Status: Not open for further replies.
1 - 3 of 3 Posts

·
Registered
Joined
·
1 Posts
Discussion Starter · #1 ·
Hello,
I have spyware on my PC that I cannot get rid of.
It started yesterday: when I opened Internet Explorer it redirected itself to a gamerz.com web site and after a while it closed the window. I installed the HijackThis program and at first I couldn't get it to run, or even open; it closed itself after a couple of seconds. I don't know what I did, but after some trying HijackThis ran and managed to delete all the hosts and IPs. After this, I ran the PC Tools Spyware Doctor and it was supposed to be clean.
Today I turned on the computer and there it is again, the same problems as yesterday, but today I cannot get HijackThis to run. Did some research on some forums and decided to try Combofix.
Here is the Combofix log; could someone help by telling me what to do next so I can get rid of this spyware and clean my PC for good?
Thanks

ComboFix 09-05-28.07 - Usuario 29/05/2009 12:31.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.34.3082.18.2036.1535 [GMT -5:00]
Running from: c:\documents and settings\Usuario\Escritorio\funstuff.exe.exe
AV: ESET Smart Security 3.0 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
FW: Cortafuegos personal de ESET *disabled* {E5E70D32-0101-4340-86A3-A7B0F1C8FFE0}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\TEMP\logishrd\LVPrcInj01.dll
c:\windows\winlogon.exe

.
((((((((((((((((((((((((( Files Created from 2009-04-28 to 2009-05-29 )))))))))))))))))))))))))))))))
.

2009-05-29 17:24 . 2009-05-29 17:24 130216 ----a-w c:\windows\wlo.exe
2009-05-28 18:51 . 2008-12-11 13:38 159600 ----a-w c:\windows\system32\drivers\pctgntdi.sys
2009-05-28 18:51 . 2009-03-06 21:45 130424 ----a-w c:\windows\system32\drivers\PCTCore.sys
2009-05-28 18:51 . 2008-12-18 17:16 73840 ----a-w c:\windows\system32\drivers\PCTAppEvent.sys
2009-05-28 18:51 . 2009-05-28 18:51 -------- d-----w c:\archivos de programa\Archivos comunes\PC Tools
2009-05-28 18:51 . 2008-12-10 17:36 64392 ----a-w c:\windows\system32\drivers\pctplsg.sys
2009-05-28 18:51 . 2009-05-29 13:45 -------- d-----w c:\archivos de programa\Spyware Doctor
2009-05-28 18:51 . 2009-05-28 18:51 -------- d-----w c:\documents and settings\Usuario\Datos de programa\PC Tools
2009-05-28 18:51 . 2009-05-28 18:51 -------- d-----w c:\documents and settings\All Users\Datos de programa\PC Tools
2009-05-28 18:47 . 2009-05-28 18:47 50968 ----a-w c:\windows\system32\avgfwdx.dll
2009-05-28 18:47 . 2009-05-28 18:47 29208 ----a-w c:\windows\system32\drivers\avgfwdx.sys
2009-05-28 18:47 . 2009-05-28 18:47 -------- d-----w c:\documents and settings\All Users\Datos de programa\avg8
2009-05-28 18:08 . 2009-05-29 17:17 -------- d-----w c:\archivos de programa\Google
2009-05-28 17:43 . 2009-05-28 17:43 -------- d-----w c:\documents and settings\Usuario\Datos de programa\AVG8
2009-05-28 17:43 . 2009-05-28 17:41 839880 ----a-w c:\archivos de programa\avg_iswt_stb_all_8_22.exe
2009-05-28 17:17 . 2009-05-28 17:16 1308216 ----a-w c:\archivos de programa\abc.exe
2009-05-28 17:00 . 2009-05-29 17:30 -------- d---a-w c:\documents and settings\All Users\Datos de programa\TEMP
2009-05-28 15:59 . 2009-05-29 17:23 14336 ----a-w c:\windows\winhelp32.exe
2009-05-26 16:19 . 2009-05-26 16:19 -------- d-----w c:\archivos de programa\AVG
2009-05-26 15:57 . 2009-05-26 16:12 -------- d-----w c:\archivos de programa\AVG Antivirus
2009-05-22 22:55 . 2009-05-22 22:55 -------- d-----w c:\archivos de programa\pdfsam
2009-05-16 17:26 . 2009-05-17 00:10 -------- d-----w c:\documents and settings\All Users\Datos de programa\NOS
2009-05-16 17:26 . 2009-05-17 00:10 -------- d-----w c:\archivos de programa\NOS
2009-05-16 17:16 . 2009-05-16 17:16 -------- d-----w c:\documents and settings\Usuario\Mis documentos
2009-05-12 10:21 . 2009-05-12 10:40 -------- d-----w c:\documents and settings\Usuario\Datos de programa\Apple Computer
2009-05-12 10:21 . 2009-03-19 14:32 23400 ----a-w c:\windows\system32\drivers\GEARAspiWDM.sys
2009-05-12 10:21 . 2008-04-17 10:12 107368 ----a-w c:\windows\system32\GEARAspi.dll
2009-05-12 10:21 . 2009-05-12 10:21 -------- d-----w c:\archivos de programa\iPod
2009-05-12 10:21 . 2009-05-12 10:21 -------- d-----w c:\documents and settings\All Users\Datos de programa\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-05-12 10:21 . 2009-05-12 10:21 -------- d-----w c:\documents and settings\All Users\Datos de programa\Apple Computer
2009-05-12 10:20 . 2009-05-12 10:20 -------- d-----w c:\archivos de programa\Apple Software Update
2009-05-12 10:20 . 2009-03-26 13:23 36864 ----a-w c:\windows\system32\drivers\usbaapl.sys
2009-05-12 10:20 . 2009-03-26 13:23 1900544 ----a-w c:\windows\system32\usbaaplrc.dll
2009-05-12 10:20 . 2009-05-12 10:20 -------- d-----w c:\documents and settings\All Users\Datos de programa\Apple
2009-05-12 10:20 . 2009-05-12 10:20 -------- d-----w c:\archivos de programa\Archivos comunes\Apple
2009-05-06 18:35 . 2009-05-25 04:50 -------- d-----w c:\documents and settings\Usuario\Datos de programa\CyberLink
2009-05-06 18:35 . 2009-05-06 18:35 -------- d-----w c:\documents and settings\All Users\Datos de programa\CyberLink

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-29 14:27 . 2009-02-28 01:07 -------- d-----w c:\documents and settings\Usuario\Datos de programa\Skype
2009-05-28 02:15 . 2009-02-28 01:08 -------- d-----w c:\documents and settings\Usuario\Datos de programa\skypePM
2009-05-17 00:11 . 2001-08-24 10:00 78086 ----a-w c:\windows\system32\perfc00A.dat
2009-05-17 00:11 . 2001-08-24 10:00 457280 ----a-w c:\windows\system32\perfh00A.dat
2009-05-16 17:16 . 2008-05-15 08:12 -------- d-----w c:\archivos de programa\Archivos comunes\Adobe
2009-05-12 10:21 . 2008-05-15 08:19 -------- d-----w c:\archivos de programa\Bonjour
2009-05-12 10:21 . 2008-05-15 08:34 -------- d-----w c:\archivos de programa\QuickTime
2009-04-29 13:59 . 2009-04-29 13:59 -------- d-----w c:\archivos de programa\Microsoft Office Outlook Connector
2009-04-29 13:59 . 2009-03-17 20:53 -------- d-----w c:\archivos de programa\Windows Live
2009-04-29 13:59 . 2009-04-29 13:59 -------- d-----w c:\archivos de programa\Microsoft Sync Framework
2009-04-24 07:29 . 2008-05-15 08:30 -------- d-----w c:\documents and settings\All Users\Datos de programa\FLEXnet
2009-04-04 09:17 . 2009-04-04 09:17 -------- d-----w c:\archivos de programa\Microsoft SQL Server Compact Edition
2009-04-02 14:29 . 2009-04-02 14:29 75048 ----a-w c:\documents and settings\All Users\Datos de programa\Apple Computer\Installer Cache\iTunes 8.1.1.10\SetupAdmin.exe
2009-03-19 14:32 . 2009-03-19 14:32 23400 ----a-w c:\documents and settings\All Users\Datos de programa\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}\x86\x86\GEARAspiWDM.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="c:\archivos de programa\Skype\Phone\Skype.exe" [2009-02-04 23975720]
"MSMSGS"="c:\archivos de programa\Messenger\msmsgs.exe" [2004-08-19 1667584]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"egui"="c:\archivos de programa\ESET\ESET Smart Security\egui.exe" [2008-03-18 1443072]
"LogitechCommunicationsManager"="c:\archivos de programa\Archivos comunes\LogiShrd\LComMgr\Communications_Helper.exe" [2008-02-13 564496]
"LogitechQuickCamRibbon"="c:\archivos de programa\Logitech\QuickCam\Quickcam.exe" [2008-02-13 2196240]
"QuickTime Task"="c:\archivos de programa\QuickTime\qttask.exe" [2009-01-05 413696]
"iTunesHelper"="d:\melanie\iTunes\iTunesHelper.exe" [2009-04-02 342312]
"Adobe Reader Speed Launcher"="c:\archivos de programa\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-19 15360]

c:\documents and settings\All Users\Men£ Inicio\Programas\Inicio\
Logitech Desktop Messenger.lnk - c:\archivos de programa\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe [2009-2-5 66864]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Archivos de programa\\Skype\\Phone\\Skype.exe"=
"c:\\WINDOWS\\wlo.exe"=

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [28/05/2009 01:51 p.m. 130424]
R2 ekrn;Eset Service;c:\archivos de programa\ESET\ESET Smart Security\ekrn.exe [18/03/2008 05:00 a.m. 468224]
R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [29/04/2009 08:59 a.m. 55152]
S3 Avgfwdx;Avgfwdx;c:\windows\system32\drivers\avgfwdx.sys [28/05/2009 01:47 p.m. 29208]
S3 Avgfwfd;AVG network filter service;c:\windows\system32\drivers\avgfwdx.sys [28/05/2009 01:47 p.m. 29208]
S3 fsssvc;Windows Live Protección Infantil;c:\archivos de programa\Windows Live\Family Safety\fsssvc.exe [06/02/2009 11:08 a.m. 533360]
S3 sdAuxService;PC Tools Auxiliary Service;c:\archivos de programa\Spyware Doctor\pctsAuxs.exe [28/05/2009 01:51 p.m. 348752]
.
Contents of the 'Scheduled Tasks' folder

2009-05-28 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\archivos de programa\Apple Software Update\SoftwareUpdate.exe [2008-07-30 10:34]
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-AVG8_TRAY - c:\archiv~1\AVG\AVG8\avgtray.exe
SafeBoot-procexp90.Sys


.
------- Supplementary Scan -------
.
uStart Page = hxxp:\\www.zonagamerz.com
mStart Page = hxxp:\\www.zonagamerz.com
uInternet Connection Wizard,ShellNext = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Convertir a Adobe PDF - c:\archivos de programa\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convertir destino de vínculo en archivo Adobe PDF - c:\archivos de programa\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convertir selección a Adobe PDF - c:\archivos de programa\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convertir vínculos seleccionados a Adobe PDF - c:\archivos de programa\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: E&xportar a Microsoft Excel - c:\archiv~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\archivos de programa\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-29 12:35
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(5248)
c:\windows\TEMP\logishrd\LVPrcInj01.dll
c:\windows\system32\msi.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\archivos de programa\Archivos comunes\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\archivos de programa\Bonjour\mDNSResponder.exe
c:\archivos de programa\Archivos comunes\LogiShrd\LVCOMSER\LVComSer.exe
c:\archivos de programa\Archivos comunes\LogiShrd\LVMVFM\LVPrcSrv.exe
c:\archivos de programa\Archivos comunes\Protexis\License Service\PsiService_2.exe
c:\archivos de programa\CyberLink\Shared Files\RichVideo.exe
c:\archivos de programa\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\archivos de programa\Archivos comunes\LogiShrd\LVCOMSER\LVComSer.exe
c:\archivos de programa\iPod\bin\iPodService.exe
c:\archivos de programa\Archivos comunes\LogiShrd\LQCVFX\COCIManager.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-05-29 12:36 - machine was rebooted
ComboFix-quarantined-files.txt 2009-05-29 17:36

Pre-Run: 65,053,888,512 bytes libres
Post-Run: 68,305,620,992 bytes libres
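Reading the posted log for its security-relevant indicators, as an added example that is not code from the original post or from ComboFix: a Python script that walks ComboFix-style lines and flags the signals an analyst would key on here (security products reported disabled, Security Center overrides, the Windows Firewall switched off and an unknown binary added to its allowed list, core binaries or lookalike names dropped directly into c:\windows, and a hijacked IE start page). The sample lines are copied from the log above; the allowlist of binaries legitimately kept in the Windows root, the severities and the one-character lookalike heuristic are the example's own assumptions.

```python
"""Triage of ComboFix-style log lines for the indicators seen in the thread above."""
import re
from typing import List, Tuple

# Sample lines copied from the posted ComboFix log (trailing GUIDs dropped).
SAMPLE_LOG = r"""
AV: ESET Smart Security 3.0 *On-access scanning disabled* (Updated)
FW: Cortafuegos personal de ESET *disabled*
c:\windows\winlogon.exe
2009-05-29 17:24 . 2009-05-29 17:24 130216 ----a-w c:\windows\wlo.exe
2009-05-28 15:59 . 2009-05-29 17:23 14336 ----a-w c:\windows\winhelp32.exe
2009-05-28 18:51 . 2009-03-06 21:45 130424 ----a-w c:\windows\system32\drivers\PCTCore.sys
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\wlo.exe"=
uStart Page = hxxp:\\www.zonagamerz.com
mStart Page = hxxp:\\www.zonagamerz.com
"""

# Binaries Windows XP legitimately keeps directly in c:\windows. Assumption: a short
# illustrative allowlist for this example, not an authoritative inventory.
WINDOWS_ROOT_ALLOWLIST = {
    "explorer.exe", "notepad.exe", "regedit.exe", "hh.exe", "winhlp32.exe",
    "write.exe", "taskman.exe", "twunk_16.exe", "twunk_32.exe",
}
# Core system binaries whose only legitimate home is c:\windows\system32.
SYSTEM32_ONLY = {"winlogon.exe", "csrss.exe", "lsass.exe", "services.exe",
                 "smss.exe", "svchost.exe"}

# A file sitting directly in c:\windows (no further subdirectory).
WIN_ROOT_FILE = re.compile(r'(?i)c:\\windows\\([^\\/:*?"<>|\s]+\.(?:exe|dll|sys|com|scr))(?!\\)')
SECURITY_STATE = re.compile(r"^(AV|FW): (.+?) \*(.+?)\*")
SC_OVERRIDE = re.compile(r'^"(AntiVirusOverride|FirewallOverride|AntiVirusDisableNotify|'
                         r'FirewallDisableNotify|UpdatesDisableNotify)"=dword:0*1$')
FIREWALL_OFF = re.compile(r'^"EnableFirewall"=\s*0\b')
START_PAGE = re.compile(r"^([um])Start Page = hxxps?:[\\/]+([^\\/\s]+)")

Finding = Tuple[str, str]  # (severity, description)


def lookalike_of(name: str, known: set) -> str:
    """Return a known name that differs from `name` by one inserted/deleted character, else ''."""
    for k in known:
        longer, shorter = (name, k) if len(name) > len(k) else (k, name)
        if len(longer) - len(shorter) != 1:
            continue
        for i in range(len(longer)):
            if longer[:i] + longer[i + 1:] == shorter:
                return k
    return ""


def triage(log_text: str) -> List[Finding]:
    """Walk the log once, remembering the current registry section, and collect findings."""
    findings: List[Finding] = []
    section = ""
    for raw in log_text.splitlines():
        # ComboFix doubles backslashes inside quoted registry values; normalise them.
        line = raw.strip().replace("\\\\", "\\")
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        m = SECURITY_STATE.match(line)
        if m and "disabled" in m.group(3).lower():
            findings.append(("high", f"{m.group(1)} {m.group(2)}: {m.group(3)}"))
            continue
        m = SC_OVERRIDE.match(line)
        if m:
            findings.append(("high", f"Security Center {m.group(1)}=1: status warnings suppressed"))
            continue
        if FIREWALL_OFF.match(line):
            findings.append(("high", "Windows Firewall disabled for the standard profile"))
            continue
        m = START_PAGE.match(line)
        if m:
            scope = "user" if m.group(1) == "u" else "machine"
            findings.append(("medium", f"IE {scope} start page set to {m.group(2)}"))
            continue
        for m in WIN_ROOT_FILE.finditer(line):
            name = m.group(1).lower()
            if name in SYSTEM32_ONLY:
                findings.append(("high", f"{m.group(0)}: {name} belongs in system32, a copy in the Windows root is an impostor"))
            elif name not in WINDOWS_ROOT_ALLOWLIST:
                twin = lookalike_of(name, WINDOWS_ROOT_ALLOWLIST | SYSTEM32_ONLY)
                if "authorizedapplications" in section:
                    findings.append(("high", f"{m.group(0)}: unknown binary authorised through the Windows Firewall"))
                elif twin:
                    findings.append(("high", f"{m.group(0)}: name is a lookalike of legitimate {twin}"))
                else:
                    findings.append(("medium", f"{m.group(0)}: unknown binary in the Windows root"))
    return findings


def summarize(findings: List[Finding]) -> dict:
    """Count findings per severity."""
    counts: dict = {}
    for sev, _ in findings:
        counts[sev] = counts.get(sev, 0) + 1
    return counts


if __name__ == "__main__":
    for sev, desc in triage(SAMPLE_LOG):
        print(f"[{sev:6}] {desc}")
    print(summarize(triage(SAMPLE_LOG)))
```

Run against the posted lines it reports eight high-severity findings: the deleted c:\windows\winlogon.exe (the genuine file lives in system32), winhelp32.exe as a one-character lookalike of the legitimate winhlp32.exe, wlo.exe authorised through the firewall, ESET's on-access scanning and firewall reported disabled together with the two Security Center overrides that silence the warning about them, and the firewall policy switched off; the medium findings are wlo.exe in the 'Files Created' list and the user and machine start pages both pointing at www.zonagamerz.com, which matches the redirect the poster describes. Section tracking is what turns the same wlo.exe path from a medium in the file list into a high once it appears under AuthorizedApplications.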

#2 · TSF-Emeritus (15,384 Posts)
Hello and welcome to TSF.

Quote: "Did some research on some forums and decided to try Combofix."
First, it's not a good idea to follow the fixes for other machines. Infections are machine specific.

Second, Combofix should only be run under the supervision/request of a trained analyst.

As seen in Post #2 of our sticky topic 'NEW INSTRUCTIONS Read this Before Posting For Malware Removal Help':

Why we don't ask you to run ComboFix from the onset

As stated by the author of ComboFix:

"ComboFix is a very powerful tool which when improperly used may render your machine to a doorstop."

We first need to verify if there are any rootkits present and how they could affect our tools. DDS & GMER are preliminary scans. We use their logs to map our strategy for attack.

With these logs we can determine the infections present & decide whether to deploy ComboFix.
We want all our members to perform the steps outlined in the link given below, before posting for assistance. Please follow our pre-posting process outlined here:

http://www.techsupportforum.com/f50...-posting-for-malware-removal-help-305963.html

After running through all the steps, you shall have a proper set of logs.

If you have trouble with one of the steps, simply move on to the next one, and make note of it in your reply.

Please note that the forum is very busy and if I don't hear from you within three days this thread will be closed.