
Thread: Smitfraud-C.Toolbar888, Virtumonde, WebTrends Live

  1. #1
    Junior Member (Join Date: Mar 2007, Posts: 18)

    Smitfraud-C.Toolbar888, Virtumonde, WebTrends Live

    Spybot detected this a couple of days before, but it couldn't fix it.
    Posting HijackThis log (renamed HijackThis_v2.exe to something.exe):


    Logfile of Trend Micro HijackThis v2.0.0 (BETA)
    Scan saved at 15:21:13, on 03/07/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Archivos de programa\Avast4\aswUpdSv.exe
    C:\Archivos de programa\Avast4\ashServ.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\Archivos de programa\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\WINDOWS\system32\rqkalvbb.exe
    C:\WINDOWS\system32\HPZipm12.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\wwSecure.exe
    C:\Archivos de programa\Avast4\ashMaiSv.exe
    C:\Archivos de programa\Avast4\ashWebSv.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\rundll32.exe
    C:\ARCHIV~1\Avast4\ashDisp.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Archivos de programa\Picasa2\PicasaMediaDetector.exe
    C:\Archivos de programa\ATI Technologies\ATI.ACE\cli.exe
    C:\Archivos de programa\HP\HP Software Update\HPWuSchd2.exe
    C:\Archivos de programa\Google\Google Desktop Search\GoogleDesktop.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Archivos de programa\Spybot - Search & Destroy\TeaTimer.exe
    C:\ARCHIV~1\HEWLET~1\Toolbox\STATUS~1\STATUS~1.EXE
    C:\Archivos de programa\Google\Google Desktop Search\GoogleDesktop.exe
    C:\Archivos de programa\Hewlett-Packard\Toolbox\jre\bin\javaw.exe
    C:\Archivos de programa\ATI Technologies\ATI.ACE\cli.exe
    C:\Archivos de programa\ATI Technologies\ATI.ACE\cli.exe
    C:\Archivos de programa\Outlook Express\msimn.exe
    C:\WINDOWS\system32\osyvklnk.exe
    C:\Archivos de programa\Microsoft Office\OFFICE11\WINWORD.EXE
    C:\Archivos de programa\Adobe\Reader 8.0\Reader\AcroRd32.exe
    C:\Archivos de programa\Internet Explorer\iexplore.exe
    C:\Archivos de programa\Spybot - Search & Destroy\SpybotSD.exe
    C:\Documents and Settings\E\Mis documentos\SOMETHING.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.es/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Constantino Moreira S.A.
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
    O1 - Hosts: 128.100.96.241 NPI15C6CB
    O2 - BHO: Aplicación auxiliar de vínculos de Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Archivos de programa\Archivos comunes\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\ARCHIV~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {5ADF3862-9E2E-4ad3-86F7-4510E6550CD0} - C:\WINDOWS\system32\ylhfnvsn.dll
    O2 - BHO: (no name) - {640D0632-8402-4A06-BECF-329A57937490} - C:\WINDOWS\system32\awvts.dll
    O2 - BHO: (no name) - {CFDE1CF9-75B3-4B1E-B9A7-B5FB88A171E6} - C:\WINDOWS\system32\opnmlki.dll
    O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
    O4 - HKLM\..\Run: [avast!] C:\ARCHIV~1\Avast4\ashDisp.exe
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [Picasa Media Detector] C:\Archivos de programa\Picasa2\PicasaMediaDetector.exe
    O4 - HKLM\..\Run: [ATICCC] "C:\Archivos de programa\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
    O4 - HKLM\..\Run: [HP Software Update] "C:\Archivos de programa\HP\HP Software Update\HPWuSchd2.exe"
    O4 - HKLM\..\Run: [Google Desktop Search] "C:\Archivos de programa\Google\Google Desktop Search\GoogleDesktop.exe" /startup
    O4 - HKLM\..\Run: [TomcatStartup 2.5] C:\Archivos de programa\Hewlett-Packard\Toolbox\hpbpsttp.exe
    O4 - HKLM\..\Run: [GPLv3] rundll32.exe "C:\WINDOWS\system32\vwkkotlb.dll",realset
    O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Archivos de programa\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Archivos de programa\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICIO LOCAL')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Servicio de red')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Archivos de programa\HP\Digital Imaging\bin\hpqtra08.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\ARCHIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Referencia - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARCHIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe (file missing)
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe (file missing)
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{4492F9DD-6837-485B-B506-5AF475B49673}: NameServer = 62.151.2.8
    O17 - HKLM\System\CS2\Services\Tcpip\..\{4492F9DD-6837-485B-B506-5AF475B49673}: NameServer = 62.151.2.8
    O17 - HKLM\System\CS3\Services\Tcpip\..\{4492F9DD-6837-485B-B506-5AF475B49673}: NameServer = 62.151.2.8
    O20 - AppInit_DLLs: C:\ARCHIV~1\Google\GOOGLE~2\GOEC62~1.DLL
    O20 - Winlogon Notify: awvts - C:\WINDOWS\system32\awvts.dll
    O20 - Winlogon Notify: opnmlki - C:\WINDOWS\SYSTEM32\opnmlki.dll
    O22 - SharedTaskScheduler: Precargador Browseui - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
    O22 - SharedTaskScheduler: Demonio de caché de las categorías de componente - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Archivos de programa\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Archivos de programa\Avast4\aswUpdSv.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: avast! Antivirus - ALWIL Software - C:\Archivos de programa\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Archivos de programa\Avast4\ashMaiSv.exe
    O23 - Service: avast! Web Scanner - ALWIL Software - C:\Archivos de programa\Avast4\ashWebSv.exe
    O23 - Service: Servicio del administrador de discos lógicos (dmadmin) - Unknown owner - C:\WINDOWS\System32\dmadmin.exe
    O23 - Service: DomainService - - C:\WINDOWS\system32\rqkalvbb.exe
    O23 - Service: Registro de sucesos (Eventlog) - Unknown owner - C:\WINDOWS\system32\services.exe
    O23 - Service: GoogleDesktopManager - Google - C:\Archivos de programa\Google\Google Desktop Search\GoogleDesktop.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Archivos de programa\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: Servicio COM de grabación de CD de IMAPI (ImapiService) - Unknown owner - C:\WINDOWS\system32\imapi.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: Escritorio remoto compartido de NetMeeting (mnmsrvc) - Unknown owner - C:\WINDOWS\system32\mnmsrvc.exe
    O23 - Service: Plug and Play (PlugPlay) - Unknown owner - C:\WINDOWS\system32\services.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: Administrador de sesión de Ayuda de escritorio remoto (RDSessMgr) - Unknown owner - C:\WINDOWS\system32\sessmgr.exe
    O23 - Service: Tarjeta inteligente (SCardSvr) - Unknown owner - C:\WINDOWS\System32\SCardSvr.exe
    O23 - Service: Registros y alertas de rendimiento (SysmonLog) - Unknown owner - C:\WINDOWS\system32\smlogsvc.exe
    O23 - Service: Instantáneas de volumen (VSS) - Unknown owner - C:\WINDOWS\System32\vssvc.exe
    O23 - Service: Adaptador de rendimiento de WMI (WmiApSrv) - Unknown owner - C:\WINDOWS\system32\wbem\wmiapsrv.exe
    O23 - Service: Servicio de uso compartido de red del Reproductor de Windows Media (WMPNetworkSvc) - Unknown owner - C:\Archivos de programa\Windows Media Player\WMPNetwk.exe
    O23 - Service: Washer AutoComplete (wwSecSvc) - Webroot Software, Inc. - C:\WINDOWS\system32\wwSecure.exe

    --
    End of file - 9552 bytes

    And waiting for your instructions to save me...

    Regards

  2. #2
    Security Expert: Emeritus (Join Date: Oct 2006, Location: Finland, Posts: 29,374)

    Hi Moebius

    Please download VundoFix.exe to your desktop.
    • Double-click VundoFix.exe to run it.
    • Click the Scan for Vundo button.
    • Once it's done scanning, click the Remove Vundo button.
    • You will receive a prompt asking if you want to remove the files, click YES
    • Once you click yes, your desktop will go blank as it starts removing Vundo.
    • When completed, it will prompt that it will reboot your computer, click OK.
    • Please post the contents of C:\vundofix.txt and a new HiJackThis log in a reply to this thread.

    Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.

    1. Download combofix from one of these links:
    Link1
    Link2
    2. Double click combofix.exe & follow the prompts.
    3. When finished, it shall produce a log for you. Post that log in your next reply.

    Note:
    Do not mouse-click combofix's window whilst it's running. That may cause it to stall.

    Post:

    - a fresh HijackThis log
    - combofix report
    - vundofix report

    Microsoft MVP Consumer Security 2008-2011

    Member of ASAP and UNITE since 2006

  3. #3
    Junior Member (Join Date: Mar 2007, Posts: 18)

    Well, I've done all of the stuff, here we go with the logs:

    Most recent HijackThis log:

    Logfile of Trend Micro HijackThis v2.0.0 (BETA)
    Scan saved at 14:47:17, on 04/07/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Archivos de programa\Avast4\aswUpdSv.exe
    C:\Archivos de programa\Avast4\ashServ.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\Archivos de programa\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\WINDOWS\system32\HPZipm12.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\wwSecure.exe
    C:\Archivos de programa\Avast4\ashMaiSv.exe
    C:\Archivos de programa\Avast4\ashWebSv.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\rundll32.exe
    C:\ARCHIV~1\Avast4\ashDisp.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Archivos de programa\Picasa2\PicasaMediaDetector.exe
    C:\Archivos de programa\ATI Technologies\ATI.ACE\cli.exe
    C:\Archivos de programa\HP\HP Software Update\HPWuSchd2.exe
    C:\Archivos de programa\Google\Google Desktop Search\GoogleDesktop.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Archivos de programa\Spybot - Search & Destroy\TeaTimer.exe
    C:\Archivos de programa\Google\Google Desktop Search\GoogleDesktop.exe
    C:\ARCHIV~1\HEWLET~1\Toolbox\STATUS~1\STATUS~1.EXE
    C:\Archivos de programa\Hewlett-Packard\Toolbox\jre\bin\javaw.exe
    C:\Archivos de programa\ATI Technologies\ATI.ACE\cli.exe
    C:\Archivos de programa\ATI Technologies\ATI.ACE\cli.exe
    C:\Archivos de programa\Internet Explorer\iexplore.exe
    C:\Documents and Settings\E\Escritorio\SOMETHING.exe
    C:\WINDOWS\system32\hpbpro.exe
    C:\WINDOWS\system32\hpbpro.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.es/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
    O2 - BHO: Aplicación auxiliar de vínculos de Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Archivos de programa\Archivos comunes\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\ARCHIV~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {C199B0CF-3CC3-4727-8498-D1D0258FF76D} - C:\WINDOWS\system32\awvts.dll (file missing)
    O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
    O4 - HKLM\..\Run: [avast!] C:\ARCHIV~1\Avast4\ashDisp.exe
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [Picasa Media Detector] C:\Archivos de programa\Picasa2\PicasaMediaDetector.exe
    O4 - HKLM\..\Run: [ATICCC] "C:\Archivos de programa\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
    O4 - HKLM\..\Run: [HP Software Update] "C:\Archivos de programa\HP\HP Software Update\HPWuSchd2.exe"
    O4 - HKLM\..\Run: [Google Desktop Search] "C:\Archivos de programa\Google\Google Desktop Search\GoogleDesktop.exe" /startup
    O4 - HKLM\..\Run: [TomcatStartup 2.5] C:\Archivos de programa\Hewlett-Packard\Toolbox\hpbpsttp.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Archivos de programa\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICIO LOCAL')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Servicio de red')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Archivos de programa\HP\Digital Imaging\bin\hpqtra08.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\ARCHIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Referencia - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARCHIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe (file missing)
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe (file missing)
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{4492F9DD-6837-485B-B506-5AF475B49673}: NameServer = 62.151.2.8
    O17 - HKLM\System\CS2\Services\Tcpip\..\{4492F9DD-6837-485B-B506-5AF475B49673}: NameServer = 62.151.2.8
    O17 - HKLM\System\CS3\Services\Tcpip\..\{4492F9DD-6837-485B-B506-5AF475B49673}: NameServer = 62.151.2.8
    O20 - AppInit_DLLs: C:\ARCHIV~1\Google\GOOGLE~2\GOEC62~1.DLL
    O22 - SharedTaskScheduler: Precargador Browseui - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
    O22 - SharedTaskScheduler: Demonio de caché de las categorías de componente - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Archivos de programa\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Archivos de programa\Avast4\aswUpdSv.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: avast! Antivirus - ALWIL Software - C:\Archivos de programa\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Archivos de programa\Avast4\ashMaiSv.exe
    O23 - Service: avast! Web Scanner - ALWIL Software - C:\Archivos de programa\Avast4\ashWebSv.exe
    O23 - Service: Servicio del administrador de discos lógicos (dmadmin) - Unknown owner - C:\WINDOWS\System32\dmadmin.exe
    O23 - Service: Registro de sucesos (Eventlog) - Unknown owner - C:\WINDOWS\system32\services.exe
    O23 - Service: GoogleDesktopManager - Google - C:\Archivos de programa\Google\Google Desktop Search\GoogleDesktop.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Archivos de programa\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: Servicio COM de grabación de CD de IMAPI (ImapiService) - Unknown owner - C:\WINDOWS\system32\imapi.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: Escritorio remoto compartido de NetMeeting (mnmsrvc) - Unknown owner - C:\WINDOWS\system32\mnmsrvc.exe
    O23 - Service: Plug and Play (PlugPlay) - Unknown owner - C:\WINDOWS\system32\services.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: Administrador de sesión de Ayuda de escritorio remoto (RDSessMgr) - Unknown owner - C:\WINDOWS\system32\sessmgr.exe
    O23 - Service: Tarjeta inteligente (SCardSvr) - Unknown owner - C:\WINDOWS\System32\SCardSvr.exe
    O23 - Service: Registros y alertas de rendimiento (SysmonLog) - Unknown owner - C:\WINDOWS\system32\smlogsvc.exe
    O23 - Service: Instantáneas de volumen (VSS) - Unknown owner - C:\WINDOWS\System32\vssvc.exe
    O23 - Service: Adaptador de rendimiento de WMI (WmiApSrv) - Unknown owner - C:\WINDOWS\system32\wbem\wmiapsrv.exe
    O23 - Service: Servicio de uso compartido de red del Reproductor de Windows Media (WMPNetworkSvc) - Unknown owner - C:\Archivos de programa\Windows Media Player\WMPNetwk.exe
    O23 - Service: Washer AutoComplete (wwSecSvc) - Webroot Software, Inc. - C:\WINDOWS\system32\wwSecure.exe

    --
    End of file - 8296 bytes

  4. #4
    Junior Member (Join Date: Mar 2007, Posts: 18)

    VUNDOFIX LOG: [NOTE: rebooting crashed the PC at startup screen a couple of times, I booted in Safe Mode to complete operation]

    VundoFix V6.5.4

    Checking Java version...

    Sun Java not detected
    Scan started at 14:07:43 04/07/2007

    Listing files found while scanning....

    C:\windows\system32\awvts.dll
    C:\windows\system32\bltokkwv.ini
    C:\windows\system32\imchipqb.exe
    C:\windows\system32\ohsvgabg.exe
    C:\WINDOWS\system32\opnmlki.dll
    C:\windows\system32\stvwa.bak1
    C:\WINDOWS\system32\stvwa.bak2
    C:\windows\system32\stvwa.ini
    C:\WINDOWS\system32\vwkkotlb.dll
    C:\WINDOWS\system32\ylhfnvsn.dll
    C:\windows\system32\yykjedjv.exe

    Beginning removal...

    Attempting to delete C:\windows\system32\awvts.dll
    C:\windows\system32\awvts.dll Has been deleted!

    Attempting to delete C:\windows\system32\bltokkwv.ini
    C:\windows\system32\bltokkwv.ini Has been deleted!

    Attempting to delete C:\windows\system32\imchipqb.exe
    C:\windows\system32\imchipqb.exe Has been deleted!

    Attempting to delete C:\windows\system32\ohsvgabg.exe
    C:\windows\system32\ohsvgabg.exe Has been deleted!

    Attempting to delete C:\WINDOWS\system32\opnmlki.dll
    C:\WINDOWS\system32\opnmlki.dll Could not be deleted.

    Attempting to delete C:\windows\system32\stvwa.bak1
    C:\windows\system32\stvwa.bak1 Has been deleted!

    Attempting to delete C:\WINDOWS\system32\stvwa.bak2
    C:\WINDOWS\system32\stvwa.bak2 Has been deleted!

    Attempting to delete C:\windows\system32\stvwa.ini
    C:\windows\system32\stvwa.ini Has been deleted!

    Attempting to delete C:\WINDOWS\system32\vwkkotlb.dll
    C:\WINDOWS\system32\vwkkotlb.dll Has been deleted!

    Attempting to delete C:\WINDOWS\system32\ylhfnvsn.dll
    C:\WINDOWS\system32\ylhfnvsn.dll Has been deleted!

    Attempting to delete C:\windows\system32\yykjedjv.exe
    C:\windows\system32\yykjedjv.exe Has been deleted!

    Performing Repairs to the registry.
    Done!

    VundoFix V6.5.4

    Checking Java version...

    Sun Java not detected
    Scan started at 14:17:46 04/07/2007

    Listing files found while scanning....

    C:\windows\system32\opnmlki.dll

    Beginning removal...

    Attempting to delete C:\windows\system32\opnmlki.dll
    C:\windows\system32\opnmlki.dll Has been deleted!

    Performing Repairs to the registry.
    Done!

    VundoFix V6.5.4

    Checking Java version...

    Sun Java not detected
    Scan started at 14:30:13 04/07/2007

    Listing files found while scanning....

    No infected files were found.

  5. #5
    Junior Member (Join Date: Mar 2007, Posts: 18)

    COMBOFIX LOG:

    "E" - 2007-07-04 14:34:15 - ComboFix 07-07-03.9 - Service Pack 2 [SAFE MODE]


    (((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))


    C:\WINDOWS\system32\dqhvjtmi.exe
    C:\WINDOWS\system32\osyvklnk.exe


    * * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


    -------\LEGACY_DOMAINSERVICE


    ((((((((((((((((((((((((( Files Created from 2007-06-04 to 2007-07-04 )))))))))))))))))))))))))))))))


    2007-07-04 14:33 51,200 --a------ C:\WINDOWS\nircmd.exe
    2007-07-04 14:07 <DIR> d-------- C:\VundoFix Backups
    2007-06-29 19:07 <DIR> d-------- C:\DOCUME~1\ALLUSE~1.WIN\DATOSD~1\Spybot - Search & Destroy
    2007-06-29 19:05 <DIR> d-------- C:\Archivos de programa\SpywareBlaster
    2007-06-29 18:51 57,344 --a------ C:\WINDOWS\Unwash6.exe
    2007-06-29 18:51 487,936 --a------ C:\WINDOWS\system32\wwSecure.exe
    2007-06-29 18:51 <DIR> d-------- C:\DOCUME~1\E\DATOSD~1\Webroot
    2007-06-29 18:51 <DIR> d-------- C:\Archivos de programa\Webroot
    2007-06-29 18:51 <DIR> d-------- C:\Archivos de programa\Archivos comunes\Webroot Shared
    2007-06-29 18:35 <DIR> d-------- C:\e3dd30e40a58a46a42fba40d
    2007-06-29 18:22 <DIR> d-------- C:\DOCUME~1\E\DATOSD~1\Google
    2007-06-29 18:19 17,920 --a------ C:\WINDOWS\system32\mdimon.dll
    2007-06-29 18:11 <DIR> d-------- C:\DOCUME~1\ALLUSE~1.WIN\DATOSD~1\BVRP Software
    2007-06-29 18:09 <DIR> d-------- C:\DOCUME~1\E\DATOSD~1\Help
    2007-06-29 17:53 74,752 --a------ C:\WINDOWS\system32\jst.dll
    2007-06-29 17:53 40,960 --a------ C:\WINDOWS\system32\d4channel.dll
    2007-06-29 17:53 36,864 --a------ C:\WINDOWS\system32\hpbmmjno.dll
    2007-06-29 17:53 32,768 --a------ C:\WINDOWS\system32\compJNI.dll
    2007-06-29 17:53 102,400 --a------ C:\WINDOWS\system32\PMLJNI.dll
    2007-06-29 17:44 94,208 --a------ C:\WINDOWS\system32\HPZipt12.dll
    2007-06-29 17:44 61,440 --a------ C:\WINDOWS\system32\HPZinw12.exe
    2007-06-29 17:44 57,344 --a------ C:\WINDOWS\system32\HPZisn12.dll
    2007-06-29 17:44 306,688 --a------ C:\WINDOWS\IsUninst.exe
    2007-06-29 17:43 98,304 -ra------ C:\WINDOWS\system32\hpzjsn01.dll
    2007-06-29 17:43 757,760 -ra------ C:\WINDOWS\system32\hpptpml2.dll
    2007-06-29 17:43 73,728 -ra------ C:\WINDOWS\system32\hptcpmib.dll
    2007-06-29 17:43 69,632 --a------ C:\WINDOWS\system32\HPZipm12.exe
    2007-06-29 17:43 6,912 --a------ C:\WINDOWS\system32\drivers\serscan.sys
    2007-06-29 17:43 28,672 -ra------ C:\WINDOWS\system32\hpzjfw01.dll
    2007-06-29 17:43 278,584 --a------ C:\WINDOWS\system32\HPZidr12.dll
    2007-06-29 17:43 278,528 -ra------ C:\WINDOWS\system32\hpgwiamd.dll
    2007-06-29 17:43 266,240 -ra------ C:\WINDOWS\system32\hpp2800s.dll
    2007-06-29 17:43 212,992 -ra------ C:\WINDOWS\system32\hptcpmui.dll
    2007-06-29 17:43 204,800 --a------ C:\WINDOWS\system32\HPZipr12.dll
    2007-06-29 17:43 110,592 -ra------ C:\WINDOWS\system32\hptcpmon.dll
    2007-06-29 17:38 54,395 --a------ C:\WINDOWS\hppins01.dat
    2007-06-29 17:38 2,392 --------- C:\WINDOWS\hppmdl01.dat
    2007-06-29 17:38 <DIR> d-------- C:\Archivos de programa\Archivos comunes\SWF Studio
    2007-06-29 17:18 87,040 --a------ C:\WINDOWS\system32\wiafbdrv.dll
    2007-06-29 17:18 15,104 --a------ C:\WINDOWS\system32\drivers\usbscan.sys
    2007-06-29 17:17 298,496 --a------ C:\WINDOWS\unin040a.exe
    2007-06-29 17:17 <DIR> d-------- C:\DOCUME~1\E\WINDOWS
    2007-06-29 17:17 <DIR> d-------- C:\Archivos de programa\Lexmark X1100 Series
    2007-06-29 17:14 <DIR> d-------- C:\DOCUME~1\E\DATOSD~1\ATI
    2007-06-29 16:33 1,723 --a------ C:\WINDOWS\mozver.dat
    2007-06-29 16:29 <DIR> d-------- C:\DOCUME~1\ALLUSE~1.WIN\DATOSD~1\WinZip
    2007-06-29 16:24 2,560 --------- C:\WINDOWS\system32\drivers\cdralw2k.sys
    2007-06-29 16:24 2,432 --------- C:\WINDOWS\system32\drivers\cdr4_xp.sys
    2007-06-29 16:24 <DIR> d-------- C:\Archivos de programa\Picasa2
    2007-06-29 16:24 <DIR> d-------- C:\Archivos de programa\Google
    2007-06-29 16:22 14,048 --------- C:\WINDOWS\system32\spmsg2.dll
    2007-06-29 16:22 <DIR> d-------- C:\Archivos de programa\Reference Assemblies
    2007-06-29 16:18 23,856 --a------ C:\WINDOWS\system32\spupdsvc.exe
    2007-06-29 16:18 0 --a------ C:\WINDOWS\nsreg.dat
    2007-06-29 16:14 <DIR> d-------- C:\DOCUME~1\ALLUSE~1.WIN\DATOSD~1\Windows Genuine Advantage
    2007-06-29 16:05 82,944 --a------ C:\WINDOWS\system32\drivers\wdmaud.sys
    2007-06-29 16:05 6,400 --a------ C:\WINDOWS\system32\drivers\splitter.sys
    2007-06-29 16:05 54,272 --a------ C:\WINDOWS\system32\drivers\swmidi.sys
    2007-06-29 16:05 52,864 --a------ C:\WINDOWS\system32\drivers\DMusic.sys
    2007-06-29 16:05 49,152 --a------ C:\WINDOWS\system32\ChCfg.exe
    2007-06-29 16:05 142,464 --a------ C:\WINDOWS\system32\drivers\aec.sys
    2007-06-29 16:04 7,552 --a------ C:\WINDOWS\system32\drivers\MSKSSRV.sys
    2007-06-29 16:04 60,800 --a------ C:\WINDOWS\system32\drivers\sysaudio.sys
    2007-06-29 16:04 60,288 --a------ C:\WINDOWS\system32\drivers\drmk.sys
    2007-06-29 16:04 577,536 --a------ C:\WINDOWS\soundman.exe
    2007-06-29 16:04 5,376 --a------ C:\WINDOWS\system32\drivers\MSPCLOCK.sys
    2007-06-29 16:04 4,992 --a------ C:\WINDOWS\system32\drivers\MSPQM.sys
    2007-06-29 16:04 4,096 --a------ C:\WINDOWS\system32\ksuser.dll
    2007-06-29 16:04 4,030,144 --a------ C:\WINDOWS\system32\drivers\alcxwdm.sys
    2007-06-29 16:04 315,392 --a------ C:\WINDOWS\alcupd.exe
    2007-06-29 16:04 217,088 --a------ C:\WINDOWS\Alcrmv.exe
    2007-06-29 16:04 2,944 --a------ C:\WINDOWS\system32\drivers\drmkaud.sys
    2007-06-29 16:04 172,416 --a------ C:\WINDOWS\system32\drivers\kmixer.sys
    2007-06-29 16:04 147,456 --a------ C:\WINDOWS\system32\RtlCPAPI.dll
    2007-06-29 16:04 145,792 --a------ C:\WINDOWS\system32\drivers\portcls.sys
    2007-06-29 16:04 10,528,768 --a------ C:\WINDOWS\system32\RTLCPL.exe
    2007-06-29 16:04 <DIR> d-------- C:\Archivos de programa\Realtek AC97
    2007-06-29 13:58 520,192 --------- C:\WINDOWS\system32\ati2sgag.exe
    2007-06-29 13:58 <DIR> d-------- C:\Archivos de programa\ATI Technologies
    2007-06-29 13:54 <DIR> d-------- C:\DOCUME~1\E\DATOSD~1\uTorrent
    2007-06-29 13:43 <DIR> d-------- C:\DOCUME~1\ALLUSE~1.WIN\DATOSD~1\Lavasoft
    2007-06-29 13:43 <DIR> d-------- C:\Archivos de programa\Lavasoft
    2007-06-29 13:43 <DIR> d-------- C:\Archivos de programa\Archivos comunes\Wise Installation Wizard
    2007-06-29 13:39 95,872 --a------ C:\WINDOWS\system32\AvastSS.scr
    2007-06-29 13:39 94,552 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
    2007-06-29 13:39 85,952 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
    2007-06-29 13:39 745,600 --a------ C:\WINDOWS\system32\aswBoot.exe
    2007-06-29 13:39 499,712 --a------ C:\WINDOWS\system32\MSVCP71.dll
    2007-06-29 13:39 43,176 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
    2007-06-29 13:39 348,160 --a------ C:\WINDOWS\system32\MSVCR71.dll
    2007-06-29 13:39 26,888 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
    2007-06-29 13:39 23,416 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
    2007-06-29 13:39 1,060,864 --a------ C:\WINDOWS\system32\MFC71.dll
    2007-06-29 13:39 <DIR> d-------- C:\Archivos de programa\Avast4
    2007-06-29 13:35 8,192 --a------ C:\WINDOWS\system32\wshirda.dll
    2007-06-29 13:35 59,648 --a------ C:\WINDOWS\system32\drivers\rfcomm.sys
    2007-06-29 13:35 3,072 --a------ C:\WINDOWS\system32\drivers\audstub.sys
    2007-06-29 13:35 28,160 --a------ C:\WINDOWS\system32\irmon.dll
    2007-06-29 13:35 17,024 --a------ C:\WINDOWS\system32\drivers\BthEnum.sys
    2007-06-29 13:35 153,600 --a------ C:\WINDOWS\system32\irftp.exe


    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

    2007-06-29 16:36:37 -------- d-----w C:\Archivos de programa\Windows Media Connect 2
    2007-06-29 16:12:25 -------- d--h--w C:\Archivos de programa\InstallShield Installation Information
    2007-06-29 15:53:24 -------- d-----w C:\Archivos de programa\Hewlett-Packard
    2007-06-29 15:53:23 -------- d--h--w C:\Archivos de programa\Zero G Registry
    2007-06-29 14:54:03 -------- d-----w C:\Archivos de programa\MSBuild
    2007-06-29 10:39:30 -------- d-----w C:\Archivos de programa\Windows NT
    2007-06-19 09:35:38 -------- d-----w C:\Archivos de programa\DivX
    2007-05-18 06:06:56 -------- d-----w C:\Archivos de programa\HP
    2007-05-16 07:03:30 -------- d-----w C:\Archivos de programa\Archivos comunes\HP
    2007-05-16 06:59:12 -------- d-----w C:\Archivos de programa\Archivos comunes\Hewlett-Packard
    2007-04-16 20:45:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
    2007-04-13 13:19:52 7,680 ----a-w C:\WINDOWS\system32\lsdelete.exe


    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


    *Note* empty entries & legit default entries are not shown

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
    2006-10-22 23:08 62080 --a------ C:\Archivos de programa\Archivos comunes\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]
    2005-05-31 01:04 853672 --a------ C:\ARCHIV~1\SPYBOT~1\SDHelper.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C199B0CF-3CC3-4727-8498-D1D0258FF76D}]
    C:\WINDOWS\system32\awvts.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-19 15:56 C:\WINDOWS\system32\bthprops.cpl]
    "avast!"="C:\ARCHIV~1\Avast4\ashDisp.exe" [2007-04-30 17:42]
    "SoundMan"="SOUNDMAN.EXE" [2007-04-16 15:28 C:\WINDOWS\soundman.exe]
    "Picasa Media Detector"="C:\Archivos de programa\Picasa2\PicasaMediaDetector.exe" [2007-06-16 01:15]
    "ATICCC"="C:\Archivos de programa\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 16:41]
    "HP Software Update"="C:\Archivos de programa\HP\HP Software Update\HPWuSchd2.exe" [2005-02-16 23:11]
    "Google Desktop Search"="C:\Archivos de programa\Google\Google Desktop Search\GoogleDesktop.exe" [2007-06-29 19:43]
    "TomcatStartup 2.5"="C:\Archivos de programa\Hewlett-Packard\Toolbox\hpbpsttp.exe" [2004-11-12 18:57]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-19 15:42]
    "SpybotSD TeaTimer"="C:\Archivos de programa\Spybot - Search & Destroy\TeaTimer.exe" [2005-05-31 01:04]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "NoToolbarCustomize"=0 (0x0)
    "NoFileMenu"=0 (0x0)
    "NoLowDiskSpaceChecks"=0 (0x0)

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "appinit_dlls"=C:\ARCHIV~1\Google\GOOGLE~2\GOEC62~1.DLL

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\aawservice]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    bthsvcs BthServ


    Contents of the 'Scheduled Tasks' folder
    2007-07-03 13:00:19 C:\WINDOWS\tasks\User_Feed_Synchronization-{DAC4462A-7CFA-476E-9A19-F4E43B19DBBB}.job

    **************************************************************************

    catchme 0.3.914 W2K/XP/Vista - rootkit detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-07-04 14:43:11
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    Completion time: 2007-07-04 14:44:37 - machine was rebooted
    C:\ComboFix-quarantined-files.txt ... 2007-07-04 14:44

    --- E O F ---

  6. #6
    Junior Member
    Join Date
    Mar 2007
    Posts
    18

    Default

    COMBOFIX QUARANTINED FILES.TXT:

    Code:
    2007-06-29 19:52      4628    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\dqhvjtmi.exe.vir
    2007-07-03 14:47      4628    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\osyvklnk.exe.vir
    2007-07-04 14:35      846    --a------    C:\Qoobox\Quarantine\Registry_backups\LEGACY_DOMAINSERVICE.reg.cf
    
    
    Listado de rutas de carpetas
El número de serie del volumen es D09D-CF67
    C:\QOOBOX
    \---Quarantine
        +---C
        |   \---WINDOWS
        |       \---system32
        |               dqhvjtmi.exe.vir
        |               osyvklnk.exe.vir
        |               
        \---Registry_backups
                LEGACY_DOMAINSERVICE.reg.cf

  7. #7
    Junior Member
    Join Date
    Mar 2007
    Posts
    18

    Default

    And that's all.

Maybe... I've killed the spies already?

  8. #8
    Security Expert: Emeritus
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    29,374

    Default

    Hi

    Looking pretty good yes but we're not done yet.

Open HijackThis, click "Do a system scan only" and checkmark these:

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    O2 - BHO: (no name) - {C199B0CF-3CC3-4727-8498-D1D0258FF76D} - C:\WINDOWS\system32\awvts.dll (file missing)


Close all windows, including the browser, and press "Fix checked".

    Reboot.

Please do an online scan with Kaspersky Online Scanner. You will be prompted to install an ActiveX component from Kaspersky; click Yes.
    • The program will launch and then start to download the latest definition files.
    • Once the scanner is installed and the definitions downloaded, click Next.
    • Now click on Scan Settings
    • In the scan settings make sure that the following are selected:

      o Scan using the following Anti-Virus database:

      + Extended (If available otherwise Standard)

      o Scan Options:

      + Scan Archives
      + Scan Mail Bases
    • Click OK
• Now, under "Select a target to scan", select My Computer
    • The scan will take a while so be patient and let it run. Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button
    • Save the file to your desktop.
    • Copy and paste that information in your next post.


    Post:

    - a fresh HijackThis log
    - kaspersky report
    Microsoft MVP Consumer Security 2008-2011

    Member of ASAP and UNITE since 2006

  9. #9
    Junior Member
    Join Date
    Mar 2007
    Posts
    18

    Default

Well, I've done it; here are the logs:

    Logfile of Trend Micro HijackThis v2.0.0 (BETA)
    Scan saved at 8:18:02, on 06/07/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Archivos de programa\Avast4\aswUpdSv.exe
    C:\Archivos de programa\Avast4\ashServ.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\rundll32.exe
    C:\ARCHIV~1\Avast4\ashDisp.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Archivos de programa\Picasa2\PicasaMediaDetector.exe
    C:\Archivos de programa\ATI Technologies\ATI.ACE\cli.exe
    C:\Archivos de programa\HP\HP Software Update\HPWuSchd2.exe
    C:\Archivos de programa\Google\Google Desktop Search\GoogleDesktop.exe
    C:\Archivos de programa\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\WINDOWS\system32\HPZipm12.exe
    C:\Archivos de programa\Google\Google Desktop Search\GoogleDesktop.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\wwSecure.exe
    C:\ARCHIV~1\HEWLET~1\Toolbox\STATUS~1\STATUS~1.EXE
    C:\Archivos de programa\Avast4\ashMaiSv.exe
    C:\Archivos de programa\Avast4\ashWebSv.exe
    C:\Archivos de programa\Hewlett-Packard\Toolbox\jre\bin\javaw.exe
    C:\Archivos de programa\ATI Technologies\ATI.ACE\cli.exe
    C:\Archivos de programa\ATI Technologies\ATI.ACE\cli.exe
    C:\Archivos de programa\Outlook Express\msimn.exe
    C:\Archivos de programa\Internet Explorer\iexplore.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Documents and Settings\EnriqueBouza\Escritorio\SOMETHING.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.es/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
    O2 - BHO: Aplicación auxiliar de vínculos de Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Archivos de programa\Archivos comunes\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\ARCHIV~1\SPYBOT~1\SDHelper.dll
    O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
    O4 - HKLM\..\Run: [avast!] C:\ARCHIV~1\Avast4\ashDisp.exe
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [Picasa Media Detector] C:\Archivos de programa\Picasa2\PicasaMediaDetector.exe
    O4 - HKLM\..\Run: [ATICCC] "C:\Archivos de programa\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
    O4 - HKLM\..\Run: [HP Software Update] "C:\Archivos de programa\HP\HP Software Update\HPWuSchd2.exe"
    O4 - HKLM\..\Run: [Google Desktop Search] "C:\Archivos de programa\Google\Google Desktop Search\GoogleDesktop.exe" /startup
    O4 - HKLM\..\Run: [CorelDRAW Graphics Suite 11b] C:\Archivos de programa\Corel\Corel Graphics 12\Languages\ES\Programs\Registration.exe /title="CorelDRAW Graphics Suite 12" /date=072007 serial=dr12cun-1353003-vhd lang=ES
    O4 - HKLM\..\Run: [TomcatStartup 2.5] C:\Archivos de programa\Hewlett-Packard\Toolbox\hpbpsttp.exe
    O4 - HKCU\..\Run: [Window Washer] C:\Archivos de programa\Webroot\Washer\wwDisp.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\RunOnce: [Index Washer] C:\Archivos de programa\Webroot\Washer\WashIdx.exe "EnriqueBouza"
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICIO LOCAL')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Servicio de red')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Archivos de programa\HP\Digital Imaging\bin\hpqtra08.exe
    O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\ARCHIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Referencia - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARCHIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe (file missing)
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe (file missing)
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{4492F9DD-6837-485B-B506-5AF475B49673}: NameServer = 62.151.2.8
    O17 - HKLM\System\CS2\Services\Tcpip\..\{4492F9DD-6837-485B-B506-5AF475B49673}: NameServer = 62.151.2.8
    O17 - HKLM\System\CS3\Services\Tcpip\..\{4492F9DD-6837-485B-B506-5AF475B49673}: NameServer = 62.151.2.8
    O20 - AppInit_DLLs: C:\ARCHIV~1\Google\GOOGLE~2\GOEC62~1.DLL
    O22 - SharedTaskScheduler: Precargador Browseui - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
    O22 - SharedTaskScheduler: Demonio de caché de las categorías de componente - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Archivos de programa\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Archivos de programa\Avast4\aswUpdSv.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: avast! Antivirus - ALWIL Software - C:\Archivos de programa\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Archivos de programa\Avast4\ashMaiSv.exe
    O23 - Service: avast! Web Scanner - ALWIL Software - C:\Archivos de programa\Avast4\ashWebSv.exe
    O23 - Service: Servicio del administrador de discos lógicos (dmadmin) - Unknown owner - C:\WINDOWS\System32\dmadmin.exe
    O23 - Service: Registro de sucesos (Eventlog) - Unknown owner - C:\WINDOWS\system32\services.exe
    O23 - Service: GoogleDesktopManager - Google - C:\Archivos de programa\Google\Google Desktop Search\GoogleDesktop.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Archivos de programa\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: Servicio COM de grabación de CD de IMAPI (ImapiService) - Unknown owner - C:\WINDOWS\system32\imapi.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: Escritorio remoto compartido de NetMeeting (mnmsrvc) - Unknown owner - C:\WINDOWS\system32\mnmsrvc.exe
    O23 - Service: Plug and Play (PlugPlay) - Unknown owner - C:\WINDOWS\system32\services.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: Administrador de sesión de Ayuda de escritorio remoto (RDSessMgr) - Unknown owner - C:\WINDOWS\system32\sessmgr.exe
    O23 - Service: Tarjeta inteligente (SCardSvr) - Unknown owner - C:\WINDOWS\System32\SCardSvr.exe
    O23 - Service: Registros y alertas de rendimiento (SysmonLog) - Unknown owner - C:\WINDOWS\system32\smlogsvc.exe
    O23 - Service: Instantáneas de volumen (VSS) - Unknown owner - C:\WINDOWS\System32\vssvc.exe
    O23 - Service: Adaptador de rendimiento de WMI (WmiApSrv) - Unknown owner - C:\WINDOWS\system32\wbem\wmiapsrv.exe
    O23 - Service: Servicio de uso compartido de red del Reproductor de Windows Media (WMPNetworkSvc) - Unknown owner - C:\Archivos de programa\Windows Media Player\WMPNetwk.exe
    O23 - Service: Washer AutoComplete (wwSecSvc) - Webroot Software, Inc. - C:\WINDOWS\system32\wwSecure.exe

    --
    End of file - 8521 bytes

  10. #10
    Junior Member
    Join Date
    Mar 2007
    Posts
    18

    Default

And Kaspersky Online (it detected some "visitors"):

    -------------------------------------------------------------------------------
    KASPERSKY ONLINE SCANNER REPORT
    Friday, July 06, 2007 8:06:10 AM
    Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
    Kaspersky Online Scanner version: 5.0.93.0
    Kaspersky Anti-Virus database last update: 5/07/2007
    Kaspersky Anti-Virus database records: 358653
    -------------------------------------------------------------------------------

    Scan Settings:
    Scan using the following antivirus database: extended
    Scan Archives: true
    Scan Mail Bases: true

    Scan Target - My Computer:
    A:\
    C:\
    D:\

    Scan Statistics:
    Total number of scanned objects: 58343
    Number of viruses found: 8
    Number of infected objects: 31
    Number of suspicious objects: 0
    Duration of the scan process: 02:14:02

    Infected Object Name / Virus Name / Last Action
    C:\Archivos de programa\Avast4\DATA\aswResp.dat Object is locked skipped
    C:\Archivos de programa\Avast4\DATA\Avast4.db Object is locked skipped
    C:\Archivos de programa\Avast4\DATA\log\AshWebSv.ws Object is locked skipped
    C:\Archivos de programa\Avast4\DATA\log\aswMaiSv.log Object is locked skipped
    C:\Archivos de programa\Avast4\DATA\log\nshield.log Object is locked skipped
    C:\Archivos de programa\Avast4\DATA\report\Protección residente.txt Object is locked skipped
    C:\Documents and Settings\All Users\Datos de programa\Microsoft\Dr Watson\user.dmp Object is locked skipped
    C:\Documents and Settings\All Users.WINDOWS\Datos de programa\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
    C:\Documents and Settings\All Users.WINDOWS\Datos de programa\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
    C:\Documents and Settings\E\Configuración local\Datos de programa\Identities\{0FA4FDA7-FDC8-4015-8629-2A50518A125F}\Microsoft\Outlook Express\Comercial - Elementos eliminados.dbx/[From comercial@arien-machine.com][Date Wed, 6 Jun 2007 08:45:49 +0200]/email.doc Infected: Email-Worm.Win32.NetSky.q skipped
    C:\Documents and Settings\E\Configuración local\Datos de programa\Identities\{0FA4FDA7-FDC8-4015-8629-2A50518A125F}\Microsoft\Outlook Express\Comercial - Elementos eliminados.dbx/[From irivas@comsa.com][Date Thu, 21 Jun 2007 09:20:41 +0200]/data_comercial.zip/data.rtf .scr Infected: Email-Worm.Win32.NetSky.q skipped
    C:\Documents and Settings\E\Configuración local\Datos de programa\Identities\{0FA4FDA7-FDC8-4015-8629-2A50518A125F}\Microsoft\Outlook Express\Comercial - Elementos eliminados.dbx/[From irivas@comsa.com][Date Thu, 21 Jun 2007 09:20:41 +0200]/data_comercial.zip Infected: Email-Worm.Win32.NetSky.q skipped
    C:\Documents and Settings\E\Configuración local\Datos de programa\Identities\{0FA4FDA7-FDC8-4015-8629-2A50518A125F}\Microsoft\Outlook Express\Comercial - Elementos eliminados.dbx/[From 06cb6db3@arsenal.co.uk][Date Thu, 28 Jun 2007 08:42:55 +0200]/UNNAMED/message_comercial.zip/details.txt .pif Infected: Email-Worm.Win32.NetSky.q skipped
    C:\Documents and Settings\E\Configuración local\Datos de programa\Identities\{0FA4FDA7-FDC8-4015-8629-2A50518A125F}\Microsoft\Outlook Express\Comercial - Elementos eliminados.dbx/[From 06cb6db3@arsenal.co.uk][Date Thu, 28 Jun 2007 08:42:55 +0200]/UNNAMED/message_comercial.zip Infected: Email-Worm.Win32.NetSky.q skipped
    C:\Documents and Settings\E\Configuración local\Datos de programa\Identities\{0FA4FDA7-FDC8-4015-8629-2A50518A125F}\Microsoft\Outlook Express\Comercial - Elementos eliminados.dbx/[From 06cb6db3@arsenal.co.uk][Date Thu, 28 Jun 2007 08:42:55 +0200]/UNNAMED Infected: Email-Worm.Win32.NetSky.q skipped
    C:\Documents and Settings\E\Configuración local\Datos de programa\Identities\{0FA4FDA7-FDC8-4015-8629-2A50518A125F}\Microsoft\Outlook Express\Comercial - Elementos eliminados.dbx Mail MS Outlook 5: infected - 6 skipped
    C:\Documents and Settings\E\Mis documentos\Downloads\Winzip 11 pro\winzip110.exe/data0000.cab/is67528.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.if skipped
    C:\Documents and Settings\E\Mis documentos\Downloads\Winzip 11 pro\winzip110.exe/data0000.cab Infected: not-a-virus:AdWare.Win32.Virtumonde.if skipped
    C:\Documents and Settings\E\Mis documentos\Downloads\Winzip 11 pro\winzip110.exe Rsrc-Package: infected - 2 skipped
    C:\Documents and Settings\EnriqueBouza\Configuración local\Archivos temporales de Internet\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
    C:\Documents and Settings\EnriqueBouza\Configuración local\Archivos temporales de Internet\Content.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\EnriqueBouza\Configuración local\Datos de programa\ApplicationHistory\cli.exe.72313fbf.ini.inuse Object is locked skipped
    C:\Documents and Settings\EnriqueBouza\Configuración local\Datos de programa\Google\Google Desktop\d5bfe6e206e1\ch8dfe7597 Object is locked skipped
    C:\Documents and Settings\EnriqueBouza\Configuración local\Datos de programa\Google\Google Desktop\d5bfe6e206e1\dbc2e.ht1 Object is locked skipped
    C:\Documents and Settings\EnriqueBouza\Configuración local\Datos de programa\Google\Google Desktop\d5bfe6e206e1\dbdam Object is locked skipped
    C:\Documents and Settings\EnriqueBouza\Configuración local\Datos de programa\Google\Google Desktop\d5bfe6e206e1\dbdao Object is locked skipped
    C:\Documents and Settings\EnriqueBouza\Configuración local\Datos de programa\Google\Google Desktop\d5bfe6e206e1\dbeam Object is locked skipped
    C:\Documents and Settings\EnriqueBouza\Configuración local\Datos de programa\Google\Google Desktop\d5bfe6e206e1\dbeao Object is locked skipped
    C:\Documents and Settings\EnriqueBouza\Configuración local\Datos de programa\Google\Google Desktop\d5bfe6e206e1\dbm Object is locked skipped
    C:\Documents and Settings\EnriqueBouza\Configuración local\Datos de programa\Google\Google Desktop\d5bfe6e206e1\dbu2d.ht1 Object is locked skipped
    C:\Documents and Settings\EnriqueBouza\Configuración local\Datos de programa\Google\Google Desktop\d5bfe6e206e1\dbvm.cf1 Object is locked skipped
    C:\Documents and Settings\EnriqueBouza\Configuración local\Datos de programa\Google\Google Desktop\d5bfe6e206e1\dbvmh.ht1 Object is locked skipped
    C:\Documents and Settings\EnriqueBouza\Configuración local\Datos de programa\Google\Google Desktop\d5bfe6e206e1\fii.cf1 Object is locked skipped
    C:\Documents and Settings\EnriqueBouza\Configuración local\Datos de programa\Google\Google Desktop\d5bfe6e206e1\fiih.ht1 Object is locked skipped
    C:\Documents and Settings\EnriqueBouza\Configuración local\Datos de programa\Google\Google Desktop\d5bfe6e206e1\hp Object is locked skipped
    C:\Documents and Settings\EnriqueBouza\Configuración local\Datos de programa\Google\Google Desktop\d5bfe6e206e1\hpt2i.ht1 Object is locked skipped
    C:\Documents and Settings\EnriqueBouza\Configuración local\Datos de programa\Google\Google Desktop\d5bfe6e206e1\rpm.cf1 Object is locked skipped
    C:\Documents and Settings\EnriqueBouza\Configuración local\Datos de programa\Google\Google Desktop\d5bfe6e206e1\rpm1m.cf1 Object is locked skipped
    C:\Documents and Settings\EnriqueBouza\Configuración local\Datos de programa\Google\Google Desktop\d5bfe6e206e1\rpm1mh.ht1 Object is locked skipped
    C:\Documents and Settings\EnriqueBouza\Configuración local\Datos de programa\Google\Google Desktop\d5bfe6e206e1\rpmh.ht1 Object is locked skipped
    C:\Documents and Settings\EnriqueBouza\Configuración local\Datos de programa\Google\Google Desktop\d5bfe6e206e1\safeweb\goog-black-enchashm.cf1 Object is locked skipped
    C:\Documents and Settings\EnriqueBouza\Configuración local\Datos de programa\Google\Google Desktop\d5bfe6e206e1\safeweb\goog-black-enchashmh.ht1 Object is locked skipped
    C:\Documents and Settings\EnriqueBouza\Configuración local\Datos de programa\Google\Google Desktop\d5bfe6e206e1\safeweb\goog-black-urlm.cf1 Object is locked skipped
    C:\Documents and Settings\EnriqueBouza\Configuración local\Datos de programa\Google\Google Desktop\d5bfe6e206e1\safeweb\goog-black-urlmh.ht1 Object is locked skipped
    C:\Documents and Settings\EnriqueBouza\Configuración local\Datos de programa\Google\Google Desktop\d5bfe6e206e1\safeweb\goog-malware-domainm.cf1 Object is locked skipped
    C:\Documents and Settings\EnriqueBouza\Configuración local\Datos de programa\Google\Google Desktop\d5bfe6e206e1\safeweb\goog-malware-domainmh.ht1 Object is locked skipped
    C:\Documents and Settings\EnriqueBouza\Configuración local\Datos de programa\Google\Google Desktop\d5bfe6e206e1\safeweb\goog-white-domainm.cf1 Object is locked skipped
    C:\Documents and Settings\EnriqueBouza\Configuración local\Datos de programa\Google\Google Desktop\d5bfe6e206e1\safeweb\goog-white-domainmh.ht1 Object is locked skipped
    C:\Documents and Settings\EnriqueBouza\Configuración local\Datos de programa\Identities\{BBBD0510-3E06-4941-98C6-5DEC062BF48C}\Microsoft\Outlook Express\comercial - Bandeja de entrada.dbx Object is locked skipped
    C:\Documents and Settings\EnriqueBouza\Configuración local\Datos de programa\Identities\{BBBD0510-3E06-4941-98C6-5DEC062BF48C}\Microsoft\Outlook Express\Folders.dbx Object is locked skipped
    C:\Documents and Settings\EnriqueBouza\Configuración local\Datos de programa\Identities\{BBBD0510-3E06-4941-98C6-5DEC062BF48C}\Microsoft\Outlook Express\Offline.dbx Object is locked skipped
    C:\Documents and Settings\EnriqueBouza\Configuración local\Datos de programa\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\EnriqueBouza\Configuración local\Datos de programa\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\EnriqueBouza\Configuración local\Historial\History.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\EnriqueBouza\Configuración local\Temp\2248_zip_dump.doc Object is locked skipped
    C:\Documents and Settings\EnriqueBouza\Configuración local\Temp\Cookies\index.dat Object is locked skipped
    C:\Documents and Settings\EnriqueBouza\Configuración local\Temp\History\History.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\EnriqueBouza\Configuración local\Temp\newtb1handler.log Object is locked skipped
    C:\Documents and Settings\EnriqueBouza\Configuración local\Temp\Perflib_Perfdata_1b0.dat Object is locked skipped
    C:\Documents and Settings\EnriqueBouza\Configuración local\Temp\Perflib_Perfdata_91c.dat Object is locked skipped
    C:\Documents and Settings\EnriqueBouza\Configuración local\Temp\Perflib_Perfdata_93c.dat Object is locked skipped
    C:\Documents and Settings\EnriqueBouza\Configuración local\Temp\proxystop-tblauncher.log Object is locked skipped
    C:\Documents and Settings\EnriqueBouza\Configuración local\Temp\tblauncher.log Object is locked skipped
    C:\Documents and Settings\EnriqueBouza\Configuración local\Temp\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\EnriqueBouza\Configuración local\Temp\toolbox_healer59967.log Object is locked skipped
    C:\Documents and Settings\EnriqueBouza\Configuración local\Temp\~DFF607.tmp Object is locked skipped
    C:\Documents and Settings\EnriqueBouza\Cookies\index.dat Object is locked skipped
    C:\Documents and Settings\EnriqueBouza\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\EnriqueBouza\ntuser.dat.LOG Object is locked skipped
    C:\Documents and Settings\LocalService.NT AUTHORITY\Configuración local\Datos de programa\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\LocalService.NT AUTHORITY\Configuración local\Datos de programa\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\LocalService.NT AUTHORITY\Configuración local\Temp\Cookies\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService.NT AUTHORITY\Configuración local\Temp\History\History.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService.NT AUTHORITY\Configuración local\Temp\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService.NT AUTHORITY\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\LocalService.NT AUTHORITY\ntuser.dat.LOG Object is locked skipped
    C:\Documents and Settings\NetworkService.NT AUTHORITY\Configuración local\Datos de programa\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\NetworkService.NT AUTHORITY\Configuración local\Datos de programa\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\NetworkService.NT AUTHORITY\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\NetworkService.NT AUTHORITY\ntuser.dat.LOG Object is locked skipped
    C:\e3dd30e40a58a46a42fba40d\e50d24d33a6ddc541ea843635302\update\update.log Object is locked skipped
    C:\QooBox\Quarantine\C\WINDOWS\system32\dqhvjtmi.exe.vir Infected: Trojan-Downloader.Win32.Tiny.id skipped
    C:\QooBox\Quarantine\C\WINDOWS\system32\osyvklnk.exe.vir Infected: Trojan-Downloader.Win32.Tiny.id skipped
    C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
    C:\System Volume Information\_restore{EF9A7EC0-5A45-49C0-AF36-D6A474CB0CBD}\RP14\A0001072.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ki skipped
    C:\System Volume Information\_restore{EF9A7EC0-5A45-49C0-AF36-D6A474CB0CBD}\RP15\A0002120.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ki skipped
    C:\System Volume Information\_restore{EF9A7EC0-5A45-49C0-AF36-D6A474CB0CBD}\RP15\A0002137.exe Infected: Trojan.Win32.Agent.aoy skipped
    C:\System Volume Information\_restore{EF9A7EC0-5A45-49C0-AF36-D6A474CB0CBD}\RP15\A0002142.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.fp skipped
    C:\System Volume Information\_restore{EF9A7EC0-5A45-49C0-AF36-D6A474CB0CBD}\RP15\A0002143.exe Infected: Trojan.Win32.Agent.aoy skipped
    C:\System Volume Information\_restore{EF9A7EC0-5A45-49C0-AF36-D6A474CB0CBD}\RP15\A0002144.exe Infected: Trojan.Win32.Agent.aoy skipped
    C:\System Volume Information\_restore{EF9A7EC0-5A45-49C0-AF36-D6A474CB0CBD}\RP15\A0002145.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ki skipped
    C:\System Volume Information\_restore{EF9A7EC0-5A45-49C0-AF36-D6A474CB0CBD}\RP15\A0002146.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.kj skipped
    C:\System Volume Information\_restore{EF9A7EC0-5A45-49C0-AF36-D6A474CB0CBD}\RP15\A0002147.exe Infected: Trojan.Win32.Agent.aoy skipped
    C:\System Volume Information\_restore{EF9A7EC0-5A45-49C0-AF36-D6A474CB0CBD}\RP15\A0004151.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
    C:\System Volume Information\_restore{EF9A7EC0-5A45-49C0-AF36-D6A474CB0CBD}\RP15\A0005187.exe Infected: Trojan-Downloader.Win32.Tiny.id skipped
    C:\System Volume Information\_restore{EF9A7EC0-5A45-49C0-AF36-D6A474CB0CBD}\RP15\A0005188.exe Infected: Trojan-Downloader.Win32.Tiny.id skipped
    C:\System Volume Information\_restore{EF9A7EC0-5A45-49C0-AF36-D6A474CB0CBD}\RP17\change.log Object is locked skipped
    C:\VundoFix Backups\awvts.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.fp skipped
    C:\VundoFix Backups\imchipqb.exe.bad Infected: Trojan.Win32.Agent.aoy skipped
    C:\VundoFix Backups\ohsvgabg.exe.bad Infected: Trojan.Win32.Agent.aoy skipped
    C:\VundoFix Backups\opnmlki.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
    C:\VundoFix Backups\vwkkotlb.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.ki skipped
    C:\VundoFix Backups\ylhfnvsn.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.kj skipped
    C:\VundoFix Backups\yykjedjv.exe.bad Infected: Trojan.Win32.Agent.aoy skipped
    C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
    C:\WINDOWS\SchedLgU.Txt Object is locked skipped
    C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
    C:\WINDOWS\Sti_Trace.log Object is locked skipped
    C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
    C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
    C:\WINDOWS\system32\config\ACEEvent.evt Object is locked skipped
    C:\WINDOWS\system32\config\Antivirus.Evt Object is locked skipped
    C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\default Object is locked skipped
    C:\WINDOWS\system32\config\default.LOG Object is locked skipped
    C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
    C:\WINDOWS\system32\config\SAM Object is locked skipped
    C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
    C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\SECURITY Object is locked skipped
    C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
    C:\WINDOWS\system32\config\software Object is locked skipped
    C:\WINDOWS\system32\config\software.LOG Object is locked skipped
    C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\system Object is locked skipped
    C:\WINDOWS\system32\config\system.LOG Object is locked skipped
    C:\WINDOWS\system32\h323log.txt Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
    C:\WINDOWS\Temp\Perflib_Perfdata_57c.dat Object is locked skipped
    C:\WINDOWS\Temp\_avast4_\Webshlock.txt Object is locked skipped
    C:\WINDOWS\wiadebug.log Object is locked skipped
    C:\WINDOWS\wiaservc.log Object is locked skipped
    C:\WINDOWS\WindowsUpdate.log Object is locked skipped

    Scan process completed.
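A triage script for a report in this format, as an added example that is not part of the thread and not Kaspersky's own tooling: it separates real detections from the "Object is locked skipped" noise and groups each hit by whether it sits in quarantine, a System Restore point, a tool backup, inside an archive or mailbox, or as a live file on disk. The sample lines are copied from the report above plus one constructed live-file line (EXAMPLE_live_hit.dll) that exercises the branch an active infection would take.

```python
"""Triage a Kaspersky Online Scanner 5.x text report (added example)."""
import re
from collections import Counter

# Locations whose contents are inert copies rather than running code.
# Constructed table; the prefixes are the ones that appear in the thread's report.
INERT_LOCATIONS = [
    ("quarantine", "c:\\qoobox\\quarantine\\"),
    ("restore point", "c:\\system volume information\\_restore"),
    ("tool backup", "c:\\vundofix backups\\"),
]

# Line shapes written by the scanner, taken from the report above.
DRIVE_RE = re.compile(r"^[A-Za-z]:\\")
LOCKED_RE = re.compile(r"^(?P<path>.+) Object is locked skipped$")
INFECTED_RE = re.compile(r"^(?P<path>.+) Infected: (?P<name>\S+) (?P<action>\S+)$")
# Container summary, e.g. "...winzip110.exe Rsrc-Package: infected - 2 skipped".
# The container kind never holds a path separator or a dot, which is what lets
# the regex find the boundary inside a path full of spaces.
CONTAINER_RE = re.compile(
    r"^(?P<path>.+?) (?P<kind>[^\\/.]+): infected - (?P<count>\d+) skipped$")


def locate(path):
    """Say where a hit lives; '/' is how the scanner steps into archives/mailboxes."""
    low = path.lower()
    for label, prefix in INERT_LOCATIONS:
        if low.startswith(prefix):
            return label
    if "/" in path:
        return "inside container"
    return "live file"


def family(name):
    """'not-a-virus:AdWare.Win32.Virtumonde.ki' -> 'AdWare.Win32.Virtumonde'."""
    return name.split(":")[-1].rsplit(".", 1)[0]


def parse_report(text):
    """Turn the object lines of a report into dicts; headers and blanks are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not DRIVE_RE.match(line):
            continue
        m = LOCKED_RE.match(line)
        if m:
            entries.append({"path": m["path"], "verdict": "locked", "name": None})
            continue
        m = INFECTED_RE.match(line)
        if m:
            entries.append({"path": m["path"], "verdict": "infected", "name": m["name"]})
            continue
        m = CONTAINER_RE.match(line)
        if m:
            entries.append({"path": m["path"], "verdict": "container",
                            "name": f"{m['count']} nested hit(s)"})
            continue
        entries.append({"path": line, "verdict": "unparsed", "name": None})
    for e in entries:
        e["location"] = locate(e["path"])
    return entries


def summarize(text):
    """Counts that answer the question 'is anything still active on this box?'"""
    entries = parse_report(text)
    hits = [e for e in entries if e["verdict"] in ("infected", "container")]
    return {
        "locked": sum(e["verdict"] == "locked" for e in entries),
        "hits": len(hits),
        "by_location": Counter(e["location"] for e in hits),
        "live_files": sorted(e["path"] for e in hits if e["location"] == "live file"),
        "families": Counter(family(e["name"]) for e in entries if e["verdict"] == "infected"),
    }


# Constructed sample: lines from the report above plus one made-up live hit.
SAMPLE_REPORT = r"""
Infected Object Name / Virus Name / Last Action
C:\Archivos de programa\Avast4\DATA\aswResp.dat Object is locked skipped
C:\Documents and Settings\E\Configuración local\Datos de programa\Identities\{0FA4FDA7-FDC8-4015-8629-2A50518A125F}\Microsoft\Outlook Express\Comercial - Elementos eliminados.dbx/[From comercial@arien-machine.com][Date Wed, 6 Jun 2007 08:45:49 +0200]/email.doc Infected: Email-Worm.Win32.NetSky.q skipped
C:\Documents and Settings\E\Configuración local\Datos de programa\Identities\{0FA4FDA7-FDC8-4015-8629-2A50518A125F}\Microsoft\Outlook Express\Comercial - Elementos eliminados.dbx Mail MS Outlook 5: infected - 6 skipped
C:\Documents and Settings\E\Mis documentos\Downloads\Winzip 11 pro\winzip110.exe/data0000.cab/is67528.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.if skipped
C:\Documents and Settings\E\Mis documentos\Downloads\Winzip 11 pro\winzip110.exe Rsrc-Package: infected - 2 skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\dqhvjtmi.exe.vir Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\System Volume Information\_restore{EF9A7EC0-5A45-49C0-AF36-D6A474CB0CBD}\RP15\A0002137.exe Infected: Trojan.Win32.Agent.aoy skipped
C:\VundoFix Backups\awvts.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.fp skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\EXAMPLE_live_hit.dll Infected: Trojan.Win32.Agent.aoy skipped
"""

if __name__ == "__main__":
    s = summarize(SAMPLE_REPORT)
    print(f"locked (noise): {s['locked']}, hits: {s['hits']}")
    for loc, n in s["by_location"].most_common():
        print(f"  {loc}: {n}")
    print("files still on disk that need action:")
    for p in s["live_files"]:
        print("  " + p)
```

On the thread's own report the live-file bucket holds only the downloaded WinZip installer and the deleted-items mailbox; everything else is in quarantine, restore points or VundoFix backups, which is why the expert's next step is cleanup rather than another removal tool.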
