"Houston I have a problem" req. virus removal



wazari
2007-12-04, 16:36
Dear All, my computer has been infected, I think, by many viruses and I can't seem to remove them. I have already run Kaspersky Anti-Virus, and I need help to move forward in order to remove the infection from my PC. Thank you very much for your time and attention.
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true
Scan Target - Folders: C:\
Scan Statistics:
Total number of scanned objects: 99298
Number of viruses found: 9
Number of infected objects: 38
Number of suspicious objects: 0
Duration of the scan process: 01:00:55
Infected Object Name / Virus Name / Last Action
C:\Archivos de programa\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe Infected: Trojan-Downloader.Win32.Bagle.fu skipped
C:\Archivos de programa\Microsoft Office\Office12\XLSTART\PDFWriter.xla Object is locked skipped
C:\Archivos de programa\Microsoft SQL Server\MSSQL.1\MSSQL\Data\master.mdf Object is locked skipped
C:\Archivos de programa\Microsoft SQL Server\MSSQL.1\MSSQL\Data\mastlog.ldf Object is locked skipped
C:\Archivos de programa\Microsoft SQL Server\MSSQL.1\MSSQL\Data\model.mdf Object is locked skipped
C:\Archivos de programa\Microsoft SQL Server\MSSQL.1\MSSQL\Data\modellog.ldf Object is locked skipped
C:\Archivos de programa\Microsoft SQL Server\MSSQL.1\MSSQL\Data\msdbdata.mdf Object is locked skipped
C:\Archivos de programa\Microsoft SQL Server\MSSQL.1\MSSQL\Data\msdblog.ldf Object is locked skipped
C:\Archivos de programa\Microsoft SQL Server\MSSQL.1\MSSQL\Data\tempdb.mdf Object is locked skipped
C:\Archivos de programa\Microsoft SQL Server\MSSQL.1\MSSQL\Data\templog.ldf Object is locked skipped
C:\Archivos de programa\Microsoft SQL Server\MSSQL.1\MSSQL\LOG\ERRORLOG Object is locked skipped
C:\Archivos de programa\Microsoft SQL Server\MSSQL.1\MSSQL\LOG\log_53.trc Object is locked skipped
C:\Documents and Settings\All Users\Datos de programa\driver.exe Infected: Trojan-Dropper.Win32.Mudrop.ek skipped
C:\Documents and Settings\All Users\Datos de programa\waults.exe Infected: Virus.Win32.AutoRun.fw skipped
C:\Documents and Settings\LocalService\Configuración local\Archivos temporales de Internet\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Configuración local\Datos de programa\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Configuración local\Datos de programa\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Configuración local\Historial\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Configuración local\Datos de programa\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Configuración local\Datos de programa\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Configuración local\Temp\Perflib_Perfdata_624.dat Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\par01sg.UNDP\Configuración local\Archivos temporales de Internet\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\par01sg.UNDP\Configuración local\Archivos temporales de Internet\Content.IE5\4QNRH3MT\bind[2].htm Object is locked skipped
C:\Documents and Settings\par01sg.UNDP\Configuración local\Archivos temporales de Internet\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\par01sg.UNDP\Configuración local\Archivos temporales de Internet\Content.Word\~WRF{B52088A9-9E3C-44FD-834C-E078AFEFDCE0}.tmp Object is locked skipped
C:\Documents and Settings\par01sg.UNDP\Configuración local\Archivos temporales de Internet\Content.Word\~WRS{244A8AA2-E618-4867-BA51-A82823BE896F}.tmp Object is locked skipped
C:\Documents and Settings\par01sg.UNDP\Configuración local\Archivos temporales de Internet\Content.Word\~WRS{B197E6C3-2923-497E-AC40-6B76D98503A2}.tmp Object is locked skipped
C:\Documents and Settings\par01sg.UNDP\Configuración local\Archivos temporales de Internet\Content.Word\~WRS{D278F70C-FC74-47F6-B028-08C62F43FDAB}.tmp Object is locked skipped
C:\Documents and Settings\par01sg.UNDP\Configuración local\Datos de programa\ApplicationHistory\cli.exe.72313fbf.ini.inuse Object is locked skipped
C:\Documents and Settings\par01sg.UNDP\Configuración local\Datos de programa\Google\Google Desktop\b55fa48c5337\dbc2e.ht1 Object is locked skipped
C:\Documents and Settings\par01sg.UNDP\Configuración local\Datos de programa\Google\Google Desktop\b55fa48c5337\dbdam Object is locked skipped
C:\Documents and Settings\par01sg.UNDP\Configuración local\Datos de programa\Google\Google Desktop\b55fa48c5337\dbdao Object is locked skipped
C:\Documents and Settings\par01sg.UNDP\Configuración local\Datos de programa\Google\Google Desktop\b55fa48c5337\dbeam Object is locked skipped
C:\Documents and Settings\par01sg.UNDP\Configuración local\Datos de programa\Google\Google Desktop\b55fa48c5337\dbeao Object is locked skipped
C:\Documents and Settings\par01sg.UNDP\Configuración local\Datos de programa\Google\Google Desktop\b55fa48c5337\dbm Object is locked skipped
C:\Documents and Settings\par01sg.UNDP\Configuración local\Datos de programa\Google\Google Desktop\b55fa48c5337\dbu2d.ht1 Object is locked skipped
C:\Documents and Settings\par01sg.UNDP\Configuración local\Datos de programa\Google\Google Desktop\b55fa48c5337\dbvm.cf1 Object is locked skipped
C:\Documents and Settings\par01sg.UNDP\Configuración local\Datos de programa\Google\Google Desktop\b55fa48c5337\dbvmh.ht1 Object is locked skipped
C:\Documents and Settings\par01sg.UNDP\Configuración local\Datos de programa\Google\Google Desktop\b55fa48c5337\fii.cf1 Object is locked skipped
C:\Documents and Settings\par01sg.UNDP\Configuración local\Datos de programa\Google\Google Desktop\b55fa48c5337\fiih.ht1 Object is locked skipped
C:\Documents and Settings\par01sg.UNDP\Configuración local\Datos de programa\Google\Google Desktop\b55fa48c5337\hp Object is locked skipped
C:\Documents and Settings\par01sg.UNDP\Configuración local\Datos de programa\Google\Google Desktop\b55fa48c5337\hpt2i.ht1 Object is locked skipped
C:\Documents and Settings\par01sg.UNDP\Configuración local\Datos de programa\Google\Google Desktop\b55fa48c5337\rpm.cf1 Object is locked skipped
C:\Documents and Settings\par01sg.UNDP\Configuración local\Datos de programa\Google\Google Desktop\b55fa48c5337\rpm1m.cf1 Object is locked skipped
C:\Documents and Settings\par01sg.UNDP\Configuración local\Datos de programa\Google\Google Desktop\b55fa48c5337\rpm1mh.ht1 Object is locked skipped
C:\Documents and Settings\par01sg.UNDP\Configuración local\Datos de programa\Google\Google Desktop\b55fa48c5337\rpmh.ht1 Object is locked skipped
C:\Documents and Settings\par01sg.UNDP\Configuración local\Datos de programa\Google\Google Desktop\b55fa48c5337\safeweb\goog-black-enchashm.cf1 Object is locked skipped
C:\Documents and Settings\par01sg.UNDP\Configuración local\Datos de programa\Google\Google Desktop\b55fa48c5337\safeweb\goog-black-enchashmh.ht1 Object is locked skipped
C:\Documents and Settings\par01sg.UNDP\Configuración local\Datos de programa\Google\Google Desktop\b55fa48c5337\safeweb\goog-black-urlm.cf1 Object is locked skipped
C:\Documents and Settings\par01sg.UNDP\Configuración local\Datos de programa\Google\Google Desktop\b55fa48c5337\safeweb\goog-black-urlmh.ht1 Object is locked skipped
C:\Documents and Settings\par01sg.UNDP\Configuración local\Datos de programa\Google\Google Desktop\b55fa48c5337\safeweb\goog-malware-domainm.cf1 Object is locked skipped
C:\Documents and Settings\par01sg.UNDP\Configuración local\Datos de programa\Google\Google Desktop\b55fa48c5337\safeweb\goog-malware-domainmh.ht1 Object is locked skipped
C:\Documents and Settings\par01sg.UNDP\Configuración local\Datos de programa\Google\Google Desktop\b55fa48c5337\safeweb\goog-white-domainm.cf1 Object is locked skipped
C:\Documents and Settings\par01sg.UNDP\Configuración local\Datos de programa\Google\Google Desktop\b55fa48c5337\safeweb\goog-white-domainmh.ht1 Object is locked skipped
C:\Documents and Settings\par01sg.UNDP\Configuración local\Datos de programa\Microsoft\Business Contact Manager\MSSmallBusinessOutlook_desconectada.ldf Object is locked skipped
C:\Documents and Settings\par01sg.UNDP\Configuración local\Datos de programa\Microsoft\Business Contact Manager\MSSmallBusinessOutlook_desconectada.mdf Object is locked skipped
C:\Documents and Settings\par01sg.UNDP\Configuración local\Datos de programa\Microsoft\Feeds Cache\index.dat Object is locked skipped
C:\Documents and Settings\par01sg.UNDP\Configuración local\Datos de programa\Microsoft\Media Player\CurrentDatabase_360.wmdb Object is locked skipped
C:\Documents and Settings\par01sg.UNDP\Configuración local\Datos de programa\Microsoft\Messenger\sgrisetti@hotmail.com\SharingMetadata\Logs\Dfsr00005.log Object is locked skipped
C:\Documents and Settings\par01sg.UNDP\Configuración local\Datos de programa\Microsoft\Messenger\sgrisetti@hotmail.com\SharingMetadata\pending.dat Object is locked skipped
C:\Documents and Settings\par01sg.UNDP\Configuración local\Datos de programa\Microsoft\Messenger\sgrisetti@hotmail.com\SharingMetadata\Working\database_5478_7D9_7807_B8AE\dfsr.db Object is locked skipped
C:\Documents and Settings\par01sg.UNDP\Configuración local\Datos de programa\Microsoft\Messenger\sgrisetti@hotmail.com\SharingMetadata\Working\database_5478_7D9_7807_B8AE\fsr.log Object is locked skipped
C:\Documents and Settings\par01sg.UNDP\Configuración local\Datos de programa\Microsoft\Messenger\sgrisetti@hotmail.com\SharingMetadata\Working\database_5478_7D9_7807_B8AE\fsrtmp.log Object is locked skipped
C:\Documents and Settings\par01sg.UNDP\Configuración local\Datos de programa\Microsoft\Messenger\sgrisetti@hotmail.com\SharingMetadata\Working\database_5478_7D9_7807_B8AE\tmp.edb Object is locked skipped
C:\Documents and Settings\par01sg.UNDP\Configuración local\Datos de programa\Microsoft\Outlook\archive.pst/Archive Folders/Sent Items/20 Oct 1999 14:58 to Sara Fracchia:Re: LISTA DE INTERNOS/listado de internos.doc Infected: Virus.MSWord.Bogor.b skipped
C:\Documents and Settings\par01sg.UNDP\Configuración local\Datos de programa\Microsoft\Outlook\archive.pst/Archive Folders/Sent Items/09 Nov 1999 20:07 to All Staff Paraguay:lista de Internos/listado de internos.doc Infected: Virus.MSWord.Bogor.b skipped
C:\Documents and Settings\par01sg.UNDP\Configuración local\Datos de programa\Microsoft\Outlook\archive.pst Mail MS Mail: infected - 2 skipped
C:\Documents and Settings\par01sg.UNDP\Configuración local\Datos de programa\Microsoft\Outlook\archive1.pst Object is locked skipped
C:\Documents and Settings\par01sg.UNDP\Configuración local\Datos de programa\Microsoft\Outlook\outlook.pst Object is locked skipped
C:\Documents and Settings\par01sg.UNDP\Configuración local\Datos de programa\Microsoft\Outlook\~archive1.pst.tmp Object is locked skipped
C:\Documents and Settings\par01sg.UNDP\Configuración local\Datos de programa\Microsoft\Outlook\~Outlook.pst.tmp Object is locked skipped
C:\Documents and Settings\par01sg.UNDP\Configuración local\Datos de programa\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\par01sg.UNDP\Configuración local\Datos de programa\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\par01sg.UNDP\Configuración local\Datos de programa\Microsoft\Windows Live Contacts\sgrisetti@hotmail.com\real\members.stg Object is locked skipped
C:\Documents and Settings\par01sg.UNDP\Configuración local\Datos de programa\Microsoft\Windows Live Contacts\sgrisetti@hotmail.com\shadow\members.stg Object is locked skipped
C:\Documents and Settings\par01sg.UNDP\Configuración local\Datos de programa\Microsoft\Windows Media\11.0\WMSDKNSD.XML Object is locked skipped
C:\Documents and Settings\par01sg.UNDP\Configuración local\Historial\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\par01sg.UNDP\Configuración local\Historial\History.IE5\MSHist012007120420071205\index.dat Object is locked skipped
C:\Documents and Settings\par01sg.UNDP\Configuración local\Temp\Perflib_Perfdata_60c.dat Object is locked skipped
C:\Documents and Settings\par01sg.UNDP\Configuración local\Temp\Perflib_Perfdata_a78.dat Object is locked skipped
C:\Documents and Settings\par01sg.UNDP\Configuración local\Temp\~DF4F41.tmp Object is locked skipped
C:\Documents and Settings\par01sg.UNDP\Configuración local\Temp\~DF4F73.tmp Object is locked skipped
C:\Documents and Settings\par01sg.UNDP\Configuración local\Temp\~DF870D.tmp Object is locked skipped
C:\Documents and Settings\par01sg.UNDP\Configuración local\Temp\~DF93DB.tmp Object is locked skipped
C:\Documents and Settings\par01sg.UNDP\Configuración local\Temp\~DF9B1.tmp Object is locked skipped
C:\Documents and Settings\par01sg.UNDP\Configuración local\Temp\~DF9C0.tmp Object is locked skipped
C:\Documents and Settings\par01sg.UNDP\Configuración local\Temp\~DFB016.tmp Object is locked skipped
C:\Documents and Settings\par01sg.UNDP\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\par01sg.UNDP\Datos de programa\Gtek\GTUpdate\AUpdate\DellSupport\AUPNP.log Object is locked skipped
C:\Documents and Settings\par01sg.UNDP\Datos de programa\Gtek\GTUpdate\AUpdate\DellSupport\DSAgnt.log Object is locked skipped
C:\Documents and Settings\par01sg.UNDP\Datos de programa\Gtek\GTUpdate\AUpdate\DellSupport\DSAgnt_GTActions.log Object is locked skipped
C:\Documents and Settings\par01sg.UNDP\Datos de programa\Gtek\GTUpdate\AUpdate\DellSupport\gdql_d_DSAgnt.log Object is locked skipped
C:\Documents and Settings\par01sg.UNDP\Datos de programa\Gtek\GTUpdate\AUpdate\DellSupport\glog.log Object is locked skipped
C:\Documents and Settings\par01sg.UNDP\Datos de programa\Microsoft\Outlook\Outlook.NK2 Object is locked skipped
C:\Documents and Settings\par01sg.UNDP\Datos de programa\Microsoft\Outlook\Outlook.srs Object is locked skipped
C:\Documents and Settings\par01sg.UNDP\Datos de programa\Microsoft\Plantillas\Normal.dotm Object is locked skipped
C:\Documents and Settings\par01sg.UNDP\Datos de programa\Microsoft\Plantillas\NormalEmail.dotm Object is locked skipped
C:\Documents and Settings\par01sg.UNDP\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\par01sg.UNDP\ntuser.dat.LOG Object is locked skipped
C:\RECYCLER\S-1-5-21-3036958234-996025526-3834976860-1140\Dc15.zip/InterVideo DVD Copy Platinum 5.0B.004.24C00.exe Infected: Trojan-Downloader.Win32.Bagle.cq skipped
C:\RECYCLER\S-1-5-21-3036958234-996025526-3834976860-1140\Dc15.zip ZIP: infected - 1 skipped
C:\RECYCLER\S-1-5-21-3036958234-996025526-3834976860-1140\Dc16.zip/InterVideo DVD Copy Platinum 5.0B.004.24C00.exe Infected: Trojan-Downloader.Win32.Bagle.fu skipped
C:\RECYCLER\S-1-5-21-3036958234-996025526-3834976860-1140\Dc16.zip ZIP: infected - 1 skipped
C:\RECYCLER\S-1-5-21-3036958234-996025526-3834976860-1140\Dc17.zip/InterVideo DVD Copy Platinum 5.0B.004.24C00.exe Infected: Trojan-Downloader.Win32.Bagle.fu skipped
C:\RECYCLER\S-1-5-21-3036958234-996025526-3834976860-1140\Dc17.zip ZIP: infected - 1 skipped
C:\RECYCLER\S-1-5-21-3036958234-996025526-3834976860-1140\Dc8.exe Infected: Trojan-Downloader.Win32.Bagle.fu skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{C93A7264-03D8-483A-8AF4-E1E03C0454AA}\RP85\A0018276.exe Infected: Trojan-Downloader.Win32.Bagle.fu skipped
C:\System Volume Information\_restore{C93A7264-03D8-483A-8AF4-E1E03C0454AA}\RP85\A0018277.sys Infected: Trojan-Downloader.Win32.Bagle.fv skipped
C:\System Volume Information\_restore{C93A7264-03D8-483A-8AF4-E1E03C0454AA}\RP86\A0018514.exe Infected: Trojan-Downloader.Win32.Bagle.fu skipped
C:\System Volume Information\_restore{C93A7264-03D8-483A-8AF4-E1E03C0454AA}\RP86\A0018517.sys Infected: Trojan-Downloader.Win32.Bagle.fv skipped
C:\System Volume Information\_restore{C93A7264-03D8-483A-8AF4-E1E03C0454AA}\RP86\A0021585.exe Infected: Trojan-Downloader.Win32.Bagle.fu skipped
C:\System Volume Information\_restore{C93A7264-03D8-483A-8AF4-E1E03C0454AA}\RP86\A0021587.sys Infected: Trojan-Downloader.Win32.Bagle.fv skipped
C:\System Volume Information\_restore{C93A7264-03D8-483A-8AF4-E1E03C0454AA}\RP92\A0024966.exe Infected: Trojan-Downloader.Win32.Bagle.fu skipped
C:\System Volume Information\_restore{C93A7264-03D8-483A-8AF4-E1E03C0454AA}\RP92\A0024969.sys Infected: Trojan-Downloader.Win32.Bagle.fv skipped
C:\System Volume Information\_restore{C93A7264-03D8-483A-8AF4-E1E03C0454AA}\RP92\A0024988.exe Infected: Trojan-Downloader.Win32.Bagle.fu skipped
C:\System Volume Information\_restore{C93A7264-03D8-483A-8AF4-E1E03C0454AA}\RP92\A0024992.sys Infected: Trojan-Downloader.Win32.Bagle.fv skipped
C:\System Volume Information\_restore{C93A7264-03D8-483A-8AF4-E1E03C0454AA}\RP94\A0025050.exe Infected: Trojan-Downloader.Win32.Bagle.fu skipped
C:\System Volume Information\_restore{C93A7264-03D8-483A-8AF4-E1E03C0454AA}\RP94\A0025053.sys Infected: Trojan-Downloader.Win32.Bagle.fv skipped
C:\System Volume Information\_restore{C93A7264-03D8-483A-8AF4-E1E03C0454AA}\RP95\A0025198.exe Infected: Trojan-Downloader.Win32.Bagle.fu skipped
C:\System Volume Information\_restore{C93A7264-03D8-483A-8AF4-E1E03C0454AA}\RP95\A0025203.sys Infected: Trojan-Downloader.Win32.Bagle.fv skipped
C:\System Volume Information\_restore{C93A7264-03D8-483A-8AF4-E1E03C0454AA}\RP95\A0025204.exe Infected: Trojan-Downloader.Win32.Bagle.gi skipped
C:\System Volume Information\_restore{C93A7264-03D8-483A-8AF4-E1E03C0454AA}\RP95\A0025221.exe Infected: Trojan-Downloader.Win32.Bagle.fu skipped
C:\System Volume Information\_restore{C93A7264-03D8-483A-8AF4-E1E03C0454AA}\RP95\A0025224.sys Infected: Trojan-Downloader.Win32.Bagle.fv skipped
C:\System Volume Information\_restore{C93A7264-03D8-483A-8AF4-E1E03C0454AA}\RP95\A0025243.exe Infected: Trojan-Downloader.Win32.Bagle.fu skipped
C:\System Volume Information\_restore{C93A7264-03D8-483A-8AF4-E1E03C0454AA}\RP95\A0025247.sys Infected: Trojan-Downloader.Win32.Bagle.fv skipped
C:\System Volume Information\_restore{C93A7264-03D8-483A-8AF4-E1E03C0454AA}\RP95\A0025248.exe Infected: Trojan-Downloader.Win32.Bagle.gi skipped
C:\System Volume Information\_restore{C93A7264-03D8-483A-8AF4-E1E03C0454AA}\RP95\change.log Object is locked skipped
C:\vnc\VNCHooks.dll Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.332 skipped
C:\vnc\WinVNC.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.a skipped
C:\WINDOWS\CSC\00000001 Object is locked skipped
C:\WINDOWS\Debug\Netlogon.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\exefld\124421.exe Infected: Trojan-Downloader.Win32.Bagle.gi skipped
C:\WINDOWS\exefld\146375.exe Infected: Trojan-Downloader.Win32.Bagle.gi skipped
C:\WINDOWS\exefld\305421.exe Infected: Trojan-Downloader.Win32.Bagle.gi skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped

wazari
2007-12-04, 16:38
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\ACEEvent.evt Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\DEFAULT Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\ODiag.evt Object is locked skipped
C:\WINDOWS\system32\config\OSession.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\SOFTWARE Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SYSTEM Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
Scan process completed.

Mr_JAk3
2007-12-04, 20:22
Hello wazari and welcome to the Forums :)

You're infected.

Are you able to post a HijackThis log to here?


Download HJTInstall.exe (http://www.trendsecure.com/portal/en-US/threat_analytics/HJTInstall.exe) to your Desktop.
Double-click HJTInstall.exe to install it.
By default it will install to C:\Program Files\Trend Micro\HijackThis.
Click on Install.
It will create a HijackThis icon on the desktop.
Once installed, it will launch HijackThis.
Click on the Do a system scan and save a logfile button. It will scan and the log should open in Notepad.
Copy/paste the log to your next reply please.

Don't use the Analyse This button; its findings are dangerous if misinterpreted.
DO NOT have HijackThis fix anything yet. Most of what it finds will be harmless or even required.

wazari
2007-12-04, 21:55
Thank you very much for your response. Here is the HijackThis report.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 05:41:33 p.m., on 04/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Archivos de programa\Broadcom\ASFIPMon\AsfIpMon.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\All Users\Datos de programa\waults.exe
C:\WINDOWS\system32\ICO.EXE
C:\Archivos de programa\Analog Devices\Core\smax4pnp.exe
C:\Archivos de programa\ATI Technologies\ATI.ACE\cli.exe
C:\Archivos de programa\Archivos comunes\InstallShield\UpdateService\issch.exe
C:\Archivos de programa\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Archivos de programa\Dell Support\DSAgnt.exe
C:\WINDOWS\system32\Pmxmiced.exe
C:\Archivos de programa\Messenger\msmsgs.exe
C:\Archivos de programa\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
C:\Archivos de programa\ATI Technologies\ATI.ACE\cli.exe
C:\Archivos de programa\Internet Explorer\iexplore.exe
C:\Archivos de programa\Microsoft Office\Office12\OUTLOOK.EXE
C:\Archivos de programa\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://finance.partneragencies.org/siteminderagent/undp/UNAGENCYlogin.fcc?TYPE=33554433&REALMOID=06-000932ff-6463-1fe3-9134-8344c1600000&GUID=&SMAUTHREASON=0&METHOD=GET&SMAGENTNAME=$SM$IxKFWn0dESgDcJfzVhDJxtb4JUg9QdCxmuQrTA3lY7k=&TARGET=$SM$https://finance.partneragencies.org/ (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Archivos de programa\Archivos comunes\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Archivos de programa\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Archivos de programa\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Archivos de programa\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Archivos de programa\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [PMX Daemon] ICO.EXE
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Archivos de programa\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Archivos de programa\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Archivos de programa\Archivos comunes\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Archivos de programa\Archivos comunes\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Archivos de programa\Roxio\Drag-to-Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [PDVDDXSrv] "C:\Archivos de programa\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Archivos de programa\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Archivos de programa\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Archivos de programa\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [MsnMsgr] "C:\Archivos de programa\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [swg] C:\Archivos de programa\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Archivos de programa\Messenger\msmsgs.exe" /background
O4 - HKLM\..\Policies\Explorer\Run: [waults] C:\Documents and Settings\All Users\Datos de programa\waults.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICIO LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Servicio de red')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Acrobat Assistant.lnk = C:\Archivos de programa\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Archivos de programa\InterVideo\Common\Bin\WinCinemaMgr.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\ARCHIV~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: iOpus iMacros - {0483894E-2422-45E0-8384-021AFF1AF3CD} - C:\Archivos de programa\iMacros\imacros.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Consola de Sun Java - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Archivos de programa\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARCHIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6218F7B5-0D3A-48BA-AE4C-49DCFA63D400} (CSEQueryObject Object) - http://www.myheritage.es/Genoogle/Components/ActiveX/SearchEngineQuery.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = undp.org.py
O17 - HKLM\Software\..\Telephony: DomainName = undp.org.py
O17 - HKLM\System\CCS\Services\Tcpip\..\{7D720405-1BB6-47E7-BD75-F09511F0BAAB}: NameServer = 192.168.20.1,200.10.122.10
O17 - HKLM\System\CCS\Services\Tcpip\..\{A82B3079-228E-4E07-87AD-D28B822BC98B}: NameServer = 192.168.20.1,200.10.122.10
O17 - HKLM\System\CCS\Services\Tcpip\..\{E997A235-DB50-4D21-BEA4-E9CBF56666F7}: NameServer = 192.168.20.1,200.10.122.10
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = undp.org.py
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\ARCHIV~1\ARCHIV~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\ARCHIV~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: Broadcom ASF IP Monitor (ASFIPmon) - Broadcom Corporation - C:\Archivos de programa\Broadcom\ASFIPMon\AsfIpMon.exe
O23 - Service: GoogleDesktopManager - Google - C:\Archivos de programa\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Archivos de programa\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Archivos de programa\Archivos comunes\SureThing Shared\stllssvr.exe
End of file - 8194 bytes

Mr_JAk3
2007-12-06, 14:57
Hi again, you're infected.

You should print these instructions or save these to a text file. Follow these instructions carefully.

Download ATF Cleaner (http://www.atribune.org/ccount/click.php?id=1) by Atribune to your desktop.
Do NOT run yet.

Make your hidden files visible:
Go to My Computer
Select the Tools menu and click Folder Options
Click the View tab.
Checkmark the "Display the contents of system folders"
Under the Hidden files and folders select "Show hidden files and folders"
Uncheck "Hide protected operating system files"
Click Apply and then the OK and close My Computer.

==================

Run HijackThis, click Do a system scan only, and check the box next to each of these entries if still present. Close all other windows and press Fix checked. If something isn't there, please continue with the next entry in the list. Fix the O6 entry too if you haven't locked Internet Explorer settings on purpose.
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Policies\Explorer\Run: [waults] C:\Documents and Settings\All Users\Datos de programa\waults.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

Open "My Computer" and delete the following files (if present):
C:\Documents and Settings\All Users\Datos de programa\waults.exe

Run ATF Cleaner. Under Main choose: Select All
Click the Empty Selected button.
If you use the Firefox browser, click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use the Opera browser, click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

Download Dr.Web CureIt to the desktop -> ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe

Restart your computer to the safe mode:
Restart your computer
Start tapping the F8 key when the computer restarts.
When the start menu opens, choose Safe mode
Press Enter. The computer then begins to start in Safe mode.
Run a scan with Dr.Web CureIt: Double-click the drweb-cureit.exe file and allow it to run the express scan.
This will scan the files currently running in memory; when something is found, click the Yes button when it asks whether you want to cure it. This is only a short scan.
Once the short scan has finished, you should now mark the drives that you want to scan.
Select all drives. A red dot shows which drives have been chosen.
Click the green arrow at the right, and the scan will start.
Click 'Yes to all' if it asks if you want to cure/move the file.

When the scan has finished, look whether you can click the icon next to the files found (image: http://users.telenet.be/bluepatchy/miekiemoes/images/check.gif).
If so, click it, then click the next icon right below it and select Move incurable.
After the scan, in the menu, click file and choose save report list
Save the report to your desktop. The report will be called DrWeb.csv
Close Dr.Web Cureit.
Reboot the computer in Normal Mode,
Post the Cure-it report and a fresh HijackThis log
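The fix list above is the result of a triage pass over a HijackThis log: a BHO registered with no file behind it, an autorun placed under Policies\Explorer\Run pointing into the All Users data folder, and an Internet Explorer Control Panel policy lock. The following Python is an added example, not part of the thread or of HijackThis, that applies exactly that reasoning to log lines. The sample log is constructed from the entries quoted above plus two benign entries from the same log; the SUSPECT_DIRS list and the wording of the reasons are the example's own assumptions.

```python
"""Triage of HijackThis O2/O4/O6 lines, following the reasoning the helper applied.

Added example, not part of the original thread or of HijackThis itself.
"""
from dataclasses import dataclass, field
from typing import List

# Constructed sample: the three entries the helper asked to have fixed, plus
# two benign entries taken from the same log so the filter has something to pass.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Archivos de programa\Archivos comunes\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Policies\Explorer\Run: [waults] C:\Documents and Settings\All Users\Datos de programa\waults.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Archivos de programa\Java\jre1.6.0_03\bin\jusched.exe"
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
"""

# Assumption of this example: folders in which an autorun binary is unusual for
# installed software on XP. Spanish-locale names are included because the
# machine in the thread uses them.
SUSPECT_DIRS = (
    r"\All Users\Datos de programa",
    r"\All Users\Application Data",
    r"\Configuración local\Temp",
    r"\Local Settings\Temp",
)


@dataclass
class Finding:
    line: str
    reasons: List[str] = field(default_factory=list)


def triage(log_text: str) -> List[Finding]:
    """Return the lines a helper would mark for 'Fix checked', with the reason for each."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        section = line.split(" - ", 1)[0]          # "O2", "O4", "O6", ...
        reasons = []
        if section == "O2" and line.endswith("(no file)"):
            # A BHO CLSID registered with no DLL behind it: leftover of removed malware.
            reasons.append("orphaned BHO registration (no file on disk)")
        elif section == "O4":
            if r"\Policies\Explorer\Run" in line:
                # Policy-based autorun is almost never used by legitimate installers.
                reasons.append("autorun via Policies\\Explorer\\Run")
            if any(d.lower() in line.lower() for d in SUSPECT_DIRS):
                reasons.append("autorun binary lives in a data/temp folder, not Program Files")
        elif section == "O6":
            # IE Control Panel restrictions are set by malware to stop the user undoing changes.
            reasons.append("IE Control Panel policy restriction present")
        if reasons:
            findings.append(Finding(line, reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f.line)
        for r in f.reasons:
            print("    ->", r)
```

Run it against a full HijackThis log by reading the file into `triage()`; the two benign lines (the Adobe BHO with a DLL on disk and the Java updater under a normal Run key) pass through, and the waults.exe entry is reported with both reasons, which is why it is the first thing to fix and then delete from disk.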

wazari
2007-12-06, 17:26
Hi Mr Jack, thanks for your help.

I have followed your instructions carefully, but when I have to restart my computer in safe mode, a blue warning screen appears that shows this code: "STOP: 0x0000007B (0XF78AF524, 0XC0000034, 0X00000000, 0X00000000)" and there is nothing I can do, just turn off the computer and start again in normal mode.

Is it safe to run Dr.Web in normal mode? Is there something more that I can do?

Thanks again!

Wazari

Mr_JAk3
2007-12-07, 19:07
Hi :)

Okay you can run the DrWeb in normal mode instead.

:bigthumb:

wazari
2007-12-10, 01:54
Hi Mr. Jack,
These are my reports after the Dr.Web run.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 08:19:37 p.m., on 09/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Archivos de programa\Broadcom\ASFIPMon\AsfIpMon.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\Archivos de programa\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\ICO.EXE
C:\WINDOWS\system32\Pmxmiced.exe
C:\Archivos de programa\Analog Devices\Core\smax4pnp.exe
C:\Archivos de programa\ATI Technologies\ATI.ACE\cli.exe
C:\Archivos de programa\Archivos comunes\InstallShield\UpdateService\issch.exe
C:\Archivos de programa\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Archivos de programa\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Archivos de programa\Messenger\msmsgs.exe
C:\Archivos de programa\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
C:\Archivos de programa\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\userinit.exe
C:\Archivos de programa\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://finance.partneragencies.org/siteminderagent/undp/UNAGENCYlogin.fcc?TYPE=33554433&REALMOID=06-000932ff-6463-1fe3-9134-8344c1600000&GUID=&SMAUTHREASON=0&METHOD=GET&SMAGENTNAME=$SM$IxKFWn0dESgDcJfzVhDJxtb4JUg9QdCxmuQrTA3lY7k=&TARGET=$SM$https://finance.partneragencies.org/ (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Archivos de programa\Archivos comunes\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Archivos de programa\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Archivos de programa\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Archivos de programa\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Archivos de programa\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [PMX Daemon] ICO.EXE
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Archivos de programa\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Archivos de programa\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Archivos de programa\Archivos comunes\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Archivos de programa\Archivos comunes\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Archivos de programa\Roxio\Drag-to-Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [PDVDDXSrv] "C:\Archivos de programa\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Archivos de programa\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Archivos de programa\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Archivos de programa\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [MsnMsgr] "C:\Archivos de programa\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Archivos de programa\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICIO LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Servicio de red')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Acrobat Assistant.lnk = C:\Archivos de programa\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Archivos de programa\InterVideo\Common\Bin\WinCinemaMgr.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\ARCHIV~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: iOpus iMacros - {0483894E-2422-45E0-8384-021AFF1AF3CD} - C:\Archivos de programa\iMacros\imacros.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Consola de Sun Java - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Archivos de programa\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARCHIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6218F7B5-0D3A-48BA-AE4C-49DCFA63D400} (CSEQueryObject Object) - http://www.myheritage.es/Genoogle/Components/ActiveX/SearchEngineQuery.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = undp.org.py
O17 - HKLM\Software\..\Telephony: DomainName = undp.org.py
O17 - HKLM\System\CCS\Services\Tcpip\..\{7D720405-1BB6-47E7-BD75-F09511F0BAAB}: NameServer = 192.168.20.1,200.10.122.10
O17 - HKLM\System\CCS\Services\Tcpip\..\{A82B3079-228E-4E07-87AD-D28B822BC98B}: NameServer = 192.168.20.1,200.10.122.10
O17 - HKLM\System\CCS\Services\Tcpip\..\{E997A235-DB50-4D21-BEA4-E9CBF56666F7}: NameServer = 192.168.20.1,200.10.122.10
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = undp.org.py
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\ARCHIV~1\ARCHIV~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\ARCHIV~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: Broadcom ASF IP Monitor (ASFIPmon) - Broadcom Corporation - C:\Archivos de programa\Broadcom\ASFIPMon\AsfIpMon.exe
O23 - Service: GoogleDesktopManager - Google - C:\Archivos de programa\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Archivos de programa\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Archivos de programa\Archivos comunes\SureThing Shared\stllssvr.exe
End of file - 7859 bytes

wazari
2007-12-10, 01:56
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Sunday, December 09, 2007 9:20:17 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 10/12/2007
Kaspersky Anti-Virus database records: 477952
-------------------------------------------------------------------------------
Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true
Scan Target - My Computer:
A:\
C:\
D:\
E:\
G:\
H:\
M:\

Scan Statistics:
Total number of scanned objects: 93430
Number of viruses found: 5
Number of infected objects: 14
Number of suspicious objects: 0
Duration of the scan process: 00:52:03
Infected Object Name / Virus Name / Last Action
C:\Archivos de programa\Microsoft SQL Server\MSSQL.1\MSSQL\Data\master.mdf Object is locked skipped
C:\Archivos de programa\Microsoft SQL Server\MSSQL.1\MSSQL\Data\mastlog.ldf Object is locked skipped
C:\Archivos de programa\Microsoft SQL Server\MSSQL.1\MSSQL\Data\model.mdf Object is locked skipped
C:\Archivos de programa\Microsoft SQL Server\MSSQL.1\MSSQL\Data\modellog.ldf Object is locked skipped
C:\Archivos de programa\Microsoft SQL Server\MSSQL.1\MSSQL\Data\msdbdata.mdf Object is locked skipped
C:\Archivos de programa\Microsoft SQL Server\MSSQL.1\MSSQL\Data\msdblog.ldf Object is locked skipped
C:\Archivos de programa\Microsoft SQL Server\MSSQL.1\MSSQL\Data\tempdb.mdf Object is locked skipped
C:\Archivos de programa\Microsoft SQL Server\MSSQL.1\MSSQL\Data\templog.ldf Object is locked skipped
C:\Archivos de programa\Microsoft SQL Server\MSSQL.1\MSSQL\LOG\ERRORLOG Object is locked skipped
C:\Archivos de programa\Microsoft SQL Server\MSSQL.1\MSSQL\LOG\log_62.trc Object is locked skipped
C:\Documents and Settings\All Users\Datos de programa\driver.exe Infected: Trojan-Dropper.Win32.Mudrop.ek skipped
C:\Documents and Settings\LocalService\Configuración local\Archivos temporales de Internet\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Configuración local\Datos de programa\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Configuración local\Datos de programa\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Configuración local\Historial\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Configuración local\Datos de programa\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Configuración local\Datos de programa\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Configuración local\Temp\Perflib_Perfdata_628.dat Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\par01sg.UNDP\Configuración local\Archivos temporales de Internet\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\par01sg.UNDP\Configuración local\Archivos temporales de Internet\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\par01sg.UNDP\Configuración local\Datos de programa\ApplicationHistory\cli.exe.72313fbf.ini.inuse Object is locked skipped
C:\Documents and Settings\par01sg.UNDP\Configuración local\Datos de programa\Microsoft\Feeds Cache\index.dat Object is locked skipped
C:\Documents and Settings\par01sg.UNDP\Configuración local\Datos de programa\Microsoft\Outlook\archive.pst/Archive Folders/Sent Items/20 Oct 1999 14:58 to Sara Fracchia:Re: LISTA DE INTERNOS/listado de internos.doc Infected: Virus.MSWord.Bogor.b skipped
C:\Documents and Settings\par01sg.UNDP\Configuración local\Datos de programa\Microsoft\Outlook\archive.pst/Archive Folders/Sent Items/09 Nov 1999 20:07 to All Staff Paraguay:lista de Internos/listado de internos.doc Infected: Virus.MSWord.Bogor.b skipped
C:\Documents and Settings\par01sg.UNDP\Configuración local\Datos de programa\Microsoft\Outlook\archive.pst Mail MS Mail: infected - 2 skipped
C:\Documents and Settings\par01sg.UNDP\Configuración local\Datos de programa\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\par01sg.UNDP\Configuración local\Datos de programa\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\par01sg.UNDP\Configuración local\Historial\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\par01sg.UNDP\Configuración local\Historial\History.IE5\MSHist012007120920071210\index.dat Object is locked skipped
C:\Documents and Settings\par01sg.UNDP\Configuración local\Temp\Perflib_Perfdata_1c8.dat Object is locked skipped
C:\Documents and Settings\par01sg.UNDP\Configuración local\Temp\Perflib_Perfdata_960.dat Object is locked skipped
C:\Documents and Settings\par01sg.UNDP\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\par01sg.UNDP\Datos de programa\Microsoft\Internet Explorer\UserData\index.dat Object is locked skipped
C:\Documents and Settings\par01sg.UNDP\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\par01sg.UNDP\ntuser.dat.LOG Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{C93A7264-03D8-483A-8AF4-E1E03C0454AA}\RP101\A0026687.exe Infected: Trojan-Downloader.Win32.Bagle.gi skipped
C:\System Volume Information\_restore{C93A7264-03D8-483A-8AF4-E1E03C0454AA}\RP101\A0026688.exe Infected: Trojan-Downloader.Win32.Bagle.gi skipped
C:\System Volume Information\_restore{C93A7264-03D8-483A-8AF4-E1E03C0454AA}\RP101\A0026689.exe Infected: Trojan-Downloader.Win32.Bagle.gi skipped
C:\System Volume Information\_restore{C93A7264-03D8-483A-8AF4-E1E03C0454AA}\RP101\A0026690.exe Infected: Trojan-Downloader.Win32.Bagle.gi skipped
C:\System Volume Information\_restore{C93A7264-03D8-483A-8AF4-E1E03C0454AA}\RP101\A0026691.exe Infected: Trojan-Downloader.Win32.Bagle.gi skipped
C:\System Volume Information\_restore{C93A7264-03D8-483A-8AF4-E1E03C0454AA}\RP101\A0026692.exe Infected: Trojan-Downloader.Win32.Bagle.gi skipped
C:\System Volume Information\_restore{C93A7264-03D8-483A-8AF4-E1E03C0454AA}\RP101\A0026694.exe Infected: Trojan-Downloader.Win32.Bagle.gi skipped
C:\System Volume Information\_restore{C93A7264-03D8-483A-8AF4-E1E03C0454AA}\RP101\A0026695.exe Infected: Trojan-Downloader.Win32.Bagle.gi skipped
C:\System Volume Information\_restore{C93A7264-03D8-483A-8AF4-E1E03C0454AA}\RP101\A0026697.dll Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.332 skipped
C:\System Volume Information\_restore{C93A7264-03D8-483A-8AF4-E1E03C0454AA}\RP101\A0026698.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.a skipped
C:\System Volume Information\_restore{C93A7264-03D8-483A-8AF4-E1E03C0454AA}\RP101\change.log Object is locked skipped
C:\WINDOWS\CSC\00000001 Object is locked skipped
C:\WINDOWS\Debug\Netlogon.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\config\ACEEvent.evt Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\DEFAULT Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\ODiag.evt Object is locked skipped
C:\WINDOWS\system32\config\OSession.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\SOFTWARE Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SYSTEM Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
Scan process completed.
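A report like the one above mixes three kinds of line that call for different action: files the scanner could not open ("Object is locked skipped"), copies of old malware sitting in System Restore points, members of a mail archive, and the one live file that still needs deleting. The Python below is an added example, not part of the thread or of Kaspersky's tooling, that sorts report lines into those buckets and derives the follow-up steps. The sample report is constructed from a few of the lines posted above; the bucket names and the wording of the steps are the example's own.

```python
"""Sort a Kaspersky Online Scanner report into actionable findings.

Added example, not part of the original thread or of Kaspersky's tooling.
"""
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed sample: a handful of lines in the format of the report posted above.
SAMPLE_REPORT = r"""
C:\Archivos de programa\Microsoft SQL Server\MSSQL.1\MSSQL\Data\master.mdf Object is locked skipped
C:\Documents and Settings\All Users\Datos de programa\driver.exe Infected: Trojan-Dropper.Win32.Mudrop.ek skipped
C:\Documents and Settings\par01sg.UNDP\Configuración local\Datos de programa\Microsoft\Outlook\archive.pst/Archive Folders/Sent Items/20 Oct 1999 14:58 to Sara Fracchia:Re: LISTA DE INTERNOS/listado de internos.doc Infected: Virus.MSWord.Bogor.b skipped
C:\Documents and Settings\par01sg.UNDP\Configuración local\Datos de programa\Microsoft\Outlook\archive.pst Mail MS Mail: infected - 2 skipped
C:\System Volume Information\_restore{C93A7264-03D8-483A-8AF4-E1E03C0454AA}\RP101\A0026687.exe Infected: Trojan-Downloader.Win32.Bagle.gi skipped
C:\System Volume Information\_restore{C93A7264-03D8-483A-8AF4-E1E03C0454AA}\RP101\A0026697.dll Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.332 skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
"""

LOCKED_SUFFIX = " Object is locked skipped"
# "<path> Infected: <detection name> <last action>"
INFECTED_RE = re.compile(r"^(?P<path>.+?) Infected: (?P<name>\S+) (?P<action>\w+)$")
RESTORE_PREFIX = r"C:\System Volume Information\_restore"


def classify(report_text: str) -> Dict[str, list]:
    """Bucket each report line by the action it calls for."""
    buckets: Dict[str, list] = defaultdict(list)
    for raw in report_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith(LOCKED_SUFFIX):
            # In use by the OS or a service; not a detection at all.
            buckets["locked"].append(line[: -len(LOCKED_SUFFIX)])
            continue
        m = INFECTED_RE.match(line)
        if not m:
            # Container totals such as "archive.pst Mail MS Mail: infected - 2 skipped".
            buckets["container_summary"].append(line)
            continue
        path, name = m.group("path"), m.group("name")
        if path.startswith(RESTORE_PREFIX):
            # Old copies preserved by System Restore; harmless until a restore is performed.
            buckets["restore_point"].append((path, name))
        elif "/" in path:
            # The scanner joins archive/mailbox members to their container with '/'.
            buckets["inside_archive"].append((path, name))
        else:
            buckets["live_file"].append((path, name))
    return buckets


def next_steps(buckets: Dict[str, list]) -> List[str]:
    """Turn the buckets into the follow-up a helper would post."""
    steps = []
    for path, name in buckets["live_file"]:
        steps.append(f"delete or submit for analysis: {path} ({name})")
    if buckets["restore_point"]:
        steps.append("purge infected restore points: disable and re-enable System Restore once the live system is clean")
    for path, name in buckets["inside_archive"]:
        steps.append(f"clean or remove the member inside its container: {path} ({name})")
    return steps


if __name__ == "__main__":
    b = classify(SAMPLE_REPORT)
    for bucket, items in sorted(b.items()):
        print(f"{bucket}: {len(items)}")
    for step in next_steps(b):
        print("-", step)
```

On the sample, the only live detection is driver.exe under All Users\Datos de programa, which matches the single deletion the helper asks for in the next post; the Bagle and WinVNC hits are restore-point copies, and the two Bogor.b hits are inside an Outlook .pst that a normal file delete would not touch.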

Mr_JAk3
2007-12-10, 19:27
Hello :)

Looks much better now. How is the pc running?

Delete this leftover file via "My Computer" (if the file exists)
C:\Documents and Settings\All Users\Datos de programa\driver.exe

You don't seem to have a third-party firewall (http://forum.malwareremoval.com/viewtopic.php?p=56#56) installed. You must install a firewall.
It is possible that you're using the Windows XP firewall. That is of course better than nothing, but I recommend that you install a more advanced firewall that gives more protection. The Windows firewall doesn't, e.g., protect your computer from inbound threats. This means that any malware on your computer is free to "phone home" for more instructions. Remember to use only one firewall at the same time. I'll give you a few alternatives if you want to install a third-party firewall:

These are good (free) firewalls:
Sunbelt-Kerio (http://www.sunbelt-software.com/Kerio.cfm)
ZoneAlarm (http://www.zonelabs.com/)
Sygate (http://http://www.majorgeeks.com/download.php?det=3356)
Outpost (http://www.majorgeeks.com/download.php?det=1056)
Comodo (http://www.personalfirewall.comodo.com)

You don't have an antivirus (http://forum.malwareremoval.com/viewtopic.php?p=53#53) on your computer; you must install one. Otherwise you'll get infected again.

These are good (free) antiviruses:
AVG (http://free.grisoft.com)
Antivir (http://www.free-av.com)
Avast (http://www.avast.com)

Post one more HijackThis log and let me know how the pc is running :bigthumb:

tashi
2007-12-27, 05:22
5) Final Run:
Towards the end of a cleanup please make sure you follow through with any final log requested even if it appears to you that your computer is back to normal operation.
As much as we like our members ;) we would rather not see you back in a few weeks because there was no follow up with the helper.
http://forums.spybot.info/showpost.php?p=1150&postcount=2