 2009-02-09 11:16 111104 c:\windows\system32\dllcache\services.exe
    - 2009-07-19 18:27 . 2011-08-14 00:57 3308064 c:\windows\system32\drivers\fidbox.dat
    + 2009-07-19 18:27 . 2011-08-14 03:38 3308064 c:\windows\system32\drivers\fidbox.dat
    + 2004-08-19 13:42 . 2008-04-14 02:18 1036288 c:\windows\system32\dllcache\explorer.exe
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
    "{0974848a-b5bc-49f2-9778-307742b4a55d}"= "c:\archivos de programa\softonic.com4\tbsoft.dll" [2010-10-18 3908192]
    .
    [HKEY_CLASSES_ROOT\clsid\{0974848a-b5bc-49f2-9778-307742b4a55d}]
    .
    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0974848a-b5bc-49f2-9778-307742b4a55d}]
    2010-10-18 18:26 3908192 ----a-w- c:\archivos de programa\softonic.com4\tbsoft.dll
    .
    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{30F9B915-B755-4826-820B-08FBA6BD249D}]
    2010-10-18 18:26 3908192 ----a-w- c:\archivos de programa\ConduitEngine\ConduitEngine.dll
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{0974848a-b5bc-49f2-9778-307742b4a55d}"= "c:\archivos de programa\softonic.com4\tbsoft.dll" [2010-10-18 3908192]
    "{30F9B915-B755-4826-820B-08FBA6BD249D}"= "c:\archivos de programa\ConduitEngine\ConduitEngine.dll" [2010-10-18 3908192]
    .
    [HKEY_CLASSES_ROOT\clsid\{0974848a-b5bc-49f2-9778-307742b4a55d}]
    .
    [HKEY_CLASSES_ROOT\clsid\{30f9b915-b755-4826-820b-08fba6bd249d}]
    .
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
    "{0974848A-B5BC-49F2-9778-307742B4A55D}"= "c:\archivos de programa\softonic.com4\tbsoft.dll" [2010-10-18 3908192]
    .
    [HKEY_CLASSES_ROOT\clsid\{0974848a-b5bc-49f2-9778-307742b4a55d}]
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "DAEMON Tools Lite"="c:\archivos de programa\DAEMON Tools Lite\DTLite.exe" [2011-01-20 1305408]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-03 208952]
    "PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-03 455168]
    "PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-03 455168]
    "MsmqIntCert"="mqrt.dll" [2008-04-14 177152]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2003-08-28 155648]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2003-08-28 118784]
    "Mouse Suite 98 Daemon"="ICO.EXE" [2003-11-20 57344]
    "AVP"="c:\archivos de programa\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe" [2009-07-21 208616]
    "Malwarebytes Anti-Malware (reboot)"="c:\archivos de programa\Malwarebytes' Anti-Malware\mbam.exe" [2011-07-07 1047656]
    "LogMeIn Hamachi Ui"="c:\archivos de programa\LogMeIn Hamachi\hamachi-2-ui.exe" [2011-03-28 1910152]
    "DivXUpdate"="c:\archivos de programa\DivX\DivX Update\DivXUpdate.exe" [2011-03-21 1230704]
    "SunJavaUpdateSched"="c:\archivos de programa\Archivos comunes\Java\Java Update\jusched.exe" [2011-04-08 254696]
    .
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
    .
    c:\documents and settings\All Users\Menú Inicio\Programas\Inicio\
    Adobe Gamma Loader.lnk - c:\archivos de programa\Archivos comunes\Adobe\Calibration\Adobe Gamma Loader.exe [2010-8-5 113664]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
    "Taskman"=""
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
    "QuickTime Task"="c:\archivos de programa\MpcStar\Codecs\QuickTime\QTTask.exe" -atboottime
    "PinnacleDriverCheck"=c:\windows\system32\PSDrvCheck.exe -CheckReg
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring"=dword:00000001
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Archivos de programa\\BitComet\\BitComet.exe"=
    "c:\\Archivos de programa\\Windows Live\\Messenger\\msnmsgr.exe"=
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "10143:TCP"= 10143:TCP:BitComet 10143 TCP
    "10143:UDP"= 10143:UDP:BitComet 10143 UDP
    "23648:TCP"= 23648:TCP:Gnutella
    "23648:UDP"= 23648:UDP:Gnutella
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
    "AllowInboundEchoRequest"= 1 (0x1)
    .
    R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [29/01/2008 05:29 p.m. 33808]
    R0 sptd;sptd;\SystemRoot\\SystemRoot\System32\Drivers\sptd.sys --> \SystemRoot\\SystemRoot\System32\Drivers\sptd.sys [?]
    R2 TuneUp.UtilitiesSvc;TuneUp Utilities Service;c:\archivos de programa\TuneUp Utilities 2011\TuneUpUtilitiesService32.exe [27/10/2010 06:23 p.m. 1483072]
    R3 KLFLTDEV;Kaspersky Lab KLFltDev;c:\windows\system32\drivers\klfltdev.sys [13/03/2008 06:02 p.m. 26640]
    R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [30/04/2008 05:06 p.m. 24592]
    R3 TuneUpUtilitiesDrv;TuneUpUtilitiesDrv;c:\archivos de programa\TuneUp Utilities 2011\TuneUpUtilitiesDriver32.sys [07/10/2010 01:34 p.m. 10064]
    S3 GGSAFERDriver;GGSAFER Driver;\??\c:\archivos de programa\Garena\safedrv.sys --> c:\archivos de programa\Garena\safedrv.sys [?]
    S4 Hamachi2Svc;LogMeIn Hamachi 2.0 Tunneling Engine;c:\archivos de programa\LogMeIn Hamachi\hamachi-2.exe [28/03/2011 04:41 p.m. 1242504]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    p2psvc REG_MULTI_SZ p2psvc p2pimsvc p2pgasvc PNRPSvc
    .
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
    UxTuneUp
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-05-24 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\archivos de programa\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://search.conduit.com?SearchSource=10&ctid=CT2431232
    IE: &D&escargar &con BitComet - c:\archivos de programa\BitComet\BitComet.exe/AddLink.htm
    IE: &D&escargar todo con BitComet - c:\archivos de programa\BitComet\BitComet.exe/AddAllLink.htm
    IE: &Winamp Search - c:\documents and settings\All Users\Datos de programa\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html
    IE: Add to Banner Ad Blocker - c:\archivos de programa\Kaspersky Lab\Kaspersky Internet Security 2009\ie_banner_deny.htm
    IE: E&xportar a Microsoft Excel - c:\archiv~1\MICROS~2\Office10\EXCEL.EXE/3000
    TCP: DhcpNameServer = 192.168.1.254
    DPF: {DAF7E6E6-D53A-439A-B28D-12271406B8A9} - hxxp://mobileapps.blackberry.com/devicesoftware/AxLoader.cab
    FF - ProfilePath - c:\documents and settings\Lord of Chaos\Datos de programa\Mozilla\Firefox\Profiles\6i6unky1.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2431232&SearchSource=3&q={searchTerms}
    FF - prefs.js: browser.search.selectedEngine - softonic.com4 Customized Web Search
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.com.mx/ig
    FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2685&invocationType=tb50ffwinampab&query=
    FF - user.js: network.http.max-persistent-connections-per-server - 4
    FF - user.js: nglayout.initialpaint.delay - 600
    FF - user.js: content.notify.interval - 600000
    FF - user.js: content.max.tokenizing.time - 1800000
    FF - user.js: content.switch.threshold - 600000
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-08-13 22:39
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_USERS\S-1-5-21-789336058-299502267-1417001333-1003\Software\Microsoft\SystemCertificates\AddressBook*]
    @Allowed: (Read) (RestrictedCode)
    @Allowed: (Read) (RestrictedCode)
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'explorer.exe'(2004)
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    c:\windows\system32\pelscrll.dll
    c:\windows\system32\PELCOMM.dll
    c:\windows\system32\PELHOOKS.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\windows\system32\LEXBCES.EXE
    c:\windows\system32\LEXPPS.EXE
    c:\windows\system32\msdtc.exe
    c:\windows\system32\inetsrv\inetinfo.exe
    c:\archivos de programa\Java\jre6\bin\jqs.exe
    c:\archivos de programa\Archivos comunes\Microsoft Shared\VS7Debug\mdm.exe
    c:\windows\system32\tcpsvcs.exe
    c:\windows\System32\snmp.exe
    c:\windows\system32\mqsvc.exe
    c:\windows\system32\mqtgsvc.exe
    c:\windows\system32\ICO.EXE
    c:\windows\system32\Pelmiced.exe
    c:\archivos de programa\TuneUp Utilities 2011\TuneUpUtilitiesApp32.exe
    c:\windows\system32\wscntfy.exe
    .
    **************************************************************************
    .
    Completion time: 2011-08-13 22:45:25 - machine was rebooted
    ComboFix-quarantined-files.txt 2011-08-14 03:45
    ComboFix2.txt 2011-08-14 01:08
    .
    Pre-Run: 7,212,285,952 bytes free
    Post-Run: 7,187,042,304 bytes free
    .
    Current=2 Default=2 Failed=1 LastKnownGood=4 Sets=1,2,3,4
    - - End Of File - - 2647D92A89410E1EEE9402348A099EB7
     
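The "Reg Loading Points" section of the log above is where the hand-written CFScript came from: the Winlogon Taskman value, the Security Center DisableMonitoring entries, the XP firewall state and its globally open ports, and Run entries such as "MsmqIntCert"="mqrt.dll" that name a bare file without a directory. The script below is an added example for this page, not part of ComboFix or of the thread: it parses that section and emits the findings a responder reads first. SAMPLE_LOG is a constructed excerpt assembled from lines of the posted log; the rule names and messages are this example's own.

```python
"""Triage the 'Reg Loading Points' section of a ComboFix log.

Added example for this thread, not ComboFix code. It pulls out of the log
the settings a responder reads first: a Winlogon Taskman value (a logon
launch point malware borrows), Security Center monitoring switched off per
product, the XP firewall state and its globally open ports, and Run entries
that name a bare file with no directory (resolved through the search path
at logon, so a same-named file dropped earlier in that path wins).
SAMPLE_LOG is a constructed excerpt assembled from lines of the log posted
above; the rule names and messages are this example's own.
"""
import re

SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsmqIntCert"="mqrt.dll" [2008-04-14 177152]
"Mouse Suite 98 Daemon"="ICO.EXE" [2003-11-20 57344]
"AVP"="c:\archivos de programa\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe" [2009-07-21 208616]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Taskman"=""
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"10143:TCP"= 10143:TCP:BitComet 10143 TCP
"23648:UDP"= 23648:UDP:Gnutella
.
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
VAL_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')
QUOTED_RE = re.compile(r'^"([^"]*)"')


def parse_reg_points(text):
    """Yield (key, value_name, raw_value) for every value under a [key] header."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = VAL_RE.match(line)
        if m and key:
            yield key, m.group(1), m.group(2).strip()


def triage(text):
    """Return a list of (rule, message) findings for a ComboFix log excerpt."""
    findings = []
    for key, name, value in parse_reg_points(text):
        k, n = key.lower(), name.lower()
        product = key.rsplit("\\", 1)[-1]  # last path component, e.g. SymantecFirewall
        if k.endswith(r"currentversion\winlogon") and n == "taskman":
            findings.append(("winlogon-taskman",
                             f"Winlogon Taskman value present ({value}); it runs at logon"))
        elif r"security center\monitoring" in k and n == "disablemonitoring" \
                and value.endswith("00000001"):
            findings.append(("sc-monitoring-off",
                             f"Security Center monitoring disabled for {product}"))
        elif k.endswith(r"firewallpolicy\standardprofile") and n == "enablefirewall" \
                and value.startswith("0"):
            findings.append(("firewall-off", "Windows Firewall off in the standard profile"))
        elif r"globallyopenports\list" in k:
            label = value.split(":", 2)[-1]
            findings.append(("open-port", f"Inbound port open: {name} ({label})"))
        elif k.endswith(r"currentversion\run"):
            m = QUOTED_RE.match(value)
            path = m.group(1) if m else (value.split() or [""])[0]
            if "\\" not in path:
                findings.append(("run-bare-name",
                                 f"Run entry {name!r} starts {path!r} with no directory"))
    return findings


if __name__ == "__main__":
    for rule, msg in triage(SAMPLE_LOG):
        print(f"{rule:20} {msg}")
```

The two bare-name Run entries in the sample are legitimate on this box (MSMQ and a mouse driver), and the Symantec monitoring keys are leftovers from a product that is no longer installed; the point of the rules is to surface them for a decision, which is exactly what the CFScript's Registry:: block then encodes.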
  12. Broni

    Broni Malware Annihilator Posts: 52,898   +344

    Download BootCheck.exe to your desktop.

    • Double click BootCheck.exe to run the check
    • When complete, a Notepad window will open with some text in it
    • Save the Notepad file to your desktop as BootCheck.txt
    • Copy the contents of BootCheck.txt and post it in your next reply
     
  13. Chaos999

    Chaos999 TS Rookie Topic Starter Posts: 19

    Here it is:

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !

    Contents of boot.ini:
     
  14. Broni

    Broni Malware Annihilator Posts: 52,898   +344

    It looks like boot.ini may be missing...

    Click Start, click Run, type sysdm.cpl, and then click OK.
    On the Advanced tab, click Settings under Startup and Recovery.
    Under System Startup, click Edit. This will open boot.ini file in Notepad.
    Copy all content, and post it in your next reply.
     
  15. Chaos999

    Chaos999 TS Rookie Topic Starter Posts: 19

    It says boot.ini cannot be found and asks me if I want to create a new one. I clicked Cancel so I can get your instructions on this matter.

    I don't suppose this is good =/
     
  16. Broni

    Broni Malware Annihilator Posts: 52,898   +344

  17. Chaos999

    Chaos999 TS Rookie Topic Starter Posts: 19

    Hmm. I don't have a Windows CD. Are there any other options?
     
  18. Broni

    Broni Malware Annihilator Posts: 52,898   +344

  19. Chaos999

    Chaos999 TS Rookie Topic Starter Posts: 19

    I just finished what you asked. Also answering a previous post:

    [boot loader]
    timeout=30
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="MICROSOFT WINDOWS XP PRO" /fastdetect
     
  20. Broni

    Broni Malware Annihilator Posts: 52,898   +344

    Perfect!

    Re-run ComboFix and see if the Recovery Console will install (you can see from your issues why the Recovery Console is an important troubleshooting tool).
     
  21. Chaos999

    Chaos999 TS Rookie Topic Starter Posts: 19

    ComboFix ran just fine, the Recovery Console installed successfully, no reboot required after CF. No noticeable changes.

    ComboFix 11-08-15.06 - Lord of Chaos 14/08/2011 18:50:08.4.2 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.34.3082.18.991.512 [GMT -5:00]
    Running from: c:\documents and settings\Lord of Chaos\Escritorio\ComboFix.exe
    AV: Kaspersky Internet Security *Disabled/Updated* {2C4D4BC6-0793-4956-A9F9-E252435469C0}
    FW: Kaspersky Internet Security *Disabled* {2C4D4BC6-0793-4956-A9F9-E252435469C0}
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-07-14 to 2011-08-14 )))))))))))))))))))))))))))))))
    .
    .
    2011-08-14 21:16 . 2011-08-14 21:16 -------- d-----w- c:\documents and settings\Lord of Chaos\Datos de programa\ImgBurn
    2011-08-14 21:14 . 2011-08-14 21:14 -------- d-----w- c:\archivos de programa\ImgBurn
    2011-08-13 19:07 . 2011-07-07 00:52 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-08-13 19:07 . 2011-07-07 00:52 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-08-13 03:33 . 2011-08-13 03:33 388096 ----a-r- c:\documents and settings\Lord of Chaos\Datos de programa\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
    2011-08-10 13:37 . 2011-06-24 14:10 139656 -c----w- c:\windows\system32\dllcache\rdpwd.sys
    2011-08-10 13:36 . 2011-07-08 14:02 10496 -c----w- c:\windows\system32\dllcache\ndistapi.sys
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-07-15 13:29 . 2004-08-03 21:15 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
    2011-07-08 14:02 . 2002-09-10 12:00 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys
    2011-06-24 14:10 . 2006-10-18 03:43 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys
    2011-06-21 18:19 . 2004-08-19 13:42 669696 ----a-w- c:\windows\system32\wininet.dll
    2011-06-21 18:19 . 2004-08-03 20:59 61952 ----a-w- c:\windows\system32\tdc.ocx
    2011-06-21 18:19 . 2004-08-19 13:42 81920 ----a-w- c:\windows\system32\ieencode.dll
    2011-06-21 18:16 . 2004-08-19 13:23 371200 ----a-w- c:\windows\system32\html.iec
    2011-06-21 01:03 . 2011-05-22 14:39 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2011-06-20 17:44 . 2004-08-19 13:42 293888 ----a-w- c:\windows\system32\winsrv.dll
    2011-06-06 11:35 . 2004-08-19 13:30 1859072 ----a-w- c:\windows\system32\win32k.sys
    2011-06-26 03:04 . 2011-05-09 11:48 142296 ----a-w- c:\archivos de programa\mozilla firefox\components\browsercomps.dll
    .
    .
    ((((((((((((((((((((((((((((( SnapShot@2011-08-14_00.59.15 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2011-08-14 23:35 . 2011-08-14 23:35 16384 c:\windows\Temp\Perflib_Perfdata_228.dat
    + 2011-08-14 23:35 . 2011-08-14 23:35 16384 c:\windows\Temp\Perflib_Perfdata_1c4.dat
    + 2004-08-19 13:43 . 2008-04-14 02:19 14336 c:\windows\system32\svchost.exe
    + 2004-08-19 13:42 . 2008-04-14 02:19 13312 c:\windows\system32\lsass.exe
    + 2004-08-19 13:43 . 2008-04-14 02:19 14336 c:\windows\system32\dllcache\svchost.exe
    + 2004-08-19 13:42 . 2008-04-14 02:19 13312 c:\windows\system32\dllcache\lsass.exe
    + 2004-08-19 13:43 . 2008-04-14 02:19 510976 c:\windows\system32\winlogon.exe
    + 2004-08-19 13:43 . 2009-02-09 11:16 111104 c:\windows\system32\services.exe
    + 2007-06-10 06:14 . 2011-08-14 23:36 231249 c:\windows\system32\inetsrv\MetaBase.bin
    + 2009-07-19 18:27 . 2011-08-14 22:36 843808 c:\windows\system32\drivers\fidbox2.dat
    + 2004-08-19 13:43 . 2008-04-14 02:19 510976 c:\windows\system32\dllcache\winlogon.exe
    + 2004-08-19 13:43 . 2009-02-09 11:16 111104 c:\windows\system32\dllcache\services.exe
    + 2009-07-19 18:27 . 2011-08-14 22:36 3308064 c:\windows\system32\drivers\fidbox.dat
    - 2009-07-19 18:27 . 2011-08-14 00:57 3308064 c:\windows\system32\drivers\fidbox.dat
    + 2004-08-19 13:42 . 2008-04-14 02:18 1036288 c:\windows\system32\dllcache\explorer.exe
    + 2004-08-19 13:42 . 2008-04-14 02:18 1036288 c:\windows\explorer.exe
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
    "{0974848a-b5bc-49f2-9778-307742b4a55d}"= "c:\archivos de programa\softonic.com4\tbsoft.dll" [2010-10-18 3908192]
    .
    [HKEY_CLASSES_ROOT\clsid\{0974848a-b5bc-49f2-9778-307742b4a55d}]
    .
    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0974848a-b5bc-49f2-9778-307742b4a55d}]
    2010-10-18 18:26 3908192 ----a-w- c:\archivos de programa\softonic.com4\tbsoft.dll
    .
    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{30F9B915-B755-4826-820B-08FBA6BD249D}]
    2010-10-18 18:26 3908192 ----a-w- c:\archivos de programa\ConduitEngine\ConduitEngine.dll
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{0974848a-b5bc-49f2-9778-307742b4a55d}"= "c:\archivos de programa\softonic.com4\tbsoft.dll" [2010-10-18 3908192]
    "{30F9B915-B755-4826-820B-08FBA6BD249D}"= "c:\archivos de programa\ConduitEngine\ConduitEngine.dll" [2010-10-18 3908192]
    .
    [HKEY_CLASSES_ROOT\clsid\{0974848a-b5bc-49f2-9778-307742b4a55d}]
    .
    [HKEY_CLASSES_ROOT\clsid\{30f9b915-b755-4826-820b-08fba6bd249d}]
    .
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
    "{0974848A-B5BC-49F2-9778-307742B4A55D}"= "c:\archivos de programa\softonic.com4\tbsoft.dll" [2010-10-18 3908192]
    .
    [HKEY_CLASSES_ROOT\clsid\{0974848a-b5bc-49f2-9778-307742b4a55d}]
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "DAEMON Tools Lite"="c:\archivos de programa\DAEMON Tools Lite\DTLite.exe" [2011-01-20 1305408]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-03 208952]
    "PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-03 455168]
    "PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-03 455168]
    "MsmqIntCert"="mqrt.dll" [2008-04-14 177152]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2003-08-28 155648]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2003-08-28 118784]
    "Mouse Suite 98 Daemon"="ICO.EXE" [2003-11-20 57344]
    "AVP"="c:\archivos de programa\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe" [2009-07-21 208616]
    "Malwarebytes Anti-Malware (reboot)"="c:\archivos de programa\Malwarebytes' Anti-Malware\mbam.exe" [2011-07-07 1047656]
    "LogMeIn Hamachi Ui"="c:\archivos de programa\LogMeIn Hamachi\hamachi-2-ui.exe" [2011-03-28 1910152]
    "DivXUpdate"="c:\archivos de programa\DivX\DivX Update\DivXUpdate.exe" [2011-03-21 1230704]
    "SunJavaUpdateSched"="c:\archivos de programa\Archivos comunes\Java\Java Update\jusched.exe" [2011-04-08 254696]
    .
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
    .
    c:\documents and settings\All Users\Menú Inicio\Programas\Inicio\
    Adobe Gamma Loader.lnk - c:\archivos de programa\Archivos comunes\Adobe\Calibration\Adobe Gamma Loader.exe [2010-8-5 113664]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
    "QuickTime Task"="c:\archivos de programa\MpcStar\Codecs\QuickTime\QTTask.exe" -atboottime
    "PinnacleDriverCheck"=c:\windows\system32\PSDrvCheck.exe -CheckReg
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring"=dword:00000001
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Archivos de programa\\BitComet\\BitComet.exe"=
    "c:\\Archivos de programa\\Windows Live\\Messenger\\msnmsgr.exe"=
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "10143:TCP"= 10143:TCP:BitComet 10143 TCP
    "10143:UDP"= 10143:UDP:BitComet 10143 UDP
    "23648:TCP"= 23648:TCP:Gnutella
    "23648:UDP"= 23648:UDP:Gnutella
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
    "AllowInboundEchoRequest"= 1 (0x1)
    .
    R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [29/01/2008 05:29 p.m. 33808]
    R0 sptd;sptd;\SystemRoot\\SystemRoot\System32\Drivers\sptd.sys --> \SystemRoot\\SystemRoot\System32\Drivers\sptd.sys [?]
    R2 TuneUp.UtilitiesSvc;TuneUp Utilities Service;c:\archivos de programa\TuneUp Utilities 2011\TuneUpUtilitiesService32.exe [27/10/2010 06:23 p.m. 1483072]
    R3 KLFLTDEV;Kaspersky Lab KLFltDev;c:\windows\system32\drivers\klfltdev.sys [13/03/2008 06:02 p.m. 26640]
    R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [30/04/2008 05:06 p.m. 24592]
    R3 TuneUpUtilitiesDrv;TuneUpUtilitiesDrv;c:\archivos de programa\TuneUp Utilities 2011\TuneUpUtilitiesDriver32.sys [07/10/2010 01:34 p.m. 10064]
    S3 GGSAFERDriver;GGSAFER Driver;\??\c:\archivos de programa\Garena\safedrv.sys --> c:\archivos de programa\Garena\safedrv.sys [?]
    S4 Hamachi2Svc;LogMeIn Hamachi 2.0 Tunneling Engine;c:\archivos de programa\LogMeIn Hamachi\hamachi-2.exe [28/03/2011 04:41 p.m. 1242504]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    p2psvc REG_MULTI_SZ p2psvc p2pimsvc p2pgasvc PNRPSvc
    .
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
    UxTuneUp
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-05-24 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\archivos de programa\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://search.conduit.com?SearchSource=10&ctid=CT2431232
    IE: &D&escargar &con BitComet - c:\archivos de programa\BitComet\BitComet.exe/AddLink.htm
    IE: &D&escargar todo con BitComet - c:\archivos de programa\BitComet\BitComet.exe/AddAllLink.htm
    IE: &Winamp Search - c:\documents and settings\All Users\Datos de programa\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html
    IE: Add to Banner Ad Blocker - c:\archivos de programa\Kaspersky Lab\Kaspersky Internet Security 2009\ie_banner_deny.htm
    IE: E&xportar a Microsoft Excel - c:\archiv~1\MICROS~2\Office10\EXCEL.EXE/3000
    TCP: DhcpNameServer = 192.168.1.254
    DPF: {DAF7E6E6-D53A-439A-B28D-12271406B8A9} - hxxp://mobileapps.blackberry.com/devicesoftware/AxLoader.cab
    FF - ProfilePath - c:\documents and settings\Lord of Chaos\Datos de programa\Mozilla\Firefox\Profiles\6i6unky1.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2431232&SearchSource=3&q={searchTerms}
    FF - prefs.js: browser.search.selectedEngine - softonic.com4 Customized Web Search
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.com.mx/ig
    FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2685&invocationType=tb50ffwinampab&query=
    FF - user.js: network.http.max-persistent-connections-per-server - 4
    FF - user.js: nglayout.initialpaint.delay - 600
    FF - user.js: content.notify.interval - 600000
    FF - user.js: content.max.tokenizing.time - 1800000
    FF - user.js: content.switch.threshold - 600000
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-08-14 18:56
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_USERS\S-1-5-21-789336058-299502267-1417001333-1003\Software\Microsoft\SystemCertificates\AddressBook*]
    @Allowed: (Read) (RestrictedCode)
    @Allowed: (Read) (RestrictedCode)
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'explorer.exe'(984)
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    c:\windows\system32\pelscrll.dll
    c:\windows\system32\PELCOMM.dll
    c:\windows\system32\PELHOOKS.dll
    .
    Completion time: 2011-08-14 19:00:05
    ComboFix-quarantined-files.txt 2011-08-15 00:00
    ComboFix2.txt 2011-08-14 03:45
    ComboFix3.txt 2011-08-14 01:08
    .
    Pre-Run: 7,478,067,200 bytes free
    Post-Run: 7,458,967,552 bytes free
    .
    WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    UnsupportedDebug="do not select this" /debug
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="MICROSOFT WINDOWS XP PRO" /fastdetect
    .
    Current=2 Default=2 Failed=1 LastKnownGood=4 Sets=1,2,3,4
    - - End Of File - - BB743F02EAA08E532C3AACECB1C4A454
     
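Two versions of this machine's boot.ini appear in the thread: the one-entry file the poster pasted after recreating it, and the three-entry file ComboFix printed once it had installed the Recovery Console (the c:\cmdcons\BOOTSECT.DAT entry with /cmdcons and the UnsupportedDebug entry). The script below is an added example for this page, not ComboFix or BootCheck code: it parses a boot.ini, confirms that default= names an existing [operating systems] entry, and flags any entry that is neither an ARC path nor the Recovery Console pair, which is how a boot entry redirected to some other file on disk would show up. Both posted files are embedded as sample input, together with one constructed tampered file; rule names and messages are this example's own.

```python
"""Parse and sanity-check a Windows XP boot.ini.

Added example for this thread; the two boot.ini files posted above are the
sample inputs, plus one constructed tampered file. The check confirms that
[boot loader] default= names an entry in [operating systems], reads each
entry's display name and switches, and flags any entry that is neither an
ARC path (multi(...)/scsi(...)/signature(...)) nor the Recovery Console
pair that ComboFix writes (/cmdcons and its /debug twin). A boot entry
pointing at some other file on disk is how a bootkit-style chainload would
show up in this file. Rule names and messages are this example's own.
"""
import re

# boot.ini as posted before the Recovery Console was installed
BOOT_INI_BEFORE = r"""
[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="MICROSOFT WINDOWS XP PRO" /fastdetect
"""

# boot.ini as printed by ComboFix after it installed the Recovery Console
BOOT_INI_AFTER = r"""
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="MICROSOFT WINDOWS XP PRO" /fastdetect
"""

# constructed: the default entry boots a sector file instead of the Windows ARC path
BOOT_INI_TAMPERED = r"""
[boot loader]
timeout=0
default=c:\ldr.bin
[operating systems]
c:\ldr.bin="MICROSOFT WINDOWS XP PRO" /fastdetect
"""

ARC_RE = re.compile(r"^(multi|scsi|signature)\(", re.IGNORECASE)
ENTRY_RE = re.compile(r'^"([^"]*)"\s*(.*)$')


def parse_boot_ini(text):
    """Return {section: {key: value}}; section names lower-cased, keys kept as-is."""
    sections, current = {}, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            sections.setdefault(current, {})
            continue
        key, _, value = line.partition("=")  # ARC paths never contain '='
        sections.setdefault(current, {})[key.strip()] = value.strip()
    return sections


def parse_entry(value):
    """'"Display name" /switch ...' -> (display name, [switches])."""
    m = ENTRY_RE.match(value)
    if not m:
        return value, []
    return m.group(1), m.group(2).split()


def check_boot_ini(text):
    """Return default, timeout, parsed entries and the list of problems found."""
    sections = parse_boot_ini(text)
    loader = sections.get("boot loader", {})
    systems = sections.get("operating systems", {})
    problems = []

    default = loader.get("default")
    if default is None:
        problems.append("no default= in [boot loader]")
    elif default not in systems:
        problems.append(f"default {default} has no [operating systems] entry")
    if not systems:
        problems.append("[operating systems] is empty")

    try:
        timeout = int(loader.get("timeout", "30"))
    except ValueError:
        timeout = None
        problems.append(f"timeout is not a number: {loader.get('timeout')!r}")

    entries = {}
    for arc, value in systems.items():
        name, switches = parse_entry(value)
        entries[arc] = (name, switches)
        if "/cmdcons" in switches or "/debug" in switches:
            continue  # the Recovery Console pair written by ComboFix
        if not ARC_RE.match(arc):
            problems.append(f"non-ARC boot entry {arc!r} labelled {name!r}")

    return {"default": default, "timeout": timeout,
            "entries": entries, "problems": problems}


if __name__ == "__main__":
    for label, text in [("before", BOOT_INI_BEFORE), ("after", BOOT_INI_AFTER),
                        ("tampered", BOOT_INI_TAMPERED)]:
        r = check_boot_ini(text)
        print(label, "default:", r["default"], "timeout:", r["timeout"])
        for arc, (name, sw) in r["entries"].items():
            print("   ", arc, "->", name, sw)
        print("    problems:", r["problems"] or "none")
```

Running it on an empty string reproduces the situation in posts 13 to 15 (BootCheck printed nothing after "Contents of boot.ini:"): both the missing default and the empty [operating systems] section are reported, which is the state that kept ComboFix from enumerating the boot partition.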
  22. Broni

    Broni Malware Annihilator Posts: 52,898   +344

    Good job :)

    Download OTL to your Desktop.

    • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
    • Click the Scan All Users checkbox.
    • Under the Custom Scan box paste this in:


    netsvcs
    drivers32
    %SYSTEMDRIVE%\*.*
    %systemroot%\Fonts\*.com
    %systemroot%\Fonts\*.dll
    %systemroot%\Fonts\*.ini
    %systemroot%\Fonts\*.ini2
    %systemroot%\Fonts\*.exe
    %systemroot%\system32\spool\prtprocs\w32x86\*.*
    %systemroot%\REPAIR\*.bak1
    %systemroot%\REPAIR\*.ini
    %systemroot%\system32\*.jpg
    %systemroot%\*.jpg
    %systemroot%\*.png
    %systemroot%\*.scr
    %systemroot%\*._sy
    %APPDATA%\Adobe\Update\*.*
    %ALLUSERSPROFILE%\Favorites\*.*
    %APPDATA%\Microsoft\*.*
    %PROGRAMFILES%\*.*
    %APPDATA%\Update\*.*
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT
    %systemroot%\System32\config\*.sav
    %PROGRAMFILES%\bak. /s
    %systemroot%\system32\bak. /s
    %ALLUSERSPROFILE%\Start Menu\*.lnk /x
    %systemroot%\system32\config\systemprofile\*.dat /x
    %systemroot%\*.config
    %systemroot%\system32\*.db
    %APPDATA%\Microsoft\Internet Explorer\Quick Launch\*.lnk /x
    %USERPROFILE%\Desktop\*.exe
    %PROGRAMFILES%\Common Files\*.*
    %systemroot%\*.src
    %systemroot%\install\*.*
    %systemroot%\system32\DLL\*.*
    %systemroot%\system32\HelpFiles\*.*
    %systemroot%\system32\rundll\*.*
    %systemroot%\winn32\*.*
    %systemroot%\Java\*.*
    %systemroot%\system32\test\*.*
    %systemroot%\system32\Rundll32\*.*
    %systemroot%\AppPatch\Custom\*.*
    %APPDATA%\Roaming\Microsoft\Windows\Recent\*.lnk /x
    %PROGRAMFILES%\PC-Doctor\Downloads\*.*
    %PROGRAMFILES%\Internet Explorer\*.tmp
    %PROGRAMFILES%\Internet Explorer\*.dat
    %USERPROFILE%\My Documents\*.exe
    %USERPROFILE%\*.exe
    %systemroot%\ADDINS\*.*
    %systemroot%\assembly\*.bak2
    %systemroot%\Config\*.*
    %systemroot%\REPAIR\*.bak2
    %systemroot%\SECURITY\Database\*.sdb /x
    %systemroot%\SYSTEM\*.bak2
    %systemroot%\Web\*.bak2
    %systemroot%\Driver Cache\*.*
    %PROGRAMFILES%\Mozilla Firefox\0*.exe
    %ProgramFiles%\Microsoft Common\*.*
    %ProgramFiles%\TinyProxy.
    %USERPROFILE%\Favorites\*.url /x
    %systemroot%\system32\*.bk
    %systemroot%\*.te
    %systemroot%\system32\system32\*.*
    %ALLUSERSPROFILE%\*.dat /x
    %systemroot%\system32\drivers\*.rmv
    dir /b "%systemroot%\system32\*.exe" | find /i " " /c
    dir /b "%systemroot%\*.exe" | find /i " " /c
    %PROGRAMFILES%\Microsoft\*.*
    %systemroot%\System32\Wbem\proquota.exe
    %PROGRAMFILES%\Mozilla Firefox\*.dat
    %USERPROFILE%\Cookies\*.txt /x
    %SystemRoot%\system32\fonts\*.*
    %systemroot%\system32\winlog\*.*
    %systemroot%\system32\Language\*.*
    %systemroot%\system32\Settings\*.*
    %systemroot%\system32\*.quo
    %SYSTEMROOT%\AppPatch\*.exe
    %SYSTEMROOT%\inf\*.exe
    %SYSTEMROOT%\Installer\*.exe
    %systemroot%\system32\config\*.bak2
    %systemroot%\system32\Computers\*.*
    %SystemRoot%\system32\Sound\*.*
    %SystemRoot%\system32\SpecialImg\*.*
    %SystemRoot%\system32\code\*.*
    %SystemRoot%\system32\draft\*.*
    %SystemRoot%\system32\MSSSys\*.*
    %ProgramFiles%\Javascript\*.*
    %systemroot%\pchealth\helpctr\System\*.exe /s
    %systemroot%\Web\*.exe
    %systemroot%\system32\msn\*.*
    %systemroot%\system32\*.tro
    %AppData%\Microsoft\Installer\msupdates\*.*
    %ProgramFiles%\Messenger\*.*
    %systemroot%\system32\systhem32\*.*
    %systemroot%\system\*.exe
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs
    /md5start
    /md5stop


    • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.
     
  23. Chaos999

    Chaos999 TS Rookie Topic Starter Posts: 19

    This is not working =(

    I did as you told, and also disabled Kaspersky to ensure no interruptions. The scan starts all right and goes for a couple of minutes, but when it gets to "scanning firefox setting" it won't progress any more. I left it for around 40 minutes and nothing happened, and the window wasn't responding any more, so I closed it, rebooted the PC and ran it again, left it for over an hour but to no good.

    What should I do?
     
  24. Broni

    Broni Malware Annihilator Posts: 52,898   +344

    Uninstall Firefox temporarily and try again.
     
  25. Chaos999

    Chaos999 TS Rookie Topic Starter Posts: 19

    Still not working. I have uninstalled Firefox, but OTL still freezes at "scanning firefox settings", as if it were still installed, even after rebooting the PC. Also, three pieces of news:

    Kaspersky is now displaying the out-of-date databases warning; should I update or let it be until the repair is finished?

    For some reason the "hide system hidden files" option is now unchecking itself every time I reboot the PC, so now I see the thumbs file in every folder, among other things. Perhaps it has something to do with the unfinished OTL scan.... =(

    Also, please let me know when I can reinstall Firefox (or some other browser), because it was the only web browser I had (other than IE), and it's quite difficult to post here with my extremely obsolete IE v6.0.
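    The hidden-files checkbox flipping back after every reboot, as reported above, is driven by a handful of registry values. The following PowerShell audit is an added example (not code from this thread, from OTL or from ComboFix) that records those values, flags ones whose value or type differs from the Windows XP defaults, and diffs against a saved baseline after a reboot so the exact value that changed can be seen; the default values and the baseline file path are assumptions stated in the comments.

```powershell
# Added example (not from the thread): audit the registry values behind Explorer's
# "Show hidden files and folders" and "Hide protected operating system files"
# options. Expected values are the Windows XP defaults; a value of the wrong type
# (REG_SZ instead of REG_DWORD) or a CheckedValue equal to UncheckedValue is a
# common reason the checkbox "won't stick".
$adv = 'Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
$expected = @(
    @{ Key="HKLM:\$adv\Folder\Hidden\SHOWALL";  Name='CheckedValue';   Value=1 },
    @{ Key="HKLM:\$adv\Folder\Hidden\NOHIDDEN"; Name='CheckedValue';   Value=2 },
    @{ Key="HKLM:\$adv\Folder\SuperHidden";     Name='CheckedValue';   Value=0 },
    @{ Key="HKLM:\$adv\Folder\SuperHidden";     Name='UncheckedValue'; Value=1 }
)

function Get-HiddenFilesAudit {
    foreach ($e in $expected) {
        $item = Get-Item -Path $e.Key -ErrorAction SilentlyContinue
        $actual = $null; $kind = 'Missing'
        if ($item -and ($item.GetValueNames() -contains $e.Name)) {
            $actual = $item.GetValue($e.Name)
            $kind   = $item.GetValueKind($e.Name).ToString()
        }
        New-Object PSObject -Property @{
            Key = "$($e.Key)\$($e.Name)"; Expected = $e.Value
            Actual = $actual; Type = $kind
            OK = ($kind -eq 'DWord' -and $actual -eq $e.Value)   # wrong type also fails
        }
    }
    # Per-user state Explorer actually applies: Hidden 1 = show, 2 = hide;
    # ShowSuperHidden 1 = show protected OS files, 0 = hide them.
    $user = Get-ItemProperty -Path "HKCU:\$adv" -ErrorAction SilentlyContinue
    foreach ($n in 'Hidden', 'ShowSuperHidden') {
        New-Object PSObject -Property @{
            Key = "HKCU:\$adv\$n"; Expected = '(user choice)'
            Actual = $user.$n; Type = 'DWord'; OK = ($null -ne $user.$n)
        }
    }
}

# Run once to save a baseline (assumed path), reboot, run again to see exactly
# which value changed; whatever rewrites it is what to look for in the scan logs.
$baseline = "$env:USERPROFILE\hidden-audit-baseline.xml"
if (-not (Test-Path $baseline)) {
    Get-HiddenFilesAudit | Export-Clixml -Path $baseline
} else {
    Compare-Object (Import-Clixml $baseline) (Get-HiddenFilesAudit) -Property Key, Actual, Type
}
Get-HiddenFilesAudit | Format-Table Key, Expected, Actual, Type, OK -AutoSize
```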
     
Topic Status:
Not open for further replies.
