Solved Topics: resolved HijackThis and malware cases.
(Read only)

post #21
19/08/09, 06:31:10
User
Registered: Aug 2005
Location: españa
Messages: 136
Re: Virtumonde

Quote:
Originally posted by Leosolari
- Download the ComboFix.exe tool and save it to the desktop.
  • Temporarily disable your antivirus and/or antispyware.
  • Close all open windows.
  • Double-click the ComboFix.exe file and follow the instructions.
  • When it finishes, it will generate a log at C:\ComboFix.txt.
    • *Note* While CF is working, do not move the mouse, since that would stall its process.
    • *Note* ComboFix may restart the PC automatically to complete the removal process.
  • Reboot and paste the report from C:\ComboFix.txt in this same thread.


PS: Do not run ComboFix again, nor any other antivirus program, until I come back with a reply, since you could change things.
Done, I'm sending you the report. The desktop wallpaper has changed, is that normal?

ComboFix 09-08-18.01 - Administrador 19/08/2009 11:12.1.4 - NTFSx86
Microsoft® Windows Vista™ Ultimate 6.0.6001.1.1252.34.3082.18.3582.2742 [GMT 2:00]
Running from: c:\users\Administrador\Downloads\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\$recycle.bin\S-1-5-21-51003140-4199384537-3980697693-500
c:\users\ADMINI~1\AppData\Roaming\logman.exe
c:\users\ADMINI~1\AppData\Roaming\Microsoft\mstinit.exe
c:\users\Administrador\AppData\Roaming\logman.exe
c:\users\Administrador\AppData\Roaming\Microsoft\mstinit.exe
c:\windows\Cursors\aero_link.cur
c:\windows\Fonts\img hearts.ttf
c:\windows\Fonts\img travel.ttf
c:\windows\system32\drivers\logman.exe

.
((((((((((((((((((((((((( Files Created from 2009-07-19 to 2009-08-19 )))))))))))))))))))))))))))))))
.

2009-08-19 09:17 . 2009-07-07 17:19 61440 ----a-w- c:\users\Administrador\AppData\Roaming\comrepl.exe
2009-08-19 09:16 . 2009-07-07 17:19 61440 ----a-w- c:\users\Administrador\AppData\Roaming\spoolsv.exe
2009-08-19 09:16 . 2009-07-07 17:19 61440 ----a-w- c:\windows\system\comrepl.exe
2009-08-19 09:15 . 2009-08-19 09:15 -------- d-----w- c:\users\Default\AppData\Local\temp
2009-08-18 18:18 . 2008-06-19 15:24 28544 ----a-w- c:\windows\system32\drivers\pavboot.sys
2009-08-18 18:18 . 2009-08-18 18:18 -------- d-----w- c:\program files\Panda Security
2009-08-18 18:09 . 2009-07-07 17:19 61440 ----a-w- c:\windows\mstsc.exe
2009-08-18 17:43 . 2009-08-18 17:43 -------- d-----w- c:\users\Administrador\AppData\Roaming\Malwarebytes
2009-08-18 17:43 . 2009-08-18 17:43 -------- d-----w- c:\users\ADMINI~1\AppData\Roaming\Malwarebytes
2009-08-18 17:43 . 2009-08-03 11:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-18 17:43 . 2009-08-18 17:43 -------- d-----w- c:\progra~2\Malwarebytes
2009-08-18 17:43 . 2009-08-18 18:25 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-18 17:43 . 2009-08-03 11:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-18 17:09 . 2009-08-18 17:09 -------- d-----w- c:\program files\CCleaner
2009-08-13 20:54 . 2009-07-17 14:35 71680 ----a-w- c:\windows\system32\atl.dll
2009-08-13 20:54 . 2009-06-10 12:12 160256 ----a-w- c:\windows\system32\wkssvc.dll
2009-08-13 20:54 . 2009-06-04 12:34 2066432 ----a-w- c:\windows\system32\mstscax.dll
2009-08-13 20:54 . 2009-06-10 12:07 91136 ----a-w- c:\windows\system32\avifil32.dll
2009-08-13 20:54 . 2009-06-15 15:21 499712 ----a-w- c:\windows\system32\kerberos.dll
2009-08-13 20:54 . 2009-06-15 15:24 175104 ----a-w- c:\windows\system32\wdigest.dll
2009-08-13 20:54 . 2009-06-15 15:24 270848 ----a-w- c:\windows\system32\schannel.dll
2009-08-13 20:54 . 2009-06-15 15:23 1256448 ----a-w- c:\windows\system32\lsasrv.dll
2009-08-13 20:54 . 2009-06-15 15:22 213504 ----a-w- c:\windows\system32\msv1_0.dll
2009-08-13 20:54 . 2009-06-15 18:20 439896 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2009-08-13 20:54 . 2009-06-15 15:24 72704 ----a-w- c:\windows\system32\secur32.dll
2009-08-13 20:54 . 2009-06-15 12:57 9728 ----a-w- c:\windows\system32\lsass.exe
2009-08-13 20:53 . 2009-07-14 13:00 313344 ----a-w- c:\windows\system32\wmpdxm.dll
2009-08-13 20:53 . 2009-07-14 12:59 4096 ----a-w- c:\windows\system32\dxmasf.dll
2009-08-13 20:53 . 2009-07-14 12:58 7680 ----a-w- c:\windows\system32\spwmp.dll
2009-08-13 20:53 . 2009-07-14 10:59 8147456 ----a-w- c:\windows\system32\wmploc.DLL
2009-08-12 15:22 . 2009-08-12 15:22 -------- d-----w- c:\users\Administrador\AppData\Roaming\ScanSoft
2009-08-12 15:22 . 2009-08-12 15:22 -------- d-----w- c:\users\ADMINI~1\AppData\Roaming\ScanSoft
2009-08-11 08:39 . 2009-08-11 08:39 -------- d-----w- c:\users\Administrador\AppData\Roaming\VoipBuster
2009-08-11 08:39 . 2009-08-11 08:39 -------- d-----w- c:\users\ADMINI~1\AppData\Roaming\VoipBuster
2009-08-11 08:38 . 2009-08-11 08:38 -------- d-----w- c:\program files\VoipBuster.com
2009-08-04 20:30 . 2009-08-04 20:31 -------- d-----w- c:\progra~2\NVIDIA
2009-08-04 20:23 . 2009-03-27 22:03 801312 ----a-w- c:\windows\system32\nvcplui.exe
2009-08-04 20:23 . 2009-03-27 22:03 453152 ----a-w- c:\windows\system32\nvuninst.exe
2009-08-04 20:23 . 2009-03-27 22:03 1108512 ----a-w- c:\windows\system32\nvcpluir.dll
2009-08-02 11:27 . 2009-08-02 11:27 -------- d-----w- c:\users\Administrador\AppData\Roaming\Softplicity
2009-08-02 11:27 . 2009-08-02 11:27 -------- d-----w- c:\users\ADMINI~1\AppData\Roaming\Softplicity
2009-08-02 11:27 . 2009-08-02 11:27 -------- d-----w- c:\program files\TotalAudioConverter
2009-08-01 21:28 . 2009-08-01 21:28 -------- d-----w- c:\program files\Alcohol Soft
2009-08-01 21:26 . 2009-08-01 21:26 685816 ----a-w- c:\windows\system32\drivers\sptd.sys
2009-08-01 17:24 . 2009-08-12 12:37 -------- d-----w- c:\users\Administrador\AppData\Roaming\Winamp
2009-08-01 17:24 . 2009-08-12 12:37 -------- d-----w- c:\users\ADMINI~1\AppData\Roaming\Winamp
2009-07-28 21:47 . 2009-07-28 21:47 -------- d-----w- c:\program files\MSXML 4.0
2009-07-28 20:42 . 2009-07-28 20:42 -------- d-----w- c:\users\Administrador\AppData\Local\ESET
2009-07-28 20:42 . 2009-07-28 20:42 -------- d-----w- c:\users\ADMINI~1\AppData\Local\ESET
2009-07-28 20:26 . 2009-07-28 20:26 -------- d-----w- c:\program files\Common Files\PX Storage Engine
2009-07-28 20:15 . 2009-04-28 20:20 44944 ------w- c:\windows\system32\drivers\PxHelp20.sys
2009-07-28 18:56 . 2009-08-18 23:39 -------- d-----w- c:\progra~2\Spybot - Search & Destroy
2009-07-28 18:56 . 2009-08-01 08:59 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-07-28 18:54 . 2009-07-28 18:54 -------- d-----w- c:\program files\jv16 PowerTools
2009-07-28 18:49 . 2009-07-28 18:53 10054 ----a-w- c:\windows\msvrc20.dll
2009-07-28 18:49 . 2009-07-28 18:49 -------- d-----w- c:\program files\IObit
2009-07-28 18:46 . 2009-08-16 22:42 -------- d-----w- C:\MSNCleaner

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-19 08:52 . 2006-11-02 16:00 667748 ----a-w- c:\windows\system32\perfh00A.dat
2009-08-19 08:52 . 2006-11-02 16:00 129514 ----a-w- c:\windows\system32\perfc00A.dat
2009-08-11 19:44 . 2009-03-29 23:27 -------- d-----w- c:\users\Administrador\AppData\Roaming\Skype
2009-08-11 19:44 . 2009-03-29 23:27 -------- d-----w- c:\users\ADMINI~1\AppData\Roaming\Skype
2009-08-04 20:04 . 2009-01-24 02:06 680 ----a-w- c:\users\Administrador\AppData\Local\d3d9caps.dat
2009-08-04 20:04 . 2009-01-24 02:06 680 ----a-w- c:\users\ADMINI~1\AppData\Local\d3d9caps.dat
2009-08-01 17:25 . 2009-02-04 17:30 -------- d-----w- c:\program files\Winamp
2009-07-27 17:24 . 2009-02-04 17:33 -------- d-----w- c:\program files\eMule
2009-07-18 16:06 . 2009-07-28 21:46 827904 ----a-w- c:\windows\system32\wininet.dll
2009-07-18 16:01 . 2009-07-28 21:46 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-07-18 09:46 . 2009-07-28 21:46 26624 ----a-w- c:\windows\system32\ieUnatt.exe
2009-07-07 17:19 . 2009-08-19 09:17 61440 ----a-w- c:\users\ADMINI~1\AppData\Roaming\comrepl.exe
2009-07-07 17:19 . 2009-08-19 09:16 61440 ----a-w- c:\windows\system32\drivers\logman.exe
2009-07-07 17:19 . 2009-08-19 09:16 61440 ----a-w- c:\users\ADMINI~1\AppData\Roaming\spoolsv.exe
2009-06-15 15:24 . 2009-07-28 21:46 156672 ----a-w- c:\windows\system32\t2embed.dll
2009-06-15 15:20 . 2009-07-28 21:46 72704 ----a-w- c:\windows\system32\fontsub.dll
2009-06-15 15:20 . 2009-07-28 21:46 10240 ----a-w- c:\windows\system32\dciman32.dll
2009-06-15 12:52 . 2009-07-28 21:46 289792 ----a-w- c:\windows\system32\atmfd.dll
2009-06-11 05:02 . 2006-11-02 10:25 665600 ----a-w- c:\windows\inf\drvindex.dat
2009-06-09 04:36 . 2006-07-11 16:35 348160 ----a-w- c:\windows\system32\msvcr71.dll
2009-05-29 14:00 . 2009-01-24 02:19 87136 ----a-w- c:\users\Administrador\AppData\Local\GDIPFONTCACHEV1.DAT
2009-05-29 14:00 . 2009-01-24 02:19 87136 ----a-w- c:\users\ADMINI~1\AppData\Local\GDIPFONTCACHEV1.DAT
2009-05-29 13:50 . 2009-05-29 13:50 29926 ----a-r- c:\users\Administrador\AppData\Roaming\Microsoft\Installer\{5EB90C06-964F-4195-B83E-BD7E55C88415}\ARPPRODUCTICON.exe
2008-08-07 08:27 . 2008-08-07 07:40 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AlcoholAutomount"="c:\program files\Alcohol Soft\Alcohol 120\axcmd.exe" [2007-07-02 220544]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-08-07 202240]
"VoipBuster"="c:\program files\VoipBuster.com\VoipBuster\VoipBuster.exe" [2009-07-16 9075504]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"snpstd"="c:\windows\vsnpstd.exe" [2005-10-11 339968]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 210472]
"PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2007-01-29 30248]
"IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe" [2007-01-29 46632]
"BrMfcWnd"="c:\program files\Brother\Brmfcmon\BrMfcWnd.exe" [2007-03-12 663552]
"ControlCenter3"="c:\program files\Brother\ControlCenter3\brctrcen.exe" [2007-01-26 65536]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2009-02-06 2021400]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-06-09 198160]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2009-07-01 37888]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-03-27 13687328]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-03-27 92704]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\Currentversion\policies\explorer\Run]
"Mstsc"="c:\windows\mstsc.exe" [2009-07-07 61440]

[HKEY_CURRENT_USER\software\microsoft\windows\Currentversion\policies\explorer\Run]
"Logman"="c:\windows\System32\drivers\logman.exe" [2009-07-07 61440]

[HKEY_USERS\.DEFAULT\software\microsoft\windows\Currentversion\policies\explorer\Run]
"ComRepl"="c:\windows\System\comrepl.exe" [2009-07-07 61440]

c:\progra~2\MICROS~1\Windows\STARTM~1\Programs\Startup\
Ralink Wireless Utility.lnk - c:\windows\RaUI.exe [2009-1-24 598016]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\windows]
"load"=c:\users\ADMINI~1\AppData\Roaming\comrepl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{3080B9D5-7B6C-4D4B-98A1-CE2632E49CCE}"= TCP:6004|c:\program files\Microsoft Office\Office12\outlook.exe:Microsoft Office Outlook
"TCP Query User{0059050F-E0FD-4716-9291-95102E5E1626}c:\\program files\\mozilla firefox\\firefox.exe"= UDP:c:\program files\mozilla firefox\firefox.exe:Firefox
"UDP Query User{BAC5F1A2-FFB4-4A44-9F20-F55BDC57DA6E}c:\\program files\\mozilla firefox\\firefox.exe"= TCP:c:\program files\mozilla firefox\firefox.exe:Firefox
"TCP Query User{958AB601-555B-4BBA-B306-097E1AFFD4C6}c:\\program files\\emule\\emule.exe"= UDP:c:\program files\emule\emule.exe:eMule
"UDP Query User{BCB97809-B005-4735-94F5-8B3245EEFB02}c:\\program files\\emule\\emule.exe"= TCP:c:\program files\emule\emule.exe:eMule
"TCP Query User{6276BBFB-F502-45DC-A1F1-50978C932400}c:\\program files\\msn messenger 8.5\\msnmsgr.exe"= UDP:c:\program files\msn messenger 8.5\msnmsgr.exe:Windows Live Messenger
"UDP Query User{FEF261A8-2D12-4A66-B9A3-99EAB0C2EEC5}c:\\program files\\msn messenger 8.5\\msnmsgr.exe"= TCP:c:\program files\msn messenger 8.5\msnmsgr.exe:Windows Live Messenger
"{B6C5423A-8BA3-41E4-A135-072FE3671FDC}"= c:\program files\Skype\Phone\Skype.exe:Skype
"TCP Query User{BB6EB12D-399D-4624-B4B2-CDC29DADA0A3}c:\\program files\\mozilla firefox\\firefox.exe"= UDP:c:\program files\mozilla firefox\firefox.exe:Firefox
"UDP Query User{AF16CB95-1717-4FE7-84C5-A8BC1F9D8E07}c:\\program files\\mozilla firefox\\firefox.exe"= TCP:c:\program files\mozilla firefox\firefox.exe:Firefox
"{1BA7BB5F-BE01-4685-A5DD-39709AD71EA5}"= UDP:c:\program files\Pinnacle\Studio 12\Programs\RM.exe:Render Manager
"{6D526CF4-C7E7-468B-ADCC-35E2A740DAB2}"= TCP:c:\program files\Pinnacle\Studio 12\Programs\RM.exe:Render Manager
"{638F6559-6833-4F79-9FE4-160C7784B9B8}"= UDP:c:\program files\Pinnacle\Studio 12\Programs\Studio.exe:Studio
"{B26085CA-5708-45A7-BE0A-B91493309605}"= TCP:c:\program files\Pinnacle\Studio 12\Programs\Studio.exe:Studio
"{8DAC97E4-C1C2-4874-9E38-5A04B3829F7A}"= UDP:c:\program files\Pinnacle\Studio 12\Programs\umi.exe:umi
"{007DC4EF-385D-449D-B410-4A2085005D93}"= TCP:c:\program files\Pinnacle\Studio 12\Programs\umi.exe:umi
"TCP Query User{1F76BC4F-C2D9-4512-B71E-FCE656ADC2F7}c:\\program files\\pinnacle\\studio 12\\programs\\studio.exe"= UDP:c:\program files\pinnacle\studio 12\programs\studio.exe:Studio program file
"UDP Query User{11107221-6770-40E5-8AB7-ACC5BBA0FE86}c:\\program files\\pinnacle\\studio 12\\programs\\studio.exe"= TCP:c:\program files\pinnacle\studio 12\programs\studio.exe:Studio program file
"TCP Query User{D00C149C-25EF-49DD-919C-D3705FC9E5D2}c:\\program files\\emule\\emule.exe"= UDP:c:\program files\emule\emule.exe:eMule
"UDP Query User{C667155D-9BCD-4CD4-8D97-7F5606585DA7}c:\\program files\\emule\\emule.exe"= TCP:c:\program files\emule\emule.exe:eMule
"{45B55FF9-DAB1-4AC4-9F10-45EAC37C23D8}"= c:\program files\Skype\Phone\Skype.exe:Skype
"TCP Query User{BBF71D8B-9B54-40F4-816B-5D5EC6AF78CD}c:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\~temp\\mlp32\\mdm.exe"= UDP:c:\users\ADMINI~1\AppData\Local\Temp\~temp\mlp32\mdm.exe:UpdateWizzard
"TCP Query User{BBF71D8B-9B54-40F4-996B-5D5EC6AF78CD}c:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\~temp\\mlp32\\mdm.exe"= UDP:c:\users\ADMINI~1\AppData\Local\Temp\~temp\mlp32\mdm.exe:UpdateWizzard
"UDP Query User{4C9BECF3-6333-4D16-A3DB-DF8B71A69449}c:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\~temp\\mlp32\\mdm.exe"= TCP:c:\users\ADMINI~1\AppData\Local\Temp\~temp\mlp32\mdm.exe:UpdateWizzard
"UDP Query User{4C9BECF3-6333-4D16-99DB-DF8B71A69449}c:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\~temp\\mlp32\\mdm.exe"= TCP:c:\users\ADMINI~1\AppData\Local\Temp\~temp\mlp32\mdm.exe:UpdateWizzard
"TCP Query User{BBF71D8B-9B54-40F4-816B-5D5EC6AF78CD}c:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\~temp\\mlp33\\mdm.exe"= UDP:c:\users\ADMINI~1\AppData\Local\Temp\~temp\mlp33\mdm.exe:UpdateWizzard
"TCP Query User{BBF71D8B-9B54-40F4-996B-5D5EC6AF78CD}c:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\~temp\\mlp33\\mdm.exe"= UDP:c:\users\ADMINI~1\AppData\Local\Temp\~temp\mlp33\mdm.exe:UpdateWizzard
"UDP Query User{4C9BECF3-6333-4D16-A3DB-DF8B71A69449}c:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\~temp\\mlp33\\mdm.exe"= TCP:c:\users\ADMINI~1\AppData\Local\Temp\~temp\mlp33\mdm.exe:UpdateWizzard
"UDP Query User{4C9BECF3-6333-4D16-99DB-DF8B71A69449}c:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\~temp\\mlp33\\mdm.exe"= TCP:c:\users\ADMINI~1\AppData\Local\Temp\~temp\mlp33\mdm.exe:UpdateWizzard
"TCP Query User{BBF71D8B-9B54-40F4-816B-5D5EC6AF78CD}c:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\~temp\\mlp35\\mdm.exe"= UDP:c:\users\ADMINI~1\AppData\Local\Temp\~temp\mlp35\mdm.exe:UpdateWizzard
"TCP Query User{BBF71D8B-9B54-40F4-996B-5D5EC6AF78CD}c:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\~temp\\mlp35\\mdm.exe"= UDP:c:\users\ADMINI~1\AppData\Local\Temp\~temp\mlp35\mdm.exe:UpdateWizzard
"UDP Query User{4C9BECF3-6333-4D16-A3DB-DF8B71A69449}c:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\~temp\\mlp35\\mdm.exe"= TCP:c:\users\ADMINI~1\AppData\Local\Temp\~temp\mlp35\mdm.exe:UpdateWizzard
"UDP Query User{4C9BECF3-6333-4D16-99DB-DF8B71A69449}c:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\~temp\\mlp35\\mdm.exe"= TCP:c:\users\ADMINI~1\AppData\Local\Temp\~temp\mlp35\mdm.exe:UpdateWizzard
"TCP Query User{BBF71D8B-9B54-40F4-816B-5D5EC6AF78CD}c:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\~temp\\mlp43\\mdm.exe"= UDP:c:\users\ADMINI~1\AppData\Local\Temp\~temp\mlp43\mdm.exe:UpdateWizzard
"TCP Query User{BBF71D8B-9B54-40F4-996B-5D5EC6AF78CD}c:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\~temp\\mlp43\\mdm.exe"= UDP:c:\users\ADMINI~1\AppData\Local\Temp\~temp\mlp43\mdm.exe:UpdateWizzard
"UDP Query User{4C9BECF3-6333-4D16-A3DB-DF8B71A69449}c:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\~temp\\mlp43\\mdm.exe"= TCP:c:\users\ADMINI~1\AppData\Local\Temp\~temp\mlp43\mdm.exe:UpdateWizzard
"UDP Query User{4C9BECF3-6333-4D16-99DB-DF8B71A69449}c:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\~temp\\mlp43\\mdm.exe"= TCP:c:\users\ADMINI~1\AppData\Local\Temp\~temp\mlp43\mdm.exe:UpdateWizzard
"{45ABB48D-A0F2-4D0D-8F1E-7CD97B009E54}"= UDP:c:\program files\Winamp Remote\bin\Orb.exe:Orb
"{865F9FC5-7139-4F89-A73D-F7C6A045F616}"= TCP:c:\program files\Winamp Remote\bin\Orb.exe:Orb
"{FAE1674D-1639-4D7B-B9B5-5561EEAE9335}"= UDP:c:\program files\Winamp Remote\bin\OrbTray.exe:OrbTray
"{46C31F11-CEB6-461A-AE65-65331959AA47}"= TCP:c:\program files\Winamp Remote\bin\OrbTray.exe:OrbTray
"{7CD75F22-BC40-4544-9009-B6B1110B2279}"= UDP:c:\program files\Winamp Remote\bin\OrbIR.exe:OrbIR
"{F3BE4407-9A37-42F6-A358-E0E4D8B7E514}"= TCP:c:\program files\Winamp Remote\bin\OrbIR.exe:OrbIR
"{D7B03E71-C771-4B67-BDAE-607D42DB1973}"= UDP:c:\program files\Winamp Remote\bin\OrbStreamerClient.exe:Orb Stream Client
"{721FE511-1A34-4A51-A5DE-9F6FB2BEA3E8}"= TCP:c:\program files\Winamp Remote\bin\OrbStreamerClient.exe:Orb Stream Client
"TCP Query User{BBF71D8B-9B54-40F4-816B-5D5EC6AF78CD}c:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\~temp\\mlp44\\mdm.exe"= UDP:c:\users\ADMINI~1\AppData\Local\Temp\~temp\mlp44\mdm.exe:UpdateWizzard
"TCP Query User{BBF71D8B-9B54-40F4-996B-5D5EC6AF78CD}c:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\~temp\\mlp44\\mdm.exe"= UDP:c:\users\ADMINI~1\AppData\Local\Temp\~temp\mlp44\mdm.exe:UpdateWizzard
"UDP Query User{4C9BECF3-6333-4D16-A3DB-DF8B71A69449}c:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\~temp\\mlp44\\mdm.exe"= TCP:c:\users\ADMINI~1\AppData\Local\Temp\~temp\mlp44\mdm.exe:UpdateWizzard
"UDP Query User{4C9BECF3-6333-4D16-99DB-DF8B71A69449}c:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\~temp\\mlp44\\mdm.exe"= TCP:c:\users\ADMINI~1\AppData\Local\Temp\~temp\mlp44\mdm.exe:UpdateWizzard
"TCP Query User{BBF71D8B-9B54-40F4-816B-5D5EC6AF78CD}c:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\~temp\\mlp45\\mdm.exe"= UDP:c:\users\ADMINI~1\AppData\Local\Temp\~temp\mlp45\mdm.exe:UpdateWizzard
"TCP Query User{BBF71D8B-9B54-40F4-996B-5D5EC6AF78CD}c:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\~temp\\mlp45\\mdm.exe"= UDP:c:\users\ADMINI~1\AppData\Local\Temp\~temp\mlp45\mdm.exe:UpdateWizzard
"UDP Query User{4C9BECF3-6333-4D16-A3DB-DF8B71A69449}c:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\~temp\\mlp45\\mdm.exe"= TCP:c:\users\ADMINI~1\AppData\Local\Temp\~temp\mlp45\mdm.exe:UpdateWizzard
"UDP Query User{4C9BECF3-6333-4D16-99DB-DF8B71A69449}c:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\~temp\\mlp45\\mdm.exe"= TCP:c:\users\ADMINI~1\AppData\Local\Temp\~temp\mlp45\mdm.exe:UpdateWizzard
"TCP Query User{BBF71D8B-9B54-40F4-816B-5D5EC6AF78CD}c:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\~temp\\mlp46\\mdm.exe"= UDP:c:\users\ADMINI~1\AppData\Local\Temp\~temp\mlp46\mdm.exe:UpdateWizzard
"TCP Query User{BBF71D8B-9B54-40F4-996B-5D5EC6AF78CD}c:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\~temp\\mlp46\\mdm.exe"= UDP:c:\users\ADMINI~1\AppData\Local\Temp\~temp\mlp46\mdm.exe:UpdateWizzard
"UDP Query User{4C9BECF3-6333-4D16-A3DB-DF8B71A69449}c:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\~temp\\mlp46\\mdm.exe"= TCP:c:\users\ADMINI~1\AppData\Local\Temp\~temp\mlp46\mdm.exe:UpdateWizzard
"UDP Query User{4C9BECF3-6333-4D16-99DB-DF8B71A69449}c:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\~temp\\mlp46\\mdm.exe"= TCP:c:\users\ADMINI~1\AppData\Local\Temp\~temp\mlp46\mdm.exe:UpdateWizzard
"{5FE57764-F193-4A7C-8742-40B949C8EF1F}"= UDP:c:\program files\VoipBuster.com\VoipBuster\VoipBuster.exe:VoipBuster
"{713AC264-52B1-4169-B47C-F0337DA5595A}"= TCP:c:\program files\VoipBuster.com\VoipBuster\VoipBuster.exe:VoipBuster
"{7CA92649-DB20-46ED-949E-6AE966640453}"= UDP:c:\program files\VoipBuster.com\VoipBuster\VoipBuster.exe:VoipBuster
"{D2EDC23E-17C3-4B2F-B27E-96DBBC9BC1B5}"= TCP:c:\program files\VoipBuster.com\VoipBuster\VoipBuster.exe:VoipBuster
"TCP Query User{BBF71D8B-9B54-40F4-816B-5D5EC6AF78CD}c:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\~temp\\mlp47\\mdm.exe"= UDP:c:\users\ADMINI~1\AppData\Local\Temp\~temp\mlp47\mdm.exe:UpdateWizzard
"TCP Query User{BBF71D8B-9B54-40F4-996B-5D5EC6AF78CD}c:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\~temp\\mlp47\\mdm.exe"= UDP:c:\users\ADMINI~1\AppData\Local\Temp\~temp\mlp47\mdm.exe:UpdateWizzard
"UDP Query User{4C9BECF3-6333-4D16-A3DB-DF8B71A69449}c:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\~temp\\mlp47\\mdm.exe"= TCP:c:\users\ADMINI~1\AppData\Local\Temp\~temp\mlp47\mdm.exe:UpdateWizzard
"UDP Query User{4C9BECF3-6333-4D16-99DB-DF8B71A69449}c:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\~temp\\mlp47\\mdm.exe"= TCP:c:\users\ADMINI~1\AppData\Local\Temp\~temp\mlp47\mdm.exe:UpdateWizzard
"TCP Query User{BBF71D8B-9B54-40F4-816B-5D5EC6AF78CD}c:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\~temp\\mlp49\\mdm.exe"= UDP:c:\users\ADMINI~1\AppData\Local\Temp\~temp\mlp49\mdm.exe:UpdateWizzard
"TCP Query User{BBF71D8B-9B54-40F4-996B-5D5EC6AF78CD}c:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\~temp\\mlp49\\mdm.exe"= UDP:c:\users\ADMINI~1\AppData\Local\Temp\~temp\mlp49\mdm.exe:UpdateWizzard
"UDP Query User{4C9BECF3-6333-4D16-A3DB-DF8B71A69449}c:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\~temp\\mlp49\\mdm.exe"= TCP:c:\users\ADMINI~1\AppData\Local\Temp\~temp\mlp49\mdm.exe:UpdateWizzard
"UDP Query User{4C9BECF3-6333-4D16-99DB-DF8B71A69449}c:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\~temp\\mlp49\\mdm.exe"= TCP:c:\users\ADMINI~1\AppData\Local\Temp\~temp\mlp49\mdm.exe:UpdateWizzard

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)

R0 pavboot;pavboot;c:\windows\System32\drivers\pavboot.sys [18/08/2009 20:18 28544]
R1 ehdrv;ehdrv;c:\windows\System32\drivers\ehdrv.sys [06/02/2009 14:23 106208]
R2 ekrn;ESET Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [06/02/2009 14:23 727720]
R2 epfwwfpr;epfwwfpr;c:\windows\System32\drivers\epfwwfpr.sys [06/02/2009 14:24 92800]
R3 rt61x86;Ralink RT61 Wireless Driver for Windows Vista;c:\windows\System32\drivers\netr61.sys [11/05/2007 16:28 357376]
S0 OemBiosDevice;Royalty OEM BIOS Extension;c:\windows\System32\drivers\royal.sys [24/01/2009 13:53 240128]
S2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [28/07/2009 20:56 810320]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
.
- - - - ORPHANS REMOVED - - - -

HKLM-Explorer_Run-ComRepl - c:\users\Administrador\LOCALS~1\APPLIC~1\comrepl.exe
HKCU-Explorer_Run-ClipSrv - c:\users\Administrador\LOCALS~1\APPLIC~1\MICROS~1\clipsrv.exe
HKU-Default-Explorer_Run-Cisvc - c:\users\ADMINI~1\AppData\Roaming\MICROS~1\cisvc.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.tropal.net/
mStart Page = hxxp://www.tropal.net/
IE: E&xportar a Microsoft Excel - c:\progra~1\MICROS~1\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\users\ADMINI~1\AppData\Roaming\Mozilla\Firefox\Profiles\cy1gi959.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.es
FF - component: c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll
FF - component: c:\program files\Real\RealPlayer\browserrecord\components\nprpbrowserrecordplugin.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-19 11:16
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-2357816084-603884151-2891837792-500\Software\Microsoft\Windows\CurrentVersion\Expl orer\FileExts\.aif\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.AIFF"

[HKEY_USERS\S-1-5-21-2357816084-603884151-2891837792-500\Software\Microsoft\Windows\CurrentVersion\Expl orer\FileExts\.aifc\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.AIFF"

[HKEY_USERS\S-1-5-21-2357816084-603884151-2891837792-500\Software\Microsoft\Windows\CurrentVersion\Expl orer\FileExts\.aiff\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.AIFF"

[HKEY_USERS\S-1-5-21-2357816084-603884151-2891837792-500\Software\Microsoft\Windows\CurrentVersion\Expl orer\FileExts\.asf\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.ASF"

[HKEY_USERS\S-1-5-21-2357816084-603884151-2891837792-500\Software\Microsoft\Windows\CurrentVersion\Expl orer\FileExts\.asx\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.ASX"

[HKEY_USERS\S-1-5-21-2357816084-603884151-2891837792-500\Software\Microsoft\Windows\CurrentVersion\Expl orer\FileExts\.au\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.AU"

[HKEY_USERS\S-1-5-21-2357816084-603884151-2891837792-500\Software\Microsoft\Windows\CurrentVersion\Expl orer\FileExts\.avi\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.avi"

[HKEY_USERS\S-1-5-21-2357816084-603884151-2891837792-500\Software\Microsoft\Windows\CurrentVersion\Expl orer\FileExts\.cda\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.CDA"

[HKEY_USERS\S-1-5-21-2357816084-603884151-2891837792-500\Software\Microsoft\Windows\CurrentVersion\Expl orer\FileExts\.doc\UserChoice]
@Denied: (2) (Administrator)
"Progid"="Applications\\AcroRD32.exe"

[HKEY_USERS\S-1-5-21-2357816084-603884151-2891837792-500\Software\Microsoft\Windows\CurrentVersion\Expl orer\FileExts\.htm\UserChoice]
@Denied: (2) (Administrator)
"Progid"="FirefoxHTML"

[HKEY_USERS\S-1-5-21-2357816084-603884151-2891837792-500\Software\Microsoft\Windows\CurrentVersion\Expl orer\FileExts\.html\UserChoice]
@Denied: (2) (Administrator)
"Progid"="FirefoxHTML"

[HKEY_USERS\S-1-5-21-2357816084-603884151-2891837792-500\Software\Microsoft\Windows\CurrentVersion\Expl orer\FileExts\.m1v\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.MPEG"

[HKEY_USERS\S-1-5-21-2357816084-603884151-2891837792-500\Software\Microsoft\Windows\CurrentVersion\Expl orer\FileExts\.M2V\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.MPEG"

[HKEY_USERS\S-1-5-21-2357816084-603884151-2891837792-500\Software\Microsoft\Windows\CurrentVersion\Expl orer\FileExts\.m3u\UserChoice]
@Denied: (2) (Administrator)
"Progid"="Applications\\winampa.exe"

[HKEY_USERS\S-1-5-21-2357816084-603884151-2891837792-500\Software\Microsoft\Windows\CurrentVersion\Expl orer\FileExts\.mid\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.MIDI"

[HKEY_USERS\S-1-5-21-2357816084-603884151-2891837792-500\Software\Microsoft\Windows\CurrentVersion\Expl orer\FileExts\.midi\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.MIDI"

[HKEY_USERS\S-1-5-21-2357816084-603884151-2891837792-500\Software\Microsoft\Windows\CurrentVersion\Expl orer\FileExts\.MOD\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.MPEG"

[HKEY_USERS\S-1-5-21-2357816084-603884151-2891837792-500\Software\Microsoft\Windows\CurrentVersion\Expl orer\FileExts\.mp2\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.MPEG"

[HKEY_USERS\S-1-5-21-2357816084-603884151-2891837792-500\Software\Microsoft\Windows\CurrentVersion\Expl orer\FileExts\.mp2v\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.MPEG"

[HKEY_USERS\S-1-5-21-2357816084-603884151-2891837792-500\Software\Microsoft\Windows\CurrentVersion\Expl orer\FileExts\.mp3\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.MP3"

[HKEY_USERS\S-1-5-21-2357816084-603884151-2891837792-500\Software\Microsoft\Windows\CurrentVersion\Expl orer\FileExts\.mpa\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.MPEG"

[HKEY_USERS\S-1-5-21-2357816084-603884151-2891837792-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mpe\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.MPEG"

[HKEY_USERS\S-1-5-21-2357816084-603884151-2891837792-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mpeg\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.MPEG"

[HKEY_USERS\S-1-5-21-2357816084-603884151-2891837792-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mpg\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.MPEG"

[HKEY_USERS\S-1-5-21-2357816084-603884151-2891837792-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mpv2\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.MPEG"

[HKEY_USERS\S-1-5-21-2357816084-603884151-2891837792-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.MIDI"

[HKEY_USERS\S-1-5-21-2357816084-603884151-2891837792-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\UserChoice]
@Denied: (2) (Administrator)
"Progid"="FirefoxHTML"

[HKEY_USERS\S-1-5-21-2357816084-603884151-2891837792-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.AU"

[HKEY_USERS\S-1-5-21-2357816084-603884151-2891837792-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wav\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.WAV"

[HKEY_USERS\S-1-5-21-2357816084-603884151-2891837792-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wax\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.WAX"

[HKEY_USERS\S-1-5-21-2357816084-603884151-2891837792-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wm\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.ASF"

[HKEY_USERS\S-1-5-21-2357816084-603884151-2891837792-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wma\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.WMA"

[HKEY_USERS\S-1-5-21-2357816084-603884151-2891837792-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wmd\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.WMD"

[HKEY_USERS\S-1-5-21-2357816084-603884151-2891837792-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wms\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.WMS"

[HKEY_USERS\S-1-5-21-2357816084-603884151-2891837792-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wmv\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.WMV"

[HKEY_USERS\S-1-5-21-2357816084-603884151-2891837792-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wmx\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.ASX"

[HKEY_USERS\S-1-5-21-2357816084-603884151-2891837792-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wmz\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.WMZ"

[HKEY_USERS\S-1-5-21-2357816084-603884151-2891837792-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wpl\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.WPL"

[HKEY_USERS\S-1-5-21-2357816084-603884151-2891837792-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.WVX"

[HKEY_USERS\S-1-5-21-2357816084-603884151-2891837792-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\UserChoice]
@Denied: (2) (Administrator)
"Progid"="FirefoxHTML"

[HKEY_USERS\S-1-5-21-2357816084-603884151-2891837792-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\UserChoice]
@Denied: (2) (Administrator)
"Progid"="FirefoxHTML"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\Windows\\system32\\OLE32.DLL"
"cd042efbbd7f7af1647644e76e06692b"=hex:e2,63,26,f1,3f,c8,ff,68,89,79,57,bf,a0,
e7,09,9a,e2,63,26,f1,3f,c8,ff,68,59,f7,47,5a,8e,81,64,b2,e2,63,26,f1,3f,c8,\

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\Windows\\system32\\OLE32.DLL"
"bca643cdc5c2726b20d2ecedcc62c59b"=hex:46,47,15,b0,92,4b,c7,ef,b3,86,cd,74,c1,
8e,2a,4f,6a,9c,d6,61,af,45,84,18,3e,3c,13,f8,7f,0b,ec,3b,6a,9c,d6,61,af,45,\

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\Windows\\system32\\OLE32.DLL"
"2c81e34222e8052573023a60d06dd016"=hex:ff,7c,85,e0,43,d4,0e,fe,42,34,20,07,c8,
a8,99,00,ff,7c,85,e0,43,d4,0e,fe,8c,48,02,a6,3e,c5,94,a5,ff,7c,85,e0,43,d4,\

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\Windows\\system32\\OLE32.DLL"
"2582ae41fb52324423be06337561aa48"=hex:6b,65,49,6a,7e,99,74,f7,47,c8,0c,af,b6,
f6,83,ed,86,8c,21,01,be,91,eb,e7,d9,c1,22,9f,74,f9,32,ce,86,8c,21,01,be,91,\

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\Windows\\system32\\OLE32.DLL"
"caaeda5fd7a9ed7697d9686d4b818472"=hex:e9,02,6c,fa,fb,1d,47,57,f1,40,3f,af,fe,
d0,3d,f0,f5,1d,4d,73,a8,13,5c,05,40,bb,46,d3,1d,30,90,76,f5,1d,4d,73,a8,13,\

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\Windows\\system32\\OLE32.DLL"
"a4a1bcf2cc2b8bc3716b74b2b4522f5d"=hex:df,20,58,62,78,6b,cf,c8,5f,d7,3c,35,f6,
cd,4b,f8,df,20,58,62,78,6b,cf,c8,60,46,4a,2c,8d,a1,c0,44,df,20,58,62,78,6b,\

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\Windows\\system32\\OLE32.DLL"
"4d370831d2c43cd13623e232fed27b7b"=hex:31,77,e1,ba,b1,f8,68,02,a3,c1,96,12,b8,
46,c4,07,fb,a7,78,e6,12,2f,9a,ea,f7,2a,00,19,ad,ca,2c,e1,fb,a7,78,e6,12,2f,\

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\Windows\\system32\\OLE32.DLL"
"1d68fe701cdea33e477eb204b76f993d"=hex:aa,52,c6,00,84,3c,26,64,12,db,c6,47,a3,
6c,10,c3,01,3a,48,fc,e8,04,4a,f1,56,25,f6,04,9b,b4,ac,af,01,3a,48,fc,e8,04,\

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\Windows\\system32\\OLE32.DLL"
"1fac81b91d8e3c5aa4b0a51804d844a3"=hex:f6,0f,4e,58,98,5b,89,c9,e9,a0,67,ea,43,
14,93,2a,f6,0f,4e,58,98,5b,89,c9,a9,86,73,41,8f,da,5f,12,f6,0f,4e,58,98,5b,\

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\Windows\\system32\\OLE32.DLL"
"f5f62a6129303efb32fbe080bb27835b"=hex:37,a4,aa,c3,a6,15,56,0a,29,ee,a5,f1,bd,
49,77,e1,3d,ce,ea,26,2d,45,aa,78,7e,5b,a8,a8,e4,fc,63,43,3d,ce,ea,26,2d,45,\

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\Windows\\system32\\OLE32.DLL"
"fd4e2e1a3940b94dceb5a6a021f2e3c6"=hex:2a,b7,cc,b5,b9,7f,41,e7,60,e4,e4,d0,fa,
54,62,7d,2a,b7,cc,b5,b9,7f,41,e7,75,97,2f,66,5d,f3,e3,43,2a,b7,cc,b5,b9,7f,\

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\Windows\\system32\\OLE32.DLL"
"8a8aec57dd6508a385616fbc86791ec2"=hex:fa,ea,66,7f,d4,3b,6b,70,45,4d,53,e4,b4,
7f,68,92,6c,43,2d,1e,aa,22,2f,9c,00,f4,92,d9,b2,33,b9,a3,6c,43,2d,1e,aa,22,\
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\nvvsvc.exe
c:\windows\System32\audiodg.exe
c:\windows\System32\rundll32.exe
c:\program files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
c:\windows\System32\conime.exe
c:\windows\System32\WUDFHost.exe
c:\program files\Brother\ControlCenter3\BrccMCtl.exe
c:\program files\Brother\Brmfcmon\BrMfcMon.exe
c:\windows\System32\rundll32.exe
c:\program files\Windows Media Player\wmpnetwk.exe
.
**************************************************************************
.
Completion time: 2009-08-19 11:20 - machine was rebooted
ComboFix-quarantined-files.txt 2009-08-19 09:19

Pre-Run: 144.227.012.608 bytes libres
Post-Run: 144.343.633.920 bytes libres

455 --- E O F --- 2009-08-13 20:56

  post #22  
19/08/09, 08:21:03
Leosolari
Moderator
 
Registered: Jun 2007
Location: argentina
Posts: 17.165
Re: Virtumonde

Do the following:
  • Click START > RUN >
    • There type notepad.exe and OK
    • Now copy and paste the text from the box below into Notepad

Code:
KillAll::

File::
c:\users\ADMINI~1\AppData\Local\Temp\~temp\mlp47\mdm.exe

Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"TCP Query User{BBF71D8B-9B54-40F4-816B-5D5EC6AF78CD}c:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\~temp\\mlp32\\mdm.exe"=-
"TCP Query User{BBF71D8B-9B54-40F4-996B-5D5EC6AF78CD}c:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\~temp\\mlp32\\mdm.exe"=-
"UDP Query User{4C9BECF3-6333-4D16-A3DB-DF8B71A69449}c:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\~temp\\mlp32\\mdm.exe"=-
"UDP Query User{4C9BECF3-6333-4D16-99DB-DF8B71A69449}c:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\~temp\\mlp32\\mdm.exe"=-
"TCP Query User{BBF71D8B-9B54-40F4-816B-5D5EC6AF78CD}c:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\~temp\\mlp33\\mdm.exe"=-
"TCP Query User{BBF71D8B-9B54-40F4-996B-5D5EC6AF78CD}c:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\~temp\\mlp33\\mdm.exe"=-
"UDP Query User{4C9BECF3-6333-4D16-A3DB-DF8B71A69449}c:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\~temp\\mlp33\\mdm.exe"=-
"UDP Query User{4C9BECF3-6333-4D16-99DB-DF8B71A69449}c:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\~temp\\mlp33\\mdm.exe"=-
"TCP Query User{BBF71D8B-9B54-40F4-816B-5D5EC6AF78CD}c:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\~temp\\mlp35\\mdm.exe"=-
"TCP Query User{BBF71D8B-9B54-40F4-996B-5D5EC6AF78CD}c:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\~temp\\mlp35\\mdm.exe"=-
"UDP Query User{4C9BECF3-6333-4D16-A3DB-DF8B71A69449}c:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\~temp\\mlp35\\mdm.exe"=-
"UDP Query User{4C9BECF3-6333-4D16-99DB-DF8B71A69449}c:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\~temp\\mlp35\\mdm.exe"=-
"TCP Query User{BBF71D8B-9B54-40F4-816B-5D5EC6AF78CD}c:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\~temp\\mlp43\\mdm.exe"=-
"TCP Query User{BBF71D8B-9B54-40F4-996B-5D5EC6AF78CD}c:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\~temp\\mlp43\\mdm.exe"=-
"UDP Query User{4C9BECF3-6333-4D16-A3DB-DF8B71A69449}c:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\~temp\\mlp43\\mdm.exe"=-
"UDP Query User{4C9BECF3-6333-4D16-99DB-DF8B71A69449}c:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\~temp\\mlp43\\mdm.exe"=-
"TCP Query User{BBF71D8B-9B54-40F4-816B-5D5EC6AF78CD}c:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\~temp\\mlp44\\mdm.exe"=-
"TCP Query User{BBF71D8B-9B54-40F4-996B-5D5EC6AF78CD}c:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\~temp\\mlp44\\mdm.exe"=-
"UDP Query User{4C9BECF3-6333-4D16-A3DB-DF8B71A69449}c:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\~temp\\mlp44\\mdm.exe"=-
"UDP Query User{4C9BECF3-6333-4D16-99DB-DF8B71A69449}c:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\~temp\\mlp44\\mdm.exe"=-
"TCP Query User{BBF71D8B-9B54-40F4-816B-5D5EC6AF78CD}c:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\~temp\\mlp45\\mdm.exe"=-
"TCP Query User{BBF71D8B-9B54-40F4-996B-5D5EC6AF78CD}c:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\~temp\\mlp45\\mdm.exe"=-
"UDP Query User{4C9BECF3-6333-4D16-A3DB-DF8B71A69449}c:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\~temp\\mlp45\\mdm.exe"=-
"UDP Query User{4C9BECF3-6333-4D16-99DB-DF8B71A69449}c:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\~temp\\mlp45\\mdm.exe"=-
"TCP Query User{BBF71D8B-9B54-40F4-816B-5D5EC6AF78CD}c:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\~temp\\mlp46\\mdm.exe"=-
"TCP Query User{BBF71D8B-9B54-40F4-996B-5D5EC6AF78CD}c:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\~temp\\mlp46\\mdm.exe"=-
"UDP Query User{4C9BECF3-6333-4D16-A3DB-DF8B71A69449}c:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\~temp\\mlp46\\mdm.exe"=-
"UDP Query User{4C9BECF3-6333-4D16-99DB-DF8B71A69449}c:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\~temp\\mlp46\\mdm.exe"=-
"TCP Query User{BBF71D8B-9B54-40F4-816B-5D5EC6AF78CD}c:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\~temp\\mlp47\\mdm.exe"=-
"TCP Query User{BBF71D8B-9B54-40F4-996B-5D5EC6AF78CD}c:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\~temp\\mlp47\\mdm.exe"=-
"UDP Query User{4C9BECF3-6333-4D16-A3DB-DF8B71A69449}c:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\~temp\\mlp47\\mdm.exe"=-
"UDP Query User{4C9BECF3-6333-4D16-99DB-DF8B71A69449}c:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\~temp\\mlp47\\mdm.exe"=-
"TCP Query User{BBF71D8B-9B54-40F4-816B-5D5EC6AF78CD}c:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\~temp\\mlp49\\mdm.exe"=-
"TCP Query User{BBF71D8B-9B54-40F4-996B-5D5EC6AF78CD}c:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\~temp\\mlp49\\mdm.exe"=-
"UDP Query User{4C9BECF3-6333-4D16-A3DB-DF8B71A69449}c:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\~temp\\mlp49\\mdm.exe"=-
"UDP Query User{4C9BECF3-6333-4D16-99DB-DF8B71A69449}c:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\~temp\\mlp49\\mdm.exe"=-

  • Save this file with the name CFScript.txt
  • Drag and drop the CFScript.txt file onto the ComboFix.exe file as shown in the screenshot below.



  • ComboFix will start running again. When it finishes it will generate a new report that you will have to paste in this same thread.

regards


PS: Let us know how your PC is doing now


Last edited by Leosolari on 19/08/09 at 08:23:29.
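The CFScript above removes the mdm.exe dropper from Temp and the firewall exceptions it registered; the ComboFix reports in this thread also show the same 61440-byte binary parked as logman.exe, mstsc.exe and comrepl.exe under the policies\explorer\Run keys and the legacy "load" value. As an added example (not code from the thread, the moderator or ComboFix), the Python below parses a report's "Reg Loading Points" section and flags exactly that kind of entry; the sample lines are constructed from the thread's reports, and the heuristics and the expected-location table are the example's own assumptions.

```python
"""Triage the "Reg Loading Points" section of a ComboFix report.

Added example, not code from the thread or from ComboFix: it flags autoruns
launched from user-writable folders, entries under rarely used autorun keys,
Windows system binary names living in the wrong directory, and one dropper
(same size and timestamp) registered under several names. The sample log is
constructed from lines quoted in the thread; the heuristics are assumptions.
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed excerpt in ComboFix's own layout, built from lines in the thread.
SAMPLE_LOG = r"""
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2009-02-06 2021400]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-03-27 13687328]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\Currentversion\policies\explorer\Run]
"Mstsc"="c:\windows\mstsc.exe" [2009-07-07 61440]

[HKEY_CURRENT_USER\software\microsoft\windows\Currentversion\policies\explorer\Run]
"Logman"="c:\windows\System32\drivers\logman.exe" [2009-07-07 61440]

[HKEY_USERS\.DEFAULT\software\microsoft\windows\Currentversion\policies\explorer\Run]
"ComRepl"="c:\windows\System\comrepl.exe" [2009-07-07 61440]

[HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\windows]
"load"=c:\users\ADMINI~1\AppData\Local\Temp\logman.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{B6C5423A-8BA3-41E4-A135-072FE3671FDC}"= c:\program files\Skype\Phone\Skype.exe:Skype
"TCP Query User{BBF71D8B-9B54-40F4-816B-5D5EC6AF78CD}c:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\~temp\\mlp32\\mdm.exe"= UDP:c:\users\ADMINI~1\AppData\Local\Temp\~temp\mlp32\mdm.exe:UpdateWizzard
"""

# Autorun locations that legitimate installers almost never use (assumption).
RARE_AUTORUN_KEYS = (r"\policies\explorer\run", r"\windows nt\currentversion\windows")
# Folders an unprivileged user (or malware running as one) can write to.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")
# Where the genuine copies of these Windows binaries live (names seen in the log).
SYSTEM_BINARY_HOME = {
    "logman.exe": r"c:\windows\system32",
    "mstsc.exe": r"c:\windows\system32",
    "comrepl.exe": r"c:\windows\system32\com",
    "esentutl.exe": r"c:\windows\system32",
    "spoolsv.exe": r"c:\windows\system32",
}
PATH_RE = re.compile(r'([a-z]:\\[^"\[\r\n]*?\.(?:exe|dll|sys|scr|bat|cmd))\b', re.I)
STAMP_RE = re.compile(r"\[(\d{4}-\d{2}-\d{2}) (\d+)\]\s*$")  # ComboFix's [date size]


@dataclass
class Entry:
    key: str
    name: str
    path: str
    stamp: Optional[tuple]          # (date, size) when ComboFix printed one
    reasons: List[str] = field(default_factory=list)


def parse_entries(log_text: str) -> List[Entry]:
    """Return one Entry per value line that references an executable path."""
    entries, key = [], ""
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]                 # current registry key
        elif line.startswith('"') and '"=' in line:
            name, rhs = line.split('"=', 1)  # value name / value data
            m = PATH_RE.search(rhs)
            if m:
                s = STAMP_RE.search(rhs)
                stamp = (s.group(1), int(s.group(2))) if s else None
                entries.append(Entry(key, name[1:], m.group(1), stamp))
    return entries


def triage(log_text: str) -> List[Entry]:
    """Return only the entries that trip at least one heuristic, with reasons."""
    entries = parse_entries(log_text)
    names_by_stamp = defaultdict(set)    # one binary under many names shares both
    for e in entries:
        if e.stamp:
            names_by_stamp[e.stamp].add(e.path.lower().rsplit("\\", 1)[-1])
    for e in entries:
        path = e.path.lower()
        folder, base = path.rsplit("\\", 1)
        if any(k in e.key.lower() for k in RARE_AUTORUN_KEYS):
            e.reasons.append("rarely used autorun key")
        if any(u in path for u in USER_WRITABLE):
            e.reasons.append("runs from a user-writable folder")
        if base in SYSTEM_BINARY_HOME and folder != SYSTEM_BINARY_HOME[base]:
            e.reasons.append(f"{base} expected in {SYSTEM_BINARY_HOME[base]}")
        if e.stamp and len(names_by_stamp[e.stamp]) > 1:
            e.reasons.append("same size/timestamp as other autorun binaries")
    return [e for e in entries if e.reasons]
```

Run `triage(open("ComboFix.txt").read())` against a real report to list the entries worth a second look together with the reason each one tripped; it is a reading aid, not a replacement for the moderator's review.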
  post #23  
19/08/09, 08:46:46
User
 
Registered: Aug 2005
Location: españa
Posts: 136
Re: Virtumonde

Quote:
Originally posted by Leosolari
(the CFScript instructions from post #22, quoted in full)
This time I forgot to disable the antivirus, sorry, I rushed. I hope this doesn't cause any problem. I'm sending you the report.

To find out whether "virtumonde" has gone I'm going to run Spybot and then I'll let you know. Thanks.

ComboFix 09-08-18.01 - Administrador 19/08/2009 13:33.1.4 - NTFSx86
Microsoft® Windows Vista™ Ultimate 6.0.6001.1.1252.34.3082.18.3582.2674 [GMT 2:00]
Running from: c:\users\Administrador\Desktop\ComboFix.exe
Command switches used :: c:\users\Administrador\Documents\CFScript.txt
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\users\Administrador\AppData\Roaming\comrepl.exe
c:\users\Administrador\AppData\Roaming\spoolsv.exe
c:\windows\system\comrepl.exe
c:\windows\system\esentutl.exe
c:\windows\system32\drivers\logman.exe

.
((((((((((((((((((((((((( Files Created from 2009-07-19 to 2009-08-19 )))))))))))))))))))))))))))))))
.

2009-08-19 11:36 . 2009-07-07 17:19 61440 ----a-w- c:\users\Administrador\AppData\Roaming\clipsrv.exe
2009-08-19 11:35 . 2009-08-19 11:35 -------- d-----w- c:\users\Public\AppData\Local\temp
2009-08-19 11:35 . 2009-08-19 11:35 -------- d-----w- c:\users\Default\AppData\Local\temp
2009-08-18 18:18 . 2008-06-19 15:24 28544 ----a-w- c:\windows\system32\drivers\pavboot.sys
2009-08-18 18:18 . 2009-08-18 18:18 -------- d-----w- c:\program files\Panda Security
2009-08-18 18:09 . 2009-07-07 17:19 61440 ----a-w- c:\windows\mstsc.exe
2009-08-18 17:43 . 2009-08-18 17:43 -------- d-----w- c:\users\Administrador\AppData\Roaming\Malwarebytes
2009-08-18 17:43 . 2009-08-03 11:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-18 17:43 . 2009-08-18 17:43 -------- d-----w- c:\progra~2\Malwarebytes
2009-08-18 17:43 . 2009-08-18 18:25 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-18 17:43 . 2009-08-03 11:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-18 17:09 . 2009-08-18 17:09 -------- d-----w- c:\program files\CCleaner
2009-08-13 20:54 . 2009-07-17 14:35 71680 ----a-w- c:\windows\system32\atl.dll
2009-08-13 20:54 . 2009-06-10 12:12 160256 ----a-w- c:\windows\system32\wkssvc.dll
2009-08-13 20:54 . 2009-06-04 12:34 2066432 ----a-w- c:\windows\system32\mstscax.dll
2009-08-13 20:54 . 2009-06-10 12:07 91136 ----a-w- c:\windows\system32\avifil32.dll
2009-08-13 20:54 . 2009-06-15 15:21 499712 ----a-w- c:\windows\system32\kerberos.dll
2009-08-13 20:54 . 2009-06-15 15:24 175104 ----a-w- c:\windows\system32\wdigest.dll
2009-08-13 20:54 . 2009-06-15 15:24 270848 ----a-w- c:\windows\system32\schannel.dll
2009-08-13 20:54 . 2009-06-15 15:23 1256448 ----a-w- c:\windows\system32\lsasrv.dll
2009-08-13 20:54 . 2009-06-15 15:22 213504 ----a-w- c:\windows\system32\msv1_0.dll
2009-08-13 20:54 . 2009-06-15 18:20 439896 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2009-08-13 20:54 . 2009-06-15 15:24 72704 ----a-w- c:\windows\system32\secur32.dll
2009-08-13 20:54 . 2009-06-15 12:57 9728 ----a-w- c:\windows\system32\lsass.exe
2009-08-13 20:53 . 2009-07-14 13:00 313344 ----a-w- c:\windows\system32\wmpdxm.dll
2009-08-13 20:53 . 2009-07-14 12:59 4096 ----a-w- c:\windows\system32\dxmasf.dll
2009-08-13 20:53 . 2009-07-14 12:58 7680 ----a-w- c:\windows\system32\spwmp.dll
2009-08-13 20:53 . 2009-07-14 10:59 8147456 ----a-w- c:\windows\system32\wmploc.DLL
2009-08-12 15:22 . 2009-08-12 15:22 -------- d-----w- c:\users\Administrador\AppData\Roaming\ScanSoft
2009-08-11 08:39 . 2009-08-11 08:39 -------- d-----w- c:\users\Administrador\AppData\Roaming\VoipBuster
2009-08-11 08:38 . 2009-08-11 08:38 -------- d-----w- c:\program files\VoipBuster.com
2009-08-04 20:30 . 2009-08-04 20:31 -------- d-----w- c:\progra~2\NVIDIA
2009-08-04 20:23 . 2009-03-27 22:03 801312 ----a-w- c:\windows\system32\nvcplui.exe
2009-08-04 20:23 . 2009-03-27 22:03 453152 ----a-w- c:\windows\system32\nvuninst.exe
2009-08-04 20:23 . 2009-03-27 22:03 1108512 ----a-w- c:\windows\system32\nvcpluir.dll
2009-08-02 11:27 . 2009-08-02 11:27 -------- d-----w- c:\users\Administrador\AppData\Roaming\Softplicity
2009-08-02 11:27 . 2009-08-02 11:27 -------- d-----w- c:\program files\TotalAudioConverter
2009-08-01 21:28 . 2009-08-01 21:28 -------- d-----w- c:\program files\Alcohol Soft
2009-08-01 21:26 . 2009-08-01 21:26 685816 ----a-w- c:\windows\system32\drivers\sptd.sys
2009-08-01 17:24 . 2009-08-12 12:37 -------- d-----w- c:\users\Administrador\AppData\Roaming\Winamp
2009-07-28 21:47 . 2009-07-28 21:47 -------- d-----w- c:\program files\MSXML 4.0
2009-07-28 20:42 . 2009-07-28 20:42 -------- d-----w- c:\users\Administrador\AppData\Local\ESET
2009-07-28 20:26 . 2009-07-28 20:26 -------- d-----w- c:\program files\Common Files\PX Storage Engine
2009-07-28 20:15 . 2009-04-28 20:20 44944 ------w- c:\windows\system32\drivers\PxHelp20.sys
2009-07-28 18:56 . 2009-08-18 23:39 -------- d-----w- c:\progra~2\Spybot - Search & Destroy
2009-07-28 18:56 . 2009-08-01 08:59 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-07-28 18:54 . 2009-07-28 18:54 -------- d-----w- c:\program files\jv16 PowerTools
2009-07-28 18:49 . 2009-07-28 18:53 10054 ----a-w- c:\windows\msvrc20.dll
2009-07-28 18:49 . 2009-07-28 18:49 -------- d-----w- c:\program files\IObit
2009-07-28 18:46 . 2009-08-16 22:42 -------- d-----w- C:\MSNCleaner

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-19 09:22 . 2006-11-02 16:00 667748 ----a-w- c:\windows\system32\perfh00A.dat
2009-08-19 09:22 . 2006-11-02 16:00 129514 ----a-w- c:\windows\system32\perfc00A.dat
2009-08-11 19:44 . 2009-03-29 23:27 -------- d-----w- c:\users\Administrador\AppData\Roaming\Skype
2009-08-04 20:04 . 2009-01-24 02:06 680 ----a-w- c:\users\Administrador\AppData\Local\d3d9caps.dat
2009-08-01 17:25 . 2009-02-04 17:30 -------- d-----w- c:\program files\Winamp
2009-07-27 17:24 . 2009-02-04 17:33 -------- d-----w- c:\program files\eMule
2009-07-18 16:06 . 2009-07-28 21:46 827904 ----a-w- c:\windows\system32\wininet.dll
2009-07-18 16:01 . 2009-07-28 21:46 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-07-18 09:46 . 2009-07-28 21:46 26624 ----a-w- c:\windows\system32\ieUnatt.exe
2009-07-07 17:19 . 2009-08-19 09:16 61440 ----a-w- c:\windows\system32\drivers\logman.exe
2009-06-15 15:24 . 2009-07-28 21:46 156672 ----a-w- c:\windows\system32\t2embed.dll
2009-06-15 15:20 . 2009-07-28 21:46 72704 ----a-w- c:\windows\system32\fontsub.dll
2009-06-15 15:20 . 2009-07-28 21:46 10240 ----a-w- c:\windows\system32\dciman32.dll
2009-06-15 12:52 . 2009-07-28 21:46 289792 ----a-w- c:\windows\system32\atmfd.dll
2009-06-11 05:02 . 2006-11-02 10:25 665600 ----a-w- c:\windows\inf\drvindex.dat
2009-06-09 04:36 . 2006-07-11 16:35 348160 ----a-w- c:\windows\system32\msvcr71.dll
2009-05-29 14:00 . 2009-01-24 02:19 87136 ----a-w- c:\users\Administrador\AppData\Local\GDIPFONTCACHEV1.DAT
2009-05-29 13:50 . 2009-05-29 13:50 29926 ----a-r- c:\users\Administrador\AppData\Roaming\Microsoft\Installer\{5EB90C06-964F-4195-B83E-BD7E55C88415}\ARPPRODUCTICON.exe
2008-08-07 08:27 . 2008-08-07 07:40 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AlcoholAutomount"="c:\program files\Alcohol Soft\Alcohol 120\axcmd.exe" [2007-07-02 220544]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-08-07 202240]
"VoipBuster"="c:\program files\VoipBuster.com\VoipBuster\VoipBuster.exe" [2009-07-16 9075504]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"snpstd"="c:\windows\vsnpstd.exe" [2005-10-11 339968]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 210472]
"PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2007-01-29 30248]
"IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe" [2007-01-29 46632]
"BrMfcWnd"="c:\program files\Brother\Brmfcmon\BrMfcWnd.exe" [2007-03-12 663552]
"ControlCenter3"="c:\program files\Brother\ControlCenter3\brctrcen.exe" [2007-01-26 65536]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2009-02-06 2021400]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-06-09 198160]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2009-07-01 37888]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-03-27 13687328]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-03-27 92704]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\Currentversion\policies\explorer\Run]
"Mstsc"="c:\windows\mstsc.exe" [2009-07-07 61440]

[HKEY_CURRENT_USER\software\microsoft\windows\Currentversion\policies\explorer\Run]
"Logman"="c:\windows\System32\drivers\logman.exe" [2009-07-07 61440]

[HKEY_USERS\.DEFAULT\software\microsoft\windows\Currentversion\policies\explorer\Run]
"ComRepl"="c:\windows\System\comrepl.exe" [2009-07-07 61440]

c:\progra~2\MICROS~1\Windows\STARTM~1\Programs\Startup\
Ralink Wireless Utility.lnk - c:\windows\RaUI.exe [2009-1-24 598016]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\windows]
"load"=c:\users\ADMINI~1\AppData\Local\Temp\logman.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{3080B9D5-7B6C-4D4B-98A1-CE2632E49CCE}"= TCP:6004|c:\program files\Microsoft Office\Office12\outlook.exe:Microsoft Office Outlook
"TCP Query User{0059050F-E0FD-4716-9291-95102E5E1626}c:\\program files\\mozilla firefox\\firefox.exe"= UDP:c:\program files\mozilla firefox\firefox.exe:Firefox
"UDP Query User{BAC5F1A2-FFB4-4A44-9F20-F55BDC57DA6E}c:\\program files\\mozilla firefox\\firefox.exe"= TCP:c:\program files\mozilla firefox\firefox.exe:Firefox
"TCP Query User{958AB601-555B-4BBA-B306-097E1AFFD4C6}c:\\program files\\emule\\emule.exe"= UDP:c:\program files\emule\emule.exe:eMule
"UDP Query User{BCB97809-B005-4735-94F5-8B3245EEFB02}c:\\program files\\emule\\emule.exe"= TCP:c:\program files\emule\emule.exe:eMule
"TCP Query User{6276BBFB-F502-45DC-A1F1-50978C932400}c:\\program files\\msn messenger 8.5\\msnmsgr.exe"= UDP:c:\program files\msn messenger 8.5\msnmsgr.exe:Windows Live Messenger
"UDP Query User{FEF261A8-2D12-4A66-B9A3-99EAB0C2EEC5}c:\\program files\\msn messenger 8.5\\msnmsgr.exe"= TCP:c:\program files\msn messenger 8.5\msnmsgr.exe:Windows Live Messenger
"{B6C5423A-8BA3-41E4-A135-072FE3671FDC}"= c:\program files\Skype\Phone\Skype.exe:Skype
"TCP Query User{BB6EB12D-399D-4624-B4B2-CDC29DADA0A3}c:\\program files\\mozilla firefox\\firefox.exe"= UDP:c:\program files\mozilla firefox\firefox.exe:Firefox
"UDP Query User{AF16CB95-1717-4FE7-84C5-A8BC1F9D8E07}c:\\program files\\mozilla firefox\\firefox.exe"= TCP:c:\program files\mozilla firefox\firefox.exe:Firefox
"{1BA7BB5F-BE01-4685-A5DD-39709AD71EA5}"= UDP:c:\program files\Pinnacle\Studio 12\Programs\RM.exe:Render Manager
"{6D526CF4-C7E7-468B-ADCC-35E2A740DAB2}"= TCP:c:\program files\Pinnacle\Studio 12\Programs\RM.exe:Render Manager
"{638F6559-6833-4F79-9FE4-160C7784B9B8}"= UDP:c:\program files\Pinnacle\Studio 12\Programs\Studio.exe:Studio
"{B26085CA-5708-45A7-BE0A-B91493309605}"= TCP:c:\program files\Pinnacle\Studio 12\Programs\Studio.exe:Studio
"{8DAC97E4-C1C2-4874-9E38-5A04B3829F7A}"= UDP:c:\program files\Pinnacle\Studio 12\Programs\umi.exe:umi
"{007DC4EF-385D-449D-B410-4A2085005D93}"= TCP:c:\program files\Pinnacle\Studio 12\Programs\umi.exe:umi
"TCP Query User{1F76BC4F-C2D9-4512-B71E-FCE656ADC2F7}c:\\program files\\pinnacle\\studio 12\\programs\\studio.exe"= UDP:c:\program files\pinnacle\studio 12\programs\studio.exe:Studio program file
"UDP Query User{11107221-6770-40E5-8AB7-ACC5BBA0FE86}c:\\program files\\pinnacle\\studio 12\\programs\\studio.exe"= TCP:c:\program files\pinnacle\studio 12\programs\studio.exe:Studio program file
"TCP Query User{D00C149C-25EF-49DD-919C-D3705FC9E5D2}c:\\program files\\emule\\emule.exe"= UDP:c:\program files\emule\emule.exe:eMule
"UDP Query User{C667155D-9BCD-4CD4-8D97-7F5606585DA7}c:\\program files\\emule\\emule.exe"= TCP:c:\program files\emule\emule.exe:eMule
"{45B55FF9-DAB1-4AC4-9F10-45EAC37C23D8}"= c:\program files\Skype\Phone\Skype.exe:Skype
"TCP Query User{BBF71D8B-9B54-40F4-816B-5D5EC6AF78CD}c:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\~temp\\mlp32\\mdm.exe"= UDP:c:\users\ADMINI~1\AppData\Local\Temp\~temp\mlp32\mdm.exe:UpdateWizzard
"TCP Query User{BBF71D8B-9B54-40F4-996B-5D5EC6AF78CD}c:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\~temp\\mlp32\\mdm.exe"= UDP:c:\users\ADMINI~1\AppData\Local\Temp\~temp\mlp32\mdm.exe:UpdateWizzard
"UDP Query User{4C9BECF3-6333-4D16-A3DB-DF8B71A69449}c:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\~temp\\mlp32\\mdm.exe"= TCP:c:\users\ADMINI~1\AppData\Local\Temp\~temp\mlp32\mdm.exe:UpdateWizzard
"UDP Query User{4C9BECF3-6333-4D16-99DB-DF8B71A69449}c:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\~temp\\mlp32\\mdm.exe"= TCP:c:\users\ADMINI~1\AppData\Local\Temp\~temp\mlp32\mdm.exe:UpdateWizzard
"TCP Query User{BBF71D8B-9B54-40F4-816B-5D5EC6AF78CD}c:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\~temp\\mlp33\\mdm.exe"= UDP:c:\users\ADMINI~1\AppData\Local\Temp\~temp\mlp33\mdm.exe:UpdateWizzard
"TCP Query User{BBF71D8B-9B54-40F4-996B-5D5EC6AF78CD}c:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\~temp\\mlp33\\mdm.exe"= UDP:c:\users\ADMINI~1\AppData\Local\Temp\~temp\mlp33\mdm.exe:UpdateWizzard
"UDP Query User{4C9BECF3-6333-4D16-A3DB-DF8B71A69449}c:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\~temp\\mlp33\\mdm.exe"= TCP:c:\users\ADMINI~1\AppData\Local\Temp\~temp\mlp33\mdm.exe:UpdateWizzard
"UDP Query User{4C9BECF3-6333-4D16-99DB-DF8B71A69449}c:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\~temp\\mlp33\\mdm.exe"= TCP:c:\users\ADMINI~1\AppData\Local\Temp\~temp\mlp33\mdm.exe:UpdateWizzard
"TCP Query User{BBF71D8B-9B54-40F4-816B-5D5EC6AF78CD}c:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\~temp\\mlp35\\mdm.exe"= UDP:c:\users\ADMINI~1\AppData\Local\Temp\~temp\mlp35\mdm.exe:UpdateWizzard
"TCP Query User{BBF71D8B-9B54-40F4-996B-5D5EC6AF78CD}c:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\~temp\\mlp35\\mdm.exe"= UDP:c:\users\ADMINI~1\AppData\Local\Temp\~temp\mlp35\mdm.exe:UpdateWizzard
"UDP Query User{4C9BECF3-6333-4D16-A3DB-DF8B71A69449}c:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\~temp\\mlp35\\mdm.exe"= TCP:c:\users\ADMINI~1\AppData\Local\Temp\~temp\mlp35\mdm.exe:UpdateWizzard
"UDP Query User{4C9BECF3-6333-4D16-99DB-DF8B71A69449}c:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\~temp\\mlp35\\mdm.exe"= TCP:c:\users\ADMINI~1\AppData\Local\Temp\~temp\mlp35\mdm.exe:UpdateWizzard
"TCP Query User{BBF71D8B-9B54-40F4-816B-5D5EC6AF78CD}c:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\~temp\\mlp43\\mdm.exe"= UDP:c:\users\ADMINI~1\AppData\Local\Temp\~temp\mlp43\mdm.exe:UpdateWizzard
"TCP Query User{BBF71D8B-9B54-40F4-996B-5D5EC6AF78CD}c:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\~temp\\mlp43\\mdm.exe"= UDP:c:\users\ADMINI~1\AppData\Local\Temp\~temp\mlp43\mdm.exe:UpdateWizzard
"UDP Query User{4C9BECF3-6333-4D16-A3DB-DF8B71A69449}c:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\~temp\\mlp43\\mdm.exe"= TCP:c:\users\ADMINI~1\AppData\Local\Temp\~temp\mlp43\mdm.exe:UpdateWizzard
"UDP Query User{4C9BECF3-6333-4D16-99DB-DF8B71A69449}c:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\~temp\\mlp43\\mdm.exe"= TCP:c:\users\ADMINI~1\AppData\Local\Temp\~temp\mlp43\mdm.exe:UpdateWizzard
"{45ABB48D-A0F2-4D0D-8F1E-7CD97B009E54}"= UDP:c:\program files\Winamp Remote\bin\Orb.exe:Orb
"{865F9FC5-7139-4F89-A73D-F7C6A045F616}"= TCP:c:\program files\Winamp Remote\bin\Orb.exe:Orb
"{FAE1674D-1639-4D7B-B9B5-5561EEAE9335}"= UDP:c:\program files\Winamp Remote\bin\OrbTray.exe:OrbTray
"{46C31F11-CEB6-461A-AE65-65331959AA47}"= TCP:c:\program files\Winamp Remote\bin\OrbTray.exe:OrbTray
"{7CD75F22-BC40-4544-9009-B6B1110B2279}"= UDP:c:\program files\Winamp Remote\bin\OrbIR.exe:OrbIR
"{F3BE4407-9A37-42F6-A358-E0E4D8B7E514}"= TCP:c:\program files\Winamp Remote\bin\OrbIR.exe:OrbIR
"{D7B03E71-C771-4B67-BDAE-607D42DB1973}"= UDP:c:\program files\Winamp Remote\bin\OrbStreamerClient.exe:Orb Stream Client
"{721FE511-1A34-4A51-A5DE-9F6FB2BEA3E8}"= TCP:c:\program files\Winamp Remote\bin\OrbStreamerClient.exe:Orb Stream Client
"TCP Query User{BBF71D8B-9B54-40F4-816B-5D5EC6AF78CD}c:\\Users\\ADMINI~1\\AppData\\Local\\ Temp\\~temp\\mlp44\\mdm.exe"= UDP:c:\users\ADMINI~1\AppData\Local\Temp\~temp\mlp 44\mdm.exe:UpdateWizzard
"TCP Query User{BBF71D8B-9B54-40F4-996B-5D5EC6AF78CD}c:\\Users\\ADMINI~1\\AppData\\Local\\ Temp\\~temp\\mlp44\\mdm.exe"= UDP:c:\users\ADMINI~1\AppData\Local\Temp\~temp\mlp 44\mdm.exe:UpdateWizzard
"UDP Query User{4C9BECF3-6333-4D16-A3DB-DF8B71A69449}c:\\Users\\ADMINI~1\\AppData\\Local\\ Temp\\~temp\\mlp44\\mdm.exe"= TCP:c:\users\ADMINI~1\AppData\Local\Temp\~temp\mlp 44\mdm.exe:UpdateWizzard
"UDP Query User{4C9BECF3-6333-4D16-99DB-DF8B71A69449}c:\\Users\\ADMINI~1\\AppData\\Local\\ Temp\\~temp\\mlp44\\mdm.exe"= TCP:c:\users\ADMINI~1\AppData\Local\Temp\~temp\mlp 44\mdm.exe:UpdateWizzard
"TCP Query User{BBF71D8B-9B54-40F4-816B-5D5EC6AF78CD}c:\\Users\\ADMINI~1\\AppData\\Local\\ Temp\\~temp\\mlp45\\mdm.exe"= UDP:c:\users\ADMINI~1\AppData\Local\Temp\~temp\mlp 45\mdm.exe:UpdateWizzard
"TCP Query User{BBF71D8B-9B54-40F4-996B-5D5EC6AF78CD}c:\\Users\\ADMINI~1\\AppData\\Local\\ Temp\\~temp\\mlp45\\mdm.exe"= UDP:c:\users\ADMINI~1\AppData\Local\Temp\~temp\mlp 45\mdm.exe:UpdateWizzard
"UDP Query User{4C9BECF3-6333-4D16-A3DB-DF8B71A69449}c:\\Users\\ADMINI~1\\AppData\\Local\\ Temp\\~temp\\mlp45\\mdm.exe"= TCP:c:\users\ADMINI~1\AppData\Local\Temp\~temp\mlp 45\mdm.exe:UpdateWizzard
"UDP Query User{4C9BECF3-6333-4D16-99DB-DF8B71A69449}c:\\Users\\ADMINI~1\\AppData\\Local\\ Temp\\~temp\\mlp45\\mdm.exe"= TCP:c:\users\ADMINI~1\AppData\Local\Temp\~temp\mlp 45\mdm.exe:UpdateWizzard
"TCP Query User{BBF71D8B-9B54-40F4-816B-5D5EC6AF78CD}c:\\Users\\ADMINI~1\\AppData\\Local\\ Temp\\~temp\\mlp46\\mdm.exe"= UDP:c:\users\ADMINI~1\AppData\Local\Temp\~temp\mlp 46\mdm.exe:UpdateWizzard
"TCP Query User{BBF71D8B-9B54-40F4-996B-5D5EC6AF78CD}c:\\Users\\ADMINI~1\\AppData\\Local\\ Temp\\~temp\\mlp46\\mdm.exe"= UDP:c:\users\ADMINI~1\AppData\Local\Temp\~temp\mlp 46\mdm.exe:UpdateWizzard
"UDP Query User{4C9BECF3-6333-4D16-A3DB-DF8B71A69449}c:\\Users\\ADMINI~1\\AppData\\Local\\ Temp\\~temp\\mlp46\\mdm.exe"= TCP:c:\users\ADMINI~1\AppData\Local\Temp\~temp\mlp 46\mdm.exe:UpdateWizzard
"UDP Query User{4C9BECF3-6333-4D16-99DB-DF8B71A69449}c:\\Users\\ADMINI~1\\AppData\\Local\\ Temp\\~temp\\mlp46\\mdm.exe"= TCP:c:\users\ADMINI~1\AppData\Local\Temp\~temp\mlp 46\mdm.exe:UpdateWizzard
"{5FE57764-F193-4A7C-8742-40B949C8EF1F}"= UDP:c:\program files\VoipBuster.com\VoipBuster\VoipBuster.exe:Voi pBuster
"{713AC264-52B1-4169-B47C-F0337DA5595A}"= TCP:c:\program files\VoipBuster.com\VoipBuster\VoipBuster.exe:Voi pBuster
"{7CA92649-DB20-46ED-949E-6AE966640453}"= UDP:c:\program files\VoipBuster.com\VoipBuster\VoipBuster.exe:Voi pBuster
"{D2EDC23E-17C3-4B2F-B27E-96DBBC9BC1B5}"= TCP:c:\program files\VoipBuster.com\VoipBuster\VoipBuster.exe:Voi pBuster
"TCP Query User{BBF71D8B-9B54-40F4-816B-5D5EC6AF78CD}c:\\Users\\ADMINI~1\\AppData\\Local\\ Temp\\~temp\\mlp47\\mdm.exe"= UDP:c:\users\ADMINI~1\AppData\Local\Temp\~temp\mlp 47\mdm.exe:UpdateWizzard
"TCP Query User{BBF71D8B-9B54-40F4-996B-5D5EC6AF78CD}c:\\Users\\ADMINI~1\\AppData\\Local\\ Temp\\~temp\\mlp47\\mdm.exe"= UDP:c:\users\ADMINI~1\AppData\Local\Temp\~temp\mlp 47\mdm.exe:UpdateWizzard
"UDP Query User{4C9BECF3-6333-4D16-A3DB-DF8B71A69449}c:\\Users\\ADMINI~1\\AppData\\Local\\ Temp\\~temp\\mlp47\\mdm.exe"= TCP:c:\users\ADMINI~1\AppData\Local\Temp\~temp\mlp 47\mdm.exe:UpdateWizzard
"UDP Query User{4C9BECF3-6333-4D16-99DB-DF8B71A69449}c:\\Users\\ADMINI~1\\AppData\\Local\\ Temp\\~temp\\mlp47\\mdm.exe"= TCP:c:\users\ADMINI~1\AppData\Local\Temp\~temp\mlp 47\mdm.exe:UpdateWizzard
"TCP Query User{BBF71D8B-9B54-40F4-816B-5D5EC6AF78CD}c:\\Users\\ADMINI~1\\AppData\\Local\\ Temp\\~temp\\mlp49\\mdm.exe"= UDP:c:\users\ADMINI~1\AppData\Local\Temp\~temp\mlp 49\mdm.exe:UpdateWizzard
"TCP Query User{BBF71D8B-9B54-40F4-996B-5D5EC6AF78CD}c:\\Users\\ADMINI~1\\AppData\\Local\\ Temp\\~temp\\mlp49\\mdm.exe"= UDP:c:\users\ADMINI~1\AppData\Local\Temp\~temp\mlp 49\mdm.exe:UpdateWizzard
"UDP Query User{4C9BECF3-6333-4D16-A3DB-DF8B71A69449}c:\\Users\\ADMINI~1\\AppData\\Local\\ Temp\\~temp\\mlp49\\mdm.exe"= TCP:c:\users\ADMINI~1\AppData\Local\Temp\~temp\mlp 49\mdm.exe:UpdateWizzard
"UDP Query User{4C9BECF3-6333-4D16-99DB-DF8B71A69449}c:\\Users\\ADMINI~1\\AppData\\Local\\ Temp\\~temp\\mlp49\\mdm.exe"= TCP:c:\users\ADMINI~1\AppData\Local\Temp\~temp\mlp 49\mdm.exe:UpdateWizzard

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)

R0 pavboot;pavboot;c:\windows\System32\drivers\pavboot.sys [18/08/2009 20:18 28544]
R1 ehdrv;ehdrv;c:\windows\System32\drivers\ehdrv.sys [06/02/2009 14:23 106208]
R2 ekrn;ESET Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [06/02/2009 14:23 727720]
R2 epfwwfpr;epfwwfpr;c:\windows\System32\drivers\epfwwfpr.sys [06/02/2009 14:24 92800]
R3 rt61x86;Ralink RT61 Wireless Driver for Windows Vista;c:\windows\System32\drivers\netr61.sys [11/05/2007 16:28 357376]
S0 OemBiosDevice;Royalty OEM BIOS Extension;c:\windows\System32\drivers\royal.sys [24/01/2009 13:53 240128]
S2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [28/07/2009 20:56 810320]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.tropal.net/
mStart Page = hxxp://www.tropal.net/
IE: E&xportar a Microsoft Excel - c:\progra~1\MICROS~1\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\users\ADMINI~1\AppData\Roaming\Mozilla\Firefox\Profiles\cy1gi959.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.es
FF - component: c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll
FF - component: c:\program files\Real\RealPlayer\browserrecord\components\nprpbrowserrecordplugin.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-19 13:37
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-2357816084-603884151-2891837792-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.AIFF"

[HKEY_USERS\S-1-5-21-2357816084-603884151-2891837792-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.AIFF"

[HKEY_USERS\S-1-5-21-2357816084-603884151-2891837792-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.AIFF"

[HKEY_USERS\S-1-5-21-2357816084-603884151-2891837792-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asf\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.ASF"

[HKEY_USERS\S-1-5-21-2357816084-603884151-2891837792-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.ASX"

[HKEY_USERS\S-1-5-21-2357816084-603884151-2891837792-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.AU"

[HKEY_USERS\S-1-5-21-2357816084-603884151-2891837792-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.avi\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.avi"

[HKEY_USERS\S-1-5-21-2357816084-603884151-2891837792-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.cda\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.CDA"

[HKEY_USERS\S-1-5-21-2357816084-603884151-2891837792-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.doc\UserChoice]
@Denied: (2) (Administrator)
"Progid"="Applications\\AcroRD32.exe"

[HKEY_USERS\S-1-5-21-2357816084-603884151-2891837792-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\UserChoice]
@Denied: (2) (Administrator)
"Progid"="FirefoxHTML"

[HKEY_USERS\S-1-5-21-2357816084-603884151-2891837792-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\UserChoice]
@Denied: (2) (Administrator)
"Progid"="FirefoxHTML"

[HKEY_USERS\S-1-5-21-2357816084-603884151-2891837792-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m1v\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.MPEG"

[HKEY_USERS\S-1-5-21-2357816084-603884151-2891837792-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.M2V\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.MPEG"

[HKEY_USERS\S-1-5-21-2357816084-603884151-2891837792-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m3u\UserChoice]
@Denied: (2) (Administrator)
"Progid"="Applications\\winampa.exe"

[HKEY_USERS\S-1-5-21-2357816084-603884151-2891837792-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.MIDI"

[HKEY_USERS\S-1-5-21-2357816084-603884151-2891837792-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.midi\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.MIDI"

[HKEY_USERS\S-1-5-21-2357816084-603884151-2891837792-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.MOD\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.MPEG"

[HKEY_USERS\S-1-5-21-2357816084-603884151-2891837792-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.MPEG"

[HKEY_USERS\S-1-5-21-2357816084-603884151-2891837792-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2v\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.MPEG"

[HKEY_USERS\S-1-5-21-2357816084-603884151-2891837792-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp3\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.MP3"

[HKEY_USERS\S-1-5-21-2357816084-603884151-2891837792-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mpa\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.MPEG"

[HKEY_USERS\S-1-5-21-2357816084-603884151-2891837792-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mpe\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.MPEG"

[HKEY_USERS\S-1-5-21-2357816084-603884151-2891837792-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mpeg\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.MPEG"

[HKEY_USERS\S-1-5-21-2357816084-603884151-2891837792-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mpg\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.MPEG"

[HKEY_USERS\S-1-5-21-2357816084-603884151-2891837792-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mpv2\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.MPEG"

[HKEY_USERS\S-1-5-21-2357816084-603884151-2891837792-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.MIDI"

[HKEY_USERS\S-1-5-21-2357816084-603884151-2891837792-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\UserChoice]
@Denied: (2) (Administrator)
"Progid"="FirefoxHTML"

[HKEY_USERS\S-1-5-21-2357816084-603884151-2891837792-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.AU"

[HKEY_USERS\S-1-5-21-2357816084-603884151-2891837792-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wav\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.WAV"

[HKEY_USERS\S-1-5-21-2357816084-603884151-2891837792-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wax\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.WAX"

[HKEY_USERS\S-1-5-21-2357816084-603884151-2891837792-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wm\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.ASF"

[HKEY_USERS\S-1-5-21-2357816084-603884151-2891837792-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wma\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.WMA"

[HKEY_USERS\S-1-5-21-2357816084-603884151-2891837792-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wmd\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.WMD"

[HKEY_USERS\S-1-5-21-2357816084-603884151-2891837792-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wms\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.WMS"

[HKEY_USERS\S-1-5-21-2357816084-603884151-2891837792-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wmv\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.WMV"

[HKEY_USERS\S-1-5-21-2357816084-603884151-2891837792-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wmx\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.ASX"

[HKEY_USERS\S-1-5-21-2357816084-603884151-2891837792-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wmz\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.WMZ"

[HKEY_USERS\S-1-5-21-2357816084-603884151-2891837792-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wpl\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.WPL"

[HKEY_USERS\S-1-5-21-2357816084-603884151-2891837792-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.WVX"

[HKEY_USERS\S-1-5-21-2357816084-603884151-2891837792-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\UserChoice]
@Denied: (2) (Administrator)
"Progid"="FirefoxHTML"

[HKEY_USERS\S-1-5-21-2357816084-603884151-2891837792-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\UserChoice]
@Denied: (2) (Administrator)
"Progid"="FirefoxHTML"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\Windows\\system32\\OLE32.DLL"
"cd042efbbd7f7af1647644e76e06692b"=hex:e2,63,26,f1,3f,c8,ff,68,89,79,57,bf,a0,
e7,09,9a,e2,63,26,f1,3f,c8,ff,68,59,f7,47,5a,8e,81,64,b2,e2,63,26,f1,3f,c8,\

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\Windows\\system32\\OLE32.DLL"
"bca643cdc5c2726b20d2ecedcc62c59b"=hex:46,47,15,b0,92,4b,c7,ef,b3,86,cd,74,c1,
8e,2a,4f,6a,9c,d6,61,af,45,84,18,3e,3c,13,f8,7f,0b,ec,3b,6a,9c,d6,61,af,45,\

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\Windows\\system32\\OLE32.DLL"
"2c81e34222e8052573023a60d06dd016"=hex:ff,7c,85,e0,43,d4,0e,fe,42,34,20,07,c8,
a8,99,00,ff,7c,85,e0,43,d4,0e,fe,8c,48,02,a6,3e,c5,94,a5,ff,7c,85,e0,43,d4,\

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\Windows\\system32\\OLE32.DLL"
"2582ae41fb52324423be06337561aa48"=hex:6b,65,49,6a,7e,99,74,f7,47,c8,0c,af,b6,
f6,83,ed,86,8c,21,01,be,91,eb,e7,d9,c1,22,9f,74,f9,32,ce,86,8c,21,01,be,91,\

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\Windows\\system32\\OLE32.DLL"
"caaeda5fd7a9ed7697d9686d4b818472"=hex:e9,02,6c,fa,fb,1d,47,57,f1,40,3f,af,fe,
d0,3d,f0,f5,1d,4d,73,a8,13,5c,05,40,bb,46,d3,1d,30,90,76,f5,1d,4d,73,a8,13,\

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\Windows\\system32\\OLE32.DLL"
"a4a1bcf2cc2b8bc3716b74b2b4522f5d"=hex:df,20,58,62,78,6b,cf,c8,5f,d7,3c,35,f6,
cd,4b,f8,df,20,58,62,78,6b,cf,c8,60,46,4a,2c,8d,a1,c0,44,df,20,58,62,78,6b,\

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\Windows\\system32\\OLE32.DLL"
"4d370831d2c43cd13623e232fed27b7b"=hex:31,77,e1,ba,b1,f8,68,02,a3,c1,96,12,b8,
46,c4,07,fb,a7,78,e6,12,2f,9a,ea,f7,2a,00,19,ad,ca,2c,e1,fb,a7,78,e6,12,2f,\

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\Windows\\system32\\OLE32.DLL"
"1d68fe701cdea33e477eb204b76f993d"=hex:aa,52,c6,00,84,3c,26,64,12,db,c6,47,a3,
6c,10,c3,01,3a,48,fc,e8,04,4a,f1,56,25,f6,04,9b,b4,ac,af,01,3a,48,fc,e8,04,\

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\Windows\\system32\\OLE32.DLL"
"1fac81b91d8e3c5aa4b0a51804d844a3"=hex:f6,0f,4e,58,98,5b,89,c9,e9,a0,67,ea,43,
14,93,2a,f6,0f,4e,58,98,5b,89,c9,a9,86,73,41,8f,da,5f,12,f6,0f,4e,58,98,5b,\

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\Windows\\system32\\OLE32.DLL"
"f5f62a6129303efb32fbe080bb27835b"=hex:37,a4,aa,c3,a6,15,56,0a,29,ee,a5,f1,bd,
49,77,e1,3d,ce,ea,26,2d,45,aa,78,7e,5b,a8,a8,e4,fc,63,43,3d,ce,ea,26,2d,45,\

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\Windows\\system32\\OLE32.DLL"
"fd4e2e1a3940b94dceb5a6a021f2e3c6"=hex:2a,b7,cc,b5,b9,7f,41,e7,60,e4,e4,d0,fa,
54,62,7d,2a,b7,cc,b5,b9,7f,41,e7,75,97,2f,66,5d,f3,e3,43,2a,b7,cc,b5,b9,7f,\

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\Windows\\system32\\OLE32.DLL"
"8a8aec57dd6508a385616fbc86791ec2"=hex:fa,ea,66,7f,d4,3b,6b,70,45,4d,53,e4,b4,
7f,68,92,6c,43,2d,1e,aa,22,2f,9c,00,f4,92,d9,b2,33,b9,a3,6c,43,2d,1e,aa,22,\
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\nvvsvc.exe
c:\windows\System32\audiodg.exe
c:\windows\System32\rundll32.exe
c:\program files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
c:\windows\System32\WUDFHost.exe
c:\windows\System32\conime.exe
c:\program files\Brother\ControlCenter3\BrccMCtl.exe
c:\windows\System32\rundll32.exe
c:\program files\Brother\Brmfcmon\BrMfcMon.exe
c:\program files\Windows Media Player\wmpnetwk.exe
.
**************************************************************************
.
Completion time: 2009-08-19 13:40 - machine was rebooted
ComboFix-quarantined-files.txt 2009-08-19 11:40
ComboFix2.txt 2009-08-19 09:20

Pre-Run: 144.326.361.088 bytes libres
Post-Run: 144.126.070.784 bytes libres

437 --- E O F --- 2009-08-13 20:56
post #24
Old 19/08/09, 08:52:09
Leosolari
Moderator

Joined: Jun 2007
Location: argentina
Posts: 17,165
Re: Virtumonde
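An added example (not from the thread's participants, from ComboFix or from InfoSpyware): a small Python parser for lines in the shape of the firewall-policy section quoted in the log above. It flags firewall exceptions whose executable lives under a Temp directory (the `~temp\mlpNN\mdm.exe` entries labelled `UpdateWizzard`) and reads the `EnableFirewall` value. The sample lines are constructed from the log, with the forum-inserted spaces removed; the `TEMP_MARKERS` list is an assumption of the example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in the shape of the ComboFix firewall-policy lines from
# the post above. The header of the exceptions block is not visible in the
# excerpt, so none is given here.
SAMPLE_LOG = r'''
"{45B55FF9-DAB1-4AC4-9F10-45EAC37C23D8}"= c:\program files\Skype\Phone\Skype.exe:Skype
"TCP Query User{BBF71D8B-9B54-40F4-816B-5D5EC6AF78CD}c:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\~temp\\mlp32\\mdm.exe"= UDP:c:\users\ADMINI~1\AppData\Local\Temp\~temp\mlp32\mdm.exe:UpdateWizzard
"{45ABB48D-A0F2-4D0D-8F1E-7CD97B009E54}"= UDP:c:\program files\Winamp Remote\bin\Orb.exe:Orb

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)
'''

ENTRY_RE = re.compile(r'^"(?P<name>[^"]+)"=\s*(?P<value>.+)$')
ENABLE_RE = re.compile(r'^"EnableFirewall"=\s*(?P<val>\d+)', re.MULTILINE)

# Directories an installed, legitimately firewalled program is not expected to
# run from (assumed list; extend to taste).
TEMP_MARKERS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\", "\\temp\\")


@dataclass
class FirewallEntry:
    name: str                # registry value name: a GUID or "TCP Query User{...}path"
    protocol: Optional[str]  # "TCP", "UDP", or None when the line carries no protocol
    path: str                # executable the exception applies to
    label: str               # display name shown for the exception


def parse_firewall_entries(text: str) -> List[FirewallEntry]:
    """Parse `"name"= [PROTO:]path:label` lines; anything else is ignored."""
    entries: List[FirewallEntry] = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        value = m.group("value")
        # The label follows the LAST colon; the path keeps its drive-letter colon.
        path_part, sep, label = value.rpartition(":")
        if not sep or "\\" not in path_part:
            continue  # e.g. "EnableFirewall"= 0 (0x0) is a setting, not an exception
        protocol = None
        if path_part[:4].upper() in ("TCP:", "UDP:"):
            protocol, path_part = path_part[:3].upper(), path_part[4:]
        entries.append(FirewallEntry(m.group("name"), protocol, path_part.strip(), label.strip()))
    return entries


def find_temp_exceptions(entries: List[FirewallEntry]) -> List[FirewallEntry]:
    """Exceptions whose executable lives in a temp directory."""
    return [e for e in entries if any(mk in e.path.lower() for mk in TEMP_MARKERS)]


def firewall_disabled(text: str) -> Optional[bool]:
    """True when EnableFirewall is 0, False when non-zero, None when absent."""
    m = ENABLE_RE.search(text)
    if not m:
        return None
    return int(m.group("val")) == 0


if __name__ == "__main__":
    found = parse_firewall_entries(SAMPLE_LOG)
    for e in find_temp_exceptions(found):
        print(f"temp-dir exception: {e.label!r} -> {e.path} ({e.protocol})")
    if firewall_disabled(SAMPLE_LOG):
        print("StandardProfile: EnableFirewall = 0 (Windows Firewall is off)")
```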

Well... we'll be waiting here...

DON'T DESPAIR.... KEEP FIGHTING.

Forum News | Online Antivirus | Remove Malware | Forum Policies | Blog


* Help us by making a DONATION so we can keep helping.
* Keep up with the latest threats on the net at: InfoSpyware Blog
* Questions are not answered by private message or e-mail; that is what the forum is for.
post #25
Old 19/08/09, 09:03:15
User

Joined: Aug 2005
Location: españa
Posts: 136
Re: Virtumonde

Well, Spybot keeps detecting it.

(SBI $92386332)
C\Windows\System32\zipfldr.dll

Last edited by novatilla; 19/08/09 at 09:07:55.
post #26
Old 19/08/09, 09:28:42
Leosolari
Moderator

Joined: Jun 2007
Location: argentina
Posts: 17,165
Re: Virtumonde

º Download OTM by OldTimer to the desktop.

º Double-click OTM.exe to run it.

º Make sure "Unregister Dll's and Ocx's" is checked.

º Copy the text inside the box below and paste it into the left-hand pane of OTMoveIt labelled "Paste Instructions for Items to be Moved".


Code:
:files
C\Windows\System32\zipfldr.dll 
:commands
[emptytemp]
[purity]
[Reboot]
º Click MoveIt to start the removal. In the right-hand part of the program window, called Results, you can see the results of the removal.

º At the same time a prompt will open asking whether you want to restart the PC. You must click YES. If it does not ask, you must restart anyway to finish the removal.

º The results appear after the restart in C:\_OTM\MovedFiles\***_***.log (where "***_***" is the date and time).

Copy and paste this result in your next reply.

post #27
Old 19/08/09, 09:39:28
User

Joined: Aug 2005
Location: españa
Posts: 136
Re: Virtumonde

Here is the result; this time it didn't give me any problems. I took the chance and it didn't turn out so badly.

All processes killed
========== FILES ==========
File/Folder C\Windows\System32\zipfldr.dll not found.
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrador
->Temp folder emptied: 98304 bytes
->Temporary Internet Files folder emptied: 3437897 bytes
->FireFox cache emptied: 49713490 bytes

User: All Users

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Public
->Temp folder emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
Windows Temp folder emptied: 0 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 50,78 mb


OTM by OldTimer - Version 3.0.0.6 log created on 08192009_144410

Files moved on Reboot...

Registry entries deleted on Reboot...

Last edited by novatilla; 19/08/09 at 09:49:38.
post #28
Old 19/08/09, 11:47:43
User

Joined: Aug 2005
Location: españa
Posts: 136
Re: Virtumonde

I have run Spybot 2 more times; now the "Virtumonde" shows up like this:
(SBI $92386332) Biblioteca
C\Windows\System32\zipfldr.dll


But now it also detects "Dobleclick"; I remove it and it detects it again on the next scan.

What do you think?
post #29
Old 19/08/09, 18:47:18
User

Joined: Aug 2005
Location: españa
Posts: 136
Re: Virtumonde

I think I have solved it now:
searching the forum I found the possibility that it was a false positive. I was using the previous version of Spybot, which apparently is the one that detected "Virtumonde" as a false positive. I have updated it and it no longer appears.
The "dobleclick" still appears, but I think it is a tracking cookie; I'm not sure, but I think it isn't dangerous.
Sorry to have made you waste your time, although once again I have learned a lot and enjoyed your company and help even more.
Thanks, and if you want to close the topic, I think that is something you do, isn't it?
Regards
post #30
Old 19/08/09, 19:03:46
Leosolari
Moderator

Joined: Jun 2007
Location: argentina
Posts: 17,165
Re: Virtumonde

For any other problem, don't hesitate to post again. Best regards.


Topic Solved



PS: if you want to REOPEN THIS TOPIC, click and a MODERATOR will handle the request...
