Welcome to Tech Support Forum home to more then 136,000 problems solved. Issues have included: Spyware, Malware, Virus Issues, Windows, Microsoft, Linux, Networking, Security, Hardware, and Gaming Getting your problem solved is as easy as:
1. Registering for a free account
2. Asking your question
3. Receiving an answer

Registered members:
* Get free support
* Communicate privately with other members (PM).
* Removal of this message
* See fewer ads.
* And much more..

 


Want to know how to post a question? click here Having problems with spyware and pop-ups? First Steps
Go Back   Tech Support Forum > Security Center > Virus/Trojan/Spyware Help > Resolved HJT Threads
Reload this Page please help me with this
User Name
Password
Site Map Register Donate Rules Blogs Mark Forums Read


Resolved HJT Threads Resolved spyware and popup issues.

 
 
LinkBack Thread Tools
Old 02-15-2007, 04:27 PM   #1 (permalink)
Registered User
 
Join Date: Feb 2007
Posts: 14
OS: XP


please help me with this
Hi, thanks for your help, i can't get rid of some stuff in my computer.


Logfile of HijackThis v1.99.1
Scan saved at 21:23:59, on 15-02-2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Archivos de programa\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
c:\Apps\Powercinema\Kernel\TV\CLCapSvc.exe
C:\Archivos de programa\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
C:\Archivos de programa\CyberLink\Shared Files\CLML_NTService\CLMLService.exe
C:\Archivos de programa\Archivos comunes\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\system32\svchost.exe
c:\Apps\Powercinema\Kernel\TV\CLSched.exe
C:\WINDOWS\Explorer.EXE
C:\Archivos de programa\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
C:\Archivos de programa\QuickTime\qttask.exe
C:\Archivos de programa\iTunes\iTunesHelper.exe
C:\Archivos de programa\Archivos comunes\Real\Update_OB\realsched.exe
C:\Archivos de programa\Java\jre1.5.0_09\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Archivos de programa\Internet Explorer\IEXPLORE.EXE
C:\Archivos de programa\iPod\bin\iPodService.exe
C:\Archivos de programa\BitTorrent\bittorrent.exe
C:\Documents and Settings\Carolaa\Escritorio\hi.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.cl/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.packardbell.cl/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Archivos de programa\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\ARCHIV~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Archivos de programa\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\archivos de programa\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\archivos de programa\google\googletoolbar2.dll
O4 - HKLM\..\Run: [kav] "C:\Archivos de programa\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Archivos de programa\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Archivos de programa\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Archivos de programa\Archivos comunes\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Archivos de programa\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [THUNK CURB SAFE ITCH] C:\Documents and Settings\All Users\Datos de programa\2 bone thunk curb\help frag.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BitTorrent] "C:\Archivos de programa\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKCU\..\Run: [RULE DUMB] C:\DOCUME~1\Carolaa\DATOSD~1\DRAWJU~1\bindclock.exe
O4 - Startup: Adobe Gamma.lnk = C:\Archivos de programa\Archivos comunes\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Archivos de programa\Archivos comunes\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Archivos de programa\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: mcregwiz.lnk = C:\Archivos de programa\McAfee.com\Agent\mcregwiz.exe
O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\ARCHIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Consola de Sun Java - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Web Anti-Virus - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Archivos de programa\Kaspersky Lab\Kaspersky Anti-Virus 6.0\scieplugin.dll
O9 - Extra button: Referencia - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARCHIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\ARCHIV~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Filter: text/html - (no CLSID) - (no file)
O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Archivos de programa\Archivos comunes\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Unknown owner - C:\Archivos de programa\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe" -r (file missing)
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - c:\Apps\Powercinema\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - c:\Apps\Powercinema\Kernel\TV\CLSched.exe
O23 - Service: CyberLink Media Library Service - Cyberlink - C:\Archivos de programa\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Archivos de programa\Archivos comunes\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Archivos de programa\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
xsaintseiyax is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Bookmark on Thread SoupReddit!
Sponsored Links
Old 02-16-2007, 05:51 PM   #2 (permalink)
Registered User
 
Join Date: Feb 2007
Posts: 14
OS: XP


don't fight for me
xsaintseiyax is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Bookmark on Thread SoupReddit!
Old 02-17-2007, 07:22 PM   #3 (permalink)
Analyst, Security Team
 
Sempurna's Avatar
 
Join Date: Sep 2006
Posts: 1,302
OS: Windows XP SP2


Hi xsaintseiyax,

Welcome to Tech Support Forum!

I apologize for the delay getting to your log. The helpers here are all volunteers and we have been very busy here lately. If you are still having malware problems, I will be glad to help.

You have a Lop infection (also known as Swizzor) which is a cause of pop-ups. It can also affcect your internet connection. For this reason, we must address this infection first, before we clean the rest of your system.

Please download NoLop.exe and save it to your desktop from one of the links below:
Mirror 1
Mirror 2
Mirror 3
  • First close any other programs you have running as this fix will require a reboot.
  • Double-click NoLop.exe to run it.
  • Now click the button labeled Search and Destroy.
  • Your computer will now be scanned for infected files.
  • When scanning is finished you will be prompted to reboot only if infected, click OK.
  • Now click the REBOOT button.
  • A message should popup from NoLop. If not, double-click the program again and it will finish.
  • Please Post the contents of C:\NoLop.log along with a fresh HijackThis log.


If you receive an error, "mscomctl.ocx or one of its dependencies are not correctly registered", please download mscomctl.ocx to your system32 folder then rerun the program.


NEXT:

Please download fl.zip and save it to your desktop:
  • Extract the contents to a new folder on your desktop (right-click the zipped folder and select Extract All).
  • Within the folder, locate and double-click fl.bat.
  • It should produce a report at c:\findlop.txt. Post the contents of the report in your next reply


NEXT:

Please REBOOT your computer normally into Windows and post these logs in your next reply:
  1. The log from the NoLop.exe scan.
  2. The log from the fl.bat scan.
  3. A new HijackThis log.

Also, please let me know how things are running now and if you encountered any problems while you were following the directions I posted.
__________________

Keep this forum alive - if you've been helped at this forum, please do consider a donation. Thank you for your support.

Donation link for Tech Support Forum
Last edited by Sempurna; 02-17-2007 at 07:25 PM.
Sempurna is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Bookmark on Thread SoupReddit!
Old 02-24-2007, 11:47 AM   #4 (permalink)
Registered User
 
Join Date: Feb 2007
Posts: 14
OS: XP


Hi, thanks for the help. There weren't problems following the directions that you posted, but there still pop-ups.

NoLop! Log by Skate_Punk_21

Fix running from: C:\Documents and Settings\Carolaa\Escritorio
[24-02-2007]
[16:23:18]

---Infection Files Found/Removed---
C:\WINDOWS\tasks\ACA0E87591939925.job

Beginning Removal...
Rebooting...
Removing Lop's Leftover Files/Folders...
Editing Registry...
**Fix Complete!**

---Listing AppData sub directories---

C:\Documents and Settings\Carolaa\Application Data\Microsoft
C:\Documents and Settings\Invitado\Application Data\Bang
C:\Documents and Settings\Invitado\Application Data\Microsoft

El volumen de la unidad C no tiene etiqueta.
El n£mero de serie del volumen es: 9C20-6F48

Directorio de C:\Documents and Settings\Carolaa\Application Data

28-08-2006 17:57 <DIR> .
28-08-2006 17:57 <DIR> ..
28-08-2006 17:57 <DIR> Microsoft
0 archivos 0 bytes
3 dirs 126.631.796.736 bytes libres
El volumen de la unidad C no tiene etiqueta.
El n£mero de serie del volumen es: 9C20-6F48

Directorio de C:\Documents and Settings\Invitado\Application Data

21-02-2007 23:03 <DIR> .
21-02-2007 23:03 <DIR> ..
21-02-2007 23:05 <DIR> bang
22-01-2006 18:30 <DIR> Microsoft
0 archivos 0 bytes
4 dirs 126.631.792.640 bytes libres
[TRACE] Enumerating jobs and queues
[TRACE] Activating job 'AppleSoftwareUpdate.job'
[TRACE] Printing all job properties

ApplicationName: 'C:\Archivos de programa\Apple Software Update\SoftwareUpdate.exe'
Parameters: '-Task'
WorkingDirectory: ''
Comment: ''
Creator: 'Cony'
Priority: NORMAL
MaxRunTime: 259200000 (3d 0:00:00)
IdleWait: 10
IdleDeadline: 60
MostRecentRun: 02/14/2007 7:15:00
NextRun: 02/28/2007 7:15:00
StartError: S_OK
ExitCode: 0
Status: SCHED_S_TASK_READY
ScheduledWorkItem Flags:
DeleteWhenDone = 0
Suspend = 0
StartOnlyIfIdle = 0
KillOnIdleEnd = 0
RestartOnIdleResume = 0
DontStartIfOnBatteries = 0
KillIfGoingOnBatteries = 0
RunOnlyIfLoggedOn = 0
SystemRequired = 0
Hidden = 0
TaskFlags: 0

1 Trigger

Trigger 0:
Type: Weekly
WeeksInterval: 1
DaysOfTheWeek: ...W...
StartDate: 11/11/2006
EndDate: 00/00/0000
StartTime: 07:15
MinutesDuration: 0
MinutesInterval: 0
Flags:
HasEndDate = 0
KillAtDuration = 0
Disabled = 0



Logfile of HijackThis v1.99.1
Scan saved at 16:43:07, on 24-02-2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Archivos de programa\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
c:\Apps\Powercinema\Kernel\TV\CLCapSvc.exe
C:\Archivos de programa\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
C:\Archivos de programa\CyberLink\Shared Files\CLML_NTService\CLMLService.exe
C:\Archivos de programa\Archivos comunes\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\system32\svchost.exe
c:\Apps\Powercinema\Kernel\TV\CLSched.exe
C:\WINDOWS\Explorer.EXE
C:\Archivos de programa\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
C:\Archivos de programa\QuickTime\qttask.exe
C:\Archivos de programa\iTunes\iTunesHelper.exe
C:\Archivos de programa\Archivos comunes\Real\Update_OB\realsched.exe
C:\Archivos de programa\Java\jre1.5.0_09\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Archivos de programa\BitTorrent\bittorrent.exe
C:\Archivos de programa\Save\Save.exe
C:\Archivos de programa\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Archivos de programa\Internet Explorer\IEXPLORE.EXE
C:\Archivos de programa\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Carolaa\Escritorio\hi.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.cl/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.packardbell.cl/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Archivos de programa\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\ARCHIV~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Archivos de programa\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\archivos de programa\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\archivos de programa\google\googletoolbar2.dll
O4 - HKLM\..\Run: [kav] "C:\Archivos de programa\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Archivos de programa\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Archivos de programa\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Archivos de programa\Archivos comunes\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Archivos de programa\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [THUNK CURB SAFE ITCH] C:\Documents and Settings\All Users\Datos de programa\2 bone thunk curb\help frag.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BitTorrent] "C:\Archivos de programa\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKCU\..\Run: [RULE DUMB] C:\DOCUME~1\Carolaa\DATOSD~1\DRAWJU~1\bindclock.exe
O4 - HKCU\..\Run: [WhenUSave] "C:\Archivos de programa\Save\Save.exe"
O4 - Startup: Adobe Gamma.lnk = C:\Archivos de programa\Archivos comunes\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Archivos de programa\Archivos comunes\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Archivos de programa\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: mcregwiz.lnk = C:\Archivos de programa\McAfee.com\Agent\mcregwiz.exe
O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\ARCHIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Consola de Sun Java - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Web Anti-Virus - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Archivos de programa\Kaspersky Lab\Kaspersky Anti-Virus 6.0\scieplugin.dll
O9 - Extra button: Referencia - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARCHIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\ARCHIV~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Filter: text/html - (no CLSID) - (no file)
O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Archivos de programa\Archivos comunes\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Unknown owner - C:\Archivos de programa\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe" -r (file missing)
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - c:\Apps\Powercinema\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - c:\Apps\Powercinema\Kernel\TV\CLSched.exe
O23 - Service: CyberLink Media Library Service - Cyberlink - C:\Archivos de programa\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Archivos de programa\Archivos comunes\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Archivos de programa\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
xsaintseiyax is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Bookmark on Thread SoupReddit!
Old 02-25-2007, 01:40 AM   #5 (permalink)
Analyst, Security Team
 
Sempurna's Avatar
 
Join Date: Sep 2006
Posts: 1,302
OS: Windows XP SP2


Hi xsaintseiyax,

Looks like we would have to manually fix this as the automatic fixer didn’t work.

OK, here’s what we do next.

Do you have Netpumper or Bitgrabber or BitRoll installed? If so, uninstall them via Start -> Control Panel -> Software -> Add or Remove Programs. This is because they are bundled with the malware you are dealing with (Swizzor aka Lop).

Also, please check to see if the following are present in Add or Remove Programs and uninstall them if found:

CiD Manager
CiD Help
Download Plugin for Internet Explorer
Messenger Plus!
Messenger Plus! 2
Messenger Plus! 3
Zone Media
DAEMON Tools WhenU SearchBar
Desktop Toolbar [WhenUSearch]
WhenU CrunchGames Bar
WhenU Save
WhenU SaveNow
WhenUSave
WhenUSearch
WhenUSearch Desktop Toolbar
WhenUSearch Toolbar
WhenUShop

If during uninstall, you are asked for uninstall Verification, please enter the numbers that will appear in the window.

Then reboot. <-- Important!


NEXT:

After reboot, please download Deljob.exe and save it on your desktop.

Double-click Deljob.exe.

A log named logit.txt should open afterwards. This log will be present on your desktop.

Please post the contents of the Deljob.exe log in your next reply together with a new HijackThis log.


NEXT:

Reconfigure Windows XP to show hidden files
  • Click Start -> My Computer.
  • Select the Tools menu and click Folder Options. Select the View tab.
  • Under the Hidden files and folders heading check "Show hidden files and folders".
  • Uncheck the "Hide protected operating system files (recommended)" option.
  • Uncheck the "Hide file extensions for known file types" option.
  • Click Yes to confirm. Click OK.

CAUTION : You will see many folders and files which you may not recognize. Most of these folders and files are LEGITIMATE. Please do NOT delete anything you deem suspicious unless you are specifically instructed to do so. To do otherwise may irreparably damage your system.


NEXT:

Then please run HijackThis and click "Scan." Place checks next to the following entries:

O4 - HKLM\..\Run: [QuickTime Task] "C:\Archivos de programa\QuickTime\qttask.exe" –atboottime
O4 - HKLM\..\Run: [THUNK CURB SAFE ITCH] C:\Documents and Settings\All Users\Datos de programa\2 bone thunk curb\help frag.exe
O4 - HKCU\..\Run: [RULE DUMB] C:\DOCUME~1\Carolaa\DATOSD~1\DRAWJU~1\bindclock.exe
O4 - HKCU\..\Run: [WhenUSave] "C:\Archivos de programa\Save\Save.exe"
O18 - Filter: text/html - (no CLSID) - (no file)


Close ALL browsers (including this one) and other windows except for HijackThis, and click "Fix checked".


NEXT:

Please reboot your computer into Safe Mode by doing the following:
  • Reboot your computer.
  • After hearing your computer beep once during startup, but just before the Windows icon appears, begin tapping the F8 key on your keyboard. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, reboot the computer and try again.
  • Instead of Windows loading as normal, a menu should appear.
  • Using the arrow keys on the keyboard, scroll to and select the Safe Mode menu item, and then press Enter.


NEXT:

Using Windows Explorer, please navigate to and delete the following FOLDERS in BOLD (if they exist):

C:\Archivos de programa\Save
C:\Documents and Settings\All Users\Datos de programa\2 bone thunk curb
C:\Documents and Settings\Carolaa\Datos de programa\DRAWJU~1 <-- the filename begins with DRAWJU…)


Please let me know if you encountered any problems finding or deleting the folders.


NEXT:

Please reboot normally into Windows.

Please post the contents of the Deljob.exe log in your next reply together with a new HijackThis log.
__________________

Keep this forum alive - if you've been helped at this forum, please do consider a donation. Thank you for your support.

Donation link for Tech Support Forum
Last edited by Sempurna; 02-25-2007 at 01:43 AM.
Sempurna is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Bookmark on Thread SoupReddit!
Old 03-02-2007, 04:23 PM   #6 (permalink)
Registered User
 
Join Date: Feb 2007
Posts: 14
OS: XP


Hi, thanks for the help again. There weren't problems deleting the folder.

--------------------------------------------------------
NO LOP JOBS FOUND
--------------------------------------------------------
FILES IN TASKS FOLDER

AppleSoftwareUpdate.job
--------------------------------------------------------
EXPORT APP DATA FOLDERS

El volumen de la unidad C no tiene etiqueta.
El n£mero de serie del volumen es: 9C20-6F48

Directorio de C:\Documents and Settings\Carolaa\Datos de programa

16-02-2007 00:14 <DIR> .
16-02-2007 00:14 <DIR> ..
21-02-2007 19:09 <DIR> Adobe
30-08-2005 17:15 <DIR> AdobeUM
18-11-2005 18:45 <DIR> APPLEC~1 Apple Computer
27-02-2007 10:53 <DIR> BITTOR~1 BitTorrent
02-03-2007 20:26 <DIR> BSplayer
16-02-2007 00:14 <DIR> BSPLAY~1 BSplayer Pro
04-07-2005 09:57 <DIR> CYBERL~1 CyberLink
20-10-2006 12:05 <DIR> DivX
14-02-2007 21:07 <DIR> DRAWJU~1 Draw junk bore
10-12-2006 16:16 <DIR> Google
14-03-2006 22:18 <DIR> Help
04-07-2005 03:07 <DIR> IDENTI~1 Identities
15-02-2007 16:30 <DIR> Lavasoft
30-08-2005 11:55 <DIR> LEADER~1 Leadertech
19-10-2006 18:47 <DIR> MACROM~1 Macromedia
04-09-2005 22:15 <DIR> MCAFEE~1.COM McAfee.com Personal Firewall
19-10-2006 18:43 <DIR> MICROS~1 Microsoft
27-05-2006 10:05 <DIR> MSNINS~1 MSNInstaller
25-12-2006 01:53 <DIR> RADLIG~1 RadLight Company
16-02-2006 14:28 <DIR> Real
30-08-2005 11:55 <DIR> Sonic
31-05-2006 22:06 <DIR> Sun
0 archivos 0 bytes
24 dirs 123.662.065.664 bytes libres
El volumen de la unidad C no tiene etiqueta.
El n£mero de serie del volumen es: 9C20-6F48

Directorio de C:\Documents and Settings\All Users

--------------------------------------------------------



Logfile of HijackThis v1.99.1
Scan saved at 21:20:58, on 02-03-2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
c:\Apps\Powercinema\Kernel\TV\CLCapSvc.exe
C:\Archivos de programa\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
C:\Archivos de programa\CyberLink\Shared Files\CLML_NTService\CLMLService.exe
C:\Archivos de programa\Archivos comunes\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\system32\svchost.exe
c:\Apps\Powercinema\Kernel\TV\CLSched.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Archivos de programa\iTunes\iTunesHelper.exe
C:\Archivos de programa\Archivos comunes\Real\Update_OB\realsched.exe
C:\Archivos de programa\Java\jre1.5.0_09\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Archivos de programa\BitTorrent\bittorrent.exe
C:\Archivos de programa\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Archivos de programa\iPod\bin\iPodService.exe
C:\Documents and Settings\Carolaa\Escritorio\hi.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.cl/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.packardbell.cl/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Archivos de programa\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\ARCHIV~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Archivos de programa\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\archivos de programa\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\archivos de programa\google\googletoolbar2.dll
O4 - HKLM\..\Run: [iTunesHelper] "C:\Archivos de programa\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Archivos de programa\Archivos comunes\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Archivos de programa\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BitTorrent] "C:\Archivos de programa\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - Startup: Adobe Gamma.lnk = C:\Archivos de programa\Archivos comunes\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Archivos de programa\Archivos comunes\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Archivos de programa\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: mcregwiz.lnk = C:\Archivos de programa\McAfee.com\Agent\mcregwiz.exe
O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\ARCHIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Consola de Sun Java - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Referencia - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARCHIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/res...scbase9602.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\ARCHIV~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Archivos de programa\Archivos comunes\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - c:\Apps\Powercinema\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - c:\Apps\Powercinema\Kernel\TV\CLSched.exe
O23 - Service: CyberLink Media Library Service - Cyberlink - C:\Archivos de programa\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Archivos de programa\Archivos comunes\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Archivos de programa\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
xsaintseiyax is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Bookmark on Thread SoupReddit!
Old 03-03-2007, 03:53 AM   #7 (permalink)
Analyst, Security Team
 
Sempurna's Avatar
 
Join Date: Sep 2006
Posts: 1,302
OS: Windows XP SP2


Hi xsaintseiyax,

You’re most welcome, xsaintseiyax.

Let's run some cleanup and diagnostic scans to make sure we're not leaving anything behind.

Please download CCleaner (freeware) and save it to your desktop:
  1. Run the CCleaner installer.
  2. During installation process, please UNCHECK "Add CCleaner Yahoo! Toolbar".
  3. Once installed, run CCleaner and click the Windows tab.
  4. Select the following:
    • Check everything under the Internet Explorer section.
    • Check everything under the Windows Explorer section.
    • Check everything under the System section.
    • Check ONLY Old Prefetch data under the Advanced section.
  5. Then, click the Applications tab:
    • UNCHECK everything there.
  6. Next, click the Options button, then click the Advanced button:
    • UNCHECK : "Only delete files in Windows Temp folders older than 48 hours".
  7. Next, click the Cleaner button, then click the Run Cleaner button (bottom right), then Exit.

CAUTION : Please do NOT use the Issues button. This is a built-in registry cleaner. If you don’t know how to use it, you may cause irreparable damage to your system.


NEXT:

Please do an online scan with Panda ActiveScan:
  1. Once you are on the Panda site click the "Scan your PC" button located at the bottom of the page.
  2. A new window will open... click the "Check Now" button.
  3. Enter your Country.
  4. Enter your State/Province.
  5. Enter your e-mail address.
  6. Select either Home User or Company.
  7. Click the big "Free Online Scan" button.
  8. If it wants to install an ActiveX component allow it.
  9. It will start downloading the files it requires for the scan (Note: It may take a couple of minutes).
  10. When the download is complete, click on "Local Disks" to start the scan.
  11. When the scan completes, if anything malicious is detected, click the "See Report" button; then "Save Report" and save it to a convenient location. Post the contents of the Panda scan report in your next reply.


NEXT:

Please do an online scan with Kaspersky Online Scanner:
  1. Click on Kaspersky Online Scanner.
  2. You will be prompted to install an ActiveX component from Kaspersky, click Yes.
  3. The program will launch and then begin downloading the latest definition files.
  4. Once the files have been downloaded click on Next.
  5. Now click on Scan Settings.
  6. In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
      Extended
    • Scan Options:
      Scan Archives
      Scan Mail Bases
  7. Click OK.
  8. Now under select a target to scan:
    • Select My Computer.
  9. This program will start and scan your system.
  10. The scan will take a while so be patient and let it run.
  11. Once the scan is complete it will display if your system has been infected.
    • Now click on the Save Report As button.
    • In the File name: field, type kavscan.
    • In the Save as type: field, select Text file (*.txt).
  12. Save the file to your desktop.
  13. Copy and paste that information in your next post.

Note for Internet Explorer 7 users: If at any time you have trouble with the Accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75 %. Once the license has been accepted, reset to 100%.


NEXT:

Please download ComboScan by Deckard and save it to your desktop:
  • Close all applications and windows (including this one).
  • Double-click on comboscan.exe to run it, and follow the prompts.
  • When the scan is complete, two text files will open – ComboScan.txt (this one will be maximized) and Supplementary.txt (this one will be minimized).
  • Copy (Ctrl + A then Ctrl + C) and paste (Ctrl + V) the contents of ComboScan.txt in your next reply.
  • Please attach Supplementary.txt to your post.
  • If you are unable to attach Supplementary.txt, then please copy and paste its contents in your post.


NEXT:

Please REBOOT your computer normally into Windows and post these logs in your next reply:
  1. The log from the Panda scan.
  2. The log from the Kaspersky scan.
  3. The logs from ComboScan.

(You might have to paste the logs in multiple posts in the event they are too long and breach the post length of the forum software).

Also, please let me know how things are running now and if you encountered any problems while you were following the directions I posted.
__________________

Keep this forum alive - if you've been helped at this forum, please do consider a donation. Thank you for your support.

Donation link for Tech Support Forum
Sempurna is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Bookmark on Thread SoupReddit!
Old 03-06-2007, 01:56 PM   #8 (permalink)
Registered User
 
Join Date: Feb 2007
Posts: 14
OS: XP


Hi
thanks again.


Incident Status Location

Adware:Adware/SaveNow Not disinfected C:\Documents and Settings\Carolaa\Mis documentos\bsplayer214.942_clip.exe[BSplayer_WhenUSave_InstallerInst.exe]
Adware:Adware/WhenUSearch Not disinfected C:\Documents and Settings\Carolaa\Mis documentos\SetupInstRe.exe
Spyware:Cookie/adultfriendfinder Not disinfected C:\Documents and Settings\Cony\Cookies\cony@adultfriendfinder[2].txt
Spyware:Cookie/Falkag Not disinfected C:\Documents and Settings\Cony\Cookies\cony@as-eu.falkag[2].txt
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Cony\Cookies\cony@atdmt[2].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Cony\Cookies\cony@doubleclick[1].txt
Spyware:Cookie/Hitbox Not disinfected C:\Documents and Settings\Cony\Cookies\cony@hg1.hitbox[1].txt
Spyware:Cookie/Hitbox Not disinfected C:\Documents and Settings\Cony\Cookies\cony@hitbox[2].txt
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\Cony\Cookies\cony@questionmarket[2].txt
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\Cony\Cookies\cony@statcounter[2].txt
Spyware:Cookie/Tradedoubler Not disinfected C:\Documents and Settings\Cony\Cookies\cony@tradedoubler[2].txt
Spyware:Cookie/Weborama Not disinfected C:\Documents and Settings\Cony\Cookies\cony@weborama[1].txt
Spyware:Cookie/Cgi-bin Not disinfected C:\Documents and Settings\Cony\Cookies\cony@www2.addfreestats[1].txt
Spyware:Cookie/Cgi-bin Not disinfected C:\Documents and Settings\Cony\Cookies\cony@www6.addfreestats[1].txt
Spyware:Cookie/Xiti Not disinfected C:\Documents and Settings\Cony\Cookies\cony@xiti[1].txt
Potentially unwanted tool:Application/ErrorSafe Not disinfected C:\Documents and Settings\Cony\Datos de programa\errorsafescannerinstall_es[1].exe
Hacktool:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Cony\Datos de programa\Sun\Java\Deployment\cache\javapi\v1.0\jar\arr3.jar-44f46a27-6de26627.zip[Gummy.class]
Hacktool:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Cony\Datos de programa\Sun\Java\Deployment\cache\javapi\v1.0\jar\arr3.jar-44f46a27-6de26627.zip[Counter.class]
Hacktool:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Cony\Datos de programa\Sun\Java\Deployment\cache\javapi\v1.0\jar\arr3.jar-44f46a27-6de26627.zip[VerifierBug.class]
Virus:Trj/Classloader.AD Disinfected C:\Documents and Settings\Cony\Datos de programa\Sun\Java\Deployment\cache\javapi\v1.0\jar\arr3.jar-44f46a27-6de26627.zip[Beyond.class]
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Invitado\Configuración local\Temp\Cookies\invitado@atdmt[1].txt
Spyware:Cookie/Hitbox Not disinfected C:\Documents and Settings\Invitado\Datos de programa\Mozilla\Firefox\Profiles\iqlkdkt7.default\cookies.txt[.hitbox.com/]
Spyware:Cookie/Hitbox Not disinfected C:\Documents and Settings\Invitado\Datos de programa\Mozilla\Firefox\Profiles\iqlkdkt7.default\cookies.txt[.ehg-eline.hitbox.com/]
Spyware:Cookie/adultfriendfinder Not disinfected C:\Documents and Settings\Invitado\Datos de programa\Mozilla\Firefox\Profiles\iqlkdkt7.default\cookies.txt[.adultfriendfinder.com/]
Spyware:Cookie/Sextracker Not disinfected C:\Documents and Settings\Invitado\Datos de programa\Mozilla\Firefox\Profiles\iqlkdkt7.default\cookies.txt[counter5.sextracker.com/]
Spyware:Cookie/Sextracker Not disinfected C:\Documents and Settings\Invitado\Datos de programa\Mozilla\Firefox\Profiles\iqlkdkt7.default\cookies.txt[.sextracker.com/]
Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\Invitado\Datos de programa\Mozilla\Firefox\Profiles\iqlkdkt7.default\cookies.txt[.casalemedia.com/]
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\Invitado\Datos de programa\Mozilla\Firefox\Profiles\iqlkdkt7.default\cookies.txt[.fastclick.net/]
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Invitado\Datos de programa\Mozilla\Firefox\Profiles\iqlkdkt7.default\cookies.txt[.tribalfusion.com/]
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Invitado\Datos de programa\Mozilla\Firefox\Profiles\iqlkdkt7.default\cookies.txt[ad.yieldmanager.com/]
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Invitado\Datos de programa\Mozilla\Firefox\Profiles\iqlkdkt7.default\cookies.txt[.ad.yieldmanager.com/]
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Invitado\Datos de programa\Mozilla\Firefox\Profiles\iqlkdkt7.default\cookies.txt[.2o7.net/]
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Invitado\Datos de programa\Mozilla\Firefox\Profiles\iqlkdkt7.default\cookies.txt[.atdmt.com/]
Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\Invitado\Datos de programa\Mozilla\Firefox\Profiles\iqlkdkt7.default\cookies.txt[.adrevolver.com/]
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Invitado\Datos de programa\Mozilla\Firefox\Profiles\iqlkdkt7.default\cookies.txt[.doubleclick.net/]
Spyware:Cookie/WUpd Not disinfected C:\Documents and Settings\Invitado\Datos de programa\Mozilla\Firefox\Profiles\iqlkdkt7.default\cookies.txt[.revenue.net/]
Spyware:Cookie/Searchportal Not disinfected C:\Documents and Settings\Invitado\Datos de programa\Mozilla\Firefox\Profiles\iqlkdkt7.default\cookies.txt[searchportal.information.com/]
Spyware:Cookie/Falkag Not disinfected C:\Documents and Settings\Invitado\Datos de programa\Mozilla\Firefox\Profiles\iqlkdkt7.default\cookies.txt[.as-eu.falkag.net/]
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\Invitado\Datos de programa\Mozilla\Firefox\Profiles\iqlkdkt7.default\cookies.txt[.zedo.com/]
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Invitado\Datos de programa\Mozilla\Firefox\Profiles\iqlkdkt7.default\cookies.txt[.advertising.com/]
xsaintseiyax is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Bookmark on Thread SoupReddit!
Old 03-06-2007, 02:00 PM   #9 (permalink)
Registered User
 
Join Date: Feb 2007
Posts: 14
OS: XP


ComboScan v20070226.18 run by Carolaa on 2007-03-06 at 18:21:01
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as Carolaa.exe) ----------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 18:21:02, on 06-03-2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
c:\Apps\Powercinema\Kernel\TV\CLCapSvc.exe
C:\Archivos de programa\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
C:\Archivos de programa\CyberLink\Shared Files\CLML_NTService\CLMLService.exe
C:\Archivos de programa\Archivos comunes\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
c:\Apps\Powercinema\Kernel\TV\CLSched.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Archivos de programa\iTunes\iTunesHelper.exe
C:\Archivos de programa\Archivos comunes\Real\Update_OB\realsched.exe
C:\Archivos de programa\Java\jre1.5.0_09\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Archivos de programa\BitTorrent\bittorrent.exe
C:\Archivos de programa\iPod\bin\iPodService.exe
C:\Archivos de programa\MSN Messenger\msnmsgr.exe
C:\Documents and Settings\Carolaa\Escritorio\comboscan.exe
C:\DOCUME~1\Carolaa\ESCRIT~1\Carolaa.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.cl/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.packardbell.cl/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Archivos de programa\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\ARCHIV~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Archivos de programa\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\archivos de programa\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\archivos de programa\google\googletoolbar2.dll
O4 - HKLM\..\Run: [iTunesHelper] "C:\Archivos de programa\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Archivos de programa\Archivos comunes\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Archivos de programa\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BitTorrent] "C:\Archivos de programa\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - Startup: Adobe Gamma.lnk = C:\Archivos de programa\Archivos comunes\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Archivos de programa\Archivos comunes\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Archivos de programa\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: mcregwiz.lnk = C:\Archivos de programa\McAfee.com\Agent\mcregwiz.exe
O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\ARCHIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Consola de Sun Java - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Referencia - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARCHIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/res...scbase9602.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\ARCHIV~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Archivos de programa\Archivos comunes\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - c:\Apps\Powercinema\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - c:\Apps\Powercinema\Kernel\TV\CLSched.exe
O23 - Service: CyberLink Media Library Service - Cyberlink - C:\Archivos de programa\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Archivos de programa\Archivos comunes\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Archivos de programa\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe


-- Files created between 2007-02-06 and 2007-03-06 ------------------------------

2007-03-06 17:43:10 278 --a------ C:\WINDOWS\system32\pfdnnt_actions.sys<PFDNNT~1.SYS>
2007-03-06 17:43:10 8704 --a------ C:\WINDOWS\system32\pfdnnt.exe
2007-03-06 16:02:31 0 d-------- C:\WINDOWS\system32\ActiveScan<ACTIVE~1>
2007-03-06 16:02:27 0 d-------- C:\WINDOWS\LastGood
2007-03-06 15:34:32 0 d-------- C:\Archivos de programa\CCleaner
2007-02-24 16:28:49 0 d-------- C:\NoLopBackups<NOLOPB~1>
2007-02-21 23:03:39 0 d-------- C:\Documents and Settings\Invitado\Application Data\bang
2007-02-16 00:58:59 0 d-------- C:\Sun
2007-02-15 16:30:04 0 d-------- C:\Archivos de programa\Lavasoft
2007-02-15 03:02:48 0 d-------- C:\WINDOWS\ie7updates<IE7UPD~1>
2007-02-13 1209 2560 -----n--- C:\WINDOWS\system32\drivers\cdralw2k.sys
2007-02-13 1209 2432 -----n--- C:\WINDOWS\system32\drivers\cdr4_xp.sys
2007-02-13 1208 129784 -----n--- C:\WINDOWS\system32\pxafs.dll
2007-02-11 16:29:15 0 d-------- C:\Archivos de programa\Video ActiveX Object<VIDEOA~1>


-- Find3M Report ----------------------------------------------------------------

2007-03-06 16:51:41 0 d-------- C:\Archivos de programa\MSN Messenger<MSNMES~1>
2007-03-06 16:27:27 0 d-------- C:\Archivos de programa\iTunes
2007-03-06 16:25:28 0 d-------- C:\Archivos de programa\iPod
2007-03-06 16:25:18 0 d-------- C:\Archivos de programa\Google
2007-03-06 16:24:59 0 d-------- C:\Archivos de programa\BitTorrent<BITTOR~2>
2007-03-02 20:26:22 0 d-------- C:\Documents and Settings\Carolaa\Datos de programa\BSplayer
2007-03-02 20:26:22 0 d-------- C:\Archivos de programa\Webteh
2007-03-02 20:26:00 0 d-------- C:\Archivos de programa\Archivos comunes<ARCHIV~1>
2007-02-27 10:53:58 0 d-------- C:\Documents and Settings\Carolaa\Datos de programa\BitTorrent<BITTOR~1>
2007-02-26 19:14:08 0 d-------- C:\Archivos de programa\Windows Live Safety Center<WIE5D0~1>
2007-02-21 20:04:22 0 d-------- C:\Archivos de programa\Soulseek
2007-02-21 19:09:53 0 d-------- C:\Documents and Settings\Carolaa\Datos de programa\Adobe
2007-02-16 00:14:04 0 d-------- C:\Documents and Settings\Carolaa\Datos de programa\BSplayer Pro<BSPLAY~1>
2007-02-15 23:59:36 0 d-------- C:\Archivos de programa\Windows Media Connect 2<WINDOW~4>
2007-02-15 16:30:27 0 d-------- C:\Documents and Settings\Carolaa\Datos de programa\Lavasoft
2007-02-13 1221 0 d-------- C:\Archivos de programa\DivX
2007-02-01 20:16:17 0 d-------- C:\Archivos de programa\BitGrabber<BITGRA~1>
2007-02-01 01:56:06 823296 --a------ C:\WINDOWS\system32\divx_xx07.dll<DIVX_X~2.DLL>
2007-02-01 01:56:05 802816 --a------ C:\WINDOWS\system32\divx_xx11.dll<DIVX_X~3.DLL>
2007-02-01 01:56:05 823296 --a------ C:\WINDOWS\system32\divx_xx0c.dll<DIVX_X~1.DLL>
2007-02-01 01:56:04 639066 --a------ C:\WINDOWS\system32\DivX.dll
2007-01-31 18:27:01 524288 --a------ C:\WINDOWS\system32\DivXsm.exe
2007-01-30 20:15:10 118784 --a------ C:\WINDOWS\system32\DivXCodecUpdateChecker.exe<DIVXCO~1.EXE>
2007-01-30 02:03:40 3596288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2007-01-30 02:03:34 118520 -----n--- C:\WINDOWS\system32\pxinsi64.exe
2007-01-30 02:03:34 116472 -----n--- C:\WINDOWS\system32\pxcpyi64.exe
2007-01-30 02:03:26 200704 --a------ C:\WINDOWS\system32\ssldivx.dll
2007-01-30 02:03:26 1044480 --a------ C:\WINDOWS\system32\libdivx.dll
2007-01-30 01:56:56 196608 --a------ C:\WINDOWS\system32\dtu100.dll
2007-01-30 01:56:56 73728 --a------ C:\WINDOWS\system32\dpl100.dll
2007-01-30 01:56:54 53248 --a------ C:\WINDOWS\system32\dpuGUI10.dll
2007-01-30 01:56:52 57344 --a------ C:\WINDOWS\system32\dpv11.dll
2007-01-30 01:56:52 344064 --a------ C:\WINDOWS\system32\dpus11.dll
2007-01-30 01:56:52 593920 --a------ C:\WINDOWS\system32\dpuGUI11.dll
2007-01-30 01:56:52 294912 --a------ C:\WINDOWS\system32\dpu11.dll
2007-01-30 01:56:52 294912 --a------ C:\WINDOWS\system32\dpu10.dll
2007-01-29 05:58:06 60416 -----n--- C:\WINDOWS\system32\tzchange.exe
2007-01-12 09:27:42 232960 --a------ C:\WINDOWS\system32\webcheck.dll
2007-01-12 09:27:42 51712 -----n--- C:\WINDOWS\system32\msfeedsbs.dll<MSFEED~1.DLL>
2007-01-12 09:27:42 458752 -----n--- C:\WINDOWS\system32\msfeeds.dll
2007-01-12 09:27:42 6054400 --a------ C:\WINDOWS\system32\ieframe.dll
2007-01-09 23:33:43 664 --a------ C:\WINDOWS\system32\d3d9caps.dat
2007-01-08 19:04:54 105984 --a------ C:\WINDOWS\system32\url.dll
2007-01-08 19:04:08 102400 --a------ C:\WINDOWS\system32\occache.dll
2007-01-08 19:02:04 266752 --a------ C:\WINDOWS\system32\iertutil.dll
2007-01-08 19:02:04 44544 --a------ C:\WINDOWS\system32\iernonce.dll
2007-01-08 19:02:02 384000 --a------ C:\WINDOWS\system32\iedkcs32.dll
2007-01-08 19:02:02 383488 -----n--- C:\WINDOWS\system32\ieapfltr.dll
2007-01-08 19:02:02 161792 --a------ C:\WINDOWS\system32\ieakui.dll
2007-01-08 19:02:02 230400 --a------ C:\WINDOWS\system32\ieaksie.dll
2007-01-08 19:02:02 153088 --a------ C:\WINDOWS\system32\ieakeng.dll
2007-01-08 19:01:14 17408 --a------ C:\WINDOWS\system32\corpol.dll
2007-01-08 19:00:48 124928 --a------ C:\WINDOWS\system32\advpack.dll
2007-01-08 18:08:14 56832 --a------ C:\WINDOWS\system32\ie4uinit.exe
2007-01-08 18:08:10 13824 --a------ C:\WINDOWS\system32\ieudinit.exe
2006-12-19 18:49:47 134656 --a------ C:\WINDOWS\system32\shsvcs.dll
2006-12-19 15:17:15 334336 --a------ C:\WINDOWS\system32\wiaservc.dll
2006-12-12 13:24:42 12288 --a------ C:\WINDOWS\system32\DivXWMPExtType.dll<DIVXWM~1.DLL>


-- Registry Dump ----------------------------------------------------------------


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\system32\\ctfmon.exe"
"BitTorrent"="\"C:\\Archivos de programa\\BitTorrent\\bittorrent.exe\" --force_start_minimized"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"iTunesHelper"="\"C:\\Archivos de programa\\iTunes\\iTunesHelper.exe\""
"TkBellExe"="\"C:\\Archivos de programa\\Archivos comunes\\Real\\Update_OB\\realsched.exe\" -osboot"
"SunJavaUpdateSched"="\"C:\\Archivos de programa\\Java\\jre1.5.0_09\\bin\\jusched.exe\""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Carolaa^Menú Inicio^Programas^Inicio^Empty.pif]
"path"="C:\\Documents and Settings\\Carolaa\\Menú Inicio\\Programas\\Inicio\\Empty.pif"
"backup"="C:\\WINDOWS\\pss\\Empty.pifStartup"
"location"="Startup"
"command"="C:\\Documents and Settings\\Carolaa\\Menú Inicio\\Programas\\Inicio\\Empty.pif"
"item"="Empty"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="iTunesHelper"
"hkey"="HKLM"
"command"="\"C:\\Archivos de programa\\iTunes\\iTunesHelper.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KAZAA]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="kazaa"
"hkey"="HKLM"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Lexmark 2200 Series]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="lxbvbmgr"
"hkey"="HKLM"
"command"="\"C:\\Archivos de programa\\Lexmark 2200 Series\\lxbvbmgr.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMService]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="PCMService"
"hkey"="HKLM"
"command"="\"c:\\apps\\Powercinema\\PCMService.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\tbon]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="tbon"
"hkey"="HKCU"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="realsched"
"hkey"="HKLM"
"command"="\"C:\\Archivos de programa\\Archivos comunes\\Real\\Update_OB\\realsched.exe\" -osboot"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WhenUSave]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Save"
"hkey"="HKCU"
"inimapping"="0"


[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"WPDShServiceObj"="{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\system32\\CTFMON.EXE"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\system32\\CTFMON.EXE"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
WudfServiceGroup REG_MULTI_SZ WUDFSvc\0\0



-- End of ComboScan: finished at 2007-03-06 at 18:21:21 -------------------------
xsaintseiyax is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Bookmark on Thread SoupReddit!
Old 03-06-2007, 02:03 PM   #10 (permalink)
Registered User
 
Join Date: Feb 2007
Posts: 14
OS: XP


I attacched the kaspersky report cause is too big and de supplementary.txt
Attached Files
File Type: txt kavscan.txt (958.4 KB, 1 views)
File Type: txt Supplementary.txt (18.6 KB, 0 views)
xsaintseiyax is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Bookmark on Thread SoupReddit!
Old 03-06-2007, 06:32 PM   #11 (permalink)
Analyst, Security Team
 
Sempurna's Avatar
 
Join Date: Sep 2006
Posts: 1,302
OS: Windows XP SP2


Hi xsaintseiyax,

You’re most welcome, xsaintseiyax. Glad to be of some help.

OK, just some leftovers to take care of.

Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below (don't forget to copy and paste REGEDIT4 as well):

Code:
REGEDIT4

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KAZAA]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WhenUSave]
Save this as fix.reg and change the "Save as type" to "All Files" and place it on your desktop.

It should look like this:

Double-click on it and when it asks you if you want to merge the contents to the registry, click "Yes" or "OK". You should receive a message that it was successful.

In case you still are unsure on how to create a REG file, please take a look HERE with screenshots.


NEXT:

Please delete these FILES:

C:\Documents and Settings\Carolaa\Mis documentos\bsplayer214.942_clip.exe
C:\Documents and Settings\Carolaa\Mis documentos\SetupInstRe.exe
C:\Documents and Settings\Cony\Datos de programa\Sun\Java\Deployment\cache\javapi\v1.0\jar\arr3.jar-44f46a27-6de26627.zip
C:\WINDOWS\system32\d3d9caps.dat
C:\Documents and Settings\Carolaa\Mis documentos\SetupInstRe.exe


And please delete this FOLDER:

C:\Archivos de programa\Video ActiveX Object


How are things running now?
__________________

Keep this forum alive - if you've been helped at this forum, please do consider a donation. Thank you for your support.

Donation link for Tech Support Forum
Sempurna is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Bookmark on Thread SoupReddit!
Old 03-07-2007, 04:34 PM   #12 (permalink)
Registered User
 
Join Date: Feb 2007
Posts: 14
OS: XP


Hi, things are running better now, don't you need a hijackthis log?
thanks for the help.
xsaintseiyax is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Bookmark on Thread SoupReddit!
Old 03-07-2007, 09:32 PM   #13 (permalink)
Analyst, Security Team
 
Sempurna's Avatar
 
Join Date: Sep 2006
Posts: 1,302
OS: Windows XP SP2


Hi xsaintseiyax,

You're most welcome, xsaintseiyax. I'm glad to hear that things are running better now.

Yep, let's look at one last HijackThis log before we let you go home.
__________________

Keep this forum alive - if you've been helped at this forum, please do consider a donation. Thank you for your support.

Donation link for Tech Support Forum
Sempurna is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Bookmark on Thread SoupReddit!
Old 03-08-2007, 07:12 AM   #14 (permalink)
Registered User
 
Join Date: Feb 2007
Posts: 14
OS: XP


hi!, i hope this is the last hijackthis log. thanks for the help :)

Logfile of HijackThis v1.99.1
Scan saved at 12:10:40, on 08-03-2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
c:\Apps\Powercinema\Kernel\TV\CLCapSvc.exe
C:\Archivos de programa\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
C:\Archivos de programa\CyberLink\Shared Files\CLML_NTService\CLMLService.exe
C:\Archivos de programa\Archivos comunes\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\system32\svchost.exe
c:\Apps\Powercinema\Kernel\TV\CLSched.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Archivos de programa\iTunes\iTunesHelper.exe
C:\Archivos de programa\Archivos comunes\Real\Update_OB\realsched.exe
C:\Archivos de programa\Java\jre1.5.0_09\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Archivos de programa\BitTorrent\bittorrent.exe
C:\Archivos de programa\iPod\bin\iPodService.exe
C:\Archivos de programa\MSN Messenger\msnmsgr.exe
C:\Documents and Settings\Carolaa\Escritorio\hi.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.cl/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.packardbell.cl/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Archivos de programa\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\ARCHIV~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Archivos de programa\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\archivos de programa\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\archivos de programa\google\googletoolbar2.dll
O4 - HKLM\..\Run: [iTunesHelper] "C:\Archivos de programa\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Archivos de programa\Archivos comunes\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Archivos de programa\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BitTorrent] "C:\Archivos de programa\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - Startup: Adobe Gamma.lnk = C:\Archivos de programa\Archivos comunes\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Archivos de programa\Archivos comunes\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Archivos de programa\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: mcregwiz.lnk = C:\Archivos de programa\McAfee.com\Agent\mcregwiz.exe
O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\ARCHIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Consola de Sun Java - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Referencia - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARCHIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/res...scbase9602.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\ARCHIV~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Archivos de programa\Archivos comunes\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - c:\Apps\Powercinema\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - c:\Apps\Powercinema\Kernel\TV\CLSched.exe
O23 - Service: CyberLink Media Library Service - Cyberlink - C:\Archivos de programa\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Archivos de programa\Archivos comunes\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Archivos de programa\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
xsaintseiyax is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Bookmark on Thread SoupReddit!
Old 03-08-2007, 08:12 AM   #15 (permalink)
Analyst, Security Team
 
Sempurna's Avatar
 
Join Date: Sep 2006
Posts: 1,302
OS: Windows XP SP2


Hi xsaintseiyax,

You’re most welcome, xsaintseiyax.

Just some loose ends to tie up, and then we can let you go home. :)


Reconfigure Windows XP to disable viewing of hidden files/folders:
  • Click Start -> My Computer.
  • Select the Tools menu and click Folder Options. Select the View tab.
  • Under the Hidden files and folders heading uncheck "Show hidden files and folders".
  • Check the "Hide protected operating system files (recommended)" option.
  • Check the "Hide file extensions for known file types" option.
  • Click Yes to confirm. Click OK.


NEXT:

Your version of Sun Java is out-of-date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older Java version components and update:
  • CLICK HERE to download the offline installer.
    • Select Java Runtime Environment (JRE) 6 and click the Download button to the right.
    • Check the box that says Accept License Agreement.
    • Click on the link to download Windows Offline Installation, Multi-language.
    • Save the file to your desktop.
  • Next, uninstall your currently installed version from Add/Remove Programs.
  • If you have older versions listed uninstall them also. If you simply update to the new version it leaves the older versions still installed, complete with previous vulnerabilities.
  • Examples of older versions in Add/Remove Programs:
    • Java 2 Runtime Environment, SE v1.4.2
    • J2SE Runtime Environment 5.0
    • J2SE Runtime Environment 5.0 Update 2
  • Reboot your system.
  • Install the new version by double-clicking on the file you downloaded.


NEXT:

Everything looks great --- your HijackThis log appears to be clean.

Please take some time reading this list; it is full of great tools and utilities to help you understand how you got infected and how to keep from getting infected again.
  • Windows Updates (a must!)
    It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. You can either click on the link above and bookmark the updates page, or open Internet Explorer, then go to the Tools menu -> Windows Update, and follow the online instructions from there.

  • Firewall (a must!)
    It is definitely a must have. Some good FREE versions are Comodo, Outpost, or ZoneAlarm.
    Note: You must only use 1 (one) firewall at a time because if you have 2 or more firewalls running at the same time, they will conflict with each other and make your security less reliable. Please also remember to turn off Windows Firewall once you have installed a new firewall.

  • Anti-Virus (a must!)
    It is also a must have. I would recommend this excellent and FREE program, Active Virus Shield powered by Kaspersky (NOTE: please do NOT install the Security Toolbar that comes with it).
    Other good and FREE alternatives are AntiVir, Avast!, and AVG.
    Note: You must only use 1 (one) AV at a time because if you have 2 or more AVs running at the same time, they will conflict with each other and make your security less reliable.

  • SpywareBlaster
    This is a great FREE prevention tool to keep nasties from installing on your system.
    Tutorial: How to use!

  • IE-SPYAD
    This FREE tool puts over 5000 sites in your IE Restricted Zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
    Tutorial: How to use!

  • Spybot - Search & Destroy
    This is a very powerful FREE tool that can search for and annihilate nasties that make it onto your system. Please also remember to enable Spybot's "Immunize" and "TeaTimer" features for realtime protection.
    Tutorial: How to use!

  • Ad-Aware SE
    This is another very powerful FREE tool that searches for and kills nasties that infect your system. Ad-Aware SE and Spybot Search & Destroy compliment each other very well.
    Tutorial: How to use!

  • AVG Anti-Spyware
    This is an excellent FREE scanner to look for trojans and other nasties that might be residing in your system.
    User Manual: How to use!

  • SUPERAntiSpyware
    This is another excellent FREE scanner to look for nasties that might be lurking in your system. SUPERAntiSpyware and AVG Anti-Spyware compliment each other very well.
    Quick Guide: How to use!

Please also read Tony Klein's excellent article How I got Infected in the First Place and this CastleCops article Malware Prevention: Prevent Re-infection.

Hopefully this should take care of your problems! Good luck!



Please respond one more time and let me know you received this post, so that it can be marked as resolved, unless you have other problems.
__________________

Keep this forum alive - if you've been helped at this forum, please do consider a donation. Thank you for your support.

Donation link for Tech Support Forum
Sempurna is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Bookmark on Thread SoupReddit!
 

« Previous Thread | Next Thread »

Thread Tools

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts
BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Trackbacks are Off
Pingbacks are Off
Refbacks are Off



All times are GMT -7. The time now is 11:48 AM.

Contact Us - Tech Support Forum - Archive - Privacy Statement - Top


Copyright 2001 - 2009, Tech Support Forum
Home Tips Plus | Outdoor Basecamp | Automotive Support Forum

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84