
Hey David D-Trojanator.. Now I Can't Add My Reply?


This topic is locked
21 replies to this topic

#1 BLEEP my computer

  • Members
  • 9 posts

Posted 14 June 2006 - 05:55 AM

Hello-

Thanks in advance for any help you can give me. My problems started a few months ago with random popup ads that weren't too disturbing at the time. Then I got a message while on MSN Messenger chatting with a friend; I clicked the link that said something like (look at our fotos on myspace). I clicked the link and that's when things really started to get bad. Since then my computer has been completely overrun with problems. The small icons I had installed on the toolbar at the bottom of my screen are gone, my startup page is gone, and I get bombarded by popups, and attempts by I don't know what to download more viruses... Simply put, I am OVERWHELMED. I went through the preparatory steps on the Bleeping Computer page and things are a little better now... but still not good.

Hopefully awaiting your response-

Logfile of HijackThis v1.99.1
Scan saved at 12:41:47, on 14/06/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\windows\System32\smss.exe
C:\windows\system32\winlogon.exe
C:\windows\system32\services.exe
C:\windows\system32\lsass.exe
C:\windows\system32\svchost.exe
C:\windows\System32\svchost.exe
C:\Archivos de programa\Archivos comunes\Symantec Shared\ccSetMgr.exe
C:\Archivos de programa\Archivos comunes\Symantec Shared\SNDSrvc.exe
C:\Archivos de programa\Archivos comunes\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Archivos de programa\Archivos comunes\Symantec Shared\ccEvtMgr.exe
C:\windows\system32\spoolsv.exe
C:\windows\Explorer.EXE
C:\windows\system32\wfxsnt40.exe
C:\Archivos de programa\Java\jre1.5.0_06\bin\jusched.exe
C:\Archivos de programa\Archivos comunes\Logitech\QCDriver\LVCOMS.EXE
C:\Archivos de programa\DIGStream\digstream.exe
C:\Archivos de programa\HP\HP Software Update\HPWuSchd2.exe
C:\windows\system32\drivers\helpsys\msnexplorer.exe
C:\windows\system32\drivers\helpsys\iexplorer.exe
C:\Archivos de programa\ipwins\ipwins.exe
C:\Archivos de programa\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Archivos de programa\Archivos comunes\Symantec Shared\ccApp.exe
C:\mActiveX.exe
C:\Archivos de programa\Zone Labs\ZoneAlarm\zlclient.exe
C:\windows\system32\ctfmon.exe
C:\Documents and Settings\user1\Mis documentos\?ssembly\c?rss.exe
C:\Archivos de programa\Symantec\WinFax\WFXCTL32.EXE
C:\Archivos de programa\Telefonica\Kit ADSL USB\DSLMON.exe
C:\Archivos de programa\HP\Digital Imaging\bin\hpqtra08.exe
C:\Archivos de programa\D-Link AirPlus Xtreme G\AirPlus.exe
C:\Archivos de programa\TClock\TClock.exe
C:\Archivos de programa\a-squared\wa2start.exe
C:\Archivos de programa\Norton AntiVirus\navapsvc.exe
C:\Archivos de programa\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Archivos de programa\Norton AntiVirus\IWP\NPFMntor.exe
C:\windows\system32\svchost.exe
C:\Archivos de programa\Archivos comunes\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\ZONELABS\vsmon.exe
C:\Archivos de programa\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\WINDOWS\system32\WFXSVC.EXE
C:\Archivos de programa\Symantec\WinFax\WFXMOD32.EXE
C:\windows\system32\rundll32.exe
C:\Archivos de programa\Internet Explorer\iexplore.exe
C:\Archivos de programa\ACT\act.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O3 - Toolbar: BitComet Toolbar - {2E608F70-C430-4bc5-96F6-608E02EBA5B2} - C:\Archivos de programa\BitComet Toolbar\v2.0.0.1\BitComet_Toolbar.dll (file missing)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Archivos de programa\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Archivos de programa\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Archivos de programa\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [LVCOMS] C:\Archivos de programa\Archivos comunes\Logitech\QCDriver\LVCOMS.EXE
O4 - HKLM\..\Run: [DIGStream] C:\Archivos de programa\DIGStream\digstream.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Archivos de programa\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Evidence Eliminator] C:\Archivos de programa\Evidence Eliminator\ee.exe /m
O4 - HKLM\..\Run: [MSN Explorer] C:\windows\system32\drivers\helpsys\msnexplorer.exe
O4 - HKLM\..\Run: [Intranet Explorer] C:\windows\system32\drivers\helpsys\iexplorer.exe
O4 - HKLM\..\Run: [IpWins] C:\Archivos de programa\ipwins\ipwins.exe
O4 - HKLM\..\Run: [keyboard] C:\\keyboard25.exe
O4 - HKLM\..\Run: [defender] C:\\defender25.exe
O4 - HKLM\..\Run: [ccApp] "C:\Archivos de programa\Archivos comunes\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\ARCHIV~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [newname] C:\\newname25.exe
O4 - HKLM\..\Run: [Win643] C:\mActiveX.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Archivos de programa\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\windows\system32\ctfmon.exe
O4 - HKCU\..\Run: [Evidence Eliminator] C:\Archivos de programa\Evidence Eliminator\ee.exe /m
O4 - HKCU\..\Run: [MSN Explorer] C:\windows\system32\drivers\helpsys\msnexplorer.exe
O4 - HKCU\..\Run: [Intranet Explorer] C:\windows\system32\drivers\helpsys\iexplorer.exe
O4 - HKCU\..\Run: [TClock.exe] C:\Archivos de programa\TClock\tclock_install.exe
O4 - HKCU\..\Run: [Wsdgg] C:\Documents and Settings\user1\Mis documentos\?ssembly\c?rss.exe
O4 - HKCU\..\Run: [rwkk] C:\ARCHIV~1\ARCHIV~1\rwkk\rwkkm.exe
O4 - Global Startup: Desktop Manager.lnk = C:\Archivos de programa\Research In Motion\BlackBerry\DesktopMgr.exe
O4 - Global Startup: Controller.LNK = C:\Archivos de programa\Symantec\WinFax\WFXCTL32.EXE
O4 - Global Startup: Consola KIT ADSL.lnk = C:\Archivos de programa\Telefonica\Kit ADSL USB\DSLMON.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Archivos de programa\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Archivos de programa\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: ACS.lnk = ?
O4 - Global Startup: D-Link AirPlus Xtreme G Configuration Utility.lnk = ?
O4 - Global Startup: D-Link REG Utility.lnk = ?
O8 - Extra context menu item: &MyToolBar Search - res://C:\Archivos de programa\ToolBar888\MyToolBar.dll/MENUSEARCH.HTM
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Archivos de programa\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\ARCHIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Archivos de programa\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Archivos de programa\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Archivos de programa\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Consola de Sun Java - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Archivos de programa\Yahoo!\Common\yiesrvc.dll (file missing)
O9 - Extra button: Referencia - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARCHIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.symantec.com/techsupp/as...rl/LSSupCtl.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {42F2C9BA-614F-47C0-B3E3-ECFD34EED658} - http://promo.dollarrevenue.com/activex/pro...432322D2D2D.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by116fd.bay116.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {7DFDB8FD-B498-4958-B930-38021B94351D} (imlUCID Class) - http://imlive.com/chatsource/ImlCID.cab
O16 - DPF: {B9A296D4-38AC-4566-8168-F7ACAF7D35E6} (Eyeball Video Session Control) - http://imlive.com/ChatSource/gVideoContol.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/as...rl/SymAData.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{144EAFA7-3EEB-4F5F-ADA0-F097E6C06CC7}: NameServer = 80.58.0.33,80.58.32.97
O17 - HKLM\System\CS1\Services\Tcpip\..\{144EAFA7-3EEB-4F5F-ADA0-F097E6C06CC7}: NameServer = 80.58.0.33,80.58.32.97
O17 - HKLM\System\CS2\Services\Tcpip\..\{144EAFA7-3EEB-4F5F-ADA0-F097E6C06CC7}: NameServer = 80.58.0.33,80.58.32.97
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\ARCHIV~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - AppInit_DLLs: C:\windows\system32\userinit.dll
O20 - Winlogon Notify: WindowsUpdate - C:\windows\system32\i8420ihoe84c0.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Archivos de programa\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Archivos de programa\Archivos comunes\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Archivos de programa\Archivos comunes\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Archivos de programa\Archivos comunes\Symantec Shared\ccSetMgr.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\windows\Q0FMRVJP\command.exe (file missing)
O23 - Service: LiveUpdate - Symantec Corporation - C:\ARCHIV~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Servicio Auto-Protect de Norton AntiVirus (navapsvc) - Symantec Corporation - C:\Archivos de programa\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Archivos de programa\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Archivos de programa\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\ARCHIV~1\ARCHIV~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Archivos de programa\Archivos comunes\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Archivos de programa\Archivos comunes\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Archivos de programa\Archivos comunes\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZONELABS\vsmon.exe
O23 - Service: WinFax PRO (wfxsvc) - Symantec Corporation - C:\WINDOWS\system32\WFXSVC.EXE


#2 -David-

  • Members
  • 10,603 posts
  • Gender:Male
  • Location:London

Posted 16 June 2006 - 12:46 PM

Hello there, and welcome to BleepingComputer.
Sorry for the delay in getting back to you.

Generate an Uninstall List
  • Open HijackThis
  • Click on Open Misc Tools Section
  • Click on Open Uninstall Manager
  • Click on Save list
  • Save it to your Desktop
Please download Look2Me-Destroyer.exe to your desktop.
  • Close all windows before continuing.
  • Double-click Look2Me-Destroyer.exe to run it.
  • Put a check next to Run this program as a task.
  • You will receive a message saying Look2Me-Destroyer will close and re-open in approximately 10 seconds. Click OK
  • When Look2Me-Destroyer re-opens, click the Scan for L2M button, your desktop icons will disappear, this is normal.
  • Once it's done scanning, click the Remove L2M button.
  • You will receive a Done Scanning message, click OK.
  • When completed, you will receive this message: Done removing infected files! Look2Me-Destroyer will now shutdown your computer, click OK.
  • Your computer will then shutdown.
  • Turn your computer back on.
  • Please post the contents of C:\Look2Me-Destroyer.txt and a new HiJackThis log, along with the uninstall list.
If Look2Me-Destroyer does not reopen automatically, reboot and try again.
If you receive a message from your firewall about this program accessing the internet please allow it.

David

#3 Guest_BLEEP my computer (2)_*

  • Guests

Posted 17 June 2006 - 05:38 AM

Hey D-trojanator-

I did what you asked. My original screen name was "BLEEP my computer" but I had to change it to BLEEP my computer (2) because after I restarted my computer after running through the steps you asked, I had to re-log in to the site and... for the life of me, couldn't remember my login name... I was in quite a hurry when I registered for this site last week.

Anyway, I ran the L2M destroyer etc. and here are my new logs... could we continue in this thread now? (I've written down my login name and password.)

THANK YOU SOOOOO MUCH :thumbsup:


Look2Me-Destroyer V1.0.12

Scanning for infected files.....
Scan started at 17/06/2006 11:22:25

Infected! C:\windows\system32\q4rq0e95eh.dll
Infected! C:\WINDOWS\system32\mybsync.dll
Infected! C:\WINDOWS\system32\fp0203doe.dll
Infected! C:\WINDOWS\system32\enpul1791.dll
Infected! C:\WINDOWS\system32\gsu32.dll
Infected! C:\WINDOWS\system32\q4rq0e95eh.dll

Attempting to delete infected files...

Attempting to delete: C:\windows\system32\q4rq0e95eh.dll
C:\windows\system32\q4rq0e95eh.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\mybsync.dll
C:\WINDOWS\system32\mybsync.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\fp0203doe.dll
C:\WINDOWS\system32\fp0203doe.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\enpul1791.dll
C:\WINDOWS\system32\enpul1791.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\gsu32.dll
C:\WINDOWS\system32\gsu32.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\q4rq0e95eh.dll
C:\WINDOWS\system32\q4rq0e95eh.dll Deleted successfully!

Making registry repairs.

Removing: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Explorer

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{75BA79BE-9DA7-4D47-8B7F-B8EE4011C7D8}"
HKCR\Clsid\{75BA79BE-9DA7-4D47-8B7F-B8EE4011C7D8}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{E62DBEFA-27A2-4EFF-A6FE-0E1829B791FE}"
HKCR\Clsid\{E62DBEFA-27A2-4EFF-A6FE-0E1829B791FE}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{025069EF-B2F5-417E-922A-24A9AC6DE2BD}"
HKCR\Clsid\{025069EF-B2F5-417E-922A-24A9AC6DE2BD}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{E9A475FA-3C06-47D7-B4B1-8718981B94FB}"
HKCR\Clsid\{E9A475FA-3C06-47D7-B4B1-8718981B94FB}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{0EF6E2F3-474A-4B1A-A914-E7B721562E80}"
HKCR\Clsid\{0EF6E2F3-474A-4B1A-A914-E7B721562E80}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{CAC56165-7817-4BC3-AC28-966B3B2AFE19}"
HKCR\Clsid\{CAC56165-7817-4BC3-AC28-966B3B2AFE19}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{E6876E39-A3DA-4F4B-809A-2E6DA837F814}"
HKCR\Clsid\{E6876E39-A3DA-4F4B-809A-2E6DA837F814}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{AE7DE0AA-3192-4731-9B39-725327B9B4CA}"
HKCR\Clsid\{AE7DE0AA-3192-4731-9B39-725327B9B4CA}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{F39D3A84-C8EE-4157-9A7F-9EA3750D61BC}"
HKCR\Clsid\{F39D3A84-C8EE-4157-9A7F-9EA3750D61BC}

Restoring Windows certificates.

Replaced hosts file with default windows hosts file


Restoring SeDebugPrivilege for Administradores - Succeeded

--------------------------

Logfile of HijackThis v1.99.1
Scan saved at 12:01:23, on 17/06/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\windows\System32\smss.exe
C:\windows\system32\winlogon.exe
C:\windows\system32\services.exe
C:\windows\system32\lsass.exe
C:\windows\system32\svchost.exe
C:\windows\System32\svchost.exe
C:\Archivos de programa\Archivos comunes\Symantec Shared\ccSetMgr.exe
C:\Archivos de programa\Archivos comunes\Symantec Shared\SNDSrvc.exe
C:\Archivos de programa\Archivos comunes\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Archivos de programa\Archivos comunes\Symantec Shared\ccEvtMgr.exe
C:\windows\system32\spoolsv.exe
C:\windows\Explorer.EXE
C:\windows\system32\wfxsnt40.exe
C:\Archivos de programa\Java\jre1.5.0_06\bin\jusched.exe
C:\Archivos de programa\Archivos comunes\Logitech\QCDriver\LVCOMS.EXE
C:\Archivos de programa\DIGStream\digstream.exe
C:\Archivos de programa\HP\HP Software Update\HPWuSchd2.exe
C:\Archivos de programa\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\windows\system32\drivers\helpsys\msnexplorer.exe
C:\windows\system32\drivers\helpsys\iexplorer.exe
C:\Archivos de programa\ipwins\ipwins.exe
C:\Archivos de programa\Archivos comunes\Symantec Shared\ccApp.exe
C:\mActiveX.exe
C:\Archivos de programa\Zone Labs\ZoneAlarm\zlclient.exe
C:\windows\pop06ap2.exe
C:\Program Files\Internet Optimizer\optimize.exe
C:\Archivos de programa\QuickTime\qttask.exe
C:\windows\system32\ctfmon.exe
C:\Documents and Settings\user1\Mis documentos\?ssembly\c?rss.exe
C:\Archivos de programa\Symantec\WinFax\WFXCTL32.EXE
C:\Archivos de programa\Telefonica\Kit ADSL USB\DSLMON.exe
C:\Archivos de programa\HP\Digital Imaging\bin\hpqtra08.exe
C:\Archivos de programa\D-Link AirPlus Xtreme G\AirPlus.exe
C:\Archivos de programa\TClock\TClock.exe
C:\Archivos de programa\Norton AntiVirus\navapsvc.exe
C:\Archivos de programa\Windows Media Player\npdsplay.exe
C:\Archivos de programa\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Archivos de programa\Norton AntiVirus\IWP\NPFMntor.exe
C:\windows\system32\svchost.exe
C:\Archivos de programa\Archivos comunes\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\ZONELABS\vsmon.exe
C:\Archivos de programa\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\WINDOWS\system32\WFXSVC.EXE
C:\Archivos de programa\Symantec\WinFax\WFXMOD32.EXE
C:\Archivos de programa\Messenger\msmsgs.exe
C:\windows\system32\NOTEPAD.EXE
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
F2 - REG:system.ini: Shell=Explorer.exe, C:\windows\system32\iyxeh.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,sufhssb.exe
O3 - Toolbar: BitComet Toolbar - {2E608F70-C430-4bc5-96F6-608E02EBA5B2} - C:\Archivos de programa\BitComet Toolbar\v2.0.0.1\BitComet_Toolbar.dll (file missing)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Archivos de programa\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Archivos de programa\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Archivos de programa\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [LVCOMS] C:\Archivos de programa\Archivos comunes\Logitech\QCDriver\LVCOMS.EXE
O4 - HKLM\..\Run: [DIGStream] C:\Archivos de programa\DIGStream\digstream.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Archivos de programa\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Evidence Eliminator] C:\Archivos de programa\Evidence Eliminator\ee.exe /m
O4 - HKLM\..\Run: [MSN Explorer] C:\windows\system32\drivers\helpsys\msnexplorer.exe
O4 - HKLM\..\Run: [Intranet Explorer] C:\windows\system32\drivers\helpsys\iexplorer.exe
O4 - HKLM\..\Run: [IpWins] C:\Archivos de programa\ipwins\ipwins.exe
O4 - HKLM\..\Run: [keyboard] C:\\keyboard25.exe
O4 - HKLM\..\Run: [defender] C:\\defender25.exe
O4 - HKLM\..\Run: [ccApp] "C:\Archivos de programa\Archivos comunes\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\ARCHIV~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [newname] C:\\newname25.exe
O4 - HKLM\..\Run: [Win643] C:\mActiveX.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Archivos de programa\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [pop06ap] C:\windows\pop06ap2.exe
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Archivos de programa\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\windows\system32\ctfmon.exe
O4 - HKCU\..\Run: [Evidence Eliminator] C:\Archivos de programa\Evidence Eliminator\ee.exe /m
O4 - HKCU\..\Run: [MSN Explorer] C:\windows\system32\drivers\helpsys\msnexplorer.exe
O4 - HKCU\..\Run: [Intranet Explorer] C:\windows\system32\drivers\helpsys\iexplorer.exe
O4 - HKCU\..\Run: [TClock.exe] C:\Archivos de programa\TClock\tclock_install.exe
O4 - HKCU\..\Run: [Wsdgg] C:\Documents and Settings\user1\Mis documentos\?ssembly\c?rss.exe
O4 - HKCU\..\Run: [rwkk] C:\ARCHIV~1\ARCHIV~1\rwkk\rwkkm.exe
O4 - Global Startup: Desktop Manager.lnk = C:\Archivos de programa\Research In Motion\BlackBerry\DesktopMgr.exe
O4 - Global Startup: Controller.LNK = C:\Archivos de programa\Symantec\WinFax\WFXCTL32.EXE
O4 - Global Startup: Consola KIT ADSL.lnk = C:\Archivos de programa\Telefonica\Kit ADSL USB\DSLMON.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Archivos de programa\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Archivos de programa\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: ACS.lnk = ?
O4 - Global Startup: D-Link AirPlus Xtreme G Configuration Utility.lnk = ?
O4 - Global Startup: D-Link REG Utility.lnk = ?
O8 - Extra context menu item: &MyToolBar Search - res://C:\Archivos de programa\ToolBar888\MyToolBar.dll/MENUSEARCH.HTM
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Archivos de programa\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\ARCHIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Archivos de programa\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Archivos de programa\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Archivos de programa\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Consola de Sun Java - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\windows\system32\dmonwv.dll
O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\windows\system32\dmonwv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Archivos de programa\Yahoo!\Common\yiesrvc.dll (file missing)
O9 - Extra button: Referencia - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARCHIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O15 - Trusted Zone: *.media-motor.net
O15 - Trusted Zone: *.mmohsix.com
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.symantec.com/techsupp/as...rl/LSSupCtl.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {42F2C9BA-614F-47C0-B3E3-ECFD34EED658} - http://promo.dollarrevenue.com/activex/pro...432322D2D2D.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by116fd.bay116.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {5526B4C6-63D6-41A1-9783-0FABF529859A} (mm06ocx.mm06ocxf) - http://cabs.media-motor.net/cabs/joysaver.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {7DFDB8FD-B498-4958-B930-38021B94351D} (imlUCID Class) - http://imlive.com/chatsource/ImlCID.cab
O16 - DPF: {B9A296D4-38AC-4566-8168-F7ACAF7D35E6} (Eyeball Video Session Control) - http://imlive.com/ChatSource/gVideoContol.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/as...rl/SymAData.cab
O16 - DPF: {E055C02E-6258-40FF-80A7-3BDA52FACAD7} (Installer Class) - http://activex.matcash.com/speedtest2.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{144EAFA7-3EEB-4F5F-ADA0-F097E6C06CC7}: NameServer = 80.58.0.33,80.58.32.97
O17 - HKLM\System\CS1\Services\Tcpip\..\{144EAFA7-3EEB-4F5F-ADA0-F097E6C06CC7}: NameServer = 80.58.0.33,80.58.32.97
O17 - HKLM\System\CS2\Services\Tcpip\..\{144EAFA7-3EEB-4F5F-ADA0-F097E6C06CC7}: NameServer = 80.58.0.33,80.58.32.97
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\ARCHIV~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - AppInit_DLLs: C:\windows\system32\userinit.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Archivos de programa\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Archivos de programa\Archivos comunes\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Archivos de programa\Archivos comunes\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Archivos de programa\Archivos comunes\Symantec Shared\ccSetMgr.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\windows\Q0FMRVJP\command.exe (file missing)
O23 - Service: LiveUpdate - Symantec Corporation - C:\ARCHIV~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Servicio Auto-Protect de Norton AntiVirus (navapsvc) - Symantec Corporation - C:\Archivos de programa\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Archivos de programa\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Archivos de programa\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\ARCHIV~1\ARCHIV~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Archivos de programa\Archivos comunes\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Archivos de programa\Archivos comunes\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Archivos de programa\Archivos comunes\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZONELABS\vsmon.exe
O23 - Service: WinFax PRO (wfxsvc) - Symantec Corporation - C:\WINDOWS\system32\WFXSVC.EXE

-------------------

ACT!
Actualización de seguridad para Windows XP (KB883939)
Actualización de seguridad para Windows XP (KB890046)
Actualización de seguridad para Windows XP (KB893756)
Actualización de seguridad para Windows XP (KB896358)
Actualización de seguridad para Windows XP (KB896422)
Actualización de seguridad para Windows XP (KB896423)
Actualización de seguridad para Windows XP (KB896424)
Actualización de seguridad para Windows XP (KB896428)
Actualización de seguridad para Windows XP (KB896688)
Actualización de seguridad para Windows XP (KB899587)
Actualización de seguridad para Windows XP (KB899588)
Actualización de seguridad para Windows XP (KB899589)
Actualización de seguridad para Windows XP (KB899591)
Actualización de seguridad para Windows XP (KB900725)
Actualización de seguridad para Windows XP (KB901017)
Actualización de seguridad para Windows XP (KB901214)
Actualización de seguridad para Windows XP (KB902400)
Actualización de seguridad para Windows XP (KB903235)
Actualización de seguridad para Windows XP (KB904706)
Actualización de seguridad para Windows XP (KB905414)
Actualización de seguridad para Windows XP (KB905749)
Actualización de seguridad para Windows XP (KB905915)
Actualización para Windows XP (KB894391)
Actualización para Windows XP (KB896727)
Actualización para Windows XP (KB898461)
Actualización para Windows XP (KB910437)
Ad-aware 6 Professional
Adobe Download Manager 2.0 (solo quitar)
Adobe Reader 7.0
a-squared Free 1.6.5
BitComet 0.60
BitComet Toolbar
BlackBerry Desktop Software 4.0
BlackBerry Desktop Software 4.0
ccCommon
DivX
DivX Player
D-Link AirPlus Xtreme G Adapter
ESPNMotion
FinePixViewer Ver.4.2
FUJIFILM USB Driver
HijackThis 1.99.1
HP Deskjet 3900 series
HP Extended Capabilities 5.0
HP Image Zone Express
HP Imaging Device Functions 5.0
HP Software Update
HP Solution Center & Imaging Support Tools 5.0
ImageMixer VCD2 for FinePix
Internet Worm Protection
IpWins
J2SE Runtime Environment 5.0 Update 2
J2SE Runtime Environment 5.0 Update 6
Java 2 Runtime Environment, SE v1.4.2_07
Kazaa Lite Resurrection 0.0.7.6 F
KazaaBegone 1.25
Kit ADSL USB
Labtec WebCam
LiveAdvisor (Symantec Corporation)
LiveReg (Symantec Corporation)
LiveUpdate 3.0 (Symantec Corporation)
Macromedia Flash Player 8
Media-motor
Microsoft Office Standard Edition 2003
Microsoft Office Standard Edition 2003
MicroStaff WINASPI
Mozilla Firefox (1.5.0.4)
MSN Messenger 7.5
Norton AntiVirus 2005
Norton AntiVirus 2005 (Symantec Corporation)
Norton AntiVirus Help
Norton AntiVirus Parent MSI
Norton AntiVirus SYMLT MSI
Norton WMI Update
RAW FILE CONVERTER LE
Revisión de Windows XP - KB834707
Revisión de Windows XP - KB867282
Revisión de Windows XP - KB873333
Revisión de Windows XP - KB873339
Revisión de Windows XP - KB885250
Revisión de Windows XP - KB885835
Revisión de Windows XP - KB885836
Revisión de Windows XP - KB886185
Revisión de Windows XP - KB887472
Revisión de Windows XP - KB887742
Revisión de Windows XP - KB888113
Revisión de Windows XP - KB888302
Revisión de Windows XP - KB890047
Revisión de Windows XP - KB890175
Revisión de Windows XP - KB890859
Revisión de Windows XP - KB890923
Revisión de Windows XP - KB891781
Revisión de Windows XP - KB893066
Revisión de Windows XP - KB893086
SPBBC
Spybot - Search & Destroy 1.2
Symantec
Symantec Script Blocking Installer
Symantec WinFax PRO 10.0
SymNet
TeamSpeak 2 RC2
ToolBar888
Web Nexus Network
Windows Installer 3.1 (KB893803)
Windows Installer 3.1 (KB893803)
Windows Installer Clean Up
Yahoo! extras
Yazzle by OIN
ZoneAlarm

#4 -David-

  • Members
  • 10,603 posts
  • Gender:Male
  • Location:London

Posted 17 June 2006 - 10:55 AM

Hi there.

I've merged the topics together so we can keep everything organised. Please try and reply in this thread from now on. It is a good idea to print off these instructions - they will be needed later when internet access is not available. You may also like to save these instructions in word/notepad to the desktop where they can be easily found for the same reasons as above. It is important that you complete the following instructions in the correct order, and also that you don't miss anything out! :thumbsup:

Click on start, then control panel, and then double-click on add/remove programs. From within add/remove program uninstall the following if they exist by double-clicking on the following entries:

IpWins
Media-motor
ToolBar888
Web Nexus Network
Yazzle by OIN


* Please download Ewido anti-malware; it is a free version of the program.
  • Install ewido security suite
  • When installing, under "Additional Options" uncheck..
    • Install background guard
    • Install scan via context menu
  • Launch ewido by double-clicking on the icon on your desktop.
  • The program will now open to the main screen.
  • When you run ewido for the first time, you may get a warning "Database could not be found!". Click OK. We will fix this in a moment.
  • You will need to update ewido to the latest definition files.
    • On the left hand side of the main screen click update.
    • Then click on Start Update.
  • The update will start and a progress bar will show the updates being installed.
    (the status bar at the bottom will display "Update successful")
If you are having problems with the updater, you can use this link to manually update ewido.
ewido manual updates
Don't run it yet.

Download Brute Force Uninstaller to your C:\
  • Unzip it to a folder of its own (C:\BFU). So BFU should be on your root. In most cases this is C:\
  • Download qoofix.bat (right-click on this link and choose save as)
  • Place qoofix.bat in your C:\BFU - folder. (Important!)
  • Double-click qooFix.bat, close all browsers and explorer folders.
  • Choose option 1 (Qoolfix autofix) and follow the prompts.
  • Please be patient, it will take about five minutes.
Reboot into SAFE MODE
By pressing the F8 key right when Windows starts, usually right after you hear your computer
beep when you reboot it (some versions of windows will display 'Starting Windows' with a grey progress bar)
you will be brought to a menu where you can choose to boot into safe mode.

*Now start a new scan with HJT and place a checkmark next to each of the following items (if present):

R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
F2 - REG:system.ini: Shell=Explorer.exe, C:\windows\system32\iyxeh.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,sufhssb.exe
O4 - HKLM\..\Run: [MSN Explorer] C:\windows\system32\drivers\helpsys\msnexplorer.exe
O4 - HKLM\..\Run: [Intranet Explorer] C:\windows\system32\drivers\helpsys\iexplorer.exe
O4 - HKLM\..\Run: [IpWins] C:\Archivos de programa\ipwins\ipwins.exe
O4 - HKLM\..\Run: [keyboard] C:\\keyboard25.exe
O4 - HKLM\..\Run: [defender] C:\\defender25.exe
O4 - HKLM\..\Run: [newname] C:\\newname25.exe
O4 - HKLM\..\Run: [Win643] C:\mActiveX.exe
O4 - HKLM\..\Run: [pop06ap] C:\windows\pop06ap2.exe
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKCU\..\Run: [MSN Explorer] C:\windows\system32\drivers\helpsys\msnexplorer.exe
O4 - HKCU\..\Run: [Intranet Explorer] C:\windows\system32\drivers\helpsys\iexplorer.exe
O4 - HKCU\..\Run: [Wsdgg] C:\Documents and Settings\user1\Mis documentos\?ssembly\c?rss.exe
O4 - HKCU\..\Run: [rwkk] C:\ARCHIV~1\ARCHIV~1\rwkk\rwkkm.exe
O8 - Extra context menu item: &MyToolBar Search - res://C:\Archivos de programa\ToolBar888\MyToolBar.dll/MENUSEARCH.HTM
O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\windows\system32\dmonwv.dll
O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\windows\system32\dmonwv.dll
O15 - Trusted Zone: *.media-motor.net
O15 - Trusted Zone: *.mmohsix.com
O16 - DPF: {42F2C9BA-614F-47C0-B3E3-ECFD34EED658} - http://promo.dollarrevenue.com/activex/pro...432322D2D2D.exe
O16 - DPF: {5526B4C6-63D6-41A1-9783-0FABF529859A} (mm06ocx.mm06ocxf) - http://cabs.media-motor.net/cabs/joysaver.cab
O20 - AppInit_DLLs: C:\windows\system32\userinit.dll
O23 - Service: Command Service (cmdService) - Unknown owner - C:\windows\Q0FMRVJP\command.exe (file missing)


* Make sure your Internet Explorer is closed and click on "Fix Checked" and exit HijackThis when finished.

* Using Windows Explorer, locate the following files/folders, and delete them if still present:

C:\windows\system32\iyxeh.exe <--file
C:\windows\system32\sufhssb.exe <--file
C:\windows\system32\drivers\helpsys\msnexplorer.exe <--file
C:\windows\system32\drivers\helpsys\iexplorer.exe <--file
C:\Archivos de programa\ipwins <--folder
C:\keyboard25.exe <--file
C:\defender25.exe <--file
C:\newname25.exe <--file
C:\mActiveX.exe <--file
C:\windows\pop06ap2.exe <--file
C:\Program Files\Internet Optimizer <--folder
C:\Documents and Settings\user1\Mis documentos\?ssembly <--folder
^^ Above folder will have a letter replacing the ? and will contain "csrss.exe"
C:\Archivos de programa\ARCHIV~1\rwkk <--folder
C:\Archivos de programa\ToolBar888 <--folder
C:\windows\system32\dmonwv.dll <--file
C:\windows\system32\userinit.dll <--file

* Open Ewido anti-malware
Click on scanner
  • Click Complete System Scan and the scan will begin.
  • During the scan it will prompt you to clean files, click OK
  • When the scan is finished, look at the bottom of the screen and click the Save report button.
  • Save the report to your desktop
Close Ewido

* Please reboot back to normal mode and post a new Hijackthis log and the ewido log.
David
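A small triage script, added here as an example (it is not part of David's instructions, of HijackThis, or of any tool named in this thread), that applies the same indicators he used when picking the entries above to HijackThis log lines copied from this thread: extra programs on the system.ini Shell/UserInit values, Run entries launched from the drive root or from system32\drivers, Trusted Zone wildcards, AppInit_DLLs, and services whose binary is missing. The rules are constructed heuristics; a line they do not flag still needs a human reviewer.

```python
"""Triage HijackThis log lines with the indicators used in the post above.

Added example, not part of the thread or of HijackThis. The rules below are
constructed heuristics that encode only what was acted on in the post:
  - F2 system.ini Shell/UserInit values carrying an extra program,
  - O4 Run entries launched from the drive root or from system32\\drivers,
  - O15 Trusted Zone wildcards, O20 AppInit_DLLs,
  - O23 services whose binary is missing.
Anything they do not flag still needs a human reviewer.
"""
import re
from typing import List, Tuple

# Sample input: lines copied from the HijackThis log in this thread (raw
# strings, so the Windows backslashes are kept exactly as logged).
SAMPLE_LOG = [
    r"R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/",
    r"F2 - REG:system.ini: Shell=Explorer.exe, C:\windows\system32\iyxeh.exe",
    r"F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,sufhssb.exe",
    r"O4 - HKLM\..\Run: [MSN Explorer] C:\windows\system32\drivers\helpsys\msnexplorer.exe",
    r"O4 - HKLM\..\Run: [keyboard] C:\\keyboard25.exe",
    r'O4 - HKLM\..\Run: [ccApp] "C:\Archivos de programa\Archivos comunes\Symantec Shared\ccApp.exe"',
    r"O15 - Trusted Zone: *.media-motor.net",
    r"O20 - AppInit_DLLs: C:\windows\system32\userinit.dll",
    r"O23 - Service: Command Service (cmdService) - Unknown owner - C:\windows\Q0FMRVJP\command.exe (file missing)",
    r"O23 - Service: LiveUpdate - Symantec Corporation - C:\ARCHIV~1\Symantec\LIVEUP~1\LUCOMS~1.EXE",
]

F2_RE = re.compile(r"F2 - REG:system\.ini: (Shell|UserInit)=(.*)")
O4_RE = re.compile(r"O4 - (HKLM|HKCU)\\\.\.\\Run: \[(.*?)\] (.*)")
O15_RE = re.compile(r"O15 - Trusted Zone: (.*)")
O20_RE = re.compile(r"O20 - AppInit_DLLs: (.*)")
O23_RE = re.compile(r"O23 - Service: (.*?) - (.*?) - (.*)")
# An executable sitting directly in the drive root, e.g. C:\foo.exe or C:\\foo.exe
ROOT_EXE_RE = re.compile(r"^[a-z]:\\+[^\\]+\.exe$")


def triage_line(line: str) -> Tuple[bool, str]:
    """Return (suspicious, reason) for one HijackThis log line."""
    line = line.strip()

    m = F2_RE.match(line)
    if m:
        key, value = m.groups()
        # A clean XP box has Shell=Explorer.exe and UserInit=...\userinit.exe,
        # (note the trailing comma); any further comma-separated program is a
        # logon hijack that runs before the desktop appears.
        programs = [p.strip() for p in value.split(",") if p.strip()]
        if len(programs) > 1:
            return True, f"{key} launches extra program(s): {programs[1:]}"
        return False, ""

    m = O4_RE.match(line)
    if m:
        name, target = m.group(2), m.group(3).strip().lstrip('"')
        low = target.lower()
        # Droppers that write straight to C:\ (the log shows C:\\ for those).
        if ROOT_EXE_RE.match(low):
            return True, f"Run entry [{name}] launches from the drive root: {target}"
        # system32\drivers holds drivers, not programs a Run key should start.
        if "\\system32\\drivers\\" in low:
            return True, f"Run entry [{name}] launches from system32\\drivers: {target}"
        return False, ""

    m = O15_RE.match(line)
    if m:
        return True, f"Trusted Zone lowers IE security for {m.group(1)}"

    m = O20_RE.match(line)
    if m:
        return True, f"AppInit_DLLs loads {m.group(1)} into every user32 process"

    m = O23_RE.match(line)
    if m and "(file missing)" in m.group(3):
        return True, f"service '{m.group(1)}' points at a missing binary: {m.group(3)}"

    return False, ""


def triage_log(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (line, reason) pairs for every line the heuristics flag."""
    hits = []
    for raw in lines:
        suspicious, reason = triage_line(raw)
        if suspicious:
            hits.append((raw.strip(), reason))
    return hits


if __name__ == "__main__":
    # Run over the constructed sample: flags 7 of the 10 lines.
    for entry, why in triage_log(SAMPLE_LOG):
        print(f"{why}\n    {entry}")
```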

#5 Guest_BLEEP my computer (2)_*

  • Guests

Posted 18 June 2006 - 02:39 AM

Hey David-

I logged in as usual and clicked on "my topics" and went to the new combined thread and followed all the steps. When I tried to reply with my HJT and Ewido logs I was told that I cannot reply to this log because the topic was created by another user, and I am not an administrator blah blah blah... Maybe when you merged the two topics it was listed that you created the thread??? just a guess.

Anyway, here is my HJT log below. I also ran ewido in safe mode and it found over 230 malware files and I deleted them all. I am 99% sure I saved the log properly to my desktop when Ewido was finished, but when I restarted my computer in normal mode I couldn't for the life of me find the ewido log anywhere. Hopefully we can still move forward with the HJT log... or do I have to re-run ewido in safe mode and post you a log?

THANK YOU THANK YOU.

Logfile of HijackThis v1.99.1
Scan saved at 9:08:26, on 18/06/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\windows\System32\smss.exe
C:\windows\system32\winlogon.exe
C:\windows\system32\services.exe
C:\windows\system32\lsass.exe
C:\windows\system32\svchost.exe
C:\windows\System32\svchost.exe
C:\Archivos de programa\Archivos comunes\Symantec Shared\ccSetMgr.exe
C:\Archivos de programa\Archivos comunes\Symantec Shared\SNDSrvc.exe
C:\Archivos de programa\Archivos comunes\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Archivos de programa\Archivos comunes\Symantec Shared\ccEvtMgr.exe
C:\windows\system32\spoolsv.exe
C:\windows\Explorer.EXE
C:\windows\system32\wfxsnt40.exe
C:\Archivos de programa\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Archivos de programa\Java\jre1.5.0_06\bin\jusched.exe
C:\Archivos de programa\Archivos comunes\Logitech\QCDriver\LVCOMS.EXE
C:\Archivos de programa\HP\HP Software Update\HPWuSchd2.exe
C:\Archivos de programa\Archivos comunes\Symantec Shared\ccApp.exe
C:\Archivos de programa\Zone Labs\ZoneAlarm\zlclient.exe
C:\Archivos de programa\QuickTime\qttask.exe
C:\Archivos de programa\ewido anti-malware\ewidoctrl.exe
C:\windows\system32\ctfmon.exe
C:\windows\system32\drivers\helpsys\iexplorer.exe
C:\Archivos de programa\Symantec\WinFax\WFXCTL32.EXE
C:\Archivos de programa\Telefonica\Kit ADSL USB\DSLMON.exe
C:\Archivos de programa\HP\Digital Imaging\bin\hpqtra08.exe
C:\Archivos de programa\Norton AntiVirus\navapsvc.exe
C:\Archivos de programa\D-Link AirPlus Xtreme G\AirPlus.exe
C:\Archivos de programa\Norton AntiVirus\IWP\NPFMntor.exe
C:\Archivos de programa\TClock\TClock.exe
C:\windows\system32\svchost.exe
C:\Archivos de programa\Archivos comunes\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Archivos de programa\BitComet\ReadMe.exe
C:\WINDOWS\system32\ZONELABS\vsmon.exe
C:\WINDOWS\system32\WFXSVC.EXE
C:\Archivos de programa\Symantec\WinFax\WFXMOD32.EXE
C:\Archivos de programa\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Archivos de programa\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\Archivos de programa\Internet Explorer\iexplore.exe
C:\Archivos de programa\Messenger\msmsgs.exe
C:\Archivos de programa\MSN Messenger\msnmsgr.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
F2 - REG:system.ini: Shell=Explorer.exe, C:\windows\system32\iyxeh.exe
F2 - REG:system.ini: UserInit=C:\windows\SYSTEM32\Userinit.exe,sufhssb.exe
O3 - Toolbar: BitComet Toolbar - {2E608F70-C430-4bc5-96F6-608E02EBA5B2} - C:\Archivos de programa\BitComet Toolbar\v2.0.0.1\BitComet_Toolbar.dll (file missing)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Archivos de programa\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Archivos de programa\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Archivos de programa\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [LVCOMS] C:\Archivos de programa\Archivos comunes\Logitech\QCDriver\LVCOMS.EXE
O4 - HKLM\..\Run: [DIGStream] C:\Archivos de programa\DIGStream\digstream.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Archivos de programa\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Evidence Eliminator] C:\Archivos de programa\Evidence Eliminator\ee.exe /m
O4 - HKLM\..\Run: [ccApp] "C:\Archivos de programa\Archivos comunes\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\ARCHIV~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [Win643] C:\mActiveX.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Archivos de programa\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Archivos de programa\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Intranet Explorer] C:\windows\system32\drivers\helpsys\iexplorer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\windows\system32\ctfmon.exe
O4 - HKCU\..\Run: [Evidence Eliminator] C:\Archivos de programa\Evidence Eliminator\ee.exe /m
O4 - HKCU\..\Run: [MSN Explorer] C:\windows\system32\drivers\helpsys\msnexplorer.exe
O4 - HKCU\..\Run: [Intranet Explorer] C:\windows\system32\drivers\helpsys\iexplorer.exe
O4 - HKCU\..\Run: [TClock.exe] C:\Archivos de programa\TClock\tclock_install.exe
O4 - HKCU\..\Run: [Wsdgg] C:\Documents and Settings\user1\Mis documentos\?ssembly\c?rss.exe
O4 - HKCU\..\Run: [rwkk] C:\ARCHIV~1\ARCHIV~1\rwkk\rwkkm.exe
O4 - Global Startup: Desktop Manager.lnk = C:\Archivos de programa\Research In Motion\BlackBerry\DesktopMgr.exe
O4 - Global Startup: Controller.LNK = C:\Archivos de programa\Symantec\WinFax\WFXCTL32.EXE
O4 - Global Startup: Consola KIT ADSL.lnk = C:\Archivos de programa\Telefonica\Kit ADSL USB\DSLMON.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Archivos de programa\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Archivos de programa\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: ACS.lnk = ?
O4 - Global Startup: D-Link AirPlus Xtreme G Configuration Utility.lnk = ?
O4 - Global Startup: D-Link REG Utility.lnk = ?
O8 - Extra context menu item: &MyToolBar Search - res://C:\Archivos de programa\ToolBar888\MyToolBar.dll/MENUSEARCH.HTM
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Archivos de programa\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\ARCHIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Archivos de programa\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Archivos de programa\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Archivos de programa\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Consola de Sun Java - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Archivos de programa\Yahoo!\Common\yiesrvc.dll (file missing)
O9 - Extra button: Referencia - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARCHIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O15 - Trusted Zone: *.media-motor.net
O15 - Trusted Zone: *.mmohsix.com
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.symantec.com/techsupp/as...rl/LSSupCtl.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by116fd.bay116.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {7DFDB8FD-B498-4958-B930-38021B94351D} (imlUCID Class) - http://imlive.com/chatsource/ImlCID.cab
O16 - DPF: {B9A296D4-38AC-4566-8168-F7ACAF7D35E6} (Eyeball Video Session Control) - http://imlive.com/ChatSource/gVideoContol.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/as...rl/SymAData.cab
O16 - DPF: {E055C02E-6258-40FF-80A7-3BDA52FACAD7} (Installer Class) - http://activex.matcash.com/speedtest2.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{144EAFA7-3EEB-4F5F-ADA0-F097E6C06CC7}: NameServer = 80.58.0.33,80.58.32.97
O17 - HKLM\System\CS1\Services\Tcpip\..\{144EAFA7-3EEB-4F5F-ADA0-F097E6C06CC7}: NameServer = 80.58.0.33,80.58.32.97
O17 - HKLM\System\CS2\Services\Tcpip\..\{144EAFA7-3EEB-4F5F-ADA0-F097E6C06CC7}: NameServer = 80.58.0.33,80.58.32.97
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\ARCHIV~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Archivos de programa\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Archivos de programa\Archivos comunes\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Archivos de programa\Archivos comunes\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Archivos de programa\Archivos comunes\Symantec Shared\ccSetMgr.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\windows\Q0FMRVJP\command.exe (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Archivos de programa\ewido anti-malware\ewidoctrl.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\ARCHIV~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Servicio Auto-Protect de Norton AntiVirus (navapsvc) - Symantec Corporation - C:\Archivos de programa\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Archivos de programa\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Archivos de programa\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\ARCHIV~1\ARCHIV~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Archivos de programa\Archivos comunes\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Archivos de programa\Archivos comunes\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Archivos de programa\Archivos comunes\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZONELABS\vsmon.exe
O23 - Service: WinFax PRO (wfxsvc) - Symantec Corporation - C:\WINDOWS\system32\WFXSVC.EXE

#6 KoanYorel

    Bleepin' Conundrum

  • Members
  • 19,461 posts
  • Gender:Male
  • Location:65 miles due East of the "Logic Free Zone", in Md, USA
  • Local time:11:11 AM

Posted 18 June 2006 - 02:49 AM

Hang on.

Merging the topics of two Nicks was my error.
Admins will fix this.

sorry,
Regards
Koan

//Edit: meanwhile, I've sent a PM to the DT about this mixup.

Edited by KoanYorel, 18 June 2006 - 02:56 AM.

The only easy day was yesterday.

...some do, some don't; some will, some won't (WR)

#7 -David-

  • Members
  • 10,603 posts
  • Gender:Male
  • Location:London

Posted 18 June 2006 - 05:36 PM

Hey there, let's continue in this thread from now on using BLEEP my computer (2). You should be able to reply this way, sorry about the mixup. I've decided I want to take this log step by step instead of taking the fix all in one go - it might be slightly more time consuming but it's the best way to ensure your computer returns to how you want it. In the logs that were in the other thread, I saw remnants of an Alcra infection, so let's try and remove that now. Also, I want to run DrWeb cureit, as this program will remove the bulk of remaining malware files on your computer.

* Please download Dr Web-Cureit!
--> Save the folder to your desktop.
--> Don't run it yet.

* Download Brute Force Uninstaller.
Unzip it to a folder of its own (c:\BFU).
Read here how to unzip/extract properly:
http://metallica.geekstogo.com/xpcompressedexplanation.html
Start the Brute Force Uninstaller by double-clicking BFU.exe

Next to the 'scriptfile to execute'-window you'll see a little icon.
When you click that icon, a little window will open that says: 'Please enter the full URL to the script you want to execute'
In the field, copy and paste next URL:

http://metallica.geekstogo.com/alcanshorty.bfu

Click Ok.
Then click execute in Brute Force Uninstaller.

Extra note:
If nothing happens after pressing the Execute button, this means that the script didn't download. In that case, download the script ( alcanshorty.bfu ) manually from the above url ( right-click on it and choose 'save as' and save it in your BFU-folder). Then start BFU.exe again and click the browse button next to the 'scriptfile to execute'-window
Browse to the script you downloaded and Click Ok and Execute in Brute Force Uninstaller.


Wait for the complete script execution box to popup and press OK.
Press exit to terminate the BFU program.

* Download Combofix to your desktop.
Doubleclick combo.exe
Follow the prompts.
Don't click on the window while the fix is running, because that will cause your system to hang.
When finished, it should produce a log, combofix.txt.

* Reboot into SAFE MODE
By pressing the F8 key right when Windows starts, usually right after you hear your computer
beep when you reboot it (some versions of windows will display 'Starting Windows' with a grey progress bar)
you will be brought to a menu where you can choose to boot into safe mode.
If it does not work on the first try, reboot and try again, as you have to be quick when you press it.

* Run Dr Web-Cureit!
--> Double-click the "drweb-cureit.exe" and click "ok" in the prompt window that will open, asking "start the express scan now".
--> It will first make a quick scan of your system, let it clean what it finds, and when it says "done" in the lower left corner click on all your drives.
--> A red dot will mark the selected drive(s). Then hit the pedestrian who now has turned green.
--> Click on the green man in the right corner, it will scan ALL your drives, hit yes to all.
--> Click 'Yes to all' if it asks if you want to cure/move the file.
--> When the scan has finished, in the menu, click file and choose save report list
--> Save the report to your desktop. The report will be called DrWeb.csv
--> Close Dr.Web Cureit.
--> Reboot your computer back to normal mode.

Post the combofix log in your next reply together with a new hijackthislog, along with the drweb cureit log. Then we can start the deletion of remaining files.
David

Edited by D-Trojanator, 18 June 2006 - 05:37 PM.


#8 BLEEP my computer
  • Topic Starter
  • Members
  • 9 posts
  • Local time:06:11 AM

Posted 19 June 2006 - 05:46 PM

Hey guys... Well I finally got back to this thread and I am on a mission to clean my laptop of all problems no matter how long it takes!!! :thumbsup: These viruses and bugs don't scare me any more! Let's kill 'em all!!!

OK I followed all the steps exactly as you told me (I SWEAR) but the combofix.txt log is nowhere to be found :flowers:

Here are my new HJT log and drweb log.

Logfile of HijackThis v1.99.1
Scan saved at 0:41:44, on 20/06/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\windows\System32\smss.exe
C:\windows\system32\winlogon.exe
C:\windows\system32\services.exe
C:\windows\system32\lsass.exe
C:\windows\system32\svchost.exe
C:\windows\System32\svchost.exe
C:\Archivos de programa\Archivos comunes\Symantec Shared\ccSetMgr.exe
C:\Archivos de programa\Archivos comunes\Symantec Shared\SNDSrvc.exe
C:\Archivos de programa\Archivos comunes\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Archivos de programa\Archivos comunes\Symantec Shared\ccEvtMgr.exe
C:\windows\system32\spoolsv.exe
C:\windows\Explorer.EXE
C:\windows\system32\wfxsnt40.exe
C:\Archivos de programa\Java\jre1.5.0_06\bin\jusched.exe
C:\Archivos de programa\Archivos comunes\Logitech\QCDriver\LVCOMS.EXE
C:\Archivos de programa\HP\HP Software Update\HPWuSchd2.exe
C:\Archivos de programa\Archivos comunes\Symantec Shared\ccApp.exe
C:\Archivos de programa\Zone Labs\ZoneAlarm\zlclient.exe
C:\Archivos de programa\QuickTime\qttask.exe
C:\windows\system32\ctfmon.exe
C:\Archivos de programa\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Archivos de programa\Research In Motion\BlackBerry\DesktopMgr.exe
C:\Archivos de programa\Symantec\WinFax\WFXCTL32.EXE
C:\Archivos de programa\Telefonica\Kit ADSL USB\DSLMON.exe
C:\Archivos de programa\HP\Digital Imaging\bin\hpqtra08.exe
C:\Archivos de programa\D-Link AirPlus Xtreme G\AirPlus.exe
C:\Archivos de programa\Archivos comunes\Research In Motion\RIMDeviceManager\RIMDeviceManager.exe
C:\Archivos de programa\TClock\TClock.exe
C:\Archivos de programa\D-Link AirPlus Xtreme G\athcfg11.exe
C:\Archivos de programa\Archivos comunes\Research In Motion\USB Drivers\BbDevMgr.exe
C:\Archivos de programa\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Archivos de programa\ewido anti-malware\ewidoctrl.exe
C:\Archivos de programa\Norton AntiVirus\navapsvc.exe
C:\Archivos de programa\Norton AntiVirus\IWP\NPFMntor.exe
C:\Archivos de programa\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\windows\system32\svchost.exe
C:\Archivos de programa\Archivos comunes\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\ZONELABS\vsmon.exe
C:\WINDOWS\system32\WFXSVC.EXE
C:\Archivos de programa\Symantec\WinFax\WFXMOD32.EXE
C:\Archivos de programa\Microsoft Office\OFFICE11\EXCEL.EXE
C:\Archivos de programa\Internet Explorer\iexplore.exe
C:\Archivos de programa\Messenger\msmsgs.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
F2 - REG:system.ini: Shell=Explorer.exe, C:\windows\system32\iyxeh.exe
F2 - REG:system.ini: UserInit=C:\windows\SYSTEM32\Userinit.exe,sufhssb.exe
O3 - Toolbar: BitComet Toolbar - {2E608F70-C430-4bc5-96F6-608E02EBA5B2} - C:\Archivos de programa\BitComet Toolbar\v2.0.0.1\BitComet_Toolbar.dll (file missing)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Archivos de programa\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Archivos de programa\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Archivos de programa\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [LVCOMS] C:\Archivos de programa\Archivos comunes\Logitech\QCDriver\LVCOMS.EXE
O4 - HKLM\..\Run: [DIGStream] C:\Archivos de programa\DIGStream\digstream.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Archivos de programa\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Evidence Eliminator] C:\Archivos de programa\Evidence Eliminator\ee.exe /m
O4 - HKLM\..\Run: [ccApp] "C:\Archivos de programa\Archivos comunes\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\ARCHIV~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [Win643] C:\mActiveX.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Archivos de programa\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Archivos de programa\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [rhlqhl] C:\windows\system32\rphain.exe reg_run
O4 - HKCU\..\Run: [ctfmon.exe] C:\windows\system32\ctfmon.exe
O4 - HKCU\..\Run: [Evidence Eliminator] C:\Archivos de programa\Evidence Eliminator\ee.exe /m
O4 - HKCU\..\Run: [MSN Explorer] C:\windows\system32\drivers\helpsys\msnexplorer.exe
O4 - HKCU\..\Run: [Intranet Explorer] C:\windows\system32\drivers\helpsys\iexplorer.exe
O4 - HKCU\..\Run: [TClock.exe] C:\Archivos de programa\TClock\tclock_install.exe
O4 - HKCU\..\Run: [Wsdgg] C:\Documents and Settings\user1\Mis documentos\?ssembly\c?rss.exe
O4 - HKCU\..\Run: [rwkk] C:\ARCHIV~1\ARCHIV~1\rwkk\rwkkm.exe
O4 - HKCU\..\Run: [nessj] C:\windows\system32\rphain.exe reg_run
O4 - Global Startup: Desktop Manager.lnk = C:\Archivos de programa\Research In Motion\BlackBerry\DesktopMgr.exe
O4 - Global Startup: Controller.LNK = C:\Archivos de programa\Symantec\WinFax\WFXCTL32.EXE
O4 - Global Startup: Consola KIT ADSL.lnk = C:\Archivos de programa\Telefonica\Kit ADSL USB\DSLMON.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Archivos de programa\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Archivos de programa\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: ACS.lnk = ?
O4 - Global Startup: D-Link AirPlus Xtreme G Configuration Utility.lnk = ?
O4 - Global Startup: D-Link REG Utility.lnk = ?
O8 - Extra context menu item: &MyToolBar Search - res://C:\Archivos de programa\ToolBar888\MyToolBar.dll/MENUSEARCH.HTM
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Archivos de programa\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\ARCHIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Archivos de programa\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Archivos de programa\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Archivos de programa\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Consola de Sun Java - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Archivos de programa\Yahoo!\Common\yiesrvc.dll (file missing)
O9 - Extra button: Referencia - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARCHIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O15 - Trusted Zone: *.media-motor.net
O15 - Trusted Zone: *.mmohsix.com
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.symantec.com/techsupp/as...rl/LSSupCtl.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by116fd.bay116.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {7DFDB8FD-B498-4958-B930-38021B94351D} (imlUCID Class) - http://imlive.com/chatsource/ImlCID.cab
O16 - DPF: {B9A296D4-38AC-4566-8168-F7ACAF7D35E6} (Eyeball Video Session Control) - http://imlive.com/ChatSource/gVideoContol.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/as...rl/SymAData.cab
O16 - DPF: {E055C02E-6258-40FF-80A7-3BDA52FACAD7} (Installer Class) - http://activex.matcash.com/speedtest2.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{144EAFA7-3EEB-4F5F-ADA0-F097E6C06CC7}: NameServer = 80.58.0.33,80.58.32.97
O17 - HKLM\System\CS1\Services\Tcpip\..\{144EAFA7-3EEB-4F5F-ADA0-F097E6C06CC7}: NameServer = 80.58.0.33,80.58.32.97
O17 - HKLM\System\CS2\Services\Tcpip\..\{144EAFA7-3EEB-4F5F-ADA0-F097E6C06CC7}: NameServer = 80.58.0.33,80.58.32.97
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\ARCHIV~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Archivos de programa\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Archivos de programa\Archivos comunes\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Archivos de programa\Archivos comunes\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Archivos de programa\Archivos comunes\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Archivos de programa\ewido anti-malware\ewidoctrl.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\ARCHIV~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Servicio Auto-Protect de Norton AntiVirus (navapsvc) - Symantec Corporation - C:\Archivos de programa\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Archivos de programa\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Archivos de programa\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\ARCHIV~1\ARCHIV~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Archivos de programa\Archivos comunes\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Archivos de programa\Archivos comunes\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Archivos de programa\Archivos comunes\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZONELABS\vsmon.exe
O23 - Service: WinFax PRO (wfxsvc) - Symantec Corporation - C:\WINDOWS\system32\WFXSVC.EXE

--------------------------

rphain.exe C:\windows\system32 Trojan.Qoologic will be cured after reboot.
iyxeh.exe C:\windows\system32 Trojan.Qoologic will be cured after reboot.
microsofts.com.exe C:\ BackDoor.Oscar Deleted.
wnvdt.dat C:\WINDOWS\system32 Trojan.Qoologic Deleted.
mc-110-12-0000193.exe C:\Documents and Settings\user1\Configuración local\Temp Trojan.DownLoader.10472 Incurable.Moved.
mc-110-12-0000193.exe C:\Documents and Settings\Administrador\DoctorWeb\Quarantine Trojan.DownLoader.10472 Incurable.Moved.
mc-110-12-0000190.exe C:\Documents and Settings\Administrador\DoctorWeb\Quarantine Trojan.DownLoader.10472 Incurable.Moved.
mc-110-12-0000191.exe C:\Documents and Settings\Administrador\DoctorWeb\Quarantine Trojan.DownLoader.10472 Incurable.Moved.
mc-110-12-0000190.exe C:\Documents and Settings\Administrador\DoctorWeb\Quarantine Trojan.DownLoader.10472 Incurable.Moved.
mc-110-12-0000191.exe C:\Documents and Settings\Administrador\DoctorWeb\Quarantine Trojan.DownLoader.10472 Incurable.Moved.
mc-110-12-0000190.exe C:\Documents and Settings\Administrador\DoctorWeb\Quarantine Trojan.DownLoader.10472 Incurable.Moved.
mc-110-12-0000191.exe C:\Documents and Settings\Administrador\DoctorWeb\Quarantine Trojan.DownLoader.10472 Incurable.Moved.
mc-110-12-0000190.exe C:\Documents and Settings\Administrador\DoctorWeb\Quarantine Trojan.DownLoader.10472 Incurable.Moved.
mc-110-12-0000191.exe C:\Documents and Settings\Administrador\DoctorWeb\Quarantine Trojan.DownLoader.10472 Incurable.Moved.
mc-110-12-0000190.exe C:\Documents and Settings\Administrador\DoctorWeb\Quarantine Trojan.DownLoader.10472 Incurable.Moved.
mc-110-12-0000191.exe C:\Documents and Settings\Administrador\DoctorWeb\Quarantine Trojan.DownLoader.10472 Incurable.Moved.
mc-110-12-0000190.exe C:\Documents and Settings\Administrador\DoctorWeb\Quarantine Trojan.DownLoader.10472 Incurable.Moved.
mc-110-12-0000191.exe C:\Documents and Settings\Administrador\DoctorWeb\Quarantine Trojan.DownLoader.10472 Incurable.Moved.
mc-110-12-0000190.exe C:\Documents and Settings\Administrador\DoctorWeb\Quarantine Trojan.DownLoader.10472 Incurable.Moved.
mc-110-12-0000191.exe C:\Documents and Settings\Administrador\DoctorWeb\Quarantine Trojan.DownLoader.10472 Incurable.Moved.
mc-110-12-0000190.exe C:\Documents and Settings\Administrador\DoctorWeb\Quarantine Trojan.DownLoader.10472 Incurable.Moved.
mc-110-12-0000191.exe C:\Documents and Settings\Administrador\DoctorWeb\Quarantine Trojan.DownLoader.10472 Incurable.Moved.
mc-110-12-0000190.exe C:\Documents and Settings\Administrador\DoctorWeb\Quarantine Trojan.DownLoader.10472 Incurable.Moved.
mc-110-12-0000191.exe C:\Documents and Settings\Administrador\DoctorWeb\Quarantine Trojan.DownLoader.10472 Incurable.Moved.
mc-110-12-0000190.exe C:\Documents and Settings\Administrador\DoctorWeb\Quarantine Trojan.DownLoader.10472 Incurable.Moved.
mc-110-12-0000191.exe C:\Documents and Settings\Administrador\DoctorWeb\Quarantine Trojan.DownLoader.10472 Incurable.Moved.
mc-110-12-0000190.exe C:\Documents and Settings\Administrador\DoctorWeb\Quarantine Trojan.DownLoader.10472 Incurable.Moved.
mc-110-12-0000191.exe C:\Documents and Settings\Administrador\DoctorWeb\Quarantine Trojan.DownLoader.10472 Incurable.Moved.
mc-110-12-0000190.exe C:\Documents and Settings\Administrador\DoctorWeb\Quarantine Trojan.DownLoader.10472 Incurable.Moved.
mc-110-12-0000191.exe C:\Documents and Settings\Administrador\DoctorWeb\Quarantine Trojan.DownLoader.10472 Incurable.Moved.
mc-110-12-0000190.exe C:\Documents and Settings\Administrador\DoctorWeb\Quarantine Trojan.DownLoader.10472 Incurable.Moved.
mc-110-12-0000191.exe C:\Documents and Settings\Administrador\DoctorWeb\Quarantine Trojan.DownLoader.10472 Incurable.Moved.
mc-110-12-0000190.exe C:\Documents and Settings\Administrador\DoctorWeb\Quarantine Trojan.DownLoader.10472 Incurable.Moved.
mc-110-12-0000191.exe C:\Documents and Settings\Administrador\DoctorWeb\Quarantine Trojan.DownLoader.10472 Incurable.Moved.
mc-110-12-0000190.exe C:\Documents and Settings\Administrador\DoctorWeb\Quarantine Trojan.DownLoader.10472 Incurable.Moved.
mc-110-12-0000191.exe C:\Documents and Settings\Administrador\DoctorWeb\Quarantine Trojan.DownLoader.10472 Incurable.Moved.
mc-110-12-0000190.exe C:\Documents and Settings\Administrador\DoctorWeb\Quarantine Trojan.DownLoader.10472 Incurable.Moved.
mc-110-12-0000191.exe C:\Documents and Settings\Administrador\DoctorWeb\Quarantine Trojan.DownLoader.10472 Incurable.Moved.
mc-110-12-0000190.exe C:\Documents and Settings\Administrador\DoctorWeb\Quarantine Trojan.DownLoader.10472 Incurable.Moved.
mc-110-12-0000191.exe C:\Documents and Settings\Administrador\DoctorWeb\Quarantine Trojan.DownLoader.10472 Incurable.Moved.
mc-110-12-0000190.exe C:\Documents and Settings\Administrador\DoctorWeb\Quarantine Trojan.DownLoader.10472 Incurable.Moved.
mc-110-12-0000191.exe C:\Documents and Settings\Administrador\DoctorWeb\Quarantine Trojan.DownLoader.10472 Incurable.Moved.
mc-110-12-0000190.exe C:\Documents and Settings\Administrador\DoctorWeb\Quarantine Trojan.DownLoader.10472 Incurable.Moved.
mc-110-12-0000191.exe C:\Documents and Settings\Administrador\DoctorWeb\Quarantine Trojan.DownLoader.10472 Incurable.Moved.
mc-110-12-0000190.exe C:\Documents and Settings\Administrador\DoctorWeb\Quarantine Trojan.DownLoader.10472 Incurable.Moved.
mc-110-12-0000191.exe C:\Documents and Settings\Administrador\DoctorWeb\Quarantine Trojan.DownLoader.10472 Incurable.Moved.
mc-110-12-0000190.exe C:\Documents and Settings\Administrador\DoctorWeb\Quarantine Trojan.DownLoader.10472 Incurable.Moved.
mc-110-12-0000191.exe C:\Documents and Settings\Administrador\DoctorWeb\Quarantine Trojan.DownLoader.10472 Incurable.Moved.
mc-110-12-0000190.exe C:\Documents and Settings\Administrador\DoctorWeb\Quarantine Trojan.DownLoader.10472 Incurable.Moved.
mc-110-12-0000191.exe C:\Documents and Settings\Administrador\DoctorWeb\Quarantine Trojan.DownLoader.10472 Incurable.Moved.
mc-110-12-0000190.exe C:\Documents and Settings\Administrador\DoctorWeb\Quarantine Trojan.DownLoader.10472 Incurable.Moved.
mc-110-12-0000191.exe C:\Documents and Settings\Administrador\DoctorWeb\Quarantine Trojan.DownLoader.10472 Incurable.Moved.
mc-110-12-0000190.exe C:\Documents and Settings\Administrador\DoctorWeb\Quarantine Trojan.DownLoader.10472 Incurable.Moved.
mc-110-12-0000191.exe C:\Documents and Settings\Administrador\DoctorWeb\Quarantine Trojan.DownLoader.10472 Incurable.Moved.
mc-110-12-0000190.exe C:\Documents and Settings\Administrador\DoctorWeb\Quarantine Trojan.DownLoader.10472 Incurable.Moved.
mc-110-12-0000191.exe C:\Documents and Settings\Administrador\DoctorWeb\Quarantine Trojan.DownLoader.10472 Incurable.Moved.
mc-110-12-0000190.exe C:\Documents and Settings\Administrador\DoctorWeb\Quarantine Trojan.DownLoader.10472 Incurable.Moved.
mc-110-12-0000191.exe C:\Documents and Settings\Administrador\DoctorWeb\Quarantine Trojan.DownLoader.10472 Incurable.Moved.
mc-110-12-0000190.exe C:\Documents and Settings\Administrador\DoctorWeb\Quarantine Trojan.DownLoader.10472 Incurable.Moved.
mc-110-12-0000191.exe C:\Documents and Settings\Administrador\DoctorWeb\Quarantine Trojan.DownLoader.10472 Incurable.Moved.
mc-110-12-0000190.exe C:\Documents and Settings\Administrador\DoctorWeb\Quarantine Trojan.DownLoader.10472 Incurable.Moved.
mc-110-12-0000191.exe C:\Documents and Settings\Administrador\DoctorWeb\Quarantine Trojan.DownLoader.10472 Incurable.Moved.
mc-110-12-0000190.exe C:\Documents and Settings\Administrador\DoctorWeb\Quarantine Trojan.DownLoader.10472 Incurable.Moved.
mc-110-12-0000191.exe C:\Documents and Settings\Administrador\DoctorWeb\Quarantine Trojan.DownLoader.10472 Incurable.Moved.
mc-110-12-0000190.exe C:\Documents and Settings\Administrador\DoctorWeb\Quarantine Trojan.DownLoader.10472 Incurable.Moved.
mc-110-12-0000191.exe C:\Documents and Settings\Administrador\DoctorWeb\Quarantine Trojan.DownLoader.10472 Incurable.Moved.
mc-110-12-0000190.exe C:\Documents and Settings\Administrador\DoctorWeb\Quarantine Trojan.DownLoader.10472 Incurable.Moved.
mc-110-12-0000191.exe C:\Documents and Settings\Administrador\DoctorWeb\Quarantine Trojan.DownLoader.10472 Incurable.Moved.
mc-110-12-0000190.exe C:\Documents and Settings\Administrador\DoctorWeb\Quarantine Trojan.DownLoader.10472 Incurable.Moved.
mc-110-12-0000191.exe C:\Documents and Settings\Administrador\DoctorWeb\Quarantine Trojan.DownLoader.10472 Incurable.Moved.
mc-110-12-0000190.exe C:\Documents and Settings\Administrador\DoctorWeb\Quarantine Trojan.DownLoader.10472 Incurable.Moved.
mc-110-12-0000191.exe C:\Documents and Settings\Administrador\DoctorWeb\Quarantine Trojan.DownLoader.10472 Incurable.Moved.
mc-110-12-0000190.exe C:\Documents and Settings\Administrador\DoctorWeb\Quarantine Trojan.DownLoader.10472 Incurable.Moved.
mc-110-12-0000191.exe C:\Documents and Settings\Administrador\DoctorWeb\Quarantine Trojan.DownLoader.10472 Incurable.Moved.
mc-110-12-0000190.exe C:\Documents and Settings\Administrador\DoctorWeb\Quarantine Trojan.DownLoader.10472 Incurable.Moved.
mc-110-12-0000191.exe C:\Documents and Settings\Administrador\DoctorWeb\Quarantine Trojan.DownLoader.10472 Incurable.Moved.
mc-110-12-0000190.exe C:\Documents and Settings\Administrador\DoctorWeb\Quarantine Trojan.DownLoader.10472 Incurable.Moved.
mc-110-12-0000191.exe C:\Documents and Settings\Administrador\DoctorWeb\Quarantine Trojan.DownLoader.10472 Incurable.Moved.
mc-110-12-0000190.exe C:\Documents and Settings\Administrador\DoctorWeb\Quarantine Trojan.DownLoader.10472 Incurable.Moved.
mc-110-12-0000191.exe C:\Documents and Settings\Administrador\DoctorWeb\Quarantine Trojan.DownLoader.10472 Incurable.Moved.
mc-110-12-0000190.exe C:\Documents and Settings\Administrador\DoctorWeb\Quarantine Trojan.DownLoader.10472 Incurable.Moved.
mc-110-12-0000191.exe C:\Documents and Settings\Administrador\DoctorWeb\Quarantine Trojan.DownLoader.10472 Incurable.Moved.
mc-110-12-0000190.exe C:\Documents and Settings\Administrador\DoctorWeb\Quarantine Trojan.DownLoader.10472 Incurable.Moved.
mc-110-12-0000191.exe C:\Documents and Settings\Administrador\DoctorWeb\Quarantine Trojan.DownLoader.10472 Incurable.Moved.
mc-110-12-0000190.exe C:\Documents and Settings\Administrador\DoctorWeb\Quarantine Trojan.DownLoader.10472 Incurable.Moved.
mc-110-12-0000191.exe C:\Documents and Settings\Administrador\DoctorWeb\Quarantine Trojan.DownLoader.10472 Incurable.Moved.
mc-110-12-0000190.exe C:\Documents and Settings\Administrador\DoctorWeb\Quarantine Trojan.DownLoader.10472 Incurable.Moved.
mc-110-12-0000191.exe C:\Documents and Settings\Administrador\DoctorWeb\Quarantine Trojan.DownLoader.10472 Incurable.Moved.
mc-110-12-0000190.exe C:\Documents and Settings\Administrador\DoctorWeb\Quarantine Trojan.DownLoader.10472 Incurable.Moved.

#9 -David-

  • Members
  • 10,603 posts
  • Gender:Male
  • Location:London
  • Local time:11:11 AM

Posted 20 June 2006 - 05:30 AM

Hey Bleep!

Thanks so much for sorting out the usernames; it will be much easier from now on. You've done really well, and the number of infected files on your computer is falling. I really need to see that ComboFix log though - it's the easiest way of removing the stubborn Qoologic infection you have; the other ways are much more time consuming. Can you run ComboFix again, using the instructions below, but this time complete it in normal mode - last time I asked you to run it in safe mode, so perhaps this is what caused the log to disappear:

* Download ComboFix to your desktop.
Double-click combo.exe
Follow the prompts.
Don't click on the window while the fix is running, because that will cause your system to hang.
When finished, it should produce a log, combofix.txt.
Post this log in your next reply together with a new HijackThis log.

However, if the log will not appear in normal mode, we are going to have to use the slightly longer process. Only complete the following if you were not able to get the ComboFix log. This should also be completed in normal mode:

*Download FindQool.zip save it to your C:\.

Extract (unzip) the files inside into their own folder called FindQool.
Read here how to unzip/extract properly:
Xp Compressed Explanation

This folder should be present on your C:\
In case it's not present there, move the FindQool folder to C:\ otherwise it won't work.
Then open the FindQool folder.
Locate and double-click the Qlocate.bat file to run it.

This will scan your system.
Wait until a text file opens.

So, please post back with either the ComboFix log or the FindQool log, depending on whether you were able to get the ComboFix log.
David
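
The heuristics a helper applies by eye when reading the O4 and O15 lines in a HijackThis log, written out as a small Python triage pass. This is an added example for this page, not code from David, the thread, or the HijackThis/ComboFix tools, and its rules are the editor's own: an executable started straight from the drive root, a program launched from under system32\drivers, a folder called "Windows" under Program Files, a path HijackThis could only print with '?' (assumed here to be how HijackThis 1.99.1 renders characters outside the system code page), and any site added to IE's Trusted Zone. The sample lines are copied from the log posted in this thread with legitimate vendor entries mixed in; nothing a rule flags is a verdict on that file, only a reason to look closer.

```python
import re

# Constructed sample input: HijackThis 1.99.1 lines copied from the log posted
# in this thread, with legitimate vendor entries mixed in so the heuristics
# have entries to pass as well as entries to flag.
SAMPLE_LINES = [
    r"O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Archivos de programa\Java\jre1.5.0_06\bin\jusched.exe",
    r'O4 - HKLM\..\Run: [ccApp] "C:\Archivos de programa\Archivos comunes\Symantec Shared\ccApp.exe"',
    r"O4 - HKLM\..\Run: [Win643] C:\mActiveX.exe",
    r"O4 - HKCU\..\Run: [ctfmon.exe] C:\windows\system32\ctfmon.exe",
    r"O4 - HKCU\..\Run: [MSN Explorer] C:\windows\system32\drivers\helpsys\msnexplorer.exe",
    r"O4 - HKCU\..\Run: [Wsdgg] C:\Documents and Settings\user1\Mis documentos\?ssembly\c?rss.exe",
    r'O4 - HKCU\..\Run: [QuickTime Task] "C:\Archivos de programa\QuickTime\qttask.exe" -atboottime',
    r"O15 - Trusted Zone: *.media-motor.net",
]

# HijackThis 1.99 line shapes: "O4 - <hive>\..\Run: [<value name>] <command>"
# and "O15 - Trusted Zone: <site>".
O4_RE = re.compile(r"^O4 - (?P<hive>HK\S*?)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
O15_RE = re.compile(r"^O15 - Trusted Zone: (?P<site>\S+)$")
DRIVE_ROOT_RE = re.compile(r"^[a-z]:\\[^\\]+$", re.IGNORECASE)
FAKE_WINDOWS_DIR_RE = re.compile(r"\\(archivos de programa|program files|archiv~1|progra~1)\\windows\\")


def executable_path(cmd: str) -> str:
    """Return just the launched executable from a Run value: quotes and arguments dropped."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r"(.+?\.exe)\b", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split(" ")[0]


def o4_findings(path: str) -> list[str]:
    """Heuristics a log reader applies by eye to an autostart path; none is proof on its own."""
    low = path.lower()
    reasons = []
    if "?" in path:
        # Assumption: HijackThis 1.99.1 prints characters outside the system code page
        # as '?', so '?ssembly\c?rss.exe' is a path spelled with look-alike characters.
        reasons.append("path contains characters HijackThis could not print; "
                       "compare it against the genuine system name it resembles")
    if DRIVE_ROOT_RE.match(path):
        reasons.append("executable started straight from the drive root")
    if "\\system32\\drivers\\" in low:
        reasons.append("program started from under system32\\drivers, a folder for .sys files")
    if FAKE_WINDOWS_DIR_RE.search(low):
        reasons.append("folder named 'Windows' under Program Files, a disguise for update look-alikes")
    return reasons


def triage(lines) -> dict[str, list[str]]:
    """Map each flagged HijackThis line to the reasons it tripped a heuristic."""
    flagged = {}
    for raw in lines:
        line = raw.rstrip()
        m = O4_RE.match(line)
        if m:
            reasons = o4_findings(executable_path(m.group("cmd")))
        elif O15_RE.match(line):
            reasons = ["site added to IE's Trusted Zone, so it runs under the lenient "
                       "Trusted sites security level instead of the Internet zone"]
        else:
            reasons = []
        if reasons:
            flagged[line] = reasons
    return flagged


if __name__ == "__main__":
    for line, reasons in triage(SAMPLE_LINES).items():
        print(line)
        for reason in reasons:
            print("    ->", reason)
```

Run it against a saved hijackthis.log by passing the file's lines to triage(); the vendor entries (Java, Symantec, ctfmon, QuickTime) pass clean, and the four entries that stand out in this thread's log are each listed with the rule that caught them.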

#10 BLEEP my computer

  • Topic Starter

  • Members
  • 9 posts
  • Local time:12:11 PM

Posted 20 June 2006 - 03:51 PM

David the Trojan Slayer!

What up man? I got the ComboFix log for you!

We will kill these bastards. By the way, they have also invaded the clock in the bottom corner of my screen; it is now a bit different in color and it says TClock when I leave my pointer on it... not a big problem, but it's a pride thing now... I want 'em all dead!

Thanks again for your help!!!

Start Time= 20/06/2006 21:47:30,41
Running from: C:\DOCUME~1\USER1\ESCRIT~1\COMBOFIX.EXE

(((((((((((((((((((((((((((((((((((((((((((((((( Qoologic's Log ))))))))))))))))))))))))))))))))))))))))))))))))))))))

15:30:35,03

Not all files found by this method are bad. There may be legitimate files found
This log should be examined by a trained analyst


* * * PRE-RUN - Filepaths extracted from the Registry * * * * * * * * * * * * * * * * * * * * * *


C:\windows\system32\rphain.exe
C:\windows\system32\rphain.exe
C:\windows\system32\iyxeh.exe
C:\WINDOWS\SYSTEM32\SUFHSSB.EXE


* * * PRE-RUN - Filepaths extracted by Memory Dump * * * * * * * * * * * * * * * * * * * * * *


C:\windows\system32\xwgayvl.dll
C:\windows\system32\xwgayvl.dll
C:\windows\system32\wnvdt.dat
C:\windows\system32\sufhssb.exe
C:\windows\system32\rphain.exe
C:\windows\system32\rphain.exe
C:\windows\system32\rphain.exe
C:\windows\system32\iyxeh.exe
C:\windows\qkngy.dll
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\kwsbo.exe


* * * PRE-RUN - Filepaths from Locate * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


2006-06-15 00:33:22 127.488 "C:\WINDOWS\system32\rphain.exe"
2006-06-15 00:33:24 28.672 "C:\WINDOWS\system32\iyxeh.exe"
2006-06-15 00:33:22 23.552 "C:\WINDOWS\system32\sufhssb.exe"
2006-06-18 08:46:30 51.712 "C:\WINDOWS\system32\xwgayvl.dll"
2006-05-15 18:24:34 466.944 "C:\WINDOWS\system32\capicom.dll"
2006-04-03 11:40:10 14.048 "C:\WINDOWS\system32\spmsg.dll"
2006-06-18 08:46:30 127.488 "C:\WINDOWS\system32\wnvdt.dat"
2006-06-19 12:34:32 309 "C:\WINDOWS\qkngy.dll"
2006-06-15 00:33:20 52 "C:\WINDOWS\qvbblb.dat"


* * * POST-RUN - Files in the Quarantine folder * * * * * * * * * * * * * * * * * * * * * * * * *
(((((((((((((((((((((((((((((((((((((((((((((((( Qoologic's Log ))))))))))))))))))))))))))))))))))))))))))))))))))))))

21:24:09,36

Not all files found by this method are bad. There may be legitimate files found
This log should be examined by a trained analyst


* * * PRE-RUN - Filepaths extracted from the Registry * * * * * * * * * * * * * * * * * * * * * *


C:\windows\system32\rphain.exe
C:\windows\system32\rphain.exe
C:\windows\system32\iyxeh.exe
C:\WINDOWS\SYSTEM32\SUFHSSB.EXE
C:\WINDOWS\SYSTEM32\SUFHSSB.EXE


* * * PRE-RUN - Filepaths from Locate * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


2006-06-15 00:33:22 23.552 "C:\WINDOWS\system32\sufhssb.exe"
2006-06-18 08:46:30 51.712 "C:\WINDOWS\system32\xwgayvl.dll"
2006-05-15 18:24:34 466.944 "C:\WINDOWS\system32\capicom.dll"
2006-04-03 11:40:10 14.048 "C:\WINDOWS\system32\spmsg.dll"
2006-06-19 12:34:32 309 "C:\WINDOWS\qkngy.dll"
2006-06-15 00:33:20 52 "C:\WINDOWS\qvbblb.dat"


* * * POST-RUN - Files in the Quarantine folder * * * * * * * * * * * * * * * * * * * * * * * * *
(((((((((((((((((((((((((((((((((((((((((((((((( Qoologic's Log ))))))))))))))))))))))))))))))))))))))))))))))))))))))

21:48:48,71

Not all files found by this method are bad. There may be legitimate files found
This log should be examined by a trained analyst


* * * PRE-RUN - Filepaths extracted from the Registry * * * * * * * * * * * * * * * * * * * * * *


C:\windows\system32\rphain.exe
C:\windows\system32\rphain.exe
C:\windows\system32\iyxeh.exe
C:\WINDOWS\SYSTEM32\SUFHSSB.EXE
C:\WINDOWS\SYSTEM32\SUFHSSB.EXE
C:\WINDOWS\SYSTEM32\SUFHSSB.EXE


* * * PRE-RUN - Filepaths from Locate * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


2006-06-15 00:33:22 23.552 "C:\WINDOWS\system32\sufhssb.exe"
2006-06-18 08:46:30 51.712 "C:\WINDOWS\system32\xwgayvl.dll"
2006-05-15 18:24:34 466.944 "C:\WINDOWS\system32\capicom.dll"
2006-04-03 11:40:10 14.048 "C:\WINDOWS\system32\spmsg.dll"
2006-06-19 12:34:32 309 "C:\WINDOWS\qkngy.dll"
2006-06-15 00:33:20 52 "C:\WINDOWS\qvbblb.dat"


* * * POST-RUN - Files in the Quarantine folder * * * * * * * * * * * * * * * * * * * * * * * * *

Directory of C:\qoobox

18/06/2006 08:46 51.712 xwgayvl.dll.vir
15/06/2006 00:33 23.552 sufhssb.exe.vir

Total files in the list:

DO NOT DELETE ANY FILES FROM THIS DIRECTORY UNLESS INSTRUCTED TO


* * * POST-RUN - Filepaths from Locate * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


2006-05-15 18:24:34 466.944 "C:\WINDOWS\system32\capicom.dll"
2006-04-03 11:40:10 14.048 "C:\WINDOWS\system32\spmsg.dll"
2006-06-19 12:34:32 309 "C:\WINDOWS\qkngy.dll"
2006-06-15 00:33:20 52 "C:\WINDOWS\qvbblb.dat"


((((((((((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\newname.dat
C:\WINDOWS\keyboard1.dat
C:\windows\teller2.chk
C:\Archivos de programa\network monitor
C:\Archivos de programa\snowball wars
C:\Documents and Settings\LocalService\Datos de programa\NetMon


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-06-19 12:34:32 309 ( A.... ) "C:\WINDOWS\qkngy.dll"
2006-06-18 00:56:48 9211 ( A.... ) "C:\BFU qoofix.bat"
2006-06-18 00:42:32 9211 ( A.... ) "C:\BFU.bat"
2006-06-18 00:36:50 ( .D... ) "C:\Archivos de programa\ewido anti-malware"
2006-06-15 13:19:14 ( .D... ) "C:\Archivos de programa\QuickTime"
2006-06-14 11:40:10 ( .D... ) "C:\Archivos de programa\Zone Labs"
2006-06-14 00:17:20 ( .D... ) "C:\Archivos de programa\Archivos comunes\InetGet"
2006-06-13 12:49:36 ( .D... ) "C:\Archivos de programa\a-squared"
2006-06-12 16:44:28 ( .D... ) "C:\Archivos de programa\SymNetDrv"
2006-06-12 14:56:18 ( .D... ) "C:\Archivos de programa\Archivos comunes\rwkk"
2006-06-12 02:26:36 ( .D... ) "C:\Archivos de programa\TClock"
2006-06-12 02:26:34 ( .D... ) "C:\Archivos de programa\InetGet2"
2006-06-12 02:22:12 ( .D... ) "C:\Archivos de programa\Windows"
2006-06-12 01:58:36 2560 ( A.... ) "C:\WINDOWS\_MSRSTRT.EXE"
2006-05-17 11:23:38 579888 ( ..... ) "C:\WINDOWS\system32\LegitCheckControl.dll"
2006-05-15 18:24:34 466944 ( A.... ) "C:\WINDOWS\system32\capicom.dll"
2006-04-03 11:40:10 14048 ( ..... ) "C:\WINDOWS\system32\spmsg.dll"


((((((((((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"WinFaxAppPortStarter"="wfxsnt40.exe"
"UserFaultCheck"=hex(2):25,73,79,73,74,65,6d,72,6f,6f,74,25,5c,73,79,73,74,65,\
6d,33,32,5c,64,75,6d,70,72,65,70,20,30,20,2d,75,00
"SunJavaUpdateSched"="C:\\Archivos de programa\\Java\\jre1.5.0_06\\bin\\jusched.exe"
"REGSHAVE"="C:\\Archivos de programa\\REGSHAVE\\REGSHAVE.EXE /AUTORUN"
"LVCOMS"="C:\\Archivos de programa\\Archivos comunes\\Logitech\\QCDriver\\LVCOMS.EXE"
"DIGStream"="C:\\Archivos de programa\\DIGStream\\digstream.exe"
"HP Software Update"="C:\\Archivos de programa\\HP\\HP Software Update\\HPWuSchd2.exe"
"Evidence Eliminator"="C:\\Archivos de programa\\Evidence Eliminator\\ee.exe /m"
"ccApp"="\"C:\\Archivos de programa\\Archivos comunes\\Symantec Shared\\ccApp.exe\""
"Symantec NetDriver Monitor"="C:\\ARCHIV~1\\SYMNET~1\\SNDMon.exe /Consumer"
"Win643"="C:\\mActiveX.exe"
"Zone Labs Client"="C:\\Archivos de programa\\Zone Labs\\ZoneAlarm\\zlclient.exe"
"QuickTime Task"="\"C:\\Archivos de programa\\QuickTime\\qttask.exe\" -atboottime"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonceex]
"flags"=dword:00000008

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonceex\000]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoActiveDesktopChanges"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ctfmon.exe"="C:\\windows\\system32\\ctfmon.exe"
"Evidence Eliminator"="C:\\Archivos de programa\\Evidence Eliminator\\ee.exe /m"
"MSN Explorer"="C:\\windows\\system32\\drivers\\helpsys\\msnexplorer.exe"
"Intranet Explorer"="C:\\windows\\system32\\drivers\\helpsys\\iexplorer.exe"
"TClock.exe"="C:\\Archivos de programa\\TClock\\tclock_install.exe"
"Wsdgg"="C:\\Documents and Settings\\user1\\Mis documentos\\?ssembly\\c?rss.exe"
"rwkk"="C:\\ARCHIV~1\\ARCHIV~1\\rwkk\\rwkkm.exe"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run]
"WinUpdate.exe"="C:\\Archivos de programa\\Windows\\WinUpdate.exe"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=dword:00000000
"NoDispAppearancePage"=dword:00000000
"NoColorChoice"=dword:00000000
"NoSizeChoice"=dword:00000000
"NoDispBackgroundPage"=dword:00000000
"NoDispScrSavPage"=dword:00000000
"NoDispCPL"=dword:00000000
"NoVisualStyleChoice"=dword:00000000
"NoDispSettingsPage"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="Mi página de inicio actual"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,00,03,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,52,01,00,00,23,00,00,00,7c,00,00,00,72,00,\
00,00,01,00,00,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\system32\\CTFMON.EXE"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\system32\\CTFMON.EXE"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Precargador Browseui"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Demonio de caché de las categorías de componente"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{A213B520-C6C2-11d0-AF9D-008029E1027E}"=""
"{54D9498B-CF93-414F-8984-8CE7FDE0D391}"="ewido shell guard"


Contents of the 'Scheduled Tasks' folder
C:\windows\tasks\Norton AntiVirus - Analizar el equipo - user1.job

Completion time: 20/06/2006 21:54:08,08
ComboFix ver 06.06.19 - This logfile is located at C:\ComboFix.txt


------------------

Logfile of HijackThis v1.99.1
Scan saved at 22:50:28, on 20/06/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\windows\System32\smss.exe
C:\windows\system32\winlogon.exe
C:\windows\system32\services.exe
C:\windows\system32\lsass.exe
C:\windows\system32\svchost.exe
C:\windows\System32\svchost.exe
C:\Archivos de programa\Archivos comunes\Symantec Shared\ccSetMgr.exe
C:\Archivos de programa\Archivos comunes\Symantec Shared\SNDSrvc.exe
C:\Archivos de programa\Archivos comunes\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Archivos de programa\Archivos comunes\Symantec Shared\ccEvtMgr.exe
C:\windows\system32\spoolsv.exe
C:\windows\Explorer.EXE
C:\Archivos de programa\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Archivos de programa\ewido anti-malware\ewidoctrl.exe
C:\Archivos de programa\Norton AntiVirus\navapsvc.exe
C:\Archivos de programa\Norton AntiVirus\IWP\NPFMntor.exe
C:\windows\system32\svchost.exe
C:\Archivos de programa\Archivos comunes\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\ZONELABS\vsmon.exe
C:\WINDOWS\system32\WFXSVC.EXE
C:\Archivos de programa\Symantec\WinFax\WFXMOD32.EXE
C:\windows\system32\wfxsnt40.exe
C:\Archivos de programa\Java\jre1.5.0_06\bin\jusched.exe
C:\Archivos de programa\Archivos comunes\Logitech\QCDriver\LVCOMS.EXE
C:\Archivos de programa\HP\HP Software Update\HPWuSchd2.exe
C:\Archivos de programa\Archivos comunes\Symantec Shared\ccApp.exe
C:\Archivos de programa\Zone Labs\ZoneAlarm\zlclient.exe
C:\Archivos de programa\QuickTime\qttask.exe
C:\windows\system32\ctfmon.exe
C:\Archivos de programa\Symantec\WinFax\WFXCTL32.EXE
C:\Archivos de programa\Telefonica\Kit ADSL USB\DSLMON.exe
C:\Archivos de programa\HP\Digital Imaging\bin\hpqtra08.exe
C:\Archivos de programa\D-Link AirPlus Xtreme G\AirPlus.exe
C:\Archivos de programa\TClock\TClock.exe
C:\Archivos de programa\Windows\wWinUpdate.exe
C:\Archivos de programa\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Archivos de programa\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\windows\system32\NOTEPAD.EXE
C:\Archivos de programa\Internet Explorer\iexplore.exe
C:\Archivos de programa\Messenger\msmsgs.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O3 - Toolbar: BitComet Toolbar - {2E608F70-C430-4bc5-96F6-608E02EBA5B2} - C:\Archivos de programa\BitComet Toolbar\v2.0.0.1\BitComet_Toolbar.dll (file missing)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Archivos de programa\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Archivos de programa\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Archivos de programa\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [LVCOMS] C:\Archivos de programa\Archivos comunes\Logitech\QCDriver\LVCOMS.EXE
O4 - HKLM\..\Run: [DIGStream] C:\Archivos de programa\DIGStream\digstream.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Archivos de programa\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Evidence Eliminator] C:\Archivos de programa\Evidence Eliminator\ee.exe /m
O4 - HKLM\..\Run: [ccApp] "C:\Archivos de programa\Archivos comunes\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\ARCHIV~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [Win643] C:\mActiveX.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Archivos de programa\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Archivos de programa\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\windows\system32\ctfmon.exe
O4 - HKCU\..\Run: [Evidence Eliminator] C:\Archivos de programa\Evidence Eliminator\ee.exe /m
O4 - HKCU\..\Run: [MSN Explorer] C:\windows\system32\drivers\helpsys\msnexplorer.exe
O4 - HKCU\..\Run: [Intranet Explorer] C:\windows\system32\drivers\helpsys\iexplorer.exe
O4 - HKCU\..\Run: [TClock.exe] C:\Archivos de programa\TClock\tclock_install.exe
O4 - HKCU\..\Run: [Wsdgg] C:\Documents and Settings\user1\Mis documentos\?ssembly\c?rss.exe
O4 - HKCU\..\Run: [rwkk] C:\ARCHIV~1\ARCHIV~1\rwkk\rwkkm.exe
O4 - Global Startup: Desktop Manager.lnk = C:\Archivos de programa\Research In Motion\BlackBerry\DesktopMgr.exe
O4 - Global Startup: Controller.LNK = C:\Archivos de programa\Symantec\WinFax\WFXCTL32.EXE
O4 - Global Startup: Consola KIT ADSL.lnk = C:\Archivos de programa\Telefonica\Kit ADSL USB\DSLMON.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Archivos de programa\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Archivos de programa\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: ACS.lnk = ?
O4 - Global Startup: D-Link AirPlus Xtreme G Configuration Utility.lnk = ?
O4 - Global Startup: D-Link REG Utility.lnk = ?
O8 - Extra context menu item: &MyToolBar Search - res://C:\Archivos de programa\ToolBar888\MyToolBar.dll/MENUSEARCH.HTM
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Archivos de programa\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\ARCHIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Archivos de programa\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Archivos de programa\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Archivos de programa\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Consola de Sun Java - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Archivos de programa\Yahoo!\Common\yiesrvc.dll (file missing)
O9 - Extra button: Referencia - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARCHIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O15 - Trusted Zone: *.media-motor.net
O15 - Trusted Zone: *.mmohsix.com
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.symantec.com/techsupp/as...rl/LSSupCtl.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by116fd.bay116.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {7DFDB8FD-B498-4958-B930-38021B94351D} (imlUCID Class) - http://imlive.com/chatsource/ImlCID.cab
O16 - DPF: {B9A296D4-38AC-4566-8168-F7ACAF7D35E6} (Eyeball Video Session Control) - http://imlive.com/ChatSource/gVideoContol.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/as...rl/SymAData.cab
O16 - DPF: {E055C02E-6258-40FF-80A7-3BDA52FACAD7} (Installer Class) - http://activex.matcash.com/speedtest2.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{144EAFA7-3EEB-4F5F-ADA0-F097E6C06CC7}: NameServer = 80.58.0.33,80.58.32.97
O17 - HKLM\System\CS1\Services\Tcpip\..\{144EAFA7-3EEB-4F5F-ADA0-F097E6C06CC7}: NameServer = 80.58.0.33,80.58.32.97
O17 - HKLM\System\CS2\Services\Tcpip\..\{144EAFA7-3EEB-4F5F-ADA0-F097E6C06CC7}: NameServer = 80.58.0.33,80.58.32.97
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\ARCHIV~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Archivos de programa\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Archivos de programa\Archivos comunes\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Archivos de programa\Archivos comunes\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Archivos de programa\Archivos comunes\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Archivos de programa\ewido anti-malware\ewidoctrl.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\ARCHIV~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Servicio Auto-Protect de Norton AntiVirus (navapsvc) - Symantec Corporation - C:\Archivos de programa\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Archivos de programa\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Archivos de programa\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\ARCHIV~1\ARCHIV~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Archivos de programa\Archivos comunes\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Archivos de programa\Archivos comunes\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Archivos de programa\Archivos comunes\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZONELABS\vsmon.exe
O23 - Service: WinFax PRO (wfxsvc) - Symantec Corporation - C:\WINDOWS\system32\WFXSVC.EXE

#11 -David-

-David-

  • Members
  • 10,603 posts
  • OFFLINE
  • Gender:Male
  • Location:London
  • Local time:11:11 AM

Posted 21 June 2006 - 06:07 AM

Hey there,

It is a good idea to print off these instructions - they will be needed later when internet access is not available. You may also like to save these instructions in word/notepad to the desktop where they can be easily found for the same reasons as above.
It is important that you complete the following instructions in the correct order, and also that you don't miss anything out!

* Please run the uninstaller by using the tutorial found here:
http://www.outerinfo.com/howto.html
Then Reboot! (v.important)

*Click on start, then control panel, and then double-click on add/remove programs. From within add/remove program uninstall the following if they exist by double-clicking on the following entries:
Tclock

* Please set your system to show hidden files; please see here if you're unsure how to do this.

* Download: DelDomains.inf
  • Locate "DelDomains.inf" right-click and select: Install
  • Note: you will not see any on-screen action ...
  • This will remove all entries in the Trusted, Restricted, and Enhanced Security Configuration Zones.
  • Note: once you do this, any previous restricted zone hacks (SpywareBlaster, IE-SPYAD, etc.) will need to be reapplied.
*Boot into Safe Mode (without networking support!)
By pressing the F8 key right when Windows starts, usually right after you hear your computer beep when you reboot it (some versions of Windows will display 'Starting Windows' with a grey progress bar), you will be brought to a menu where you can choose to boot into safe mode.

*Now start a new scan with HJT and place a checkmark next to each of the following items (if present):

R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O3 - Toolbar: BitComet Toolbar - {2E608F70-C430-4bc5-96F6-608E02EBA5B2} - C:\Archivos de programa\BitComet Toolbar\v2.0.0.1\BitComet_Toolbar.dll (file missing)
O4 - HKLM\..\Run: [Win643] C:\mActiveX.exe
O4 - HKCU\..\Run: [TClock.exe] C:\Archivos de programa\TClock\tclock_install.exe
O4 - HKCU\..\Run: [Wsdgg] C:\Documents and Settings\user1\Mis documentos\?ssembly\c?rss.exe
O4 - HKCU\..\Run: [rwkk] C:\ARCHIV~1\ARCHIV~1\rwkk\rwkkm.exe
O8 - Extra context menu item: &MyToolBar Search - res://C:\Archivos de programa\ToolBar888\MyToolBar.dll/MENUSEARCH.HTM
O15 - Trusted Zone: *.media-motor.net
O15 - Trusted Zone: *.mmohsix.com


* Make sure your Internet Explorer is closed and click on "Fix Checked" and exit HijackThis when finished.

* Using Windows Explorer, locate the following files/folders, and delete them if still present:

C:\mActiveX.exe <--file
C:\windows\system32\rphain.exe <--file
C:\windows\system32\iyxeh.exe <--file
C:\windows\system32\sufhssb.exe <--file
C:\windows\system32\xwgayvl.dll <--file
C:\windows\system32\wnvdt.dat <--file
C:\windows\system32\sufhssb.exe <--file
C:\windows\qkngy.dll <--file
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\kwsbo.exe <--file
C:\windows\qvbblb.dat <--file
C:\WINDOWS\newname.dat <--file
C:\WINDOWS\keyboard1.dat <--file
C:\windows\teller2.chk <--file
C:\windows\_MSRSTRT.EXE <--file
C:\Archivos de programa\Windows <--do not delete "windows NT"
C:\qoobox <--folder
C:\Archivos de programa\network monitor <--folder
C:\Archivos de programa\snowball wars <--folder
C:\Archivos de programa\Archivos comunes\rwkk <--folder
C:\Archivos de programa\InetGet2 <--folder
C:\Archivos de programa\TClock <--folder
C:\Archivos de programa\ToolBar888 <--folder

Please reboot back to normal mode and post a new Hijackthis log.
David
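
An added example, not part of David's instructions or of HijackThis itself: a Python script that parses the R/O entry lines of two HJT logs, reports which entries disappeared after the fix, and flags the kinds of entries singled out above (dangling "(file missing)" references, O15 Trusted Zone additions, autorun executables in the drive root, "?" characters in a path, executables launched from under a drivers folder). The heuristics are this example's own and the sample log excerpts are short constructed subsets of the two logs in this thread.

```python
"""Parse two HijackThis (HJT) logs, diff them, and flag entries a helper
would look at twice.  Heuristics are this example's own, not HJT's."""
import re
from dataclasses import dataclass

# An HJT entry line looks like "O4 - HKLM\..\Run: [name] path" or "R0 - ..."
LINE_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.*)$")


@dataclass(frozen=True)
class HjtEntry:
    section: str  # e.g. "O4"
    body: str     # everything after "O4 - "
    raw: str      # the original line, for reporting


def parse_hjt(text: str) -> list:
    """Keep only the R/O entry lines; the header and process list are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append(HjtEntry(m["section"], m["body"], line.strip()))
    return entries


def flag_entry(e: HjtEntry) -> list:
    """Defensive heuristics; each hit contributes a short reason string."""
    reasons = []
    if "(file missing)" in e.body or "(no file)" in e.body:
        reasons.append("dangling reference to a file that no longer exists")
    if e.section == "O15":
        reasons.append("site added to IE Trusted Zone (weakens browser security)")
    if e.section == "O4":
        # "C:\something.exe": an autorun binary sitting directly in the drive root
        if re.search(r'[A-Z]:\\[^\\\s"]+\.exe\b', e.body, re.I):
            reasons.append("autorun executable sitting in the drive root")
        # "?" inside a path component: HJT rendering a non-ASCII look-alike char
        if re.search(r"\\[^\\]*\?", e.body):
            reasons.append("unprintable/look-alike characters in the path")
        if re.search(r"\\drivers\\.*\.exe", e.body, re.I):
            reasons.append("user-mode executable launched from a drivers folder")
    if e.section == "O16" and e.body.lower().endswith(".dll"):
        reasons.append("ActiveX download points at a raw .dll instead of a .cab")
    return reasons


def diff_scans(before: str, after: str) -> dict:
    """Which entry lines disappeared after the fix, and which appeared."""
    b = [e.raw for e in parse_hjt(before)]
    a = [e.raw for e in parse_hjt(after)]
    return {"removed": [x for x in b if x not in a],
            "added": [x for x in a if x not in b]}


def still_flagged(after: str) -> dict:
    """Entries in the post-fix log that still trip a heuristic."""
    return {e.raw: r for e in parse_hjt(after) if (r := flag_entry(e))}


# Constructed sample: a handful of entry lines taken from the thread's first
# and second HJT logs (the real logs are much longer).
BEFORE_LOG = r"""
Logfile of HijackThis v1.99.1
Scan saved at 12:41:47, on 14/06/2006
O3 - Toolbar: BitComet Toolbar - {2E608F70-C430-4bc5-96F6-608E02EBA5B2} - C:\Archivos de programa\BitComet Toolbar\v2.0.0.1\BitComet_Toolbar.dll (file missing)
O4 - HKLM\..\Run: [ccApp] "C:\Archivos de programa\Archivos comunes\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Win643] C:\mActiveX.exe
O4 - HKCU\..\Run: [MSN Explorer] C:\windows\system32\drivers\helpsys\msnexplorer.exe
O4 - HKCU\..\Run: [Wsdgg] C:\Documents and Settings\user1\Mis documentos\?ssembly\c?rss.exe
O15 - Trusted Zone: *.media-motor.net
O16 - DPF: {E055C02E-6258-40FF-80A7-3BDA52FACAD7} (Installer Class) - http://activex.matcash.com/speedtest2.dll
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZONELABS\vsmon.exe
"""

AFTER_LOG = r"""
Logfile of HijackThis v1.99.1
Scan saved at 16:30:54, on 21/06/2006
O4 - HKLM\..\Run: [ccApp] "C:\Archivos de programa\Archivos comunes\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [MSN Explorer] C:\windows\system32\drivers\helpsys\msnexplorer.exe
O16 - DPF: {E055C02E-6258-40FF-80A7-3BDA52FACAD7} (Installer Class) - http://activex.matcash.com/speedtest2.dll
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZONELABS\vsmon.exe
"""

if __name__ == "__main__":
    d = diff_scans(BEFORE_LOG, AFTER_LOG)
    for line in d["removed"]:
        print("removed:", line)
    for line, reasons in still_flagged(AFTER_LOG).items():
        print("still present:", line, "->", "; ".join(reasons))
```

Run against the two full logs in this thread, the "still present" list is what a helper would follow up on next (here the helpsys entries and the matcash ActiveX installer).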

#12 BLEEP my computer

BLEEP my computer
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:12:11 PM

Posted 21 June 2006 - 09:34 AM

Hey D-Trojanator...

I did as you asked... and here is my new HJT log.

Are we getting closer to victory???

Thanks again! BLEEP!

Logfile of HijackThis v1.99.1
Scan saved at 16:30:54, on 21/06/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\windows\System32\smss.exe
C:\windows\system32\winlogon.exe
C:\windows\system32\services.exe
C:\windows\system32\lsass.exe
C:\windows\system32\svchost.exe
C:\windows\System32\svchost.exe
C:\Archivos de programa\Archivos comunes\Symantec Shared\ccSetMgr.exe
C:\Archivos de programa\Archivos comunes\Symantec Shared\SNDSrvc.exe
C:\Archivos de programa\Archivos comunes\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Archivos de programa\Archivos comunes\Symantec Shared\ccEvtMgr.exe
C:\windows\system32\spoolsv.exe
C:\windows\Explorer.EXE
C:\windows\system32\wfxsnt40.exe
C:\Archivos de programa\Java\jre1.5.0_06\bin\jusched.exe
C:\Archivos de programa\Archivos comunes\Logitech\QCDriver\LVCOMS.EXE
C:\Archivos de programa\HP\HP Software Update\HPWuSchd2.exe
C:\Archivos de programa\Archivos comunes\Symantec Shared\ccApp.exe
C:\Archivos de programa\Zone Labs\ZoneAlarm\zlclient.exe
C:\Archivos de programa\QuickTime\qttask.exe
C:\windows\system32\ctfmon.exe
C:\Archivos de programa\Symantec\WinFax\WFXCTL32.EXE
C:\Archivos de programa\Telefonica\Kit ADSL USB\DSLMON.exe
C:\Archivos de programa\HP\Digital Imaging\bin\hpqtra08.exe
C:\Archivos de programa\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Archivos de programa\D-Link AirPlus Xtreme G\AirPlus.exe
C:\Archivos de programa\D-Link AirPlus Xtreme G\Reg.exe
C:\Archivos de programa\ewido anti-malware\ewidoctrl.exe
C:\Archivos de programa\Norton AntiVirus\navapsvc.exe
C:\Archivos de programa\Norton AntiVirus\IWP\NPFMntor.exe
C:\windows\system32\svchost.exe
C:\Archivos de programa\Archivos comunes\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Archivos de programa\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\system32\ZONELABS\vsmon.exe
C:\Archivos de programa\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\WINDOWS\system32\WFXSVC.EXE
C:\Archivos de programa\Symantec\WinFax\WFXMOD32.EXE
C:\windows\system32\wuauclt.exe
C:\Archivos de programa\Messenger\msmsgs.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Archivos de programa\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Archivos de programa\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Archivos de programa\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [LVCOMS] C:\Archivos de programa\Archivos comunes\Logitech\QCDriver\LVCOMS.EXE
O4 - HKLM\..\Run: [DIGStream] C:\Archivos de programa\DIGStream\digstream.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Archivos de programa\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Evidence Eliminator] C:\Archivos de programa\Evidence Eliminator\ee.exe /m
O4 - HKLM\..\Run: [ccApp] "C:\Archivos de programa\Archivos comunes\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\ARCHIV~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [Zone Labs Client] C:\Archivos de programa\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Archivos de programa\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\windows\system32\ctfmon.exe
O4 - HKCU\..\Run: [Evidence Eliminator] C:\Archivos de programa\Evidence Eliminator\ee.exe /m
O4 - HKCU\..\Run: [MSN Explorer] C:\windows\system32\drivers\helpsys\msnexplorer.exe
O4 - HKCU\..\Run: [Intranet Explorer] C:\windows\system32\drivers\helpsys\iexplorer.exe
O4 - HKCU\..\Run: [TClock.exe] C:\Archivos de programa\TClock\tclock_install.exe
O4 - HKCU\..\Run: [rwkk] C:\ARCHIV~1\ARCHIV~1\rwkk\rwkkm.exe
O4 - Global Startup: Desktop Manager.lnk = C:\Archivos de programa\Research In Motion\BlackBerry\DesktopMgr.exe
O4 - Global Startup: Controller.LNK = C:\Archivos de programa\Symantec\WinFax\WFXCTL32.EXE
O4 - Global Startup: Consola KIT ADSL.lnk = C:\Archivos de programa\Telefonica\Kit ADSL USB\DSLMON.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Archivos de programa\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Archivos de programa\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: ACS.lnk = ?
O4 - Global Startup: D-Link AirPlus Xtreme G Configuration Utility.lnk = ?
O4 - Global Startup: D-Link REG Utility.lnk = ?
O8 - Extra context menu item: &MyToolBar Search - res://C:\Archivos de programa\ToolBar888\MyToolBar.dll/MENUSEARCH.HTM
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Archivos de programa\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\ARCHIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Archivos de programa\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Archivos de programa\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Archivos de programa\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Consola de Sun Java - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Archivos de programa\Yahoo!\Common\yiesrvc.dll (file missing)
O9 - Extra button: Referencia - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARCHIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.symantec.com/techsupp/as...rl/LSSupCtl.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by116fd.bay116.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {7DFDB8FD-B498-4958-B930-38021B94351D} (imlUCID Class) - http://imlive.com/chatsource/ImlCID.cab
O16 - DPF: {B9A296D4-38AC-4566-8168-F7ACAF7D35E6} (Eyeball Video Session Control) - http://imlive.com/ChatSource/gVideoContol.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/as...rl/SymAData.cab
O16 - DPF: {E055C02E-6258-40FF-80A7-3BDA52FACAD7} (Installer Class) - http://activex.matcash.com/speedtest2.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{144EAFA7-3EEB-4F5F-ADA0-F097E6C06CC7}: NameServer = 80.58.0.33,80.58.32.97
O17 - HKLM\System\CS1\Services\Tcpip\..\{144EAFA7-3EEB-4F5F-ADA0-F097E6C06CC7}: NameServer = 80.58.0.33,80.58.32.97
O17 - HKLM\System\CS2\Services\Tcpip\..\{144EAFA7-3EEB-4F5F-ADA0-F097E6C06CC7}: NameServer = 80.58.0.33,80.58.32.97
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\ARCHIV~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Archivos de programa\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Archivos de programa\Archivos comunes\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Archivos de programa\Archivos comunes\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Archivos de programa\Archivos comunes\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Archivos de programa\ewido anti-malware\ewidoctrl.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\ARCHIV~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Servicio Auto-Protect de Norton AntiVirus (navapsvc) - Symantec Corporation - C:\Archivos de programa\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Archivos de programa\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Archivos de programa\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\ARCHIV~1\ARCHIV~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Archivos de programa\Archivos comunes\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Archivos de programa\Archivos comunes\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Archivos de programa\Archivos comunes\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZONELABS\vsmon.exe
O23 - Service: WinFax PRO (wfxsvc) - Symantec Corporation - C:\WINDOWS\system32\WFXSVC.EXE

#13 -David-

-David-

  • Members
  • 10,603 posts
  • OFFLINE
  • Gender:Male
  • Location:London
  • Local time:11:11 AM

Posted 21 June 2006 - 01:22 PM

Can you post a new ComboFix log please.
The Hijackthis log is looking much better, but we aren't done yet.
David

#14 BLEEP my computer

BLEEP my computer
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:12:11 PM

Posted 21 June 2006 - 05:47 PM

What's crackin'?

Here you go... have it!

Start Time= 22/06/2006 0:40:06,00
Running from: C:\DOCUME~1\USER1\ESCRIT~1\COMBOFIX.EXE

QuickScan did not find any signs of infected files

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-06-18 00:56:48 9211 ( A.... ) "C:\BFU qoofix.bat"
2006-06-18 00:42:32 9211 ( A.... ) "C:\BFU.bat"
2006-06-18 00:36:50 ( .D... ) "C:\Archivos de programa\ewido anti-malware"
2006-06-15 13:19:14 ( .D... ) "C:\Archivos de programa\QuickTime"
2006-06-14 11:40:10 ( .D... ) "C:\Archivos de programa\Zone Labs"
2006-06-14 00:17:20 ( .D... ) "C:\Archivos de programa\Archivos comunes\InetGet"
2006-06-13 12:49:36 ( .D... ) "C:\Archivos de programa\a-squared"
2006-06-12 02:26:34 ( .D... ) "C:\Archivos de programa\InetGet2"
2006-06-08 12:08:36 534208 ( A.... ) "C:\WINDOWS\system32\SymNeti.dll"
2006-06-08 12:08:36 161472 ( A.... ) "C:\WINDOWS\system32\SymRedir.dll"
2006-05-17 11:23:38 579888 ( ..... ) "C:\WINDOWS\system32\LegitCheckControl.dll"
2006-05-16 14:34:38 87808 ( A.... ) "C:\WINDOWS\system32\S32EVNT1.DLL"
2006-05-15 18:24:34 466944 ( A.... ) "C:\WINDOWS\system32\capicom.dll"
2006-04-03 11:40:10 14048 ( ..... ) "C:\WINDOWS\system32\spmsg.dll"


((((((((((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"WinFaxAppPortStarter"="wfxsnt40.exe"
"UserFaultCheck"=hex(2):25,73,79,73,74,65,6d,72,6f,6f,74,25,5c,73,79,73,74,65,\
6d,33,32,5c,64,75,6d,70,72,65,70,20,30,20,2d,75,00
"SunJavaUpdateSched"="C:\\Archivos de programa\\Java\\jre1.5.0_06\\bin\\jusched.exe"
"REGSHAVE"="C:\\Archivos de programa\\REGSHAVE\\REGSHAVE.EXE /AUTORUN"
"LVCOMS"="C:\\Archivos de programa\\Archivos comunes\\Logitech\\QCDriver\\LVCOMS.EXE"
"DIGStream"="C:\\Archivos de programa\\DIGStream\\digstream.exe"
"HP Software Update"="C:\\Archivos de programa\\HP\\HP Software Update\\HPWuSchd2.exe"
"Evidence Eliminator"="C:\\Archivos de programa\\Evidence Eliminator\\ee.exe /m"
"Zone Labs Client"="C:\\Archivos de programa\\Zone Labs\\ZoneAlarm\\zlclient.exe"
"QuickTime Task"="\"C:\\Archivos de programa\\QuickTime\\qttask.exe\" -atboottime"
"ccApp"="\"C:\\Archivos de programa\\Archivos comunes\\Symantec Shared\\ccApp.exe\""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoActiveDesktopChanges"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ctfmon.exe"="C:\\windows\\system32\\ctfmon.exe"
"Evidence Eliminator"="C:\\Archivos de programa\\Evidence Eliminator\\ee.exe /m"
"MSN Explorer"="C:\\windows\\system32\\drivers\\helpsys\\msnexplorer.exe"
"Intranet Explorer"="C:\\windows\\system32\\drivers\\helpsys\\iexplorer.exe"
"TClock.exe"="C:\\Archivos de programa\\TClock\\tclock_install.exe"
"rwkk"="C:\\ARCHIV~1\\ARCHIV~1\\rwkk\\rwkkm.exe"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run]
"WinUpdate.exe"="C:\\Archivos de programa\\Windows\\WinUpdate.exe"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=dword:00000000
"NoDispAppearancePage"=dword:00000000
"NoColorChoice"=dword:00000000
"NoSizeChoice"=dword:00000000
"NoDispBackgroundPage"=dword:00000000
"NoDispScrSavPage"=dword:00000000
"NoDispCPL"=dword:00000000
"NoVisualStyleChoice"=dword:00000000
"NoDispSettingsPage"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="Mi página de inicio actual"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,00,03,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,52,01,00,00,23,00,00,00,7c,00,00,00,72,00,\
00,00,01,00,00,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\system32\\CTFMON.EXE"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\system32\\CTFMON.EXE"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Precargador Browseui"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Demonio de caché de las categorías de componente"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{A213B520-C6C2-11d0-AF9D-008029E1027E}"=""
"{54D9498B-CF93-414F-8984-8CE7FDE0D391}"="ewido shell guard"


Contents of the 'Scheduled Tasks' folder
C:\windows\tasks\Norton AntiVirus - Ejecutar análisis de todo el sistema - user1.job

Completion time: 22/06/2006 0:42:10,60
ComboFix ver 06.06.19 - This logfile is located at C:\ComboFix.txt

#15 -David-

-David-

  • Members
  • 10,603 posts
  • OFFLINE
  • Gender:Male
  • Location:London
  • Local time:11:11 AM

Posted 22 June 2006 - 05:08 AM

Hi Bleep!

Just a few more files to delete now, but we are going to have to force them to go.

* Download KillBox from here
- Click killbox.exe.
- Select the option "Delete on reboot".
- Click the button: All Files (!important!)
- Now it should flash green.

Now copy the next bold part:

C:\windows\system32\drivers\helpsys\msnexplorer.exe
C:\windows\system32\drivers\helpsys\iexplorer.exe
C:\Archivos de programa\TClock
C:\Archivos de programa\Windows
C:\Archivos de programa\Archivos comunes\rwkk


- Open 'File' in the Killbox menu on top and choose Paste from clipboard
- Then press the button that looks like a red circle with a white X in it.
- Killbox will tell you that all listed files will be removed on next reboot and asks if you would like to Reboot now, click YES
- If you don't get that message, reboot manually.
- Your computer should reboot now.

Ignore the errors you'll get after reboot; that's normal, and they will be gone after performing the next steps. Please post back with a new ComboFix log and a HijackThis log, and let me know how the computer is running.
David



