DaniWeb IT Discussion Community (http://www.daniweb.com/forums/index.php)
-   Viruses, Spyware and other Nasties (http://www.daniweb.com/forums/forum64.html)
-   -   Need help removing CID pop-ups (http://www.daniweb.com/forums/thread144490.html)

Jonnie_Cellmate Sep 7th, 2008 3:35 pm
Need help removing CID pop-ups
 
Been trying to get rid of CID pop-ups on my nephew's computer for a while now. Have tried several anti-spyware/virus programs (Spybot S&D, Adaware, Avast!, UBCD4Win) with no luck whatsoever. Have read many posts regarding removal of CID, so I am posting my HijackThis log here with hopes someone will be able to help. Per one of the forum posts I read, I renamed the HJT .exe file (to Greg.exe) hoping its processes would not be detected by whatever malware has infected the computer. Thanks in advance for any assistance or direction you may be able to offer. Cheers!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:58:13, on 07/09/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
H:\WINDOWS\system32\csrss.exe
H:\WINDOWS\system32\winlogon.exe
H:\WINDOWS\system32\services.exe
H:\WINDOWS\system32\lsass.exe
H:\WINDOWS\system32\Ati2evxx.exe
H:\WINDOWS\system32\svchost.exe
H:\WINDOWS\system32\svchost.exe
H:\WINDOWS\System32\svchost.exe
H:\WINDOWS\system32\svchost.exe
H:\WINDOWS\system32\svchost.exe
H:\WINDOWS\system32\spoolsv.exe
H:\Archivos de programa\Archivos comunes\EPSON\EBAPI\SAgent2.exe
H:\Archivos de programa\Archivos comunes\LightScribe\LSSrvc.exe
H:\ARCHIV~1\McAfee\MSC\mcmscsvc.exe
H:\WINDOWS\system32\Ati2evxx.exe
h:\archivos de programa\archivos comunes\mcafee\mna\mcnasvc.exe
h:\ARCHIV~1\ARCHIV~1\mcafee\mcproxy\mcproxy.exe
H:\Archivos de programa\McAfee\MPF\MPFSrv.exe
H:\Archivos de programa\SiteAdvisor\6261\SAService.exe
H:\WINDOWS\System32\PAStiSvc.exe
H:\WINDOWS\system32\svchost.exe
H:\WINDOWS\Explorer.EXE
H:\ARCHIV~1\McAfee.com\Agent\mcagent.exe
H:\WINDOWS\SOUNDMAN.EXE
H:\Archivos de programa\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
H:\Archivos de programa\Java\jre1.6.0_07\bin\jusched.exe
H:\Archivos de programa\ATI Technologies\ATI.ACE\CLI.EXE
H:\ARCHIV~1\Nokia\NOKIAP~1\LAUNCH~1.EXE
H:\Archivos de programa\SiteAdvisor\6261\SiteAdv.exe
H:\Archivos de programa\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
H:\WINDOWS\system32\ctfmon.exe
H:\WINDOWS\System32\alg.exe
H:\Archivos de programa\MSN Messenger\MsnMsgr.Exe
H:\Archivos de programa\Internet Explorer\iexplore.exe
H:\Archivos de programa\ARES\Ares.exe
H:\Archivos de programa\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
H:\Archivos de programa\Messenger\msmsgs.exe
H:\Archivos de programa\ECOM\Common\TurboG-UI.exe
H:\Archivos de programa\Archivos comunes\PCSuite\Services\ServiceLayer.exe
H:\Archivos de programa\Internet Explorer\iexplore.exe
H:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
H:\WINDOWS\System32\svchost.exe
H:\Archivos de programa\DesktopEarth\DesktopEarth.exe
H:\Archivos de programa\ATI Technologies\ATI.ACE\cli.exe
H:\Archivos de programa\ATI Technologies\ATI.ACE\cli.exe
H:\ARCHIV~1\McAfee\VIRUSS~1\mcsysmon.exe
h:\ARCHIV~1\mcafee\msc\mcuimgr.exe
H:\Archivos de programa\McAfee\VirusScan\McShield.exe
H:\Archivos de programa\Trend Micro\HijackThis\Greg.exe
H:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.es/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - H:\Archivos de programa\Archivos comunes\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - H:\Archivos de programa\SiteAdvisor\6261\SiteAdv.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - H:\Archivos de programa\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - H:\Archivos de programa\McAfee\VirusScan\scriptsn.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - H:\Archivos de programa\Archivos comunes\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - h:\archivos de programa\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - H:\Archivos de programa\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - h:\archivos de programa\google\googletoolbar3.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - H:\Archivos de programa\SiteAdvisor\6261\SiteAdv.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ATICCC] "H:\Archivos de programa\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [RemoteControl] "H:\Archivos de programa\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] H:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "H:\Archivos de programa\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [mcagent_exe] H:\Archivos de programa\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [PCSuiteTrayApplication] H:\ARCHIV~1\Nokia\NOKIAP~1\LAUNCH~1.EXE -startup
O4 - HKLM\..\Run: [SiteAdvisor] "H:\Archivos de programa\SiteAdvisor\6261\SiteAdv.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "H:\Archivos de programa\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "H:\Archivos de programa\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [H:\WINDOWS\system32\kdqnw.exe] H:\WINDOWS\system32\kdqnw.exe
O4 - HKLM\..\Run: [close surf mail dupe] H:\Documents and Settings\All Users\Datos de programa\Tick Find Close Surf\User slow.exe
O4 - HKCU\..\Run: [CTFMON.EXE] H:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "H:\Archivos de programa\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ares] "H:\Archivos de programa\ARES\Ares.exe" -h
O4 - HKCU\..\Run: [swg] H:\Archivos de programa\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MSMSGS] "H:\Archivos de programa\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [updateMgr] H:\Archivos de programa\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKCU\..\Run: [junk peak] H:\DOCUME~1\user\DATOSD~1\grimfrag\TwoEach.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] H:\WINDOWS\system32\CTFMON.EXE (User 'SERVICIO LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] H:\WINDOWS\system32\CTFMON.EXE (User 'Servicio de red')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] H:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] H:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Babelbox.lnk = H:\Archivos de programa\beon Widgets\Babelbox\LoaderBeon.exe
O4 - Startup: DesktopEarth AutoStart.lnk = ?
O4 - Global Startup: ECOM Turbo-G Wireless Utility.lnk = H:\Archivos de programa\ECOM\Common\TurboG-UI.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = H:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O8 - Extra context menu item: E&xportar a Microsoft Excel - res://H:\ARCHIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - H:\Archivos de programa\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Consola de Sun Java - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - H:\Archivos de programa\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Referencia - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - H:\ARCHIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - H:\Archivos de programa\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - H:\Archivos de programa\Messenger\msmsgs.exe
O12 - Plugin for .spop: H:\Archivos de programa\Internet Explorer\Plugins\NPDocBox.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{00A9E119-E86B-4062-95CF-C8227ABF0D3C}: NameServer = 85.255.114.195,85.255.112.96
O17 - HKLM\System\CCS\Services\Tcpip\..\{717D3973-88B6-4782-9931-7708198751EB}: NameServer = 85.255.114.195,85.255.112.96
O17 - HKLM\System\CCS\Services\Tcpip\..\{F61F93F9-F7B8-4A87-8E31-56E6F9E83DE6}: NameServer = 85.255.114.195,85.255.112.96
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.114.195 85.255.112.96
O17 - HKLM\System\CS1\Services\Tcpip\..\{00A9E119-E86B-4062-95CF-C8227ABF0D3C}: NameServer = 85.255.114.195,85.255.112.96
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.114.195 85.255.112.96
O17 - HKLM\System\CS2\Services\Tcpip\..\{00A9E119-E86B-4062-95CF-C8227ABF0D3C}: NameServer = 85.255.114.195,85.255.112.96
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.114.195 85.255.112.96
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - H:\Archivos de programa\Ares\chatServer.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - H:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - H:\WINDOWS\system32\ati2sgag.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - H:\Archivos de programa\Archivos comunes\EPSON\EBAPI\SAgent2.exe
O23 - Service: Google Updater Service (gusvc) - Google - H:\Archivos de programa\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - H:\Archivos de programa\Archivos comunes\LightScribe\LSSrvc.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - H:\ARCHIV~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - h:\archivos de programa\archivos comunes\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - H:\ARCHIV~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - h:\ARCHIV~1\ARCHIV~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - H:\Archivos de programa\McAfee\VirusScan\McShield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - H:\ARCHIV~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - H:\Archivos de programa\McAfee\MPF\MPFSrv.exe
O23 - Service: ServiceLayer - Nokia. - H:\Archivos de programa\Archivos comunes\PCSuite\Services\ServiceLayer.exe
O23 - Service: Servicio SiteAdvisor (SiteAdvisor Service) - Unknown owner - H:\Archivos de programa\SiteAdvisor\6261\SAService.exe
O23 - Service: STI Simulator - Unknown owner - H:\WINDOWS\System32\PAStiSvc.exe
O24 - Desktop Component 0: (no name) - http://tbn0.google.com/images?q=tbn:...ndertaker2.jpg

--
End of file - 10292 bytes
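A small triage helper for the log above, added here as an example and not part of the thread or of HijackThis itself: it parses the O2, O4 and O17 lines and flags the patterns that stand out in this log: a BHO whose DLL is missing, Run entries launched from an Application Data folder or named after their own path, and NameServer overrides pointing at resolvers outside an allow-list (the MBA-M log later in the thread labels exactly those two addresses as Trojan.DNSChanger). The sample lines are copied from the posted log; the allow-list of expected resolvers is an assumed placeholder.

```python
"""Triage helper for HijackThis v2 logs (added example, not HijackThis code)."""
import ipaddress
import re

# Constructed sample: a handful of lines copied from the posted HijackThis log.
SAMPLE_LOG = "\n".join([
    r"O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - H:\Archivos de programa\Java\jre1.6.0_07\bin\ssv.dll",
    r"O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)",
    r'O4 - HKLM\..\Run: [SunJavaUpdateSched] "H:\Archivos de programa\Java\jre1.6.0_07\bin\jusched.exe"',
    r"O4 - HKLM\..\Run: [H:\WINDOWS\system32\kdqnw.exe] H:\WINDOWS\system32\kdqnw.exe",
    r"O4 - HKLM\..\Run: [close surf mail dupe] H:\Documents and Settings\All Users\Datos de programa\Tick Find Close Surf\User slow.exe",
    r"O4 - HKCU\..\Run: [junk peak] H:\DOCUME~1\user\DATOSD~1\grimfrag\TwoEach.exe",
    r"O17 - HKLM\System\CCS\Services\Tcpip\..\{00A9E119-E86B-4062-95CF-C8227ABF0D3C}: NameServer = 85.255.114.195,85.255.112.96",
    r"O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.114.195 85.255.112.96",
])

# Assumed placeholder: the resolvers this machine is expected to use (router / ISP).
EXPECTED_RESOLVERS = [ipaddress.ip_network("192.168.0.0/16"),
                      ipaddress.ip_network("10.0.0.0/8")]

# English, Spanish-localized and 8.3 short-name spellings of the Application Data folders.
APPDATA_MARKERS = ("\\application data\\", "\\applic~1\\",
                   "\\datos de programa\\", "\\datosd~1\\")

EXE_RE = re.compile(r'"?([^"]*?\.exe)', re.IGNORECASE)
RUN_RE = re.compile(r"(?P<hive>.+?)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")


def _check_o2(body):
    """O2 = browser helper objects. A registered BHO whose DLL is gone is an orphan."""
    if body.endswith("(no file)"):
        return "orphaned BHO (registered but DLL missing): " + body
    return None


def _check_o4(body):
    """O4 = autorun entries. Heuristics only; returns a reason string or None."""
    m = RUN_RE.match(body)
    if not m:                      # Startup-folder entries use a different layout
        return None
    name, cmd = m.group("name"), m.group("cmd")
    exe = EXE_RE.match(cmd)
    path = exe.group(1) if exe else cmd
    lower = path.lower()
    stem = lower.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
    if name.lower() == lower:
        return "Run value named after its own path: " + path
    if any(marker in lower for marker in APPDATA_MARKERS):
        return "autorun launched from an Application Data folder: " + path
    if "\\system32\\" in lower and stem.isalpha() and not any(v in stem for v in "aeiou"):
        return "vowel-less executable name in system32: " + path
    return None


def _check_o17(body):
    """O17 = TCP/IP NameServer overrides. Flags resolvers outside EXPECTED_RESOLVERS."""
    if "NameServer = " not in body:
        return None
    servers = re.split(r"[,\s]+", body.split("NameServer = ", 1)[1].strip())
    rogue = []
    for s in servers:
        try:
            ip = ipaddress.ip_address(s)
        except ValueError:
            continue
        if not any(ip in net for net in EXPECTED_RESOLVERS):
            rogue.append(s)
    return ("unexpected DNS resolver(s): " + ", ".join(rogue)) if rogue else None


CHECKS = {"O2": _check_o2, "O4": _check_o4, "O17": _check_o17}


def triage(log_text):
    """Return a list of (section, reason) for every HijackThis line a check flags."""
    findings = []
    for line in log_text.splitlines():
        m = re.match(r"^(O\d+) - (.*)$", line)
        if not m:
            continue
        section, body = m.groups()
        check = CHECKS.get(section)
        reason = check(body) if check else None
        if reason:
            findings.append((section, reason))
    return findings


if __name__ == "__main__":
    for section, reason in triage(SAMPLE_LOG):
        print(section, reason)
```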

jholland1964 Sep 7th, 2008 4:05 pm
Re: Need help removing CID pop-ups
 
What you are noting can be indicative of a LOP infection.
Notice some files are in Spanish, others are not. Any reason?
Please download Malwarebytes' Anti-Malware (MBA-M) to your Desktop.

* DoubleClick mbam-setup.exe and follow the prompts to install MBA-M.
* Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform full scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When MBA-M finishes, Notepad will open with the log. Please save it where you can find it easily. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt.

Also do the following:
The first thing you should do is print out this guide as we will close all the open windows and programs, including your web browser, before starting the ComboFix program.

Next you should download ComboFix
Click on the Save button and then when it asks you where to save it, make sure you save it directly to your Windows Desktop.

At this point you should do the following:

* Close all open Windows including this one.
* Close or disable all running Antivirus, Antispyware, and Firewall programs as they may interfere with the proper running of ComboFix.
* Double-click on the ComboFix icon found on your desktop. Please note, that once you start ComboFix you should not click anywhere on the ComboFix window as it can cause the program to stall. In fact, when ComboFix is running, do not touch your computer at all and just take a break as it may take a while for it to complete.
You may get a prompt because ComboFix does not have a digital signature. This is perfectly normal and safe and you can click on the Run button to continue.
ComboFix will prepare to run and when it has finished you will see the Disclaimer screen, just click the number 1 and then Enter.
It will then back up the registry.
Once the Windows Registry has finished being backed up, ComboFix will disconnect your computer from the Internet. Therefore, do not be surprised or concerned if you receive any warnings stating that you are no longer on the Internet as your connection will be completely restored at a later stage in the program.

ComboFix will now start scanning your computer for known infections. This procedure can take some time, so please be patient.
While the program is scanning your computer, it will change your clock format, so do not be concerned when you see this happen. When ComboFix is finished it will restore your clock settings to what they were previously. You will also see the text in the ComboFix window being updated as it goes through the various stages of its scan.
When ComboFix has finished running, you will see a screen stating that it is preparing the log report.
This can take a while, so please be patient. If you see your Windows desktop disappear, do not worry. This is normal and ComboFix will restore your desktop before it is finished. Eventually you will see a new screen that states the program is almost finished and telling you the programs log file, or report, will be located at C:\ComboFix.txt.
Come back here and post the Malwarebytes' log and the ComboFix log.

Jonnie_Cellmate Sep 10th, 2008 5:47 pm
Re: Need help removing CID pop-ups
 
Thanks j, I'll move forward with your suggested actions and post logs. Regarding the Spanish files, they're there because my nephew is Spanish and has his computer configured likewise. I also thought it could be a Lop infection and tried running nolop.exe prior to reading your reply. Something to note, I was unable to successfully run the nolop.exe program. It would run for about 10 seconds and then just quit and close without any warning or error message. Not sure if that changes anything you suggested. Again, thanks for your help.

jholland1964 Sep 10th, 2008 6:15 pm
Re: Need help removing CID pop-ups
 
Run the MBA-M program first and let it fix what it finds. Then run the ComboFix program and let's see what it shows.
Be sure to follow the instructions exactly and turn off all security programs while running it.
Post back here with both logs.
Judy

Jonnie_Cellmate Sep 20th, 2008 11:52 am
Re: Need help removing CID pop-ups
 
Quote:

Originally Posted by jholland1964 (Post 688596)
Run the MBA-M program first and let it fix what it finds. Then run the ComboFix program and let's see what it shows.
Be sure to follow the instructions exactly and turn off all security programs while running it.
Post back here with both logs.
Judy


Hi Judy. I ran both MBA-M and Combofix. Logs are posted below. Not sure, but the programs have appeared to remedy the problem my nephew was having with CID popups and generally slow computer performance. With regards to Combofix, I was unable to completely disable Mcafee's antivirus program, even by turning off the applicable services using services.msc from Start/Run. If you feel that step was absolutely critical, I can uninstall Mcafee entirely and try running Combofix again.

Thanks for all your help!

Malwarebytes' Anti-Malware 1.28
Database version: 1180
Windows 5.1.2600 Service Pack 2

20/09/2008 15:31:46
mbam-log-2008-09-20 (15-31-46).txt

Scan type: Full Scan (H:\|)
Objects scanned: 187212
Time elapsed: 1 hour(s), 24 minute(s), 42 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 16
Registry Values Infected: 4
Registry Data Items Infected: 19
Folders Infected: 14
Files Infected: 39

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\sssinstaller.installer (Adware.Comet) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{74278296-0ec7-4f7a-ad55-eb7a2f35f311} (Adware.Comet) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{0fbc3efb-fc98-4b32-bf10-bde9aa4dea5a} (Adware.Comet) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{6a4b7d17-1de9-4c14-8adf-eb4c07060519} (Adware.Comet) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{abf441b2-9b57-4838-96a0-34b1cecd4aa5} (Adware.Comet) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{a84e835e-1b9c-4fc0-980f-4b2da3c6a2a7} (Adware.Comet) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{a84e835e-1b9c-4fc0-980f-4b2da3c6a2a7} (Adware.Comet) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{bf0a1ff4-bbaf-487f-bc85-a24ef8f443a8} (Adware.Comet) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{bf0a1ff4-bbaf-487f-bc85-a24ef8f443a8} (Adware.Comet) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\sssinstaller.installer.1 (Adware.Comet) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\sssinstaller.sinstaller (Adware.Comet) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\sssinstaller.sinstaller.1 (Adware.Comet) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{90b5a95a-afd5-4d11-b9bd-a69d53d22226} (Adware.Hotbar) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Screensavers.com (Adware.Comet) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SSSInstaller (Adware.Comet) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Ares Gold (Adware.WhenUSave) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\New Windows\Allow\host-domain-lookup.com (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\New Windows\Allow\mysearchnow.com (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\New Windows\Allow\www.host-domain-lookup.com (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\New Windows\Allow\www.mysearchnow.com (Malware.Trace) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\System (Rootkit.DNSChanger.H) -> Data: kdhvx.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.114.195 85.255.112.96 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{00a9e119-e86b-4062-95cf-c8227abf0d3c}\NameServer (Trojan.DNSChanger) -> Data: 85.255.114.195,85.255.112.96 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{0fbc26cf-7c73-43c7-b7b7-b126a15b5d13}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.114.195,85.255.112.96 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{717d3973-88b6-4782-9931-7708198751eb}\NameServer (Trojan.DNSChanger) -> Data: 85.255.114.195,85.255.112.96 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{f61f93f9-f7b8-4a87-8e31-56e6f9e83de6}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.114.195,85.255.112.96 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{f61f93f9-f7b8-4a87-8e31-56e6f9e83de6}\NameServer (Trojan.DNSChanger) -> Data: 85.255.114.195,85.255.112.96 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.114.195 85.255.112.96 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{00a9e119-e86b-4062-95cf-c8227abf0d3c}\NameServer (Trojan.DNSChanger) -> Data: 85.255.114.195,85.255.112.96 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{0fbc26cf-7c73-43c7-b7b7-b126a15b5d13}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.114.195,85.255.112.96 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{717d3973-88b6-4782-9931-7708198751eb}\NameServer (Trojan.DNSChanger) -> Data: 85.255.114.195,85.255.112.96 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{f61f93f9-f7b8-4a87-8e31-56e6f9e83de6}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.114.195,85.255.112.96 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{f61f93f9-f7b8-4a87-8e31-56e6f9e83de6}\NameServer (Trojan.DNSChanger) -> Data: 85.255.114.195,85.255.112.96 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.114.195 85.255.112.96 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Interfaces\{00a9e119-e86b-4062-95cf-c8227abf0d3c}\NameServer (Trojan.DNSChanger) -> Data: 85.255.114.195,85.255.112.96 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Interfaces\{0fbc26cf-7c73-43c7-b7b7-b126a15b5d13}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.114.195,85.255.112.96 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Interfaces\{717d3973-88b6-4782-9931-7708198751eb}\NameServer (Trojan.DNSChanger) -> Data: 85.255.114.195,85.255.112.96 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Interfaces\{f61f93f9-f7b8-4a87-8e31-56e6f9e83de6}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.114.195,85.255.112.96 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Interfaces\{f61f93f9-f7b8-4a87-8e31-56e6f9e83de6}\NameServer (Trojan.DNSChanger) -> Data: 85.255.114.195,85.255.112.96 -> Quarantined and deleted successfully.

Folders Infected:
H:\Documents and Settings\All Users\Datos de programa\Starware316 (Adware.Starware) -> Quarantined and deleted successfully.
H:\Documents and Settings\All Users\Datos de programa\Starware316\buttons (Adware.Starware) -> Quarantined and deleted successfully.
H:\Documents and Settings\All Users\Datos de programa\Starware316\contexts (Adware.Starware) -> Quarantined and deleted successfully.
H:\Archivos de programa\Screensavers.com (Adware.Comet) -> Quarantined and deleted successfully.
H:\Archivos de programa\Screensavers.com\ActiveDesktop (Adware.Comet) -> Quarantined and deleted successfully.
H:\Archivos de programa\Screensavers.com\ActiveDesktop\bin (Adware.Comet) -> Quarantined and deleted successfully.
H:\Archivos de programa\Screensavers.com\SSSInstaller (Adware.Comet) -> Quarantined and deleted successfully.
H:\Archivos de programa\Screensavers.com\SSSInstaller\bin (Adware.Comet) -> Quarantined and deleted successfully.
H:\Archivos de programa\Screensavers.com\SSSInstaller\Ready (Adware.Comet) -> Quarantined and deleted successfully.
H:\Archivos de programa\Screensavers.com\SSSInstaller\temp (Adware.Comet) -> Quarantined and deleted successfully.
H:\Archivos de programa\Screensavers.com\SSSInstaller\Upload (Adware.Comet) -> Quarantined and deleted successfully.
H:\Archivos de programa\Save (Adware.WhenUSave) -> Quarantined and deleted successfully.
H:\Archivos de programa\Ares Gold (Adware.WhenUSave) -> Quarantined and deleted successfully.
H:\Archivos de programa\Ares Gold\Data (Adware.WhenUSave) -> Quarantined and deleted successfully.

Files Infected:
H:\WINDOWS\system32\kdhvx.exe (Rootkit.DNSChanger.H) -> Delete on reboot.
H:\Archivos de programa\Screensavers.com\SSSInstaller\bin\SSSInstaller.dll (Adware.Comet) -> Quarantined and deleted successfully.
H:\Archivos de programa\Screensavers.com\ActiveDesktop\bin\ActiveDesktopExe.exe (Adware.Comet) -> Quarantined and deleted successfully.
H:\Archivos de programa\Screensavers.com\SSSInstaller\bin\sinstaller3.exe (Adware.Comet) -> Quarantined and deleted successfully.
H:\Documents and Settings\papote\Configuración local\Temp\tmp38.tmp (Trojan.Clicker) -> Quarantined and deleted successfully.
H:\Documents and Settings\user\Configuración local\Temp\bit2.exe (Adware.Agent) -> Quarantined and deleted successfully.
H:\Documents and Settings\user\Configuración local\Temp\bitcoll.dll (Adware.Agent) -> Quarantined and deleted successfully.
H:\System Volume Information\_restore{C9201CCA-C68F-4092-A78D-D026CCB7DACB}\RP385\A0037570.exe (Adware.Comet) -> Quarantined and deleted successfully.
H:\Documents and Settings\All Users\Datos de programa\Starware316\buttons\FindIt.bmp (Adware.Starware) -> Quarantined and deleted successfully.
H:\Documents and Settings\All Users\Datos de programa\Starware316\buttons\FindItHot.bmp (Adware.Starware) -> Quarantined and deleted successfully.
H:\Documents and Settings\All Users\Datos de programa\Starware316\buttons\findithotxp.png (Adware.Starware) -> Quarantined and deleted successfully.
H:\Documents and Settings\All Users\Datos de programa\Starware316\buttons\finditxp.png (Adware.Starware) -> Quarantined and deleted successfully.
H:\Documents and Settings\All Users\Datos de programa\Starware316\buttons\Highlight.bmp (Adware.Starware) -> Quarantined and deleted successfully.
H:\Documents and Settings\All Users\Datos de programa\Starware316\buttons\HighlightHot.bmp (Adware.Starware) -> Quarantined and deleted successfully.
H:\Documents and Settings\All Users\Datos de programa\Starware316\buttons\highlighthotxp.png (Adware.Starware) -> Quarantined and deleted successfully.
H:\Documents and Settings\All Users\Datos de programa\Starware316\buttons\highlightxp.png (Adware.Starware) -> Quarantined and deleted successfully.
H:\Documents and Settings\All Users\Datos de programa\Starware316\buttons\Reference.bmp (Adware.Starware) -> Quarantined and deleted successfully.
H:\Documents and Settings\All Users\Datos de programa\Starware316\buttons\ReferenceHot.bmp (Adware.Starware) -> Quarantined and deleted successfully.
H:\Documents and Settings\All Users\Datos de programa\Starware316\buttons\referencehotxp.png (Adware.Starware) -> Quarantined and deleted successfully.
H:\Documents and Settings\All Users\Datos de programa\Starware316\buttons\referencexp.png (Adware.Starware) -> Quarantined and deleted successfully.
H:\Documents and Settings\All Users\Datos de programa\Starware316\buttons\screensaver.bmp (Adware.Starware) -> Quarantined and deleted successfully.
H:\Documents and Settings\All Users\Datos de programa\Starware316\buttons\starware_toolbar_icon.bmp (Adware.Starware) -> Quarantined and deleted successfully.
H:\Documents and Settings\All Users\Datos de programa\Starware316\buttons\Weather.bmp (Adware.Starware) -> Quarantined and deleted successfully.
H:\Documents and Settings\All Users\Datos de programa\Starware316\buttons\weatherhotxp.png (Adware.Starware) -> Quarantined and deleted successfully.
H:\Documents and Settings\All Users\Datos de programa\Starware316\buttons\weatherxp.png (Adware.Starware) -> Quarantined and deleted successfully.
H:\Documents and Settings\All Users\Datos de programa\Starware316\contexts\error.xml (Adware.Starware) -> Quarantined and deleted successfully.
H:\Documents and Settings\All Users\Datos de programa\Starware316\contexts\related.xml (Adware.Starware) -> Quarantined and deleted successfully.
H:\Documents and Settings\All Users\Datos de programa\Starware316\contexts\travel.xml (Adware.Starware) -> Quarantined and deleted successfully.
H:\Archivos de programa\Screensavers.com\SSSUninst.exe (Adware.Comet) -> Quarantined and deleted successfully.
H:\Archivos de programa\Screensavers.com\SSSInstaller\temp\dm69.tmp (Adware.Comet) -> Quarantined and deleted successfully.
H:\Archivos de programa\Screensavers.com\SSSInstaller\temp\dm6B.tmp (Adware.Comet) -> Quarantined and deleted successfully.
H:\Archivos de programa\Screensavers.com\SSSInstaller\temp\dm6D.tmp (Adware.Comet) -> Quarantined and deleted successfully.
H:\Archivos de programa\Screensavers.com\SSSInstaller\temp\dm6D.tmp.di (Adware.Comet) -> Quarantined and deleted successfully.
H:\Archivos de programa\Ares Gold\Data\cache.net (Adware.WhenUSave) -> Quarantined and deleted successfully.
H:\Archivos de programa\Ares Gold\Data\MyMedia.edb (Adware.WhenUSave) -> Quarantined and deleted successfully.
H:\Archivos de programa\Ares Gold\Data\searchkeys.dat (Adware.WhenUSave) -> Quarantined and deleted successfully.
H:\Archivos de programa\Ares Gold\Data\ultracache.net (Adware.WhenUSave) -> Quarantined and deleted successfully.
H:\Archivos de programa\Ares Gold\Data\webcache.net (Adware.WhenUSave) -> Quarantined and deleted successfully.
H:\WINDOWS\system32\nvs2.inf (Adware.EGDAccess) -> Quarantined and deleted successfully.

ComboFix 08-09-19.09 - user 2008-09-20 16:08:19.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.3082.18.631 [GMT 2:00]
Se ejecuta desde: H:\Documents and Settings\user\Escritorio\ComboFix.exe
* Creado un nuevo punto de restauración
* Resident AV is active


ADVERTENCIA - ESTE EQUIPO NO TIENE INSTALADA LA CONSOLA DE RECUPERACION!
.

(((((((((((((((((((((((((((((((((((( Otras eliminaciones )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Autorun.inf
H:\Documents and Settings\papote\Cookies\papote@metacafe[2].txt
H:\Documents and Settings\user\Configuración local\Datos de programa\iqecsiw.dat
H:\Documents and Settings\user\Configuración local\Datos de programa\iqecsiw.exe
H:\Documents and Settings\user\Configuración local\Datos de programa\iqecsiw_nav.dat
H:\Documents and Settings\user\Configuración local\Datos de programa\iqecsiw_navps.dat
H:\Documents and Settings\user\Configuración local\Datos de programa\iqecsiw_navup.dat
H:\Documents and Settings\user\Cookies\user@ehg-dig.hitbox[2].txt
H:\Documents and Settings\user\Cookies\user@t.ifilm[1].txt
H:\Documents and Settings\user\Favoritos\Videos.url
H:\Documents and Settings\user\Menú Inicio\Programas\Videos.url
H:\WINDOWS\system32\uninstall.exe

.
(((((((((((((((((( Files created from 2008-08-20 to 2008-09-20 )))))))))))))))))))))))))))))))))
.

2008-09-20 12:53 . 2008-09-20 12:53 <DIR> d-------- H:\Archivos de programa\NETGEAR
2008-09-20 12:53 . 2004-04-18 16:43 651,264 --a------ H:\WINDOWS\system32\libeay32.dll
2008-09-20 12:53 . 2005-09-26 16:02 362,944 --a------ H:\WINDOWS\system32\drivers\WPN111.sys
2008-09-20 12:53 . 2005-07-27 21:15 149,392 --a------ H:\WINDOWS\system32\drivers\ar5523.bin
2008-09-20 12:53 . 2004-04-18 16:43 147,456 --a------ H:\WINDOWS\system32\ssleay32.dll
2008-09-20 12:53 . 2003-07-24 12:10 94,208 --a------ H:\WINDOWS\system32\DNIN50.dll
2008-09-20 12:53 . 2003-07-24 12:10 17,149 --a------ H:\WINDOWS\system32\DNINDIS5.sys
2008-09-20 12:53 . 2003-07-25 13:30 15,941 --a------ H:\WINDOWS\system32\DNINDIS3.VXD
2008-09-20 12:53 . 2005-10-06 11:28 15,819 --a------ H:\WINDOWS\system32\drivers\netwpn11.inf
2008-09-20 12:53 . 2005-10-19 05:03 8,263 --a------ H:\WINDOWS\system32\drivers\WPN111.cat
2008-09-20 12:37 . 2008-09-20 12:37 <DIR> d-------- H:\Documents and Settings\user\Datos de programa\Malwarebytes
2008-09-20 12:37 . 2008-09-10 00:03 17,200 --a------ H:\WINDOWS\system32\drivers\mbam.sys
2008-09-20 12:36 . 2008-09-20 12:36 <DIR> d-------- H:\Documents and Settings\All Users\Datos de programa\Malwarebytes
2008-09-20 12:36 . 2008-09-20 14:04 <DIR> d-------- H:\Archivos de programa\Malwarebytes' Anti-Malware
2008-09-20 12:36 . 2008-09-10 00:04 38,528 --a------ H:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-09-16 15:56 . 2008-09-16 15:56 <DIR> d-------- H:\Archivos de programa\grimfrag
2008-09-12 20:55 . 2008-09-12 20:55 <DIR> d-------- H:\Archivos de programa\VirtualDJ
2008-09-07 16:55 . 2008-09-07 16:55 <DIR> d-------- H:\Archivos de programa\Trend Micro
2008-09-07 16:28 . 2008-09-07 16:38 424 --a------ H:\delete.bat
2008-09-07 16:12 . 2008-09-07 16:12 0 --a------ H:\WINDOWS\nsreg.dat
2008-08-31 21:31 . 2008-08-31 21:31 <DIR> d-------- H:\Archivos de programa\Sun

.
(((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-20 11:21 --------- d-----w H:\Documents and Settings\user\Datos de programa\SiteAdvisor
2008-09-20 10:53 --------- d--h--w H:\Archivos de programa\InstallShield Installation Information
2008-09-17 18:05 --------- d-----w H:\Documents and Settings\m.mar\Datos de programa\grimfrag
2008-09-16 13:56 --------- d-----w H:\Documents and Settings\user\Datos de programa\grimfrag
2008-09-16 13:56 --------- d-----w H:\Documents and Settings\All Users\Datos de programa\Tick Find Close Surf
2008-09-12 18:54 --------- d-----w H:\Archivos de programa\eMule
2008-09-08 11:45 --------- d-----w H:\Documents and Settings\papote\Datos de programa\grimfrag
2008-09-05 15:09 --------- d-----w H:\WINDOWS\system32\config\systemprofile\Datos de programa\SiteAdvisor
2008-08-31 19:56 --------- d-----w H:\Archivos de programa\beon Widgets
2008-08-31 19:31 --------- d-----w H:\Archivos de programa\Java
2008-08-29 13:00 --------- d-----w H:\Archivos de programa\Norton Security Scan
2008-08-29 10:29 --------- d-----w H:\Documents and Settings\LocalService\Datos de programa\SiteAdvisor
2007-08-10 19:33 2,201,356 ----a-w H:\Documents and Settings\user\medal of honor allied assault - mohaa nocd crack v1 11(2).exe
2006-07-18 12:41 1,019,094 --sha-r H:\Archivos de programa\serial.zip
2006-07-18 12:41 1,019,094 --sha-r H:\Archivos de programa\serial.tde
2006-05-28 15:46 397,306 --sha-r H:\Archivos de programa\wunauclt.zip
2006-05-28 15:46 397,306 --sha-r H:\Archivos de programa\wunauclt.tbe
2004-10-01 14:00 40,960 -c--a-w H:\Archivos de programa\Uninstall_CDS.exe
2003-05-10 02:16 1,438 ----a-w H:\Documents and Settings\user\_Unpak.bat
2001-12-27 22:00 100,864 ----a-w H:\Documents and Settings\user\Tecuha.exe
.

((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legitimate default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="H:\WINDOWS\system32\ctfmon.exe" [2004-08-19 15360]
"MsnMsgr"="H:\Archivos de programa\MSN Messenger\MsnMsgr.Exe" [2007-01-19 5674352]
"ares"="H:\Archivos de programa\ARES\Ares.exe" [2007-03-05 947712]
"swg"="H:\Archivos de programa\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-13 68856]
"MSMSGS"="H:\Archivos de programa\Messenger\msmsgs.exe" [2004-10-13 1694208]
"junk peak"="H:\DOCUME~1\user\DATOSD~1\grimfrag\TwoEach.exe" [2008-09-16 512512]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATICCC"="H:\Archivos de programa\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-05-10 90112]
"RemoteControl"="H:\Archivos de programa\CyberLink DVD Solution\PowerDVD\PDVDServ.exe" [2004-11-02 32768]
"NeroFilterCheck"="H:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 155648]
"SunJavaUpdateSched"="H:\Archivos de programa\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"PCSuiteTrayApplication"="H:\ARCHIV~1\Nokia\NOKIAP~1\LAUNCH~1.EXE" [2006-06-15 229376]
"SiteAdvisor"="H:\Archivos de programa\SiteAdvisor\6261\SiteAdv.exe" [2006-07-31 35416]
"Adobe Photo Downloader"="H:\Archivos de programa\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 63712]
"Adobe Reader Speed Launcher"="H:\Archivos de programa\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"close surf mail dupe"="H:\Documents and Settings\All Users\Datos de programa\Tick Find Close Surf\Play Send.exe" [2008-09-20 761344]
"SoundMan"="SOUNDMAN.EXE" [2005-04-15 H:\WINDOWS\SOUNDMAN.EXE]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="H:\WINDOWS\system32\CTFMON.EXE" [2004-08-19 15360]

H:\Documents and Settings\m.mar\Menú Inicio\Programas\Inicio\
DesktopEarth AutoStart.lnk - H:\Documents and Settings\user\Datos de programa\Microsoft\Installer\{DBA5E973-660D-4CBE-A469-F5C37FBF0CE4}\_C1A9BF9D98647632ED5172.exe [2008-01-02 29926]

H:\Documents and Settings\All Users\Menú Inicio\Programas\Inicio\
ECOM Turbo-G Wireless Utility.lnk - H:\Archivos de programa\ECOM\Common\TurboG-UI.exe [2006-12-28 614400]
EPSON Status Monitor 3 Environment Check 2.lnk - H:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE [2007-11-14 127488]
NETGEAR WPN111 Smart Wizard.lnk - H:\Archivos de programa\NETGEAR\WPN111\wpn111.exe [2008-09-20 884838]

[HKLM\~\startupfolder\H:^Documents and Settings^All Users^Menú Inicio^Programas^Inicio^VIA RAID TOOL.lnk]
path=H:\Documents and Settings\All Users\Menú Inicio\Programas\Inicio\VIA RAID TOOL.lnk
backup=H:\WINDOWS\pss\VIA RAID TOOL.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\I downloaded pirated Software from P2P ]
NBA Live 2007 [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mcagent_exe]
--a------ 2007-08-03 23:33 582992 H:\Archivos de programa\McAfee.com\Agent\mcagent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"H:\\Archivos de programa\\ARES\\Ares.exe"=
"H:\\Archivos de programa\\MotoGP2\\motogp2.exe"=
"H:\\WINDOWS\\system32\\rtcshare.exe"=
"H:\\Archivos de programa\\MSN Messenger\\msnmsgr.exe"=
"H:\\Archivos de programa\\MSN Messenger\\livecall.exe"=
"H:\\Archivos de programa\\Archivos comunes\\McAfee\\MNA\\McNASvc.exe"=

S3 DNINDIS5;DNINDIS5 NDIS Protocol Driver;H:\WINDOWS\system32\DNINDIS5.SYS [2003-07-24 17149]
S3 PAC207;VideoCAM GF112;H:\WINDOWS\system32\DRIVERS\pfc027.sys [2005-04-08 162176]
S3 WPN111;Wireless USB 2.0 Adapter with RangeMax Service;H:\WINDOWS\system32\DRIVERS\WPN111.sys [2005-09-26 362944]

*Newly Created Service* - PROCEXP90
.
Contents of folder 'Tareas Programadas' (Scheduled Tasks)
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-updateMgr - H:\Archivos de programa\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe
HKCU-Run-iqecsiw - h:\documents and settings\user\configuración local\datos de programa\iqecsiw.exe
HKLM-Run-H:\WINDOWS\system32\kdqnw.exe - H:\WINDOWS\system32\kdqnw.exe
HKLM-Run-H:\WINDOWS\system32\kdhvx.exe - H:\WINDOWS\system32\kdhvx.exe
Notify-WgaLogon - (no file)


.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = hxxp://www.google.es/
R0 -: HKCU-Main,Search Page = hxxp://www.google.com
R0 -: HKCU-Main,Search Bar = hxxp://www.google.com/ie
R1 -: HKCU-SearchURL,(Default) = hxxp://www.google.com/search?q=%s
O8 -: E&xportar a Microsoft Excel - H:\ARCHIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O16 -: Microsoft XML Parser for Java - file://H:\WINDOWS\Java\classes\xmldso.cab
H:\WINDOWS\Downloaded Program Files\Microsoft XML Parser for Java.osd
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-20 16:15:48
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-09-20 16:16:59
ComboFix-quarantined-files.txt 2008-09-20 14:16:56

Pre-Run: 93,034,496,000 bytes free
Post-Run: 96,248,139,776 bytes free

163 --- E O F --- 2007-12-27 17:40:10

jholland1964 Sep 20th, 2008 12:08 pm
Re: Need help removing CID pop-ups
 
For now don't worry about the McAfee remainders with the combofix. Let me go through these logs and I will get back to you ASAP.
Can you also run a new HJT Full System scan, save the log and post it back here so we can get a "new" snapshot of what may be remaining.
Judy

Jonnie_Cellmate Sep 20th, 2008 12:12 pm
Re: Need help removing CID pop-ups
 
Correction...still getting CID popups and webpage redirects. Bummer!

Jonnie_Cellmate Sep 20th, 2008 12:21 pm
Re: Need help removing CID pop-ups
 
Quote:

Originally Posted by jholland1964 (Post 695549)
For now don't worry about the McAfee remainders with the combofix. Let me go through these logs and I will get back to you ASAP.
Can you also run a new HJT Full System scan, save the log and post it back here so we can get a "new" snapshot of what may be remaining.
Judy


Here's the latest HJT log...thanks!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:18:59, on 20/09/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
H:\WINDOWS\System32\smss.exe
H:\WINDOWS\system32\winlogon.exe
H:\WINDOWS\system32\services.exe
H:\WINDOWS\system32\lsass.exe
H:\WINDOWS\system32\Ati2evxx.exe
H:\WINDOWS\system32\svchost.exe
H:\WINDOWS\System32\svchost.exe
H:\WINDOWS\system32\spoolsv.exe
H:\Archivos de programa\Archivos comunes\EPSON\EBAPI\SAgent2.exe
H:\Archivos de programa\Archivos comunes\LightScribe\LSSrvc.exe
H:\ARCHIV~1\McAfee\MSC\mcmscsvc.exe
H:\WINDOWS\system32\Ati2evxx.exe
h:\archivos de programa\archivos comunes\mcafee\mna\mcnasvc.exe
h:\ARCHIV~1\ARCHIV~1\mcafee\mcproxy\mcproxy.exe
H:\Archivos de programa\McAfee\VirusScan\McShield.exe
H:\Archivos de programa\McAfee\MPF\MPFSrv.exe
H:\Archivos de programa\SiteAdvisor\6261\SAService.exe
H:\WINDOWS\System32\PAStiSvc.exe
H:\WINDOWS\system32\svchost.exe
H:\WINDOWS\System32\svchost.exe
H:\ARCHIV~1\McAfee\VIRUSS~1\mcsysmon.exe
H:\ARCHIV~1\McAfee.com\Agent\mcagent.exe
H:\WINDOWS\Explorer.EXE
H:\WINDOWS\SOUNDMAN.EXE
H:\Archivos de programa\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
H:\Archivos de programa\Java\jre1.6.0_07\bin\jusched.exe
H:\Archivos de programa\SiteAdvisor\6261\SiteAdv.exe
H:\Archivos de programa\ATI Technologies\ATI.ACE\CLI.EXE
H:\WINDOWS\system32\ctfmon.exe
H:\Archivos de programa\MSN Messenger\MsnMsgr.Exe
H:\Archivos de programa\Messenger\msmsgs.exe
H:\Archivos de programa\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
H:\Archivos de programa\Internet Explorer\iexplore.exe
H:\Archivos de programa\Internet Explorer\iexplore.exe
H:\Archivos de programa\Archivos comunes\PCSuite\Services\ServiceLayer.exe
H:\Archivos de programa\DesktopEarth\DesktopEarth.exe
H:\Archivos de programa\ATI Technologies\ATI.ACE\cli.exe
H:\Archivos de programa\Trend Micro\HijackThis\Greg.exe
h:\ARCHIV~1\mcafee\msc\mcuimgr.exe
H:\Archivos de programa\Archivos comunes\McAfee\HackerWatch\HWUpdChk.exe
h:\ARCHIV~1\mcafee\msc\mcupdui.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.es/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - H:\Archivos de programa\Archivos comunes\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - H:\Archivos de programa\SiteAdvisor\6261\SiteAdv.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - H:\Archivos de programa\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - H:\Archivos de programa\McAfee\VirusScan\scriptsn.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - H:\Archivos de programa\Archivos comunes\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - h:\archivos de programa\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - H:\Archivos de programa\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - h:\archivos de programa\google\googletoolbar3.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - H:\Archivos de programa\SiteAdvisor\6261\SiteAdv.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ATICCC] "H:\Archivos de programa\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [RemoteControl] "H:\Archivos de programa\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] H:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "H:\Archivos de programa\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [PCSuiteTrayApplication] H:\ARCHIV~1\Nokia\NOKIAP~1\LAUNCH~1.EXE -startup
O4 - HKLM\..\Run: [SiteAdvisor] "H:\Archivos de programa\SiteAdvisor\6261\SiteAdv.exe"
O4 - HKLM\..\Run: [close surf mail dupe] H:\Documents and Settings\All Users\Datos de programa\Tick Find Close Surf\Play Send.exe
O4 - HKLM\..\Run: [mcagent_exe] H:\Archivos de programa\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKCU\..\Run: [CTFMON.EXE] H:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "H:\Archivos de programa\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "H:\Archivos de programa\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [junk peak] H:\DOCUME~1\user\DATOSD~1\grimfrag\TwoEach.exe
O4 - HKCU\..\Run: [swg] H:\Archivos de programa\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] H:\WINDOWS\system32\CTFMON.EXE (User 'SERVICIO LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] H:\WINDOWS\system32\CTFMON.EXE (User 'Servicio de red')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] H:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] H:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Babelbox.lnk = H:\Archivos de programa\beon Widgets\Babelbox\LoaderBeon.exe
O4 - Startup: DesktopEarth AutoStart.lnk = ?
O8 - Extra context menu item: E&xportar a Microsoft Excel - res://H:\ARCHIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - H:\Archivos de programa\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Consola de Sun Java - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - H:\Archivos de programa\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Referencia - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - H:\ARCHIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - H:\Archivos de programa\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - H:\Archivos de programa\Messenger\msmsgs.exe
O12 - Plugin for .spop: H:\Archivos de programa\Internet Explorer\Plugins\NPDocBox.dll
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - H:\Archivos de programa\Ares\chatServer.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - H:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - H:\WINDOWS\system32\ati2sgag.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - H:\Archivos de programa\Archivos comunes\EPSON\EBAPI\SAgent2.exe
O23 - Service: Google Updater Service (gusvc) - Google - H:\Archivos de programa\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - H:\Archivos de programa\Archivos comunes\LightScribe\LSSrvc.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - H:\ARCHIV~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - h:\archivos de programa\archivos comunes\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - H:\ARCHIV~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - h:\ARCHIV~1\ARCHIV~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - H:\Archivos de programa\McAfee\VirusScan\McShield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - H:\ARCHIV~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - H:\Archivos de programa\McAfee\MPF\MPFSrv.exe
O23 - Service: ServiceLayer - Nokia. - H:\Archivos de programa\Archivos comunes\PCSuite\Services\ServiceLayer.exe
O23 - Service: Servicio SiteAdvisor (SiteAdvisor Service) - Unknown owner - H:\Archivos de programa\SiteAdvisor\6261\SAService.exe
O23 - Service: STI Simulator - Unknown owner - H:\WINDOWS\System32\PAStiSvc.exe
O24 - Desktop Component 0: (no name) - http://tbn0.google.com/images?q=tbn:...ndertaker2.jpg

--
End of file - 8499 bytes

jholland1964 Sep 20th, 2008 1:42 pm
Re: Need help removing CID pop-ups
 
I am still going through your ComboFix log, but let's try a fix using HJT and see how that goes.
First you should do the following:
You may want to print out these instructions and save them in Notepad on the desktop, because part of the time you are going to be in Safe Mode and won't be able to access this site.

Boot into Safe Mode under your normal user name (NOT THE ADMINISTRATOR ACCOUNT).
Using the F8 Method

1. Restart your computer.
2. When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point you should gently tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
3. Select the option for Safe Mode using the arrow keys.
4. Then press enter on your keyboard to boot into Safe Mode.
5. Do whatever tasks you require and when you are done reboot to boot back into normal mode.

Enable Viewing of Hidden Files and Folders
1. Click Start.
2. Open My Computer.
3. Select the Tools menu and click Folder Options.
4. Select the View Tab.
5. Under the Hidden files and folders heading select Show hidden files and folders.
6. Uncheck the Hide protected operating system files (recommended) option.
7. Click Yes to confirm.
8. Click OK.

Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

Click on the Processes tab and end process for (if there):
iexplore.exe (if two show then end both)
Play Send.exe
TwoEach.exe

Close task manager.
Run HJT with no other programs open (except Notepad). Click the Scan button. Have HJT fix the following by placing a check mark in the little box next to each of the following (if there):

O4 - HKLM\..\Run: [close surf mail dupe] H:\Documents and Settings\All Users\Datos de programa\Tick Find Close Surf\Play Send.exe
O4 - HKCU\..\Run: [junk peak] H:\DOCUME~1\user\DATOSD~1\grimfrag\TwoEach.exe

Click on the fix checked button.

Close HJT.

Now search for and delete the following bold files and/or directories (if there).

H:\Documents and Settings\All Users\Datos de programa\Tick Find Close Surf\ <Delete the entire folder in bold.

H:\DOCUMENTS & SETTINGS\user\DATOSD~1\grimfrag\ <Delete the entire folder in bold.
Reboot into normal mode and rehide your protected OS files.

Post a fresh HJT log
Meanwhile I am still going through that combofix log and will get back on that.
Judy
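Judy's fix above comes down to three steps per bad autorun: end the process, remove the Run value, and delete the folder the binary lives in. The script below is an added example, not part of this thread and not HijackThis code. It parses the `O4 - ...\Run:` lines of a HijackThis log, flags entries that launch from a user profile or application-data path or that carry a random-word value name like "junk peak", and prints those three remediation steps for each hit. The suspect-directory list and the naming heuristic are this example's own assumptions about this Spanish Windows XP install; the sample lines are copied from the log posted above. It only reads the log and reports; it does not touch the registry or the disk.

```python
"""Triage HijackThis 'O4 - ...\\Run' lines and derive a removal plan.

Added example for this thread; not HijackThis code and not part of the
original posts. The suspect directories and the random-word check are
this example's own assumptions, not rules from the tool.
"""
import re
import ntpath
from dataclasses import dataclass

HIVES = {"HKLM": "HKEY_LOCAL_MACHINE", "HKCU": "HKEY_CURRENT_USER",
         "HKUS": "HKEY_USERS"}

# O4 - <hive>[\<sid>]\..\Run: [<value name>] <command>
O4_RUN = re.compile(
    r"^O4 - (?P<hive>HK\w+)(?P<sub>\\[^\\]+?)?\\\.\.\\Run: "
    r"\[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
# First token of the command: a quoted path, or an unquoted one up to .exe
EXE = re.compile(r'^(?:"(?P<q>[^"]+)"|(?P<u>.+?\.exe))', re.IGNORECASE)

# Assumption: on this (Spanish XP) box, Run entries launching from a user
# profile or the AppData trees ("Datos de programa") are unusual for
# legitimate software. Lower-case substrings of the executable path.
SUSPECT_DIRS = ("documents and settings\\", "docume~1\\",
                "datos de programa\\", "datosd~1\\",
                "application data\\", "\\temp\\")
# Assumption: two or more lower-case words as the value name ("junk peak")
# is a naming style that, in the posted log, only the adware entries use.
RANDOM_WORDS = re.compile(r"^[a-z]+(?: [a-z]+)+$")


@dataclass
class Finding:
    reg_key: str        # full registry key that holds the Run value
    value_name: str
    exe_path: str
    reasons: list

    def plan(self):
        """The same three steps the fix in the thread prescribes."""
        return {
            "end_process": ntpath.basename(self.exe_path),
            "delete_value": f'{self.reg_key} -> "{self.value_name}"',
            "delete_folder": ntpath.dirname(self.exe_path) + "\\",
        }


def parse_run_entries(log_text):
    """Yield (reg_key, value_name, exe_path) for every O4 Run line."""
    for line in log_text.splitlines():
        m = O4_RUN.match(line.strip())
        if not m:
            continue
        hive = HIVES.get(m["hive"], m["hive"]) + (m["sub"] or "")
        key = hive + r"\Software\Microsoft\Windows\CurrentVersion\Run"
        e = EXE.match(m["cmd"].strip())
        exe = (e["q"] or e["u"]) if e else m["cmd"].split()[0]
        yield key, m["name"], exe


def triage(log_text):
    """Return a Finding for each Run entry that trips a heuristic."""
    findings = []
    for key, name, exe in parse_run_entries(log_text):
        reasons = []
        if any(d in exe.lower() for d in SUSPECT_DIRS):
            reasons.append("launches from a user-writable profile/AppData path")
        if RANDOM_WORDS.match(name):
            reasons.append("random-word value name")
        if reasons:
            findings.append(Finding(key, name, exe, reasons))
    return findings


# Lines copied from the HijackThis log posted above (not constructed).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [PCSuiteTrayApplication] H:\ARCHIV~1\Nokia\NOKIAP~1\LAUNCH~1.EXE -startup
O4 - HKLM\..\Run: [SiteAdvisor] "H:\Archivos de programa\SiteAdvisor\6261\SiteAdv.exe"
O4 - HKLM\..\Run: [close surf mail dupe] H:\Documents and Settings\All Users\Datos de programa\Tick Find Close Surf\Play Send.exe
O4 - HKLM\..\Run: [mcagent_exe] H:\Archivos de programa\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKCU\..\Run: [MsnMsgr] "H:\Archivos de programa\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [junk peak] H:\DOCUME~1\user\DATOSD~1\grimfrag\TwoEach.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] H:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - Startup: DesktopEarth AutoStart.lnk = ?
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f.value_name, "|", f.exe_path, "|", "; ".join(f.reasons))
        for step, target in f.plan().items():
            print("   ", step, "->", target)
```

Run against the sample it reports exactly the two entries Judy lists, with the same process names and folders. Because the location check is a heuristic, review each hit before fixing it: a legitimate updater installed under All Users\Datos de programa would trip the same rule, which is why the random-word name is reported as a separate reason.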

jholland1964 Sep 20th, 2008 2:09 pm
Re: Need help removing CID pop-ups
 
I also would like you to generate an Uninstall list using HJT and post it here. To do this, do the following:
1. Start HijackThis
2. Click on the Config button
3. Click on the Misc Tools button
4. Click on the Open Uninstall Manager button.
Click on the Save list... button and specify where you would like to save this file. The desktop is the easiest place. When you press the Save button, a Notepad window will open with the contents of that file. Simply copy and paste the contents of that Notepad window back here.

