Smitfraud-C.Toolbar888, Virtumonde, WebTrends Live



Moebius
2007-07-03, 16:31
Spybot detected this a couple of days ago, but it couldn't fix it.
Posting the HijackThis log (I renamed HijackThis_v2.exe to something.exe):


Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 15:21:13, on 03/07/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Archivos de programa\Avast4\aswUpdSv.exe
C:\Archivos de programa\Avast4\ashServ.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Archivos de programa\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\rqkalvbb.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wwSecure.exe
C:\Archivos de programa\Avast4\ashMaiSv.exe
C:\Archivos de programa\Avast4\ashWebSv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
C:\ARCHIV~1\Avast4\ashDisp.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Archivos de programa\Picasa2\PicasaMediaDetector.exe
C:\Archivos de programa\ATI Technologies\ATI.ACE\cli.exe
C:\Archivos de programa\HP\HP Software Update\HPWuSchd2.exe
C:\Archivos de programa\Google\Google Desktop Search\GoogleDesktop.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Archivos de programa\Spybot - Search & Destroy\TeaTimer.exe
C:\ARCHIV~1\HEWLET~1\Toolbox\STATUS~1\STATUS~1.EXE
C:\Archivos de programa\Google\Google Desktop Search\GoogleDesktop.exe
C:\Archivos de programa\Hewlett-Packard\Toolbox\jre\bin\javaw.exe
C:\Archivos de programa\ATI Technologies\ATI.ACE\cli.exe
C:\Archivos de programa\ATI Technologies\ATI.ACE\cli.exe
C:\Archivos de programa\Outlook Express\msimn.exe
C:\WINDOWS\system32\osyvklnk.exe
C:\Archivos de programa\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Archivos de programa\Adobe\Reader 8.0\Reader\AcroRd32.exe
C:\Archivos de programa\Internet Explorer\iexplore.exe
C:\Archivos de programa\Spybot - Search & Destroy\SpybotSD.exe
C:\Documents and Settings\E\Mis documentos\SOMETHING.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.es/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Constantino Moreira S.A.
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
O1 - Hosts: 128.100.96.241 NPI15C6CB
O2 - BHO: Aplicación auxiliar de vínculos de Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Archivos de programa\Archivos comunes\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\ARCHIV~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5ADF3862-9E2E-4ad3-86F7-4510E6550CD0} - C:\WINDOWS\system32\ylhfnvsn.dll
O2 - BHO: (no name) - {640D0632-8402-4A06-BECF-329A57937490} - C:\WINDOWS\system32\awvts.dll
O2 - BHO: (no name) - {CFDE1CF9-75B3-4B1E-B9A7-B5FB88A171E6} - C:\WINDOWS\system32\opnmlki.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [avast!] C:\ARCHIV~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Archivos de programa\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Archivos de programa\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [HP Software Update] "C:\Archivos de programa\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Archivos de programa\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [TomcatStartup 2.5] C:\Archivos de programa\Hewlett-Packard\Toolbox\hpbpsttp.exe
O4 - HKLM\..\Run: [GPLv3] rundll32.exe "C:\WINDOWS\system32\vwkkotlb.dll",realset
O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Archivos de programa\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Archivos de programa\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICIO LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Servicio de red')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Archivos de programa\HP\Digital Imaging\bin\hpqtra08.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\ARCHIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Referencia - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARCHIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe (file missing)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{4492F9DD-6837-485B-B506-5AF475B49673}: NameServer = 62.151.2.8
O17 - HKLM\System\CS2\Services\Tcpip\..\{4492F9DD-6837-485B-B506-5AF475B49673}: NameServer = 62.151.2.8
O17 - HKLM\System\CS3\Services\Tcpip\..\{4492F9DD-6837-485B-B506-5AF475B49673}: NameServer = 62.151.2.8
O20 - AppInit_DLLs: C:\ARCHIV~1\Google\GOOGLE~2\GOEC62~1.DLL
O20 - Winlogon Notify: awvts - C:\WINDOWS\system32\awvts.dll
O20 - Winlogon Notify: opnmlki - C:\WINDOWS\SYSTEM32\opnmlki.dll
O22 - SharedTaskScheduler: Precargador Browseui - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Demonio de caché de las categorías de componente - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Archivos de programa\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Archivos de programa\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Archivos de programa\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Archivos de programa\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Archivos de programa\Avast4\ashWebSv.exe
O23 - Service: Servicio del administrador de discos lógicos (dmadmin) - Unknown owner - C:\WINDOWS\System32\dmadmin.exe
O23 - Service: DomainService - - C:\WINDOWS\system32\rqkalvbb.exe
O23 - Service: Registro de sucesos (Eventlog) - Unknown owner - C:\WINDOWS\system32\services.exe
O23 - Service: GoogleDesktopManager - Google - C:\Archivos de programa\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Archivos de programa\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Servicio COM de grabación de CD de IMAPI (ImapiService) - Unknown owner - C:\WINDOWS\system32\imapi.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Escritorio remoto compartido de NetMeeting (mnmsrvc) - Unknown owner - C:\WINDOWS\system32\mnmsrvc.exe
O23 - Service: Plug and Play (PlugPlay) - Unknown owner - C:\WINDOWS\system32\services.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Administrador de sesión de Ayuda de escritorio remoto (RDSessMgr) - Unknown owner - C:\WINDOWS\system32\sessmgr.exe
O23 - Service: Tarjeta inteligente (SCardSvr) - Unknown owner - C:\WINDOWS\System32\SCardSvr.exe
O23 - Service: Registros y alertas de rendimiento (SysmonLog) - Unknown owner - C:\WINDOWS\system32\smlogsvc.exe
O23 - Service: Instantáneas de volumen (VSS) - Unknown owner - C:\WINDOWS\System32\vssvc.exe
O23 - Service: Adaptador de rendimiento de WMI (WmiApSrv) - Unknown owner - C:\WINDOWS\system32\wbem\wmiapsrv.exe
O23 - Service: Servicio de uso compartido de red del Reproductor de Windows Media (WMPNetworkSvc) - Unknown owner - C:\Archivos de programa\Windows Media Player\WMPNetwk.exe
O23 - Service: Washer AutoComplete (wwSecSvc) - Webroot Software, Inc. - C:\WINDOWS\system32\wwSecure.exe

--
End of file - 9552 bytes

And I'm waiting for your instructions to save me...

Regards
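A triage helper for HijackThis logs like the one above, added here as an example (it is not code from this thread, from HijackThis, or from the tools recommended below). It parses the O2, O4, O20 and O23 entry types and flags the structural patterns a helper checks first: unnamed BHOs in system32, Run entries that load a system32 DLL through rundll32, Winlogon Notify DLLs, services with no vendor, and orphaned "(file missing)" entries. The rules are my own assumptions and yield review candidates, not verdicts; the sample lines are copied from the two HijackThis logs in this thread.

```python
"""Heuristic triage of HijackThis (HJT) log entries.

Added example, not code from the original thread or from HijackThis.
The rules below are assumptions modelled on the Vundo persistence seen
in this thread's logs; treat a hit as "review this", not as a verdict.
"""
import re

# Constructed sample: entries copied from the HijackThis logs posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: Aplicación auxiliar de vínculos de Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Archivos de programa\Archivos comunes\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\ARCHIV~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5ADF3862-9E2E-4ad3-86F7-4510E6550CD0} - C:\WINDOWS\system32\ylhfnvsn.dll
O2 - BHO: (no name) - {C199B0CF-3CC3-4727-8498-D1D0258FF76D} - C:\WINDOWS\system32\awvts.dll (file missing)
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [avast!] C:\ARCHIV~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [GPLv3] rundll32.exe "C:\WINDOWS\system32\vwkkotlb.dll",realset
O20 - Winlogon Notify: awvts - C:\WINDOWS\system32\awvts.dll
O23 - Service: DomainService - - C:\WINDOWS\system32\rqkalvbb.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Archivos de programa\Avast4\ashServ.exe
""".strip()

ENTRY_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.*)$")
RUN_RE = re.compile(r"^.*?\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
FILE_MISSING = "(file missing)"
SYSTEM32 = "\\windows\\system32\\"


def in_system32(path: str) -> bool:
    """True if the path points into the Windows system32 directory (case-insensitive)."""
    return SYSTEM32 in path.lower()


def split_fields(body: str) -> list[str]:
    """Split an HJT entry on its ' - ' separators, keeping empty fields.

    HJT prints an empty vendor as 'name - - path'; a plain str.split(' - ')
    would merge the second separator into the path field as '- path'.
    """
    fields: list[str] = []
    for f in body.split(" - "):
        while f.startswith("- "):
            fields.append("")
            f = f[2:]
        fields.append(f.strip())
    return fields


def run_target(cmd: str) -> str:
    """Return the file an O4 Run command really executes or loads.

    rundll32.exe is only a host process, so for it the interesting file is
    the DLL: the quoted path, or the first comma-separated token after it.
    """
    tokens = cmd.split()
    quoted = re.search(r'"([^"]+)"', cmd)
    if tokens and tokens[0].lower() == "rundll32.exe":
        if quoted:
            return quoted.group(1)
        return tokens[1].split(",")[0] if len(tokens) > 1 else ""
    return quoted.group(1) if quoted else cmd.strip()


def triage_entry(line: str) -> list[str]:
    """Return the review reasons for one HJT line (empty list if nothing stands out)."""
    reasons: list[str] = []
    m = ENTRY_RE.match(line.strip())
    if not m:
        return reasons
    kind, body = m.group("kind"), m.group("body")

    # Leftover registry entries whose file is gone still deserve cleanup.
    if body.endswith(FILE_MISSING):
        reasons.append("orphaned entry: target file is missing")
        body = body[: -len(FILE_MISSING)].strip()

    fields = split_fields(body)
    path = fields[-1]

    if kind == "O2" and "(no name)" in fields[0] and in_system32(path):
        reasons.append("unnamed BHO loaded from system32")
    elif kind == "O20" and body.startswith("Winlogon Notify:") and in_system32(path):
        reasons.append("Winlogon Notify DLL in system32 (Vundo persistence point)")
    elif kind == "O23":
        vendor = fields[1] if len(fields) >= 3 else ""
        if not vendor and in_system32(path):
            reasons.append("service with empty vendor field in system32")
    elif kind == "O4":
        rm = RUN_RE.match(body)
        if rm:
            cmd = rm.group("cmd")
            target = run_target(cmd)
            if (cmd.lower().startswith("rundll32.exe")
                    and target.lower().endswith(".dll") and in_system32(target)):
                reasons.append("Run entry loads a system32 DLL through rundll32")
    return reasons


def triage_log(text: str) -> dict[str, list[str]]:
    """Map each flagged log line to its list of reasons."""
    findings: dict[str, list[str]] = {}
    for line in text.splitlines():
        reasons = triage_entry(line)
        if reasons:
            findings[line.strip()] = reasons
    return findings


if __name__ == "__main__":
    for entry, why in triage_log(SAMPLE_LOG).items():
        print(entry)
        for reason in why:
            print("    ->", reason)
```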

Shaba
2007-07-04, 12:07
Hi Moebius

Please download VundoFix.exe (http://www.atribune.org/ccount/click.php?id=4) to your desktop.
Double-click VundoFix.exe to run it.
Click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files; click YES.
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click OK.
Please post the contents of C:\vundofix.txt and a new HiJackThis log in a reply to this thread.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot; simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.

1. Download combofix from one of these links:
Link1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link2 (http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe)
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply.

Note:
Do not click ComboFix's window whilst it's running; that may cause it to stall.

Post:

- a fresh HijackThis log
- combofix report
- vundofix report

Moebius
2007-07-04, 15:58
Well, I've done all of the stuff; here we go with the logs:

Most recent HijackThis log:

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 14:47:17, on 04/07/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Archivos de programa\Avast4\aswUpdSv.exe
C:\Archivos de programa\Avast4\ashServ.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Archivos de programa\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wwSecure.exe
C:\Archivos de programa\Avast4\ashMaiSv.exe
C:\Archivos de programa\Avast4\ashWebSv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
C:\ARCHIV~1\Avast4\ashDisp.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Archivos de programa\Picasa2\PicasaMediaDetector.exe
C:\Archivos de programa\ATI Technologies\ATI.ACE\cli.exe
C:\Archivos de programa\HP\HP Software Update\HPWuSchd2.exe
C:\Archivos de programa\Google\Google Desktop Search\GoogleDesktop.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Archivos de programa\Spybot - Search & Destroy\TeaTimer.exe
C:\Archivos de programa\Google\Google Desktop Search\GoogleDesktop.exe
C:\ARCHIV~1\HEWLET~1\Toolbox\STATUS~1\STATUS~1.EXE
C:\Archivos de programa\Hewlett-Packard\Toolbox\jre\bin\javaw.exe
C:\Archivos de programa\ATI Technologies\ATI.ACE\cli.exe
C:\Archivos de programa\ATI Technologies\ATI.ACE\cli.exe
C:\Archivos de programa\Internet Explorer\iexplore.exe
C:\Documents and Settings\E\Escritorio\SOMETHING.exe
C:\WINDOWS\system32\hpbpro.exe
C:\WINDOWS\system32\hpbpro.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.es/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
O2 - BHO: Aplicación auxiliar de vínculos de Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Archivos de programa\Archivos comunes\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\ARCHIV~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {C199B0CF-3CC3-4727-8498-D1D0258FF76D} - C:\WINDOWS\system32\awvts.dll (file missing)
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [avast!] C:\ARCHIV~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Archivos de programa\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Archivos de programa\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [HP Software Update] "C:\Archivos de programa\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Archivos de programa\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [TomcatStartup 2.5] C:\Archivos de programa\Hewlett-Packard\Toolbox\hpbpsttp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Archivos de programa\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICIO LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Servicio de red')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Archivos de programa\HP\Digital Imaging\bin\hpqtra08.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\ARCHIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Referencia - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARCHIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe (file missing)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{4492F9DD-6837-485B-B506-5AF475B49673}: NameServer = 62.151.2.8
O17 - HKLM\System\CS2\Services\Tcpip\..\{4492F9DD-6837-485B-B506-5AF475B49673}: NameServer = 62.151.2.8
O17 - HKLM\System\CS3\Services\Tcpip\..\{4492F9DD-6837-485B-B506-5AF475B49673}: NameServer = 62.151.2.8
O20 - AppInit_DLLs: C:\ARCHIV~1\Google\GOOGLE~2\GOEC62~1.DLL
O22 - SharedTaskScheduler: Precargador Browseui - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Demonio de caché de las categorías de componente - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Archivos de programa\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Archivos de programa\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Archivos de programa\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Archivos de programa\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Archivos de programa\Avast4\ashWebSv.exe
O23 - Service: Servicio del administrador de discos lógicos (dmadmin) - Unknown owner - C:\WINDOWS\System32\dmadmin.exe
O23 - Service: Registro de sucesos (Eventlog) - Unknown owner - C:\WINDOWS\system32\services.exe
O23 - Service: GoogleDesktopManager - Google - C:\Archivos de programa\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Archivos de programa\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Servicio COM de grabación de CD de IMAPI (ImapiService) - Unknown owner - C:\WINDOWS\system32\imapi.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Escritorio remoto compartido de NetMeeting (mnmsrvc) - Unknown owner - C:\WINDOWS\system32\mnmsrvc.exe
O23 - Service: Plug and Play (PlugPlay) - Unknown owner - C:\WINDOWS\system32\services.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Administrador de sesión de Ayuda de escritorio remoto (RDSessMgr) - Unknown owner - C:\WINDOWS\system32\sessmgr.exe
O23 - Service: Tarjeta inteligente (SCardSvr) - Unknown owner - C:\WINDOWS\System32\SCardSvr.exe
O23 - Service: Registros y alertas de rendimiento (SysmonLog) - Unknown owner - C:\WINDOWS\system32\smlogsvc.exe
O23 - Service: Instantáneas de volumen (VSS) - Unknown owner - C:\WINDOWS\System32\vssvc.exe
O23 - Service: Adaptador de rendimiento de WMI (WmiApSrv) - Unknown owner - C:\WINDOWS\system32\wbem\wmiapsrv.exe
O23 - Service: Servicio de uso compartido de red del Reproductor de Windows Media (WMPNetworkSvc) - Unknown owner - C:\Archivos de programa\Windows Media Player\WMPNetwk.exe
O23 - Service: Washer AutoComplete (wwSecSvc) - Webroot Software, Inc. - C:\WINDOWS\system32\wwSecure.exe

--
End of file - 8296 bytes

Moebius
2007-07-04, 15:59
VUNDOFIX LOG: [NOTE: rebooting crashed the PC at the startup screen a couple of times; I booted in Safe Mode to complete the operation]

VundoFix V6.5.4

Checking Java version...

Sun Java not detected
Scan started at 14:07:43 04/07/2007

Listing files found while scanning....

C:\windows\system32\awvts.dll
C:\windows\system32\bltokkwv.ini
C:\windows\system32\imchipqb.exe
C:\windows\system32\ohsvgabg.exe
C:\WINDOWS\system32\opnmlki.dll
C:\windows\system32\stvwa.bak1
C:\WINDOWS\system32\stvwa.bak2
C:\windows\system32\stvwa.ini
C:\WINDOWS\system32\vwkkotlb.dll
C:\WINDOWS\system32\ylhfnvsn.dll
C:\windows\system32\yykjedjv.exe

Beginning removal...

Attempting to delete C:\windows\system32\awvts.dll
C:\windows\system32\awvts.dll Has been deleted!

Attempting to delete C:\windows\system32\bltokkwv.ini
C:\windows\system32\bltokkwv.ini Has been deleted!

Attempting to delete C:\windows\system32\imchipqb.exe
C:\windows\system32\imchipqb.exe Has been deleted!

Attempting to delete C:\windows\system32\ohsvgabg.exe
C:\windows\system32\ohsvgabg.exe Has been deleted!

Attempting to delete C:\WINDOWS\system32\opnmlki.dll
C:\WINDOWS\system32\opnmlki.dll Could not be deleted.

Attempting to delete C:\windows\system32\stvwa.bak1
C:\windows\system32\stvwa.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\system32\stvwa.bak2
C:\WINDOWS\system32\stvwa.bak2 Has been deleted!

Attempting to delete C:\windows\system32\stvwa.ini
C:\windows\system32\stvwa.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\vwkkotlb.dll
C:\WINDOWS\system32\vwkkotlb.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\ylhfnvsn.dll
C:\WINDOWS\system32\ylhfnvsn.dll Has been deleted!

Attempting to delete C:\windows\system32\yykjedjv.exe
C:\windows\system32\yykjedjv.exe Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.5.4

Checking Java version...

Sun Java not detected
Scan started at 14:17:46 04/07/2007

Listing files found while scanning....

C:\windows\system32\opnmlki.dll

Beginning removal...

Attempting to delete C:\windows\system32\opnmlki.dll
C:\windows\system32\opnmlki.dll Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.5.4

Checking Java version...

Sun Java not detected
Scan started at 14:30:13 04/07/2007

Listing files found while scanning....

No infected files were found.

Moebius
2007-07-04, 16:01
COMBOFIX LOG:

"E" - 2007-07-04 14:34:15 - ComboFix 07-07-03.9 - Service Pack 2 [SAFE MODE]


(((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\dqhvjtmi.exe
C:\WINDOWS\system32\osyvklnk.exe


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_DOMAINSERVICE


((((((((((((((((((((((((( Files Created from 2007-06-04 to 2007-07-04 )))))))))))))))))))))))))))))))


2007-07-04 14:33 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-07-04 14:07 <DIR> d-------- C:\VundoFix Backups
2007-06-29 19:07 <DIR> d-------- C:\DOCUME~1\ALLUSE~1.WIN\DATOSD~1\Spybot - Search & Destroy
2007-06-29 19:05 <DIR> d-------- C:\Archivos de programa\SpywareBlaster
2007-06-29 18:51 57,344 --a------ C:\WINDOWS\Unwash6.exe
2007-06-29 18:51 487,936 --a------ C:\WINDOWS\system32\wwSecure.exe
2007-06-29 18:51 <DIR> d-------- C:\DOCUME~1\E\DATOSD~1\Webroot
2007-06-29 18:51 <DIR> d-------- C:\Archivos de programa\Webroot
2007-06-29 18:51 <DIR> d-------- C:\Archivos de programa\Archivos comunes\Webroot Shared
2007-06-29 18:35 <DIR> d-------- C:\e3dd30e40a58a46a42fba40d
2007-06-29 18:22 <DIR> d-------- C:\DOCUME~1\E\DATOSD~1\Google
2007-06-29 18:19 17,920 --a------ C:\WINDOWS\system32\mdimon.dll
2007-06-29 18:11 <DIR> d-------- C:\DOCUME~1\ALLUSE~1.WIN\DATOSD~1\BVRP Software
2007-06-29 18:09 <DIR> d-------- C:\DOCUME~1\E\DATOSD~1\Help
2007-06-29 17:53 74,752 --a------ C:\WINDOWS\system32\jst.dll
2007-06-29 17:53 40,960 --a------ C:\WINDOWS\system32\d4channel.dll
2007-06-29 17:53 36,864 --a------ C:\WINDOWS\system32\hpbmmjno.dll
2007-06-29 17:53 32,768 --a------ C:\WINDOWS\system32\compJNI.dll
2007-06-29 17:53 102,400 --a------ C:\WINDOWS\system32\PMLJNI.dll
2007-06-29 17:44 94,208 --a------ C:\WINDOWS\system32\HPZipt12.dll
2007-06-29 17:44 61,440 --a------ C:\WINDOWS\system32\HPZinw12.exe
2007-06-29 17:44 57,344 --a------ C:\WINDOWS\system32\HPZisn12.dll
2007-06-29 17:44 306,688 --a------ C:\WINDOWS\IsUninst.exe
2007-06-29 17:43 98,304 -ra------ C:\WINDOWS\system32\hpzjsn01.dll
2007-06-29 17:43 757,760 -ra------ C:\WINDOWS\system32\hpptpml2.dll
2007-06-29 17:43 73,728 -ra------ C:\WINDOWS\system32\hptcpmib.dll
2007-06-29 17:43 69,632 --a------ C:\WINDOWS\system32\HPZipm12.exe
2007-06-29 17:43 6,912 --a------ C:\WINDOWS\system32\drivers\serscan.sys
2007-06-29 17:43 28,672 -ra------ C:\WINDOWS\system32\hpzjfw01.dll
2007-06-29 17:43 278,584 --a------ C:\WINDOWS\system32\HPZidr12.dll
2007-06-29 17:43 278,528 -ra------ C:\WINDOWS\system32\hpgwiamd.dll
2007-06-29 17:43 266,240 -ra------ C:\WINDOWS\system32\hpp2800s.dll
2007-06-29 17:43 212,992 -ra------ C:\WINDOWS\system32\hptcpmui.dll
2007-06-29 17:43 204,800 --a------ C:\WINDOWS\system32\HPZipr12.dll
2007-06-29 17:43 110,592 -ra------ C:\WINDOWS\system32\hptcpmon.dll
2007-06-29 17:38 54,395 --a------ C:\WINDOWS\hppins01.dat
2007-06-29 17:38 2,392 --------- C:\WINDOWS\hppmdl01.dat
2007-06-29 17:38 <DIR> d-------- C:\Archivos de programa\Archivos comunes\SWF Studio
2007-06-29 17:18 87,040 --a------ C:\WINDOWS\system32\wiafbdrv.dll
2007-06-29 17:18 15,104 --a------ C:\WINDOWS\system32\drivers\usbscan.sys
2007-06-29 17:17 298,496 --a------ C:\WINDOWS\unin040a.exe
2007-06-29 17:17 <DIR> d-------- C:\DOCUME~1\E\WINDOWS
2007-06-29 17:17 <DIR> d-------- C:\Archivos de programa\Lexmark X1100 Series
2007-06-29 17:14 <DIR> d-------- C:\DOCUME~1\E\DATOSD~1\ATI
2007-06-29 16:33 1,723 --a------ C:\WINDOWS\mozver.dat
2007-06-29 16:29 <DIR> d-------- C:\DOCUME~1\ALLUSE~1.WIN\DATOSD~1\WinZip
2007-06-29 16:24 2,560 --------- C:\WINDOWS\system32\drivers\cdralw2k.sys
2007-06-29 16:24 2,432 --------- C:\WINDOWS\system32\drivers\cdr4_xp.sys
2007-06-29 16:24 <DIR> d-------- C:\Archivos de programa\Picasa2
2007-06-29 16:24 <DIR> d-------- C:\Archivos de programa\Google
2007-06-29 16:22 14,048 --------- C:\WINDOWS\system32\spmsg2.dll
2007-06-29 16:22 <DIR> d-------- C:\Archivos de programa\Reference Assemblies
2007-06-29 16:18 23,856 --a------ C:\WINDOWS\system32\spupdsvc.exe
2007-06-29 16:18 0 --a------ C:\WINDOWS\nsreg.dat
2007-06-29 16:14 <DIR> d-------- C:\DOCUME~1\ALLUSE~1.WIN\DATOSD~1\Windows Genuine Advantage
2007-06-29 16:05 82,944 --a------ C:\WINDOWS\system32\drivers\wdmaud.sys
2007-06-29 16:05 6,400 --a------ C:\WINDOWS\system32\drivers\splitter.sys
2007-06-29 16:05 54,272 --a------ C:\WINDOWS\system32\drivers\swmidi.sys
2007-06-29 16:05 52,864 --a------ C:\WINDOWS\system32\drivers\DMusic.sys
2007-06-29 16:05 49,152 --a------ C:\WINDOWS\system32\ChCfg.exe
2007-06-29 16:05 142,464 --a------ C:\WINDOWS\system32\drivers\aec.sys
2007-06-29 16:04 7,552 --a------ C:\WINDOWS\system32\drivers\MSKSSRV.sys
2007-06-29 16:04 60,800 --a------ C:\WINDOWS\system32\drivers\sysaudio.sys
2007-06-29 16:04 60,288 --a------ C:\WINDOWS\system32\drivers\drmk.sys
2007-06-29 16:04 577,536 --a------ C:\WINDOWS\soundman.exe
2007-06-29 16:04 5,376 --a------ C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2007-06-29 16:04 4,992 --a------ C:\WINDOWS\system32\drivers\MSPQM.sys
2007-06-29 16:04 4,096 --a------ C:\WINDOWS\system32\ksuser.dll
2007-06-29 16:04 4,030,144 --a------ C:\WINDOWS\system32\drivers\alcxwdm.sys
2007-06-29 16:04 315,392 --a------ C:\WINDOWS\alcupd.exe
2007-06-29 16:04 217,088 --a------ C:\WINDOWS\Alcrmv.exe
2007-06-29 16:04 2,944 --a------ C:\WINDOWS\system32\drivers\drmkaud.sys
2007-06-29 16:04 172,416 --a------ C:\WINDOWS\system32\drivers\kmixer.sys
2007-06-29 16:04 147,456 --a------ C:\WINDOWS\system32\RtlCPAPI.dll
2007-06-29 16:04 145,792 --a------ C:\WINDOWS\system32\drivers\portcls.sys
2007-06-29 16:04 10,528,768 --a------ C:\WINDOWS\system32\RTLCPL.exe
2007-06-29 16:04 <DIR> d-------- C:\Archivos de programa\Realtek AC97
2007-06-29 13:58 520,192 --------- C:\WINDOWS\system32\ati2sgag.exe
2007-06-29 13:58 <DIR> d-------- C:\Archivos de programa\ATI Technologies
2007-06-29 13:54 <DIR> d-------- C:\DOCUME~1\E\DATOSD~1\uTorrent
2007-06-29 13:43 <DIR> d-------- C:\DOCUME~1\ALLUSE~1.WIN\DATOSD~1\Lavasoft
2007-06-29 13:43 <DIR> d-------- C:\Archivos de programa\Lavasoft
2007-06-29 13:43 <DIR> d-------- C:\Archivos de programa\Archivos comunes\Wise Installation Wizard
2007-06-29 13:39 95,872 --a------ C:\WINDOWS\system32\AvastSS.scr
2007-06-29 13:39 94,552 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2007-06-29 13:39 85,952 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2007-06-29 13:39 745,600 --a------ C:\WINDOWS\system32\aswBoot.exe
2007-06-29 13:39 499,712 --a------ C:\WINDOWS\system32\MSVCP71.dll
2007-06-29 13:39 43,176 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2007-06-29 13:39 348,160 --a------ C:\WINDOWS\system32\MSVCR71.dll
2007-06-29 13:39 26,888 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2007-06-29 13:39 23,416 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2007-06-29 13:39 1,060,864 --a------ C:\WINDOWS\system32\MFC71.dll
2007-06-29 13:39 <DIR> d-------- C:\Archivos de programa\Avast4
2007-06-29 13:35 8,192 --a------ C:\WINDOWS\system32\wshirda.dll
2007-06-29 13:35 59,648 --a------ C:\WINDOWS\system32\drivers\rfcomm.sys
2007-06-29 13:35 3,072 --a------ C:\WINDOWS\system32\drivers\audstub.sys
2007-06-29 13:35 28,160 --a------ C:\WINDOWS\system32\irmon.dll
2007-06-29 13:35 17,024 --a------ C:\WINDOWS\system32\drivers\BthEnum.sys
2007-06-29 13:35 153,600 --a------ C:\WINDOWS\system32\irftp.exe


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-06-29 16:36:37 -------- d-----w C:\Archivos de programa\Windows Media Connect 2
2007-06-29 16:12:25 -------- d--h--w C:\Archivos de programa\InstallShield Installation Information
2007-06-29 15:53:24 -------- d-----w C:\Archivos de programa\Hewlett-Packard
2007-06-29 15:53:23 -------- d--h--w C:\Archivos de programa\Zero G Registry
2007-06-29 14:54:03 -------- d-----w C:\Archivos de programa\MSBuild
2007-06-29 10:39:30 -------- d-----w C:\Archivos de programa\Windows NT
2007-06-19 09:35:38 -------- d-----w C:\Archivos de programa\DivX
2007-05-18 06:06:56 -------- d-----w C:\Archivos de programa\HP
2007-05-16 07:03:30 -------- d-----w C:\Archivos de programa\Archivos comunes\HP
2007-05-16 06:59:12 -------- d-----w C:\Archivos de programa\Archivos comunes\Hewlett-Packard
2007-04-16 20:45:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
2007-04-13 13:19:52 7,680 ----a-w C:\WINDOWS\system32\lsdelete.exe


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
2006-10-22 23:08 62080 --a------ C:\Archivos de programa\Archivos comunes\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]
2005-05-31 01:04 853672 --a------ C:\ARCHIV~1\SPYBOT~1\SDHelper.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C199B0CF-3CC3-4727-8498-D1D0258FF76D}]
C:\WINDOWS\system32\awvts.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-19 15:56 C:\WINDOWS\system32\bthprops.cpl]
"avast!"="C:\ARCHIV~1\Avast4\ashDisp.exe" [2007-04-30 17:42]
"SoundMan"="SOUNDMAN.EXE" [2007-04-16 15:28 C:\WINDOWS\soundman.exe]
"Picasa Media Detector"="C:\Archivos de programa\Picasa2\PicasaMediaDetector.exe" [2007-06-16 01:15]
"ATICCC"="C:\Archivos de programa\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 16:41]
"HP Software Update"="C:\Archivos de programa\HP\HP Software Update\HPWuSchd2.exe" [2005-02-16 23:11]
"Google Desktop Search"="C:\Archivos de programa\Google\Google Desktop Search\GoogleDesktop.exe" [2007-06-29 19:43]
"TomcatStartup 2.5"="C:\Archivos de programa\Hewlett-Packard\Toolbox\hpbpsttp.exe" [2004-11-12 18:57]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-19 15:42]
"SpybotSD TeaTimer"="C:\Archivos de programa\Spybot - Search & Destroy\TeaTimer.exe" [2005-05-31 01:04]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoToolbarCustomize"=0 (0x0)
"NoFileMenu"=0 (0x0)
"NoLowDiskSpaceChecks"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=C:\ARCHIV~1\Google\GOOGLE~2\GOEC62~1.DLL

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\aawservice]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs BthServ


Contents of the 'Scheduled Tasks' folder
2007-07-03 13:00:19 C:\WINDOWS\tasks\User_Feed_Synchronization-{DAC4462A-7CFA-476E-9A19-F4E43B19DBBB}.job

**************************************************************************

catchme 0.3.914 W2K/XP/Vista - rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-04 14:43:11
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-07-04 14:44:37 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-07-04 14:44

--- E O F ---

Moebius
2007-07-04, 16:01
COMBOFIX QUARANTINED FILES.TXT:

2007-06-29 19:52 4628 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\dqhvjtmi.exe.vir
2007-07-03 14:47 4628 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\osyvklnk.exe.vir
2007-07-04 14:35 846 --a------ C:\Qoobox\Quarantine\Registry_backups\LEGACY_DOMAINSERVICE.reg.cf


Listado de rutas de carpetas
El número de serie del volumen es D09D-CF67
C:\QOOBOX
\---Quarantine
    +---C
    |   \---WINDOWS
    |       \---system32
    |               dqhvjtmi.exe.vir
    |               osyvklnk.exe.vir
    |
    \---Registry_backups
            LEGACY_DOMAINSERVICE.reg.cf

Moebius
2007-07-04, 16:03
And that's all.

Maybe... I've killed the spies already?

Shaba
2007-07-04, 16:32
Hi

Looking pretty good, yes, but we're not done yet.

Open HijackThis, click "Do a system scan only" and checkmark these:

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: (no name) - {C199B0CF-3CC3-4727-8498-D1D0258FF76D} - C:\WINDOWS\system32\awvts.dll (file missing)

Close all windows including browser and press fix checked.

Reboot.

Please do an online scan with Kaspersky Online Scanner (http://www.kaspersky.com/downloads/kws/kavwebscan.html). You will be prompted to install an ActiveX component from Kaspersky; click Yes.
The program will launch and then start to download the latest definition files.
Once the scanner is installed and the definitions downloaded, click Next.
Now click on Scan Settings.
In the scan settings make sure that the following are selected:

- Scan using the following Anti-Virus database:
  - Extended (if available, otherwise Standard)
- Scan Options:
  - Scan Archives
  - Scan Mail Bases

Click OK.
Now, under "Select a target to scan", select My Computer.
The scan will take a while, so be patient and let it run. Once the scan is complete it will display whether your system has been infected.
Now click on the Save as Text button.
Save the file to your desktop.
Copy and paste that information in your next post.

Post:

- a fresh HijackThis log
- kaspersky report

Moebius
2007-07-06, 09:25
Well, I've done it; here go the logs:

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 8:18:02, on 06/07/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Archivos de programa\Avast4\aswUpdSv.exe
C:\Archivos de programa\Avast4\ashServ.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
C:\ARCHIV~1\Avast4\ashDisp.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Archivos de programa\Picasa2\PicasaMediaDetector.exe
C:\Archivos de programa\ATI Technologies\ATI.ACE\cli.exe
C:\Archivos de programa\HP\HP Software Update\HPWuSchd2.exe
C:\Archivos de programa\Google\Google Desktop Search\GoogleDesktop.exe
C:\Archivos de programa\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Archivos de programa\Google\Google Desktop Search\GoogleDesktop.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wwSecure.exe
C:\ARCHIV~1\HEWLET~1\Toolbox\STATUS~1\STATUS~1.EXE
C:\Archivos de programa\Avast4\ashMaiSv.exe
C:\Archivos de programa\Avast4\ashWebSv.exe
C:\Archivos de programa\Hewlett-Packard\Toolbox\jre\bin\javaw.exe
C:\Archivos de programa\ATI Technologies\ATI.ACE\cli.exe
C:\Archivos de programa\ATI Technologies\ATI.ACE\cli.exe
C:\Archivos de programa\Outlook Express\msimn.exe
C:\Archivos de programa\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\EnriqueBouza\Escritorio\SOMETHING.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.es/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
O2 - BHO: Aplicación auxiliar de vínculos de Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Archivos de programa\Archivos comunes\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\ARCHIV~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [avast!] C:\ARCHIV~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Archivos de programa\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Archivos de programa\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [HP Software Update] "C:\Archivos de programa\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Archivos de programa\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [CorelDRAW Graphics Suite 11b] C:\Archivos de programa\Corel\Corel Graphics 12\Languages\ES\Programs\Registration.exe /title="CorelDRAW Graphics Suite 12" /date=072007 serial=dr12cun-1353003-vhd lang=ES
O4 - HKLM\..\Run: [TomcatStartup 2.5] C:\Archivos de programa\Hewlett-Packard\Toolbox\hpbpsttp.exe
O4 - HKCU\..\Run: [Window Washer] C:\Archivos de programa\Webroot\Washer\wwDisp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\RunOnce: [Index Washer] C:\Archivos de programa\Webroot\Washer\WashIdx.exe "EnriqueBouza"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICIO LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Servicio de red')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Archivos de programa\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\ARCHIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Referencia - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARCHIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe (file missing)
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{4492F9DD-6837-485B-B506-5AF475B49673}: NameServer = 62.151.2.8
O17 - HKLM\System\CS2\Services\Tcpip\..\{4492F9DD-6837-485B-B506-5AF475B49673}: NameServer = 62.151.2.8
O17 - HKLM\System\CS3\Services\Tcpip\..\{4492F9DD-6837-485B-B506-5AF475B49673}: NameServer = 62.151.2.8
O20 - AppInit_DLLs: C:\ARCHIV~1\Google\GOOGLE~2\GOEC62~1.DLL
O22 - SharedTaskScheduler: Precargador Browseui - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Demonio de caché de las categorías de componente - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Archivos de programa\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Archivos de programa\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Archivos de programa\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Archivos de programa\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Archivos de programa\Avast4\ashWebSv.exe
O23 - Service: Servicio del administrador de discos lógicos (dmadmin) - Unknown owner - C:\WINDOWS\System32\dmadmin.exe
O23 - Service: Registro de sucesos (Eventlog) - Unknown owner - C:\WINDOWS\system32\services.exe
O23 - Service: GoogleDesktopManager - Google - C:\Archivos de programa\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Archivos de programa\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Servicio COM de grabación de CD de IMAPI (ImapiService) - Unknown owner - C:\WINDOWS\system32\imapi.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Escritorio remoto compartido de NetMeeting (mnmsrvc) - Unknown owner - C:\WINDOWS\system32\mnmsrvc.exe
O23 - Service: Plug and Play (PlugPlay) - Unknown owner - C:\WINDOWS\system32\services.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Administrador de sesión de Ayuda de escritorio remoto (RDSessMgr) - Unknown owner - C:\WINDOWS\system32\sessmgr.exe
O23 - Service: Tarjeta inteligente (SCardSvr) - Unknown owner - C:\WINDOWS\System32\SCardSvr.exe
O23 - Service: Registros y alertas de rendimiento (SysmonLog) - Unknown owner - C:\WINDOWS\system32\smlogsvc.exe
O23 - Service: Instantáneas de volumen (VSS) - Unknown owner - C:\WINDOWS\System32\vssvc.exe
O23 - Service: Adaptador de rendimiento de WMI (WmiApSrv) - Unknown owner - C:\WINDOWS\system32\wbem\wmiapsrv.exe
O23 - Service: Servicio de uso compartido de red del Reproductor de Windows Media (WMPNetworkSvc) - Unknown owner - C:\Archivos de programa\Windows Media Player\WMPNetwk.exe
O23 - Service: Washer AutoComplete (wwSecSvc) - Webroot Software, Inc. - C:\WINDOWS\system32\wwSecure.exe

--
End of file - 8521 bytes

Moebius
2007-07-06, 09:26
And Kaspersky Online (it detected some "visitors"):

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Friday, July 06, 2007 8:06:10 AM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.93.0
Kaspersky Anti-Virus database last update: 5/07/2007
Kaspersky Anti-Virus database records: 358653
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\

Scan Statistics:
Total number of scanned objects: 58343
Number of viruses found: 8
Number of infected objects: 31
Number of suspicious objects: 0
Duration of the scan process: 02:14:02

Infected Object Name / Virus Name / Last Action
C:\Archivos de programa\Avast4\DATA\aswResp.dat Object is locked skipped
C:\Archivos de programa\Avast4\DATA\Avast4.db Object is locked skipped
C:\Archivos de programa\Avast4\DATA\log\AshWebSv.ws Object is locked skipped
C:\Archivos de programa\Avast4\DATA\log\aswMaiSv.log Object is locked skipped
C:\Archivos de programa\Avast4\DATA\log\nshield.log Object is locked skipped
C:\Archivos de programa\Avast4\DATA\report\Protección residente.txt Object is locked skipped
C:\Documents and Settings\All Users\Datos de programa\Microsoft\Dr Watson\user.dmp Object is locked skipped
C:\Documents and Settings\All Users.WINDOWS\Datos de programa\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users.WINDOWS\Datos de programa\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\E\Configuración local\Datos de programa\Identities\{0FA4FDA7-FDC8-4015-8629-2A50518A125F}\Microsoft\Outlook Express\Comercial - Elementos eliminados.dbx/[From comercial@arien-machine.com][Date Wed, 6 Jun 2007 08:45:49 +0200]/email.doc Infected: Email-Worm.Win32.NetSky.q skipped
C:\Documents and Settings\E\Configuración local\Datos de programa\Identities\{0FA4FDA7-FDC8-4015-8629-2A50518A125F}\Microsoft\Outlook Express\Comercial - Elementos eliminados.dbx/[From irivas@comsa.com][Date Thu, 21 Jun 2007 09:20:41 +0200]/data_comercial.zip/data.rtf .scr Infected: Email-Worm.Win32.NetSky.q skipped
C:\Documents and Settings\E\Configuración local\Datos de programa\Identities\{0FA4FDA7-FDC8-4015-8629-2A50518A125F}\Microsoft\Outlook Express\Comercial - Elementos eliminados.dbx/[From irivas@comsa.com][Date Thu, 21 Jun 2007 09:20:41 +0200]/data_comercial.zip Infected: Email-Worm.Win32.NetSky.q skipped
C:\Documents and Settings\E\Configuración local\Datos de programa\Identities\{0FA4FDA7-FDC8-4015-8629-2A50518A125F}\Microsoft\Outlook Express\Comercial - Elementos eliminados.dbx/[From 06cb6db3@arsenal.co.uk][Date Thu, 28 Jun 2007 08:42:55 +0200]/UNNAMED/message_comercial.zip/details.txt .pif Infected: Email-Worm.Win32.NetSky.q skipped
C:\Documents and Settings\E\Configuración local\Datos de programa\Identities\{0FA4FDA7-FDC8-4015-8629-2A50518A125F}\Microsoft\Outlook Express\Comercial - Elementos eliminados.dbx/[From 06cb6db3@arsenal.co.uk][Date Thu, 28 Jun 2007 08:42:55 +0200]/UNNAMED/message_comercial.zip Infected: Email-Worm.Win32.NetSky.q skipped
C:\Documents and Settings\E\Configuración local\Datos de programa\Identities\{0FA4FDA7-FDC8-4015-8629-2A50518A125F}\Microsoft\Outlook Express\Comercial - Elementos eliminados.dbx/[From 06cb6db3@arsenal.co.uk][Date Thu, 28 Jun 2007 08:42:55 +0200]/UNNAMED Infected: Email-Worm.Win32.NetSky.q skipped
C:\Documents and Settings\E\Configuración local\Datos de programa\Identities\{0FA4FDA7-FDC8-4015-8629-2A50518A125F}\Microsoft\Outlook Express\Comercial - Elementos eliminados.dbx Mail MS Outlook 5: infected - 6 skipped
C:\Documents and Settings\E\Mis documentos\Downloads\Winzip 11 pro\winzip110.exe/data0000.cab/is67528.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.if skipped
C:\Documents and Settings\E\Mis documentos\Downloads\Winzip 11 pro\winzip110.exe/data0000.cab Infected: not-a-virus:AdWare.Win32.Virtumonde.if skipped
C:\Documents and Settings\E\Mis documentos\Downloads\Winzip 11 pro\winzip110.exe Rsrc-Package: infected - 2 skipped
C:\Documents and Settings\EnriqueBouza\Configuración local\Archivos temporales de Internet\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\EnriqueBouza\Configuración local\Archivos temporales de Internet\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\EnriqueBouza\Configuración local\Datos de programa\ApplicationHistory\cli.exe.72313fbf.ini.inuse Object is locked skipped
C:\Documents and Settings\EnriqueBouza\Configuración local\Datos de programa\Google\Google Desktop\d5bfe6e206e1\ch8dfe7597 Object is locked skipped
C:\Documents and Settings\EnriqueBouza\Configuración local\Datos de programa\Google\Google Desktop\d5bfe6e206e1\dbc2e.ht1 Object is locked skipped
C:\Documents and Settings\EnriqueBouza\Configuración local\Datos de programa\Google\Google Desktop\d5bfe6e206e1\dbdam Object is locked skipped
C:\Documents and Settings\EnriqueBouza\Configuración local\Datos de programa\Google\Google Desktop\d5bfe6e206e1\dbdao Object is locked skipped
C:\Documents and Settings\EnriqueBouza\Configuración local\Datos de programa\Google\Google Desktop\d5bfe6e206e1\dbeam Object is locked skipped
C:\Documents and Settings\EnriqueBouza\Configuración local\Datos de programa\Google\Google Desktop\d5bfe6e206e1\dbeao Object is locked skipped
C:\Documents and Settings\EnriqueBouza\Configuración local\Datos de programa\Google\Google Desktop\d5bfe6e206e1\dbm Object is locked skipped
C:\Documents and Settings\EnriqueBouza\Configuración local\Datos de programa\Google\Google Desktop\d5bfe6e206e1\dbu2d.ht1 Object is locked skipped
C:\Documents and Settings\EnriqueBouza\Configuración local\Datos de programa\Google\Google Desktop\d5bfe6e206e1\dbvm.cf1 Object is locked skipped
C:\Documents and Settings\EnriqueBouza\Configuración local\Datos de programa\Google\Google Desktop\d5bfe6e206e1\dbvmh.ht1 Object is locked skipped
C:\Documents and Settings\EnriqueBouza\Configuración local\Datos de programa\Google\Google Desktop\d5bfe6e206e1\fii.cf1 Object is locked skipped
C:\Documents and Settings\EnriqueBouza\Configuración local\Datos de programa\Google\Google Desktop\d5bfe6e206e1\fiih.ht1 Object is locked skipped
C:\Documents and Settings\EnriqueBouza\Configuración local\Datos de programa\Google\Google Desktop\d5bfe6e206e1\hp Object is locked skipped
C:\Documents and Settings\EnriqueBouza\Configuración local\Datos de programa\Google\Google Desktop\d5bfe6e206e1\hpt2i.ht1 Object is locked skipped
C:\Documents and Settings\EnriqueBouza\Configuración local\Datos de programa\Google\Google Desktop\d5bfe6e206e1\rpm.cf1 Object is locked skipped
C:\Documents and Settings\EnriqueBouza\Configuración local\Datos de programa\Google\Google Desktop\d5bfe6e206e1\rpm1m.cf1 Object is locked skipped
C:\Documents and Settings\EnriqueBouza\Configuración local\Datos de programa\Google\Google Desktop\d5bfe6e206e1\rpm1mh.ht1 Object is locked skipped
C:\Documents and Settings\EnriqueBouza\Configuración local\Datos de programa\Google\Google Desktop\d5bfe6e206e1\rpmh.ht1 Object is locked skipped
C:\Documents and Settings\EnriqueBouza\Configuración local\Datos de programa\Google\Google Desktop\d5bfe6e206e1\safeweb\goog-black-enchashm.cf1 Object is locked skipped
C:\Documents and Settings\EnriqueBouza\Configuración local\Datos de programa\Google\Google Desktop\d5bfe6e206e1\safeweb\goog-black-enchashmh.ht1 Object is locked skipped
C:\Documents and Settings\EnriqueBouza\Configuración local\Datos de programa\Google\Google Desktop\d5bfe6e206e1\safeweb\goog-black-urlm.cf1 Object is locked skipped
C:\Documents and Settings\EnriqueBouza\Configuración local\Datos de programa\Google\Google Desktop\d5bfe6e206e1\safeweb\goog-black-urlmh.ht1 Object is locked skipped
C:\Documents and Settings\EnriqueBouza\Configuración local\Datos de programa\Google\Google Desktop\d5bfe6e206e1\safeweb\goog-malware-domainm.cf1 Object is locked skipped
C:\Documents and Settings\EnriqueBouza\Configuración local\Datos de programa\Google\Google Desktop\d5bfe6e206e1\safeweb\goog-malware-domainmh.ht1 Object is locked skipped
C:\Documents and Settings\EnriqueBouza\Configuración local\Datos de programa\Google\Google Desktop\d5bfe6e206e1\safeweb\goog-white-domainm.cf1 Object is locked skipped
C:\Documents and Settings\EnriqueBouza\Configuración local\Datos de programa\Google\Google Desktop\d5bfe6e206e1\safeweb\goog-white-domainmh.ht1 Object is locked skipped
C:\Documents and Settings\EnriqueBouza\Configuración local\Datos de programa\Identities\{BBBD0510-3E06-4941-98C6-5DEC062BF48C}\Microsoft\Outlook Express\comercial - Bandeja de entrada.dbx Object is locked skipped
C:\Documents and Settings\EnriqueBouza\Configuración local\Datos de programa\Identities\{BBBD0510-3E06-4941-98C6-5DEC062BF48C}\Microsoft\Outlook Express\Folders.dbx Object is locked skipped
C:\Documents and Settings\EnriqueBouza\Configuración local\Datos de programa\Identities\{BBBD0510-3E06-4941-98C6-5DEC062BF48C}\Microsoft\Outlook Express\Offline.dbx Object is locked skipped
C:\Documents and Settings\EnriqueBouza\Configuración local\Datos de programa\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\EnriqueBouza\Configuración local\Datos de programa\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\EnriqueBouza\Configuración local\Historial\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\EnriqueBouza\Configuración local\Temp\2248_zip_dump.doc Object is locked skipped
C:\Documents and Settings\EnriqueBouza\Configuración local\Temp\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\EnriqueBouza\Configuración local\Temp\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\EnriqueBouza\Configuración local\Temp\newtb1handler.log Object is locked skipped
C:\Documents and Settings\EnriqueBouza\Configuración local\Temp\Perflib_Perfdata_1b0.dat Object is locked skipped
C:\Documents and Settings\EnriqueBouza\Configuración local\Temp\Perflib_Perfdata_91c.dat Object is locked skipped
C:\Documents and Settings\EnriqueBouza\Configuración local\Temp\Perflib_Perfdata_93c.dat Object is locked skipped
C:\Documents and Settings\EnriqueBouza\Configuración local\Temp\proxystop-tblauncher.log Object is locked skipped
C:\Documents and Settings\EnriqueBouza\Configuración local\Temp\tblauncher.log Object is locked skipped
C:\Documents and Settings\EnriqueBouza\Configuración local\Temp\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\EnriqueBouza\Configuración local\Temp\toolbox_healer59967.log Object is locked skipped
C:\Documents and Settings\EnriqueBouza\Configuración local\Temp\~DFF607.tmp Object is locked skipped
C:\Documents and Settings\EnriqueBouza\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\EnriqueBouza\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\EnriqueBouza\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService.NT AUTHORITY\Configuración local\Datos de programa\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService.NT AUTHORITY\Configuración local\Datos de programa\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService.NT AUTHORITY\Configuración local\Temp\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService.NT AUTHORITY\Configuración local\Temp\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService.NT AUTHORITY\Configuración local\Temp\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService.NT AUTHORITY\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService.NT AUTHORITY\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService.NT AUTHORITY\Configuración local\Datos de programa\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService.NT AUTHORITY\Configuración local\Datos de programa\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService.NT AUTHORITY\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService.NT AUTHORITY\ntuser.dat.LOG Object is locked skipped
C:\e3dd30e40a58a46a42fba40d\e50d24d33a6ddc541ea843635302\update\update.log Object is locked skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\dqhvjtmi.exe.vir Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\osyvklnk.exe.vir Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{EF9A7EC0-5A45-49C0-AF36-D6A474CB0CBD}\RP14\A0001072.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ki skipped
C:\System Volume Information\_restore{EF9A7EC0-5A45-49C0-AF36-D6A474CB0CBD}\RP15\A0002120.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ki skipped
C:\System Volume Information\_restore{EF9A7EC0-5A45-49C0-AF36-D6A474CB0CBD}\RP15\A0002137.exe Infected: Trojan.Win32.Agent.aoy skipped
C:\System Volume Information\_restore{EF9A7EC0-5A45-49C0-AF36-D6A474CB0CBD}\RP15\A0002142.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.fp skipped
C:\System Volume Information\_restore{EF9A7EC0-5A45-49C0-AF36-D6A474CB0CBD}\RP15\A0002143.exe Infected: Trojan.Win32.Agent.aoy skipped
C:\System Volume Information\_restore{EF9A7EC0-5A45-49C0-AF36-D6A474CB0CBD}\RP15\A0002144.exe Infected: Trojan.Win32.Agent.aoy skipped
C:\System Volume Information\_restore{EF9A7EC0-5A45-49C0-AF36-D6A474CB0CBD}\RP15\A0002145.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ki skipped
C:\System Volume Information\_restore{EF9A7EC0-5A45-49C0-AF36-D6A474CB0CBD}\RP15\A0002146.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.kj skipped
C:\System Volume Information\_restore{EF9A7EC0-5A45-49C0-AF36-D6A474CB0CBD}\RP15\A0002147.exe Infected: Trojan.Win32.Agent.aoy skipped
C:\System Volume Information\_restore{EF9A7EC0-5A45-49C0-AF36-D6A474CB0CBD}\RP15\A0004151.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\System Volume Information\_restore{EF9A7EC0-5A45-49C0-AF36-D6A474CB0CBD}\RP15\A0005187.exe Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\System Volume Information\_restore{EF9A7EC0-5A45-49C0-AF36-D6A474CB0CBD}\RP15\A0005188.exe Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\System Volume Information\_restore{EF9A7EC0-5A45-49C0-AF36-D6A474CB0CBD}\RP17\change.log Object is locked skipped
C:\VundoFix Backups\awvts.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.fp skipped
C:\VundoFix Backups\imchipqb.exe.bad Infected: Trojan.Win32.Agent.aoy skipped
C:\VundoFix Backups\ohsvgabg.exe.bad Infected: Trojan.Win32.Agent.aoy skipped
C:\VundoFix Backups\opnmlki.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\VundoFix Backups\vwkkotlb.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.ki skipped
C:\VundoFix Backups\ylhfnvsn.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.kj skipped
C:\VundoFix Backups\yykjedjv.exe.bad Infected: Trojan.Win32.Agent.aoy skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\ACEEvent.evt Object is locked skipped
C:\WINDOWS\system32\config\Antivirus.Evt Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\Perflib_Perfdata_57c.dat Object is locked skipped
C:\WINDOWS\Temp\_avast4_\Webshlock.txt Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.

Shaba
2007-07-06, 11:52
Hi

Empty these folders:

C:\QooBox\Quarantine\
C:\VundoFix Backups\

Delete this:

C:\Documents and Settings\E\Mis documentos\Downloads\Winzip 11 pro

Empty Recycle Bin

Delete these mails via outlook express:

C:\Documents and Settings\E\Configuración local\Datos de programa\Identities\{0FA4FDA7-FDC8-4015-8629-2A50518A125F}\Microsoft\Outlook Express\Comercial - Elementos eliminados.dbx/[From comercial@arien-machine.com][Date Wed, 6 Jun 2007 08:45:49 +0200]/email.doc Infected: Email-Worm.Win32.NetSky.q skipped
C:\Documents and Settings\E\Configuración local\Datos de programa\Identities\{0FA4FDA7-FDC8-4015-8629-2A50518A125F}\Microsoft\Outlook Express\Comercial - Elementos eliminados.dbx/[From irivas@comsa.com][Date Thu, 21 Jun 2007 09:20:41 +0200]/data_comercial.zip/data.rtf .scr Infected: Email-Worm.Win32.NetSky.q skipped
C:\Documents and Settings\E\Configuración local\Datos de programa\Identities\{0FA4FDA7-FDC8-4015-8629-2A50518A125F}\Microsoft\Outlook Express\Comercial - Elementos eliminados.dbx/[From irivas@comsa.com][Date Thu, 21 Jun 2007 09:20:41 +0200]/data_comercial.zip Infected: Email-Worm.Win32.NetSky.q skipped
C:\Documents and Settings\E\Configuración local\Datos de programa\Identities\{0FA4FDA7-FDC8-4015-8629-2A50518A125F}\Microsoft\Outlook Express\Comercial - Elementos eliminados.dbx/[From 06cb6db3@arsenal.co.uk][Date Thu, 28 Jun 2007 08:42:55 +0200]/UNNAMED/message_comercial.zip/details.txt .pif Infected: Email-Worm.Win32.NetSky.q skipped
C:\Documents and Settings\E\Configuración local\Datos de programa\Identities\{0FA4FDA7-FDC8-4015-8629-2A50518A125F}\Microsoft\Outlook Express\Comercial - Elementos eliminados.dbx/[From 06cb6db3@arsenal.co.uk][Date Thu, 28 Jun 2007 08:42:55 +0200]/UNNAMED/message_comercial.zip Infected: Email-Worm.Win32.NetSky.q skipped
C:\Documents and Settings\E\Configuración local\Datos de programa\Identities\{0FA4FDA7-FDC8-4015-8629-2A50518A125F}\Microsoft\Outlook Express\Comercial - Elementos eliminados.dbx/[From 06cb6db3@arsenal.co.uk][Date Thu, 28 Jun 2007 08:42:55 +0200]/UNNAMED Infected: Email-Worm.Win32.NetSky.q skipped

Empty Deleted items folder in outlook

Re-scan with kaspersky

Post:

- a fresh HijackThis log
- kaspersky report
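
The clean-up list above is derived by reading each "Infected:" line of the Kaspersky report and asking where the object actually lives: a removal tool's quarantine folder, a System Restore copy, a message inside an Outlook Express .dbx store, or a file still present on disk. The script below is an added example (not code from this thread, from Kaspersky, or from ComboFix/VundoFix) that automates that sorting for the report format shown in the posts. The "Object is locked" lines are kept apart, since they mean "could not be scanned", not "malicious". The sample input is a constructed excerpt of lines from the posted report.

```python
"""Sort Kaspersky Online Scanner report lines into clean-up buckets.

Added example for the thread above; not part of any Kaspersky or ComboFix
tool. Parses the "Infected Object Name / Virus Name / Last Action" lines.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Backup folders written by the removal tools used in the thread; copies
# there are already neutralised (".vir"/".bad" renamed, not executable).
QUARANTINE_PREFIXES = ("c:\\qoobox\\quarantine\\", "c:\\vundofix backups\\")
RESTORE_MARKER = "\\system volume information\\_restore"

# One object per line, trailing word is the scanner's action.
INFECTED_RE = re.compile(r"^(?P<obj>.+) Infected: (?P<name>\S+) (?P<action>\S+)$")
LOCKED_RE = re.compile(r"^(?P<obj>.+) Object is locked (?P<action>\S+)$")
# Container summary, e.g. "....dbx Mail MS Outlook 5: infected - 6 skipped"
CONTAINER_RE = re.compile(
    r"^(?P<obj>.+?) (?P<kind>[A-Za-z0-9 -]+): infected - (?P<count>\d+) (?P<action>\S+)$"
)


@dataclass(frozen=True)
class Finding:
    obj: str              # object as printed; nested members separated by "/"
    name: Optional[str]   # detection name, None for locked/container lines
    status: str           # "infected", "container" or "locked"
    action: str

    @property
    def on_disk(self) -> str:
        # Archive and mailbox members are shown after "/"; the part before
        # the first "/" is the file that actually exists on the filesystem.
        return self.obj.split("/", 1)[0]

    @property
    def category(self) -> str:
        low = self.on_disk.lower()
        if low.startswith(QUARANTINE_PREFIXES):
            return "quarantine"
        if RESTORE_MARKER in low:
            return "restore_point"
        if low.endswith(".dbx"):
            return "mail_store"
        return "live"


def parse_report(text: str) -> List[Finding]:
    """Return one Finding per recognised report line; other lines are ignored."""
    findings: List[Finding] = []
    for raw in text.splitlines():
        line = raw.strip()
        if m := INFECTED_RE.match(line):
            findings.append(Finding(m["obj"], m["name"], "infected", m["action"]))
        elif m := CONTAINER_RE.match(line):
            findings.append(Finding(m["obj"], None, "container", m["action"]))
        elif m := LOCKED_RE.match(line):
            findings.append(Finding(m["obj"], None, "locked", m["action"]))
    return findings


ADVICE = {
    "quarantine": "already neutralised by a removal tool: empty the quarantine folder",
    "restore_point": "System Restore copy: purge old restore points once clean",
    "mail_store": "message inside a mail store: delete it in the mail client, then empty Deleted Items",
    "live": "file still present on disk: delete it",
}


def triage(text: str) -> Dict[str, List[str]]:
    """Map each clean-up bucket to the sorted, de-duplicated on-disk paths."""
    buckets: Dict[str, set] = {k: set() for k in ADVICE}
    for f in parse_report(text):
        if f.status != "locked":          # locked objects are not detections
            buckets[f.category].add(f.on_disk)
    return {k: sorted(v) for k, v in buckets.items()}


# Constructed sample: an excerpt of lines from the report posted in the thread.
SAMPLE_REPORT = r"""
Infected Object Name / Virus Name / Last Action
C:\Archivos de programa\Avast4\DATA\aswResp.dat Object is locked skipped
C:\Documents and Settings\E\Configuración local\Datos de programa\Identities\{0FA4FDA7-FDC8-4015-8629-2A50518A125F}\Microsoft\Outlook Express\Comercial - Elementos eliminados.dbx/[From comercial@arien-machine.com][Date Wed, 6 Jun 2007 08:45:49 +0200]/email.doc Infected: Email-Worm.Win32.NetSky.q skipped
C:\Documents and Settings\E\Configuración local\Datos de programa\Identities\{0FA4FDA7-FDC8-4015-8629-2A50518A125F}\Microsoft\Outlook Express\Comercial - Elementos eliminados.dbx Mail MS Outlook 5: infected - 6 skipped
C:\Documents and Settings\E\Mis documentos\Downloads\Winzip 11 pro\winzip110.exe/data0000.cab/is67528.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.if skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\dqhvjtmi.exe.vir Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\System Volume Information\_restore{EF9A7EC0-5A45-49C0-AF36-D6A474CB0CBD}\RP15\A0002137.exe Infected: Trojan.Win32.Agent.aoy skipped
C:\VundoFix Backups\awvts.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.fp skipped
Scan process completed.
"""

if __name__ == "__main__":
    for bucket, paths in triage(SAMPLE_REPORT).items():
        print(f"[{bucket}] {ADVICE[bucket]}")
        for p in paths:
            print("   ", p)
```

Paste a full report into `SAMPLE_REPORT` (or read it from the saved text file) to get the same four lists the reply above walks through; the "live" bucket is the one that still needs attention, the others are copies that only need their containers emptied.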

Moebius
2007-07-09, 16:49
Tomorrow morning I will post the logs; I had to go out for business.

Moebius
2007-07-10, 09:09
Here it goes:
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Tuesday, July 10, 2007 8:02:10 AM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.93.0
Kaspersky Anti-Virus database last update: 9/07/2007
Kaspersky Anti-Virus database records: 360136
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\

Scan Statistics:
Total number of scanned objects: 67908
Number of viruses found: 8
Number of infected objects: 22
Number of suspicious objects: 0
Duration of the scan process: 01:53:34

Infected Object Name / Virus Name / Last Action
C:\Archivos de programa\Avast4\DATA\aswResp.dat Object is locked skipped
C:\Archivos de programa\Avast4\DATA\Avast4.db Object is locked skipped
C:\Archivos de programa\Avast4\DATA\log\AshWebSv.ws Object is locked skipped
C:\Archivos de programa\Avast4\DATA\log\aswMaiSv.log Object is locked skipped
C:\Archivos de programa\Avast4\DATA\log\nshield.log Object is locked skipped
C:\Archivos de programa\Avast4\DATA\report\Protección residente.txt Object is locked skipped
C:\Documents and Settings\All Users\Datos de programa\Microsoft\Dr Watson\user.dmp Object is locked skipped
C:\Documents and Settings\All Users.WINDOWS\Datos de programa\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users.WINDOWS\Datos de programa\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\E\Configuración local\Datos de programa\Identities\{0FA4FDA7-FDC8-4015-8629-2A50518A125F}\Microsoft\Outlook Express\Comercial - Elementos eliminados.dbx/[From comercial@arien-machine.com][Date Wed, 6 Jun 2007 08:45:49 +0200]/email.doc Infected: Email-Worm.Win32.NetSky.q skipped
C:\Documents and Settings\E\Configuración local\Datos de programa\Identities\{0FA4FDA7-FDC8-4015-8629-2A50518A125F}\Microsoft\Outlook Express\Comercial - Elementos eliminados.dbx/[From irivas@comsa.com][Date Thu, 21 Jun 2007 09:20:41 +0200]/data_comercial.zip/data.rtf .scr Infected: Email-Worm.Win32.NetSky.q skipped
C:\Documents and Settings\E\Configuración local\Datos de programa\Identities\{0FA4FDA7-FDC8-4015-8629-2A50518A125F}\Microsoft\Outlook Express\Comercial - Elementos eliminados.dbx/[From irivas@comsa.com][Date Thu, 21 Jun 2007 09:20:41 +0200]/data_comercial.zip Infected: Email-Worm.Win32.NetSky.q skipped
C:\Documents and Settings\E\Configuración local\Datos de programa\Identities\{0FA4FDA7-FDC8-4015-8629-2A50518A125F}\Microsoft\Outlook Express\Comercial - Elementos eliminados.dbx/[From 06cb6db3@arsenal.co.uk][Date Thu, 28 Jun 2007 08:42:55 +0200]/UNNAMED/message_comercial.zip/details.txt .pif Infected: Email-Worm.Win32.NetSky.q skipped
C:\Documents and Settings\E\Configuración local\Datos de programa\Identities\{0FA4FDA7-FDC8-4015-8629-2A50518A125F}\Microsoft\Outlook Express\Comercial - Elementos eliminados.dbx/[From 06cb6db3@arsenal.co.uk][Date Thu, 28 Jun 2007 08:42:55 +0200]/UNNAMED/message_comercial.zip Infected: Email-Worm.Win32.NetSky.q skipped
C:\Documents and Settings\E\Configuración local\Datos de programa\Identities\{0FA4FDA7-FDC8-4015-8629-2A50518A125F}\Microsoft\Outlook Express\Comercial - Elementos eliminados.dbx/[From 06cb6db3@arsenal.co.uk][Date Thu, 28 Jun 2007 08:42:55 +0200]/UNNAMED Infected: Email-Worm.Win32.NetSky.q skipped
C:\Documents and Settings\E\Configuración local\Datos de programa\Identities\{0FA4FDA7-FDC8-4015-8629-2A50518A125F}\Microsoft\Outlook Express\Comercial - Elementos eliminados.dbx Mail MS Outlook 5: infected - 6 skipped
C:\Documents and Settings\EnriqueBouza\Configuración local\Archivos temporales de Internet\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\EnriqueBouza\Configuración local\Datos de programa\ApplicationHistory\cli.exe.72313fbf.ini.inuse Object is locked skipped
C:\Documents and Settings\EnriqueBouza\Configuración local\Datos de programa\Google\Google Desktop\d5bfe6e206e1\dbc2e.ht1 Object is locked skipped
C:\Documents and Settings\EnriqueBouza\Configuración local\Datos de programa\Google\Google Desktop\d5bfe6e206e1\dbdam Object is locked skipped
C:\Documents and Settings\EnriqueBouza\Configuración local\Datos de programa\Google\Google Desktop\d5bfe6e206e1\dbdao Object is locked skipped
C:\Documents and Settings\EnriqueBouza\Configuración local\Datos de programa\Google\Google Desktop\d5bfe6e206e1\dbeam Object is locked skipped
C:\Documents and Settings\EnriqueBouza\Configuración local\Datos de programa\Google\Google Desktop\d5bfe6e206e1\dbeao Object is locked skipped
C:\Documents and Settings\EnriqueBouza\Configuración local\Datos de programa\Google\Google Desktop\d5bfe6e206e1\dbm Object is locked skipped
C:\Documents and Settings\EnriqueBouza\Configuración local\Datos de programa\Google\Google Desktop\d5bfe6e206e1\dbu2d.ht1 Object is locked skipped
C:\Documents and Settings\EnriqueBouza\Configuración local\Datos de programa\Google\Google Desktop\d5bfe6e206e1\dbvm.cf1 Object is locked skipped
C:\Documents and Settings\EnriqueBouza\Configuración local\Datos de programa\Google\Google Desktop\d5bfe6e206e1\dbvmh.ht1 Object is locked skipped
C:\Documents and Settings\EnriqueBouza\Configuración local\Datos de programa\Google\Google Desktop\d5bfe6e206e1\fii.cf1 Object is locked skipped
C:\Documents and Settings\EnriqueBouza\Configuración local\Datos de programa\Google\Google Desktop\d5bfe6e206e1\fiih.ht1 Object is locked skipped
C:\Documents and Settings\EnriqueBouza\Configuración local\Datos de programa\Google\Google Desktop\d5bfe6e206e1\hp Object is locked skipped
C:\Documents and Settings\EnriqueBouza\Configuración local\Datos de programa\Google\Google Desktop\d5bfe6e206e1\hpt2i.ht1 Object is locked skipped
C:\Documents and Settings\EnriqueBouza\Configuración local\Datos de programa\Google\Google Desktop\d5bfe6e206e1\rpm.cf1 Object is locked skipped
C:\Documents and Settings\EnriqueBouza\Configuración local\Datos de programa\Google\Google Desktop\d5bfe6e206e1\rpm1m.cf1 Object is locked skipped
C:\Documents and Settings\EnriqueBouza\Configuración local\Datos de programa\Google\Google Desktop\d5bfe6e206e1\rpm1mh.ht1 Object is locked skipped
C:\Documents and Settings\EnriqueBouza\Configuración local\Datos de programa\Google\Google Desktop\d5bfe6e206e1\rpmh.ht1 Object is locked skipped
C:\Documents and Settings\EnriqueBouza\Configuración local\Datos de programa\Google\Google Desktop\d5bfe6e206e1\safeweb\goog-black-enchashm.cf1 Object is locked skipped
C:\Documents and Settings\EnriqueBouza\Configuración local\Datos de programa\Google\Google Desktop\d5bfe6e206e1\safeweb\goog-black-enchashmh.ht1 Object is locked skipped
C:\Documents and Settings\EnriqueBouza\Configuración local\Datos de programa\Google\Google Desktop\d5bfe6e206e1\safeweb\goog-black-urlm.cf1 Object is locked skipped
C:\Documents and Settings\EnriqueBouza\Configuración local\Datos de programa\Google\Google Desktop\d5bfe6e206e1\safeweb\goog-black-urlmh.ht1 Object is locked skipped
C:\Documents and Settings\EnriqueBouza\Configuración local\Datos de programa\Google\Google Desktop\d5bfe6e206e1\safeweb\goog-malware-domainm.cf1 Object is locked skipped
C:\Documents and Settings\EnriqueBouza\Configuración local\Datos de programa\Google\Google Desktop\d5bfe6e206e1\safeweb\goog-malware-domainmh.ht1 Object is locked skipped
C:\Documents and Settings\EnriqueBouza\Configuración local\Datos de programa\Google\Google Desktop\d5bfe6e206e1\safeweb\goog-white-domainm.cf1 Object is locked skipped
C:\Documents and Settings\EnriqueBouza\Configuración local\Datos de programa\Google\Google Desktop\d5bfe6e206e1\safeweb\goog-white-domainmh.ht1 Object is locked skipped
C:\Documents and Settings\EnriqueBouza\Configuración local\Datos de programa\Microsoft\Feeds Cache\index.dat Object is locked skipped
C:\Documents and Settings\EnriqueBouza\Configuración local\Datos de programa\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\EnriqueBouza\Configuración local\Datos de programa\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\EnriqueBouza\Configuración local\Historial\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\EnriqueBouza\Configuración local\Historial\History.IE5\MSHist012007070920070710\index.dat Object is locked skipped
C:\Documents and Settings\EnriqueBouza\Configuración local\Temp\newtb1handler.log Object is locked skipped
C:\Documents and Settings\EnriqueBouza\Configuración local\Temp\Perflib_Perfdata_1004.dat Object is locked skipped
C:\Documents and Settings\EnriqueBouza\Configuración local\Temp\Perflib_Perfdata_12c8.dat Object is locked skipped
C:\Documents and Settings\EnriqueBouza\Configuración local\Temp\Perflib_Perfdata_1f80.dat Object is locked skipped
C:\Documents and Settings\EnriqueBouza\Configuración local\Temp\proxystop-tblauncher.log Object is locked skipped
C:\Documents and Settings\EnriqueBouza\Configuración local\Temp\tblauncher.log Object is locked skipped
C:\Documents and Settings\EnriqueBouza\Configuración local\Temp\toolbox_healer11980.log Object is locked skipped
C:\Documents and Settings\EnriqueBouza\Configuración local\Temp\~DFC50D.tmp Object is locked skipped
C:\Documents and Settings\EnriqueBouza\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\EnriqueBouza\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\EnriqueBouza\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService.NT AUTHORITY\Configuración local\Datos de programa\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService.NT AUTHORITY\Configuración local\Datos de programa\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService.NT AUTHORITY\Configuración local\Temp\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService.NT AUTHORITY\Configuración local\Temp\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService.NT AUTHORITY\Configuración local\Temp\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService.NT AUTHORITY\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService.NT AUTHORITY\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService.NT AUTHORITY\Configuración local\Datos de programa\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService.NT AUTHORITY\Configuración local\Datos de programa\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService.NT AUTHORITY\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService.NT AUTHORITY\ntuser.dat.LOG Object is locked skipped
C:\e3dd30e40a58a46a42fba40d\e50d24d33a6ddc541ea843635302\update\update.log Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{EF9A7EC0-5A45-49C0-AF36-D6A474CB0CBD}\RP14\A0001072.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ki skipped
C:\System Volume Information\_restore{EF9A7EC0-5A45-49C0-AF36-D6A474CB0CBD}\RP15\A0002120.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ki skipped
C:\System Volume Information\_restore{EF9A7EC0-5A45-49C0-AF36-D6A474CB0CBD}\RP15\A0002137.exe Infected: Trojan.Win32.Agent.aoy skipped
C:\System Volume Information\_restore{EF9A7EC0-5A45-49C0-AF36-D6A474CB0CBD}\RP15\A0002142.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.fp skipped
C:\System Volume Information\_restore{EF9A7EC0-5A45-49C0-AF36-D6A474CB0CBD}\RP15\A0002143.exe Infected: Trojan.Win32.Agent.aoy skipped
C:\System Volume Information\_restore{EF9A7EC0-5A45-49C0-AF36-D6A474CB0CBD}\RP15\A0002144.exe Infected: Trojan.Win32.Agent.aoy skipped
C:\System Volume Information\_restore{EF9A7EC0-5A45-49C0-AF36-D6A474CB0CBD}\RP15\A0002145.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ki skipped
C:\System Volume Information\_restore{EF9A7EC0-5A45-49C0-AF36-D6A474CB0CBD}\RP15\A0002146.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.kj skipped
C:\System Volume Information\_restore{EF9A7EC0-5A45-49C0-AF36-D6A474CB0CBD}\RP15\A0002147.exe Infected: Trojan.Win32.Agent.aoy skipped
C:\System Volume Information\_restore{EF9A7EC0-5A45-49C0-AF36-D6A474CB0CBD}\RP15\A0004151.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\System Volume Information\_restore{EF9A7EC0-5A45-49C0-AF36-D6A474CB0CBD}\RP15\A0005187.exe Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\System Volume Information\_restore{EF9A7EC0-5A45-49C0-AF36-D6A474CB0CBD}\RP15\A0005188.exe Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\System Volume Information\_restore{EF9A7EC0-5A45-49C0-AF36-D6A474CB0CBD}\RP17\A0006312.exe/data0000.cab/is67528.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.if skipped
C:\System Volume Information\_restore{EF9A7EC0-5A45-49C0-AF36-D6A474CB0CBD}\RP17\A0006312.exe/data0000.cab Infected: not-a-virus:AdWare.Win32.Virtumonde.if skipped
C:\System Volume Information\_restore{EF9A7EC0-5A45-49C0-AF36-D6A474CB0CBD}\RP17\A0006312.exe Rsrc-Package: infected - 2 skipped
C:\System Volume Information\_restore{EF9A7EC0-5A45-49C0-AF36-D6A474CB0CBD}\RP35\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{64783C1E-4B59-4848-954E-171682A7E94C}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\config\ACEEvent.evt Object is locked skipped
C:\WINDOWS\system32\config\Antivirus.Evt Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\Perflib_Perfdata_56c.dat Object is locked skipped
C:\WINDOWS\Temp\_avast4_\Webshlock.txt Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.
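The report above mixes three kinds of lines that call for different handling: "Object is locked skipped" entries (registry hives, event logs, the avast! database, all normal), detections inside an Outlook Express .dbx mail store, and detections inside System Restore snapshots. The following is an added example, not code from this thread or from Kaspersky: it parses lines in the Online Scanner report format, drops the locked-object noise, and sorts each real detection by where it lives, which is what decides the remediation step. The sample report is constructed from a few lines in the format shown above plus one hypothetical live hit (C:\WINDOWS\system32\hypothetical.dll, not present on the real system) so that the "live" branch is exercised.

```python
"""Triage a Kaspersky Online Scanner report by where each detection lives.

Added example for the thread above; not part of the original posts.
"""
import re
from collections import Counter

# Constructed sample in the report's format (a few real lines from the thread
# plus one hypothetical live hit so every branch below is exercised).
SAMPLE_REPORT = r"""
Infected Object Name / Virus Name / Last Action
C:\Archivos de programa\Avast4\DATA\aswResp.dat Object is locked skipped
C:\Documents and Settings\E\Configuración local\Datos de programa\Identities\{0FA4FDA7-FDC8-4015-8629-2A50518A125F}\Microsoft\Outlook Express\Comercial - Elementos eliminados.dbx/[From irivas@comsa.com][Date Thu, 21 Jun 2007 09:20:41 +0200]/data_comercial.zip/data.rtf .scr Infected: Email-Worm.Win32.NetSky.q skipped
C:\Documents and Settings\E\Configuración local\Datos de programa\Identities\{0FA4FDA7-FDC8-4015-8629-2A50518A125F}\Microsoft\Outlook Express\Comercial - Elementos eliminados.dbx Mail MS Outlook 5: infected - 6 skipped
C:\System Volume Information\_restore{EF9A7EC0-5A45-49C0-AF36-D6A474CB0CBD}\RP15\A0002137.exe Infected: Trojan.Win32.Agent.aoy skipped
C:\System Volume Information\_restore{EF9A7EC0-5A45-49C0-AF36-D6A474CB0CBD}\RP17\A0006312.exe/data0000.cab/is67528.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.if skipped
C:\WINDOWS\system32\hypothetical.dll Infected: Trojan.Win32.Agent.aoy skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
Scan process completed.
"""

# "<path> Infected: <detection name> <last action>"; archive members are
# appended to the outer file with "/" separators, so the path may contain them.
INFECTED_RE = re.compile(r"^(?P<path>.+?) Infected: (?P<name>\S+) (?P<action>\S+)$")
LOCKED_SUFFIX = " Object is locked skipped"
CONTAINER_MARK = ": infected - "   # summary line for a mail base or package

ADVICE = {
    "mail-store": "empty the Outlook Express folder (or delete the .dbx) and rescan; "
                  "an attachment in a .dbx runs only if someone opens it",
    "restore-point": "inert until a restore is run; purge System Restore once the "
                     "live system is clean, or the files come back",
    "live": "active detection on the filesystem: quarantine or remove, then rescan",
}


def classify(top_level_path):
    """Map the outermost file of a detection to the remediation it needs."""
    p = top_level_path.lower()
    if p.endswith(".dbx"):
        return "mail-store"
    if "\\system volume information\\_restore" in p:
        return "restore-point"
    return "live"


def triage(report_text):
    """Parse a report; return findings plus counts of lines that are only noise."""
    findings, locked, containers = [], 0, 0
    for raw in report_text.splitlines():
        line = raw.strip()
        if line.endswith(LOCKED_SUFFIX):
            locked += 1                 # in-use system files, not detections
            continue
        if CONTAINER_MARK in line:
            containers += 1             # "Mail MS Outlook 5: infected - 6": members already listed
            continue
        m = INFECTED_RE.match(line)
        if not m:
            continue                    # header, footer, or unknown line shape
        top = m.group("path").split("/", 1)[0]   # outer file, before any archive member
        findings.append({"file": top, "inner": m.group("path"), "name": m.group("name"),
                         "action": m.group("action"), "where": classify(top)})
    return {"findings": findings, "locked": locked, "containers": containers}


def summarize(findings):
    """Count detections per location and collect detection names per outer file."""
    by_where = Counter(f["where"] for f in findings)
    by_file = {}
    for f in findings:
        by_file.setdefault(f["file"], set()).add(f["name"])
    return by_where, by_file


if __name__ == "__main__":
    report = triage(SAMPLE_REPORT)
    by_where, by_file = summarize(report["findings"])
    for where, n in by_where.most_common():
        print(f"{where:14s} {n:3d}  -> {ADVICE[where]}")
    for path, names in sorted(by_file.items()):
        print(f"  {path}\n      {', '.join(sorted(names))}")
    print(f"locked/skipped (normal): {report['locked']}, container summaries: {report['containers']}")
```

Run against the real report above, every detection sorts into either the Deleted Items .dbx or a restore point and nothing lands in the "live" bucket, which is why the helper asks for the mail folder to be emptied and a rescan rather than for any file to be removed; the restore-point copies stay inert until a restore is run and are cleared by purging System Restore after the live system is confirmed clean.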

Moebius
2007-07-10, 09:11
And a fresh HijackThis:

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 8:10:26, on 10/07/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Archivos de programa\Avast4\aswUpdSv.exe
C:\Archivos de programa\Avast4\ashServ.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wwSecure.exe
C:\Archivos de programa\Avast4\ashMaiSv.exe
C:\Archivos de programa\Avast4\ashWebSv.exe
C:\ARCHIV~1\ARCHIV~1\Stardock\SDMCP.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
C:\ARCHIV~1\Avast4\ashDisp.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Archivos de programa\Picasa2\PicasaMediaDetector.exe
C:\Archivos de programa\ATI Technologies\ATI.ACE\cli.exe
C:\Archivos de programa\HP\HP Software Update\HPWuSchd2.exe
C:\Archivos de programa\Google\Google Desktop Search\GoogleDesktop.exe
C:\WINDOWS\system32\lexpps.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Archivos de programa\Google\Google Desktop Search\GoogleDesktop.exe
C:\Archivos de programa\CursorXP\CursorXP.exe
C:\Archivos de programa\Stardock\ObjectDock\ObjectDock.exe
C:\ARCHIV~1\HEWLET~1\Toolbox\STATUS~1\STATUS~1.EXE
C:\Archivos de programa\Hewlett-Packard\Toolbox\jre\bin\javaw.exe
C:\Archivos de programa\ATI Technologies\ATI.ACE\cli.exe
C:\Archivos de programa\ATI Technologies\ATI.ACE\cli.exe
C:\Archivos de programa\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\WISPTIS.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Archivos de programa\Outlook Express\msimn.exe
C:\WINDOWS\system32\cleanmgr.exe
C:\Archivos de programa\Internet Explorer\iexplore.exe
C:\Archivos de programa\Archivos comunes\Microsoft Shared\Source Engine\OSE.EXE
C:\Documents and Settings\EnriqueBouza\Mis documentos\Something.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.es/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
O2 - BHO: Aplicación auxiliar de vínculos de Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Archivos de programa\Archivos comunes\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\ARCHIV~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [avast!] C:\ARCHIV~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Archivos de programa\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Archivos de programa\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [HP Software Update] "C:\Archivos de programa\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Archivos de programa\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [CorelDRAW Graphics Suite 11b] C:\Archivos de programa\Corel\Corel Graphics 12\Languages\ES\Programs\Registration.exe /title="CorelDRAW Graphics Suite 12" /date=072007 serial=dr12cun-1353003-vhd lang=ES
O4 - HKLM\..\Run: [TomcatStartup 2.5] C:\Archivos de programa\Hewlett-Packard\Toolbox\hpbpsttp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [CursorXP] C:\Archivos de programa\CursorXP\CursorXP.exe
O4 - HKCU\..\RunOnce: [Index Washer] C:\Archivos de programa\Webroot\Washer\WashIdx.exe "EnriqueBouza"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICIO LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Servicio de red')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Stardock ObjectDock.lnk = C:\Archivos de programa\Stardock\ObjectDock\ObjectDock.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Archivos de programa\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\ARCHIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Referencia - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARCHIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe (file missing)
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{4492F9DD-6837-485B-B506-5AF475B49673}: NameServer = 62.151.2.8
O17 - HKLM\System\CS2\Services\Tcpip\..\{4492F9DD-6837-485B-B506-5AF475B49673}: NameServer = 62.151.2.8
O17 - HKLM\System\CS3\Services\Tcpip\..\{4492F9DD-6837-485B-B506-5AF475B49673}: NameServer = 62.151.2.8
O20 - AppInit_DLLs: C:\ARCHIV~1\Google\GOOGLE~2\GOEC62~1.DLL,wbsys.dll
O22 - SharedTaskScheduler: Precargador Browseui - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Demonio de caché de las categorías de componente - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Archivos de programa\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Archivos de programa\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Archivos de programa\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Archivos de programa\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Archivos de programa\Avast4\ashWebSv.exe
O23 - Service: Servicio del administrador de discos lógicos (dmadmin) - Unknown owner - C:\WINDOWS\System32\dmadmin.exe
O23 - Service: Registro de sucesos (Eventlog) - Unknown owner - C:\WINDOWS\system32\services.exe
O23 - Service: GoogleDesktopManager - Google - C:\Archivos de programa\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Archivos de programa\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Servicio COM de grabación de CD de IMAPI (ImapiService) - Unknown owner - C:\WINDOWS\system32\imapi.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Escritorio remoto compartido de NetMeeting (mnmsrvc) - Unknown owner - C:\WINDOWS\system32\mnmsrvc.exe
O23 - Service: Plug and Play (PlugPlay) - Unknown owner - C:\WINDOWS\system32\services.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Administrador de sesión de Ayuda de escritorio remoto (RDSessMgr) - Unknown owner - C:\WINDOWS\system32\sessmgr.exe
O23 - Service: Tarjeta inteligente (SCardSvr) - Unknown owner - C:\WINDOWS\System32\SCardSvr.exe
O23 - Service: Registros y alertas de rendimiento (SysmonLog) - Unknown owner - C:\WINDOWS\system32\smlogsvc.exe
O23 - Service: Instantáneas de volumen (VSS) - Unknown owner - C:\WINDOWS\System32\vssvc.exe
O23 - Service: Adaptador de rendimiento de WMI (WmiApSrv) - Unknown owner - C:\WINDOWS\system32\wbem\wmiapsrv.exe
O23 - Service: Servicio de uso compartido de red del Reproductor de Windows Media (WMPNetworkSvc) - Unknown owner - C:\Archivos de programa\Windows Media Player\WMPNetwk.exe
O23 - Service: Washer AutoComplete (wwSecSvc) - Webroot Software, Inc. - C:\WINDOWS\system32\wwSecure.exe

--
End of file - 8921 bytes

Shaba
2007-07-10, 11:56
Hi

Did you have troubles deleting those emails?

I ask because they are still there.

Moebius
2007-07-10, 16:23
I had trouble, but I deleted the username "E" and all of the associated folders in "Documents and Settings".

May I post another Kaspersky Log?

Shaba
2007-07-10, 16:26
Hi

Sure :)

Moebius
2007-07-11, 09:13
Well, here it is:

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 8:12:48, on 11/07/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Archivos de programa\Avast4\aswUpdSv.exe
C:\Archivos de programa\Avast4\ashServ.exe
C:\ARCHIV~1\ARCHIV~1\Stardock\SDMCP.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\rundll32.exe
C:\ARCHIV~1\Avast4\ashDisp.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Archivos de programa\Picasa2\PicasaMediaDetector.exe
C:\Archivos de programa\ATI Technologies\ATI.ACE\cli.exe
C:\Archivos de programa\HP\HP Software Update\HPWuSchd2.exe
C:\Archivos de programa\Google\Google Desktop Search\GoogleDesktop.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Archivos de programa\CursorXP\CursorXP.exe
C:\Archivos de programa\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Archivos de programa\Google\Google Desktop Search\GoogleDesktop.exe
C:\Archivos de programa\Google\Google Updater\GoogleUpdater.exe
C:\Archivos de programa\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Archivos de programa\Stardock\ObjectDock\ObjectDock.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\ARCHIV~1\HEWLET~1\Toolbox\STATUS~1\STATUS~1.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wwSecure.exe
C:\Archivos de programa\Avast4\ashMaiSv.exe
C:\Archivos de programa\Avast4\ashWebSv.exe
C:\Archivos de programa\Hewlett-Packard\Toolbox\jre\bin\javaw.exe
C:\Archivos de programa\ATI Technologies\ATI.ACE\cli.exe
C:\Archivos de programa\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Archivos de programa\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\EnriqueBouza\Mis documentos\Something.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.es/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
O2 - BHO: Aplicación auxiliar de vínculos de Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Archivos de programa\Archivos comunes\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\ARCHIV~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\archivos de programa\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Archivos de programa\Google\GoogleToolbarNotifier\2.0.301.5672\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\archivos de programa\google\googletoolbar1.dll
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [avast!] C:\ARCHIV~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Archivos de programa\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Archivos de programa\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [HP Software Update] "C:\Archivos de programa\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Archivos de programa\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [CorelDRAW Graphics Suite 11b] C:\Archivos de programa\Corel\Corel Graphics 12\Languages\ES\Programs\Registration.exe /title="CorelDRAW Graphics Suite 12" /date=072007 serial=dr12cun-1353003-vhd lang=ES
O4 - HKLM\..\Run: [TomcatStartup 2.5] C:\Archivos de programa\Hewlett-Packard\Toolbox\hpbpsttp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [CursorXP] C:\Archivos de programa\CursorXP\CursorXP.exe
O4 - HKCU\..\Run: [swg] C:\Archivos de programa\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICIO LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Servicio de red')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Stardock ObjectDock.lnk = C:\Archivos de programa\Stardock\ObjectDock\ObjectDock.exe
O4 - Global Startup: Google Updater.lnk = C:\Archivos de programa\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Archivos de programa\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\ARCHIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Referencia - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARCHIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe (file missing)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/5m/virtools.download.akamai.com/6712/player/install/installer.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{4492F9DD-6837-485B-B506-5AF475B49673}: NameServer = 62.151.2.8
O17 - HKLM\System\CS2\Services\Tcpip\..\{4492F9DD-6837-485B-B506-5AF475B49673}: NameServer = 62.151.2.8
O17 - HKLM\System\CS3\Services\Tcpip\..\{4492F9DD-6837-485B-B506-5AF475B49673}: NameServer = 62.151.2.8
O20 - AppInit_DLLs: C:\ARCHIV~1\Google\GOOGLE~2\GOEC62~1.DLL,wbsys.dll
O22 - SharedTaskScheduler: Precargador Browseui - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Demonio de caché de las categorías de componente - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Archivos de programa\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Archivos de programa\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Archivos de programa\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Archivos de programa\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Archivos de programa\Avast4\ashWebSv.exe
O23 - Service: Servicio del administrador de discos lógicos (dmadmin) - Unknown owner - C:\WINDOWS\System32\dmadmin.exe
O23 - Service: Registro de sucesos (Eventlog) - Unknown owner - C:\WINDOWS\system32\services.exe
O23 - Service: GoogleDesktopManager - Google - C:\Archivos de programa\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Archivos de programa\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Servicio COM de grabación de CD de IMAPI (ImapiService) - Unknown owner - C:\WINDOWS\system32\imapi.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Escritorio remoto compartido de NetMeeting (mnmsrvc) - Unknown owner - C:\WINDOWS\system32\mnmsrvc.exe
O23 - Service: Plug and Play (PlugPlay) - Unknown owner - C:\WINDOWS\system32\services.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Administrador de sesión de Ayuda de escritorio remoto (RDSessMgr) - Unknown owner - C:\WINDOWS\system32\sessmgr.exe
O23 - Service: Tarjeta inteligente (SCardSvr) - Unknown owner - C:\WINDOWS\System32\SCardSvr.exe
O23 - Service: Registros y alertas de rendimiento (SysmonLog) - Unknown owner - C:\WINDOWS\system32\smlogsvc.exe
O23 - Service: Instantáneas de volumen (VSS) - Unknown owner - C:\WINDOWS\System32\vssvc.exe
O23 - Service: Adaptador de rendimiento de WMI (WmiApSrv) - Unknown owner - C:\WINDOWS\system32\wbem\wmiapsrv.exe
O23 - Service: Servicio de uso compartido de red del Reproductor de Windows Media (WMPNetworkSvc) - Unknown owner - C:\Archivos de programa\Windows Media Player\WMPNetwk.exe
O23 - Service: Washer AutoComplete (wwSecSvc) - Webroot Software, Inc. - C:\WINDOWS\system32\wwSecure.exe

--
End of file - 9337 bytes

Moebius
2007-07-11, 11:30
Nombre del objeto infectado / Nombre del virus / Última acción

Análisis completado.

Shaba
2007-07-11, 11:57
Hi

That looks good :)

Still problems?

Moebius
2007-07-11, 13:06
No, the problems were gone after the first cleaning with VundoFix and Combofix.

It's the second time you've saved my computer; please receive my most sincere regards... again.

Shaba
2007-07-11, 13:13
Hi

Then you're clean!

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:

Looking over your log, it seems you don't have any evidence of a third party firewall.

As the term conveys, a firewall is an extra layer of security installed onto computers, which restricts access to systems from the outside world. Firewalls protect against hackers and malicious intruders. I want you to download a free firewall NOW from one of these excellent vendors:

1) ZoneAlarm (http://www.zonelabs.com/store/content/catalog/products/sku_list_za.jsp?dc=12bms&ctry=US&lang=en&lid=nav_za)
2) Agnitum (http://www.agnitum.com/products/outpostfree/download.php)
3) Sunbelt/Kerio (http://www.sunbelt-software.com/Kerio-Download.cfm)
4) Comodo (http://www.personalfirewall.comodo.com/)

If you are using the built-in Windows XP firewall, it is not recommended as it does not block outgoing connections. This means that any malware on your computer is free to "phone home" for more instructions. Simply put, Windows XP contains a mediocre firewall. This firewall is NO replacement for a dedicated software solution. Remember to use only one firewall at the same time.

Disable and Enable System Restore. - If you are using Windows XP then you should disable and re-enable system restore to make sure there are no infected files found in a restore point.

You can find instructions on how to disable and re-enable system restore here:

Windows XP System Restore Guide (http://www.bleepingcomputer.com/forums/tutorial56.html)

Re-enable system restore with instructions from the tutorial above.

Make your Internet Explorer more secure - This can be done by following these simple instructions:
From within Internet Explorer click on the Tools menu and then click on Options.
Click once on the Security tab.
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.
Change the Download signed ActiveX controls to Prompt.
Change the Download unsigned ActiveX controls to Disable.
Change the Initialize and script ActiveX controls not marked as safe to Disable.
Change the Installation of desktop items to Prompt.
Change the Launching programs and files in an IFRAME to Prompt.
Change the Navigate sub-frames across different domains to Prompt.
When all these settings have been made, click on the OK button.
If it prompts you as to whether or not you want to save the settings, press the Yes button.
Next press the Apply button and then the OK to exit the Internet Properties page.

Use AntiVirus Software - It is very important that your computer has anti-virus software running on it. This alone can save you a lot of trouble with malware in the future.

See this link for a listing of some online and stand-alone antivirus programs:

Virus, Spyware, and Malware Protection and Removal Resources (http://www.bleepingcomputer.com/forums/topic405.html)


Update your AntiVirus Software - It is imperative that you update your Antivirus software at least once a week (even more often if you wish). If you do not update your antivirus software, then it will not be able to catch any of the new variants that may come out.


Use a Firewall - I cannot stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.

For a tutorial on Firewalls and a listing of some available ones see the link below:

Understanding and Using Firewalls (http://www.bleepingcomputer.com/tutorials/tutorial60.html)


Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer always has the latest security updates available installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.


Install Ad-Aware - Download and install Ad-Aware. You should also scan your computer with this program on a regular basis, just as you would with antivirus software, in conjunction with Spybot.

A tutorial on installing & using this product can be found here:

Using Ad-aware to remove Spyware, Malware, & Hijackers from Your Computer (http://www.bleepingcomputer.com/forums/?showtutorial=48)


Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

A tutorial on installing & using this product can be found here:

Using SpywareBlaster to protect your computer from Spyware and Malware (http://www.bleepingcomputer.com/tutorials/tutorial49.html)


Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will reduce dramatically.

Here are some additional utilities that will enhance your safety

IE/Spyad (http://www.spywarewarrior.com/uiuc/resource.htm) <= IE/Spyad places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
MVPS Hosts file (http://mvps.org/winhelp2002/hosts.htm) <= The MVPS Hosts file replaces your current HOSTS file with one containing well-known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.
Comodo BOCLEAN (http://www.comodo.com/boclean/boclean.html) <= Stop identity thieves from getting personal information. Instantly detects well over 1,000,000 unique, variant and repack malware in total. And it's free.
Winpatrol (http://www.winpatrol.com/) <= Download and install the free version of Winpatrol. A tutorial for this product is located here:
Using Winpatrol to protect your computer from malicious software (http://www.winpatrol.com/features.html)

Stand Up and Be Counted ---> Malware Complaints (http://www.malwarecomplaints.info/index.php) <--- where you can make a difference!

The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.

Also, please read this great article by Tony Klein So How Did I Get Infected In First Place (http://castlecops.com/postlite7736-.html)

Happy surfing and stay clean!
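
The HOSTS-file mechanism mentioned in the post above (a blocklist redirects ad and malware names to 127.0.0.1 so the computer never reaches them), as an added example that is not code from this thread or from the MVPS project: a small Python audit that parses a HOSTS file, counts the names it sinkholes, and goes one step further by flagging any name sent to a non-local address, which is what a hijacked HOSTS file looks like. The sample file, its hostnames and the address 192.0.2.10 are constructed placeholders.

```python
"""Audit a Windows HOSTS file: count blocklist (sinkhole) entries and flag
names redirected anywhere else.

Added example for this thread, not code from the post or from the MVPS
project.  The sample HOSTS text and every hostname in it are constructed
placeholders (.test names, documentation address 192.0.2.10).
"""
import ipaddress

# Constructed sample of a HOSTS file after a blocklist has been installed:
# Microsoft's header comments, the default localhost lines, one hostname
# or several per line, inline comments, and two entries that point real
# looking names at a remote address (what a hijacked HOSTS file does).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
::1             localhost

# [constructed blocklist section]
127.0.0.1  ads.example-tracker.test            # ad server
127.0.0.1  counter.example-stats.test stats.example-stats.test
0.0.0.0    banners.example-adnet.test

# [constructed entries a hijacker might add; these need review]
192.0.2.10 update.example-antivirus.test
192.0.2.10 www.example-bank.test
"""


def parse_hosts(text):
    """Return (address, hostname) pairs from HOSTS-file text.

    Handles full-line and trailing '#' comments, blank lines, and several
    hostnames on one line (each maps to the same address).  Lines whose
    first field is not a valid IP address are skipped, not guessed at.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        for host in fields[1:]:
            entries.append((addr, host.lower()))
    return entries


def is_sinkhole(addr):
    """True when the address keeps a name from reaching any real host:
    loopback (127.0.0.1 / ::1, the local computer) or the unspecified
    address 0.0.0.0, which some blocklists use instead."""
    return addr.is_loopback or addr.is_unspecified


def audit_hosts(text):
    """Classify every HOSTS entry.

    sinkholed    -> names sent to loopback/unspecified (the blocklist)
    redirected   -> names sent to any other address; a HOSTS file that
                    points a vendor, update or bank name at a remote host
                    is a hijack indicator and deserves a manual look
    localhost_ok -> False if 'localhost' itself no longer maps to loopback
    """
    sinkholed, redirected, localhost_ok = [], {}, True
    for addr, host in parse_hosts(text):
        if host == "localhost":
            if not addr.is_loopback:
                localhost_ok = False
            continue
        if is_sinkhole(addr):
            sinkholed.append(host)
        else:
            redirected[host] = str(addr)
    return {"sinkholed": sinkholed, "redirected": redirected,
            "localhost_ok": localhost_ok}


if __name__ == "__main__":
    report = audit_hosts(SAMPLE_HOSTS)
    print(f"{len(report['sinkholed'])} names sinkholed by the blocklist")
    for host, addr in report["redirected"].items():
        print(f"REVIEW: {host} -> {addr}")
    if not report["localhost_ok"]:
        print("WARNING: localhost no longer resolves to loopback")
```

On a real machine, read C:\WINDOWS\system32\drivers\etc\hosts into `audit_hosts` and review every entry in `redirected`; a blocklist should only ever produce `sinkholed` names.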

Shaba
2007-07-13, 12:30
Since this issue appears resolved ... this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team
a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.