Computer Hope

Software => Computer viruses and spyware => Topic started by: sparowha on February 09, 2010, 03:14:51 PM

Title: Hello I cant use any other search engine but search.com cant remove problem
Post by: sparowha on February 09, 2010, 03:14:51 PM
Hello and thank you in advance for any advice or help, everybody. The problem that my computer has started about three weeks ago. Basically it's simple: I can't use any search engine; every time I try I get redirected to search.com, and I was using that for my search... yes, like an idiot. I knew I had a problem but I was desperate to finish the work I was doing, until about 2 days later Mozilla kept opening by itself and trying to download something. Well, it finally did while I was getting some pop and it downloaded this crap called security tool that opened up with false virus warnings and all kinds of stuff. Here are my logs. The security tool crap appears to be gone after avast, superanti spyware and mbwb, but I still can't use any other search engine. I think this bug is in deep and I am in need of assistance. Thank you again for any help.

Hijackthis log
Code:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:05:17 PM, on 2/9/2010
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Archivos de programa\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\Explorer.EXE
C:\Archivos de programa\Archivos comunes\Java\Java Update\jusched.exe
C:\ARCHIV~1\ALWILS~1\Avast5\avastUI.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Archivos de programa\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Archivos de programa\Java\jre6\bin\jqs.exe
C:\Archivos de programa\Archivos comunes\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Archivos de programa\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlservr.exe
C:\Archivos de programa\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe
C:\Archivos de programa\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Archivos de programa\Yahoo!\Companion\Installs\cpn\ytbb.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Archivos de programa\Trend Micro\HijackThis\sniper.exe.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.live.com/sphome.aspx
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.live.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/?fr=fp-yma2
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/?fr=fp-yma2
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.live.com/sphome.aspx
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Archivos de programa\Yahoo!\Companion\Installs\cpn\yt.dll
O1 - Hosts: 74.125.45.100 4-open-davinci.com
O1 - Hosts: 74.125.45.100 securitysoftwarepayments.com
O1 - Hosts: 74.125.45.100 privatesecuredpayments.com
O1 - Hosts: 74.125.45.100 secure.privatesecuredpayments.com
O1 - Hosts: 74.125.45.100 getantivirusplusnow.com
O1 - Hosts: 74.125.45.100 secure-plus-payments.com
O1 - Hosts: 74.125.45.100 www.getantivirusplusnow.com
O1 - Hosts: 74.125.45.100 www.secure-plus-payments.com
O1 - Hosts: 74.125.45.100 www.getavplusnow.com
O1 - Hosts: 74.125.45.100 www.securesoftwarebill.com
O1 - Hosts: 74.125.45.100 secure.paysecuresystem.com
O1 - Hosts: 74.125.45.100 paysoftbillsolution.com
O1 - Hosts: 64.86.16.97 google.ae
O1 - Hosts: 64.86.16.97 google.as
O1 - Hosts: 64.86.16.97 google.at
O1 - Hosts: 64.86.16.97 google.az
O1 - Hosts: 64.86.16.97 google.ba
O1 - Hosts: 64.86.16.97 google.be
O1 - Hosts: 64.86.16.97 google.bg
O1 - Hosts: 64.86.16.97 google.bs
O1 - Hosts: 64.86.16.97 google.ca
O1 - Hosts: 64.86.16.97 google.cd
O1 - Hosts: 64.86.16.97 google.com.gh
O1 - Hosts: 64.86.16.97 google.com.hk
O1 - Hosts: 64.86.16.97 google.com.jm
O1 - Hosts: 64.86.16.97 google.com.mx
O1 - Hosts: 64.86.16.97 google.com.my
O1 - Hosts: 64.86.16.97 google.com.na
O1 - Hosts: 64.86.16.97 google.com.nf
O1 - Hosts: 64.86.16.97 google.com.ng
O1 - Hosts: 64.86.16.97 google.ch
O1 - Hosts: 64.86.16.97 google.com.np
O1 - Hosts: 64.86.16.97 google.com.pr
O1 - Hosts: 64.86.16.97 google.com.qa
O1 - Hosts: 64.86.16.97 google.com.sg
O1 - Hosts: 64.86.16.97 google.com.tj
O1 - Hosts: 64.86.16.97 google.com.tw
O1 - Hosts: 64.86.16.97 google.dj
O1 - Hosts: 64.86.16.97 google.de
O1 - Hosts: 64.86.16.97 google.dk
O1 - Hosts: 64.86.16.97 google.dm
O1 - Hosts: 64.86.16.97 google.ee
O1 - Hosts: 64.86.16.97 google.fi
O1 - Hosts: 64.86.16.97 google.fm
O1 - Hosts: 64.86.16.97 google.fr
O1 - Hosts: 64.86.16.97 google.ge
O1 - Hosts: 64.86.16.97 google.gg
O1 - Hosts: 64.86.16.97 google.gm
O1 - Hosts: 64.86.16.97 google.gr
O1 - Hosts: 64.86.16.97 google.ht
O1 - Hosts: 64.86.16.97 google.ie
O1 - Hosts: 64.86.16.97 google.im
O1 - Hosts: 64.86.16.97 google.in
O1 - Hosts: 64.86.16.97 google.it
O1 - Hosts: 64.86.16.97 google.ki
O1 - Hosts: 64.86.16.97 google.la
O1 - Hosts: 64.86.16.97 google.li
O1 - Hosts: 64.86.16.97 google.lv
O1 - Hosts: 64.86.16.97 google.ma
O1 - Hosts: 64.86.16.97 google.ms
O1 - Hosts: 64.86.16.97 google.mu
O1 - Hosts: 64.86.16.97 google.mw
O1 - Hosts: 64.86.16.97 google.nl
O1 - Hosts: 64.86.16.97 google.no
O1 - Hosts: 64.86.16.97 google.nr
O1 - Hosts: 64.86.16.97 google.nu
O1 - Hosts: 64.86.16.97 google.pl
O1 - Hosts: 64.86.16.97 google.pn
O1 - Hosts: 64.86.16.97 google.pt
O1 - Hosts: 64.86.16.97 google.ro
O1 - Hosts: 64.86.16.97 *Blocked Russian URL*
O1 - Hosts: 64.86.16.97 google.rw
O1 - Hosts: 64.86.16.97 google.sc
O1 - Hosts: 64.86.16.97 google.se
O1 - Hosts: 64.86.16.97 google.sh
O1 - Hosts: 64.86.16.97 google.si
O1 - Hosts: 64.86.16.97 google.sm
O1 - Hosts: 64.86.16.97 google.sn
O1 - Hosts: 64.86.16.97 google.st
O1 - Hosts: 64.86.16.97 google.tl
O1 - Hosts: 64.86.16.97 google.tm
O1 - Hosts: 64.86.16.97 google.tt
O1 - Hosts: 64.86.16.97 google.us
O1 - Hosts: 64.86.16.97 google.vu
O1 - Hosts: 64.86.16.97 google.ws
O1 - Hosts: 64.86.16.97 google.co.ck
O1 - Hosts: 64.86.16.97 google.co.id
O1 - Hosts: 64.86.16.97 google.co.il
O1 - Hosts: 64.86.16.97 google.co.in
O1 - Hosts: 64.86.16.97 google.co.jp
O1 - Hosts: 64.86.16.97 google.co.kr
O1 - Hosts: 64.86.16.97 google.co.ls
O1 - Hosts: 64.86.16.97 google.co.ma
O1 - Hosts: 64.86.16.97 google.co.nz
O1 - Hosts: 64.86.16.97 google.co.tz
O1 - Hosts: 64.86.16.97 google.co.ug
O1 - Hosts: 64.86.16.97 google.co.uk
O1 - Hosts: 64.86.16.97 google.co.za
O1 - Hosts: 64.86.16.97 google.co.zm
O1 - Hosts: 64.86.16.97 google.com
O1 - Hosts: 64.86.16.97 google.com.af
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Archivos de programa\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Archivos de programa\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Archivos de programa\Archivos comunes\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Spesoft Toolbar - {94817c02-feac-4aa8-99d8-1cb47bf4d4c0} - C:\Archivos de programa\Spesoft\tbSpes.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Archivos de programa\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Archivos de programa\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Archivos de programa\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll
O3 - Toolbar: Spesoft Toolbar - {94817c02-feac-4aa8-99d8-1cb47bf4d4c0} - C:\Archivos de programa\Spesoft\tbSpes.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Archivos de programa\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [CanonSolutionMenu] C:\Archivos de programa\Canon\SolutionMenu\CNSLMAIN.exe /logon
O4 - HKLM\..\Run: [CanonMyPrinter] C:\Archivos de programa\Canon\MyPrinter\BJMyPrt.exe /logon
O4 - HKLM\..\Run: [QuickTime Task] "C:\Archivos de programa\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Archivos de programa\Archivos comunes\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [avast5] C:\ARCHIV~1\ALWILS~1\Avast5\avastUI.exe /nogui
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Archivos de programa\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\Archivos de programa\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICIO LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Servicio de red')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: LimeWire On Startup.lnk = C:\Archivos de programa\LimeWire\LimeWire.exe
O4 - Global Startup: Service Manager.lnk = C:\Archivos de programa\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O9 - Extra button: Referencia - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARCHIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Archivos de programa\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase8942.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Archivos de programa\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: avast! Antivirus - ALWIL Software - C:\Archivos de programa\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Archivos de programa\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Archivos de programa\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Archivos de programa\Google\Update\GoogleUpdate.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Archivos de programa\Java\jre6\bin\jqs.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Archivos de programa\CyberLink\Shared Files\RichVideo.exe
O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Archivos de programa\Yahoo!\SoftwareUpdate\YahooAUService.exe

--
End of file - 10745 bytes


Title: Re: Hello I have an issue logs inside
Post by: evilfantasy on February 09, 2010, 04:05:24 PM
Open HijackThis and select Do a system scan only

Place a check mark next to the following entries: (if there)


Important: Close all open windows except for HijackThis and then click Fix checked.

Once completed, exit HijackThis.

----------

Please download the following batch file and save it to your desktop: Hostsperm.bat Download Link (http://download.bleepingcomputer.com/bats/hostsperm.bat)

When the file has finished downloading, double-click on the hostsperm.bat file that is now on your desktop. If Windows asks you if you are sure you want to run it, please allow it to run. Once it starts you will see a small black window that opens and then quickly goes away. This is normal and is nothing to be worried about.

----------

Reset Hosts File:

* Go to Start > Run and type Notepad.exe then click OK
* Copy and Paste everything from the Code Box below into Notepad:

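Code:
@Echo off
rem Work in the folder that holds the hosts file
pushd \windows\system32\drivers\etc
rem Clear hidden/system/read-only so the file can be overwritten
attrib -h -s -r hosts
rem Replace the whole file with a single loopback entry
echo 127.0.0.1  localhost>HOSTS
rem Re-apply the protective attributes
attrib +r +h +s hosts
popd
rem Delete this batch file
del %0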

* Go to File > Save As
* Save File name as Reset.bat
* Change Save as Type to All Files and save the file to your desktop.

On the desktop double click the Reset.bat to run the batch file. It will self-delete when completed.

----------

Download HostsXpert (http://www.majorgeeks.com/Hoster_d4626.html) and then follow the below steps.

* Unzip HostsXpert to your desktop.
* Open up the HostsXpert program.
* Make sure that the "Make Hosts Writable?" button in the upper left corner is enabled (unlocked).
* Click Create Back Up.
* Then click on Restore Microsoft's Host Files.
* Close the HostsXpert program.

Note: if you use SpywareBlaster, Spybot and/or IE-SPYAD, it will be necessary to re-install the protection they afford. For SpywareBlaster, run the program and select Enable all protection. For Spybot run the program and select Immunize. For IE-SPYAD, run the batch file and reinstall the protection.

----------

If you already have ComboFix be sure to delete it and download a new copy.

Download ComboFix© by sUBs from one of the below links. Be sure to save it to the Desktop.

Link #1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link #2 (http://www.forospyware.com/sUBs/ComboFix.exe)

**Note:  It is important that it is saved directly to your Desktop

Close any open Web browsers (Firefox, Internet Explorer, etc.) before starting ComboFix.

Temporarily disable your antivirus and any antispyware real time protection before performing a scan. Click this link (http://www.bleepingcomputer.com/forums/topic114351.html) to see a list of security programs that should be disabled and how to disable them.
 
Double click combofix.exe & follow the prompts.
Vista users Right-Click on ComboFix.exe and select Run as administrator (you will receive a UAC prompt, please allow it)
When finished ComboFix will produce a log for you.
Post the ComboFix log in your next reply.

Important: Do not mouseclick ComboFix's window while it is running. That may cause it to stall.

Remember to re-enable your antivirus and antispyware protection when ComboFix is complete.

If you have problems with ComboFix usage, see How to use ComboFix (http://www.bleepingcomputer.com/combofix/how-to-use-combofix)
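Added example, not part of the thread or of any tool named in it: the O1 lines in the HijackThis log are hosts-file mappings, and this Python code groups them by target IP so redirected names stand out, then re-checks a hosts file after a reset. Function names and sample texts are constructed for illustration; the sample reuses a few lines from the log posted above.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample in the format of the HijackThis log posted above; the two
# IPs and the hostnames are copied from that log, the selection is ours.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O1 - Hosts: 74.125.45.100 getantivirusplusnow.com
O1 - Hosts: 74.125.45.100 www.getantivirusplusnow.com
O1 - Hosts: 64.86.16.97 google.com
O1 - Hosts: 64.86.16.97 google.co.uk
O1 - Hosts: 64.86.16.97 *Blocked Russian URL*
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
"""

# Constructed sample of a hosts file after the reset described in the thread.
CLEAN_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
"""

O1_RE = re.compile(r"^O1 - Hosts:\s+(\S+)\s+(.+?)\s*$")
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)*"
    r"[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$",
    re.IGNORECASE,
)


def _is_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def parse_entries(text):
    """Return (ip, name) pairs from HijackThis O1 lines or raw hosts-file lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        match = O1_RE.match(line)
        if match:
            entries.append((match.group(1), match.group(2)))
            continue
        # Raw hosts format: "ip name [alias ...]  # comment"
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2 and _is_ip(fields[0]):
            entries.extend((fields[0], name) for name in fields[1:])
    return entries


def audit(entries):
    """Sort entries into loopback/sinkhole, redirects grouped by IP, and unreadable."""
    redirects = defaultdict(list)
    loopback, unreadable = [], []
    for ip, name in entries:
        if not _is_ip(ip) or not HOSTNAME_RE.match(name):
            # e.g. a name the forum software censored; keep it for manual review
            unreadable.append((ip, name))
            continue
        addr = ipaddress.ip_address(ip)
        if addr.is_loopback or addr.is_unspecified:
            loopback.append((ip, name))      # blocks a name, does not redirect it
        else:
            redirects[ip].append(name.lower())
    return {"loopback": loopback, "redirects": dict(redirects), "unreadable": unreadable}


def names_with_label(redirects, label):
    """Per IP, the redirected names that contain `label` as a whole DNS label."""
    hits = {}
    for ip, names in redirects.items():
        matched = [n for n in names if label in n.split(".")]
        if matched:
            hits[ip] = matched
    return hits


def is_reset(hosts_text):
    """True when the text holds no redirect and no unreadable mapping."""
    result = audit(parse_entries(hosts_text))
    return not result["redirects"] and not result["unreadable"]


if __name__ == "__main__":
    report = audit(parse_entries(SAMPLE_LOG))
    for ip, names in report["redirects"].items():
        print(f"{ip}: {len(names)} name(s) redirected, e.g. {names[0]}")
    print("needs manual review:", report["unreadable"])
    print("clean after reset:", is_reset(CLEAN_HOSTS))
```

Loopback and 0.0.0.0 mappings are reported separately because they block a name rather than redirect it.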
Title: Re: Hello I cant use any other search engine but search.com cant remove problem
Post by: sparowha on February 09, 2010, 05:10:36 PM
Hey, thank you so much evil, but I'm hitting a snag using HostsXpert: it won't allow me to make host writable. It says: Your hosts file is marked as a systems file and cannot be manipulated press ok to remove the system file attribute host expert will not reset these attributes. What should I do?
Title: Re: Hello I cant use any other search engine but search.com cant remove problem
Post by: evilfantasy on February 09, 2010, 05:16:36 PM
Okay just skip that for now and move to the next step.
Title: Re: Hello I cant use any other search engine but search.com cant remove problem
Post by: sparowha on February 09, 2010, 07:50:37 PM
ComboFix 10-02-09.03 - Administrador 02/09/2010  20:12:25.1.1 - x86
Microsoft Windows XP Professional  5.1.2600.2.1252.34.3082.18.767.505 [GMT -6:00]
Running from: c:\documents and settings\Administrador\Escritorio\ComboFix.exe
AV: avast! Antivirus *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\archivos de programa\WinPCap
c:\archivos de programa\WinPCap\rpcapd.exe
C:\data
c:\documents and settings\Administrador\Datos de programa\020000009be6ff86729C.manifest
c:\documents and settings\Administrador\Datos de programa\020000009be6ff86729O.manifest
c:\documents and settings\Administrador\Datos de programa\020000009be6ff86729P.manifest
c:\documents and settings\Administrador\Datos de programa\020000009be6ff86729S.manifest
c:\documents and settings\Administrador\Datos de programa\SystemProc
c:\windows\system32\1121223595
c:\windows\system32\drivers\npf.sys
c:\windows\system32\Packet.dll
c:\windows\system32\pthreadVC.dll
c:\windows\system32\unrar.exe
c:\windows\system32\WanPacket.dll
c:\windows\system32\wpcap.dll

.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NPF
-------\Service_npf


(((((((((((((((((((((((((   Files Created from 2010-01-10 to 2010-02-10  )))))))))))))))))))))))))))))))
.

2010-02-09 20:45 . 2010-02-09 20:45   5115824   ----a-w-   c:\documents and settings\All Users\Datos de programa\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-02-09 19:24 . 2010-02-09 19:24   52224   ----a-w-   c:\documents and settings\Administrador\Datos de programa\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-02-02 21:47 . 2010-02-02 21:47   --------   d-----w-   c:\archivos de programa\Archivos comunes\Java
2010-02-02 21:47 . 2010-02-02 21:47   503808   ----a-w-   c:\documents and settings\Administrador\Datos de programa\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-77d6ff33-n\msvcp71.dll
2010-02-02 21:47 . 2010-02-02 21:47   499712   ----a-w-   c:\documents and settings\Administrador\Datos de programa\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-77d6ff33-n\jmc.dll
2010-02-02 21:47 . 2010-02-02 21:47   348160   ----a-w-   c:\documents and settings\Administrador\Datos de programa\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-77d6ff33-n\msvcr71.dll
2010-02-02 21:47 . 2010-02-02 21:47   61440   ----a-w-   c:\documents and settings\Administrador\Datos de programa\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-42e234a6-n\decora-sse.dll
2010-02-02 21:47 . 2010-02-02 21:47   12800   ----a-w-   c:\documents and settings\Administrador\Datos de programa\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-42e234a6-n\decora-d3d.dll
2010-02-02 21:10 . 2010-02-02 21:11   --------   d-----w-   c:\archivos de programa\Free Window Registry Repair
2010-02-02 20:24 . 2010-02-02 20:29   --------   d-----w-   c:\archivos de programa\Windows Live Safety Center
2010-02-01 19:36 . 2010-02-01 19:36   --------   d-----w-   c:\documents and settings\All Users\Datos de programa\Alwil Software
2010-02-01 19:22 . 2010-02-01 19:22   --------   d-----w-   c:\archivos de programa\Trend Micro
2010-02-01 16:35 . 2010-02-01 16:35   152576   ----a-w-   c:\documents and settings\Administrador\Datos de programa\Sun\Java\jre1.6.0_17\lzma.dll
2010-01-22 03:03 . 2010-01-22 03:03   --------   d-----w-   c:\documents and settings\NetworkService\Datos de programa\Yahoo!
2010-01-20 02:27 . 2010-01-20 02:27   --------   d-----w-   c:\documents and settings\Administrador\Datos de programa\Apple Computer
2010-01-20 02:24 . 2010-01-20 02:25   --------   d-----w-   c:\archivos de programa\QuickTime
2010-01-20 02:24 . 2010-01-20 02:24   --------   d-----w-   c:\documents and settings\All Users\Datos de programa\Apple Computer
2010-01-20 02:23 . 2010-01-20 02:23   --------   d-----w-   c:\archivos de programa\Archivos comunes\Apple
2010-01-20 02:22 . 2010-01-20 02:22   --------   d-----w-   c:\archivos de programa\Apple Software Update
2010-01-20 02:22 . 2010-01-20 02:22   --------   d-----w-   c:\documents and settings\All Users\Datos de programa\Apple
2010-01-19 04:13 . 2010-02-10 02:20   --------   d-----w-   c:\documents and settings\Administrador\Datos de programa\LimeWire
2010-01-19 04:13 . 2010-01-19 04:13   --------   d-----w-   c:\archivos de programa\LimeWire

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-10 02:21 . 2008-10-29 06:47   1744   ----a-w-   c:\windows\system32\d3d9caps.dat
2010-02-09 20:45 . 2009-10-23 01:43   --------   d-----w-   c:\archivos de programa\Malwarebytes' Anti-Malware
2010-02-09 20:44 . 2001-08-24 11:00   90662   ----a-w-   c:\windows\system32\perfc00A.dat
2010-02-09 20:44 . 2001-08-24 11:00   486594   ----a-w-   c:\windows\system32\perfh00A.dat
2010-02-09 19:24 . 2009-10-22 18:53   117760   ----a-w-   c:\documents and settings\Administrador\Datos de programa\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-02-02 21:47 . 2008-10-29 06:45   --------   d-----w-   c:\archivos de programa\Java
2010-02-02 20:17 . 2007-11-16 11:48   --------   d-----w-   c:\archivos de programa\Alwil Software
2010-02-02 16:28 . 2010-02-02 16:28   0   ----a-w-   c:\windows\system32\BA.tmp
2010-02-02 16:28 . 2010-02-02 16:28   0   ----a-w-   c:\windows\system32\B9.tmp
2010-02-01 19:40 . 2008-10-29 06:46   --------   d-----w-   c:\archivos de programa\Google
2010-02-01 19:04 . 2009-09-30 03:02   --------   d-----w-   c:\archivos de programa\Winamp
2010-02-01 16:35 . 2009-11-10 14:43   79488   ----a-w-   c:\documents and settings\Administrador\Datos de programa\Sun\Java\jre1.6.0_17\gtapi.dll
2010-01-31 22:34 . 2009-10-22 18:52   --------   d-----w-   c:\archivos de programa\SUPERAntiSpyware
2010-01-29 14:05 . 2010-01-29 14:05   0   ----a-w-   c:\windows\system32\1E.tmp
2010-01-29 14:05 . 2010-01-29 14:05   0   ----a-w-   c:\windows\system32\1D.tmp
2010-01-28 22:09 . 2009-10-23 05:43   152672   ----a-w-   c:\windows\system32\aswBoot.exe
2010-01-28 21:57 . 2009-10-23 05:44   46672   ----a-w-   c:\windows\system32\drivers\aswTdi.sys
2010-01-28 21:57 . 2009-10-23 05:44   163280   ----a-w-   c:\windows\system32\drivers\aswSP.sys
2010-01-28 21:54 . 2009-10-23 05:44   23376   ----a-w-   c:\windows\system32\drivers\aswRdr.sys
2010-01-28 21:54 . 2009-10-23 05:44   100432   ----a-w-   c:\windows\system32\drivers\aswmon2.sys
2010-01-28 21:54 . 2009-10-23 05:44   94800   ----a-w-   c:\windows\system32\drivers\aswmon.sys
2010-01-28 21:54 . 2009-10-23 05:44   19024   ----a-w-   c:\windows\system32\drivers\aswFsBlk.sys
2010-01-28 21:53 . 2009-10-23 05:44   28240   ----a-w-   c:\windows\system32\drivers\aavmker4.sys
2010-01-19 11:57 . 2009-10-23 05:44   38848   ----a-w-   c:\windows\system32\avastSS.scr
2010-01-07 22:07 . 2009-10-23 01:44   38224   ----a-w-   c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-07 22:07 . 2009-10-23 01:43   19160   ----a-w-   c:\windows\system32\drivers\mbam.sys
2009-12-17 23:14 . 2008-10-29 06:46   411368   ----a-w-   c:\windows\system32\deploytk.dll
2009-12-01 03:25 . 2009-12-01 03:25   0   ----a-w-   c:\windows\nsreg.dat
2008-10-14 15:13 . 2008-10-14 15:13   2578   --sh--r-   c:\archivos de programa\Archivos comunes\081014171349.html
2008-10-13 22:21 . 2008-10-13 22:21   40366   --sh--r-   c:\archivos de programa\Archivos comunes\081014002159.html
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{94817c02-feac-4aa8-99d8-1cb47bf4d4c0}]
2007-10-28 21:45   1502232   ----a-w-   c:\archivos de programa\Spesoft\tbSpes.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{94817c02-feac-4aa8-99d8-1cb47bf4d4c0}"= "c:\archivos de programa\Spesoft\tbSpes.dll" [2007-10-28 1502232]

[HKEY_CLASSES_ROOT\clsid\{94817c02-feac-4aa8-99d8-1cb47bf4d4c0}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\archivos de programa\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
"Messenger (Yahoo!)"="c:\archivos de programa\Yahoo!\Messenger\YahooMessenger.exe" [2009-05-27 4351216]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-19 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CanonSolutionMenu"="c:\archivos de programa\Canon\SolutionMenu\CNSLMAIN.exe" [2007-10-26 652624]
"CanonMyPrinter"="c:\archivos de programa\Canon\MyPrinter\BJMyPrt.exe" [2007-09-14 1603152]
"QuickTime Task"="c:\archivos de programa\QuickTime\QTTask.exe" [2009-11-11 417792]
"SunJavaUpdateSched"="c:\archivos de programa\Archivos comunes\Java\Java Update\jusched.exe" [2010-01-11 246504]
"avast5"="c:\archiv~1\ALWILS~1\Avast5\avastUI.exe" [2010-01-28 2757512]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-19 15360]

c:\documents and settings\Administrador\Menú Inicio\Programas\Inicio\
LimeWire On Startup.lnk - c:\archivos de programa\LimeWire\LimeWire.exe [2009-12-16 503808]

c:\documents and settings\All Users\Menú Inicio\Programas\Inicio\
Service Manager.lnk - c:\archivos de programa\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2002-12-17 74308]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\archivos de programa\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 20:21   548352   ----a-w-   c:\archivos de programa\SUPERAntiSpyware\SASWINLO.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menú Inicio^Programas^Inicio^Inicio rápido de Adobe Reader.lnk]
backup=c:\windows\pss\Inicio rápido de Adobe Reader.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LanguageShortcut]
2006-12-06 04:55   54832   ----a-w-   c:\archivos de programa\CyberLink\PowerDVD\Language\Language.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
2009-07-26 21:44   3883856   ----a-w-   c:\archivos de programa\Windows Live\Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
2006-11-23 21:10   56928   ------w-   c:\archivos de programa\CyberLink\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Archivos de programa\\LimeWire\\LimeWire.exe"=
"c:\\Documents and Settings\\All Users\\Datos de programa\\Kaspersky Lab Setup Files\\Kaspersky Anti-Virus 2009\\spanish\\setup.exe"=
"c:\\Archivos de programa\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Archivos de programa\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Archivos de programa\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Archivos de programa\\Messenger\\msmsgs.exe"=

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [10/22/2009 11:44 PM 163280]
R1 SASDIFSV;SASDIFSV;c:\archivos de programa\SUPERAntiSpyware\sasdifsv.sys [10/12/2009 8:24 PM 9968]
R1 SASKUTIL;SASKUTIL;c:\archivos de programa\SUPERAntiSpyware\SASKUTIL.SYS [10/12/2009 8:24 PM 74480]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [10/22/2009 11:44 PM 19024]
S2 gupdate;Google Update Service (gupdate);c:\archivos de programa\Google\Update\GoogleUpdate.exe [2/1/2010 1:37 PM 133104]
S3 SASENUM;SASENUM;c:\archivos de programa\SUPERAntiSpyware\SASENUM.SYS [10/12/2009 8:24 PM 7408]
.
Contents of the 'Scheduled Tasks' folder

2010-02-05 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\archivos de programa\Apple Software Update\SoftwareUpdate.exe [2008-07-30 18:34]

2010-02-10 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\archivos de programa\Google\Update\GoogleUpdate.exe [2010-02-01 19:37]

2010-02-10 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\archivos de programa\Google\Update\GoogleUpdate.exe [2010-02-01 19:37]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
mStart Page = hxxp://www.yahoo.com/?fr=fp-yma2
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
IE: &Search
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-My Web Search Bar - c:\archiv~1\MYWEBS~1\bar\2.bin\MWSBAR.DLL
MSConfigStartUp-MyWebSearch Plugin - c:\archiv~1\MYWEBS~1\bar\2.bin\M3PLUGIN.DLL
AddRemove-HijackThis - c:\archivos de programa\Trend Micro\HijackThis\HijackThis.exe
AddRemove-WinZip - c:\archivos de programa\WinZip\WINZIP32.EXE



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-09 20:20
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ... 

scanning hidden autostart entries ...

scanning hidden files ... 

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-823518204-1644491937-682003330-500\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{70352449-10B9-4B1A-6E17-25888A073CF1}*]
"hajknalopikdjppk"=hex:69,61,65,68,6b,6b,61,6a,6d,6c,68,62,64,63,6d,6d,67,6f,
   00,00
"iadllcfbepggbpknda"=hex:6a,61,65,68,6e,6b,6a,69,70,6d,6a,66,69,61,66,63,6d,61,
   64,6e,00,6a

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\•€|’’’’"•€|ž»Ńw*]
"A0C0110900063D11C8EF10054038389C"="C?\\WINDOWS\\system32\\FM20ENU.DLL"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
@DACL=(02 0000)
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
@DACL=(02 0000)
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
@DACL=(02 0000)
"Installed"="1"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(640)
c:\archivos de programa\SUPERAntiSpyware\SASWINLO.dll

- - - - - - - > 'explorer.exe'(2116)
c:\windows\system32\msi.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\archivos de programa\Alwil Software\Avast5\AvastSvc.exe
c:\archivos de programa\Java\jre6\bin\jqs.exe
c:\archivos de programa\Archivos comunes\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\archivos de programa\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlservr.exe
c:\archivos de programa\CyberLink\Shared Files\RichVideo.exe
c:\archivos de programa\Yahoo!\SoftwareUpdate\YahooAUService.exe
.
**************************************************************************
.
Completion time: 2010-02-09  20:26:18 - machine was rebooted
ComboFix-quarantined-files.txt  2010-02-10 02:26

Pre-Run: 18,760,663,040 bytes libres
Post-Run: 19,288,596,480 bytes libres

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - A0A72631472FD40D92D76CBC51377CE6
Here is the combo log
Title: Re: Hello I cant use any other search engine but search.com cant remove problem
Post by: evilfantasy on February 09, 2010, 08:13:25 PM
Download this file to your desktop, don't do anything with it. http://download.bleepingcomputer.com/misc/host-files/windows-xp/hosts

Copy this entire file path. C:\Windows\System32\Drivers\etc

Now in the lower right corner of your computer go to Start > Search and paste in the file path and press Enter on the keyboard.

The etc folder should open. If there is a file in there named HOSTS then delete it and then right click the file on the desktop you just downloaded and paste it into the etc folder then close that window.


1. Go to Start > Run > type Notepad.exe and click OK to open Notepad.
It must be Notepad, not Wordpad.
2. Copy the text in the below code box by highlighting all the text and pressing Ctrl+C

Code: [Select]
KillAll::

RegLock::
[HKEY_USERS\S-1-5-21-823518204-1644491937-682003330-500\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{70352449-10B9-4B1A-6E17-25888A073CF1}*]
"hajknalopikdjppk"=hex:69,61,65,68,6b,6b,61,6a,6d,6c,68,62,64,63,6d,6d,67,6f,
   00,00

RegLockDel::
[HKEY_USERS\S-1-5-21-823518204-1644491937-682003330-500\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{70352449-10B9-4B1A-6E17-25888A073CF1}*]
"hajknalopikdjppk"=hex:69,61,65,68,6b,6b,61,6a,6d,6c,68,62,64,63,6d,6d,67,6f,
   00,00


3. Go to the Notepad window and click Edit > Paste
4. Then click File > Save
5. Name the file CFScript.txt - Save the file to your Desktop
6. Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!

(http://img249.imageshack.us/img249/1218/cfscript1.gif)

ComboFix will begin to execute, just follow the prompts.
After reboot (in case it asks to reboot), it will produce a log for you.
Post that log (Combofix.txt) in your next reply.

Note: Do not mouseclick ComboFix's window while it is running. That may cause your system to freeze
Title: Re: Hello I cant use any other search engine but search.com cant remove problem
Post by: sparowha on February 09, 2010, 08:29:41 PM
When I open the link to the download it doesn't download anything, the page just comes up with this:
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
#      102.54.94.97     rhino.acme.com          # source server
#       38.25.63.10     x.acme.com              # x client host

127.0.0.1       localhost

What should I do?
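An added example, not part of the original thread: a small Python audit that treats the stock `127.0.0.1 localhost` line quoted in the post above as the only expected mapping and reports every other entry in a hosts file. The function names and the sample entries (documentation-range address, `.example` and `.test` names) are constructed for illustration.

```python
import ipaddress

# Constructed sample: the stock header and localhost entry, followed by
# three made-up lines of the kinds an audit should surface.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
#      102.54.94.97     rhino.acme.com          # source server

127.0.0.1       localhost
203.0.113.7     www.search.example search.example   # constructed redirect
127.0.0.1       update.av-vendor.test               # constructed sinkhole
not-an-ip       broken.example
"""

# Mappings considered normal on a clean machine.
ALLOWED = {("127.0.0.1", "localhost"), ("::1", "localhost")}


def parse_hosts(text):
    """Yield (line_no, address_field, [hostnames]) for each mapping line."""
    for line_no, raw in enumerate(text.lstrip("\ufeff").splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue                          # blank or comment-only line
        fields = line.split()
        yield line_no, fields[0], [h.lower() for h in fields[1:]]


def audit_hosts(text, allowed=ALLOWED):
    """Return a list of (line_no, kind, address, hostname) findings.

    kind is one of:
      redirect  - name mapped to a non-loopback address
      sinkhole  - name other than localhost mapped to loopback or 0.0.0.0
      malformed - first field is not an IP address, or no hostname follows
    """
    findings = []
    for line_no, ip, names in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            findings.append((line_no, "malformed", ip, " ".join(names)))
            continue
        if not names:
            findings.append((line_no, "malformed", ip, ""))
            continue
        for name in names:
            if (str(addr), name) in allowed:
                continue
            local = addr.is_loopback or addr.is_unspecified
            kind = "sinkhole" if local else "redirect"
            findings.append((line_no, kind, str(addr), name))
    return findings


if __name__ == "__main__":
    for finding in audit_hosts(SAMPLE_HOSTS):
        print("line %d: %-9s %s -> %s" % finding)
```

An empty result means the file holds nothing beyond the localhost mapping; any finding is a line to review before the file is trusted again.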
Title: Re: Hello I cant use any other search engine but search.com cant remove problem
Post by: evilfantasy on February 09, 2010, 08:33:26 PM
Try the HostsXpert instructions again. Let me know if it works now.
Title: Re: Hello I cant use any other search engine but search.com cant remove problem
Post by: sparowha on February 09, 2010, 09:38:03 PM
I made them writeable but the same text box came up
Title: Re: Hello I cant use any other search engine but search.com cant remove problem
Post by: evilfantasy on February 10, 2010, 10:06:47 AM
Go ahead with the ComboFix instructions.
Title: Re: Hello I cant use any other search engine but search.com cant remove problem
Post by: sparowha on February 10, 2010, 11:28:06 AM
here is the combofix log
ComboFix 10-02-10.01 - Administrador 02/10/2010  12:16:01.2.1 - x86
Microsoft Windows XP Professional  5.1.2600.2.1252.34.3082.18.767.493 [GMT -6:00]
Running from: c:\documents and settings\Administrador\Escritorio\ComboFix.exe
AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.

(((((((((((((((((((((((((   Files Created from 2010-01-10 to 2010-02-10  )))))))))))))))))))))))))))))))
.

2010-02-09 20:45 . 2010-02-09 20:45   5115824   ----a-w-   c:\documents and settings\All Users\Datos de programa\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-02-09 19:24 . 2010-02-09 19:24   52224   ----a-w-   c:\documents and settings\Administrador\Datos de programa\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-02-02 21:47 . 2010-02-02 21:47   --------   d-----w-   c:\archivos de programa\Archivos comunes\Java
2010-02-02 21:47 . 2010-02-02 21:47   503808   ----a-w-   c:\documents and settings\Administrador\Datos de programa\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-77d6ff33-n\msvcp71.dll
2010-02-02 21:47 . 2010-02-02 21:47   499712   ----a-w-   c:\documents and settings\Administrador\Datos de programa\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-77d6ff33-n\jmc.dll
2010-02-02 21:47 . 2010-02-02 21:47   348160   ----a-w-   c:\documents and settings\Administrador\Datos de programa\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-77d6ff33-n\msvcr71.dll
2010-02-02 21:47 . 2010-02-02 21:47   61440   ----a-w-   c:\documents and settings\Administrador\Datos de programa\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-42e234a6-n\decora-sse.dll
2010-02-02 21:47 . 2010-02-02 21:47   12800   ----a-w-   c:\documents and settings\Administrador\Datos de programa\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-42e234a6-n\decora-d3d.dll
2010-02-02 21:10 . 2010-02-02 21:11   --------   d-----w-   c:\archivos de programa\Free Window Registry Repair
2010-02-02 20:24 . 2010-02-02 20:29   --------   d-----w-   c:\archivos de programa\Windows Live Safety Center
2010-02-01 19:36 . 2010-02-01 19:36   --------   d-----w-   c:\documents and settings\All Users\Datos de programa\Alwil Software
2010-02-01 19:22 . 2010-02-01 19:22   --------   d-----w-   c:\archivos de programa\Trend Micro
2010-02-01 16:35 . 2010-02-01 16:35   152576   ----a-w-   c:\documents and settings\Administrador\Datos de programa\Sun\Java\jre1.6.0_17\lzma.dll
2010-01-22 03:03 . 2010-01-22 03:03   --------   d-----w-   c:\documents and settings\NetworkService\Datos de programa\Yahoo!
2010-01-20 02:27 . 2010-01-20 02:27   --------   d-----w-   c:\documents and settings\Administrador\Datos de programa\Apple Computer
2010-01-20 02:24 . 2010-01-20 02:25   --------   d-----w-   c:\archivos de programa\QuickTime
2010-01-20 02:24 . 2010-01-20 02:24   --------   d-----w-   c:\documents and settings\All Users\Datos de programa\Apple Computer
2010-01-20 02:23 . 2010-01-20 02:23   --------   d-----w-   c:\archivos de programa\Archivos comunes\Apple
2010-01-20 02:22 . 2010-01-20 02:22   --------   d-----w-   c:\archivos de programa\Apple Software Update
2010-01-20 02:22 . 2010-01-20 02:22   --------   d-----w-   c:\documents and settings\All Users\Datos de programa\Apple
2010-01-19 04:13 . 2010-02-10 02:24   --------   d-----w-   c:\documents and settings\Administrador\Datos de programa\LimeWire
2010-01-19 04:13 . 2010-01-19 04:13   --------   d-----w-   c:\archivos de programa\LimeWire

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-10 02:21 . 2008-10-29 06:47   1744   ----a-w-   c:\windows\system32\d3d9caps.dat
2010-02-09 20:45 . 2009-10-23 01:43   --------   d-----w-   c:\archivos de programa\Malwarebytes' Anti-Malware
2010-02-09 20:44 . 2001-08-24 11:00   90662   ----a-w-   c:\windows\system32\perfc00A.dat
2010-02-09 20:44 . 2001-08-24 11:00   486594   ----a-w-   c:\windows\system32\perfh00A.dat
2010-02-09 19:24 . 2009-10-22 18:53   117760   ----a-w-   c:\documents and settings\Administrador\Datos de programa\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-02-02 21:47 . 2008-10-29 06:45   --------   d-----w-   c:\archivos de programa\Java
2010-02-02 20:17 . 2007-11-16 11:48   --------   d-----w-   c:\archivos de programa\Alwil Software
2010-02-02 16:28 . 2010-02-02 16:28   0   ----a-w-   c:\windows\system32\BA.tmp
2010-02-02 16:28 . 2010-02-02 16:28   0   ----a-w-   c:\windows\system32\B9.tmp
2010-02-01 19:40 . 2008-10-29 06:46   --------   d-----w-   c:\archivos de programa\Google
2010-02-01 19:04 . 2009-09-30 03:02   --------   d-----w-   c:\archivos de programa\Winamp
2010-02-01 16:35 . 2009-11-10 14:43   79488   ----a-w-   c:\documents and settings\Administrador\Datos de programa\Sun\Java\jre1.6.0_17\gtapi.dll
2010-01-31 22:34 . 2009-10-22 18:52   --------   d-----w-   c:\archivos de programa\SUPERAntiSpyware
2010-01-29 14:05 . 2010-01-29 14:05   0   ----a-w-   c:\windows\system32\1E.tmp
2010-01-29 14:05 . 2010-01-29 14:05   0   ----a-w-   c:\windows\system32\1D.tmp
2010-01-28 22:09 . 2009-10-23 05:43   152672   ----a-w-   c:\windows\system32\aswBoot.exe
2010-01-28 21:57 . 2009-10-23 05:44   46672   ----a-w-   c:\windows\system32\drivers\aswTdi.sys
2010-01-28 21:57 . 2009-10-23 05:44   163280   ----a-w-   c:\windows\system32\drivers\aswSP.sys
2010-01-28 21:54 . 2009-10-23 05:44   23376   ----a-w-   c:\windows\system32\drivers\aswRdr.sys
2010-01-28 21:54 . 2009-10-23 05:44   100432   ----a-w-   c:\windows\system32\drivers\aswmon2.sys
2010-01-28 21:54 . 2009-10-23 05:44   94800   ----a-w-   c:\windows\system32\drivers\aswmon.sys
2010-01-28 21:54 . 2009-10-23 05:44   19024   ----a-w-   c:\windows\system32\drivers\aswFsBlk.sys
2010-01-28 21:53 . 2009-10-23 05:44   28240   ----a-w-   c:\windows\system32\drivers\aavmker4.sys
2010-01-19 11:57 . 2009-10-23 05:44   38848   ----a-w-   c:\windows\system32\avastSS.scr
2010-01-07 22:07 . 2009-10-23 01:44   38224   ----a-w-   c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-07 22:07 . 2009-10-23 01:43   19160   ----a-w-   c:\windows\system32\drivers\mbam.sys
2009-12-17 23:14 . 2008-10-29 06:46   411368   ----a-w-   c:\windows\system32\deploytk.dll
2009-12-01 03:25 . 2009-12-01 03:25   0   ----a-w-   c:\windows\nsreg.dat
2008-10-14 15:13 . 2008-10-14 15:13   2578   --sh--r-   c:\archivos de programa\Archivos comunes\081014171349.html
2008-10-13 22:21 . 2008-10-13 22:21   40366   --sh--r-   c:\archivos de programa\Archivos comunes\081014002159.html
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{94817c02-feac-4aa8-99d8-1cb47bf4d4c0}]
2007-10-28 21:45   1502232   ----a-w-   c:\archivos de programa\Spesoft\tbSpes.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{94817c02-feac-4aa8-99d8-1cb47bf4d4c0}"= "c:\archivos de programa\Spesoft\tbSpes.dll" [2007-10-28 1502232]

[HKEY_CLASSES_ROOT\clsid\{94817c02-feac-4aa8-99d8-1cb47bf4d4c0}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\archivos de programa\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
"Messenger (Yahoo!)"="c:\archivos de programa\Yahoo!\Messenger\YahooMessenger.exe" [2009-05-27 4351216]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CanonSolutionMenu"="c:\archivos de programa\Canon\SolutionMenu\CNSLMAIN.exe" [2007-10-26 652624]
"CanonMyPrinter"="c:\archivos de programa\Canon\MyPrinter\BJMyPrt.exe" [2007-09-14 1603152]
"QuickTime Task"="c:\archivos de programa\QuickTime\QTTask.exe" [2009-11-11 417792]
"SunJavaUpdateSched"="c:\archivos de programa\Archivos comunes\Java\Java Update\jusched.exe" [2010-01-11 246504]
"avast5"="c:\archiv~1\ALWILS~1\Avast5\avastUI.exe" [2010-01-28 2757512]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-19 15360]

c:\documents and settings\Administrador\Menú Inicio\Programas\Inicio\
LimeWire On Startup.lnk - c:\archivos de programa\LimeWire\LimeWire.exe [2009-12-16 503808]

c:\documents and settings\All Users\Menú Inicio\Programas\Inicio\
Service Manager.lnk - c:\archivos de programa\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2002-12-17 74308]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\archivos de programa\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 20:21   548352   ----a-w-   c:\archivos de programa\SUPERAntiSpyware\SASWINLO.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menú Inicio^Programas^Inicio^Inicio rápido de Adobe Reader.lnk]
backup=c:\windows\pss\Inicio rápido de Adobe Reader.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LanguageShortcut]
2006-12-06 04:55   54832   ----a-w-   c:\archivos de programa\CyberLink\PowerDVD\Language\Language.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
2009-07-26 21:44   3883856   ----a-w-   c:\archivos de programa\Windows Live\Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
2006-11-23 21:10   56928   ------w-   c:\archivos de programa\CyberLink\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Archivos de programa\\LimeWire\\LimeWire.exe"=
"c:\\Documents and Settings\\All Users\\Datos de programa\\Kaspersky Lab Setup Files\\Kaspersky Anti-Virus 2009\\spanish\\setup.exe"=
"c:\\Archivos de programa\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Archivos de programa\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Archivos de programa\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Archivos de programa\\Messenger\\msmsgs.exe"=

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [10/22/2009 11:44 PM 163280]
R1 SASDIFSV;SASDIFSV;c:\archivos de programa\SUPERAntiSpyware\sasdifsv.sys [10/12/2009 8:24 PM 9968]
R1 SASKUTIL;SASKUTIL;c:\archivos de programa\SUPERAntiSpyware\SASKUTIL.SYS [10/12/2009 8:24 PM 74480]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [10/22/2009 11:44 PM 19024]
S2 gupdate;Google Update Service (gupdate);c:\archivos de programa\Google\Update\GoogleUpdate.exe [2/1/2010 1:37 PM 133104]
S3 SASENUM;SASENUM;c:\archivos de programa\SUPERAntiSpyware\SASENUM.SYS [10/12/2009 8:24 PM 7408]
.
Contents of the 'Scheduled Tasks' folder

2010-02-05 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\archivos de programa\Apple Software Update\SoftwareUpdate.exe [2008-07-30 18:34]

2010-02-10 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\archivos de programa\Google\Update\GoogleUpdate.exe [2010-02-01 19:37]

2010-02-10 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\archivos de programa\Google\Update\GoogleUpdate.exe [2010-02-01 19:37]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
mStart Page = hxxp://www.yahoo.com/?fr=fp-yma2
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
IE: &Search
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-10 12:21
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ... 

scanning hidden autostart entries ...

scanning hidden files ... 

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-823518204-1644491937-682003330-500\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{70352449-10B9-4B1A-6E17-25888A073CF1}*]
"hajknalopikdjppk"=hex:69,61,65,68,6b,6b,61,6a,6d,6c,68,62,64,63,6d,6d,67,6f,
   00,00
"iadllcfbepggbpknda"=hex:6a,61,65,68,6e,6b,6a,69,70,6d,6a,66,69,61,66,63,6d,61,
   64,6e,00,6a

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\•€|’’’’"•€|ž»Ńw*]
"A0C0110900063D11C8EF10054038389C"="C?\\WINDOWS\\system32\\FM20ENU.DLL"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
@DACL=(02 0000)
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
@DACL=(02 0000)
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
@DACL=(02 0000)
"Installed"="1"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(640)
c:\archivos de programa\SUPERAntiSpyware\SASWINLO.dll

- - - - - - - > 'explorer.exe'(3224)
c:\windows\system32\msi.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2010-02-10  12:24:39
ComboFix-quarantined-files.txt  2010-02-10 18:24
ComboFix2.txt  2010-02-10 02:26

Pre-Run: 19,202,822,144 bytes libres
Post-Run: 19,176,247,296 bytes libres

- - End Of File - - 834A5C96305DEFCEB71DAB4B78E880F4
Title: Re: Hello I cant use any other search engine but search.com cant remove problem
Post by: evilfantasy on February 10, 2010, 11:41:27 AM
Looking better. How is the computer running now?


Go to Microsoft Windows Update (http://windowsupdate.microsoft.com/) and get all critical updates.

----------

* Click START then RUN - Vista users press the Windows Key and the R keys for the Run box.
* Now type Combofix /Uninstall in the runbox
* Make sure there's a space between Combofix and /Uninstall
* Then hit Enter

The above procedure will:
* Delete the following:
  * ComboFix and its associated files and folders.
* Reset the clock settings.
* Hide file extensions, if required.
* Hide System/Hidden files, if required.
* Set a new, clean Restore Point.

----------

Clean out your temporary internet files and temp files.

Download TFC by OldTimer (http://oldtimer.geekstogo.com/TFC.exe) to your desktop.

Double-click TFC.exe to run it.

Note: If you are running on Vista, right-click on the file and choose Run As Administrator

TFC will close all programs when run, so make sure you have saved all your work before you begin.

* Click the Start button to begin the cleaning process.
* Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two. 
* Please let TFC run uninterrupted until it is finished.

Once TFC is finished it should restart your computer. If it does not, please manually restart the computer yourself to ensure a complete cleaning.

----------

ESET Online Scan

Scan your computer with the ESET FREE Online Virus Scan (http://eset.com/onlinescan)

* Click the ESET Online Scanner button.

* For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
* Click on the esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop
* Double click on the esetsmartinstaller_enu.exe icon on your desktop.
* Place a check mark next to YES, I accept the Terms of Use.

* Click the Start button.
* Accept any security warnings from your browser.
* Leave the check mark next to Remove found threats and place a check next to Scan archives.
* Click the Start button.
* ESET will then download updates, install, and begin scanning your computer. Please be patient as this can take some time.
* When the scan completes, click List of found threats.
* Next click Export to text file and save the file to your desktop using a name such as ESETScan. Include the contents of this report in your next reply.
* Click the <<Back button then click Finish.

In your next reply please include the ESET Online Scan Log
Title: Re: Hello I cant use any other search engine but search.com cant remove problem
Post by: sparowha on February 10, 2010, 12:29:01 PM
It's running better. I can use Google now. I will post the log in one moment.
Title: Re: Hello I cant use any other search engine but search.com cant remove problem
Post by: sparowha on February 10, 2010, 04:07:43 PM
C:\Documents and Settings\Administrador\Mis documentos\LimeWire\Saved\battle chess cracked by FOFF (verified, 100% good).zip   a variant of Win32/Kryptik.CDS trojan   deleted - quarantined
this is the only thing that showed up
what next
Title: Re: Hello I cant use any other search engine but search.com cant remove problem
Post by: evilfantasy on February 10, 2010, 04:11:00 PM
If there are no more malware issues we can finish up now.


Use the Secunia Software Inspector (http://secunia.com/software_inspector) to check for out of date software.

* Click Start Now
* Check the box next to Enable thorough system inspection.
* Click Start
* Allow the scan to finish and scroll down to see if any updates are needed.
* Update anything listed.

----------

Go to Microsoft Windows Update (http://windowsupdate.microsoft.com/) and get all critical updates.

----------

If you are using or have installed IE6 you are using an outdated and soon to be unsupported version of Internet Explorer and I strongly suggest you update to the latest version directly from Microsoft Internet Explorer 8: Home page (http://www.microsoft.com/windows/ie/).

----------

I recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no realtime protection so will not interfere with each other. They do not use any significant amount of resources (except a little disk space) until you run a scan.

I suggest using WOT - Web of Trust (http://www.mywot.com/). WOT is a free Internet security addon for your browser. It will keep you safe from online scams, identity theft, spyware, spam, viruses and unreliable shopping sites. WOT warns you before you interact with a risky website. It's easy and it's free.

SpywareBlaster (http://www.javacoolsoftware.com/spywareblaster.html) - Secure your Internet Explorer to make it harder for ActiveX programs to run on your computer. Also stop certain cookies from being added to your computer when running Mozilla based browsers like Firefox.
* Using SpywareBlaster to protect your computer from Spyware and Malware (http://www.bleepingcomputer.com/forums/tutorial49.html)
* If you don't know what ActiveX controls are, see here (http://www.webopedia.com/TERM/A/ActiveX_control.html)

Protect yourself against spyware using the Immunize feature in Spybot - Search & Destroy (http://www.safer-networking.org/en/spybotsd/index.html). Guide: Use Spybot's Immunize Feature (http://www.bleepingcomputer.com/tutorials/tutorial43.html#immunize) to prevent spyware infection in real-time. Note: To ensure you have the latest Immunizations always update Spybot - Search & Destroy before Immunizing. Spybot - Search & Destroy FAQ (http://www.safer-networking.org/en/faq/index.html)

Check out Keeping Yourself Safe On The Web (http://evilfantasy.wordpress.com/2008/05/20/keeping-yourself-safe-on-the-web/) for tips and free tools to help keep you safe in the future.

Also see Slow Computer? It May Not Be Malware (http://evilfantasy.wordpress.com/2008/05/24/slow-computer-it-may-not-be-malware/) for free cleaning/maintenance tools to help keep your computer running smooth.
Title: Re: Hello I cant use any other search engine but search.com cant remove problem
Post by: sparowha on February 10, 2010, 04:44:49 PM
Thank you so much evil, my computer hasn't run this well in a very long time. Awesome, easy to follow advice. Thank you again.
Title: Re: Hello I cant use any other search engine but search.com cant remove problem
Post by: evilfantasy on February 10, 2010, 05:24:01 PM
You're welcome.

Safe surfing.