PLZ help: trojan/virus eating my computer very fast


This topic is locked. 17 replies to this topic.

#1 Moe_J_AK
Authentic Member, 110 posts

Posted 02 May 2008 - 02:19 PM

Hi there, please, I need help: a trojan/virus is eating my PC. It changed my home page; opening my PC takes up to 2 minutes, and just getting in here and writing a post takes up to 5 minutes. It displays thousands of pop-ups and gives me a warning in the task bar that my PC is being attacked, etc. etc. etc. The antivirus won't do anything either. Please help, I need it.

Here is my HJT log

Logfile of HijackThis v1.99.1
Scan saved at 16:18, on 2008-05-02
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Archivos de programa\IVT Corporation\BlueSoleil\BTNtService.exe
C:\Archivos de programa\Archivos comunes\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Archivos de programa\Eset\nod32krn.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Archivos de programa\Sunbelt Software\Personal Firewall\kpf4ss.exe
C:\Archivos de programa\HP\HP Software Update\HPWuSchd2.exe
C:\Archivos de programa\Eset\nod32kui.exe
C:\Archivos de programa\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Archivos de programa\Windows Live\Messenger\MsnMsgr.Exe
C:\Archivos de programa\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Archivos de programa\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\WgaTray.exe
C:\Archivos de programa\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\Archivos de programa\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Archivos de programa\Archivos comunes\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Archivos de programa\Java\jre1.6.0_03\bin\jucheck.exe
C:\Archivos de programa\Internet Explorer\iexplore.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://internetsearchservice.com
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://internetsearchservice.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://internetsearchservice.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://internetsearc...ce.com/ie6.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://internetsearchservice.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://internetsearchservice.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://internetsearc...ce.com/ie6.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://internetsearchservice.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://internetsearchservice.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://internetsearchservice.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Archivos de programa\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: 527631 helper - {54160F28-994B-48DD-8D83-1B2F6B9EB054} - C:\WINDOWS\system32\527631\527631.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Archivos de programa\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Aplicación auxiliar de inicio de sesión - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Archivos de programa\Archivos comunes\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Archivos de programa\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\archivos de programa\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Archivos de programa\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Archivos de programa\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\es-la\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Archivos de programa\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\es-la\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\archivos de programa\google\googletoolbar2.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [HP Software Update] C:\Archivos de programa\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [nod32kui] "C:\Archivos de programa\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Archivos de programa\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Archivos de programa\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSKAGENTEXE] C:\ARCHIV~1\McAfee\SPAMKI~1\MSKAgent.exe
O4 - HKCU\..\Run: [comrepl] C:\WINDOWS\system32\comrepl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Archivos de programa\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\ARCHIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Enlace de descarga usando Mega Manager... - C:\Archivos de programa\Megaupload\Mega Manager\mm_file.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Consola de Sun Java - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Archivos de programa\Yahoo!\Messenger\yhexbmeses.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Archivos de programa\Yahoo!\Messenger\yhexbmeses.dll
O9 - Extra button: PalTalk - {4EAFEF58-EEFA-4116-983D-03B49BCBFFFE} - C:\Archivos de programa\Paltalk Messenger\Paltalk.exe (file missing)
O9 - Extra button: Referencia - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARCHIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop...p/PCPitStop.CAB
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zon...kr.cab56986.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcaf...83/mcinsctl.cab
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemreq.../sysreqlab2.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {BAE1D8DF-0B35-47E3-A1E7-EEB3FF2ECD19} (CPlayFirstddfotgControl Object) - http://aolsvc.aol.co...tg.1.0.0.33.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcaf...,20/mcgdmgr.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zon...nt.cab56907.cab
O16 - DPF: {CAFEEFAC-0014-0000-0000-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0) -
O17 - HKLM\System\CCS\Services\Tcpip\..\{CD62540E-21C1-468E-9A13-5D8F84C3411C}: NameServer = 85.255.114.109,85.255.112.149
O17 - HKLM\System\CCS\Services\Tcpip\..\{D4255FE7-61EE-4176-B32D-969BE7660FE2}: NameServer = 85.255.114.109,85.255.112.149
O17 - HKLM\System\CCS\Services\Tcpip\..\{D7CDDF3A-F833-4191-9093-C7E23BE1A7BF}: NameServer = 85.255.114.109,85.255.112.149
O17 - HKLM\System\CCS\Services\Tcpip\..\{DE3B6EE4-2B16-414B-9EF4-7256D807DC35}: NameServer = 85.255.114.109,85.255.112.149
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.114.109 85.255.112.149
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.114.109 85.255.112.149
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARCHIV~1\WINDOW~4\MESSEN~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARCHIV~1\WINDOW~4\MESSEN~1\MSGRAP~1.DLL
O20 - AppInit_DLLs: C:\ARCHIV~1\Google\GOOGLE~3\GOEC62~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Archivos de programa\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: khfGwWNf - C:\WINDOWS\SYSTEM32\khfGwWNf.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Apache Tomcat 4.1 - Alexandria Software Consulting - C:\Archivos de programa\Apache Group\Tomcat 4.1\bin\tomcat.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Archivos de programa\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Archivos de programa\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Archivos de programa\Archivos comunes\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Archivos de programa\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Sunbelt Personal Firewall 4 (SPF4) - Sunbelt Software - C:\Archivos de programa\Sunbelt Software\Personal Firewall\kpf4ss.exe

Please help... any help will be much appreciated.
Thanks in advance...



#2 pskelley
R.I.P Always in our hearts
Authentic Member, 3,879 posts
Interests: Computers, fishing, biking, basketball, travel

Posted 10 May 2008 - 05:17 PM

Welcome back to WhattheTech. You are infected; I suggest you keep this computer offline except when troubleshooting, as the junk may download more. If you have any tool I use, delete it and download it fresh from the link I provide. Read and follow the directions carefully; the tools will not work unless you do.
This can be a tough infection to remove, so do not expect it to be fast or easy. If that works for you, start like this.

1) Your HJT log is out of date; follow these instructions:

Download Trend Micro Hijack This™
http://download.blee.../HJTInstall.exe
Doubleclick the HJTInstall.exe to start it.
By default it will install HijackThis in the Program Files\Trendmicro folder and create a desktop shortcut.
HijackThis will open after install. Press the Scan button below.
This will start the scan and open a log.
Copy and paste the contents of the log in your next reply using Add Reply.

Thanks
MS-MVP Windows Security 2007-8-9 Proud Member ASAP UNITE Member 2006

#3 Moe_J_AK
Authentic Member, 110 posts

Posted 10 May 2008 - 07:46 PM

Hi there =)
OK, here is my new HJT log with the new version.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:45, on 2008-05-10
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Archivos de programa\IVT Corporation\BlueSoleil\BTNtService.exe
C:\Archivos de programa\Archivos comunes\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Archivos de programa\Eset\nod32krn.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Archivos de programa\HP\HP Software Update\HPWuSchd2.exe
C:\Archivos de programa\Eset\nod32kui.exe
C:\Archivos de programa\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Archivos de programa\Windows Live\Messenger\MsnMsgr.Exe
C:\Archivos de programa\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\System32\alg.exe
C:\Archivos de programa\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Archivos de programa\Java\jre1.6.0_03\bin\jucheck.exe
C:\WINDOWS\system32\rundll32.exe
C:\Archivos de programa\Internet Explorer\iexplore.exe
C:\Archivos de programa\Archivos comunes\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\WINDOWS\system32\rundll32.exe
C:\Archivos de programa\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://internetsearchservice.com
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://internetsearchservice.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://internetsearchservice.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://internetsearc...ce.com/ie6.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://internetsearchservice.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://internetsearchservice.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://internetsearc...ce.com/ie6.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://internetsearchservice.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://internetsearchservice.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://internetsearchservice.com
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Archivos de programa\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\es-la\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\archivos de programa\google\googletoolbar2.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [HP Software Update] C:\Archivos de programa\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [nod32kui] "C:\Archivos de programa\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Archivos de programa\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [BMcb2eff53] Rundll32.exe "C:\WINDOWS\system32\vsclbrfh.dll",s
O4 - HKLM\..\Run: [c81dcccf] rundll32.exe "C:\WINDOWS\system32\clxjjglq.dll",b
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Archivos de programa\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSKAGENTEXE] C:\ARCHIV~1\McAfee\SPAMKI~1\MSKAgent.exe
O4 - HKCU\..\Run: [comrepl] C:\WINDOWS\system32\comrepl.exe
O4 - HKLM\..\Policies\Explorer\Run: [some] C:\Archivos de programa\NetProject\scit.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVICIO LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Servicio de red')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Archivos de programa\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\ARCHIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Enlace de descarga usando Mega Manager... - C:\Archivos de programa\Megaupload\Mega Manager\mm_file.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Consola de Sun Java - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Archivos de programa\Yahoo!\Messenger\yhexbmeses.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Archivos de programa\Yahoo!\Messenger\yhexbmeses.dll
O9 - Extra button: PalTalk - {4EAFEF58-EEFA-4116-983D-03B49BCBFFFE} - C:\Archivos de programa\Paltalk Messenger\Paltalk.exe (file missing)
O9 - Extra button: Referencia - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARCHIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop...p/PCPitStop.CAB
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zon...kr.cab56986.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcaf...83/mcinsctl.cab
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemreq.../sysreqlab2.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {BAE1D8DF-0B35-47E3-A1E7-EEB3FF2ECD19} (CPlayFirstddfotgControl Object) - http://aolsvc.aol.co...tg.1.0.0.33.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcaf...,20/mcgdmgr.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zon...nt.cab56907.cab
O16 - DPF: {CAFEEFAC-0014-0000-0000-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0) -
O17 - HKLM\System\CCS\Services\Tcpip\..\{CD62540E-21C1-468E-9A13-5D8F84C3411C}: NameServer = 85.255.114.109,85.255.112.149
O17 - HKLM\System\CCS\Services\Tcpip\..\{D4255FE7-61EE-4176-B32D-969BE7660FE2}: NameServer = 85.255.114.109,85.255.112.149
O17 - HKLM\System\CCS\Services\Tcpip\..\{DE3B6EE4-2B16-414B-9EF4-7256D807DC35}: NameServer = 85.255.114.109,85.255.112.149
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.114.109 85.255.112.149
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.114.109 85.255.112.149
O20 - AppInit_DLLs: C:\ARCHIV~1\Google\GOOGLE~3\GOEC62~1.DLL
O23 - Service: Apache Tomcat 4.1 - Alexandria Software Consulting - C:\Archivos de programa\Apache Group\Tomcat 4.1\bin\tomcat.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Archivos de programa\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Archivos de programa\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Archivos de programa\Archivos comunes\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Archivos de programa\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Sunbelt Personal Firewall 4 (SPF4) - Sunbelt Software - C:\Archivos de programa\Sunbelt Software\Personal Firewall\kpf4ss.exe

--
End of file - 8982 bytes

Thanks a lot...
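Both HJT logs above carry the same four hijack signals: R0/R1 search settings pointing at a host the owner never chose, O2 BHOs that are either fileless or live under system32, O4 entries that autostart a system32 DLL through rundll32, O17 NameServer values that differ from what the router or ISP would hand out, and an O20 Winlogon Notify DLL nobody installed. The script below is an added example (Python), not code from this thread or from HijackThis; it pulls those lines out of a log automatically. The expected DNS range, the known search hosts and the two DLL allowlists are assumptions chosen for this demo and must be set from the machine being examined; the sample lines are copied from the logs above.

```python
"""Triage a HijackThis log for the hijack indicators visible in the logs above.

Added example, not part of the original posts or of HijackThis itself.
The expected DNS range, the known search hosts and the two allowlists are
assumptions made for this demo; set them from the machine being examined.
"""
import re
from ipaddress import ip_address, ip_network

# Assumption: resolvers this machine should be using (router / ISP range).
EXPECTED_DNS = [ip_network("192.168.1.0/24")]
# Assumption: search/start-page hosts the owner configured on purpose.
KNOWN_SEARCH_HOSTS = {"yahoo.com", "www.yahoo.com", "google.com", "www.google.com"}
# Assumption: rundll32-loaded and Winlogon Notify DLLs known to be legitimate here.
KNOWN_RUNDLL = {"nvcpl.dll", "nvmctray.dll"}
KNOWN_NOTIFY = {"saswinlo.dll", "wgalogon.dll"}

SYSTEM32 = re.compile(r'^c:\\windows\\system32\\', re.I)
RE_R = re.compile(r'^R[01] - .* = (?P<url>https?://\S+)$', re.I)
RE_O2 = re.compile(r'^O2 - BHO: .*? - \{[0-9A-F-]+\} - (?P<path>.+)$', re.I)
RE_O4 = re.compile(r'^O4 - .*rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+\.dll)"?,(?P<export>\w+)', re.I)
RE_O17 = re.compile(r'^O17 - .*NameServer = (?P<servers>[\d.,\s]+)$', re.I)
RE_O20 = re.compile(r'^O20 - Winlogon Notify: \S+ - (?P<path>.+)$', re.I)


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def _host(url):
    return re.sub(r"^https?://", "", url, flags=re.I).split("/")[0].lower()


def triage(lines):
    """Return [(log line, reason)] for every line that needs a second look."""
    findings = []
    for raw in lines:
        line = raw.strip()
        if m := RE_O17.match(line):
            bad = []
            for tok in re.split(r"[,\s]+", m["servers"].strip()):
                try:
                    if not any(ip_address(tok) in net for net in EXPECTED_DNS):
                        bad.append(tok)
                except ValueError:
                    bad.append(tok)  # not even a valid address: flag it
            if bad:
                findings.append((line, "DNS server outside expected range: " + ", ".join(bad)))
        elif m := RE_R.match(line):
            host = _host(m["url"])
            if host not in KNOWN_SEARCH_HOSTS:
                findings.append((line, f"IE search/start page redirected to {host}"))
        elif m := RE_O4.match(line):
            dll = m["dll"]
            if SYSTEM32.match(dll) and _basename(dll) not in KNOWN_RUNDLL:
                findings.append((line, f"rundll32 autostarts {_basename(dll)} (export {m['export']}) from system32"))
        elif m := RE_O20.match(line):
            if _basename(m["path"]) not in KNOWN_NOTIFY:
                findings.append((line, f"Winlogon Notify DLL {_basename(m['path'])} not on allowlist"))
        elif m := RE_O2.match(line):
            if "(no file)" in m["path"]:
                findings.append((line, "BHO registered but its file is missing"))
            elif SYSTEM32.match(m["path"]):
                findings.append((line, "BHO loaded from system32"))
    return findings


# Constructed sample: a handful of lines copied from the two logs in this thread.
SAMPLE = [
    r"R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://internetsearchservice.com",
    r"R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/",
    r"O2 - BHO: 527631 helper - {54160F28-994B-48DD-8D83-1B2F6B9EB054} - C:\WINDOWS\system32\527631\527631.dll",
    r"O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)",
    r"O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Archivos de programa\Java\jre1.6.0_03\bin\ssv.dll",
    r"O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup",
    r'O4 - HKLM\..\Run: [c81dcccf] rundll32.exe "C:\WINDOWS\system32\clxjjglq.dll",b',
    r"O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.114.109 85.255.112.149",
    r"O20 - Winlogon Notify: khfGwWNf - C:\WINDOWS\SYSTEM32\khfGwWNf.dll",
    r"O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll",
]

if __name__ == "__main__":
    for line, why in triage(SAMPLE):
        print(f"{why}\n    {line}")
```

Run against the sample it reports six lines: the search redirection, the two bad BHOs, the rundll32-loaded clxjjglq.dll, the two O17 nameservers that Fixwareout later clears, and the khfGwWNf.dll Notify package that ComboFix later deletes; the NVIDIA, Java, Yahoo and WgaLogon lines pass. Allowlists are deliberate here: a "random-looking filename" heuristic would have caught these particular DLLs but also produces noise, whereas a short list of what is known to belong on the box does not.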

#4 pskelley
R.I.P Always in our hearts
Authentic Member, 3,879 posts
Interests: Computers, fishing, biking, basketball, travel

Posted 11 May 2008 - 03:42 AM

Thanks for the new HJT log, read and follow the directions carefully.

1) Thanks to LonnyBJones and anyone else who helped with this fix.

Please download FixWareout from one of these sites:
http://downloads.sub.../Fixwareout.exe
http://download.blee.../Fixwareout.exe

Save it to your Desktop and run it. Click Next, then Install, make sure "Run fixit" is checked and click Finish.
The fix will begin; follow the prompts.
You will be asked to reboot your computer; please do so.
Your system may take longer than usual to load; this is normal.
Once the desktop loads post the text that will open (report.txt) and a new Hijackthis log.

(wait until you finish to post reports and logs)

2) Remove any old copies of combofix before you proceed.

Thanks to sUBs and anyone else who helped with this fix.

It is important that it is saved directly to your Desktop

Download ComboFix from Here to your Desktop
  • Double click combofix.exe and follow the prompts.
  • When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply
Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Post the report from Fixwareout, the combofix log and a new HJT log.

Tutorial if needed:
http://www.bleepingc...to-use-combofix

Thanks
MS-MVP Windows Security 2007-8-9 Proud Member ASAP UNITE Member 2006

#5 Moe_J_AK
Authentic Member, 110 posts

Posted 11 May 2008 - 04:24 PM

Hi there again.
OK, here are the 3 reports you asked for.

FIXWAREOUT LOG:

Username "Mohamed" - 2008-05-11 16:41:44 [Fixwareout edited 9/01/2007]

~~~~~ Prerun check
HKLM\SOFTWARE\~\Winlogon\ "System"="kdnkv.exe"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
"nameserver"="85.255.114.109 85.255.112.149" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{CD62540E-21C1-468E-9A13-5D8F84C3411C}
"nameserver"="85.255.114.109,85.255.112.149" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{D4255FE7-61EE-4176-B32D-969BE7660FE2}
"nameserver"="85.255.114.109,85.255.112.149" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{DE3B6EE4-2B16-414B-9EF4-7256D807DC35}
"nameserver"="85.255.114.109,85.255.112.149" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{CD62540E-21C1-468E-9A13-5D8F84C3411C}
"DhcpNameServer"="85.255.114.109,85.255.112.149" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{D7CDDF3A-F833-4191-9093-C7E23BE1A7BF}
"DhcpNameServer"="85.255.114.109,85.255.112.149" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{DE3B6EE4-2B16-414B-9EF4-7256D807DC35}
"DhcpNameServer"="85.255.114.109,85.255.112.149" <Value cleared.

Successfully flushed the DNS Resolver Cache.


System was rebooted successfully.

~~~~~ Postrun check
HKLM\SOFTWARE\~\Winlogon\ "system"=""
....
....
~~~~~ Misc files.
C:\Documents and Settings\All Users\Favoritos\AdultGambling.url Deleted
C:\Documents and Settings\All Users\Favoritos\Free Online Dating.url Deleted
C:\Documents and Settings\All Users\Favoritos\###### Real Girls.url Deleted
C:\Documents and Settings\All Users\Favoritos\Kill Annoying Popups.url Deleted
C:\Documents and Settings\All Users\Favoritos\Online Sex Poker Rooms.url Deleted
C:\Documents and Settings\All Users\Favoritos\Play Adult-Poker.url Deleted
C:\Documents and Settings\All Users\Favoritos\Remove Toolbars.url Deleted
C:\Documents and Settings\All Users\Favoritos\Spyware Uninstall.url Deleted
C:\Documents and Settings\All Users\Favoritos\SPYWARE.url Deleted
C:\Documents and Settings\All Users\Favoritos\XXX personal photos.url Deleted
....
~~~~~ Checking for older varients.
C:\WINDOWS\System32\run_dos.dll Deleted
....
~~~~~ Other
C:\WINDOWS\Temp\kdnkv.ren 59392 2007-06-13

~~~~~ Current runs (hklm hkcu "run" Keys Only)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvCpl.dll,NvStartup"
"nwiz"="nwiz.exe /install"
"NvMediaCenter"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvMcTray.dll,NvTaskbarInit"
"HP Software Update"="C:\\Archivos de programa\\HP\\HP Software Update\\HPWuSchd2.exe"
"nod32kui"="\"C:\\Archivos de programa\\Eset\\nod32kui.exe\" /WAITSERVICE"
"SunJavaUpdateSched"="\"C:\\Archivos de programa\\Java\\jre1.6.0_03\\bin\\jusched.exe\""
"c81dcccf"="rundll32.exe \"C:\\WINDOWS\\system32\\clxjjglq.dll\",b"
"BMcb2eff53"="Rundll32.exe \"C:\\WINDOWS\\system32\\vsclbrfh.dll\",s"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\\WINDOWS\\system32\\ctfmon.exe"
"MsnMsgr"="\"C:\\Archivos de programa\\Windows Live\\Messenger\\MsnMsgr.Exe\" /background"
"MSKAGENTEXE"="C:\\ARCHIV~1\\McAfee\\SPAMKI~1\\MSKAgent.exe"
"comrepl"="C:\\WINDOWS\\system32\\comrepl.exe"
....
Hosts file was reset, If you use a custom hosts file please replace it...
~~~~~ End report ~~~~~


COMBO FIX LOG:

ComboFix 08-05-11.1 - Mohamed 2008-05-11 17:08:36.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.3082.18.53 [GMT -4:00]
Running from: C:\Documents and Settings\Mohamed\Escritorio\ComboFix.exe
* Created a new restore point
* Resident AV is active


WARNING - THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED!
.

(((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Archivos de programa\NetProject
C:\Archivos de programa\NetProject\scm.exe
C:\Documents and Settings\Mohamed\Datos de programa\macromedia\Flash Player\#SharedObjects\ULY6P5SR\iforex.com
C:\Documents and Settings\Mohamed\Datos de programa\macromedia\Flash Player\#SharedObjects\ULY6P5SR\iforex.com\Emerp\Events\flash_object.swf\user_data.sol
C:\Documents and Settings\Mohamed\Datos de programa\macromedia\Flash Player\#SharedObjects\ULY6P5SR\www.broadcaster.com
C:\Documents and Settings\Mohamed\Datos de programa\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#iforex.com
C:\Documents and Settings\Mohamed\Datos de programa\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#iforex.com\settings.sol
C:\Documents and Settings\Mohamed\Datos de programa\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com
C:\Documents and Settings\Mohamed\Datos de programa\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com\settings.sol
C:\WINDOWS\dat.txt
C:\WINDOWS\Fonts\acrsecB.fon
C:\WINDOWS\pskt.ini
C:\WINDOWS\rs.txt
C:\WINDOWS\search_res.txt
C:\WINDOWS\smdat32a.sys
C:\WINDOWS\smdat32m.sys
C:\WINDOWS\system32\527631\527631.dll
C:\WINDOWS\system32\awtqrpnO.dll
C:\WINDOWS\system32\clxjjglq.dll
C:\WINDOWS\system32\FLoYxyxx.ini
C:\WINDOWS\system32\FLoYxyxx.ini2
C:\WINDOWS\system32\gpyiduro.ini
C:\WINDOWS\system32\hgmjkupt.dll
C:\WINDOWS\system32\khfGwWNf.dll
C:\WINDOWS\system32\nxhjexpn.dll
C:\WINDOWS\system32\qlgjjxlc.ini
C:\WINDOWS\system32\qxeirbau.dll
C:\WINDOWS\system32\tfoohucx.ini
C:\WINDOWS\system32\uabriexq.ini
C:\WINDOWS\system32\vsclbrfh.dll
C:\WINDOWS\system32\xxyxYoLF.dll

.
(((((((((((((((((( Files Created From 2008-04-11 to 2008-05-11 )))))))))))))))))))))))))))))))))
.

2008-05-11 16:40 . 2008-05-11 16:49 <DIR> d-------- C:\fixwareout
2008-05-10 21:42 . 2008-05-10 21:42 <DIR> d-------- C:\Archivos de programa\Trend Micro
2008-05-10 21:42 . 2008-05-10 21:42 2,112 --a------ C:\WINDOWS\system32\ebhutueo.exe
2008-05-10 21:34 . 2008-05-10 21:34 1,482,295 ---hs---- C:\WINDOWS\system32\tfoohucx.tmp
2008-05-02 16:59 . 2008-05-10 21:27 109,738 --a------ C:\WINDOWS\BMcb2eff53.xml
2008-05-02 15:51 . 2008-05-11 17:24 <DIR> d-------- C:\WINDOWS\system32\527631

.
(((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-09 06:19 --------- d-----w C:\Documents and Settings\Mohamed\Datos de programa\AdobeUM
2008-04-08 05:47 --------- d-----w C:\Archivos de programa\MSECache
2008-04-05 03:46 --------- d-----w C:\Archivos de programa\SystemRequirementsLab
2008-03-20 08:09 1,845,376 ----a-w C:\WINDOWS\system32\win32k.sys
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 05:35 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
2008-02-16 09:02 662,016 ----a-w C:\WINDOWS\system32\wininet.dll
2005-10-30 17:20 88,576 ---ha-w C:\Documents and Settings\Mohamed\Datos de programa\rbap550.dll
2005-10-30 17:20 74,240 ---ha-w C:\Documents and Settings\Mohamed\Datos de programa\rbqt550.DLL
2005-10-30 17:20 58,880 ---ha-w C:\Documents and Settings\Mohamed\Datos de programa\MBSQTImporterPlugin6863.dll
2005-10-30 17:20 48,640 ---ha-w C:\Documents and Settings\Mohamed\Datos de programa\MBSQuickTimePlugin6863.dll
2005-10-30 17:20 37,888 ---ha-w C:\Documents and Settings\Mohamed\Datos de programa\MBSQTMovieExporterPlugin6863.dll
2005-10-30 17:20 31,744 ---ha-w C:\Documents and Settings\Mohamed\Datos de programa\MBSIconPlugin6867.dll
2005-10-30 17:20 25,600 ---ha-w C:\Documents and Settings\Mohamed\Datos de programa\MBSRegistrationPlugin6867.dll
2005-09-19 12:14 0 ----a-w C:\Archivos de programa\MCAFEE.C
.

((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{54160F28-994B-48DD-8D83-1B2F6B9EB054}]
C:\WINDOWS\system32\527631\527631.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B25823ED-E286-4736-916F-2FC6D94533B5}]
C:\WINDOWS\system32\xxyxYoLF.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-19 18:42 15360]
"MsnMsgr"="C:\Archivos de programa\Windows Live\Messenger\MsnMsgr.exe" [2007-10-18 11:34 5724184]
"MSKAGENTEXE"="C:\ARCHIV~1\McAfee\SPAMKI~1\MSKAgent.exe" [ ]
"comrepl"="C:\WINDOWS\system32\comrepl.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2001-12-16 13:55 2899968]
"nwiz"="nwiz.exe" [2001-12-16 13:55 782336 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\System32\NvMcTray.dll" [2001-12-16 13:55 46080]
"HP Software Update"="C:\Archivos de programa\HP\HP Software Update\HPWuSchd2.exe" [2006-02-19 02:41 49152]
"nod32kui"="C:\Archivos de programa\Eset\nod32kui.exe" [2007-09-26 23:44 949376]
"SunJavaUpdateSched"="C:\Archivos de programa\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"c81dcccf"="C:\WINDOWS\system32\clxjjglq.dll" [ ]
"BMcb2eff53"="C:\WINDOWS\system32\vsclbrfh.dll" [ ]
"combofix"="C:\WINDOWS\system32\CF14746.exe" [2004-08-19 18:42 402944]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-19 18:42 15360]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Archivos de programa\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Archivos de programa\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Archivos de programa\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\khfGwWNf]
khfGwWNf.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\ARCHIV~1\Google\GOOGLE~3\GOEC62~1.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.NSVI"= nsvideo.dll
"vidc.DIV3"= DivXc32.dll
"vidc.DIV4"= DivXc32f.dll
"vidc.xvid"= xvid.dll
"msacm.divxa32"= DivXa32.acm

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Archivos de programa\\Yahoo!\\Messenger\\YPager.exe"=
"C:\\Archivos de programa\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Archivos de programa\\Messenger\\msmsgs.exe"=
"C:\\WINDOWS\\PCHealth\\HelpCtr\\Binaries\\helpctr.exe"=
"C:\\WINDOWS\\system32\\dpnsvr.exe"=
"C:\\Archivos de programa\\LimeWire1\\LimeWire.exe"=
"C:\\Archivos de programa\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe"=
"C:\\Archivos de programa\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"C:\\Archivos de programa\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"C:\\Archivos de programa\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"C:\\Archivos de programa\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"C:\\Archivos de programa\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"C:\\Archivos de programa\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"C:\\Archivos de programa\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"C:\\Archivos de programa\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"C:\\Archivos de programa\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"C:\\Archivos de programa\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"C:\\Archivos de programa\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"C:\\Archivos de programa\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"C:\\Archivos de programa\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"C:\\Archivos de programa\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"C:\\Archivos de programa\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Archivos de programa\\Windows Live\\Messenger\\livecall.exe"=

R1 fwdrv;Firewall Driver;C:\WINDOWS\system32\drivers\fwdrv.sys [2007-04-26 10:21]
R1 khips;Kerio HIPS Driver;C:\WINDOWS\system32\drivers\khips.sys [2007-04-26 10:21]
R2 SPF4;Sunbelt Personal Firewall 4;"C:\Archivos de programa\Sunbelt Software\Personal Firewall\kpf4ss.exe" [2007-04-26 10:21]
S1 vdnt32;MemDRV;C:\WINDOWS\System32\vdnt32.sys [2005-02-22 20:17]
S2 Apache Tomcat 4.1;Apache Tomcat 4.1;C:\Archivos de programa\Apache Group\Tomcat 4.1\bin\tomcat.exe [2002-09-23 05:28]
S2 LARGAN;Largan.sys Digital Still Camera;C:\WINDOWS\system32\Drivers\largan.sys [2001-05-02 23:38]
S2 LARGANV;LARGAN Chameleon Video Camera;C:\WINDOWS\system32\DRIVERS\larganv.sys [2001-05-09 21:58]
S3 HPx9G+;HPx9G+ Device USB Driver;C:\WINDOWS\system32\DRIVERS\HPx9G2k.sys [2004-01-03 10:22]

.
Contenido de carpeta 'Tareas Programadas'
"2008-05-02 21:15:01 C:\WINDOWS\Tasks\1-Click Maintenance.job"
- C:\Archivos de programa\TuneUp Utilities 2007\SystemOptimizer.exe
"2008-05-03 01:00:00 C:\WINDOWS\Tasks\mcafee antispyware.job"
- c:\archiv~1\mcafee\MCAFEE~3\MASCon.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-11 17:34:03
Windows 5.1.2600 Service Pack 2 NTFS

escaneando procesos ocultos ...

escaneando entradas ocultas de autostart ...

escaneando archivos ocultos ...

el escaneo se completo con exito
archivos ocultos: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Archivos de programa\IVT Corporation\BlueSoleil\BTNtService.exe
C:\Archivos de programa\Archivos comunes\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Archivos de programa\ESET\nod32krn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Archivos de programa\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\WINDOWS\system32\WgaTray.exe
C:\Archivos de programa\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\Archivos de programa\HP\Digital Imaging\bin\hpqtra08.exe
C:\Archivos de programa\HP\HP Software Update\HPWUCli.exe
C:\Archivos de programa\HP\Digital Imaging\bin\hpqste08.exe
C:\Archivos de programa\Java\jre1.6.0_03\bin\jucheck.exe
.
**************************************************************************
.
Tiempo completado: 2008-05-11 17:45:34 - machine was rebooted [Mohamed]
ComboFix-quarantined-files.txt 2008-05-11 21:45:20

26 dirs 9,957,576,704 bytes libres
31 dirs 12,143,816,704 bytes libres

185 --- E O F --- 2008-04-09 06:41:11


HIJACKTHIS LOG:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 06:20:44 p.m., on 11/05/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Archivos de programa\HP\HP Software Update\HPWuSchd2.exe
C:\Archivos de programa\Eset\nod32kui.exe
C:\Archivos de programa\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Archivos de programa\Windows Live\Messenger\MsnMsgr.Exe
C:\Archivos de programa\HP\Digital Imaging\bin\hpqtra08.exe
C:\Archivos de programa\IVT Corporation\BlueSoleil\BTNtService.exe
C:\Archivos de programa\Archivos comunes\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Archivos de programa\Eset\nod32krn.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Archivos de programa\Sunbelt Software\Personal Firewall\kpf4ss.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Archivos de programa\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Archivos de programa\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\WINDOWS\system32\WgaTray.exe
C:\Archivos de programa\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Archivos de programa\Java\jre1.6.0_03\bin\jucheck.exe
C:\Archivos de programa\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://internetsearchservice.com
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://internetsearchservice.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://internetsearchservice.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://internetsearc...ce.com/ie6.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://internetsearchservice.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Archivos de programa\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Archivos de programa\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Windows Live Aplicación auxiliar de inicio de sesión - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Archivos de programa\Archivos comunes\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Archivos de programa\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\archivos de programa\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Archivos de programa\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Archivos de programa\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\es-la\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Archivos de programa\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\es-la\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\archivos de programa\google\googletoolbar2.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [HP Software Update] C:\Archivos de programa\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [nod32kui] "C:\Archivos de programa\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Archivos de programa\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Archivos de programa\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSKAGENTEXE] C:\ARCHIV~1\McAfee\SPAMKI~1\MSKAgent.exe
O4 - HKCU\..\Run: [comrepl] C:\WINDOWS\system32\comrepl.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVICIO LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Servicio de red')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Archivos de programa\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\ARCHIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Enlace de descarga usando Mega Manager... - C:\Archivos de programa\Megaupload\Mega Manager\mm_file.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Consola de Sun Java - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Archivos de programa\Yahoo!\Messenger\yhexbmeses.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Archivos de programa\Yahoo!\Messenger\yhexbmeses.dll
O9 - Extra button: PalTalk - {4EAFEF58-EEFA-4116-983D-03B49BCBFFFE} - C:\Archivos de programa\Paltalk Messenger\Paltalk.exe (file missing)
O9 - Extra button: Referencia - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARCHIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop...p/PCPitStop.CAB
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zon...kr.cab56986.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcaf...83/mcinsctl.cab
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemreq.../sysreqlab2.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {BAE1D8DF-0B35-47E3-A1E7-EEB3FF2ECD19} (CPlayFirstddfotgControl Object) - http://aolsvc.aol.co...tg.1.0.0.33.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcaf...,20/mcgdmgr.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zon...nt.cab56907.cab
O16 - DPF: {CAFEEFAC-0014-0000-0000-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0) -
O17 - HKLM\System\CCS\Services\Tcpip\..\{CD62540E-21C1-468E-9A13-5D8F84C3411C}: NameServer = 85.255.114.109,85.255.112.149
O17 - HKLM\System\CCS\Services\Tcpip\..\{D4255FE7-61EE-4176-B32D-969BE7660FE2}: NameServer = 85.255.114.109,85.255.112.149
O17 - HKLM\System\CCS\Services\Tcpip\..\{DE3B6EE4-2B16-414B-9EF4-7256D807DC35}: NameServer = 85.255.114.109,85.255.112.149
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.114.109 85.255.112.149
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.114.109 85.255.112.149
O20 - AppInit_DLLs: C:\ARCHIV~1\Google\GOOGLE~3\GOEC62~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Archivos de programa\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Apache Tomcat 4.1 - Alexandria Software Consulting - C:\Archivos de programa\Apache Group\Tomcat 4.1\bin\tomcat.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Archivos de programa\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Archivos de programa\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Archivos de programa\Archivos comunes\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Archivos de programa\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Sunbelt Personal Firewall 4 (SPF4) - Sunbelt Software - C:\Archivos de programa\Sunbelt Software\Personal Firewall\kpf4ss.exe

--
End of file - 9467 bytes


THANKS AGAIN FOR THE HELP =)

#6 pskelley
R.I.P Always in our hearts
Authentic Member, 3,879 posts
Interests: Computers, fishing, biking, basketball, travel

Posted 11 May 2008 - 04:42 PM

Thanks for returning your information; a look at the results will tell you how you got infected.

1) C:\Archivos de programa\Java\jre1.6.0_03\ <<< Java needs to be updated, see this:
http://forums.spybot...amp;postcount=2

2) How to make files and folders visible:
Click Start > Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm. Click OK.
You may reverse this for safety when we are finished.

3) Please download ATF Cleaner by Atribune
http://www.atribune....ATF-Cleaner.exe
Save it to your Desktop. We will use this later.

4) Start > Control Panel > Add Remove programs and uninstall Paltalk Messenger if it is there.

5) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://internetsearchservice.com
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://internetsearchservice.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://internetsearchservice.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://internetsearchservice.com
O9 - Extra button: PalTalk - {4EAFEF58-EEFA-4116-983D-03B49BCBFFFE} - C:\Archivos de programa\Paltalk Messenger\Paltalk.exe (file missing)
O17 - HKLM\System\CCS\Services\Tcpip\..\{CD62540E-21C1-468E-9A13-5D8F84C3411C}: NameServer = 85.255.114.109,85.255.112.149
O17 - HKLM\System\CCS\Services\Tcpip\..\{D4255FE7-61EE-4176-B32D-969BE7660FE2}: NameServer = 85.255.114.109,85.255.112.149
O17 - HKLM\System\CCS\Services\Tcpip\..\{DE3B6EE4-2B16-414B-9EF4-7256D807DC35}: NameServer = 85.255.114.109,85.255.112.149
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.114.109 85.255.112.149
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.114.109 85.255.112.149

Close all programs but HJT and all browser windows, then click on "Fix Checked"

6) Right click Start > Explore and navigate to these files/folders and delete them if there.

C:\Archivos de programa\Paltalk Messenger\ <<< delete that folder and contents

7) Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.

Restart and post a new HJT log and tell me how the computer runs.

Gracias
MS-MVP Windows Security 2007-8-9 Proud Member ASAP UNITE Member 2006
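Added example, not part of the thread and not a HijackThis feature: a small Python triage script that parses lines in the HJT format quoted above and flags the two kinds of entries pskelley singles out for fixing, O17 NameServer hijacks and R0/R1 search-provider redirects. The sample log is constructed from lines of the shape seen in this thread (the 192.168.x resolver line is made up to show a benign home-router case), and the trusted-resolver and expected-host sets are assumptions to be filled in per machine.

```python
"""Triage a HijackThis log: flag O17 DNS-server hijacks and R0/R1 search redirects.

Added example for this thread; it is not HijackThis code and not a HJT feature.
"""
import re
from ipaddress import ip_address
from urllib.parse import urlparse

# Constructed sample in the shape of the HJT log above. The 192.168.x NameServer
# line is made up to show what a benign (home-router) resolver entry looks like.
SAMPLE_LOG = """\
R1 - HKCU\\Software\\Microsoft\\Internet Explorer,SearchURL = http://internetsearchservice.com
R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = http://yahoo.com/
R1 - HKCU\\Software\\Microsoft\\Internet Explorer\\Search,SearchAssistant = http://internetsearchservice.com
O17 - HKLM\\System\\CCS\\Services\\Tcpip\\..\\{CD62540E-21C1-468E-9A13-5D8F84C3411C}: NameServer = 85.255.114.109,85.255.112.149
O17 - HKLM\\System\\CCS\\Services\\Tcpip\\Parameters: NameServer = 85.255.114.109 85.255.112.149
O17 - HKLM\\System\\CCS\\Services\\Tcpip\\Parameters: NameServer = 192.168.1.1 192.168.1.2
O4 - HKLM\\..\\Run: [nod32kui] "C:\\Archivos de programa\\Eset\\nod32kui.exe" /WAITSERVICE
"""

# Hosts the user legitimately points IE at (assumption for this example).
EXPECTED_SEARCH_HOSTS = {"yahoo.com", "www.yahoo.com", "go.microsoft.com"}
# Public resolvers known to belong to this ISP/network (assumption; empty means
# every public resolver gets flagged, which is the safe default for triage).
TRUSTED_RESOLVERS = set()

# HJT entries look like "O17 - <body>" or "R1 - <body>".
LINE_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.*)$")


def parse_hjt(text):
    """Return (section, body) tuples for every line in HJT's 'Oxx - ...' shape."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            entries.append((m.group("section"), m.group("body")))
    return entries


def find_dns_hijacks(entries, trusted=TRUSTED_RESOLVERS):
    """Flag O17 NameServer entries pointing at public resolvers outside `trusted`.

    HJT writes the server list comma- or space-separated (both appear in the
    log above), so split on either. Private (RFC 1918) and loopback addresses
    are treated as the local router and not flagged.
    """
    hits = []
    for section, body in entries:
        if section != "O17" or "NameServer" not in body:
            continue
        servers = re.split(r"[,\s]+", body.split("=", 1)[1].strip())
        bad = []
        for s in servers:
            try:
                ip = ip_address(s)
            except ValueError:
                bad.append(s)  # not an IP address at all: worth a look
                continue
            if s in trusted or ip.is_private or ip.is_loopback:
                continue
            bad.append(s)
        if bad:
            hits.append((body, bad))
    return hits


def find_search_redirects(entries, expected=EXPECTED_SEARCH_HOSTS):
    """Flag R0/R1 entries whose URL host is not one the user expects."""
    hits = []
    for section, body in entries:
        if section not in ("R0", "R1") or "=" not in body:
            continue
        key, _, value = body.partition("=")
        host = urlparse(value.strip()).hostname
        if host and host.lower() not in expected:
            hits.append((key.strip(), host.lower()))
    return hits


def triage(text):
    """Run both checks over a raw HJT log and return the findings."""
    entries = parse_hjt(text)
    return {"dns": find_dns_hijacks(entries), "search": find_search_redirects(entries)}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for body, bad in result["dns"]:
        print("O17 DNS hijack:", ", ".join(bad), "<-", body)
    for key, host in result["search"]:
        print("search redirect:", key, "->", host)
```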

#7 Moe_J_AK
Authentic Member, 110 posts

Posted 11 May 2008 - 09:21 PM

Hey, yes, the computer is running better than before... no more popups and no more warnings that my computer might be infected....
Here is my new HJT post...

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:14:33 p.m., on 11/05/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Archivos de programa\HP\HP Software Update\HPWuSchd2.exe
C:\Archivos de programa\Eset\nod32kui.exe
C:\Archivos de programa\Java\jre1.6.0_06\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Archivos de programa\Windows Live\Messenger\MsnMsgr.Exe
C:\Archivos de programa\IVT Corporation\BlueSoleil\BTNtService.exe
C:\Archivos de programa\Archivos comunes\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Archivos de programa\Eset\nod32krn.exe
C:\Archivos de programa\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Archivos de programa\Sunbelt Software\Personal Firewall\kpf4ss.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Archivos de programa\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\system32\WgaTray.exe
C:\Archivos de programa\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\Archivos de programa\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Archivos de programa\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\HPZipm12.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://internetsearc...ce.com/ie6.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Archivos de programa\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Archivos de programa\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: Windows Live Aplicación auxiliar de inicio de sesión - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Archivos de programa\Archivos comunes\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Archivos de programa\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\archivos de programa\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Archivos de programa\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Archivos de programa\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\es-la\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Archivos de programa\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\es-la\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\archivos de programa\google\googletoolbar2.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [HP Software Update] C:\Archivos de programa\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [nod32kui] "C:\Archivos de programa\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Archivos de programa\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Archivos de programa\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSKAGENTEXE] C:\ARCHIV~1\McAfee\SPAMKI~1\MSKAgent.exe
O4 - HKCU\..\Run: [comrepl] C:\WINDOWS\system32\comrepl.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVICIO LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Servicio de red')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Archivos de programa\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\ARCHIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Enlace de descarga usando Mega Manager... - C:\Archivos de programa\Megaupload\Mega Manager\mm_file.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Consola de Sun Java - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Archivos de programa\Yahoo!\Messenger\yhexbmeses.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Archivos de programa\Yahoo!\Messenger\yhexbmeses.dll
O9 - Extra button: Referencia - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARCHIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop...p/PCPitStop.CAB
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zon...kr.cab56986.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcaf...83/mcinsctl.cab
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemreq.../sysreqlab2.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {BAE1D8DF-0B35-47E3-A1E7-EEB3FF2ECD19} (CPlayFirstddfotgControl Object) - http://aolsvc.aol.co...tg.1.0.0.33.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcaf...,20/mcgdmgr.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zon...nt.cab56907.cab
O16 - DPF: {CAFEEFAC-0014-0000-0000-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0) -
O20 - AppInit_DLLs: C:\ARCHIV~1\Google\GOOGLE~3\GOEC62~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Archivos de programa\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Apache Tomcat 4.1 - Alexandria Software Consulting - C:\Archivos de programa\Apache Group\Tomcat 4.1\bin\tomcat.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Archivos de programa\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Archivos de programa\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Archivos de programa\Archivos comunes\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Archivos de programa\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Sunbelt Personal Firewall 4 (SPF4) - Sunbelt Software - C:\Archivos de programa\Sunbelt Software\Personal Firewall\kpf4ss.exe

--
End of file - 8346 bytes


So tell me what's next?...

and no way, Gracias a ti .... hahaha =)

#8 pskelley
R.I.P Always in our hearts
Authentic Member, 3,879 posts
Interests: Computers, fishing, biking, basketball, travel

Posted 12 May 2008 - 05:12 AM

Thanks for returning your HJT log, which looks fine, and the feedback. Let's run a good scan to make sure nothing hides from HJT.

Run this online scan using Internet Explorer:
Kaspersky Online Scanner from http://www.kaspersky.com/virusscanner

Next Click on Launch Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.

* The program will launch and then begin downloading the latest definition files:
* Once the files have been downloaded click on NEXT
* Now click on Scan Settings
* In the scan settings make sure that the following are selected:
* Scan using the following Anti-Virus database:
* Standard
* Scan Options:
* Scan Archives
* Scan Mail Bases
* Click OK
* Now under select a target to scan:
* Select My Computer
* The program will start and scan your system.
* The scan will take a while so be patient and let it run.
* Once the scan is complete it will display if your system has been infected.
* Now click on the Save as Text button:
* Save the file to your desktop.

Then post it here.
MS-MVP Windows Security 2007-8-9 Proud Member ASAP UNITE Member 2006

#9 Moe_J_AK
Authentic Member, 110 posts

Posted 19 May 2008 - 05:24 PM

Hi there again, and hey, so sorry for taking so long to write back, but I'm a college student, and last week and this week I had almost all my exams... so I didn't have much time... to do the full scan with Kaspersky antivirus... But finally it finished and here are the results... (many viruses :s)

KASPERSKY ONLINE SCANNER REPORT
Monday, May 19, 2008 10:29:41 AM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 19/05/2008
Kaspersky Anti-Virus database records: 699430

Scan Settings
Scan using the following antivirus database standard
Scan Archives true
Scan Mail Bases true

Scan Target My Computer
A:\
C:\
D:\
E:\
F:\
G:\

Scan Statistics
Total number of scanned objects 187271
Number of viruses found 14
Number of infected objects 35
Number of suspicious objects 0
Duration of the scan process 09:29:17

Infected Object Name Virus Name Last Action
C:\Archivos de programa\ESET\cache\CACHE.NDB Object is locked skipped
C:\Archivos de programa\ESET\infected\BD4P4NCA.NQF Infected: Trojan-Downloader.Win32.Zlob.lou skipped
C:\Archivos de programa\ESET\infected\EEZBL2DA.NQF Infected: Trojan-Downloader.Win32.Agent.dag skipped
C:\Archivos de programa\ESET\infected\JS031DAA.NQF Infected: Trojan-Downloader.Win32.Zlob.lox skipped
C:\Archivos de programa\ESET\infected\WDUXEPAA.NQF Infected: Trojan-Downloader.Win32.Zlob.cpx skipped
C:\Archivos de programa\ESET\infected\Z0Y3Q4CA.NQF Infected: Trojan-Downloader.Win32.Zlob.lor skipped
C:\Archivos de programa\ESET\logs\virlog.dat Object is locked skipped
C:\Archivos de programa\ESET\logs\warnlog.dat Object is locked skipped
C:\Archivos de programa\Sunbelt Software\Personal Firewall\logs\debug.log Object is locked skipped
C:\Archivos de programa\Sunbelt Software\Personal Firewall\logs\debug.log.idx Object is locked skipped
C:\Archivos de programa\Sunbelt Software\Personal Firewall\logs\error.log Object is locked skipped
C:\Archivos de programa\Sunbelt Software\Personal Firewall\logs\error.log.idx Object is locked skipped
C:\Archivos de programa\Sunbelt Software\Personal Firewall\logs\hips.log Object is locked skipped
C:\Archivos de programa\Sunbelt Software\Personal Firewall\logs\hips.log.idx Object is locked skipped
C:\Archivos de programa\Sunbelt Software\Personal Firewall\logs\ids.log Object is locked skipped
C:\Archivos de programa\Sunbelt Software\Personal Firewall\logs\ids.log.idx Object is locked skipped
C:\Archivos de programa\Sunbelt Software\Personal Firewall\logs\network.log Object is locked skipped
C:\Archivos de programa\Sunbelt Software\Personal Firewall\logs\network.log.idx Object is locked skipped
C:\Archivos de programa\Sunbelt Software\Personal Firewall\logs\system.log Object is locked skipped
C:\Archivos de programa\Sunbelt Software\Personal Firewall\logs\system.log.idx Object is locked skipped
C:\Archivos de programa\Sunbelt Software\Personal Firewall\logs\warning.log Object is locked skipped
C:\Archivos de programa\Sunbelt Software\Personal Firewall\logs\warning.log.idx Object is locked skipped
C:\Archivos de programa\Sunbelt Software\Personal Firewall\logs\web.log Object is locked skipped
C:\Archivos de programa\Sunbelt Software\Personal Firewall\logs\web.log.idx Object is locked skipped
C:\Documents and Settings\All Users\Datos de programa\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Datos de programa\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\LocalService\Configuración local\Archivos temporales de Internet\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Configuración local\Datos de programa\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Configuración local\Datos de programa\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Configuración local\Historial\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Mohamed\Configuración local\Archivos temporales de Internet\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Mohamed\Configuración local\Datos de programa\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Mohamed\Configuración local\Datos de programa\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Mohamed\Configuración local\Historial\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Mohamed\Configuración local\Historial\History.IE5\MSHist012008051820080519\index.dat Object is locked skipped
C:\Documents and Settings\Mohamed\Configuración local\Historial\History.IE5\MSHist012008051920080520\index.dat Object is locked skipped
C:\Documents and Settings\Mohamed\Configuración local\temp\hpodvd09.log Object is locked skipped
C:\Documents and Settings\Mohamed\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Mohamed\Datos de programa\Sun\Java\Deployment\cache\6.0\12\4ef9724c-2dc1e9bd/MagicApplet.class Infected: Trojan-Downloader.Java.OpenConnection.ao skipped
C:\Documents and Settings\Mohamed\Datos de programa\Sun\Java\Deployment\cache\6.0\12\4ef9724c-2dc1e9bd/OwnClassLoader.class Infected: Trojan.Java.ClassLoader.au skipped
C:\Documents and Settings\Mohamed\Datos de programa\Sun\Java\Deployment\cache\6.0\12\4ef9724c-2dc1e9bd/Installer.class Infected: Trojan-Downloader.Java.Agent.a skipped
C:\Documents and Settings\Mohamed\Datos de programa\Sun\Java\Deployment\cache\6.0\12\4ef9724c-2dc1e9bd ZIP: infected - 3 skipped
C:\Documents and Settings\Mohamed\Datos de programa\Sun\Java\Deployment\cache\6.0\15\2d58608f-29c6d1af/HiPointInstallShieldRT.class Infected: Trojan-Downloader.Java.OpenConnection.ap skipped
C:\Documents and Settings\Mohamed\Datos de programa\Sun\Java\Deployment\cache\6.0\15\2d58608f-29c6d1af ZIP: infected - 1 skipped
C:\Documents and Settings\Mohamed\Datos de programa\Sun\Java\Deployment\cache\6.0\54\6e4d3ab6-5468362d/HiPointInstallShieldRT.class Infected: Trojan-Downloader.Java.OpenConnection.ap skipped
C:\Documents and Settings\Mohamed\Datos de programa\Sun\Java\Deployment\cache\6.0\54\6e4d3ab6-5468362d ZIP: infected - 1 skipped
C:\Documents and Settings\Mohamed\Datos de programa\Sun\Java\Deployment\cache\6.0\56\3929cbb8-1388e727/BlackBox.class Infected: Exploit.Java.ByteVerify skipped
C:\Documents and Settings\Mohamed\Datos de programa\Sun\Java\Deployment\cache\6.0\56\3929cbb8-1388e727/VerifierBug.class Infected: Exploit.Java.ByteVerify skipped
C:\Documents and Settings\Mohamed\Datos de programa\Sun\Java\Deployment\cache\6.0\56\3929cbb8-1388e727/Beyond.class Infected: Trojan-Downloader.Java.OpenConnection.aa skipped
C:\Documents and Settings\Mohamed\Datos de programa\Sun\Java\Deployment\cache\6.0\56\3929cbb8-1388e727 ZIP: infected - 3 skipped
C:\Documents and Settings\Mohamed\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Mohamed\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Configuración local\Datos de programa\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Configuración local\Datos de programa\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Zubaida\ntuser.dat Object is locked skipped
C:\Documents and Settings\Zubaida\ntuser.dat.LOG Object is locked skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\awtqrpnO.dll.vir Infected: Trojan.Win32.Monder.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\clxjjglq.dll.vir Infected: Trojan.Win32.Monder.dm skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\hgmjkupt.dll.vir Infected: Trojan.Win32.Monder.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\khfGwWNf.dll.vir Infected: Trojan.Win32.Monder.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\nxhjexpn.dll.vir Infected: Trojan.Win32.Monder.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\qxeirbau.dll.vir Infected: Trojan.Win32.Monder.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\vsclbrfh.dll.vir Infected: Trojan.Win32.Monder.dl skipped
C:\QooBox\Quarantine\catchme2008-05-11_172849.97.zip/xxyxYoLF.dll Infected: Trojan.Win32.Monder.gen skipped
C:\QooBox\Quarantine\catchme2008-05-11_172849.97.zip ZIP: infected - 1 skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{7B8E128C-B3D4-4E6F-9ACB-F488008971FF}\RP1008\A0277857.exe Object is locked skipped
C:\System Volume Information\_restore{7B8E128C-B3D4-4E6F-9ACB-F488008971FF}\RP1008\A0277866.exe Object is locked skipped
C:\System Volume Information\_restore{7B8E128C-B3D4-4E6F-9ACB-F488008971FF}\RP1009\A0277899.exe Object is locked skipped
C:\System Volume Information\_restore{7B8E128C-B3D4-4E6F-9ACB-F488008971FF}\RP1009\A0277906.exe Object is locked skipped
C:\System Volume Information\_restore{7B8E128C-B3D4-4E6F-9ACB-F488008971FF}\RP1010\A0277916.exe Object is locked skipped
C:\System Volume Information\_restore{7B8E128C-B3D4-4E6F-9ACB-F488008971FF}\RP1010\A0277928.exe Object is locked skipped
C:\System Volume Information\_restore{7B8E128C-B3D4-4E6F-9ACB-F488008971FF}\RP1012\A0278955.dll Infected: Trojan.Win32.Monder.gen skipped
C:\System Volume Information\_restore{7B8E128C-B3D4-4E6F-9ACB-F488008971FF}\RP1012\A0278967.dll Infected: Trojan.Win32.Monder.gen skipped
C:\System Volume 
Information\_restore{7B8E128C-B3D4-4E6F-9ACB-F488008971FF}\RP1013\A0279037.dll Infected: Trojan.Win32.Monder.gen skipped C:\System Volume Information\_restore{7B8E128C-B3D4-4E6F-9ACB-F488008971FF}\RP1013\A0279038.dll Infected: Trojan.Win32.Monder.dm skipped C:\System Volume Information\_restore{7B8E128C-B3D4-4E6F-9ACB-F488008971FF}\RP1013\A0279039.dll Infected: Trojan.Win32.Monder.gen skipped C:\System Volume Information\_restore{7B8E128C-B3D4-4E6F-9ACB-F488008971FF}\RP1013\A0279040.dll Infected: Trojan.Win32.Monder.gen skipped C:\System Volume Information\_restore{7B8E128C-B3D4-4E6F-9ACB-F488008971FF}\RP1013\A0279041.dll Infected: Trojan.Win32.Monder.gen skipped C:\System Volume Information\_restore{7B8E128C-B3D4-4E6F-9ACB-F488008971FF}\RP1013\A0279042.dll Infected: Trojan.Win32.Monder.gen skipped C:\System Volume Information\_restore{7B8E128C-B3D4-4E6F-9ACB-F488008971FF}\RP1013\A0279043.dll Infected: Trojan.Win32.Monder.dl skipped C:\System Volume Information\_restore{7B8E128C-B3D4-4E6F-9ACB-F488008971FF}\RP1024\change.log Object is locked skipped C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped C:\WINDOWS\SchedLgU.Txt Object is locked skipped C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped C:\WINDOWS\Sti_Trace.log Object is locked skipped C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped C:\WINDOWS\system32\config\default Object is locked skipped C:\WINDOWS\system32\config\default.LOG Object is locked skipped C:\WINDOWS\system32\config\SAM Object is locked skipped C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped C:\WINDOWS\system32\config\SECURITY Object is locked skipped C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped C:\WINDOWS\system32\config\software Object is locked skipped 
C:\WINDOWS\system32\config\software.LOG Object is locked skipped C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped C:\WINDOWS\system32\config\system Object is locked skipped C:\WINDOWS\system32\config\system.LOG Object is locked skipped C:\WINDOWS\system32\ebhutueo.exe Object is locked skipped C:\WINDOWS\system32\h323log.txt Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped C:\WINDOWS\wiadebug.log Object is locked skipped C:\WINDOWS\wiaservc.log Object is locked skipped C:\WINDOWS\WindowsUpdate.log Object is locked skipped E:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped F:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped Scan process completed. Thanks once again for yout time =)...

#10 pskelley

pskelley

    R.I.P Always in our hearts

  • Authentic Member
  • PipPipPipPipPip
  • 3,879 posts
  • Interests:Computers, fishing, biking, basketball, travel

Posted 19 May 2008 - 07:06 PM

Not a problem...a little cleanup left to do like this:

Oops, first you need the Recovery Console.
I am sure you saw this:
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
ADVERTENCIA - ESTE EQUIPO NO TIENE INSTALADA LA CONSOLA DE RECUPERACION!

http://www.bleepingc...to-use-combofix
Review that information to understand Recovery Console. Installation is optional, but if you do not have the CDs needed, as is explained, it can be installed before we remove combofix.
If you do not wish to install RC, let me know so I can continue with the cleanup.
If you install RC, post the C:\*CF-RC.txt*.

Since we do not need to scan with combofix, click NO

after that is done, you can delete combofix from your computer and do this.

1) C:\Archivos de programa\ESET\infected\ <<< clean the junk out of that folder.

2) C:\Documents and Settings\Mohamed\Datos de programa\Sun\Java\Deployment\cache\ <<< clean out the infected Java cache.
http://support.f-sec...javacache.shtml

3) C:\QooBox\Quarantine\ <<< delete that folder

4) Empty the Recycle Bin on the Desktop and restart the computer.

5) Follow these instructions to clean infected System Restore files.

Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

Reboot

Turn ON System Restore,
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.

Let me know how things are running, and I will post some good information for you and get you on your way.

Thanks...Phil
AKA...filippe
MS-MVP Windows Security 2007-8-9 Proud Member ASAP UNITE Member 2006


#11 Moe_J_AK

Moe_J_AK

    Authentic Member

  • Authentic Member
  • PipPip
  • 110 posts

Posted 24 May 2008 - 07:57 AM

Hi there my friend... ok I did everything you said, but the one about the recovery didn't work as it said in the instructions, I mean after I dragged the Windows XP boot disk onto combofix, combofix just opened itself and asked me to do a scan or not... I said no and it just disappeared for the rest, I deleted all the folders you told me... Thanks again =)

#12 Moe_J_AK

Moe_J_AK

    Authentic Member

  • Authentic Member
  • PipPip
  • 110 posts

Posted 24 May 2008 - 07:58 AM

Ohhh and after I said no to the scan the combofix icon on the desktop just disappeared from my desktop :s....

#13 pskelley

pskelley

    R.I.P Always in our hearts

  • Authentic Member
  • PipPipPipPipPip
  • 3,879 posts
  • Interests:Computers, fishing, biking, basketball, travel

Posted 24 May 2008 - 09:33 AM

Look for this file: C:\*CF-RC.txt and post it. After you do that, follow these instructions:

1) C:\Archivos de programa\ESET\infected\ <<< delete the contents of the folder in red

2) C:\Documents and Settings\Mohamed\Datos de programa\Sun\Java\Deployment\cache\ <<< delete the contents of the folder in red
http://support.f-sec...javacache.shtml

3) C:\QooBox\Quarantine\ <<< delete that complete folder

4) Empty the Recycle Bin on the Desktop and restart the computer

5) Follow these instructions to clean infected System Restore files:

Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

Reboot

Turn ON System Restore,
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.

Run a new Kaspersky Scan to make sure you got everything, no need to post a clean scan result.

Some good information for you:
http://users.telenet...owcomputer.html
http://www.microsoft...ps/mcgill1.mspx

Here is some great information from experts in this field that will help you stay clean and safe online.
http://users.telenet...prevention.html
http://forums.spybot...hread.php?t=279
http://russelltexas....re/allclear.htm
http://forum.malware...wtopic.php?t=14
http://www.bleepingc...topict2520.html
http://cybercoyote.o...not-admin.shtml

http://www.malwarecomplaints.info/

Thanks...pskelley
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.
Want to help others? Join the ClassRoom and learn how.
http://forums.whatth...oom_t80368.html
MS-MVP Windows Security 2007-8-9 Proud Member ASAP UNITE Member 2006
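As an added example (not part of this thread and not a tool pskelley mentions), the System Restore purge from step 5 above, in both post #10 and post #13, as a PowerShell script driving the WMI SystemRestore class, with a check afterwards that no restore point created before the cleanup survived. It assumes an administrator session, that C:\ is the system drive, and that the reboot between the two halves is done by hand, exactly as in the steps above.

```powershell
# Added example: scripted counterpart of "turn System Restore off, reboot,
# turn it on again", plus a check that the old restore points are really gone.
# Assumptions: administrator rights, system drive C:\ (assumed), and WMI's
# root\default:SystemRestore class (Windows XP / Vista / 7).

$SystemDrive = 'C:\'                      # assumption: the drive the scan covered
$StampFile   = "$env:TEMP\sr-purge-stamp.txt"
$sr = [wmiclass] '\\.\root\default:SystemRestore'

# Every existing restore point as (SequenceNumber, Description, CreationTime).
function Get-RestorePoints {
    Get-WmiObject -Namespace 'root\default' -Class SystemRestore |
        ForEach-Object {
            New-Object PSObject -Property @{
                SequenceNumber = $_.SequenceNumber
                Description    = $_.Description
                CreationTime   = [System.Management.ManagementDateTimeConverter]::ToDateTime($_.CreationTime)
            }
        }
}

# Half 1: record the time, then disable System Restore. Disabling is what
# discards the restore points holding the infected copies the scan flagged
# under System Volume Information.
function Disable-RestoreAndMark {
    $stamp = Get-Date
    $rc = $sr.Disable($SystemDrive).ReturnValue      # 0 = success
    if ($rc -ne 0) { throw "Disable failed with WMI return code $rc" }
    $stamp.ToString('o') | Out-File $StampFile       # survives the reboot
}

# Half 2 (after the reboot): re-enable System Restore and verify that no
# restore point older than the recorded stamp is still present.
function Enable-RestoreAndVerify {
    $stamp = [datetime] (Get-Content $StampFile)
    $rc = $sr.Enable($SystemDrive, $true).ReturnValue
    if ($rc -ne 0) { throw "Enable failed with WMI return code $rc" }
    $stale = @(Get-RestorePoints | Where-Object { $_.CreationTime -lt $stamp })
    if ($stale.Count -gt 0) {
        Write-Warning 'Restore points from before the cleanup still exist:'
        $stale | Format-Table SequenceNumber, CreationTime, Description -AutoSize
        return $false
    }
    Write-Output 'No pre-cleanup restore points remain.'
    return $true
}

# Usage: run Disable-RestoreAndMark, reboot, then run Enable-RestoreAndVerify.
```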

#14 Moe_J_AK

Moe_J_AK

    Authentic Member

  • Authentic Member
  • PipPip
  • 110 posts

Posted 24 May 2008 - 09:42 AM

Hey PSKelley... sorry but I'm not being able to find any file C:\*CF-RC.txt .... :s .... the rest of the steps I already did, but that file I'm not being able to find... or I don't know if I'm doing anything wrong... should I go on with the Kaspersky scan?

#15 pskelley

pskelley

    R.I.P Always in our hearts

  • Authentic Member
  • PipPipPipPipPip
  • 3,879 posts
  • Interests:Computers, fishing, biking, basketball, travel

Posted 24 May 2008 - 09:46 AM

Yes, run a new Kaspersky scan to make sure it is clean. No need to post a clean scan. Thanks
MS-MVP Windows Security 2007-8-9 Proud Member ASAP UNITE Member 2006
