Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

Problem with virus Trojan.win32.patched.bb

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

Problem with virus Trojan.win32.patched.bb

Unread postby pepemarix » July 27th, 2008, 11:08 am

Hello

My name is José María González, from Spain, I have a serius problem with a virus called Trojan.win32.patched.bb in my computer

i have been reading in websites but the only information but seem quite serious is in this web. Please help me with this problem.

kaspersky detected the same virus in 2 files:
C:\windows\system32\user32.dll
and in the memory module csrss.exe\user32d.ll

every time that i reboot my PC this 2 message appeared again.

I know it is a long process and i will follow every step that you tell me.
I have karspesky and I have download the softaware HiJackThis, malwarebytes and Fileassasin, but I don't want to use it without any advice because i know it is dangerous.

I will be really gratefull if you could help me, thanks

This is the Report from Kaspersky
KASPERSKY ONLINE SCANNER INFORME
domingo, 27 de julio de 2008 16:55:36
Sistema operativo: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner versión: 5.0.84.1
Ultima actualización: 27/07/2008
Registros en la base antivirus: 902322


Configuración del análisis
Analizar usando las siguientes bases standard
Analizar archivos verdadero
Analizar bases de correo verdadero

Objetivo a analizar Áreas críticas
C:\WINDOWS
C:\DOCUME~1\JOSEMARI\CONFIG~1\Temp\

Estadísticas
Número de objeros analizados 18982
Virus encontrados 7
Objetos infectados 10 / 0
Objetos sospechosos 0
Duración del análisis 00:24:13

Bombre del objeto infectado Nombre del virus Última acción
C:\WINDOWS\Debug\PASSWD.LOG Object is locked saltado

C:\WINDOWS\SchedLgU.Txt Object is locked saltado

C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked saltado

C:\WINDOWS\Sti_Trace.log Object is locked saltado

C:\WINDOWS\system32\afinding.exe Infectados: Trojan-Downloader.Win32.Delf.kto saltado

C:\WINDOWS\system32\CatRoot2\edb.log Object is locked saltado

C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked saltado

C:\WINDOWS\system32\config\AppEvent.Evt Object is locked saltado

C:\WINDOWS\system32\config\default Object is locked saltado

C:\WINDOWS\system32\config\default.LOG Object is locked saltado

C:\WINDOWS\system32\config\SAM Object is locked saltado

C:\WINDOWS\system32\config\SAM.LOG Object is locked saltado

C:\WINDOWS\system32\config\SecEvent.Evt Object is locked saltado

C:\WINDOWS\system32\config\SECURITY Object is locked saltado

C:\WINDOWS\system32\config\SECURITY.LOG Object is locked saltado

C:\WINDOWS\system32\config\software Object is locked saltado

C:\WINDOWS\system32\config\software.LOG Object is locked saltado

C:\WINDOWS\system32\config\SysEvent.Evt Object is locked saltado

C:\WINDOWS\system32\config\system Object is locked saltado

C:\WINDOWS\system32\config\system.LOG Object is locked saltado

C:\WINDOWS\system32\config\systemprofile\Configuración local\Archivos temporales de Internet\Content.IE5\4F3MDUCR\pr[2].bin Infectados: Trojan.Win32.Agent.wdl saltado

C:\WINDOWS\system32\config\systemprofile\Configuración local\Archivos temporales de Internet\Content.IE5\HMVL4065\pr[2].bin Infectados: Trojan.Win32.Agent.wdl saltado

C:\WINDOWS\system32\config\systemprofile\Configuración local\Archivos temporales de Internet\Content.IE5\HMVL4065\pr[3].bin Infectados: Trojan.Win32.Agent.wdl saltado

C:\WINDOWS\system32\config\systemprofile\Configuración local\Archivos temporales de Internet\Content.IE5\index.dat Object is locked saltado

C:\WINDOWS\system32\config\systemprofile\Configuración local\Archivos temporales de Internet\Content.IE5\PZ44PNXD\p[2].bin Infectados: Trojan-Downloader.Win32.Delf.ktm saltado

C:\WINDOWS\system32\config\systemprofile\Configuración local\Archivos temporales de Internet\Content.IE5\PZ44PNXD\p[3].bin Infectados: Trojan-Downloader.Win32.Delf.ktm saltado

C:\WINDOWS\system32\config\systemprofile\Configuración local\Historial\History.IE5\index.dat Object is locked saltado

C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat Object is locked saltado

C:\WINDOWS\system32\mshlp.exe Object is locked saltado

C:\WINDOWS\system32\Nobicyt.exe Infectados: Trojan-Downloader.Win32.Delf.ktn saltado

C:\WINDOWS\system32\nvrsul32.dll Object is locked saltado

C:\WINDOWS\system32\routing.exe Infectados: Trojan.Win32.Agent.wcj saltado

C:\WINDOWS\system32\stsycod.sys Infectados: Trojan.Win32.Delf.dqc saltado

C:\WINDOWS\system32\user32.DLL Infectados: Trojan.Win32.Patched.bb saltado

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked saltado

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked saltado

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked saltado

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked saltado

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked saltado

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked saltado

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked saltado

C:\WINDOWS\wiadebug.log Object is locked saltado

C:\WINDOWS\wiaservc.log Object is locked saltado

C:\WINDOWS\WindowsUpdate.log Object is locked saltado

Análisis completado.

--------------------------------------------------------------------

And this is the report from HiJack:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:06:01, on 27/07/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Archivos de programa\Ahead\InCD\InCDsrv.exe
c:\windows\explorer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Archivos de programa\Java\jre1.6.0_07\bin\jusched.exe
C:\Archivos de programa\Ahead\InCD\InCD.exe
C:\WINDOWS\System32\LVCOMSX.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Archivos de programa\QuickTime\qttask.exe
C:\Archivos de programa\iTunes\iTunesHelper.exe
C:\Archivos de programa\Archivos comunes\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\DrvMon.exe
C:\Archivos de programa\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Archivos de programa\Google\Google Updater\GoogleUpdater.exe
C:\Archivos de programa\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Archivos de programa\Archivos comunes\Ulead Systems\DVD\ULCDRSvr.exe
C:\Archivos de programa\iPod\bin\iPodService.exe
C:\Archivos de programa\Internet Explorer\iexplore.exe
C:\Archivos de programa\Internet Explorer\IEXPLORE.EXE
C:\Archivos de programa\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.es/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
F2 - REG:system.ini: Shell=c:\windows\explorer.exe
F2 - REG:system.ini: UserInit=c:\windows\system32\userinit.exe
O2 - BHO: Aplicación auxiliar de vínculos de Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Archivos de programa\Archivos comunes\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Archivos de programa\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Archivos de programa\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Archivos de programa\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Archivos de programa\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\System32\LVCOMSX.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Archivos de programa\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Archivos de programa\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Archivos de programa\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [KAVPersonal50] C:\Archivos de programa\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe /minimize
O4 - HKLM\..\Run: [TkBellExe] "C:\Archivos de programa\Archivos comunes\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [UVS10 Preload] C:\Archivos de programa\Ulead Systems\Ulead VideoStudio 10\uvPL.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Archivos de programa\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [DrvMon.exe] C:\WINDOWS\System32\DrvMon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Archivos de programa\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Archivos de programa\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Archivos de programa\Microsoft ActiveSync\wcescomm.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVICIO LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Servicio de red')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Archivos de programa\Archivos comunes\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Google Updater.lnk = C:\Archivos de programa\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Archivos de programa\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\ARCHIV~1\MIF269~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Consola de Sun Java - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\ARCHIV~1\MICROS~4\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\ARCHIV~1\MICROS~4\INetRepl.dll
O9 - Extra 'Tools' menuitem: Crear un favorito móvil... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\ARCHIV~1\MICROS~4\INetRepl.dll
O9 - Extra button: Xanadu - {5CC384BB-1326-11D5-F4AE-00C04923F885} - C:\Archivos de programa\Foreignword\Xanadu\XanaduLaunch.exe
O9 - Extra button: Referencia - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARCHIV~1\MIF269~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/spanish/ka ... nicode.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 0935060921
O16 - DPF: {8C875948-9C60-4381-9248-0DF180542D53} - http://installs.hotbar.com/installs/hbt ... btools.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/softwa ... Plugin.cab
O20 - Winlogon Notify: winhdn32 - C:\WINDOWS\SYSTEM32\winhdn32.dll
O23 - Service: Google Updater Service (gusvc) - Google - C:\Archivos de programa\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Archivos de programa\Archivos comunes\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Archivos de programa\Ahead\InCD\InCDsrv.exe
O23 - Service: InCD Helper (read only) (InCDsrvR) - Ahead Software AG - C:\Archivos de programa\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Archivos de programa\iPod\bin\iPodService.exe
O23 - Service: kavsvc - Kaspersky Lab - C:\Archivos de programa\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
O23 - Service: Microsoft File Mapping Service (mshlpkd) - Unknown owner - C:\WINDOWS\system32\mshlp.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Routing Service (Routing) - Conexant - (no file)
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Archivos de programa\Archivos comunes\Ulead Systems\DVD\ULCDRSvr.exe

--
End of file - 8122 bytes
pepemarix
Regular Member
 
Posts: 17
Joined: July 27th, 2008, 9:28 am
Advertisement
Register to Remove

Re: Problem with virus Trojan.win32.patched.bb

Unread postby Carolyn » July 30th, 2008, 1:00 pm

Hello and Welcome to the forums!

My name is Carolyn and I'll be glad to help you with your computer problems. HijackThis logs can take some time to research, so please be patient with me. I know that you need your computer working as quickly as possible, and I will work hard to help see that it happens.

Please do not run any other tool untill instructed to do so!
Please reply to this thread, do not start another!
Please tell me about any problems that have occurred during the fix.
Please tell me of any other symptoms you may be having as these can help also.
Please try as much as possible not to run anything while executing a fix.


If you follow these instructions, everything should go smoothly.

I am currently looking at your log now and will be back as soon as possible with your instructions.
User avatar
Carolyn
MRU Emeritus
MRU Emeritus
 
Posts: 4701
Joined: April 18th, 2007, 9:36 am
Location: Maine

Re: Problem with virus Trojan.win32.patched.bb

Unread postby Carolyn » July 30th, 2008, 3:02 pm

Hello,

Please download Malwarebytes' Anti-Malware and save it to a convenient location.
  1. Double click on mbam-setup.exe to install it.
  2. Before clicking the Finish button, make sure that these 2 boxes are checked (ticked):
      Update Malwarebytes' Anti-Malware
      Launch Malwarebytes' Anti-Malware
  3. Malwarebytes' Anti-Malware will now check for updates. If your firewall prompts, please allow it. If you can't update it, select the Update tab. Under Update Mirror, select one of the websites and click on Check for Updates.
  4. Select the Scanner tab. Click on Perform full scan, then click on Scan.
  5. Leave the default options as it is and click on Start Scan.
  6. When done, you will be prompted. Click OK, then click on Show Results.
  7. Checked (ticked) all items and click on Remove Selected.
  8. After it has removed the items, Notepad will open. Please post this log in your next reply. You can also find the log in the Logs tab. The bottom most log is the latest.


Download and Run ComboFix (by sUBs)

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper.


We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please ensure you read this guide carefully and install the Recovery Console first.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:

  1. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.


  2. Click Yes to allow ComboFix to continue scanning for malware.

When the tool is finished, it will produce a report for you. Please post this log in your next reply.

Make a uninstall list using HijackThis
To access the Uninstall Manager you would do the following:
  • Start HijackThis
  • Click on the Open the Misc tool section button
  • Click on the Misc Tools button
  • Click on the Open Uninstall Manager button.

You will see a list with the programs installed in your computer.
Click on save list button and specify where you would like to save this file.
When you press Save button a notepad will open with the contents of that file.
Simply copy and paste the contents of that notepad into your next post.


Please include the following reports for further review, and so we may continue cleansing the system:
  1. The Malwarebytes' Anti-malware log
  2. C:\ComboFix.txt
  3. The HijackThis Uninstall List
  4. And a new HijackThis log.
User avatar
Carolyn
MRU Emeritus
MRU Emeritus
 
Posts: 4701
Joined: April 18th, 2007, 9:36 am
Location: Maine

Re: Problem with virus Trojan.win32.patched.bb

Unread postby pepemarix » July 31st, 2008, 11:24 am

Dear Caroline:

Thank you very much for your help.

I could wait until the somobody's answer, so I got to solve the problem for my self. I am a Information Technolgy Teacher in Spain, so I have some knowdlage about. I was reading docen of post about my problem and more or less i got the information from here.

Anyway i followed the same step that you told me, I downloaded Malware and ComboFix, The first one solved the most of the litte problem with some trojan and the second one got to delete the user32.dll file

For a moment, I was worry about my PC because, as I suspected, When I deleted this file my PC didn't reboot properly but I solved this problem with the Repair tool of my CD of Windows XP.

I checked my PC several times with Kaspersky Online and Malware and all the Report was satisficed without any virus or any malware. I also clean my PC with CCleaner.

So, in this moment I think the problem was solved and my PC is establed. Anyway I send you my last Hyjack report and I will follow your advice if you think I have to do any thing else.

Thank you again
José

-----------------------------------------------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:21, on 2008-07-31
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Archivos de programa\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Archivos de programa\Java\jre1.6.0_07\bin\jusched.exe
C:\Archivos de programa\Ahead\InCD\InCD.exe
C:\WINDOWS\System32\LVCOMSX.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Archivos de programa\QuickTime\qttask.exe
C:\Archivos de programa\iTunes\iTunesHelper.exe
C:\Archivos de programa\Archivos comunes\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\System32\DrvMon.exe
C:\Archivos de programa\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Archivos de programa\Microsoft ActiveSync\wcescomm.exe
C:\Archivos de programa\Google\Google Updater\GoogleUpdater.exe
C:\ARCHIV~1\MICROS~4\rapimgr.exe
C:\Archivos de programa\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Archivos de programa\Archivos comunes\Ulead Systems\DVD\ULCDRSvr.exe
C:\Archivos de programa\iPod\bin\iPodService.exe
C:\Archivos de programa\MSN Messenger\msnmsgr.exe
C:\Archivos de programa\Internet Explorer\iexplore.exe
C:\Archivos de programa\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.es/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
O2 - BHO: Aplicación auxiliar de vínculos de Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Archivos de programa\Archivos comunes\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Archivos de programa\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Archivos de programa\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Archivos de programa\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Archivos de programa\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\System32\LVCOMSX.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Archivos de programa\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Archivos de programa\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Archivos de programa\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Archivos de programa\Archivos comunes\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [UVS10 Preload] C:\Archivos de programa\Ulead Systems\Ulead VideoStudio 10\uvPL.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [KAVPersonal50] C:\Archivos de programa\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe /minimize
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Archivos de programa\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [DrvMon.exe] C:\WINDOWS\System32\DrvMon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Archivos de programa\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Archivos de programa\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Archivos de programa\Microsoft ActiveSync\wcescomm.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVICIO LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Servicio de red')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Archivos de programa\Archivos comunes\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Google Updater.lnk = C:\Archivos de programa\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Archivos de programa\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\ARCHIV~1\MIF269~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Consola de Sun Java - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\ARCHIV~1\MICROS~4\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\ARCHIV~1\MICROS~4\INetRepl.dll
O9 - Extra 'Tools' menuitem: Crear un favorito móvil... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\ARCHIV~1\MICROS~4\INetRepl.dll
O9 - Extra button: Xanadu - {5CC384BB-1326-11D5-F4AE-00C04923F885} - C:\Archivos de programa\Foreignword\Xanadu\XanaduLaunch.exe
O9 - Extra button: Referencia - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARCHIV~1\MIF269~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/spanish/ka ... nicode.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 0935060921
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/softwa ... Plugin.cab
O23 - Service: Google Updater Service (gusvc) - Google - C:\Archivos de programa\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Archivos de programa\Archivos comunes\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Archivos de programa\Ahead\InCD\InCDsrv.exe
O23 - Service: InCD Helper (read only) (InCDsrvR) - Ahead Software AG - C:\Archivos de programa\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Archivos de programa\iPod\bin\iPodService.exe
O23 - Service: kavsvc - Kaspersky Lab - C:\Archivos de programa\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
O23 - Service: Microsoft File Mapping Service (mshlpkd) - Unknown owner - C:\WINDOWS\system32\mshlp.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Archivos de programa\Archivos comunes\Ulead Systems\DVD\ULCDRSvr.exe

--
End of file - 8068 bytes
pepemarix
Regular Member
 
Posts: 17
Joined: July 27th, 2008, 9:28 am

Re: Problem with virus Trojan.win32.patched.bb

Unread postby Carolyn » July 31st, 2008, 1:16 pm

Thank you for posting the HijackThis log. I'll take a look at it.

Would you mind posting the ComboFix log as well? I would like to see it too. :)
User avatar
Carolyn
MRU Emeritus
MRU Emeritus
 
Posts: 4701
Joined: April 18th, 2007, 9:36 am
Location: Maine

Re: Problem with virus Trojan.win32.patched.bb

Unread postby pepemarix » July 31st, 2008, 1:53 pm

Dear Carolyn:

As i told you, after use combofix, I had to repair with my Windows XP CD, i was looking for this combofix.log and I could find it. As I read in one of your forum, i unistall Combofix with Hijack after use it, so that now I don't know where this log file is.

what do you think i have to do? to run combofix again?
I will wait until you answer me

Thanks
Jose Maria González
pepemarix
Regular Member
 
Posts: 17
Joined: July 27th, 2008, 9:28 am

Re: Problem with virus Trojan.win32.patched.bb

Unread postby Carolyn » July 31st, 2008, 3:52 pm

Hi Jose,

If you deleted ComboFix by using the "/u" command line switch, then the log file was deleted along with the program.

Download Deckard's System Scanner (DSS) to your Desktop. Note: You must be logged onto an account with administrator privileges.
  1. Close all applications and windows.
  2. Double-click on dss.exe to run it, and follow the prompts.
  3. When the scan is complete, two text files will open - main.txt <- this one will be maximized and extra.txt<-this one will be minimized
  4. Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of main.txt and the extra.txt in your reply.
User avatar
Carolyn
MRU Emeritus
MRU Emeritus
 
Posts: 4701
Joined: April 18th, 2007, 9:36 am
Location: Maine

Re: Problem with virus Trojan.win32.patched.bb

Unread postby pepemarix » August 1st, 2008, 11:00 am

Dear Carolyne:

As you told me I downloaded DSS software and I show the two log. I passed again malwarebyte and I also show you the log. Thank you very much, I will continue following your advices.

Some of the results appeared in Spanish, If you need any translation, please, tell me

1.- MAIN.TXT

Deckard's System Scanner v20071014.68
Run by JOSEMARI on 2008-08-01 16:39:32
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 4 Restore Point(s) --
4: 2008-08-01 14:39:55 UTC - RP10 - Deckard's System Scanner Restore Point
3: 2008-08-01 14:15:03 UTC - RP9 - Software Distribution Service 3.0
2: 2008-07-31 22:08:43 UTC - RP8 - Software Distribution Service 3.0
1: 2008-07-31 19:00:38 UTC - RP7 - Software Distribution Service 3.0


Backed up registry hives.
Performed disk cleanup.

System Drive C: has 0.89 GiB (less than 15%) free.


-- HijackThis (run as JOSEMARI.exe) --------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:41, on 2008-08-01
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Archivos de programa\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Archivos de programa\Java\jre1.6.0_07\bin\jusched.exe
C:\Archivos de programa\Ahead\InCD\InCD.exe
C:\WINDOWS\System32\LVCOMSX.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Archivos de programa\QuickTime\qttask.exe
C:\Archivos de programa\iTunes\iTunesHelper.exe
C:\Archivos de programa\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Archivos de programa\Archivos comunes\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\System32\DrvMon.exe
C:\Archivos de programa\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Archivos de programa\Microsoft ActiveSync\wcescomm.exe
C:\Archivos de programa\Google\Google Updater\GoogleUpdater.exe
C:\ARCHIV~1\MICROS~4\rapimgr.exe
C:\Archivos de programa\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Archivos de programa\Archivos comunes\Ulead Systems\DVD\ULCDRSvr.exe
C:\Archivos de programa\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\JOSEMARI\Escritorio\Nuevos Programas Bajados\dss\dss.exe
C:\ARCHIV~1\TRENDM~1\HIJACK~1\JOSEMARI.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.es/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
O2 - BHO: Aplicación auxiliar de vínculos de Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Archivos de programa\Archivos comunes\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Archivos de programa\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Archivos de programa\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Archivos de programa\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Archivos de programa\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\System32\LVCOMSX.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Archivos de programa\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Archivos de programa\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Archivos de programa\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Archivos de programa\Archivos comunes\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [UVS10 Preload] C:\Archivos de programa\Ulead Systems\Ulead VideoStudio 10\uvPL.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [KAVPersonal50] C:\Archivos de programa\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe /minimize
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Archivos de programa\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [DrvMon.exe] C:\WINDOWS\System32\DrvMon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Archivos de programa\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Archivos de programa\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Archivos de programa\Microsoft ActiveSync\wcescomm.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVICIO LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Servicio de red')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Archivos de programa\Archivos comunes\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Google Updater.lnk = C:\Archivos de programa\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Archivos de programa\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\ARCHIV~1\MIF269~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Consola de Sun Java - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\ARCHIV~1\MICROS~4\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\ARCHIV~1\MICROS~4\INetRepl.dll
O9 - Extra 'Tools' menuitem: Crear un favorito móvil... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\ARCHIV~1\MICROS~4\INetRepl.dll
O9 - Extra button: Xanadu - {5CC384BB-1326-11D5-F4AE-00C04923F885} - C:\Archivos de programa\Foreignword\Xanadu\XanaduLaunch.exe
O9 - Extra button: Referencia - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARCHIV~1\MIF269~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/spanish/ka ... nicode.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 0935060921
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/softwa ... Plugin.cab
O23 - Service: Google Updater Service (gusvc) - Google - C:\Archivos de programa\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Archivos de programa\Archivos comunes\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Archivos de programa\Ahead\InCD\InCDsrv.exe
O23 - Service: InCD Helper (read only) (InCDsrvR) - Ahead Software AG - C:\Archivos de programa\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Archivos de programa\iPod\bin\iPodService.exe
O23 - Service: kavsvc - Kaspersky Lab - C:\Archivos de programa\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
O23 - Service: Microsoft File Mapping Service (mshlpkd) - Unknown owner - C:\WINDOWS\system32\mshlp.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Archivos de programa\Archivos comunes\Ulead Systems\DVD\ULCDRSvr.exe

--
End of file - 8122 bytes

-- File Associations -----------------------------------------------------------

.reg - regfile - shell\open\command - regedit.exe "%1" %*
.scr - scrfile - shell\open\command - "%1" %*


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 Klmc - c:\windows\system32\drivers\klmc.sys <Not Verified; Kaspersky Lab; Kaspersky Anti-Virus Personal>
R3 Pfc (Padus ASPI Shell) - c:\windows\system32\drivers\pfc.sys <Not Verified; Padus, Inc.; Padus(R) ASPI Shell>

S1 4200a86b - c:\windows\system32\drivers\4200a86b.sys
S3 catchme - c:\combofix\catchme.sys (file missing)
S3 GMSIPCI - e:\install\gmsipci.sys (file missing)
S3 NTACCESS - e:\ntaccess.sys (file missing)
S3 pfsvgae - c:\docume~1\josemari\config~1\temp\pfsvgae.sys (file missing)
S3 SetupNTGLM7X - e:\ntglm7x.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 kavsvc - c:\archivos de programa\kaspersky lab\kaspersky anti-virus personal\kavsvc.exe <Not Verified; Kaspersky Lab; Kaspersky Anti-Virus Personal>

S2 mshlpkd (Microsoft File Mapping Service) - c:\windows\system32\mshlp.exe
S2 NOBICYT (NOBICYT Service) -


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Files created between 2008-07-01 and 2008-08-01 -----------------------------

2008-08-01 15:45:18 61440 --a------ C:\WINDOWS\system32\msdcb.exe
2008-08-01 12:01:18 0 d-------- C:\WINDOWS\system32\NtmsData
2008-07-31 17:25:52 0 dr-h----- C:\Documents and Settings\JOSEMARI\Recent
2008-07-30 15:03:42 0 d-------- C:\WINDOWS\Prefetch
2008-07-30 14:14:17 53248 --a------ C:\WINDOWS\PSEXESVC.EXE <Not Verified; Sysinternals; Sysinternals PsExec>
2008-07-30 14:08:45 68096 --a------ C:\WINDOWS\zip.exe
2008-07-30 14:08:45 49152 --a------ C:\WINDOWS\VFind.exe
2008-07-30 14:08:45 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-07-30 14:08:45 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-07-30 14:08:45 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-07-30 14:08:45 98816 --a------ C:\WINDOWS\sed.exe
2008-07-30 14:08:45 80412 --a------ C:\WINDOWS\grep.exe
2008-07-30 14:08:45 89504 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-07-30 11:43:16 0 dr-hs---- C:\cmdcons
2008-07-30 11:43:14 0 d-------- C:\WINDOWS\setup.pss
2008-07-30 11:42:55 0 d-------- C:\WINDOWS\setupupd
2008-07-29 11:30:23 0 d-------- C:\Archivos de programa\Any Video Converter
2008-07-27 16:14:40 0 d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-07-25 22:45:45 0 d-------- C:\Archivos de programa\Trend Micro
2008-07-25 21:17:10 0 d-------- C:\Archivos de programa\Malwarebytes' Anti-Malware
2008-07-25 16:48:09 2 --a------ C:\-1072858546
2008-07-25 16:48:03 0 --a------ C:\WINDOWS\system32\drivers\4200a86b.sys
2008-07-24 11:21:16 0 d-------- C:\Archivos de programa\RM Converter
2008-07-24 11:01:16 0 d-------- C:\Archivos de programa\AviSynth 2.5
2008-07-24 11:01:01 0 d-------- C:\Archivos de programa\AML Products
2008-07-17 21:31:12 0 d-------- C:\Archivos de programa\Free PDF to Word Doc Converter
2008-07-08 18:48:51 0 d-------- C:\DVDVideoSoft
2008-07-08 14:33:40 0 d-------- C:\Archivos de programa\GeoVid
2008-07-08 13:09:00 0 d-------- C:\SmartSound Software
2008-07-08 13:08:24 0 d-------- C:\Archivos de programa\SmartSound Software
2008-07-08 13:06:40 0 d-------- C:\Archivos de programa\Windows Media Components
2008-07-08 13:03:07 0 d-------- C:\Archivos de programa\Archivos comunes\Ulead Systems
2008-07-08 13:02:56 0 d-------- C:\Archivos de programa\Ulead Systems
2008-07-08 11:19:16 45056 --a------ C:\WINDOWS\system32\vusetup.dll


-- Find3M Report ---------------------------------------------------------------

2008-07-30 15:07:20 363688 --a------ C:\WINDOWS\system32\perfh00A.dat
2008-07-30 15:07:20 51900 --a------ C:\WINDOWS\system32\perfc00A.dat
2008-07-30 14:53:33 23080 --a------ C:\WINDOWS\system32\emptyregdb.dat
2008-07-30 14:12:19 0 d-------- C:\Archivos de programa\Archivos comunes
2008-07-29 12:31:42 0 d-------- C:\Documents and Settings\JOSEMARI\Datos de programa\Any Video Converter
2008-07-25 21:22:39 0 d-------- C:\Documents and Settings\JOSEMARI\Datos de programa\Malwarebytes
2008-07-24 11:04:10 0 d-------- C:\Documents and Settings\JOSEMARI\Datos de programa\Media Player Classic
2008-07-24 00:09:38 0 d-------- C:\Archivos de programa\Java
2008-07-23 00:20:24 0 d-------- C:\Archivos de programa\eMule
2008-07-22 23:48:42 0 d-------- C:\Archivos de programa\Cool2000
2008-07-21 16:38:39 0 d-------- C:\Documents and Settings\JOSEMARI\Datos de programa\Canon
2008-07-08 18:48:30 0 d-------- C:\Archivos de programa\Archivos comunes\DVDVideoSoft
2008-07-08 18:48:16 0 d-------- C:\Archivos de programa\DVDVideoSoft
2008-07-08 15:45:40 0 d-------- C:\Documents and Settings\JOSEMARI\Datos de programa\Ulead Systems
2008-07-08 13:09:08 0 d--h----- C:\Archivos de programa\InstallShield Installation Information
2008-07-08 13:02:55 0 d-------- C:\Archivos de programa\Archivos comunes\InstallShield
2008-07-04 16:34:23 0 d-------- C:\Archivos de programa\Windows Live Safety Center
2008-06-23 16:51:22 0 d-------- C:\Archivos de programa\Archivos comunes\xing shared
2008-06-23 16:50:47 0 d-------- C:\Archivos de programa\Archivos comunes\Real
2008-06-11 17:19:49 0 d-------- C:\Archivos de programa\CCleaner
2008-06-06 17:28:28 0 d-------- C:\Archivos de programa\SPYWAREfighter
2008-06-06 17:18:28 0 d-------- C:\Archivos de programa\Enigma Software Group
2008-06-06 16:52:55 0 d-------- C:\Archivos de programa\Microsoft AntiSpyware
2008-06-05 20:50:21 0 d-------- C:\Archivos de programa\Kaspersky Lab


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Archivos de programa\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50]
"InCD"="C:\Archivos de programa\Ahead\InCD\InCD.exe" [2004-09-13 11:51]
"LVCOMSX"="C:\WINDOWS\System32\LVCOMSX.EXE" [2005-07-19 17:32]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-10-22 12:22]
"SiSUSBRG"="C:\WINDOWS\SiSUSBrg.exe" [2002-02-21 04:01]
"SoundMan"="SOUNDMAN.EXE" [2002-03-21 04:23 C:\WINDOWS\SOUNDMAN.EXE]
"QuickTime Task"="C:\Archivos de programa\QuickTime\qttask.exe" [2006-10-25 19:58]
"iTunesHelper"="C:\Archivos de programa\iTunes\iTunesHelper.exe" [2006-10-30 10:36]
"Adobe Reader Speed Launcher"="C:\Archivos de programa\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16]
"TkBellExe"="C:\Archivos de programa\Archivos comunes\Real\Update_OB\realsched.exe" [2008-06-23 16:49]
"UVS10 Preload"="C:\Archivos de programa\Ulead Systems\Ulead VideoStudio 10\uvPL.exe" [2006-05-17 14:23]
"nwiz"="nwiz.exe" [2006-10-22 12:22 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-10-22 13:22]
"KAVPersonal50"="C:\Archivos de programa\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe" [2004-10-07 11:51]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LogitechSoftwareUpdate"="C:\Archivos de programa\Logitech\Video\ManifestEngine.exe" [2005-06-08 14:44]
"DrvMon.exe"="C:\WINDOWS\System32\DrvMon.exe" [2004-09-10 04:16]
"MSMSGS"="C:\Archivos de programa\Messenger\msmsgs.exe" [2004-10-13 18:24]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-19 15:42]
"swg"="C:\Archivos de programa\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-08-29 19:09]
"H/PC Connection Agent"="C:\Archivos de programa\Microsoft ActiveSync\wcescomm.exe" [2006-06-26 23:18]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"tscuninstall"=%systemroot%\system32\tscupgrd.exe

C:\Documents and Settings\All Users\Men£ Inicio\Programas\Inicio\
Adobe Gamma Loader.lnk - C:\Archivos de programa\Archivos comunes\Adobe\Calibration\Adobe Gamma Loader.exe [2006-10-15 21:24:15]
Google Updater.lnk - C:\Archivos de programa\Google\Google Updater\GoogleUpdater.exe [2007-08-29 19:08:57]
Microsoft Office.lnk - C:\Archivos de programa\Microsoft Office\Office\OSA9.EXE [1999-02-17 22:05:56]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\system]
"disableregistrytools"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoViewOnDrive"=0 (0x0)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\PSEXESVC]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menú Inicio^Programas^Inicio^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Menú Inicio\Programas\Inicio\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menú Inicio^Programas^Inicio^InterVideo WinCinema Manager.lnk]
path=C:\Documents and Settings\All Users\Menú Inicio\Programas\Inicio\InterVideo WinCinema Manager.lnk
backup=C:\WINDOWS\pss\InterVideo WinCinema Manager.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HbTools]
C:\Archivos de programa\HbTools\Bin\4.8.2.0\HbtOEAddOn.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
C:\Archivos de programa\HP\HP Software Update\HPWuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechVideoRepair]
C:\Archivos de programa\Logitech\Video\ISStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechVideoTray]
C:\Archivos de programa\Logitech\Video\LogiTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Archivos de programa\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
SOUNDMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SystemDoctor 2006 Free]
C:\Archivos de programa\SystemDoctor 2006 Free\sd2006.exe -scan

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\usdr6cw]
C:\Archivos de programa\SystemDoctor 2006 Free\usdr6cw.exe -c

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WeatherOnTray]
C:\Archivos de programa\HbTools\Bin\4.8.2.0\HbtWeatherOnTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Xanadu]
C:\Archivos de programa\Foreignword\Xanadu\Xanadu.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"SPYWAREfighterRP"=3 (0x3)
"kavsvc"=2 (0x2)


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{139f6f67-9b2c-11db-898d-00c0dff5cee3}]
AutoRun\command- G:\loader.exe




-- End of Deckard's System Scanner: finished at 2008-08-01 16:42:31 ------------



--------------------------------------------------------------------------------------





2.- EXTRA.TXT


Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: Spanish

CPU 0: Intel(R) Pentium(R) 4 CPU 2.00GHz
Percentage of Memory in Use: 65%
Physical Memory (total/avail): 511.48 MiB / 177.5 MiB
Pagefile Memory (total/avail): 1250.23 MiB / 981.81 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1942.17 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 19.53 GiB total, 0.87 GiB free.
D: is Fixed (NTFS) - 12.84 GiB total, 9.21 GiB free.
E: is CDROM (No Media)
F: is CDROM (No Media)

\\.\PHYSICALDRIVE0 - ST340810A - 37.27 GiB - 4 partitions
\PARTITION0 (bootable) - Sistema de archivos instalables - 19.53 GiB - C:
\PARTITION1 - Unknown - 517.72 MiB
\PARTITION2 - Unknown - 4.39 GiB
\PARTITION3 - Extendido con Inter. 13 extendida - 12.84 GiB - D:



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is enabled.

FirstRunDisabled is set.

AV: Kaspersky Anti-Virus Personal v5.0.156 (Kaspersky Labs)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Archivos de programa\\Microsoft ActiveSync\\rapimgr.exe"="C:\\Archivos de programa\\Microsoft ActiveSync\\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager"
"C:\\Archivos de programa\\Microsoft ActiveSync\\wcescomm.exe"="C:\\Archivos de programa\\Microsoft ActiveSync\\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager"
"C:\\Archivos de programa\\Microsoft ActiveSync\\WCESMgr.exe"="C:\\Archivos de programa\\Microsoft ActiveSync\\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application"
"C:\\Archivos de programa\\MSN Messenger\\msncall.exe"="C:\\Archivos de programa\\MSN Messenger\\msncall.exe:*:Enabled:Windows Live Messenger 8.0 (Phone)"
"C:\\Archivos de programa\\MSN Messenger\\msnmsgr.exe"="C:\\Archivos de programa\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Archivos de programa\\MSN Messenger\\livecall.exe"="C:\\Archivos de programa\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Archivos de programa\\Microsoft ActiveSync\\rapimgr.exe"="C:\\Archivos de programa\\Microsoft ActiveSync\\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager"
"C:\\Archivos de programa\\Microsoft ActiveSync\\wcescomm.exe"="C:\\Archivos de programa\\Microsoft ActiveSync\\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager"
"C:\\Archivos de programa\\Microsoft ActiveSync\\WCESMgr.exe"="C:\\Archivos de programa\\Microsoft ActiveSync\\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application"
"C:\\Archivos de programa\\MSN Messenger\\msncall.exe"="C:\\Archivos de programa\\MSN Messenger\\msncall.exe:*:Enabled:Windows Live Messenger 8.0 (Phone)"
"C:\\CS1.6 pod-Bot\\hl.exe"="C:\\CS1.6 pod-Bot\\hl.exe:*:Enabled:Half-Life Launcher"
"C:\\Archivos de programa\\eMule\\emule.exe"="C:\\Archivos de programa\\eMule\\emule.exe:*:Enabled:eMule"
"C:\\Archivos de programa\\iTunes\\iTunes.exe"="C:\\Archivos de programa\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Archivos de programa\\Kaspersky Lab\\Kaspersky Anti-Virus 6.0\\avp.exe"="C:\\Archivos de programa\\Kaspersky Lab\\Kaspersky Anti-Virus 6.0\\avp.exe:*:Enabled:Kaspersky Anti-Virus"
"C:\\Documents and Settings\\JOSEMARI\\Configuración local\\Temp\\Rar$EX07.531\\paswordmsnrecovery.exe"="C:\\Documents and Settings\\JOSEMARI\\Configuración local\\Temp\\Rar$EX07.531\\paswordmsnrecovery.exe:*:Enabled:paswordmsnrecovery"
"C:\\Archivos de programa\\MSN Messenger\\msnmsgr.exe"="C:\\Archivos de programa\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Archivos de programa\\MSN Messenger\\livecall.exe"="C:\\Archivos de programa\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"C:\\CS1.6 pod-Bot\\hltv.exe"="C:\\CS1.6 pod-Bot\\hltv.exe:*:Disabled:HLTV Launcher"
"C:\\Archivos de programa\\Google\\Google Talk\\googletalk.exe"="C:\\Archivos de programa\\Google\\Google Talk\\googletalk.exe:*:Enabled:Google Talk"
"C:\\Archivos de programa\\mIRC\\mirc.exe"="C:\\Archivos de programa\\mIRC\\mirc.exe:*:Enabled:mIRC"
"C:\\WINDOWS\\PCHEALTH\\HELPCTR\\Binaries\\HelpCtr.exe"="C:\\WINDOWS\\PCHEALTH\\HELPCTR\\Binaries\\HelpCtr.exe:*:Enabled:Asistencia remota - Windows Messenger and Voice"
"C:\\Archivos de programa\\Kaspersky Lab\\Kaspersky Anti-Virus Personal\\kavsvc.exe"="C:\\Archivos de programa\\Kaspersky Lab\\Kaspersky Anti-Virus Personal\\kavsvc.exe:*:Enabled:Kaspersky Anti-Virus Service"
"C:\\WINDOWS\\system32\\winver.exe"="C:\\WINDOWS\\system32\\winver.exe:*:Enabled:winver"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\JOSEMARI\Datos de programa
BitRock=1
CLASSPATH=.;C:\Archivos de programa\Java\jre1.5.0_11\lib\ext\QTJava.zip
CLIENTNAME=Console
CommonProgramFiles=C:\Archivos de programa\Archivos comunes
COMPUTERNAME=PC-JOSE
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\JOSEMARI
LOGONSERVER=\\PC-JOSE
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\WBEM;C:\Archivos de programa\QuickTime\QTSystem;C:\Archivos de programa\Archivos comunes\Ulead Systems\MPEG
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 2 Stepping 4, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0204
ProgramFiles=C:\Archivos de programa
PROMPT=$P$G
QTJAVA=C:\Archivos de programa\Java\jre1.5.0_11\lib\ext\QTJava.zip
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\JOSEMARI\CONFIG~1\Temp
TMP=C:\DOCUME~1\JOSEMARI\CONFIG~1\Temp
USERDOMAIN=PC-JOSE
USERNAME=JOSEMARI
USERPROFILE=C:\Documents and Settings\JOSEMARI
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

JOSEMARI (admin)
Administrador (new local, admin)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\Archivos de programa\Ahead\nero\uninstall\UNNERO.exe /UNINSTALL
--> C:\Archivos de programa\Archivos comunes\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
--> C:\WINDOWS\NuNInst.exe /UNINSTALL
--> C:\WINDOWS\unmrw.exe /UNINSTALL
--> C:\WINDOWS\UNNeroVision.exe /UNINSTALL
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Adobe Acrobat 5.0 --> C:\WINDOWS\ISUNINST.EXE -f"C:\Archivos de programa\Archivos comunes\Adobe\Acrobat 5.0\NT\Uninst.isu" -c"C:\Archivos de programa\Archivos comunes\Adobe\Acrobat 5.0\NT\Uninst.dll"
Adobe Acrobat and Reader 8.1.2 Security Update 1 (KB403742) --> MsiExec.exe /X{6846389C-BAC0-4374-808E-B120F86AF5D7}
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Photoshop 7.0 --> C:\WINDOWS\ISUN040A.EXE -f"C:\Archivos de programa\Adobe\Photoshop 7.0\Uninst.isu" -c"C:\Archivos de programa\Adobe\Photoshop 7.0\Uninst.dll"
Adobe Reader 8.1.2 - Español --> MsiExec.exe /I{AC76BA86-7AD7-1034-7B44-A81200000003}
Adobe Reader 8.1.2 Security Update 1 (KB403742) -->
Adobe Shockwave Player --> C:\WINDOWS\system32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~1\Install.log
Analizador y SDK de Microsoft XML --> MsiExec.exe /I{3E908702-AF35-4611-9518-955DA24B7E07}
AnvSoft Video to 3GP Converter 1.10 --> "C:\Archivos de programa\AnvSoft\Video to 3GP Converter\unins000.exe"
Any Video Converter 2.6.2 --> "C:\Archivos de programa\Any Video Converter\unins000.exe"
Asistente para la publicación en Web 1.53 de Microsoft --> RunDll32 ADVPACK.DLL,LaunchINFSection C:\WINDOWS\INF\wpie3x86.inf,WebPostUninstall
Avance AC'97 Audio --> RunDll32 C:\ARCHIV~1\ARCHIV~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Archivos de programa\InstallShield Installation Information\{FB08F381-6533-4108-B7DD-039E11FBC27E}\setup.exe" REMOVE
BenQ QVideo --> "C:\Archivos de programa\InstallShield Installation Information\{0B168FED-B9EC-4DA8-AC17-9A41F284640B}\setup.exe" REMOVEALL
CamStudio --> C:\Archivos de programa\CamStudio\uninstall.exe
CCleaner (remove only) --> "C:\Archivos de programa\CCleaner\uninst.exe"
Compresor WinRAR --> C:\Archivos de programa\WinRAR\uninstall.exe
Controlador de Logitech® Camera --> "C:\Archivos de programa\Archivos comunes\Logitech\QCDRV\BIN\SETUP.EXE" UNINSTALL REMOVEPROMPT
Cool Edit 2000 --> C:\Archivos de programa\Cool2000\ce2Kunin.exe
Counter Strike 1.6 - By PirocaHP.F!N4LShare --> C:\WINDOWS\unvise32.exe C:\CS1.6 pod-Bot\uninstal_cs.log
Counter Strike 1.6 - Pack 112 Mapas - By PirocaHP F!N4LShare --> C:\WINDOWS\unvise32.exe C:\CS1.6 pod-Bot\uninstal_map.log
CuteFTP 6 Professional --> C:\ARCHIV~1\ARCHIV~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{AB18B0BA-A08F-48B8-8D0E-AA9DDDCA22EA}
Dialang V1 Beta --> RunDll32 C:\ARCHIV~1\ARCHIV~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Archivos de programa\InstallShield Installation Information\{97DF4674-AB43-11D5-91C9-005004F84FA1}\Setup.exe" -l0xa
eMule --> "C:\Archivos de programa\eMule\Uninstall.exe"
Enable S3 for USB Device --> C:\WINDOWS\IsUninst.exe -f"C:\Archivos de programa\Gigabyte\Enable S3 for USB Device\Uninst.isu"
Express Rip --> C:\Archivos de programa\NCH Swift Sound\ExpressRip\uninst.exe
FLV Player 1.3.3 --> "C:\Archivos de programa\FLVPlayer\uninstall.exe"
FPAdjust --> C:\WINDOWS\IsUninst.exe -f"C:\Archivos de programa\Flat Panel Adjust\Uninst.isu"
Free 3GP Video Converter version 2.4 --> "C:\Archivos de programa\DVDVideoSoft\Free 3GP Video Converter\unins000.exe"
Free PDF to Word Doc Converter v1.1 --> "C:\Archivos de programa\Free PDF to Word Doc Converter\unins000.exe"
Free Video to Mp3 Converter version 3.1 --> "C:\Archivos de programa\DVDVideoSoft\Free Video to Mp3 Converter\unins000.exe"
Google Earth --> MsiExec.exe /I{1E04F83B-2AB9-4301-9EF7-E86307F79C72}
Google Talk (remove only) --> "C:\Archivos de programa\Google\Google Talk\uninstall.exe"
Google Updater --> "C:\Archivos de programa\Google\Google Updater\GoogleUpdater.exe" -uninstall
HijackThis 2.0.2 --> "C:\Archivos de programa\Trend Micro\HijackThis\HijackThis.exe" /uninstall
HP Deskjet 3900 series --> C:\Archivos de programa\HP\Digital Imaging\{3819891A-030B-4a4e-98ED-B28A649E48AB}\setup\hpzscr01.exe -datfile hpfscr05.dat
HP Imaging Device Functions 5.0 --> C:\Archivos de programa\HP\Digital Imaging\DigitalImagingMonitor\hpzscr01.exe -datfile hpqbud01.dat
HP Software Update --> MsiExec.exe /X{15EE79F4-4ED1-4267-9B0F-351009325D7D}
HP Solution Center & Imaging Support Tools 5.0 --> C:\Archivos de programa\HP\Digital Imaging\eSupport\hpzscr01.exe -datfile hpqbud05.dat
iTunes --> MsiExec.exe /I{446DBFFA-4088-48E3-8932-74316BA4CAE4}
J2SE Runtime Environment 5.0 Update 10 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150100}
J2SE Runtime Environment 5.0 Update 11 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150110}
J2SE Runtime Environment 5.0 Update 6 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150060}
Java(TM) 6 Update 2 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160020}
Java(TM) 6 Update 3 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160030}
Java(TM) 6 Update 5 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160050}
Java(TM) 6 Update 7 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160070}
Java(TM) SE Runtime Environment 6 Update 1 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160010}
Kaspersky Anti-Virus Personal --> "C:\Archivos de programa\Kaspersky Lab\Kaspersky Anti-Virus Personal\uninstall.exe"
Kaspersky Online Scanner --> C:\WINDOWS\system32\KASPER~1\KASPER~1\kavuninstall.exe
Malwarebytes' Anti-Malware --> "C:\Archivos de programa\Malwarebytes' Anti-Malware\unins002.exe"
Messenger Plus! Live --> "C:\Archivos de programa\Messenger Plus! Live\Uninstall.exe"
Microsoft ActiveSync 4.0 --> MsiExec.exe /I{B208806F-A231-4FA0-AB3F-5C1B8979223E}
Microsoft Data Access Components KB870669 --> C:\WINDOWS\muninst.exe C:\WINDOWS\INF\KB870669.inf
Microsoft Office 2000 Premium --> MsiExec.exe /I{00000C0A-78E1-11D2-B60F-006097C998E7}
Microsoft Office Professional Edition 2003 --> MsiExec.exe /I{90110C0A-6000-11D3-8CFE-0150048383C9}
mIRC --> C:\Archivos de programa\mIRC\uninstall.exe _?=C:\Archivos de programa\mIRC
Mozilla Firefox (2.0.0.11) --> C:\Archivos de programa\Mozilla Firefox\uninstall\helper.exe
Nero Suite --> C:\Archivos de programa\Archivos comunes\Ahead\Uninstall\setup.exe /uninstall
NVIDIA Drivers --> C:\WINDOWS\system32\nvudisp.exe UninstallGUI
OpenOffice.org 2.1 --> MsiExec.exe /I{9331086D-3C8C-4AC7-9557-CAA4C97B2519}
Pdf995 --> C:\Archivos de programa\pdf995\setup.exe uninstall
QuickTime --> MsiExec.exe /I{50D8FFDD-90CD-4859-841F-AA1961C7767A}
RealPlayer --> C:\Archivos de programa\Archivos comunes\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
Rhapsody Player Engine --> MsiExec.exe /I{2DFF31F9-7893-4922-AF66-C9A1EB4EBB31}
RTLSetup --> RunDll32 C:\ARCHIV~1\ARCHIV~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Archivos de programa\InstallShield Installation Information\{97AA0C55-AFAD-4126-B21C-F1318FB6DADA}\setup.exe" -l0x9 REMOVE
Sibelius Scorch (ActiveX Only) --> MsiExec.exe /I{C8E4455F-0F70-4DA2-A9F9-2D56C80E10AD}
SmartSound Quicktracks Plugin --> C:\ARCHIV~1\ARCHIV~1\INSTAL~1\Driver\9\INTEL3~1\IDriver.exe /M{4A7FDA4D-F4D7-4A49-934A-066D59A43C7E}
Software Logitech QuickCam --> RunDll32 C:\ARCHIV~1\ARCHIV~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Archivos de programa\InstallShield Installation Information\{C43048A9-742C-4DAD-90D2-E3B53C9DB825}\setup.exe" -l0xa
Sun Java Runtime Environment and JMF --> RunDll32 C:\ARCHIV~1\ARCHIV~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Archivos de programa\InstallShield Installation Information\{FFA98080-B0C6-11D5-91CB-005004F84FA1}\Setup.exe" -l0xa
Ulead VideoStudio 10 --> RunDll32 C:\ARCHIV~1\ARCHIV~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Archivos de programa\InstallShield Installation Information\{E188D820-1218-4E28-8BCA-91134C3664C2}\Setup.exe" -l0x9
Uninstall 1.0.0.1 --> "C:\Archivos de programa\Archivos comunes\DVDVideoSoft\unins000.exe"
WavePad Uninstall --> C:\Archivos de programa\NCH Swift Sound\WavePad\uninst.exe
Windows Live Messenger --> MsiExec.exe /I{1692CC0E-8798-493A-9580-23555E21C14B}
Windows Live OneCare safety scanner --> RunDll32.exe "C:\Archivos de programa\Windows Live Safety Center\wlscCore.dll",UninstallFunction WLSC_SCANNER_PRODUCT
Xanadu --> C:\WINDOWS\unvise32.exe C:\Archivos de programa\Foreignword\Xanadu\uninstal.log
XviD MPEG-4 Codec --> "C:\Archivos de programa\XviD\UninstXviD.exe"


-- Application Event Log -------------------------------------------------------

Event Record #/Type3235 / Error
Event Submitted/Written: 08/01/2008 04:41:54 PM
Event ID/Source: 8 / crypt32
Event Description:
Error en la recuperación de actualización automática del número de secuencia de la lista raíz de terceros de: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> con el error: No se ha podido resolver el nombre de servidor o su dirección

Event Record #/Type3195 / Error
Event Submitted/Written: 07/30/2008 03:42:32 PM
Event ID/Source: 1002 / Application Hang
Event Description:
Aplicación que no responde: msnmsgr.exe, versión 8.1.178.0, módulo que no responde hungapp, versión 0.0.0.0, dirección que no responde 0x00000000.

Event Record #/Type3165 / Warning
Event Submitted/Written: 07/30/2008 02:56:33 PM
Event ID/Source: 4353 / EventSystem
Event Description:
El sistema de sucesos COM+ intentó activar el suceso EventObjectChange::ChangedSubscription, pero recibió un código de retorno erróneo. HRESULT fue 80040201.

Event Record #/Type3164 / Warning
Event Submitted/Written: 07/30/2008 02:56:33 PM
Event ID/Source: 4356 / EventSystem
Event Description:
El sistema de sucesos COM+ no pudo crear una instancia del suscriptor partition:{41E90F3E-56C1-4633-81C3-6E8BAC8BDD70}!new:{D3938AB0-5B9D-11D1-8DD2-00AA004ABD5E}. CoGetObject devolvió como HRESULT 80070422.

Event Record #/Type3163 / Warning
Event Submitted/Written: 07/30/2008 02:56:33 PM
Event ID/Source: 4353 / EventSystem
Event Description:
El sistema de sucesos COM+ intentó activar el suceso EventObjectChange::ChangedSubscription, pero recibió un código de retorno erróneo. HRESULT fue 80040201.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type109532 / Error
Event Submitted/Written: 08/01/2008 04:41:03 PM
Event ID/Source: 1000 / Dhcp
Event Description:
Su equipo ha perdido la concesión de su dirección IP 192.168.100.11 en la
tarjeta de red con dirección de red 00C0DFF5CEE3.

Event Record #/Type109531 / Warning
Event Submitted/Written: 08/01/2008 04:41:03 PM
Event ID/Source: 1003 / Dhcp
Event Description:
Su equipo no pudo renovar su dirección de la red (desde el
servidor DHCP) para la tarjeta de red con dirección de red 00C0DFF5CEE3. Ocurrió el
siguiente error:
%%121.
Su equipo continuará intentando obtener una dirección del
servidor de direcciones de red (DHCP).

Event Record #/Type109518 / Error
Event Submitted/Written: 08/01/2008 04:37:05 PM
Event ID/Source: 1000 / Dhcp
Event Description:
Su equipo ha perdido la concesión de su dirección IP 192.168.100.11 en la
tarjeta de red con dirección de red 00C0DFF5CEE3.

Event Record #/Type109517 / Warning
Event Submitted/Written: 08/01/2008 04:37:05 PM
Event ID/Source: 1003 / Dhcp
Event Description:
Su equipo no pudo renovar su dirección de la red (desde el
servidor DHCP) para la tarjeta de red con dirección de red 00C0DFF5CEE3. Ocurrió el
siguiente error:
%%121.
Su equipo continuará intentando obtener una dirección del
servidor de direcciones de red (DHCP).

Event Record #/Type109506 / Error
Event Submitted/Written: 08/01/2008 04:36:48 PM
Event ID/Source: 7000 / Service Control Manager
Event Description:
El servicio NOBICYT Service no pudo iniciarse debido al siguiente error:
%%3



-- End of Deckard's System Scanner: finished at 2008-08-01 16:42:31 ------------



--------------------------------------------------------------------------------------




3.- Malware bit LOG


Malwarebytes' Anti-Malware 1.23
Versión de la Base de Datos: 992
Windows 5.1.2600 Service Pack 2

16:52:32 2008-08-01
mbam-log-8-1-2008 (16-52-32).txt

Tipo de examen : Examen Rápido
Objetos examinados: 37787
Tiempo transcurrido: 6 minute(s), 27 second(s)

Procesos en Memoria Infectados: 0
Módulos en Memoria Infectados: 0
Claves del Registro Infectadas: 0
Valores del Registro Infectados: 0
Elementos de Datos del Registro Infectados: 0
Carpetas Infectadas: 0
Ficheros Infectados: 0

Procesos en Memoria Infectados:
(No se han detectado elementos maliciosos)

Módulos en Memoria Infectados:
(No se han detectado elementos maliciosos)

Claves del Registro Infectadas:
(No se han detectado elementos maliciosos)

Valores del Registro Infectados:
(No se han detectado elementos maliciosos)

Elementos de Datos del Registro Infectados:
(No se han detectado elementos maliciosos)

Carpetas Infectadas:
(No se han detectado elementos maliciosos)

Ficheros Infectados:
(No se han detectado elementos maliciosos)
pepemarix
Regular Member
 
Posts: 17
Joined: July 27th, 2008, 9:28 am

Re: Problem with virus Trojan.win32.patched.bb

Unread postby Carolyn » August 1st, 2008, 3:29 pm

Hello Jose,

I see several suspicious items in the Deckard's logs that warrant further investigation. Before I do that, I have to ask you to uninstall eMule.


With reference to Malware Removal P2P Programs Policy, please uninstall the following programs before we continue:

  1. Click on Start > Control Panel and double click on Add/Remove Programs.
  2. Locate eMule and click on the Change/Remove button to uninstall it.
  3. Close Add/Remove Programs and Control Panel when done.

Uninstall List

    Make an uninstall list using HijackThis
    To access the Uninstall Manager you would do the following:

    1. Start HijackThis
    2. Click on the Config button
    3. Click on the Misc Tools button
    4. Click on the Open Uninstall Manager button.
    5. Click on the Save list... button and specify where you would like to save this file. When you press Save button a notepad will open with the contents of that file. Simply copy and paste the contents of that notepad here in your next reply.


Please post the HijackThis Uninstall List along with a fresh HijackThis log.
User avatar
Carolyn
MRU Emeritus
MRU Emeritus
 
Posts: 4701
Joined: April 18th, 2007, 9:36 am
Location: Maine

Re: Problem with virus Trojan.win32.patched.bb

Unread postby pepemarix » August 2nd, 2008, 7:07 am

Dear Carolyne:

Here you have the uninstall list from the Hijack

you ask me to uninstall Emule and I did, but you told that in reference to Malware I had to uninstall the follow programas, but you didn't specify any in concret.

So the only program that i finally unistall was Emule.

Thank You,
Josemari

------------------------------------------------------------------------------

Adobe Acrobat 5.0
Adobe Acrobat and Reader 8.1.2 Security Update 1 (KB403742)
Adobe Flash Player ActiveX
Adobe Photoshop 7.0
Adobe Reader 8.1.2 - Español
Adobe Shockwave Player
Analizador y SDK de Microsoft XML
AnvSoft Video to 3GP Converter 1.10
Any Video Converter 2.6.2
Asistente para la publicación en Web 1.53 de Microsoft
Avance AC'97 Audio
BenQ QVideo
CamStudio
CCleaner (remove only)
Compresor WinRAR
Controlador de Logitech® Camera
Cool Edit 2000
Counter Strike 1.6 - By PirocaHP.F!N4LShare
Counter Strike 1.6 - Pack 112 Mapas - By PirocaHP F!N4LShare
CuteFTP 6 Professional
Dialang V1 Beta
Enable S3 for USB Device
Express Rip
FLV Player 1.3.3
FPAdjust
Free 3GP Video Converter version 2.4
Free PDF to Word Doc Converter v1.1
Free Video to Mp3 Converter version 3.1
Google Earth
Google Talk (remove only)
Google Updater
HijackThis 1.99.1
HP Deskjet 3900 series
HP Imaging Device Functions 5.0
HP Software Update
HP Solution Center & Imaging Support Tools 5.0
iTunes
J2SE Runtime Environment 5.0 Update 10
J2SE Runtime Environment 5.0 Update 11
J2SE Runtime Environment 5.0 Update 6
Java(TM) 6 Update 2
Java(TM) 6 Update 3
Java(TM) 6 Update 5
Java(TM) 6 Update 7
Java(TM) SE Runtime Environment 6 Update 1
Kaspersky Anti-Virus Personal
Kaspersky Online Scanner
Malwarebytes' Anti-Malware
Messenger Plus! Live
Microsoft ActiveSync 4.0
Microsoft Data Access Components KB870669
Microsoft Office 2000 Premium
Microsoft Office Professional Edition 2003
mIRC
Mozilla Firefox (2.0.0.11)
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
Nero Suite
NVIDIA Drivers
OpenOffice.org 2.1
Pdf995
QuickTime
RealPlayer
Rhapsody Player Engine
RTLSetup
Sibelius Scorch (ActiveX Only)
SmartSound Quicktracks Plugin
Software Logitech QuickCam
Sun Java Runtime Environment and JMF
Ulead VideoStudio 10
Uninstall 1.0.0.1
WavePad Uninstall
Windows Live Messenger
Windows Live OneCare safety scanner
Xanadu
XviD MPEG-4 Codec
pepemarix
Regular Member
 
Posts: 17
Joined: July 27th, 2008, 9:28 am

Re: Problem with virus Trojan.win32.patched.bb

Unread postby Carolyn » August 2nd, 2008, 5:34 pm

Hello,

Your computer is dangerously low on disk space. The partition with the system needs at least 15% Free Space, or it will bog down and run very slowly.

System Drive C: has 0.89 GiB (less than 15%) free.

Uninstall Old Versions of Java
Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and updates.

  • Go to start > control panel > programs and features.
  • Right click on each instance of:

    J2SE Runtime Environment 5.0 Update 10
    J2SE Runtime Environment 5.0 Update 11
    J2SE Runtime Environment 5.0 Update 6
    Java(TM) 6 Update 2
    Java(TM) 6 Update 3
    Java(TM) 6 Update 5
    Java(TM) SE Runtime Environment 6 Update 1


  • Click Uninstall & then follow the prompts to remove it.
  • Close any programs you may have running - especially your web browser.
  • Right click on jre-6u7-windows-i586-p.exe and select Run As Administrator to install Java.
  • Reboot your computer.

I see that you have mIRC installed.

Next,
Go to Start, My Computer
Right-click on the hard-drive letter for the system, (usually C: )
Uncheck the box labeled "Allow Indexing Service to index this disk for fast file searching"
If it asks whether to apply to all files and folders, answer Yes.
You may have to wait while it resets the file attributes.
----------------------------------------------------------
Reboot the machine.
----------------------------------------------------------

Set Options in CCleaner and run Cleaning Scan.
Right click CCleaner and select Run as administrator if it's not already running.
( Do not use the Registry block to clean anything with this program. It is for experts only and it is risky).

* Select Cleaner Settings.
Check Internet Explorer, Windows Explorer, and System so that all items are checked. In the Advanced section, have a check only on Old PreFetch Data.
* Click on the Options block on the left. Select Advanced.
Uncheck Only delete files in Windows Temp folders older than 48 hours.
* Set Cookie Retention.
Click on the Options block on the left, then choose Cookies.
Under the Cookies to delete pane, highlight any cookies you would like to retain permanently (those companies or sites with which you regularly visit or do business), and click the right arrow > to move them to the Cookies to keep pane.
* Run Cleaning Scan. Click on the Cleaner block on the left. Choose the Windows tab.
Click the Run Cleaner button. This process could take a while. When CCleaner shows how much has been removed, cleaning is finished.

-----------------------------------------------------------
Reset Options in CCleaner for Regular Use.
Open CCleaner if it's not already running.

* Select Cleaner Settings.
Check Internet Explorer, Windows Explorer, and System so that all items are checked. Then under Internet Explorer, Uncheck "History". In the Advanced section, have a check only on Old PreFetch Data.
* Click on the Options block on the left. Select Advanced.
Check Only delete files in Windows Temp folders older than 48 hours.
* Set CCleaner to Run When Computer Starts. Click on the Options block on the left, then choose Settings. Check Run Ccleaner when computer starts.

-----------------------------------------------------------
Go to Start, Computer
Right-click on the hard-drive letter for the system, (usually C: )
Click Properties
Look at what it reports for Free Space.
Include that information in your next reply.

Upload files for scanning
I'd like you to check a file/some files for malware.
C:\WINDOWS\system32\msdcb.exe
C:\WINDOWS\system32\drivers\4200a86b.sys
C:\-1072858546

  • Copy/Paste the first file on the list into the white Upload a file box.
  • Click Send/Submit, and the file will upload to VirusTotal/Jotti, where it will be scanned by several anti-virus programmes.
  • After a while, a window will open, with details of what the scans found.
  • Save the complete results in a Notepad/Word document on your desktop.
  • Repeat for all files on the list.

There is one more file I would like you to upload... You will find it on a Thumb drive, or on some other removeable media.
In the Deckard's log, the file with path appears as G:\loader.exe.
Please find that file, if you can, and upload it to VirusTotal or Jotti using the instructions listed above.
Include those scan results in your next reply.

Please download DirLook by jpshortstuff from here.
  • Double-click DirLook.exe to run it.
  • Ensure that Show Hidden Files/Folders and BBCode Ouput are both checked.
  • Copy the content of the following codebox into the main textfield:

    Code: Select all
    C:\WINDOWS\system32\NtmsData


  • Click the DirLook button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply. (Note: The log can also be found at C:\dl_log.txt)
Note: Scanning may take longer for large folders.

Please post the following:
  1. How much space you now have available on your hard drive
  2. The VirusTotal/Jotti results
  3. The DirLook log
  4. A fresh HijackThis log
  5. Describe any problems you are having with the computer or with the instructions I have given.
User avatar
Carolyn
MRU Emeritus
MRU Emeritus
 
Posts: 4701
Joined: April 18th, 2007, 9:36 am
Location: Maine

Re: Problem with virus Trojan.win32.patched.bb

Unread postby pepemarix » August 3rd, 2008, 3:25 pm

Dear Carolyne:

I followed all the steps that you told me:

1.- I uninstalled every Java updates
2.- I installed the java version jre-6u7-windows-i586-p.exe
3.- I uninstalled MIRC
4.- I uncheked the box labeled "Allow Indexing Service to index ...."
5.- I set the Cleaner and Run the cleaner in the way you told me
6.- About the space in my hard disk, don't worry about, I am working in a Video Edition project with files of some Gib, so in some days I will save it in DVD and i deleted it and iIwill get about 10 Gib.
7.- About the virustotal.com, in msdcb.exe and 4200a86b.sys virustotal told me that theses files are empty with 0 kb and about c:\-1072858546 told me that it had not any virus.
8.- I didn't find any loader.exe files in any of my pen drives
9.- I run Dirlook.exe as you indicated me, now i will show you the .log
10.- In this moment I have 1,5 Gb of free space in my hard disk but as I told you in some days I will get space enough

BUT, the most important. Since 2 days ago, Kaspersky detected, every time I reboot my PC, 1 virus in two files. Kaspersky delete it sucessfully, but every time I reboot my PC these two files appear again.

The virus is Trojan-downloader.win32.delf.lhu
in
C:\windows\system32\msdcb.exe
and
C:\WINDOWS\system32\config\systemprofile\Configuración local\Archivos temporales de Internet\Content.IE5\HMVL4065\msdcb[1].jpg


Sometimes, but only sometimes after delete these files I run Malwarebyte and It detected some infected files like afinding.exe, nobicyst.exe, perfs.exe, routing.exe, wserving.exe , etc.. but Malware deleted them sucessfully.

I was looking for information about it and i couldn't find any serious one so I wish you could help me.

Here you have the dirlook log and the hijack log

Thank you very much for your patience and help
Josemari
-------------------------------------------------------------

1.- Dirlook Log

DirLook.exe by jpshortstuff
Log created at 20:43:57 on 2008-08-03

==============================

Contents of "C:\WINDOWS\system32\NtmsData" (inc. hidden/system files/folders)

---FOLDERS---


---FILES---

NTMSDATA (126976 bytes, created: 2008-08-01 12:03) --a------
NTMSDATA.BAK (126976 bytes, created: 2008-08-01 12:03) --a------
NTMSIDX (86024 bytes, created: 2008-08-01 12:03) --a------
NTMSREG (816 bytes, created: 2008-08-01 12:01) --a------

==============================

=EOF=



2.- Hijack Log

Logfile of HijackThis v1.99.1
Scan saved at 20:47, on 2008-08-03
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Archivos de programa\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Archivos de programa\Ahead\InCD\InCD.exe
C:\WINDOWS\System32\LVCOMSX.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Archivos de programa\QuickTime\qttask.exe
C:\Archivos de programa\Archivos comunes\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Archivos de programa\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\System32\DrvMon.exe
C:\Archivos de programa\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Archivos de programa\Microsoft ActiveSync\wcescomm.exe
C:\Archivos de programa\Google\Google Updater\GoogleUpdater.exe
C:\ARCHIV~1\MICROS~4\rapimgr.exe
C:\Archivos de programa\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Archivos de programa\Archivos comunes\Ulead Systems\DVD\ULCDRSvr.exe
C:\Archivos de programa\Internet Explorer\IEXPLORE.EXE
C:\Archivos de programa\Archivos comunes\Microsoft Shared\Source Engine\OSE.EXE
C:\Documents and Settings\JOSEMARI\Escritorio\Nuevos Programas Bajados\HijackThis\HijackThis_1.99.1.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.es/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Archivos de programa\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Archivos de programa\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Archivos de programa\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\System32\LVCOMSX.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Archivos de programa\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Archivos de programa\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Archivos de programa\Archivos comunes\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [UVS10 Preload] C:\Archivos de programa\Ulead Systems\Ulead VideoStudio 10\uvPL.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [KAVPersonal50] C:\Archivos de programa\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe /minimize
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Archivos de programa\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Archivos de programa\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [DrvMon.exe] C:\WINDOWS\System32\DrvMon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Archivos de programa\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Archivos de programa\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Archivos de programa\Microsoft ActiveSync\wcescomm.exe"
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Archivos de programa\Archivos comunes\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Google Updater.lnk = C:\Archivos de programa\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Archivos de programa\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\ARCHIV~1\MIF269~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Consola de Sun Java - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\ARCHIV~1\MICROS~4\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\ARCHIV~1\MICROS~4\INetRepl.dll
O9 - Extra 'Tools' menuitem: Crear un favorito móvil... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\ARCHIV~1\MICROS~4\INetRepl.dll
O9 - Extra button: Xanadu - {5CC384BB-1326-11D5-F4AE-00C04923F885} - C:\Archivos de programa\Foreignword\Xanadu\XanaduLaunch.exe
O9 - Extra button: Referencia - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARCHIV~1\MIF269~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/spanish/ka ... nicode.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 0935060921
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/softwa ... Plugin.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARCHIV~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARCHIV~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: Google Updater Service (gusvc) - Google - C:\Archivos de programa\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Archivos de programa\Archivos comunes\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Archivos de programa\Ahead\InCD\InCDsrv.exe
O23 - Service: InCD Helper (read only) (InCDsrvR) - Ahead Software AG - C:\Archivos de programa\Ahead\InCD\InCDsrv.exe
O23 - Service: kavsvc - Kaspersky Lab - C:\Archivos de programa\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
O23 - Service: Microsoft File Mapping Service (mshlpkd) - Unknown owner - C:\WINDOWS\system32\mshlp.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Archivos de programa\Archivos comunes\Ulead Systems\DVD\ULCDRSvr.exe
pepemarix
Regular Member
 
Posts: 17
Joined: July 27th, 2008, 9:28 am

Re: Problem with virus Trojan.win32.patched.bb

Unread postby Carolyn » August 4th, 2008, 9:05 pm

Hello,

There is a new version of ComboFix available. I would like you to download and run it.

Download and Run ComboFix (by sUBs)

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper.


We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please ensure you read this guide carefully and install the Recovery Console first.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:

  1. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.


  2. Click Yes to allow ComboFix to continue scanning for malware.

When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

C:\ComboFix.txt
New HijackThis log.
User avatar
Carolyn
MRU Emeritus
MRU Emeritus
 
Posts: 4701
Joined: April 18th, 2007, 9:36 am
Location: Maine

Re: Problem with virus Trojan.win32.patched.bb

Unread postby pepemarix » August 5th, 2008, 7:20 am

Dear carolyne:

I run combofix as you told me and here you have the combofix.log and a new hijack.log.

Anyway I run combofix just when i boot my PC, after all the warning that i read in the instruccions, but usually the famous file msdcb.exe appear maybe 5 or 10 or 15 minutes after I use Internet Explorer o Messenger

When kaspersky detected it make me delete it. When I reboot this file doesn't exit, but after 5-15 minutes appear again. Sometimes i tried to ignore the kaspersky warning and try to check this file with virustotal.com but always tell me that the file have 0k, but I can see that this file (msdcb.exe have 60 kb) so its something strage about it. I think that another file, that kAS doesn't detect let that this another file download again without my permiss.

anyway i will follow your advices.

thanks.
Josemari

-------------------------------------------------------------------

1.- COMBOFIX.TXT
ComboFix 08-08-04.01 - JOSEMARI 2008-08-05 12:42:39.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.3082.18.241 [GMT 2:00]
Se ejecuta desde: C:\Documents and Settings\JOSEMARI\Escritorio\ComboFix.exe
* Creado un nuevo punto de restauración
.

(((((((((((((((((((((((((((((((((((( Otras eliminaciones )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\Help\chscxdyv.fy
C:\WINDOWS\system32\mdfg.odl
C:\WINDOWS\system32\sfmrr.r
.
---- Previous Run -------
.
C:\d.exe
C:\WINDOWS\Downloaded Program Files\setup.inf
C:\WINDOWS\Help\access.hlp
C:\WINDOWS\Help\verifier.hlp
C:\WINDOWS\system32\afinding.exe
C:\WINDOWS\system32\comsa32.sys
C:\WINDOWS\system32\drivers\atmapi.sys
C:\WINDOWS\system32\drivers\lrj47.sys
C:\WINDOWS\system32\mdm.exe
C:\WINDOWS\system32\Nobicyt.exe
C:\WINDOWS\system32\nvrsul32.dll
C:\WINDOWS\system32\routing.exe
C:\WINDOWS\system32\WServing.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_AFINDING
-------\Legacy_lrj47
-------\Legacy_PERFMONS
-------\Legacy_ROUTING
-------\Legacy_WSERVING
-------\Service_AFinding
-------\Service_lrj47
-------\Service_perfmons
-------\Service_Routing
-------\Service_WServing
-------\Legacy_AFINDING
-------\Legacy_PERFMONS
-------\Legacy_ROUTING
-------\Legacy_WSERVING
-------\Service_lrj47


(((((((((((((((((( Archivos creados desde 2008-07-05 - 2008-08-05 )))))))))))))))))))))))))))))))))
.

-----------------------------------------------------------------

2.- HIJACKTHIS. LOG

Logfile of HijackThis v1.99.1
Scan saved at 13:08, on 2008-08-05
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Archivos de programa\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Archivos de programa\Ahead\InCD\InCD.exe
C:\WINDOWS\System32\LVCOMSX.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Archivos de programa\QuickTime\qttask.exe
C:\Archivos de programa\Archivos comunes\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Archivos de programa\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\System32\DrvMon.exe
C:\Archivos de programa\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Archivos de programa\Microsoft ActiveSync\wcescomm.exe
C:\Archivos de programa\Google\Google Updater\GoogleUpdater.exe
C:\ARCHIV~1\MICROS~4\rapimgr.exe
C:\Archivos de programa\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Archivos de programa\Archivos comunes\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Archivos de programa\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\JOSEMARI\Escritorio\Nuevos Programas Bajados\HijackThis\HijackThis_1.99.1.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.es/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Archivos de programa\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Archivos de programa\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Archivos de programa\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\System32\LVCOMSX.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Archivos de programa\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Archivos de programa\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Archivos de programa\Archivos comunes\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [UVS10 Preload] C:\Archivos de programa\Ulead Systems\Ulead VideoStudio 10\uvPL.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [KAVPersonal50] C:\Archivos de programa\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe /minimize
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Archivos de programa\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Archivos de programa\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [DrvMon.exe] C:\WINDOWS\System32\DrvMon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Archivos de programa\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Archivos de programa\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Archivos de programa\Microsoft ActiveSync\wcescomm.exe"
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Archivos de programa\Archivos comunes\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Google Updater.lnk = C:\Archivos de programa\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Archivos de programa\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\ARCHIV~1\MIF269~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Consola de Sun Java - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\ARCHIV~1\MICROS~4\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\ARCHIV~1\MICROS~4\INetRepl.dll
O9 - Extra 'Tools' menuitem: Crear un favorito móvil... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\ARCHIV~1\MICROS~4\INetRepl.dll
O9 - Extra button: Xanadu - {5CC384BB-1326-11D5-F4AE-00C04923F885} - C:\Archivos de programa\Foreignword\Xanadu\XanaduLaunch.exe
O9 - Extra button: Referencia - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARCHIV~1\MIF269~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/spanish/ka ... nicode.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 0935060921
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/softwa ... Plugin.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARCHIV~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARCHIV~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: Google Updater Service (gusvc) - Google - C:\Archivos de programa\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Archivos de programa\Archivos comunes\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Archivos de programa\Ahead\InCD\InCDsrv.exe
O23 - Service: InCD Helper (read only) (InCDsrvR) - Ahead Software AG - C:\Archivos de programa\Ahead\InCD\InCDsrv.exe
O23 - Service: kavsvc - Kaspersky Lab - C:\Archivos de programa\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
O23 - Service: Microsoft File Mapping Service (mshlpkd) - Unknown owner - C:\WINDOWS\system32\mshlp.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Archivos de programa\Archivos comunes\Ulead Systems\DVD\ULCDRSvr.exe
pepemarix
Regular Member
 
Posts: 17
Joined: July 27th, 2008, 9:28 am

Re: Problem with virus Trojan.win32.patched.bb

Unread postby Carolyn » August 5th, 2008, 7:39 am

Hello,

The ComboFix log you posted was incomplete.

Please post the contents of C:\ComboFix.txt again.

Also, please do the following:

Step 1:
Using Windows Explore by right-clicking the Start button and left clicking Explore navigate to and find the following folders:

C:\qoobox

In that folder you will may find the old ComboFix log files. Please post the contents of any log files you find there in your next reply.


Step 2:
Using Windows Explore by right-clicking the Start button and left clicking Explore navigate to and find the following folders:

C:\QooBox\LastRun

If there are any log files in that folder, please post them in your next reply as well.
User avatar
Carolyn
MRU Emeritus
MRU Emeritus
 
Posts: 4701
Joined: April 18th, 2007, 9:36 am
Location: Maine
Advertisement
Register to Remove

Next

  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 28 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware