Trojan-Downloader.Win32.Conhook.v, i need some help here Options

[mongou]

Ive got this trojan for a long time " Trojan-Downloader.Win32.Conhook.v ".AVP detects it but it cant remove it cos it restarts my computer over and over again and it says that this trojan cant be removed. Ive tried programs like Killbox, unlocker,etc and i tried to run the programs on safe mode but any of them couldnt remove the infected file which is awtss.dll in the folder "Windows-> system 32 ".
If someone could check my hijackthis log i'd really appreciate it alot.
Thanks.
Marina.


Logfile of HijackThis v1.99.1
Scan saved at 19:29:15, on 16/01/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\rundll32.exe
C:\Archivos de programa\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\System32\rundll32.exe
C:\Archivos de programa\Ahead\InCD\InCD.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Archivos de programa\Messenger\msmsgs.exe
C:\Archivos de programa\OpenOffice.org 2.0\program\soffice.exe
C:\Archivos de programa\OpenOffice.org 2.0\program\soffice.BIN
C:\WINDOWS\system32\cmd.exe
C:\Archivos de programa\MSN Messenger\msnmsgr.exe
C:\Archivos de programa\Internet Explorer\iexplore.exe
C:\Archivos de programa\Windows Media Player\wmplayer.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Administrador\Mis documentos\Programas\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.es/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
O2 - BHO: (no name) - {00DBDAC8-4691-4797-8E6A-7C6AB89BC441} - C:\WINDOWS\System32\awtss.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\WINDOWS\Temp\Reader\ActiveX\AcroIEHelper.ocx (file missing)
O2 - BHO: Zango Search Assistant Helper - {56F1D444-11BF-4879-A12B-79CF0177F038} - c:\archivos de programa\zango\zangohook.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Archivos de programa\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [MediaGateway] C:\Archivos de programa\MediaGateway\MediaGateway.exe
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\System32\yqryoc.exe reg_run
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [stnospy] C:\Archivos de programa\SinEspias\No-Spy.exe /autorun
O4 - HKLM\..\Run: [WinDLL (svchost32.dll)] rundll32.exe C:\WINDOWS\System32\svchost32.dll,start
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Archivos de programa\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [KAVPersonal50] C:\Archivos de programa\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe /minimize
O4 - HKLM\..\Run: [WinDLL (svchost.dll)] rundll32.exe C:\WINDOWS\System32\svchost.dll,start
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Archivos de programa\Ahead\InCD\InCD.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Archivos de programa\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Jet Detection] C:\Archivos de programa\Creative\SBAudigy\PROGRAM\ADGJDet.exe
O4 - Startup: OpenOffice.org 2.0.lnk = C:\Archivos de programa\OpenOffice.org 2.0\program\quickstart.exe
O8 - Extra context menu item: =>&Español - http:\\wordreference.com\es\j\iees69.htm
O8 - Extra context menu item: =>English - http:\\wordreference.com\es\en\j\iespen109.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Consola de Sun Java - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.5.0_06\bin\ssv.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/kav...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/SSC/SharedCon...bin/AvSniff.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1135803205748
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1135803898889
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {AD08A333-609E-11D3-950C-008098601567} - http://wordreference.com/Install/Spanish%20to%20English.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (ASquaredScanForm Element) - http://www.windowsecurity.com/trojanscan/axscan.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\ARCHIV~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: awtss - C:\WINDOWS\SYSTEM32\awtss.dll
O20 - Winlogon Notify: jkhhe - jkhhe.dll (file missing)
O20 - Winlogon Notify: pmnll - pmnll.dll (file missing)
O23 - Service: csvhost - Unknown owner - C:\WINDOWS\System32\csvhost.exe (file missing)
O23 - Service: kasjduijeuusdfs (dllhost32) - Unknown owner - C:\WINDOWS\System32\scvhost32dll.exe (file missing)
O23 - Service: kavsvc - Kaspersky Lab - C:\Archivos de programa\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
O23 - Service: cyberz mansor (mansor) - Unknown owner - C:\WINDOWS\mansor.exe (file missing)
O23 - Service: nvidGUIv (nvidGUIv2) - Unknown owner - C:\WINDOWS\nvidGUIv.exe (file missing)
O23 - Service: microsoft service host 32 (scvhost 32) - Unknown owner - C:\WINDOWS\System32\scvhost32.exe (file missing)

[LoPhatPhuud]

First:
Open a Command Prompt Window (Start -> Run -> cmd)
Enter the following commands: (then press 'Enter')
sc stop csvhost
sc delete csvhost
sc stop dllhost32
sc delete dllhost32
sc stop nvidGUIv2
sc delete nvidGUIv2
sc stop "scvhost 32"
sc delete "scvhost 32"
exit


Note: It is ok if any of the 'stop' commands fail. That merely indicates that the service is not running


Second:
Before we start fixing anything you may want to PRINT and keep all instructions handy for use in Safe Mode.

Please disable Microsoft Anti-Spyware and/or Spybot TeaTimer if you have them installed so they do not interfere with the fix. You can re-enable these programs when you're finished with all other instructions.

Please download VundoFix.exe to your desktop.
1. Double-click VundoFix.exe to extract the files
2. This will create a VundoFix folder on your desktop.
3. After the files are extracted, please reboot your computer into "Safe Mode". You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight "Safe Mode" then hit enter.
4. Once in "Safe Mode" open the VundoFix folder and double-click on KillVundo.bat
5. You will first be presented with a warning.
It should look like this:

VundoFix V2.13 by Atri
By using VundoFix you agree that you are doing so at your own risk
Press enter to continue....

6. At this point press "Enter" one time.
7. Next you will see:

Please type in the filepath as instructed by the forum staff
and then Press Enter:.

8. At this point please type the following file path (make sure to enter it exactly as below):
C:\WINDOWS\System32\awtss.dll

9. Press "Enter" to continue with the fix.

10. Next you will see:

Please type in the second filepath as instructed by the forum
staff and then press Enter:

11. At this point please type the following file path (make sure to enter it exactly as below):
C:\WINDOWS\System32\sstwa.*

[This will be the vundo filename spelled backwards followed by a (.*)]

12. Press "Enter" to continue with the fix.
13. The fix will run and HijackThis will open. If it does not open automatically, please open it manually.

In HijackThis, please place a check next to the following items:
O2 - BHO: (no name) - {00DBDAC8-4691-4797-8E6A-7C6AB89BC441} - C:\WINDOWS\System32\awtss.dll

O20 - Winlogon Notify: awtss - C:\WINDOWS\SYSTEM32\awtss.dll
O20 - Winlogon Notify: jkhhe - jkhhe.dll (file missing)
O20 - Winlogon Notify: pmnll - pmnll.dll (file missing)


After checking these items CLOSE ALL open windows EXCEPT HijackThis and click "Fix Checked."

14. After you have fixed these items, close Hijackthis.
15. Press "Enter" to exit the program, then manually reboot your computer..
16. Once your machine reboots please continue with the instructions below.

Download and install CCleaner
1. Before first use, select Options > Advanced and UNCHECK "Only delete files in Windows Temp folder older than 48 hours"
2. Then select the items you wish to clean up.

In the Windows Tab:
• Clean all entries in the "Internet Explorer" section except Cookies.
• Clean all the entries in the "Windows Explorer" section.
• Clean all entries in the "System" section.
• Clean all entries in the "Advanced" section.
• Clean any others that you choose.

In the Applications Tab:
• Clean all except cookies in the Firefox/Mozilla section if you use it.
• Clean all in the Opera section if you use it.
• Clean Sun Java in the Internet Section.
• Clean any others that you choose.

3. Click the "Run Cleaner" button.
4. A pop up box will appear advising this process will permanently delete files from your system.
5. Click "OK" and it will scan and clean your system.
6. Click "exit" when done.

Next run Panda's online ActiveScan.

Save the results of the scan, reboot and copy/paste them back here along with a new HiJackThis log and the vundofix.txt file from the vundofix folder.


If the Vundofix does not work or the user CANNOT BOOT INTO SAFE MODE, try using Adware-Virtumundo Removal Tool v1.2.

Quote:
Please download VirtumundoBeGone.exe:
1. Save it to your Desktop.
2. Locate and double-click VirtumundoBeGone.exe to run it.
3. Follow the instructions.
4. When the tool has finished running, exit and post the log that is produced.
5. Reboot your PC and post a fresh HJT log AND a description of how your PC is running.

If Virtumundo is NOT found, the tool will exit showing the log file.

If Virtumundo is found it will do the following:
Version 1.1
Create a Date/Time Stamped log file (VBG.TXT) on the All Users profile's Desktop.
Kill Internet Explorer and Explorer processes.
Rename the infected files with a .Vir extension (this is disable them from being run)
Remove the Browser Helper Object registry key
Adds a registry value to block file from running in Internet Explorer again.
Remove the Winlogon Notify registry key
Automatically restart the computer (via STOP error)
Note: This is a BLUE SCREEN "Fatal Error" Message. It is normal and expected. The tool ends an important Windows Process that was protecting the file and NT Security STOPS the system as soon as it detects this is happening.

VirusScan will now be able to remove the files normally when you run an on-demand scan.

Then run your antivirus or Ewido to remove any left over files and then post a fresh hjt log & the report from this tool.

Note: This tools does not remove the WinFixer application. WinFixer alone does not cause popups or disrupt the system. If WinFixer was installed on your system because Adware or a Trojan Downloader installed it without your permission, please remove it using the Add/Remove Programs Control Panel Applet.


Third:
Reboot in Safe Mode* and run HiJackThis. <-- IMPORTANT

Check the following items in HijackThis.
(note: If any R* items mark for deletion, do not appear in Safe Mode, re-run HiJackThis in Normal Mode and remove them after you finish removing these items.)
O2 - BHO: Zango Search Assistant Helper - {56F1D444-11BF-4879-A12B-79CF0177F038} - c:\archivos de programa\zango\zangohook.dll (file missing)

O4 - HKLM\..\Run: [winsync] C:\WINDOWS\System32\yqryoc.exe reg_run
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [stnospy] C:\Archivos de programa\SinEspias\No-Spy.exe /autorun
O4 - HKLM\..\Run: [WinDLL (svchost32.dll)] rundll32.exe C:\WINDOWS\System32\svchost32.dll,start
O4 - HKLM\..\Run: [WinDLL (svchost.dll)] rundll32.exe C:\WINDOWS\System32\svchost.dll,start

O23 - Service: csvhost - Unknown owner - C:\WINDOWS\System32\csvhost.exe (file missing)
O23 - Service: kasjduijeuusdfs (dllhost32) - Unknown owner - C:\WINDOWS\System32\scvhost32dll.exe (file missing)
O23 - Service: cyberz mansor (mansor) - Unknown owner - C:\WINDOWS\mansor.exe (file missing)
O23 - Service: nvidGUIv (nvidGUIv2) - Unknown owner - C:\WINDOWS\nvidGUIv.exe (file missing)
O23 - Service: microsoft service host 32 (scvhost 32) - Unknown owner - C:\WINDOWS\System32\scvhost32.exe (file missing)

Close all windows except HijackThis and click Fix checked.


While still in Safe Mode*, delete the following: (you may need to show hidden files**)
(Files specified without a full path will be located in C:\Windows\ or C:\Windows\System32\)
c:\archivos de programa\zango\ <--delete entire folder
C:\WINDOWS\System32\yqryoc.exe
C:\WINDOWS\Updreg.exe
C:\Archivos de programa\SinEspias\ <--delete entire folder
C:\WINDOWS\System32\svchost32.dll
C:\WINDOWS\System32\svchost.dll
C:\WINDOWS\System32\csvhost.exe
C:\WINDOWS\mansor.exe
C:\WINDOWS\nvidGUIv.exe
C:\WINDOWS\System32\scvhost32.exe

*How to Boot into Safe mode: http://service1.symantec.com/SUPPORT/tsgen...001052409420406
**Show Hidden and System files and folders: http://www.xtra.co.nz/help/0,,4155-1916458,00.html

Also, uncheck the boxes for hiding known file extensions and hiding protected operating system files. We want to see it all. When we finish here, it would be a good idea to rehide the protected operating system files but leave the rest to be shown.

Reboot in normal mode

Run HiJackThis again and post a new log in this thread.


Last:
Please download SilentRunners from here:
http://www.silentrunners.org/Silent%20Runners.zip
Unzip it to the desktop and double-click on it.
If you get any kind of warning message about scripts, please choose to allow the script to run.
When the scan is finished, a message will pop up and a logfile will have been created on the desktop.
Please post the entire contents of this logfile for me to see.

[mongou]

First of all thanks a lot for helping me!! Ive just finished with the second step u wrote. The Trojan-Downloader.Win32.Conhook.v seems disappeared but now i think ve got some more!! anyway,i post u the results of the panda scan,a new hijackthis log and the vundofix.txt.

ACTIVESCAN


Incident Status Location

Virus:Bck/Agent.AAW Disinfected Operating system
Virus:Trj/Pintxatore.P Disinfected Operating system
Adware:Adware/DollarRevenue Not disinfected C:\WINDOWS\System32\gebyx.dll
Adware:adware/adsmart Not disinfected C:\WINDOWS\SYSTEM32\svchost.dll
Adware:adware/dollarrevenue Not disinfected C:\WINDOWS\timessquare1.dat
Adware:adware/wupd Not disinfected C:\ARCHIVOS DE PROGRAMA\MediaGateway
Spyware:spyware/virtumonde Not disinfected Windows Registry
Potentially unwanted tool:application/zango Not disinfected HKEY_CLASSES_ROOT\CLSID\{56F1D444-11BF-4879-A12B-79CF0177F038}
Adware:adware/xplugin Not disinfected Windows Registry
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Administrador\Cookies\administrador@atdmt[2].txt
Spyware:Cookie/Reliablestats Not disinfected C:\Documents and Settings\Administrador\Cookies\administrador@stats1.reliablestats[1].txt
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Administrador\Cookies\administrador@tribalfusion[1].txt
Spyware:Cookie/WinFixer Not disinfected C:\Documents and Settings\Administrador\Cookies\administrador@winfixer[2].txt
Adware:Adware/DollarRevenue Not disinfected C:\ca32.exe[rm32.dll]
Adware:Adware/DollarRevenue Not disinfected C:\Documents and Settings\Administrador\Configuración local\Archivos temporales de Internet\Content.IE5\IHWTKLOZ\ca32[1].zip[rm32.dll]
Adware:Adware/DollarRevenue Not disinfected C:\Documents and Settings\Administrador\Configuración local\Temp\tmp0001a4c6
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Administrador\Cookies\administrador@atdmt[2].txt
Spyware:Cookie/Reliablestats Not disinfected C:\Documents and Settings\Administrador\Cookies\administrador@stats1.reliablestats[1].txt
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Administrador\Cookies\administrador@tribalfusion[1].txt
Spyware:Cookie/WinFixer Not disinfected C:\Documents and Settings\Administrador\Cookies\administrador@winfixer[2].txt
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Administrador\Escritorio\VundoFix\VundoFix\process.exe
Adware:Adware/DollarRevenue Not disinfected C:\WINDOWS\system32\awtsp.dll
Adware:Adware/DollarRevenue Not disinfected C:\WINDOWS\system32\awtsr.dll
Adware:Adware/DollarRevenue Not disinfected C:\WINDOWS\system32\awvvu.dll
Adware:Adware/DollarRevenue Not disinfected C:\WINDOWS\system32\ca32.exe[rm32.dll]
Adware:Adware/DollarRevenue Not disinfected C:\WINDOWS\system32\ddccc.dll
Adware:Adware/DollarRevenue Not disinfected C:\WINDOWS\system32\gebyx.dll
Adware:Adware/DollarRevenue Not disinfected C:\WINDOWS\system32\geebc.dll
Adware:Adware/DollarRevenue Not disinfected C:\WINDOWS\system32\geebx.dll
Virus:Trj/Pintxatore.P Not disinfected C:\WINDOWS\system32\stealth.exe[stealth.dll]
Virus:Bck/Agent.AAW Disinfected C:\WINDOWS\system32\svchost.dll
Virus:Trj/Pintxatore.P Disinfected C:\WINDOWS\system32\svchost32.dll
HIJACKTHIS LOG

Logfile of HijackThis v1.99.1
Scan saved at 21:40:37, on 19/01/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\rundll32.exe
C:\Archivos de programa\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\System32\rundll32.exe
C:\Archivos de programa\Ahead\InCD\InCD.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Archivos de programa\Messenger\msmsgs.exe
C:\Archivos de programa\OpenOffice.org 2.0\program\soffice.exe
C:\Archivos de programa\OpenOffice.org 2.0\program\soffice.BIN
C:\Archivos de programa\Internet Explorer\iexplore.exe
C:\Archivos de programa\MSN Messenger\msnmsgr.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Archivos de programa\Windows Media Player\wmplayer.exe
C:\Documents and Settings\Administrador\Mis documentos\Programas\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.es/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
O2 - BHO: (no name) - {00DBDAC8-4691-4797-8E6A-7C6AB89BC441} - C:\WINDOWS\system32\awtss.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\WINDOWS\Temp\Reader\ActiveX\AcroIEHelper.ocx (file missing)
O2 - BHO: Zango Search Assistant Helper - {56F1D444-11BF-4879-A12B-79CF0177F038} - c:\archivos de programa\zango\zangohook.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Archivos de programa\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: ATLDistrib Object - {83A5F7B7-DC75-44CE-9195-264F41709FA9} - C:\WINDOWS\System32\mljgf.dll
O2 - BHO: (no name) - {EA32FB3B-21C9-42cc-B8EF-01A9B28EDB0D} - C:\WINDOWS\System32\gebyx.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [MediaGateway] C:\Archivos de programa\MediaGateway\MediaGateway.exe
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\System32\yqryoc.exe reg_run
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [stnospy] C:\Archivos de programa\SinEspias\No-Spy.exe /autorun
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Archivos de programa\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [KAVPersonal50] C:\Archivos de programa\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe /minimize
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Archivos de programa\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [WinDLL (jbi32.dll)] rundll32.exe C:\WINDOWS\System32\jbi32.dll,start
O4 - HKLM\..\Run: [winsysupd] C:\windows\winsysupd.exe
O4 - HKLM\..\RunOnce: [Panda_cleaner_247591] C:\WINDOWS\System32\ActiveScan\pavdr.exe 247591
O4 - HKLM\..\RunOnce: [Panda_cleaner_241108] C:\WINDOWS\System32\ActiveScan\pavdr.exe 241108
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Archivos de programa\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Jet Detection] C:\Archivos de programa\Creative\SBAudigy\PROGRAM\ADGJDet.exe
O4 - Startup: OpenOffice.org 2.0.lnk = C:\Archivos de programa\OpenOffice.org 2.0\program\quickstart.exe
O8 - Extra context menu item: =>&Español - http:\\wordreference.com\es\j\iees69.htm
O8 - Extra context menu item: =>English - http:\\wordreference.com\es\en\j\iespen109.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Consola de Sun Java - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.5.0_06\bin\ssv.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/kav...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/SSC/SharedCon...bin/AvSniff.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1135803205748
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1135803898889
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {AD08A333-609E-11D3-950C-008098601567} - http://wordreference.com/Install/Spanish%20to%20English.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (ASquaredScanForm Element) - http://www.windowsecurity.com/trojanscan/axscan.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\ARCHIV~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: awtss - awtss.dll (file missing)
O20 - Winlogon Notify: gebyx - C:\WINDOWS\SYSTEM32\gebyx.dll
O20 - Winlogon Notify: jkhhe - jkhhe.dll (file missing)
O20 - Winlogon Notify: mljgf - C:\WINDOWS\System32\mljgf.dll
O20 - Winlogon Notify: pmnll - pmnll.dll (file missing)
O23 - Service: kavsvc - Kaspersky Lab - C:\Archivos de programa\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
O23 - Service: cyberz mansor (mansor) - Unknown owner - C:\WINDOWS\mansor.exe (file missing)
O23 - Service: microsoft service host 32 (scvhost 32) - Unknown owner - C:\WINDOWS\System32\scvhost32.exe (file missing)


VUNDOFIX

--------------------------------------------------------------------------------------

Log from Process
--------------------------------------------------------------------------------------


Killing PID 144 'smss.exe'

Killing PID 748 'explorer.exe'
Killing PID 748 'explorer.exe'
Killing PID 748 'explorer.exe'


Killing PID 216 'winlogon.exe'
Killing PID 216 'winlogon.exe'
Error 0x5 : Acceso denegado.

--------------------------------------------------------------------------------------

C:\WINDOWS\System32\awtss.dll Deleted sucessfully.
C:\WINDOWS\System32\sstwa.* Deleted sucessfully.

Fixing Registry
--------------------------------------------------------------------------------------


Now Im goin with the third step!! Thanks a lot!!!

[LoPhatPhuud]

First:
Before we start fixing anything you may want to PRINT and keep all instructions handy for use in Safe Mode.

Please disable Microsoft Anti-Spyware and/or Spybot TeaTimer if you have them installed so they do not interfere with the fix. You can re-enable these programs when you're finished with all other instructions.

Please download VundoFix.exe to your desktop.
1. Double-click VundoFix.exe to extract the files
2. This will create a VundoFix folder on your desktop.
3. After the files are extracted, please reboot your computer into "Safe Mode". You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight "Safe Mode" then hit enter.
4. Once in "Safe Mode" open the VundoFix folder and double-click on KillVundo.bat
5. You will first be presented with a warning.
It should look like this:

VundoFix V2.13 by Atri
By using VundoFix you agree that you are doing so at your own risk
Press enter to continue....

6. At this point press "Enter" one time.
7. Next you will see:

Please type in the filepath as instructed by the forum staff
and then Press Enter:.

8. At this point please type the following file path (make sure to enter it exactly as below):
C:\WINDOWS\System32\mljgf.dll

9. Press "Enter" to continue with the fix.

10. Next you will see:

Please type in the second filepath as instructed by the forum
staff and then press Enter:

11. At this point please type the following file path (make sure to enter it exactly as below):
C:\WINDOWS\System32\fgjlm.*

[This will be the vundo filename spelled backwards followed by a (.*)]

12. Press "Enter" to continue with the fix.
13. The fix will run and HijackThis will open. If it does not open automatically, please open it manually.

In HijackThis, please place a check next to the following items:
O2 - BHO: ATLDistrib Object - {83A5F7B7-DC75-44CE-9195-264F41709FA9} - C:\WINDOWS\System32\mljgf.dll

O20 - Winlogon Notify: mljgf - C:\WINDOWS\System32\mljgf.dll

After checking these items CLOSE ALL open windows EXCEPT HijackThis and click "Fix Checked."

14. After you have fixed these items, close Hijackthis.
15. Press "Enter" to exit the program, then manually reboot your computer..
16. Once your machine reboots please continue with the instructions below.

Download and install CCleaner
1. Before first use, select Options > Advanced and UNCHECK "Only delete files in Windows Temp folder older than 48 hours"
2. Then select the items you wish to clean up.

In the Windows Tab:
• Clean all entries in the "Internet Explorer" section except Cookies.
• Clean all the entries in the "Windows Explorer" section.
• Clean all entries in the "System" section.
• Clean all entries in the "Advanced" section.
• Clean any others that you choose.

In the Applications Tab:
• Clean all except cookies in the Firefox/Mozilla section if you use it.
• Clean all in the Opera section if you use it.
• Clean Sun Java in the Internet Section.
• Clean any others that you choose.

3. Click the "Run Cleaner" button.
4. A pop up box will appear advising this process will permanently delete files from your system.
5. Click "OK" and it will scan and clean your system.
6. Click "exit" when done.

Next run Panda's online ActiveScan.

Save the results of the scan, reboot and copy/paste them back here along with a new HiJackThis log and the vundofix.txt file from the vundofix folder.


If the Vundofix does not work or the user CANNOT BOOT INTO SAFE MODE, try using Adware-Virtumundo Removal Tool v1.2.

Quote:
Please download VirtumundoBeGone.exe:
1. Save it to your Desktop.
2. Locate and double-click VirtumundoBeGone.exe to run it.
3. Follow the instructions.
4. When the tool has finished running, exit and post the log that is produced.
5. Reboot your PC and post a fresh HJT log AND a description of how your PC is running.

If Virtumundo is NOT found, the tool will exit showing the log file.

If Virtumundo is found it will do the following:
Version 1.1
Create a Date/Time Stamped log file (VBG.TXT) on the All Users profile's Desktop.
Kill Internet Explorer and Explorer processes.
Rename the infected files with a .Vir extension (this is disable them from being run)
Remove the Browser Helper Object registry key
Adds a registry value to block file from running in Internet Explorer again.
Remove the Winlogon Notify registry key
Automatically restart the computer (via STOP error)
Note: This is a BLUE SCREEN "Fatal Error" Message. It is normal and expected. The tool ends an important Windows Process that was protecting the file and NT Security STOPS the system as soon as it detects this is happening.

VirusScan will now be able to remove the files normally when you run an on-demand scan.

Then run your antivirus or Ewido to remove any left over files and then post a fresh hjt log & the report from this tool.

Note: This tools does not remove the WinFixer application. WinFixer alone does not cause popups or disrupt the system. If WinFixer was installed on your system because Adware or a Trojan Downloader installed it without your permission, please remove it using the Add/Remove Programs Control Panel Applet.


Second:
Reboot in Safe Mode* and run HiJackThis. <-- IMPORTANT

Check the following items in HijackThis.
(note: If any R* items mark for deletion, do not appear in Safe Mode, re-run HiJackThis in Normal Mode and remove them after you finish removing these items.)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com

O2 - BHO: (no name) - {00DBDAC8-4691-4797-8E6A-7C6AB89BC441} - C:\WINDOWS\system32\awtss.dll (file missing)
O2 - BHO: Zango Search Assistant Helper - {56F1D444-11BF-4879-A12B-79CF0177F038} - c:\archivos de programa\zango\zangohook.dll (file missing)
O2 - BHO: ATLDistrib Object - {83A5F7B7-DC75-44CE-9195-264F41709FA9} - C:\WINDOWS\System32\mljgf.dll
O2 - BHO: (no name) - {EA32FB3B-21C9-42cc-B8EF-01A9B28EDB0D} - C:\WINDOWS\System32\gebyx.dll

O4 - HKLM\..\Run: [MediaGateway] C:\Archivos de programa\MediaGateway\MediaGateway.exe
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\System32\yqryoc.exe reg_run
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [stnospy] C:\Archivos de programa\SinEspias\No-Spy.exe /autorun
O4 - HKLM\..\Run: [WinDLL (jbi32.dll)] rundll32.exe C:\WINDOWS\System32\jbi32.dll,start
O4 - HKLM\..\Run: [winsysupd] C:\windows\winsysupd.exe

O20 - Winlogon Notify: awtss - awtss.dll (file missing)
O20 - Winlogon Notify: gebyx - C:\WINDOWS\SYSTEM32\gebyx.dll
O20 - Winlogon Notify: jkhhe - jkhhe.dll (file missing)
O20 - Winlogon Notify: mljgf - C:\WINDOWS\System32\mljgf.dll
O20 - Winlogon Notify: pmnll - pmnll.dll (file missing)

O23 - Service: cyberz mansor (mansor) - Unknown owner - C:\WINDOWS\mansor.exe (file missing)
O23 - Service: microsoft service host 32 (scvhost 32) - Unknown owner - C:\WINDOWS\System32\scvhost32.exe (file missing)


Close all windows except HijackThis and click Fix checked.


While still in Safe Mode*, delete the following: (you may need to show hidden files**)
(Files specified without a full path will be located in C:\Windows\ or C:\Windows\System32\)
c:\archivos de programa\zango\zangohook.dll (file missing)
C:\Archivos de programa\MediaGateway\MediaGateway.exe
C:\WINDOWS\System32\yqryoc.exe reg_run
C:\WINDOWS\System32\jbi32.dll,start
C:\windows\winsysupd.exe
C:\WINDOWS\SYSTEM32\gebyx.dll

*How to Boot into Safe mode: http://service1.symantec.com/SUPPORT/tsgen...001052409420406
**Show Hidden and System files and folders: http://www.xtra.co.nz/help/0,,4155-1916458,00.html

Also, uncheck the boxes for hiding known file extensions and hiding protected operating system files. We want to see it all. When we finish here, it would be a good idea to rehide the protected operating system files but leave the rest to be shown.

Reboot in normal mode

Run HiJackThis again and post a new log in this thread.


Last:
Please download, install, and update the free version of Ewido Security Suite:
http://www.ewido.net/en/download/

[1]From the main ewido screen, click on update in the left menu, then click the Start update button.

[2]After the update finishes (the status bar at the bottom will display "Update successful")


Close the program after updating (don't scan with it yet, we'll do that in SAFE MODE)

Copy the following instructions to have handy as you will need to be offline, in SAFE MODE and with IE closed so you will not be able to view this page during the process.

Reboot your PC into SAFE MODE

How to start the computer in Safe mode
http://service1.symantec.com/SUPPORT/tsgen...src=sec_doc_nam

Next, run a scan with Ewido.

[3]Click on the Scanner button in the left menu, then click on the Start button. This scan can take quite a while to run, so please be patient

[4]If Ewido finds anything, it will pop up a notification. You can select "remove" and check the boxes "Perform action with all infections" and "Create encrypted backup" before clicking on OK.

[5]When the scan finishes, click on "Save Report". This will create a text file. Make sure you know where to find this file again.

Copy and paste the results from that scan back here please for review :)

*Note: Ewido is a free trial product for 14 days. After that you can purchase it for full features OR you can also keep the free version to use as an on-demand scanner (recommended).
You will still be able to manually update Ewido using the *update* button :)

[mongou]

Thanks for your help!!


Logfile of HijackThis v1.99.1
Scan saved at 13:38:05, on 20/01/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Archivos de programa\Java\jre1.5.0_06\bin\jusched.exe
C:\Archivos de programa\Ahead\InCD\InCD.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Archivos de programa\Messenger\msmsgs.exe
C:\Archivos de programa\OpenOffice.org 2.0\program\soffice.exe
C:\Archivos de programa\OpenOffice.org 2.0\program\soffice.BIN
C:\Archivos de programa\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Administrador\Mis documentos\Programas\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.es/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\WINDOWS\Temp\Reader\ActiveX\AcroIEHelper.ocx (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Archivos de programa\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: ATLDistrib Object - {83A5F7B7-DC75-44CE-9195-264F41709FA9} - C:\WINDOWS\System32\mljgf.dll (file missing)
O2 - BHO: (no name) - {EA32FB3B-21C9-42cc-B8EF-01A9B28EDB0D} - C:\WINDOWS\System32\gebyx.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [MediaGateway] C:\Archivos de programa\MediaGateway\MediaGateway.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Archivos de programa\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [KAVPersonal50] C:\Archivos de programa\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe /minimize
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Archivos de programa\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [WinDLL (jbi32.dll)] rundll32.exe C:\WINDOWS\System32\jbi32.dll,start
O4 - HKLM\..\Run: [winsysupd] C:\windows\winsysupd.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Archivos de programa\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Jet Detection] C:\Archivos de programa\Creative\SBAudigy\PROGRAM\ADGJDet.exe
O4 - Startup: OpenOffice.org 2.0.lnk = C:\Archivos de programa\OpenOffice.org 2.0\program\quickstart.exe
O8 - Extra context menu item: =>&Español - http:\\wordreference.com\es\j\iees69.htm
O8 - Extra context menu item: =>English - http:\\wordreference.com\es\en\j\iespen109.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Consola de Sun Java - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.5.0_06\bin\ssv.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/kav...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/SSC/SharedCon...bin/AvSniff.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1135803205748
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1135803898889
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {AD08A333-609E-11D3-950C-008098601567} - http://wordreference.com/Install/Spanish%20to%20English.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (ASquaredScanForm Element) - http://www.windowsecurity.com/trojanscan/axscan.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\ARCHIV~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: awtss - awtss.dll (file missing)
O20 - Winlogon Notify: gebyx - C:\WINDOWS\SYSTEM32\gebyx.dll
O20 - Winlogon Notify: jkhhe - jkhhe.dll (file missing)
O20 - Winlogon Notify: mljgf - C:\WINDOWS\System32\mljgf.dll (file missing)
O20 - Winlogon Notify: pmnll - pmnll.dll (file missing)
O23 - Service: kavsvc - Kaspersky Lab - C:\Archivos de programa\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
O23 - Service: cyberz mansor (mansor) - Unknown owner - C:\WINDOWS\mansor.exe (file missing)
O23 - Service: microsoft service host 32 (scvhost 32) - Unknown owner - C:\WINDOWS\System32\scvhost32.exe (file missing)



Incident Status Location

Adware:Adware/DollarRevenue Not disinfected C:\WINDOWS\System32\gebyx.dll
Adware:adware/dollarrevenue Not disinfected C:\WINDOWS\timessquare1.dat
Adware:adware/wupd Not disinfected C:\ARCHIVOS DE PROGRAMA\MediaGateway
Spyware:spyware/virtumonde Not disinfected Windows Registry
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Administrador\Cookies\administrador@atdmt[2].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Administrador\Cookies\administrador@doubleclick[1].txt
Spyware:Cookie/Reliablestats Not disinfected C:\Documents and Settings\Administrador\Cookies\administrador@stats1.reliablestats[1].txt
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Administrador\Cookies\administrador@tribalfusion[1].txt
Spyware:Cookie/WinFixer Not disinfected C:\Documents and Settings\Administrador\Cookies\administrador@winfixer[1].txt
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Administrador\Cookies\administrador@atdmt[2].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Administrador\Cookies\administrador@doubleclick[1].txt
Spyware:Cookie/Reliablestats Not disinfected C:\Documents and Settings\Administrador\Cookies\administrador@stats1.reliablestats[1].txt
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Administrador\Cookies\administrador@tribalfusion[1].txt
Spyware:Cookie/WinFixer Not disinfected C:\Documents and Settings\Administrador\Cookies\administrador@winfixer[1].txt
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Administrador\Escritorio\VundoFix\VundoFix\process.exe
Adware:Adware/DollarRevenue Not disinfected C:\WINDOWS\system32\awtsp.dll
Adware:Adware/DollarRevenue Not disinfected C:\WINDOWS\system32\awtsr.dll
Adware:Adware/DollarRevenue Not disinfected C:\WINDOWS\system32\awvvu.dll
Adware:Adware/DollarRevenue Not disinfected C:\WINDOWS\system32\ca32.exe[rm32.dll]
Adware:Adware/DollarRevenue Not disinfected C:\WINDOWS\system32\ddccc.dll
Adware:Adware/DollarRevenue Not disinfected C:\WINDOWS\system32\gebyx.dll
Adware:Adware/DollarRevenue Not disinfected C:\WINDOWS\system32\geebc.dll
Adware:Adware/DollarRevenue Not disinfected C:\WINDOWS\system32\geebx.dll
Virus:W32/Sdbot.ftp Disinfected C:\WINDOWS\system32\i
Adware:Adware/DollarRevenue Not disinfected C:\WINDOWS\system32\pmnlk.dll
Virus:Trj/Pintxatore.P Not disinfected C:\WINDOWS\system32\stealth.exe[stealth.dll]



VundoFix V2.15 by Atri
--------------------------------------------------------------------------------------

Listing files contained in the vundofix folder.
--------------------------------------------------------------------------------------

killvundo.bat
process.exe
ReadMe.txt
vundo.reg
vundofix.txt

--------------------------------------------------------------------------------------

Filepaths entered
--------------------------------------------------------------------------------------

The filepath entered was C:\WINDOWS\System32\mljgf.dll

The second filepath entered was C:\WINDOWS\System32\fgjlm

--------------------------------------------------------------------------------------

Log from Process
--------------------------------------------------------------------------------------


Killing PID 144 'smss.exe'

Killing PID 724 'explorer.exe'
Killing PID 724 'explorer.exe'
Killing PID 724 'explorer.exe'


Killing PID 216 'winlogon.exe'
--------------------------------------------------------------------------------------

C:\WINDOWS\System32\mljgf.dll Deleted sucessfully.
C:\WINDOWS\System32\fgjlm Deleted sucessfully.

Fixing Registry
--------------------------------------------------------------------------------------

[mongou]

I post you a new hijackthis log and the results from de ewido scan. thanks once again!

Logfile of HijackThis v1.99.1
Scan saved at 14:43:56, on 20/01/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\logonui.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Archivos de programa\Java\jre1.5.0_06\bin\jusched.exe
C:\Archivos de programa\Ahead\InCD\InCD.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Archivos de programa\Messenger\msmsgs.exe
C:\Archivos de programa\OpenOffice.org 2.0\program\soffice.exe
C:\Archivos de programa\OpenOffice.org 2.0\program\soffice.BIN
C:\Archivos de programa\ewido anti-malware\ewidoctrl.exe
C:\Archivos de programa\ewido anti-malware\ewidoguard.exe
C:\Archivos de programa\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Administrador\Mis documentos\Programas\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.es/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\WINDOWS\Temp\Reader\ActiveX\AcroIEHelper.ocx (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Archivos de programa\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {EA32FB3B-21C9-42cc-B8EF-01A9B28EDB0D} - C:\WINDOWS\system32\gebyx.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Archivos de programa\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [KAVPersonal50] C:\Archivos de programa\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe /minimize
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Archivos de programa\Ahead\InCD\InCD.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Archivos de programa\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Jet Detection] C:\Archivos de programa\Creative\SBAudigy\PROGRAM\ADGJDet.exe
O4 - Startup: OpenOffice.org 2.0.lnk = C:\Archivos de programa\OpenOffice.org 2.0\program\quickstart.exe
O8 - Extra context menu item: =>&Español - http:\\wordreference.com\es\j\iees69.htm
O8 - Extra context menu item: =>English - http:\\wordreference.com\es\en\j\iespen109.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Consola de Sun Java - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.5.0_06\bin\ssv.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/kav...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/SSC/SharedCon...bin/AvSniff.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1135803205748
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1135803898889
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {AD08A333-609E-11D3-950C-008098601567} - http://wordreference.com/Install/Spanish%20to%20English.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (ASquaredScanForm Element) - http://www.windowsecurity.com/trojanscan/axscan.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\ARCHIV~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: gebyx - C:\WINDOWS\SYSTEM32\gebyx.dll
O23 - Service: ewido security suite control - ewido networks - C:\Archivos de programa\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Archivos de programa\ewido anti-malware\ewidoguard.exe
O23 - Service: kavsvc - Kaspersky Lab - C:\Archivos de programa\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
O23 - Service: cyberz mansor (mansor) - Unknown owner - C:\WINDOWS\mansor.exe (file missing)
O23 - Service: microsoft service host 32 (scvhost 32) - Unknown owner - C:\WINDOWS\System32\scvhost32.exe (file missing)


---------------------------------------------------------
ewido anti-malware - Report de exploración
---------------------------------------------------------

+ Creado en: 14:38:33, 20/01/2006
+ Report-Checksum: BF5AD3D

+ Scan result:

C:\Documents and Settings\Administrador\Cookies\administrador@atdmt[2].txt -> Spyware.Cookie.Atdmt : Limpio con backup
C:\Documents and Settings\Administrador\Cookies\administrador@tribalfusion[1].txt -> Spyware.Cookie.Tribalfusion : Limpio con backup
C:\Documents and Settings\Administrador\Mis documentos\Programas\hijackthis\backups\backup-20060120-135100-504.dll -> Adware.Virtumonde : Limpio con backup
C:\WINDOWS\system32\awtsp.dll -> Adware.Virtumonde : Limpio con backup
C:\WINDOWS\system32\awtsr.dll -> Adware.Virtumonde : Limpio con backup
C:\WINDOWS\system32\awvvu.dll -> Adware.Virtumonde : Limpio con backup
C:\WINDOWS\system32\ca32.exe/rm32.dll -> Adware.Virtumonde : Limpio con backup
C:\WINDOWS\system32\ca32.exe/dr32.exe -> Downloader.Adload.j : Limpio con backup
C:\WINDOWS\system32\ddccc.dll -> Adware.Virtumonde : Limpio con backup
C:\WINDOWS\system32\eraseme_66861.exe -> Backdoor.Aimbot.bn : Limpio con backup
C:\WINDOWS\system32\gebyx.dll -> Adware.Virtumonde : Limpio con backup
C:\WINDOWS\system32\geebc.dll -> Adware.Virtumonde : Limpio con backup
C:\WINDOWS\system32\geebx.dll -> Adware.Virtumonde : Limpio con backup
C:\WINDOWS\system32\mservu.exe -> Backdoor.Rbot : Limpio con backup
C:\WINDOWS\system32\pmnlk.dll -> Adware.Virtumonde : Limpio con backup


::Fin Report

[LoPhatPhuud]

Slowly but surely it is all being removed. You had a multiplr infection of Vundo, along with a few other pieces of 'garbage'. There is a new Vundo removal program that can handle multiple instances and I want to use it to be sure we have them all.


First:
Please download VundoFix.exe to your desktop.

• Double-click VundoFix.exe to run it.
• Click the Scan for Vundo button.
• Once it's done scanning, click the Remove Vundo button.
• You will receive a prompt asking if you want to remove the files, click YES
• Once you click yes, your desktop will go blank as it starts removing Vundo.
• When completed, it will prompt that it will shutdown your computer, click OK.
• Turn your computer back on.
• Please post the contents of C:\vundofix.txt and a new HiJackThis log.

Second:
Check the following items in HijackThis.
(note: If any R* items do not appear in Safe Mode, re-run HiJackThis in Normal Mode and remove them after you finish removing these items.)
02 - BHO: (no name) - {EA32FB3B-21C9-42cc-B8EF-01A9B28EDB0D} - C:\WINDOWS\system32\gebyx.dll

O20 - Winlogon Notify: gebyx - C:\WINDOWS\SYSTEM32\gebyx.dll
O23 - Service: cyberz mansor (mansor) - Unknown owner - C:\WINDOWS\mansor.exe (file missing)
O23 - Service: microsoft service host 32 (scvhost 32) - Unknown owner - C:\WINDOWS\System32\scvhost32.exe (file missing)


[b]Third:
Download: Clear the Cache (freeware) http://www.ccleaner.com/ Once installed, run CCleaner click the Windows [tab] Select the following options: (not all are available for Win98/ME)
Next: click Options click Advanced
Uncheck: "Only delete files older than 48 hrs", click Ok Then click Run Cleaner (bottom right) then Exit

CCleaner should be run with the above settings for each user!


Last:
Please download SilentRunners from here:
http://www.silentrunners.org/Silent%20Runners.zip

Unzip it to the desktop and double-click on it.
Silent Runners will ask if you want to skip the supplementary search.
Please select 'No' to include them. The program will take longer to run, but wil lgive us more information.

If you get any kind of warning message about scripts, please choose to allow the script to run.

When the scan is finished, a message will pop up and a logfile will have been created on the desktop.
The logfile is named 'Startup Programs' by default and will be located where the program is.

Please post the entire contents of this logfile for me to see.

[/b]Close all windows except HijackThis and click Fix checked.

Reboot in normal mode

Run HiJackThis again and post a new log in this thread.

[mongou]

I really appreciate your help.thank u very much!!

First: (vundofix.txt and a new HiJackThis log )

VundoFix V4.0

Listing files found while scanning....

C:\WINDOWS\System32\vtsqo.dll
C:\WINDOWS\System32\oqstv.ini
C:\WINDOWS\System32\oqstv.bak1

C:\WINDOWS\system32\oqstv.bak1
C:\WINDOWS\system32\oqstv.ini
Attempting to delete C:\WINDOWS\System32\oqstv.ini
C:\WINDOWS\System32\oqstv.ini Has been deleted!

Attempting to delete C:\WINDOWS\System32\oqstv.bak1
C:\WINDOWS\System32\oqstv.bak1 Has been deleted!

Performing Repairs to the registry.
Done!





Logfile of HijackThis v1.99.1
Scan saved at 12:51:55, on 21/01/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Archivos de programa\Java\jre1.5.0_06\bin\jusched.exe
C:\Archivos de programa\Ahead\InCD\InCD.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Archivos de programa\Messenger\msmsgs.exe
C:\Archivos de programa\OpenOffice.org 2.0\program\soffice.exe
C:\Archivos de programa\OpenOffice.org 2.0\program\soffice.BIN
C:\Archivos de programa\ewido anti-malware\ewidoctrl.exe
C:\Archivos de programa\ewido anti-malware\ewidoguard.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Administrador\Mis documentos\Programas\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.es/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\WINDOWS\Temp\Reader\ActiveX\AcroIEHelper.ocx (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Archivos de programa\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Archivos de programa\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [KAVPersonal50] C:\Archivos de programa\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe /minimize
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Archivos de programa\Ahead\InCD\InCD.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Archivos de programa\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Jet Detection] C:\Archivos de programa\Creative\SBAudigy\PROGRAM\ADGJDet.exe
O4 - Startup: OpenOffice.org 2.0.lnk = C:\Archivos de programa\OpenOffice.org 2.0\program\quickstart.exe
O8 - Extra context menu item: =>&Español - http:\\wordreference.com\es\j\iees69.htm
O8 - Extra context menu item: =>English - http:\\wordreference.com\es\en\j\iespen109.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Consola de Sun Java - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.5.0_06\bin\ssv.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/kav...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/SSC/SharedCon...bin/AvSniff.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1135803205748
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1135803898889
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {AD08A333-609E-11D3-950C-008098601567} - http://wordreference.com/Install/Spanish%20to%20English.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (ASquaredScanForm Element) - http://www.windowsecurity.com/trojanscan/axscan.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\ARCHIV~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: vtsqo - C:\WINDOWS\System32\vtsqo.dll (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Archivos de programa\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Archivos de programa\ewido anti-malware\ewidoguard.exe
O23 - Service: kavsvc - Kaspersky Lab - C:\Archivos de programa\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
O23 - Service: cyberz mansor (mansor) - Unknown owner - C:\WINDOWS\mansor.exe (file missing)
O23 - Service: microsoft service host 32 (scvhost 32) - Unknown owner - C:\WINDOWS\System32\scvhost32.exe (file missing)

[mongou]

the silent runners log and a new hijackthislog:

"Silent Runners.vbs", revision 43, http://www.silentrunners.org/
Operating System: Windows XP
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"CTFMON.EXE" = "C:\WINDOWS\System32\ctfmon.exe" [MS]
"MSMSGS" = ""C:\Archivos de programa\Messenger\msmsgs.exe" /background" [MS]
"Jet Detection" = "C:\Archivos de programa\Creative\SBAudigy\PROGRAM\ADGJDet.exe" [empty string]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"SunJavaUpdateSched" = "C:\Archivos de programa\Java\jre1.5.0_06\bin\jusched.exe" ["Sun Microsystems, Inc."]
"KAVPersonal50" = "C:\Archivos de programa\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe /minimize" ["Kaspersky Lab"]
"NeroCheck" = "C:\WINDOWS\system32\NeroCheck.exe" ["Ahead Software Gmbh"]
"InCD" = "C:\Archivos de programa\Ahead\InCD\InCD.exe" [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = "AcroIEHlprObj Class" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\Temp\Reader\ActiveX\AcroIEHelper.ocx" [file not found]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = "SSVHelper Class" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Archivos de programa\Java\jre1.5.0_06\bin\ssv.dll" ["Sun Microsystems, Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Extensión de paneo de pantalla del Panel de control"
-> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Extensión de icono de HyperTerminal"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{C52AF81D-F7A0-4AAB-8E87-F80A60CCD396}" = "OpenOffice.org Column Handler"
-> {CLSID}\InProcServer32\(Default) = ""C:\Archivos de programa\OpenOffice.org 2.0\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]
"{087B3AE3-E237-4467-B8DB-5A38AB959AC9}" = "OpenOffice.org Infotip Handler"
-> {CLSID}\InProcServer32\(Default) = ""C:\Archivos de programa\OpenOffice.org 2.0\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]
"{63542C48-9552-494A-84F7-73AA6A7C99C1}" = "OpenOffice.org Property Sheet Handler"
-> {CLSID}\InProcServer32\(Default) = ""C:\Archivos de programa\OpenOffice.org 2.0\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]
"{3B092F0C-7696-40E3-A80F-68D74DA84210}" = "OpenOffice.org Thumbnail Viewer"
-> {CLSID}\InProcServer32\(Default) = ""C:\Archivos de programa\OpenOffice.org 2.0\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Archivos de programa\WinRAR\rarext.dll" [null data]
"{DDE4BEEB-DDE6-48fd-8EB5-035C09923F83}" = "UnlockerShellExtension"
-> {CLSID}\InProcServer32\(Default) = "C:\Archivos de programa\Unlocker\UnlockerCOM.dll" [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
INFECTION WARNING! "{54D9498B-CF93-414F-8984-8CE7FDE0D391}" = "ewido shell guard"
-> {CLSID}\InProcServer32\(Default) = "C:\Archivos de programa\ewido anti-malware\shellhook.dll" ["TODO: <Firmenname>"]

HKLM\System\CurrentControlSet\Control\Session Manager\
INFECTION WARNING! "BootExecute" = "autocheck autochk * PFDNNT C:\WINDOWS\SYSTEM32\SVCHOST.DLL PFDNNT C:\WINDOWS\SYSTEM32\SVCHOST32.DLL" [file not found], [MS], [file not found], [file not found], [file not found], [file not found], [file not found]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
INFECTION WARNING! vtsqo\DLLName = "C:\WINDOWS\System32\vtsqo.dll" [file not found]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
ewido\(Default) = "{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}"
-> {CLSID}\InProcServer32\(Default) = "C:\Archivos de programa\ewido anti-malware\context.dll" ["ewido networks"]
gstgkxyf\(Default) = "{4b5b632a-e929-483a-855a-ec651504f0da}"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\gqrgk.dll" [file not found]
Kaspersky Anti-Virus\(Default) = "{dd230880-495a-11d1-b064-008048ec2fc5}"
-> {CLSID}\InProcServer32\(Default) = "C:\Archivos de programa\Kaspersky Lab\Kaspersky Anti-Virus Personal\shellex.dll" ["Kaspersky Lab"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {CLSID}\InProcServer32\(Default) = "C:\Archivos de programa\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
ewido\(Default) = "{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}"
-> {CLSID}\InProcServer32\(Default) = "C:\Archivos de programa\ewido anti-malware\context.dll" ["ewido networks"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {CLSID}\InProcServer32\(Default) = "C:\Archivos de programa\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
Kaspersky Anti-Virus\(Default) = "{dd230880-495a-11d1-b064-008048ec2fc5}"
-> {CLSID}\InProcServer32\(Default) = "C:\Archivos de programa\Kaspersky Lab\Kaspersky Anti-Virus Personal\shellex.dll" ["Kaspersky Lab"]
UnlockerShellExtension\(Default) = "{DDE4BEEB-DDE6-48fd-8EB5-035C09923F83}"
-> {CLSID}\InProcServer32\(Default) = "C:\Archivos de programa\Unlocker\UnlockerCOM.dll" [null data]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {CLSID}\InProcServer32\(Default) = "C:\Archivos de programa\WinRAR\rarext.dll" [null data]


Active Desktop and Wallpaper:
-----------------------------

Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\Administrador\Configuración local\Datos de programa\Microsoft\Wallpaper1.bmp"


Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINDOWS\System32\sspipes.scr" [MS]


Startup items in "Administrador" & "All Users" startup folders:
---------------------------------------------------------------

C:\Documents and Settings\Administrador\Menú Inicio\Programas\Inicio
"OpenOffice.org 2.0" -> shortcut to: "C:\Archivos de programa\OpenOffice.org 2.0\program\quickstart.exe" [null data]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 15
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Consola de Sun Java"
"CLSIDExtension" = "{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC}"
-> {CLSID}\InProcServer32\(Default) = "C:\Archivos de programa\Java\jre1.5.0_06\bin\npjpi150_06.dll" ["Sun Microsystems, Inc."]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

ewido security suite control, ewido security suite control, "C:\Archivos de programa\ewido anti-malware\ewidoctrl.exe" ["ewido networks"]
ewido security suite guard, ewido security suite guard, "C:\Archivos de programa\ewido anti-malware\ewidoguard.exe" ["ewido networks"]
kavsvc, kavsvc, "C:\Archivos de programa\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe" ["Kaspersky Lab"]


----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives
took 16 seconds.
+ The search for all Registry CLSIDs containing dormant Explorer Bars
took 11 seconds.
---------- (total run time: 145 seconds)




Logfile of HijackThis v1.99.1
Scan saved at 13:22:00, on 21/01/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Archivos de programa\Java\jre1.5.0_06\bin\jusched.exe
C:\Archivos de programa\Ahead\InCD\InCD.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Archivos de programa\Messenger\msmsgs.exe
C:\Archivos de programa\OpenOffice.org 2.0\program\soffice.exe
C:\Archivos de programa\OpenOffice.org 2.0\program\soffice.BIN
C:\Archivos de programa\ewido anti-malware\ewidoctrl.exe
C:\Archivos de programa\ewido anti-malware\ewidoguard.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Archivos de programa\Internet Explorer\iexplore.exe
C:\Documents and Settings\Administrador\Mis documentos\Programas\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.es/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\WINDOWS\Temp\Reader\ActiveX\AcroIEHelper.ocx (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Archivos de programa\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Archivos de programa\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [KAVPersonal50] C:\Archivos de programa\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe /minimize
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Archivos de programa\Ahead\InCD\InCD.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Archivos de programa\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Jet Detection] C:\Archivos de programa\Creative\SBAudigy\PROGRAM\ADGJDet.exe
O4 - Startup: OpenOffice.org 2.0.lnk = C:\Archivos de programa\OpenOffice.org 2.0\program\quickstart.exe
O8 - Extra context menu item: =>&Español - http:\\wordreference.com\es\j\iees69.htm
O8 - Extra context menu item: =>English - http:\\wordreference.com\es\en\j\iespen109.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Consola de Sun Java - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.5.0_06\bin\ssv.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/kav...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/SSC/SharedCon...bin/AvSniff.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1135803205748
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1135803898889
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {AD08A333-609E-11D3-950C-008098601567} - http://wordreference.com/Install/Spanish%20to%20English.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (ASquaredScanForm Element) - http://www.windowsecurity.com/trojanscan/axscan.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\ARCHIV~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: vtsqo - C:\WINDOWS\System32\vtsqo.dll (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Archivos de programa\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Archivos de programa\ewido anti-malware\ewidoguard.exe
O23 - Service: kavsvc - Kaspersky Lab - C:\Archivos de programa\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
O23 - Service: cyberz mansor (mansor) - Unknown owner - C:\WINDOWS\mansor.exe (file missing)
O23 - Service: microsoft service host 32 (scvhost 32) - Unknown owner - C:\WINDOWS\System32\scvhost32.exe (file missing)

[LoPhatPhuud]

Just some cleanup left. The main Vundo infection is gone!

First:
Open a Command Prompt Window (Start -> Run -> cmd)
Enter the following commands: (then press 'Enter')
sc stop mansor (ok if it fails)
sc delete mansor

sc stop scvhost 32 (ok if it fails)
sc delete scvhost 32

exit


Second:
Check the following items in HijackThis.
(note: If any R* items do not appear in Safe Mode, re-run HiJackThis in Normal Mode and remove them after you finish removing these items.)
O20 - Winlogon Notify: vtsqo - C:\WINDOWS\System32\vtsqo.dll (file missing)

Close all windows except HijackThis and click Fix checked.

Reboot in normal mode

Run HiJackThis again and post a new log in this thread.

[mongou]

Thank u very much!! :)


Logfile of HijackThis v1.99.1
Scan saved at 12:28:08, on 22/01/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Archivos de programa\Java\jre1.5.0_06\bin\jusched.exe
C:\Archivos de programa\Ahead\InCD\InCD.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Archivos de programa\Messenger\msmsgs.exe
C:\Archivos de programa\OpenOffice.org 2.0\program\soffice.exe
C:\Archivos de programa\OpenOffice.org 2.0\program\soffice.BIN
C:\Archivos de programa\ewido anti-malware\ewidoctrl.exe
C:\Archivos de programa\ewido anti-malware\ewidoguard.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Administrador\Mis documentos\Programas\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.es/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\WINDOWS\Temp\Reader\ActiveX\AcroIEHelper.ocx (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Archivos de programa\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Archivos de programa\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [KAVPersonal50] C:\Archivos de programa\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe /minimize
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Archivos de programa\Ahead\InCD\InCD.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Archivos de programa\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Jet Detection] C:\Archivos de programa\Creative\SBAudigy\PROGRAM\ADGJDet.exe
O4 - Startup: OpenOffice.org 2.0.lnk = C:\Archivos de programa\OpenOffice.org 2.0\program\quickstart.exe
O8 - Extra context menu item: =>&Español - http:\\wordreference.com\es\j\iees69.htm
O8 - Extra context menu item: =>English - http:\\wordreference.com\es\en\j\iespen109.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Consola de Sun Java - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.5.0_06\bin\ssv.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/kav...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/SSC/SharedCon...bin/AvSniff.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1135803205748
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1135803898889
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {AD08A333-609E-11D3-950C-008098601567} - http://wordreference.com/Install/Spanish%20to%20English.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (ASquaredScanForm Element) - http://www.windowsecurity.com/trojanscan/axscan.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\ARCHIV~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Archivos de programa\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Archivos de programa\ewido anti-malware\ewidoguard.exe
O23 - Service: kavsvc - Kaspersky Lab - C:\Archivos de programa\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
O23 - Service: microsoft service host 32 (scvhost 32) - Unknown owner - C:\WINDOWS\System32\scvhost32.exe (file missing)

[LoPhatPhuud]

One service is being difficult so lets try to remove it using HiJackThis.

Start HiJackThis
Click on the 'Config' button
Click on the 'Misc Tools' button
Click on the 'Delete an NT Service ...' button
Copy and paste the following:
microsoft service host 32
Press 'OK'

Go back to main HiJackThis page
Run a new scan and post the log in this thread.

[mongou]

I tried but a window appeared saying :

Service 'microsoft service host 32' was not found in the Registry. Make sure you entered the short name of the service ., vbExclamation

I post u the new hojackthis log . Thanks for your patience!!

Logfile of HijackThis v1.99.1
Scan saved at 13:14:45, on 23/01/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Archivos de programa\Java\jre1.5.0_06\bin\jusched.exe
C:\Archivos de programa\Ahead\InCD\InCD.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Archivos de programa\Messenger\msmsgs.exe
C:\Archivos de programa\OpenOffice.org 2.0\program\soffice.exe
C:\Archivos de programa\OpenOffice.org 2.0\program\soffice.BIN
C:\Archivos de programa\ewido anti-malware\ewidoctrl.exe
C:\Archivos de programa\ewido anti-malware\ewidoguard.exe
C:\Archivos de programa\MSN Messenger\msnmsgr.exe
C:\Archivos de programa\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Archivos de programa\Windows NT\Accesorios\wordpad.exe
C:\Documents and Settings\Administrador\Mis documentos\Programas\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.es/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\WINDOWS\Temp\Reader\ActiveX\AcroIEHelper.ocx (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Archivos de programa\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Archivos de programa\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [KAVPersonal50] C:\Archivos de programa\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe /minimize
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Archivos de programa\Ahead\InCD\InCD.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Archivos de programa\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Jet Detection] C:\Archivos de programa\Creative\SBAudigy\PROGRAM\ADGJDet.exe
O4 - Startup: OpenOffice.org 2.0.lnk = C:\Archivos de programa\OpenOffice.org 2.0\program\quickstart.exe
O8 - Extra context menu item: =>&Español - http:\\wordreference.com\es\j\iees69.htm
O8 - Extra context menu item: =>English - http:\\wordreference.com\es\en\j\iespen109.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Consola de Sun Java - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.5.0_06\bin\ssv.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/kav...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/SSC/SharedCon...bin/AvSniff.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1135803205748
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1135803898889
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {AD08A333-609E-11D3-950C-008098601567} - http://wordreference.com/Install/Spanish%20to%20English.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (ASquaredScanForm Element) - http://www.windowsecurity.com/trojanscan/axscan.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\ARCHIV~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Archivos de programa\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Archivos de programa\ewido anti-malware\ewidoguard.exe
O23 - Service: kavsvc - Kaspersky Lab - C:\Archivos de programa\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
O23 - Service: microsoft service host 32 (scvhost 32) - Unknown owner - C:\WINDOWS\System32\scvhost32.exe (file missing)

[LoPhatPhuud]

There always seems to be one that is difficult. Let's try again.

Do the following and note that the quotes must be used.

Open a Command Prompt Window (Start -> Run -> cmd)
Copy and paste the text in bold, one line at a time, then press 'enter' after each command
sc stop "scvhost 32" (ok if it fails)
sc delete "scvhost 32"
exit


Now run HiJackThis again and post new log in this thread.

[mongou]

Thank u. I think this time it's gone!!


Logfile of HijackThis v1.99.1
Scan saved at 15:18:03, on 24/01/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Archivos de programa\Java\jre1.5.0_06\bin\jusched.exe
C:\Archivos de programa\Ahead\InCD\InCD.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Archivos de programa\Messenger\msmsgs.exe
C:\Archivos de programa\OpenOffice.org 2.0\program\soffice.exe
C:\Archivos de programa\OpenOffice.org 2.0\program\soffice.BIN
C:\Archivos de programa\ewido anti-malware\ewidoctrl.exe
C:\Archivos de programa\ewido anti-malware\ewidoguard.exe
C:\Archivos de programa\MSN Messenger\msnmsgr.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Archivos de programa\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Administrador\Mis documentos\Programas\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.es/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\WINDOWS\Temp\Reader\ActiveX\AcroIEHelper.ocx (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Archivos de programa\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Archivos de programa\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [KAVPersonal50] C:\Archivos de programa\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe /minimize
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Archivos de programa\Ahead\InCD\InCD.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Archivos de programa\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Jet Detection] C:\Archivos de programa\Creative\SBAudigy\PROGRAM\ADGJDet.exe
O4 - Startup: OpenOffice.org 2.0.lnk = C:\Archivos de programa\OpenOffice.org 2.0\program\quickstart.exe
O8 - Extra context menu item: =>&Español - http:\\wordreference.com\es\j\iees69.htm
O8 - Extra context menu item: =>English - http:\\wordreference.com\es\en\j\iespen109.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Consola de Sun Java - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.5.0_06\bin\ssv.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/kav...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/SSC/SharedCon...bin/AvSniff.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1135803205748
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1135803898889
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {AD08A333-609E-11D3-950C-008098601567} - http://wordreference.com/Install/Spanish%20to%20English.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (ASquaredScanForm Element) - http://www.windowsecurity.com/trojanscan/axscan.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\ARCHIV~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Archivos de programa\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Archivos de programa\ewido anti-malware\ewidoguard.exe
O23 - Service: kavsvc - Kaspersky Lab - C:\Archivos de programa\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe