  #1  
June 18th, 2007, 10:49 PM
Panky
Member
 
Join Date: Mar 2007
Posts: 56
Tang.A virus

Hello, sorry to bother once again, but this time there's a virus infecting some .exes here and some .exes there; it's a little bothersome... the name is the one I placed in the title.
Once I knew I was infected, I disabled the sys rest, scanned over with AVG (it only removed cookies), and cleaned with ATF-Cleaner. But I have the sensation the virus is there anyway :S Can you check this please?

Logfile of HijackThis v1.99.1
Scan saved at 18:41, on 2007-06-18
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\Archivos de programa\Eset\nod32kui.exe
C:\Archivos de programa\MessengerPlus! 3\MsgPlus.exe
C:\Archivos de programa\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Archivos de programa\QuickTime\qttask.exe
C:\Archivos de programa\Java\jre1.5.0_03\bin\jusched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Archivos de programa\Archivos comunes\Autodesk Shared\Service\AdskScSrv.exe
C:\Archivos de programa\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Archivos de programa\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Archivos de programa\Archivos comunes\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Archivos de programa\Eset\nod32krn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Archivos de programa\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\System32\svchost.exe
C:\Archivos de programa\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Archivos de programa\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Archivos de programa\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Archivos de programa\Internet Explorer\iexplore.exe
C:\Archivos de programa\Internet Explorer\iexplore.exe
C:\Archivos de programa\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Archivos de programa\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Archivos de programa\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: PDF de Adobe - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Archivos de programa\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Acceso directo a la página de propiedades de High Definition Audio] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [nod32kui] "C:\Archivos de programa\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Archivos de programa\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Archivos de programa\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Archivos de programa\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Archivos de programa\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - Global Startup: Adobe Gamma.lnk = C:\Archivos de programa\Archivos comunes\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &Translate English Word - res://c:\archivos de programa\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Convertir a PDF de Adobe - res://C:\Archivos de programa\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convertir a PDF existente - res://C:\Archivos de programa\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convertir destino de vínculo a PDF existente - res://C:\Archivos de programa\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convertir destino de vínculo en archivo PDF de Adobe - res://C:\Archivos de programa\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convertir selección a archivo PDF existente - res://C:\Archivos de programa\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convertir selección a PDF de Adobe - res://C:\Archivos de programa\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convertir vínculos seleccionados a PDF de Adobe - res://C:\Archivos de programa\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convertir vínculos seleccionados a PDF existente - res://C:\Archivos de programa\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\ARCHIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: RapidShare-Download - res://C:\DOCUME~1\ADMINI~1\CONFIG~1\Temp\ir_ext_temp_1\AutoPlay\Docs\more-rapid.exe/RsMenExt.html
O8 - Extra context menu item: Translate Page into English - res://c:\archivos de programa\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Referencia - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARCHIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\archivos de programa\bonjour\mdnsnsp.dll
O16 - DPF: {7B41B7AC-3496-4C13-A70F-DE6B60A6A8A8} (MGAME manager Class) - http://www.legendofares.com/download...nagerv1001.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/game...Plugin9USA.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary...n.cab31267.cab
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Archivos de programa\Archivos comunes\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Archivos de programa\Archivos comunes\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Archivos de programa\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Archivos de programa\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Archivos de programa\Archivos comunes\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Archivos de programa\Archivos comunes\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Archivos de programa\Archivos comunes\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Archivos de programa\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Archivos de programa\Viewpoint\Common\ViewpointService.exe

COMBOFIX

"Administrador" - 2007-06-18 15:15:56 Service Pack 2 [SAFE MODE]
ComboFix 07-05.09.V - Running from: "C:\Documents and Settings\Administrador\Escritorio\bx\"


((((((((((((((((((((((((((((((( Files Created from 2007-05-06 to 2007-06-18 ))))))))))))))))))))))))))))))))))


2007-06-18 02:42 <DIR> d-------- C:\Archivos de programa\The Rosetta Stone
2007-06-17 17:27 84,992 -rahs---- C:\eraseme_57013.exe
2007-06-17 14:25 84,992 -rahs---- C:\eraseme_16540.exe
2007-06-16 16:43 <DIR> d-------- C:\Archivos de programa\Legend Of Ares
2007-06-16 10:43 84,992 -rahs---- C:\eraseme_15628.exe
2007-06-16 10:38 84,992 -rahs---- C:\eraseme_88770.exe
2007-06-12 19:35 167,936 --a------ C:\WINDOWS\system32\Engine3D021206.dll
2007-06-11 18:48 <DIR> d-------- C:\Archivos de programa\Synthetic Aperture
2007-06-08 17:10 <DIR> d-------- C:\DOCUME~1\ADMINI~1\Configuración local
2007-06-06 18:11 20,016 --------- C:\WINDOWS\system32\drivers\pxhelp20.sys
2007-06-06 16:50 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\DATOSD~1\AVS4YOU
2007-06-06 16:49 <DIR> d-------- C:\Archivos de programa\AVSMedia
2007-06-05 16:33 691 --a------ C:\WINDOWS\mozver.dat
2007-06-03 19:38 <DIR> d--h----- C:\WINDOWS\system32\GroupPolicy
2007-06-02 20:51 <DIR> d-------- C:\DOCUME~1\ADMINI~1\DATOSD~1\Ahead
2007-06-02 20:49 <DIR> d-------- C:\Archivos de programa\Nero
2007-06-02 20:49 <DIR> d-------- C:\Archivos de programa\Archivos comunes\Ahead
2007-05-31 20:05 <DIR> d-------- C:\Archivos de programa\Populous Reincarnated
2007-05-30 18:57 24,576 --a------ C:\WINDOWS\system32\EALTEST.EXE
2007-05-30 18:57 132,096 --a------ C:\WINDOWS\system32\EAEXEC.EXE
2007-05-30 18:56 <DIR> d-------- C:\Archivos de programa\bullfrog
2007-05-27 14:25 <DIR> d-------- C:\Fotos para trbajo panky
2007-05-26 20:37 <DIR> d-------- C:\Archivos de programa\MKVTOAVI
2007-05-26 04:39 <DIR> d-------- C:\POWERCG
2007-05-26 04:38 95,744 --a------ C:\WINDOWS\system32\FFX2.dll
2007-05-26 04:38 585,216 --a------ C:\WINDOWS\system32\FFX2dlg.dll
2007-05-26 04:35 137,728 --a------ C:\WINDOWS\UNNSTALL.EXE
2007-05-24 15:55 <DIR> d-------- C:\Archivos de programa\aws
2007-05-21 15:04 <DIR> d-------- C:\DOCUME~1\ADMINI~1\DATOSD~1\Orbit
2007-05-20 22:39 <DIR> d-------- C:\Downloads
2007-05-20 22:35 <DIR> d-------- C:\DOCUME~1\ADMINI~1\DATOSD~1\FlashGet
2007-05-20 22:34 <DIR> d-------- C:\Archivos de programa\FlashGet


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-06-18 16:19:38 -------- d-----w C:\Archivos de programa\HJT
2007-06-18 13:52:43 -------- d-----w C:\DOCUME~1\ADMINI~1\DATOSD~1\dvdcss
2007-06-18 05:42:55 -------- d-----w C:\Archivos de programa\QuickTime
2007-06-17 02:47:07 -------- d-----w C:\Archivos de programa\Valve
2007-06-17 02:47:00 -------- d-----w C:\Archivos de programa\sXe Injected
2007-06-16 19:43:08 -------- d--h--w C:\Archivos de programa\InstallShield Installation Information
2007-06-08 16:23:12 -------- d-----w C:\Archivos de programa\Hamachi
2007-06-06 19:50:11 -------- d-----w C:\Archivos de programa\Archivos comunes\AVSMedia
2007-06-05 23:06:15 -------- d-----w C:\DOCUME~1\ADMINI~1\DATOSD~1\gtk-2.0
2007-06-05 19:33:49 -------- d-----w C:\Archivos de programa\DivX
2007-06-04 22:33:42 -------- d-----w C:\DOCUME~1\ADMINI~1\DATOSD~1\BSplayer Pro
2007-05-31 23:03:29 -------- d-----w C:\DOCUME~1\ADMINI~1\DATOSD~1\Hamachi
2007-05-25 02:20:40 25,544 ----a-w C:\WINDOWS\system32\drivers\hamachi.sys
2007-05-13 15:46:11 -------- d-----w C:\Archivos de programa\XviD
2007-05-13 15:46:09 -------- d-----w C:\Archivos de programa\AMVapp
2007-05-13 15:46:08 -------- d-----w C:\Archivos de programa\AviSynth 2.5
2007-05-13 15:46:07 -------- d-----w C:\Archivos de programa\DVD Decrypter
2007-05-13 15:46:04 -------- d-----w C:\Archivos de programa\DVD Decrypter(2)
2007-05-13 15:46:03 -------- d-----w C:\Archivos de programa\XviD(2)
2007-05-12 20:54:35 -------- d-----w C:\DOCUME~1\ADMINI~1\DATOSD~1\GeoVid
2007-05-11 22:49:45 -------- d-----w C:\Archivos de programa\Soulseek
2007-05-07 00:13:08 531,294 ----a-w C:\WINDOWS\system32\perfh00A.dat
2007-05-07 00:13:08 107,368 ----a-w C:\WINDOWS\system32\perfc00A.dat
2007-05-07 00:06:25 -------- d-----w C:\Archivos de programa\EA GAMES
2007-05-02 16:56:06 -------- d-----w C:\Archivos de programa\Webteh
2007-05-02 16:43:07 -------- d-----w C:\DOCUME~1\ADMINI~1\DATOSD~1\BSplayer
2007-05-01 21:33:49 -------- d-----w C:\Archivos de programa\Firefly Studios
2007-05-01 04:23:17 -------- d-----w C:\Archivos de programa\Microsoft Games
2007-04-27 20:44:48 58,652 ----a-w C:\Archivos de programa\AMVapp-uninst.exe
2007-04-25 19:26:57 46 ----a-w C:\WINDOWS\winomnifile.dat
2007-04-25 18:55:17 -------- d-----w C:\Archivos de programa\A4Proxy
2007-04-23 00:15:18 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll
2007-04-23 00:15:18 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll
2007-04-16 05:00:31 -------- d-----w C:\Archivos de programa\Pinnacle
2007-04-15 18:02:16 -------- d-----w C:\Archivos de programa\Archivos comunes\Macrovision Shared
2007-04-15 18:01:21 -------- d-----w C:\Archivos de programa\Bonjour
2007-04-11 00:44:48 -------- d-----w C:\Archivos de programa\Archivos comunes\Canopus Shared
2007-04-11 00:44:44 -------- d-----w C:\Archivos de programa\Canopus
2007-03-30 16:31:44 98,304 ----a-w C:\WINDOWS\system32CmdLineExt.dll
2007-03-30 02:24:45 19 ----a-w C:\WINDOWS\popcinfo.dat
2007-03-16 03:55:58 40,960 ----a-w C:\WINDOWS\system32\frapsvid.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"nwiz"="nwiz.exe /install"
"Acceso directo a la página de propiedades de High Definition Audio"="HDAudPropShortcut.exe"
"SoundMan"="SOUNDMAN.EXE"
"AlcWzrd"="ALCWZRD.EXE"
"Alcmtr"="ALCMTR.EXE"
"nod32kui"="\"C:\\Archivos de programa\\Eset\\nod32kui.exe\" /WAITSERVICE"
"MessengerPlus3"="\"C:\\Archivos de programa\\MessengerPlus! 3\\MsgPlus.exe\""
"Acrobat Assistant 7.0"="\"C:\\Archivos de programa\\Adobe\\Acrobat 7.0\\Distillr\\Acrotray.exe\""
@=""
"QuickTime Task"="\"C:\\Archivos de programa\\QuickTime\\qttask.exe\" -atboottime"
"SunJavaUpdateSched"="C:\\Archivos de programa\\Java\\jre1.5.0_03\\bin\\jusched.exe"
"NvMediaCenter"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvMcTray.dll,NvTaskbarInit"
"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"MSConfig"="C:\\WINDOWS\\PCHealth\\HelpCtr\\Binaries\\MSConfig.exe /auto"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoCDBurning"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="C:\Archivos de programa\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" [x]


HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages msv1_0\0\0
Security Packages kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages scecli\0\0



HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\daemon tools
"C:\Archivos de programa\DAEMON Tools\daemon.exe" -lang 1033

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updatemgr
"C:\Archivos de programa\Adobe\Acrobat 7.0\Acrobat\AdobeUpdateManager.exe" AcPro7_0_9 -reboot 1


[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter HTTPFilter\0\0
LocalService Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService DnsCache\0\0
DcomLaunch DcomLaunch\0TermService\0\0
rpcss RpcSs\0\0
imgsvc StiSvc\0\0
termsvcs TermService\0\0
WudfServiceGroup WUDFSvc\0\0

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost


********************************************************************

catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-18 15:37:32
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


********************************************************************

Completion time: 2007-06-18 15:43:02
C:\ComboFix-quarantined-files.txt ... 2007-06-18 15:43
C:\ComboFix2.txt ... 2007-05-10 07:03

"Silent Runners.vbs", revision R50, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"NvCplDaemon" = "RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup" [MS]
"nwiz" = "nwiz.exe /install" ["NVIDIA Corporation"]
"Acceso directo a la página de propiedades de High Definition Audio" = "HDAudPropShortcut.exe" ["Windows (R) Server 2003 DDK provider"]
"SoundMan" = "SOUNDMAN.EXE" ["Realtek Semiconductor Corp."]
"AlcWzrd" = "ALCWZRD.EXE" ["RealTek Semicoductor Corp."]
"Alcmtr" = "ALCMTR.EXE" ["Realtek Semiconductor Corp."]
"nod32kui" = ""C:\Archivos de programa\Eset\nod32kui.exe" /WAITSERVICE" ["Eset "]
"MessengerPlus3" = ""C:\Archivos de programa\MessengerPlus! 3\MsgPlus.exe"" ["Patchou"]
"Acrobat Assistant 7.0" = ""C:\Archivos de programa\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"" ["Adobe Systems Inc."]
"(Default)" = "(empty string)" [file not found]
"QuickTime Task" = ""C:\Archivos de programa\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."]
"SunJavaUpdateSched" = "C:\Archivos de programa\Java\jre1.5.0_03\bin\jusched.exe" ["Sun Microsystems, Inc."]
"NvMediaCenter" = "RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit" [MS]
"NeroFilterCheck" = "C:\WINDOWS\system32\NeroCheck.exe" ["Ahead Software Gmbh"]
"MSConfig" = "C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Adobe PDF Reader Link Helper"
\InProcServer32\(Default) = "C:\Archivos de programa\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{AE7CD045-E861-484f-8273-0445EE161910}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Adobe PDF Conversion Toolbar Helper"
\InProcServer32\(Default) = "C:\Archivos de programa\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll" ["Adobe Systems Incorporated"]


  #2  
June 18th, 2007, 10:49 PM
Panky
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Archivos de programa\Microsoft Office\OFFICE11\msohev.dll" [MS]
"{D25B2CAB-8A9A-4517-A9B2-CB5F68A5A802}" = "Adobe.Acrobat.ContextMenu"
-> {HKLM...CLSID} = "Acrobat Elements Context Menu"
\InProcServer32\(Default) = "C:\Archivos de programa\Adobe\Acrobat 7.0\Acrobat Elements\ContextMenu.dll" ["Adobe Systems Inc."]
"{6DEA92E9-8682-4b6a-97DE-354772FE5727}" = "Autodesk DWF Preview"
-> {HKLM...CLSID} = "ACDWFTHMBPRXY"
\InProcServer32\(Default) = "C:\Archivos de programa\Archivos comunes\Autodesk Shared\AcDwfThmbPrxy16.dll" ["Autodesk"]
"{8f7261d0-d2b9-11d2-9909-00605205b24c}" = "CuteFTP 8 Professional Shell Extension"
-> {HKLM...CLSID} = "CuteFTP 8 Professional Shell Extension"
\InProcServer32\(Default) = "C:\Archivos de programa\GlobalSCAPE\CuteFTP 8 Professional\CuteShell.dll" ["GlobalSCAPE Texas, LP."]
"{A70C977A-BF00-412C-90B7-034C51DA2439}" = "NvCpl DesktopContext Class"
-> {HKLM...CLSID} = "DesktopContext Class"
\InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]
"{FFB699E0-306A-11d3-8BD1-00104B6F7516}" = "Play on my TV helper"
-> {HKLM...CLSID} = "NVIDIA CPL Extension"
\InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]
"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"
-> {HKLM...CLSID} = "Desktop Explorer"
\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A48}" = "nView Desktop Context Menu"
-> {HKLM...CLSID} = "nView Desktop Context Menu"
\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{E0D79304-84BE-11CE-9641-444553540000}" = "WinZip"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\ARCHIV~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing LP"]
"{E0D79305-84BE-11CE-9641-444553540000}" = "WinZip"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\ARCHIV~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing LP"]
"{E0D79306-84BE-11CE-9641-444553540000}" = "WinZip"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\ARCHIV~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing LP"]
"{E0D79307-84BE-11CE-9641-444553540000}" = "WinZip"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\ARCHIV~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing LP"]
"{B327765E-D724-4347-8B16-78AE18552FC3}" = "NeroDigitalIconHandler"
-> {HKLM...CLSID} = "NeroDigitalIconHandler Class"
\InProcServer32\(Default) = "C:\Archivos de programa\Archivos comunes\Ahead\lib\NeroDigitalExt.dll" ["Nero AG"]
"{7F1CF152-04F8-453A-B34C-E609530A9DC8}" = "NeroDigitalPropSheetHandler"
-> {HKLM...CLSID} = "NeroDigitalPropSheetHandler Class"
\InProcServer32\(Default) = "C:\Archivos de programa\Archivos comunes\Ahead\lib\NeroDigitalExt.dll" ["Nero AG"]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Archivos de programa\WinRAR\rarext.dll" [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
<<!>> "{57B86673-276A-48B2-BAE7-C6DBB3020EB8}" = "AVG Anti-Spyware 7.5"
-> {HKLM...CLSID} = "CShellExecuteHookImpl Object"
\InProcServer32\(Default) = "C:\Archivos de programa\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" [file not found]

HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
"WPDShServiceObj" = "{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"
-> {HKLM...CLSID} = "WPDShServiceObj Class"
\InProcServer32\(Default) = "C:\WINDOWS\system32\WPDShServiceObj.dll" [MS]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows\
"AppInit_DLLs" = (value not set)

HKLM\Software\Classes\PROTOCOLS\Filter\
<<!>> text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Archivos de programa\Archivos comunes\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS]

HKLM\Software\Classes\Folder\shellex\ColumnHandlers\
{7D4D6379-F301-4311-BEBA-E26EB0561882}\(Default) = "NeroDigitalExt.NeroDigitalColumnHandler"
-> {HKLM...CLSID} = "NeroDigitalColumnHandler Class"
\InProcServer32\(Default) = "C:\Archivos de programa\Archivos comunes\Ahead\lib\NeroDigitalExt.dll" ["Nero AG"]
{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"
-> {HKLM...CLSID} = "PDF Shell Extension"
\InProcServer32\(Default) = "C:\Archivos de programa\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
Adobe.Acrobat.ContextMenu\(Default) = "{D25B2CAB-8A9A-4517-A9B2-CB5F68A5A802}"
-> {HKLM...CLSID} = "Acrobat Elements Context Menu"
\InProcServer32\(Default) = "C:\Archivos de programa\Adobe\Acrobat 7.0\Acrobat Elements\ContextMenu.dll" ["Adobe Systems Inc."]
AVG Anti-Spyware\(Default) = "{8934FCEF-F5B8-468f-951F-78A921CD3920}"
-> {HKLM...CLSID} = "CContextScan Object"
\InProcServer32\(Default) = "C:\Archivos de programa\Grisoft\AVG Anti-Spyware 7.5\context.dll" ["Anti-Malware Development a.s."]
CuteFTP 8 Professional\(Default) = "{8f7261d0-d2b9-11d2-9909-00605205b24c}"
-> {HKLM...CLSID} = "CuteFTP 8 Professional Shell Extension"
\InProcServer32\(Default) = "C:\Archivos de programa\GlobalSCAPE\CuteFTP 8 Professional\CuteShell.dll" ["GlobalSCAPE Texas, LP."]
NOD32 Context Menu Shell Extension\(Default) = "{B089FE88-FB52-11d3-BDF1-0050DA34150D}"
-> {HKLM...CLSID} = "NOD32 Context Menu Shell Extension"
\InProcServer32\(Default) = "C:\Archivos de programa\Eset\nodshex.dll" ["Eset "]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Archivos de programa\WinRAR\rarext.dll" [null data]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\ARCHIV~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing LP"]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
AVG Anti-Spyware\(Default) = "{8934FCEF-F5B8-468f-951F-78A921CD3920}"
-> {HKLM...CLSID} = "CContextScan Object"
\InProcServer32\(Default) = "C:\Archivos de programa\Grisoft\AVG Anti-Spyware 7.5\context.dll" ["Anti-Malware Development a.s."]
CuteFTP 8 Professional\(Default) = "{8f7261d0-d2b9-11d2-9909-00605205b24c}"
-> {HKLM...CLSID} = "CuteFTP 8 Professional Shell Extension"
\InProcServer32\(Default) = "C:\Archivos de programa\GlobalSCAPE\CuteFTP 8 Professional\CuteShell.dll" ["GlobalSCAPE Texas, LP."]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Archivos de programa\WinRAR\rarext.dll" [null data]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\ARCHIV~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing LP"]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
NOD32 Context Menu Shell Extension\(Default) = "{B089FE88-FB52-11d3-BDF1-0050DA34150D}"
-> {HKLM...CLSID} = "NOD32 Context Menu Shell Extension"
\InProcServer32\(Default) = "C:\Archivos de programa\Eset\nodshex.dll" ["Eset "]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Archivos de programa\WinRAR\rarext.dll" [null data]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\ARCHIV~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing LP"]


Group Policies {GPedit.msc branch and setting}:
-----------------------------------------------

Note: detected settings may not have any effect.

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\

"NoCDBurning" = (REG_DWORD) hex:0x00000000
{unrecognized setting}

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\

"DisableRegistryTools" = (REG_DWORD) hex:0x00000000
{User Configuration|Administrative Templates|System|
Prevent access to registry editing tools}

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\

"shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Shutdown: Allow system to be shut down without having to log on}

"undockwithoutlogon" = (REG_DWORD) hex:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Devices: Allow undock without having to log on}


Active Desktop and Wallpaper:
-----------------------------

Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\WINDOWS\system32\config\systemprofile\Configuración local\Datos de programa\Microsoft\Wallpaper1.bmp"

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\Administrador\Configuración local\Datos de programa\Microsoft\Wallpaper1.bmp"


Startup items in "Administrador" & "All Users" startup folders:
---------------------------------------------------------------

C:\Documents and Settings\All Users\Menú Inicio\Programas\Inicio
"Adobe Gamma" -> shortcut to: "C:\Archivos de programa\Archivos comunes\Adobe\Calibration\Adobe Gamma Loader.exe" ["Adobe Systems, Inc."]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000004\LibraryPath = "C:\Archivos de programa\Bonjour\mdnsNSP.dll" ["Apple Computer, Inc."]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 19
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\
"{47833539-D0C5-4125-9FA8-0819E2EAAC93}"
-> {HKLM...CLSID} = "PDF de Adobe"
\InProcServer32\(Default) = "C:\Archivos de programa\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll" ["Adobe Systems Incorporated"]

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{EF99BD32-C1FB-11D2-892F-0090271D4F88}"
-> {HKLM...CLSID} = "Yahoo! Toolbar"
\InProcServer32\(Default) = "C:\Archivos de programa\Yahoo!\Companion\Installs\cpn\yt.dll" [file not found]
"{47833539-D0C5-4125-9FA8-0819E2EAAC93}"
-> {HKLM...CLSID} = "PDF de Adobe"
\InProcServer32\(Default) = "C:\Archivos de programa\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll" ["Adobe Systems Incorporated"]

HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{47833539-D0C5-4125-9FA8-0819E2EAAC93}" = (no title provided)
-> {HKLM...CLSID} = "PDF de Adobe"
\InProcServer32\(Default) = "C:\Archivos de programa\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll" ["Adobe Systems Incorporated"]

Explorer Bars

HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\
{182EC0BE-5110-49C8-A062-BEB1D02A220B}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Adobe PDF"
\InProcServer32\(Default) = "C:\Archivos de programa\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll" ["Adobe Systems Incorporated"]

HKLM\Software\Classes\CLSID\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\(Default) = "&Referencia"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "C:\ARCHIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL" [MS]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{92780B25-18CC-41C8-B9BE-3C9C571A8263}\
"ButtonText" = "Referencia"

{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Archivos de programa\Messenger\msmsgs.exe" [MS]


All Non-Disabled Services (Display Name, Service Name, Path {Service DLL}):
---------------------------------------------------------------------------

##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762##, Bonjour Service, ""C:\Archivos de programa\Bonjour\mDNSResponder.exe"" ["Apple Computer, Inc."]
.NET Runtime Optimization Service v2.0.50727_X86, clr_optimization_v2.0.50727_32, "C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe" [MS]
Adaptador de rendimiento de WMI, WmiApSrv, "C:\WINDOWS\system32\wbem\wmiapsrv.exe" [MS]
Adobe LM Service, Adobe LM Service, ""C:\Archivos de programa\Archivos comunes\Adobe Systems Shared\Service\Adobelmsvc.exe"" ["Adobe Systems"]
ASP.NET State Service, aspnet_state, "C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe" [MS]
Autodesk Licensing Service, Autodesk Licensing Service, ""C:\Archivos de programa\Archivos comunes\Autodesk Shared\Service\AdskScSrv.exe"" ["Autodesk"]
AVG Anti-Spyware Guard, AVG Anti-Spyware Guard, "C:\Archivos de programa\Grisoft\AVG Anti-Spyware 7.5\guard.exe" ["Anti-Malware Development a.s."]
FLEXnet Licensing Service, FLEXnet Licensing Service, ""C:\Archivos de programa\Archivos comunes\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe"" ["Macrovision Europe Ltd."]
InstallDriver Table Manager, IDriverT, ""C:\Archivos de programa\Archivos comunes\InstallShield\Driver\11\Intel 32\IDriverT.exe"" ["Macrovision Corporation"]
Machine Debug Manager, MDM, ""C:\Archivos de programa\Archivos comunes\Microsoft Shared\VS7DEBUG\MDM.EXE"" [MS]
Macromedia Licensing Service, Macromedia Licensing Service, ""C:\Archivos de programa\Archivos comunes\Macromedia Shared\Service\Macromedia Licensing.exe"" [null data]
MSSQL$SONY_MEDIAMGR, MSSQL$SONY_MEDIAMGR, "C:\Archivos de programa\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlservr.exe -sSONY_MEDIAMGR" [MS]
MSSQLServerADHelper, MSSQLServerADHelper, "C:\Archivos de programa\Microsoft SQL Server\80\Tools\Binn\sqladhlp.exe" [MS]
NOD32 Kernel Service, NOD32krn, ""C:\Archivos de programa\Eset\nod32krn.exe"" ["Eset "]
NVIDIA Display Driver Service, NVSvc, "C:\WINDOWS\system32\nvsvc32.exe" ["NVIDIA Corporation"]
Office Source Engine, ose, ""C:\Archivos de programa\Archivos comunes\Microsoft Shared\Source Engine\OSE.EXE"" [MS]
Servicio de aprovisionamiento de red, xmlprov, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\xmlprov.dll" [MS]}
Servicio del administrador de discos lógicos, dmadmin, "C:\WINDOWS\System32\dmadmin.exe /com" ["Microsoft Corp., VERITAS Software"]
Servicio del número de serie de medio portátil, WmdmPmSN, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\system32\MsPMSNSv.dll" [MS]}
SQLAgent$SONY_MEDIAMGR, SQLAgent$SONY_MEDIAMGR, "C:\Archivos de programa\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlagent.EXE -i SONY_MEDIAMGR" [MS]
User Privilege Service, usprserv, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {(missing data)}
Viewpoint Manager Service, Viewpoint Manager Service, ""C:\Archivos de programa\Viewpoint\Common\ViewpointService.exe"" ["Viewpoint Corporation"]


Print Monitors:
---------------

HKLM\System\CurrentControlSet\Control\Print\Monitors\
Adobe PDF Port\Driver = "C:\WINDOWS\system32\AdobePDF.dll" ["Adobe Systems Incorporated."]
Microsoft Document Imaging Writer Monitor\Driver = "mdimon.dll" [MS]


----------
<<!>>: Suspicious data at a malware launch point.

+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
DLL launch points, use the -supp parameter or answer "No" at the
first message box and "Yes" at the second message box.
---------- (total run time: 106 seconds, including 4 seconds for message boxes)

#3
June 19th, 2007, 06:24 PM
Acrobaze
Malware Removal Team
Join Date: Nov 2003
O/S: Windows 10 Home
Location: France
Posts: 11,994
Hi,

We'll begin with this tool:
Please download SDFix from here and save it to your desktop.

Reboot into Safe Mode (at startup tap the F8 key and select Safe Mode).


In Safe Mode, double-click on SDFix.exe and allow it to extract to its own folder. Open the extracted folder and double-click RunThis.bat to start the script.

Type Y to begin the script. It will remove the Trojan services, then make some repairs to the registry and prompt you to press any key to reboot. When you hit any key, your computer will reboot. Your system will take longer than normal to restart as the fix tool will be running and removing files.

When your desktop loads, the utility will complete the removal and display Finished. Press any key again to end the script and load your desktop icons. Finally open the SDFix folder on your desktop and copy and paste the contents of Report.txt back in this thread with a new HijackThis log and a new ComboFix log please.

#4
June 19th, 2007, 09:24 PM
Panky
Member
Join Date: Mar 2007
Posts: 56
SDFix: Version 1.88

Run by Administrador on 2007-06-19 at 16:31

Microsoft Windows XP [Versión 5.1.2600]

Running From: C:\DOCUME~1\ADMINI~1\ESCRIT~1\bx\SDFix

Safe Mode:
Checking Services:






Restoring Windows Registry Values
Restoring Windows Default Hosts File
Restoring Missing Security Center Service

Rebooting...


Normal Mode:
Checking Files:

Below files will be copied to Backups folder then removed:

C:\Documents and Settings\Administrador\Datos de programa\addon.dat - Deleted
C:\WINDOWS\system32\plugin1.dat - Deleted



Removing Temp Files...

ADS Check:

Checking C:\WINDOWS
C:\WINDOWS
No streams found.

Checking C:\WINDOWS\system32
C:\WINDOWS\system32
No streams found.

Checking C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
No streams found.

Checking C:\WINDOWS\system32\ntoskrnl.exe
C:\WINDOWS\system32\ntoskrnl.exe
No streams found.



Final Check:

Remaining Services:
------------------



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Archivos de programa\\MSN Messenger\\msnmsgr.exe"="C:\\Archivos de programa\\MSN Messenger\\msnmsgr.exe:*:Enabled:MSN Messenger"
"C:\\Archivos de programa\\BitLord\\BitLord.exe"="C:\\Archivos de programa\\BitLord\\BitLord.exe:*:Enabled:BitLord"
"C:\\Archivos de programa\\Valve\\hl.exe"="C:\\Archivos de programa\\Valve\\hl.exe:*:Enabled:Half-Life Launcher"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

Remaining Files:
---------------

Backups Folder: - C:\DOCUME~1\ADMINI~1\ESCRIT~1\bx\SDFix\backups\backups.zip

Listing Files with Hidden Attributes:

C:\Archivos de programa\Autodesk\Autodesk DWF Viewer\_Setupx.dll
C:\eraseme_15628.exe
C:\eraseme_16540.exe
C:\eraseme_57013.exe
C:\eraseme_88770.exe
C:\Archivos de programa\Autodesk\Autodesk DWF Viewer\Setup.exe
C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp

Listing User Accounts:


Administrador Asistente de ayuda ASPNET
Invitado IUSR_PANKY IWAM_PANKY
SUPPORT_388945a0
The command completed successfully.


Finished

Logfile of HijackThis v1.99.1
Scan saved at 17:17, on 2007-06-19
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Archivos de programa\Archivos comunes\Autodesk Shared\Service\AdskScSrv.exe
C:\Archivos de programa\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Archivos de programa\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Archivos de programa\Archivos comunes\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Archivos de programa\Eset\nod32krn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Archivos de programa\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Archivos de programa\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\Archivos de programa\Eset\nod32kui.exe
C:\Archivos de programa\MessengerPlus! 3\MsgPlus.exe
C:\Archivos de programa\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Archivos de programa\QuickTime\qttask.exe
C:\Archivos de programa\Java\jre1.5.0_03\bin\jusched.exe
C:\WINDOWS\System32\svchost.exe
C:\Archivos de programa\Internet Explorer\iexplore.exe
C:\Archivos de programa\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Archivos de programa\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Archivos de programa\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: PDF de Adobe - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Archivos de programa\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Acceso directo a la página de propiedades de High Definition Audio] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [nod32kui] "C:\Archivos de programa\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Archivos de programa\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Archivos de programa\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Archivos de programa\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Archivos de programa\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - Global Startup: Adobe Gamma.lnk = C:\Archivos de programa\Archivos comunes\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &Translate English Word - res://c:\archivos de programa\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Convertir a PDF de Adobe - res://C:\Archivos de programa\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convertir a PDF existente - res://C:\Archivos de programa\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convertir destino de vínculo a PDF existente - res://C:\Archivos de programa\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convertir destino de vínculo en archivo PDF de Adobe - res://C:\Archivos de programa\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convertir selección a archivo PDF existente - res://C:\Archivos de programa\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convertir selección a PDF de Adobe - res://C:\Archivos de programa\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convertir vínculos seleccionados a PDF de Adobe - res://C:\Archivos de programa\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convertir vínculos seleccionados a PDF existente - res://C:\Archivos de programa\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\ARCHIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: RapidShare-Download - res://C:\DOCUME~1\ADMINI~1\CONFIG~1\Temp\ir_ext_temp_1\AutoPlay\Docs\more-rapid.exe/RsMenExt.html
O8 - Extra context menu item: Translate Page into English - res://c:\archivos de programa\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Referencia - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARCHIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\archivos de programa\bonjour\mdnsnsp.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
O16 - DPF: {7B41B7AC-3496-4C13-A70F-DE6B60A6A8A8} (MGAME manager Class) - http://www.legendofares.com/download...nagerv1001.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/game...Plugin9USA.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary...n.cab31267.cab
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Archivos de programa\Archivos comunes\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Archivos de programa\Archivos comunes\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Archivos de programa\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Archivos de programa\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Archivos de programa\Archivos comunes\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Archivos de programa\Archivos comunes\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Archivos de programa\Archivos comunes\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Archivos de programa\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Archivos de programa\Viewpoint\Common\ViewpointService.exe

"Administrador" - 2007-06-19 17:18:21 Service Pack 2
ComboFix 07-05.09.V - Running from: "C:\Documents and Settings\Administrador\Escritorio\bx\"


((((((((((((((((((((((((((((((( Files Created from 2007-05-06 to 2007-06-19 ))))))))))))))))))))))))))))))))))


2007-06-18 21:35 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-06-18 21:35 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\DATOSD~1\Kaspersky Lab
2007-06-18 02:42 <DIR> d-------- C:\Archivos de programa\The Rosetta Stone
2007-06-17 17:27 84,992 -rahs---- C:\eraseme_57013.exe
2007-06-17 14:25 84,992 -rahs---- C:\eraseme_16540.exe
2007-06-16 16:43 <DIR> d-------- C:\Archivos de programa\Legend Of Ares
2007-06-16 10:43 84,992 -rahs---- C:\eraseme_15628.exe
2007-06-16 10:38 84,992 -rahs---- C:\eraseme_88770.exe
2007-06-12 19:35 167,936 --a------ C:\WINDOWS\system32\Engine3D021206.dll
2007-06-11 18:48 <DIR> d-------- C:\Archivos de programa\Synthetic Aperture
2007-06-08 17:10 <DIR> d-------- C:\DOCUME~1\ADMINI~1\Configuración local
2007-06-06 18:11 20,016 --------- C:\WINDOWS\system32\drivers\pxhelp20.sys
2007-06-06 16:50 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\DATOSD~1\AVS4YOU
2007-06-06 16:49 <DIR> d-------- C:\Archivos de programa\AVSMedia
2007-06-05 16:33 691 --a------ C:\WINDOWS\mozver.dat
2007-06-03 19:38 <DIR> d--h----- C:\WINDOWS\system32\GroupPolicy
2007-06-02 20:51 <DIR> d-------- C:\DOCUME~1\ADMINI~1\DATOSD~1\Ahead
2007-06-02 20:49 <DIR> d-------- C:\Archivos de programa\Nero
2007-06-02 20:49 <DIR> d-------- C:\Archivos de programa\Archivos comunes\Ahead
2007-05-31 20:05 <DIR> d-------- C:\Archivos de programa\Populous Reincarnated
2007-05-30 18:57 24,576 --a------ C:\WINDOWS\system32\EALTEST.EXE
2007-05-30 18:57 132,096 --a------ C:\WINDOWS\system32\EAEXEC.EXE
2007-05-30 18:56 <DIR> d-------- C:\Archivos de programa\bullfrog
2007-05-27 14:25 <DIR> d-------- C:\Fotos para trbajo panky
2007-05-26 20:37 <DIR> d-------- C:\Archivos de programa\MKVTOAVI
2007-05-26 04:39 <DIR> d-------- C:\POWERCG
2007-05-26 04:38 95,744 --a------ C:\WINDOWS\system32\FFX2.dll
2007-05-26 04:38 585,216 --a------ C:\WINDOWS\system32\FFX2dlg.dll
2007-05-26 04:35 137,728 --a------ C:\WINDOWS\UNNSTALL.EXE
2007-05-24 15:55 <DIR> d-------- C:\Archivos de programa\aws
2007-05-21 15:04 <DIR> d-------- C:\DOCUME~1\ADMINI~1\DATOSD~1\Orbit
2007-05-20 22:39 <DIR> d-------- C:\Downloads
2007-05-20 22:35 <DIR> d-------- C:\DOCUME~1\ADMINI~1\DATOSD~1\FlashGet
2007-05-20 22:34 <DIR> d-------- C:\Archivos de programa\FlashGet


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-06-19 20:17:55 -------- d-----w C:\Archivos de programa\HJT
2007-06-19 00:50:31 -------- d-----w C:\Archivos de programa\Valve
2007-06-19 00:50:25 -------- d-----w C:\Archivos de programa\sXe Injected
2007-06-18 13:52:43 -------- d-----w C:\DOCUME~1\ADMINI~1\DATOSD~1\dvdcss
2007-06-18 05:42:55 -------- d-----w C:\Archivos de programa\QuickTime
2007-06-16 19:43:08 -------- d--h--w C:\Archivos de programa\InstallShield Installation Information
2007-06-08 16:23:12 -------- d-----w C:\Archivos de programa\Hamachi
2007-06-06 19:50:11 -------- d-----w C:\Archivos de programa\Archivos comunes\AVSMedia
2007-06-05 23:06:15 -------- d-----w C:\DOCUME~1\ADMINI~1\DATOSD~1\gtk-2.0
2007-06-05 19:33:49 -------- d-----w C:\Archivos de programa\DivX
2007-06-04 22:33:42 -------- d-----w C:\DOCUME~1\ADMINI~1\DATOSD~1\BSplayer Pro
2007-05-31 23:03:29 -------- d-----w C:\DOCUME~1\ADMINI~1\DATOSD~1\Hamachi
2007-05-25 02:20:40 25,544 ----a-w C:\WINDOWS\system32\drivers\hamachi.sys
2007-05-13 15:46:11 -------- d-----w C:\Archivos de programa\XviD
2007-05-13 15:46:09 -------- d-----w C:\Archivos de programa\AMVapp
2007-05-13 15:46:08 -------- d-----w C:\Archivos de programa\AviSynth 2.5
2007-05-13 15:46:07 -------- d-----w C:\Archivos de programa\DVD Decrypter
2007-05-13 15:46:04 -------- d-----w C:\Archivos de programa\DVD Decrypter(2)
2007-05-13 15:46:03 -------- d-----w C:\Archivos de programa\XviD(2)
2007-05-12 20:54:35 -------- d-----w C:\DOCUME~1\ADMINI~1\DATOSD~1\GeoVid
2007-05-11 22:49:45 -------- d-----w C:\Archivos de programa\Soulseek
2007-05-07 00:13:08 531,294 ----a-w C:\WINDOWS\system32\perfh00A.dat
2007-05-07 00:13:08 107,368 ----a-w C:\WINDOWS\system32\perfc00A.dat
2007-05-07 00:06:25 -------- d-----w C:\Archivos de programa\EA GAMES
2007-05-02 16:56:06 -------- d-----w C:\Archivos de programa\Webteh
2007-05-02 16:43:07 -------- d-----w C:\DOCUME~1\ADMINI~1\DATOSD~1\BSplayer
2007-05-01 21:33:49 -------- d-----w C:\Archivos de programa\Firefly Studios
2007-05-01 04:23:17 -------- d-----w C:\Archivos de programa\Microsoft Games
2007-04-27 20:44:48 58,652 ----a-w C:\Archivos de programa\AMVapp-uninst.exe
2007-04-25 19:26:57 46 ----a-w C:\WINDOWS\winomnifile.dat
2007-04-25 18:55:17 -------- d-----w C:\Archivos de programa\A4Proxy
2007-04-23 00:15:18 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll
2007-04-23 00:15:18 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll
2007-04-16 05:00:31 -------- d-----w C:\Archivos de programa\Pinnacle
2007-04-15 18:02:16 -------- d-----w C:\Archivos de programa\Archivos comunes\Macrovision Shared
2007-04-15 18:01:21 -------- d-----w C:\Archivos de programa\Bonjour
2007-04-11 00:44:48 -------- d-----w C:\Archivos de programa\Archivos comunes\Canopus Shared
2007-04-11 00:44:44 -------- d-----w C:\Archivos de programa\Canopus
2007-03-30 16:31:44 98,304 ----a-w C:\WINDOWS\system32CmdLineExt.dll
2007-03-30 02:24:45 19 ----a-w C:\WINDOWS\popcinfo.dat
2007-03-16 03:55:58 40,960 ----a-w C:\WINDOWS\system32\frapsvid.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"nwiz"="nwiz.exe /install"
"Acceso directo a la página de propiedades de High Definition Audio"="HDAudPropShortcut.exe"
"SoundMan"="SOUNDMAN.EXE"
"AlcWzrd"="ALCWZRD.EXE"
"Alcmtr"="ALCMTR.EXE"
"nod32kui"="\"C:\\Archivos de programa\\Eset\\nod32kui.exe\" /WAITSERVICE"
"MessengerPlus3"="\"C:\\Archivos de programa\\MessengerPlus! 3\\MsgPlus.exe\""
"Acrobat Assistant 7.0"="\"C:\\Archivos de programa\\Adobe\\Acrobat 7.0\\Distillr\\Acrotray.exe\""
"QuickTime Task"="\"C:\\Archivos de programa\\QuickTime\\qttask.exe\" -atboottime"
"SunJavaUpdateSched"="C:\\Archivos de programa\\Java\\jre1.5.0_03\\bin\\jusched.exe"
"NvMediaCenter"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvMcTray.dll,NvTaskbarInit"
"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoCDBurning"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="C:\Archivos de programa\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" [x]


HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages msv1_0\0\0
Security Packages kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages scecli\0\0



HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\daemon tools
"C:\Archivos de programa\DAEMON Tools\daemon.exe" -lang 1033

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updatemgr
"C:\Archivos de programa\Adobe\Acrobat 7.0\Acrobat\AdobeUpdateManager.exe" AcPro7_0_9 -reboot 1


[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter HTTPFilter\0\0
LocalService Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService DnsCache\0\0
DcomLaunch DcomLaunch\0TermService\0\0
rpcss RpcSs\0\0
imgsvc StiSvc\0\0
termsvcs TermService\0\0
WudfServiceGroup WUDFSvc\0\0

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost


********************************************************************

catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-19 17:19:39
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


********************************************************************

Completion time: 2007-06-19 17:19:47
C:\ComboFix-quarantined-files.txt ... 2007-06-19 17:19
C:\ComboFix2.txt ... 2007-06-18 15:43
C:\ComboFix3.txt ... 2007-05-10 07:03
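An added example, not part of the thread and not SDFix's or ComboFix's own code: a small Python triage script over the two listings in the post above that carry the signal in this case, the ComboFix file listing ("Files Created" / "Find3M Report" layout) and SDFix's "Authorized Application Key Export". It flags executables with hidden+system attributes, executables sitting in a drive root, and clusters of executables sharing one exact size (the four eraseme_*.exe files above are all three), and it lists enabled Windows Firewall exceptions whose binary lives outside the usual program directories or whose value name disagrees with the path in its data. The sample lines are typed in from the logs above, except for one constructed firewall line marked in the code; the trusted-prefix list and the executable-extension list are assumptions made for this example.

```python
import re
from collections import defaultdict

# --- Constructed sample input ---------------------------------------------
# Lines in the layout ComboFix prints under "Files Created" and "Find3M
# Report", typed in from the log above so the script runs offline.
SAMPLE_FILES = r"""
2007-06-18 21:35 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-06-17 17:27 84,992 -rahs---- C:\eraseme_57013.exe
2007-06-17 14:25 84,992 -rahs---- C:\eraseme_16540.exe
2007-06-16 10:43 84,992 -rahs---- C:\eraseme_15628.exe
2007-06-16 10:38 84,992 -rahs---- C:\eraseme_88770.exe
2007-06-12 19:35 167,936 --a------ C:\WINDOWS\system32\Engine3D021206.dll
2007-05-25 02:20:40 25,544 ----a-w C:\WINDOWS\system32\drivers\hamachi.sys
2007-06-19 20:17:55 -------- d-----w C:\Archivos de programa\HJT
"""

# Lines in the layout of SDFix's "Authorized Application Key Export"
# (HKLM\...\FirewallPolicy\StandardProfile\AuthorizedApplications\List).
# The LAST line is constructed and is NOT in the report above; it is here
# only to exercise the check.
SAMPLE_FIREWALL = r"""
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Archivos de programa\\BitLord\\BitLord.exe"="C:\\Archivos de programa\\BitLord\\BitLord.exe:*:Enabled:BitLord"
"C:\\eraseme_57013.exe"="C:\\eraseme_57013.exe:*:Enabled:Windows Update"
"""

FILE_LINE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}(?::\d{2})?) "
    r"(?P<size><DIR>|-+|[\d,]+) (?P<attrs>[-a-z]+) (?P<path>.+)$"
)
DRIVE_ROOT = re.compile(r"^[A-Za-z]:\\[^\\]+$")
# Assumed for this example: extensions treated as executable code.
EXEC_EXT = (".exe", ".dll", ".sys", ".scr", ".com", ".pif")


def parse_file_line(line):
    """Return a dict for one ComboFix file line, or None for any other line."""
    m = FILE_LINE.match(line.strip())
    if not m:
        return None
    size, attrs = m["size"], m["attrs"]  # attrs: d r a h s ... letters, '-' if unset
    return {
        "path": m["path"],
        "is_dir": size == "<DIR>" or "d" in attrs,
        "size": int(size.replace(",", "")) if size[0].isdigit() else None,
        "hidden": "h" in attrs,
        "system": "s" in attrs,
    }


def triage_files(text):
    """Flag hidden+system executables, executables in a drive root, and groups
    of executables sharing one exact size: a dropper writing copies of itself
    usually produces all three at once."""
    entries = [e for e in map(parse_file_line, text.splitlines()) if e]
    execs = [e for e in entries
             if not e["is_dir"] and e["path"].lower().endswith(EXEC_EXT)]
    by_size = defaultdict(list)
    for e in execs:
        if e["size"] is not None:
            by_size[e["size"]].append(e["path"])
    return {
        "hidden_system": [e["path"] for e in execs if e["hidden"] and e["system"]],
        "drive_root": [e["path"] for e in execs if DRIVE_ROOT.match(e["path"])],
        "size_clusters": {s: p for s, p in by_size.items() if len(p) > 1},
    }


FW_LINE = re.compile(r'^"(?P<key>[^"]+)"="(?P<value>[^"]+)"$')
# Assumed for this example: directories an exception is expected to point into.
TRUSTED_PREFIXES = ("%windir%\\", "c:\\windows\\",
                    "c:\\archivos de programa\\", "c:\\program files\\")


def parse_firewall_line(line):
    """Parse one exported AuthorizedApplications value (path:scope:mode:name)."""
    m = FW_LINE.match(line.strip())
    if not m:
        return None
    key = m["key"].replace("\\\\", "\\")
    # rsplit from the right keeps the drive-letter colon inside the path
    path, scope, mode, name = m["value"].replace("\\\\", "\\").rsplit(":", 3)
    return {"key": key, "path": path, "scope": scope,
            "enabled": mode.lower() == "enabled", "name": name}


def triage_firewall(text):
    """Return enabled exceptions whose binary is outside a trusted directory or
    whose value name does not match the path stored in its data."""
    flagged = []
    for e in filter(None, map(parse_firewall_line, text.splitlines())):
        if not e["enabled"]:
            continue
        if not e["path"].lower().startswith(TRUSTED_PREFIXES) or e["key"] != e["path"]:
            flagged.append(e)
    return flagged


if __name__ == "__main__":
    for kind, hits in triage_files(SAMPLE_FILES).items():
        print(kind, hits)
    for e in triage_firewall(SAMPLE_FIREWALL):
        print("firewall exception to review:", e["path"], "->", e["name"])
```

Run it as a script to print the findings, or import it and call triage_files / triage_firewall on a pasted report. On the logs actually posted above the firewall export holds nothing unexpected, which matches the moderator's reading; the file listing is where the four 84,992-byte hidden+system executables in C:\ stand out, and the size cluster is what makes them worth treating as one family rather than four unrelated files.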

#5
June 19th, 2007, 09:58 PM
Acrobaze
Malware Removal Team
Join Date: Nov 2003
O/S: Windows 10 Home
Location: France
Posts: 11,994
OK. Then now:

1- Download the attached file and save it to your C:\ drive. When saved, the file path
should be C:\Yourfile.txt

----------

Download and unzip Avenger to your desktop.
Check Load Script from File and then click the folder Icon on the right side of that section.
Then browse to C:\Yourfile.txt and click open to load it.
Then click the “green light” icon. This will begin execution of the script currently
in memory.
After you have clicked on the “green light” to begin execution of a script, The Avenger
will set itself up to run the next time you reboot your computer, and then will prompt you
to restart immediately.

After your system restarts, a log file should open with the results of Avenger’s actions.
This log file is located at C:\avenger.txt. The Avenger will also have backed up all the
files, etc., that you asked it to delete, and will have zipped them and moved the zip
archives to C:\avenger\backups.zip.

After the reboot :

2- I see that you have AVG Anti-Spyware 7.5 installed. So: run it, but only update it.
(If their server is too busy, then download and install the full database from HERE.)
Now close AVG Anti-Spyware.

3- Reboot into Safe Mode. At startup tap F8 and select Safe Mode.

Make sure all windows are closed and run AVG Anti-Spyware. Click Scanner, then click on the Scan tab. Click Complete System Scan to begin scanning. When the scan is complete click Recommended Action and change it to Quarantine. Then click Apply all actions.

Once the scan has finished, click the Save report button, then click Save Report As. This will create a text file. Make sure you know where to find this file again.

4- Then reboot back to Normal Mode. Run a new scan with HijackThis and post that and the AVG Anti-Spyware log back here please.
Attached Files
File Type: txt Yourfile.txt (116 Bytes, 4 views)

#6
June 19th, 2007, 10:10 PM
Panky
Member
Join Date: Mar 2007
Posts: 56
I have run AVG Anti-Spyware a few times, and it's also updated. I'm doing the Avenger thing (which I don't think will do anything, since NOD32 is the one that keeps deleting those "erasemeXX.exe" files). Thanks

#7
June 19th, 2007, 10:12 PM
Panky
Member
Join Date: Mar 2007
Posts: 56
Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\mvtxegkw

*******************

Script file located at: \??\C:\tctcsnyi.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

File C:\eraseme_57013.exe deleted successfully.
File C:\eraseme_16540.exe deleted successfully.
File C:\eraseme_15628.exe deleted successfully.
File C:\eraseme_88770.exe deleted successfully.

Completed script processing.

*******************

Finished! Terminate.

#8
June 19th, 2007, 10:23 PM
Acrobaze
Malware Removal Team
Join Date: Nov 2003
O/S: Windows 10 Home
Location: France
Posts: 11,994
OK. They are deleted now.

I don't see anything wrong in either the HijackThis log or the SilentRunners one.

To finish, I recommend this online scan, to clean up any possible remnants that we can't see from the logs:
http://www.pandasoftware.com/products/activescan.htm
It doesn't delete what it finds, but at the end, you can save its report and copy/paste it here.