Here is my HJT Log File [RESOLVED]
Post #1, Jun 14 2005, 09:50 PM
Member | Posts: 78 | OS: XP
Please PLEASE HELP ME GET RID OF THIS NASTY SPYWARE!! I'm so pissed off!! I was just looking for a crack at a site called "www.mscracks.something" and it started: I get the Spyware Sheriff, my desktop got blue with a message in the middle of it that said: "SYSTEM STOPPED system has been stopped due to a seriuos malfunction. Spyware activity has been detected. It is recomended to use spyware removal tool to prevent data loss. Do not use computer before all spyware removed." Also I can't change my desktop background, nor can I activate the Task Manager (it says that it has been disabled by an administrator), and I'm becoming CRAZY with the "EXPLORER.EXE has detected an error and has to shutdown" message... and when I hit Don't Send or Send (no matter what) it restarts again and again and again, and over and over again... please HELP MEE!! I'm desperate.

gUzAnO

Thanks for further help...

HJT LOG

Logfile of HijackThis v1.99.1
Scan saved at 22:57:02, on 14/06/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Archivos de programa\Archivos comunes\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Archivos de programa\Java\jre1.5.0_02\bin\jusched.exe
C:\WINDOWS\System32\ctfmon.exe
D:\Archivos de programa\Chaintech\DigiDoc\DigiDoc.exe
C:\WINDOWS\system32\web.exe
C:\WINDOWS\svchost.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\vxgame4.exe
C:\WINDOWS\System32\vxgame4.exe
C:\WINDOWS\System32\vxgame4.exe
C:\WINDOWS\System32\vxgame4.exe
c:\windows\system32\okvelxo.exe
C:\Documents and Settings\gUzAnO\Internet Optimizer\optimize.exe
C:\Archivos de programa\WeirdOnTheWeb\WeirdOnTheWeb.exe
C:\WINDOWS\System32\kernels32.exe
C:\WINDOWS\System32\vxgamet2.exe
C:\Archivos de programa\BullsEye Network\bin\bargains.exe
C:\WINDOWS\System32\vxh8jkdq2.exe
C:\WINDOWS\System32\msxct.exe
C:\WINDOWS\System32\vxgame4.exe
C:\WINDOWS\System32\5tcckj5k.exe
C:\Archivos de programa\csta\ssul.exe
C:\WINDOWS\System32\vxgamet2.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
D:\ARCHIV~1\ZONELA~1\ZONEAL~1\zlclient.exe
C:\WINDOWS\System32\imapi.exe
D:\Guz\hijackthis\HijackThis.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\System32\dwwin.exe
C:\WINDOWS\System32\taskmgr.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file://C:\WINDOWS\blank.mht
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\Archivos de programa\SurfSideKick 3\SskBho.dll
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: BHObj Class - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\nem220.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Archivos de programa\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {A811A0F5-006D-540C-EE69-12E198A5EE14} - C:\WINDOWS\cdmagent\kohwtcllql.dll
O2 - BHO: (no name) - {B75F75B8-93F3-429D-FF34-660B206D897A} - C:\WINDOWS\System32\zolk.dll
O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINDOWS\System32\msbe.dll
O2 - BHO: ZToolbar Activator Class - {FFF5092F-7172-4018-827B-FA5868FB0478} - C:\WINDOWS\System32\ztoolber.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: ZToolbar - {A6790AA5-C6C7-4BCF-A46D-0FDAC4EA90EB} - C:\WINDOWS\System32\ztoolber.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Archivos de programa\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [SurfSideKick 3] C:\Archivos de programa\SurfSideKick 3\Ssk.exe
O4 - HKLM\..\Run: [vvxjir] c:\windows\system32\okvelxo.exe r
O4 - HKLM\..\Run: [Zone Labs Client] D:\Archivos de programa\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [Systems Restart] Rundll32.exe zolk.dll, DllRegisterServer
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [SurfSideKick 3] C:\Archivos de programa\SurfSideKick 3\Ssk.exe
O4 - Global Startup: DigiDoc.lnk = D:\Archivos de programa\Chaintech\DigiDoc\DigiDoc.exe
O8 - Extra context menu item: &Download with &DAP - D:\ARCHIV~1\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - D:\ARCHIV~1\DAP\dapextie2.htm
O8 - Extra context menu item: E&xportar a Microsoft Excel - res://D:\ARCHIV~1\MICROS~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Consola de Sun Java - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Run DAP - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - D:\ARCHIV~1\DAP\DAP.EXE
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O15 - Trusted Zone: *.blazefind.com
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.flingstone.com
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.my-internet.info
O15 - Trusted Zone: *.searchbarcash.com
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.skoobidoo.com
O15 - Trusted Zone: *.slotch.com
O15 - Trusted Zone: *.slotchbar.com
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.xxxtoolbar.com
O15 - Trusted Zone: *.ysbweb.com
O15 - Trusted Zone: *.blazefind.com (HKLM)
O15 - Trusted Zone: *.clickspring.net (HKLM)
O15 - Trusted Zone: *.flingstone.com (HKLM)
O15 - Trusted Zone: *.mt-download.com (HKLM)
O15 - Trusted Zone: *.my-internet.info (HKLM)
O15 - Trusted Zone: *.searchbarcash.com (HKLM)
O15 - Trusted Zone: *.searchmiracle.com (HKLM)
O15 - Trusted Zone: *.skoobidoo.com (HKLM)
O15 - Trusted Zone: *.slotch.com (HKLM)
O15 - Trusted Zone: *.slotchbar.com (HKLM)
O15 - Trusted Zone: *.windupdates.com (HKLM)
O15 - Trusted Zone: *.xxxtoolbar.com (HKLM)
O15 - Trusted Zone: *.ysbweb.com (HKLM)
O15 - Trusted IP range: 67.19.178.84
O15 - Trusted IP range: 67.19.178.84 (HKLM)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1118531826405
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsIns....cab?refid=4600
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmesse...pdownloader.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: kavsvc - Kaspersky Lab - D:\Archivos de programa\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
O23 - Service: svchost.exe (moto) - Unknown owner - C:\WINDOWS\svchost.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

I have downloaded the Ewido suite, CWShredder, SPYSUBTRACT PRO 3.0, Ad-aware SE Edition and SpywareBlaster; also I have downloaded Kaspersky AV and Zone Alarm PRO.

This post has been edited by gUzAnO: Jun 15 2005, 09:42 AM
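A triage pass over log lines in the HijackThis format posted above, as an added example that is not part of this thread or of HijackThis itself: it parses the section codes (F2, O2, O4, O15, O23) and the "Running processes" list and flags the patterns a helper looks at first (a second executable on the Shell= line, unnamed or missing BHOs, rundll32 loading a DLL by bare name, Trusted Zone additions, services or processes using a system image name outside System32). The sample input is a constructed subset of lines copied from the log above; the severity thresholds and the list of system image names are this example's own assumptions.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample: a subset of the lines from the HJT log posted above.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\vxgame4.exe
C:\WINDOWS\System32\vxgame4.exe
C:\WINDOWS\System32\vxgame4.exe
C:\WINDOWS\svchost.exe
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: BHObj Class - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\nem220.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Archivos de programa\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {B75F75B8-93F3-429D-FF34-660B206D897A} - C:\WINDOWS\System32\zolk.dll
O4 - HKLM\..\Run: [Systems Restart] Rundll32.exe zolk.dll, DllRegisterServer
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted IP range: 67.19.178.84 (HKLM)
O23 - Service: svchost.exe (moto) - Unknown owner - C:\WINDOWS\svchost.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""

# Images Windows runs from %SystemRoot%\System32; the same name elsewhere is a masquerade cue (assumption).
SYSTEM_BINARIES = {"svchost.exe", "lsass.exe", "services.exe", "smss.exe", "winlogon.exe", "csrss.exe"}
MULTI_INSTANCE_OK = {"svchost.exe", "iexplore.exe", "explorer.exe", "rundll32.exe"}
ENTRY_RE = re.compile(r"^([RFNO]\d{1,2}) - (.*)$")
RUNDLL_RE = re.compile(r"rundll32(?:\.exe)?\s+(\S+)", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    severity: str  # "HIGH" or "MEDIUM"
    code: str      # HJT section code, or "PROC" for the process list
    detail: str
    line: str


def split_path(path: str):
    """Return (lowercased parent directory, lowercased file name) for a Windows path."""
    head, _, name = path.strip().rpartition("\\")
    return head.lower(), name.lower()


def parse(log_text: str):
    """Split a log into its process list and its (code, payload, raw line) entries."""
    processes, entries, in_procs = [], [], False
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if m:
            in_procs = False
            entries.append((m.group(1), m.group(2), line))
        elif line.lower().startswith("running processes"):
            in_procs = True
        elif in_procs and line:
            processes.append(line)
    return processes, entries


def triage(log_text: str) -> list:
    processes, entries = parse(log_text)
    findings = []

    # Process list: system image names outside System32, and unusual repeated images.
    for proc in processes:
        folder, name = split_path(proc)
        if name in SYSTEM_BINARIES and not folder.endswith("system32"):
            findings.append(Finding("HIGH", "PROC", f"{name} running outside System32", proc))
    for name, count in Counter(split_path(p)[1] for p in processes).items():
        if count >= 3 and name not in MULTI_INSTANCE_OK:
            findings.append(Finding("MEDIUM", "PROC", f"{count} instances of {name}", name))

    for code, payload, line in entries:
        if code == "F2" and "shell=" in payload.lower():
            # Shell= should name only explorer.exe; any extra token is launched at every logon.
            extra = [t for t in payload.split("=", 1)[1].split() if split_path(t)[1] != "explorer.exe"]
            if extra:
                findings.append(Finding("HIGH", code, "extra shell executable: " + " ".join(extra), line))
        elif code == "O2" and ("(no name)" in payload or "(file missing)" in payload):
            findings.append(Finding("MEDIUM", code, "unnamed or missing BHO", line))
        elif code == "O4" and (m := RUNDLL_RE.search(payload)):
            # A DLL given by bare name is resolved through the search path, not a fixed file.
            dll = m.group(1).rstrip(",")
            if "\\" not in dll:
                findings.append(Finding("MEDIUM", code, f"rundll32 loads unqualified DLL {dll}", line))
        elif code == "O15":
            # Trusted Zone sites get IE's most permissive ActiveX and scripting settings.
            findings.append(Finding("MEDIUM", code, "Trusted Zone addition", line))
        elif code == "O23":
            parts = [p.strip() for p in payload.split(" - ")]
            owner = parts[1] if len(parts) > 2 else ""
            folder, name = split_path(parts[-1])
            if name in SYSTEM_BINARIES and not folder.endswith("system32"):
                findings.append(Finding("HIGH", code, f"service image {name} outside System32", line))
            elif owner.lower() == "unknown owner":
                findings.append(Finding("MEDIUM", code, "service with unknown owner", line))
    return findings
```

Running `triage(SAMPLE_LOG)` yields three HIGH findings (the second Shell= executable, and svchost.exe running and registered as a service from C:\WINDOWS) and six MEDIUM ones; the Acrobat BHO and the vsmon service produce nothing.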
Post #16, Jun 23 2005, 10:47 AM
Malware Removal Goddess | Posts: 8,928 | From: Texas | OS: XP Home, XP Pro, ME
Did you download Messenger Plus! 3??
*Open HijackThis.
*Click on "Open Misc Tools Section".
*Make sure that both boxes beside "Generate StartupList Log" are checked: List all minor sections (Full) and List Empty Sections (Complete).
*Click "Generate StartupList Log".
*Click "Yes" at the prompt. It will produce a NotePad page.
I need you to copy the entire contents of that page and paste it here.
Post #17, Jun 24 2005, 11:26 AM
Member | Posts: 78 | OS: XP
Well... here it is, ma'am.
StartupList report, 24/06/2005, 13:24:37
StartupList version: 1.52.2
Started from : D:\Guz\hijackthis\HijackThis.EXE
Detected: Windows XP SP1 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
* Using default options
* Including empty and uninteresting sections
* Showing rarely important sections
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
D:\Archivos de programa\Zone Labs\ZoneAlarm\zlclient.exe
D:\Archivos de programa\Chaintech\DigiDoc\DigiDoc.exe
C:\Archivos de programa\Archivos comunes\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Archivos de programa\MSN Messenger\msnmsgr.exe
C:\WINDOWS\System32\ctfmon.exe
D:\Archivos de programa\Microsoft Office\Office10\WINWORD.EXE
C:\WINDOWS\msagent\AgentSvr.exe
C:\Archivos de programa\Internet Explorer\iexplore.exe
C:\Archivos de programa\Internet Explorer\iexplore.exe
D:\Guz\hijackthis\HijackThis.exe

--------------------------------------------------
Listing of startup folders:

Shell folders Startup:
[C:\Documents and Settings\gUzAnO\Menú Inicio\Programas\Inicio]
*No files*

Shell folders AltStartup:
*Folder not found*

User shell folders Startup:
*Folder not found*

User shell folders AltStartup:
*Folder not found*

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Menú Inicio\Programas\Inicio]
DigiDoc.lnk = D:\Archivos de programa\Chaintech\DigiDoc\DigiDoc.exe

Shell folders Common AltStartup:
*Folder not found*

User shell folders Common Startup:
*Folder not found*

User shell folders Alternate Common Startup:
*Folder not found*

--------------------------------------------------
Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

[HKLM\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*

[HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
*Registry value not found*

[HKCU\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*

--------------------------------------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

Zone Labs Client = D:\Archivos de programa\Zone Labs\ZoneAlarm\zlclient.exe
MSConfig = C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto

--------------------------------------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No values found*

--------------------------------------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*No values found*

--------------------------------------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

*Registry key not found*

--------------------------------------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*Registry key not found*

--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

*No values found*

--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

*Registry key not found*

--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*Registry key not found*

--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices

*Registry key not found*

--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*Registry key not found*

--------------------------------------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run

*Registry key not found*

--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run

*Registry key not found*

--------------------------------------------------
Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

[OptionalComponents]
*No values found*

--------------------------------------------------
Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No subkeys found*

--------------------------------------------------
Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*No subkeys found*

--------------------------------------------------
Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

*Registry key not found*

--------------------------------------------------
Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*Registry key not found*

--------------------------------------------------
Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

*No subkeys found*

--------------------------------------------------
Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

*Registry key not found*

--------------------------------------------------
Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*Registry key not found*

--------------------------------------------------
Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices

*Registry key not found*

--------------------------------------------------
Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*Registry key not found*

--------------------------------------------------
Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run

*Registry key not found*

--------------------------------------------------
Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run

*Registry key not found*

--------------------------------------------------
File association entry for .EXE:
HKEY_CLASSES_ROOT\exefile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------
File association entry for .COM:
HKEY_CLASSES_ROOT\comfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------
File association entry for .BAT:
HKEY_CLASSES_ROOT\batfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------
File association entry for .PIF:
HKEY_CLASSES_ROOT\piffile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------
File association entry for .SCR:
HKEY_CLASSES_ROOT\scrfile\shell\open\command

(Default) = "%1" /S

--------------------------------------------------
File association entry for .HTA:
HKEY_CLASSES_ROOT\htafile\shell\open\command

(Default) = C:\WINDOWS\System32\mshta.exe "%1" %*

--------------------------------------------------
File association entry for .TXT:
HKEY_CLASSES_ROOT\txtfile\shell\open\command

(Default) = %SystemRoot%\system32\NOTEPAD.EXE %1

--------------------------------------------------
Enumerating Active Setup stub paths:
HKLM\Software\Microsoft\Active Setup\Installed Components
(* = disabled by HKCU twin)

[>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
StubPath = C:\WINDOWS\INF\unregmp2.exe /ShowWMP

[>{26923b43-4d38-484f-9b9e-de460746276c}] *
StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigIE
[>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS] *
StubPath = RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP

[>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}] *
StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE

[{2C7339CF-2B09-4501-B3F3-F3508C9228ED}] *
StubPath = %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll

[{306D6C21-C1B6-4629-986C-E59E1875B8AF}]
StubPath = "C:\WINDOWS\System32\rundll32.exe" "C:\Archivos de programa\Messenger\msgsc.dll",ShowIconsUser

[{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install

[{44BBA842-CC51-11CF-AAFA-00AA00B6015B}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT

[{5945c046-1e7d-11d1-bc44-00c04fd912be}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.Install.PerUser

[{6BF52A52-394A-11d3-B153-00C04F79FAA6}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp10.inf,PerUserStub

[{7790769C-0471-11d2-AF11-00C04FA35D02}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install

[{89820200-ECBD-11cf-8B85-00AA005B4340}] *
StubPath = regsvr32.exe /s /n /i:U shell32.dll

[{89820200-ECBD-11cf-8B85-00AA005B4383}] *
StubPath = %SystemRoot%\system32\ie4uinit.exe

[{89B4C1CD-B018-4511-B0A1-5476DBF70820}] *
StubPath = C:\WINDOWS\System32\Rundll32.exe C:\WINDOWS\System32\mscories.dll,Install

--------------------------------------------------
Enumerating ICQ Agent Autostart apps:
HKCU\Software\Mirabilis\ICQ\Agent\Apps

*Registry key not found*

--------------------------------------------------
Load/Run keys from C:\WINDOWS\WIN.INI:

load=*INI section not found*
run=*INI section not found*

Load/Run keys from Registry:

HKLM\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKLM\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKLM\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKCU\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKCU\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\Windows: load=
HKCU\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: AppInit_DLLs=MsgPlusLoader.dll

--------------------------------------------------
Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=explorer.exe
SCRNSAVE.EXE=*Registry value not found*
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry value not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------
Checking for EXPLORER.EXE instances:

C:\WINDOWS\Explorer.exe: PRESENT!

C:\Explorer.exe: not present
C:\WINDOWS\Explorer\Explorer.exe: not present
C:\WINDOWS\System\Explorer.exe: not present
C:\WINDOWS\System32\Explorer.exe: not present
C:\WINDOWS\Command\Explorer.exe: not present
C:\WINDOWS\Fonts\Explorer.exe: not present

--------------------------------------------------
Checking for superhidden extensions:

.lnk: HIDDEN! (arrow overlay: yes)
.pif: HIDDEN! (arrow overlay: yes)
.exe: not hidden
.com: not hidden
.bat: not hidden
.hta: not hidden
.scr: not hidden
.shs: HIDDEN!
.shb: HIDDEN!
.vbs: not hidden
.vbe: not hidden
.wsh: not hidden
.scf: HIDDEN! (arrow overlay: NO!)
.url: HIDDEN! (arrow overlay: yes)
.js: not hidden
.jse: not hidden

--------------------------------------------------
Verifying REGEDIT.EXE integrity:

- Regedit.exe found in C:\WINDOWS
- .reg open command is normal (regedit.exe %1)
- Regedit.exe has no CompanyName property! It is either missing or named something else.
- Regedit.exe has no OriginalFilename property! It is either missing or named something else.
- Regedit.exe has no FileDescription property! It is either missing or named something else.

Registry check failed!

--------------------------------------------------
Enumerating Browser Helper Objects:

(no name) - D:\Archivos de programa\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}

--------------------------------------------------
Enumerating Task Scheduler jobs:

*No jobs found*

--------------------------------------------------
Enumerating Download Program Files:

[Office Update Installation Engine]
InProcServer32 = C:\WINDOWS\opuc.dll
CODEBASE = http://office.microsoft.com/officeupdate/content/opuc2.cab

[WUWebControl Class]
InProcServer32 = C:\WINDOWS\System32\wuweb.dll
CODEBASE = http://v5.windowsupdate.microsoft.com/v5co...b?1119539685390

[Java Plug-in 1.5.0_02]
InProcServer32 = C:\Archivos de programa\Java\jre1.5.0_02\bin\npjpi150_02.dll
CODEBASE = http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab

[Java Plug-in 1.5.0_02]
InProcServer32 = C:\Archivos de programa\Java\jre1.5.0_02\bin\npjpi150_02.dll
CODEBASE = http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\System32\macromed\flash\Flash.ocx
CODEBASE = http://download.macromedia.com/pub/shockwa...ash/swflash.cab

--------------------------------------------------
Enumerating Winsock LSP files:

NameSpace #1: C:\WINDOWS\System32\mswsock.dll
NameSpace #2: C:\WINDOWS\System32\winrnr.dll
NameSpace #3: C:\WINDOWS\System32\mswsock.dll
Protocol #1: C:\WINDOWS\system32\mswsock.dll
Protocol #2: C:\WINDOWS\system32\mswsock.dll
Protocol #3: C:\WINDOWS\system32\mswsock.dll
Protocol #4: C:\WINDOWS\system32\rsvpsp.dll
Protocol #5: C:\WINDOWS\system32\rsvpsp.dll
Protocol #6: C:\WINDOWS\system32\mswsock.dll
Protocol #7: C:\WINDOWS\system32\mswsock.dll
Protocol #8: C:\WINDOWS\system32\mswsock.dll
Protocol #9: C:\WINDOWS\system32\mswsock.dll
Protocol #10: C:\WINDOWS\system32\mswsock.dll
Protocol #11: C:\WINDOWS\system32\mswsock.dll
Protocol #12: C:\WINDOWS\system32\mswsock.dll
Protocol #13: C:\WINDOWS\system32\mswsock.dll

--------------------------------------------------
Enumerating Windows NT/2000/XP services

Controlador Microsoft ACPI: System32\DRIVERS\ACPI.sys (system)
Eliminador de eco acústico de núcleo de Microsoft: system32\drivers\aec.sys (manual start)
Entorno de compatibilidad de funciones de red AFD: \SystemRoot\System32\drivers\afd.sys (autostart)
Servicio de alerta: %SystemRoot%\System32\svchost.exe -k LocalService (manual start)
Servicio de puerta de enlace de capa de aplicación: %SystemRoot%\System32\alg.exe (manual start)
Administración de aplicaciones: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
Servicio de estado de ASP.NET: %SystemRoot%\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe (manual start)
Controlador de medios asíncronos de RAS: System32\DRIVERS\asyncmac.sys (manual start)
Controladora estándar IDE/ESDI de disco duro: System32\DRIVERS\atapi.sys (system)
Ati HotKey Poller: %SystemRoot%\System32\Ati2evxx.exe (autostart)
ATI Smart: C:\WINDOWS\system32\ati2sgag.exe (disabled)
ati2mtag: System32\DRIVERS\ati2mtag.sys (manual start)
Protocolo cliente ATM ARP: System32\DRIVERS\atmarpc.sys (manual start)
Audio de Windows: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Controlador auxiliar de audio: System32\DRIVERS\audstub.sys (manual start)
Servicio de transferencia inteligente en segundo plano: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Examinador de equipos: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
CIF USB Camera (2110A): System32\DRIVERS\cccp106.sys (manual start)
Descodificador de título cerrado: System32\DRIVERS\CCDECODE.sys (manual start)
Controlador de CD-ROM: System32\DRIVERS\cdrom.sys (system)
Servicio de Index Server: C:\WINDOWS\System32\cisvc.exe (manual start)
Portafolios: %SystemRoot%\system32\clipsrv.exe (manual start)
C-Media PCI Audio Driver (WDM): system32\drivers\cmaudio.sys (manual start)
Aplicación del sistema COM+: C:\WINDOWS\System32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235} (manual start)
Servicios de cifrado: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
d347bus: System32\DRIVERS\d347bus.sys (system)
d347prt: System32\Drivers\d347prt.sys (system)
Cliente DHCP: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Controlador de disco: System32\DRIVERS\disk.sys (system)
Servicio del administrador de discos lógicos: %SystemRoot%\System32\dmadmin.exe /com (manual start)
dmboot: System32\drivers\dmboot.sys (disabled)
Controlador del administrador de discos lógicos: System32\drivers\dmio.sys (system)
dmload: System32\drivers\dmload.sys (system)
Administrador de discos lógicos: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Sintetizador DLS Kernel de Microsoft: system32\drivers\DMusic.sys (manual start)
Cliente DNS: %SystemRoot%\System32\svchost.exe -k NetworkService (autostart)
Descodificador de audio DRM del núcleo de Microsoft: system32\drivers\drmkaud.sys (manual start)
NVIDIA EHCI Debugging Filter: System32\DRIVERS\usbfltr.sys (manual start)
Servicio de informe de errores: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Registro de sucesos: %SystemRoot%\system32\services.exe (autostart)
Sistema de sucesos COM+: C:\WINDOWS\System32\svchost.exe -k netsvcs (manual start)
ewido security suite control: D:\Archivos de programa\ewido\security suite\ewidoctrl.exe (disabled)
ewido security suite driver: \??\D:\Archivos de programa\ewido\security suite\guard.sys (system)
ewido security suite guard: D:\Archivos de programa\ewido\security suite\ewidoguard.exe (autostart)
Compatibilidad de cambio rápido de usuario: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Controlador de la unidad de disquete: System32\DRIVERS\fdc.sys (manual start)
Controlador de disquete: System32\DRIVERS\flpydisk.sys (manual start)
Controlador del administrador de volumen: System32\DRIVERS\ftdisk.sys (system)
Enumerador de puerto para juegos: System32\DRIVERS\gameenum.sys (manual start)
Clasificador de paquetes genéricos: System32\DRIVERS\msgpc.sys (manual start)
Ayuda y soporte técnico: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Acceso a dispositivo de interfaz humana: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
Controlador de clases HID de Microsoft: System32\DRIVERS\hidusb.sys (manual start)
IEEE-1284.4 Driver HPZid412: System32\DRIVERS\HPZid412.sys (manual start)
Print Class Driver for IEEE-1284.4 HPZipr12: System32\DRIVERS\HPZipr12.sys (manual start)
USB to IEEE-1284.4 Translation Driver HPZius12: System32\DRIVERS\HPZius12.sys (manual start)
Teclado i8042 y controlador de puerto de mouse PS/2: System32\DRIVERS\i8042prt.sys (system)
Controlador de filtro de grabación de CD: System32\DRIVERS\imapi.sys (system)
Servicio COM de grabación de CD de IMAPI: C:\WINDOWS\System32\imapi.exe (manual start)
Controlador de filtro de tráfico IP: System32\DRIVERS\ipfltdrv.sys (manual start)
Controlador de túnel IP en IP: System32\DRIVERS\ipinip.sys (manual start)
Traductor de direcciones de red IP: System32\DRIVERS\ipnat.sys (manual start)
Controlador IPSEC: System32\DRIVERS\ipsec.sys (system)
Servicio enumerador IR: System32\DRIVERS\irenum.sys (manual start)
Controlador de bus PnP ISA/EISA: System32\DRIVERS\isapnp.sys (system)
Controlador de clase de teclado: System32\DRIVERS\kbdclass.sys (system)
KLIF: \??\C:\WINDOWS\system32\drivers\klif.sys (disabled)
Mezclador de audio de onda Microsoft Kernel: system32\drivers\kmixer.sys (manual start)
Servidor: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Estación de trabajo: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Ayuda de NetBIOS sobre TCP/IP: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
Machine Debug Manager: "C:\Archivos de programa\Archivos comunes\Microsoft Shared\VS7Debug\mdm.exe" (autostart)
MemAccess Library Driver: \SystemRoot\System32\memacc.sys (autostart)
Mensajero: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Escritorio remoto compartido de NetMeeting: C:\WINDOWS\System32\mnmsrvc.exe (manual start)
Controlador de clase de mouse: System32\DRIVERS\mouclass.sys (system)
Redirector de cliente WebDav: System32\DRIVERS\mrxdav.sys (manual start)
MRXSMB: System32\DRIVERS\mrxsmb.sys (system)
Coordinador de transacciones distribuidas de Microsoft: C:\WINDOWS\System32\msdtc.exe (manual start)
Windows Installer: C:\WINDOWS\System32\msiexec.exe /V (manual start)
Proxy de servicio de transferencia de Microsoft: system32\drivers\MSKSSRV.sys (manual start)
Proxy del reloj de transferencia de Microsoft: system32\drivers\MSPCLOCK.sys (manual start)
Proxy del administrador de calidad de transferencia de Microsoft: system32\drivers\MSPQM.sys (manual start)
Convertidor Tee/Sink-to-Sink de transferencia de Microsoft: system32\drivers\MSTEE.sys (manual start)
Controlador UART MIDI Microsoft MPU-401: system32\drivers\msmpu401.sys (manual start)
Códec NABTS/FEC VBI: System32\DRIVERS\NABTSFEC.sys (manual start)
Conexión de TV/Vídeo de Microsoft: System32\DRIVERS\NdisIP.sys (manual start)
Controlador TAPI NDIS de acceso remoto: System32\DRIVERS\ndistapi.sys (manual start)
Protocolo E/S en modo de usuario NDIS: System32\DRIVERS\ndisuio.sys (manual start)
Controlador WAN NDIS de acceso remoto: System32\DRIVERS\ndiswan.sys (manual start)
Interfaz de NetBIOS: System32\DRIVERS\netbios.sys (system)
NetBios a través de Tcpip: System32\DRIVERS\netbt.sys (system)
DDE de red: %SystemRoot%\system32\netdde.exe (manual start)
DSDM de DDE de red: %SystemRoot%\system32\netdde.exe (manual start)
Inicio de sesión en red: %SystemRoot%\System32\lsass.exe (manual start)
Conexiones de red: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
NLA (Network Location Awareness): %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Proveedor de compatibilidad con seguridad LM de Windows NT: %SystemRoot%\System32\lsass.exe (manual start)
Medios de almacenamiento extraíbles: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
NVIDIA nForce MCP Networking Adapter Driver: System32\DRIVERS\NVENET.sys (manual start)
nvidesm: System32\DRIVERS\nvidesm.sys (system)
NVIDIA nForce AGP Bus Filter: System32\DRIVERS\nv_agp.sys (system)
Controlador de filtro de tráfico IPX: System32\DRIVERS\nwlnkflt.sys (manual start)
Controlador retransmisor de tráfico IPX: System32\DRIVERS\nwlnkfwd.sys (manual start)
Controlador de puerto paralelo: System32\DRIVERS\parport.sys (manual start)
Pcatip: System32\DRIVERS\Pcatip.sys (manual start)
PCI Bus Driver: System32\DRIVERS\pci.sys (system)
PCIIde: System32\DRIVERS\pciide.sys (system)
Low level access layer for CD devices: System32\Drivers\Pcouffin.sys (manual start)
Plug and Play: %SystemRoot%\system32\services.exe (autostart)
Pml Driver HPZ12: C:\WINDOWS\System32\HPZipm12.exe (disabled)
Servicios IPSEC: %SystemRoot%\System32\lsass.exe (autostart)
Minipuerto WAN (PPTP): System32\DRIVERS\raspptp.sys (manual start)
Controlador de procesador: System32\DRIVERS\processr.sys (system)
Almacenamiento protegido: %SystemRoot%\system32\lsass.exe (autostart)
Programador de paquetes QoS: System32\DRIVERS\psched.sys (manual start)
Controlador de vínculo paralelo directo: System32\DRIVERS\ptilink.sys (manual start)
PxHelp20: System32\Drivers\PxHelp20.sys (system)
Controlador de conexión automática de acceso remoto: System32\DRIVERS\rasacd.sys (system)
Administrador de conexión automática de acceso remoto: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Minipuerto WAN (L2TP): System32\DRIVERS\rasl2tp.sys (manual start) Administrador de conexión de acceso remoto: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start) Controlador de acceso remoto PPPOE: System32\DRIVERS\raspppoe.sys (manual start) Paralelo directo: System32\DRIVERS\raspti.sys (manual start) Rdbss: System32\DRIVERS\rdbss.sys (system) RDPCDD: System32\DRIVERS\RDPCDD.sys (system) Controlador de redireccionamiento de dispositivos de Terminal Server: System32\DRIVERS\rdpdr.sys (manual start) Administrador de sesión de Ayuda de escritorio remoto: C:\WINDOWS\system32\sessmgr.exe (manual start) Controlador de filtro de reproducción de CD de sonido digital: System32\DRIVERS\redbook.sys (system) Enrutamiento y acceso remoto: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled) Registro remoto: %SystemRoot%\system32\svchost.exe -k LocalService (autostart) Localizador de llamadas a procedimiento remoto (RPC): %SystemRoot%\System32\locator.exe (manual start) Llamada a procedimiento remoto(RPC): %SystemRoot%\system32\svchost -k rpcss (autostart) QoS RSVP: %SystemRoot%\System32\rsvp.exe (manual start) Administrador de cuentas de seguridad: %SystemRoot%\system32\lsass.exe (autostart) Sistema de ayuda de tarjeta inteligente: %SystemRoot%\System32\SCardSvr.exe (manual start) Tarjeta inteligente: %SystemRoot%\System32\SCardSvr.exe (manual start) Programador de tareas: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart) Secdrv: System32\DRIVERS\secdrv.sys (autostart) Inicio de sesión secundario: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart) Notificación de sucesos del sistema: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart) Controlador de filtro Serenum: System32\DRIVERS\serenum.sys (manual start) Controlador de puerto serie: System32\DRIVERS\serial.sys (system) Detección de hardware shell: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart) BDA Slip De-Framer: System32\DRIVERS\SLIP.sys (manual start) Divisor de audio del núcleo de 
Microsoft: system32\drivers\splitter.sys (manual start) Cola de impresión: %SystemRoot%\system32\spoolsv.exe (autostart) Controlador de filtro de Restaurar sistema: System32\DRIVERS\sr.sys (system) Servicio de restauración de sistema: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart) Srv: System32\DRIVERS\srv.sys (manual start) Servicio de descubrimientos SSDP: %SystemRoot%\System32\svchost.exe -k LocalService (manual start) Adquisición de imágenes de Windows (WIA): %SystemRoot%\System32\svchost.exe -k imgsvc (autostart) Receptor BDA IP: System32\DRIVERS\StreamIP.sys (manual start) Controlador del bus de software: System32\DRIVERS\swenum.sys (manual start) Sintetizador de tabla de onda Microsoft Kernel GS: system32\drivers\swmidi.sys (manual start) MS Software Shadow Copy Provider: C:\WINDOWS\System32\dllhost.exe /Processid:{2A7BD3E4-51F0-4380-91EF-69943BC95E2A} (manual start) Dispositivo de sonido del sistema Kernel de Microsoft: system32\drivers\sysaudio.sys (manual start) Registros y alertas de rendimiento: %SystemRoot%\system32\smlogsvc.exe (manual start) Telefonía: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start) Controlador de protocolo TCP/IP: System32\DRIVERS\tcpip.sys (system) Controlador de dispositivo de terminal: System32\DRIVERS\termdd.sys (system) Servicios de Terminal Server: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start) Temas: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart) Telnet: C:\WINDOWS\System32\tlntsvr.exe (manual start) Cliente de seguimiento de vinculos distribuidos: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart) Windows User Mode Driver Framework: C:\WINDOWS\System32\wdfmgr.exe (autostart) Dispositivo de actualización Microcode: System32\DRIVERS\update.sys (manual start) Administrador de carga: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart) Host de dispositivo Plug and Play universal: %SystemRoot%\System32\svchost.exe -k LocalService (manual start) Sistema de alimentación 
ininterrumpida: %SystemRoot%\System32\ups.exe (manual start) Controlador primario genérico USB de Microsoft: System32\DRIVERS\usbccgp.sys (manual start) Microsoft USB 2.0 Enhanced Host Controller Miniport Driver: System32\DRIVERS\usbehci.sys (manual start) Concentrador habilitado USB2: System32\DRIVERS\usbhub.sys (manual start) Controlador minipuerto de la controladora de host abierto USB de Microsoft: System32\DRIVERS\usbohci.sys (manual start) Clase de impresora USB de Microsoft: System32\DRIVERS\usbprint.sys (manual start) Controlador de escáner USB: System32\DRIVERS\usbscan.sys (manual start) Dispositivo de almacenamiento masivo de datos USB: System32\DRIVERS\USBSTOR.SYS (manual start) Controlador de pantalla VGA.: \SystemRoot\System32\drivers\vga.sys (system) vsdatant: System32\vsdatant.sys (system) TrueVector Internet Monitor: C:\WINDOWS\system32\ZoneLabs\vsmon.exe -service (autostart) Instantáneas de volumen: %SystemRoot%\System32\vssvc.exe (manual start) Horario de Windows: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart) Controlador ARP IP de acceso remoto: System32\DRIVERS\wanarp.sys (manual start) Controlador de compatibilidad de audio Microsoft WINMM WDM: system32\drivers\wdmaud.sys (manual start) Cliente Web: %SystemRoot%\System32\svchost.exe -k LocalService (autostart) Instrumental de administración de Windows: %systemroot%\system32\svchost.exe -k netsvcs (autostart) Portable Media Serial Number Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start) Extensiones de controlador de Instrumental de administración de Windows: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start) Adaptador de rendimiento de WMI: C:\WINDOWS\System32\wbem\wmiapsrv.exe (manual start) Códec de teletexto estándar mundial: System32\DRIVERS\WSTCODEC.SYS (manual start) Actualizaciones automáticas: %systemroot%\system32\svchost.exe -k netsvcs (autostart) Configuración inalámbrica rápida: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart) NTPort 
Library Driver: \SystemRoot\System32\zntport.sys (autostart) -------------------------------------------------- Enumerating Windows NT logon/logoff scripts: *No scripts set to run* Windows NT checkdisk command: BootExecute = autocheck autochk * Windows NT 'Wininit.ini': PendingFileRenameOperations: C:\DOCUME~1\gUzAnO\CONFIG~1\Temp\A~NSISu_.exe||C:\||C:\DOCUME~1\gUzAnO\CONFIG~1\Temp\nse7.tmp\Utils.dll||C:\DOCUME~1\gUzAnO\CONFIG~1\Temp\nse7.tmp\|||C -------------------------------------------------- Enumerating ShellServiceObjectDelayLoad items: PostBootReminder: C:\WINDOWS\system32\SHELL32.dll CDBurn: C:\WINDOWS\system32\SHELL32.dll WebCheck: C:\WINDOWS\System32\webcheck.dll SysTray: C:\WINDOWS\System32\stobject.dll -------------------------------------------------- Autorun entries from Registry: HKCU\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run *Registry key not found* -------------------------------------------------- Autorun entries from Registry: HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run *Registry key not found* -------------------------------------------------- End of report, 33.258 bytes Report generated in 0,172 seconds Command line options: /verbose - to add additional info on each section /complete - to include empty sections and unsuspicious data /full - to include several rarely-important sections /force9x - to include Win9x-only startups even if running on WinNT /forcent - to include WinNT-only startups even if running on Win9x /forceall - to include all Win9x and WinNT startups, regardless of platform /history - to list version history only Regards, G. |
Jun 24 2005, 03:03 PM
Post
#18
Malware Removal Goddess Posts: 8,928 From: Texas OS: XP Home, XP Pro, ME
You chose not to allow the sponsor program, which is great. If you had allowed the sponsor program, your system would have been infected with LOP, so you are very lucky!
Post a new HiJackThis log for me please.

This post has been edited by bananafanafo: Jun 24 2005, 03:05 PM
Jun 24 2005, 03:22 PM
Post
#19
Member Posts: 78 OS: XP
ahm...
Logfile of HijackThis v1.99.1
Scan saved at 17:20:47, on 24/06/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Archivos de programa\Archivos comunes\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
D:\Archivos de programa\Zone Labs\ZoneAlarm\zlclient.exe
C:\Archivos de programa\Messenger\MSMSGS.EXE
D:\Archivos de programa\Chaintech\DigiDoc\DigiDoc.exe
C:\Archivos de programa\Internet Explorer\iexplore.exe
C:\Archivos de programa\MSN Messenger\msnmsgr.exe
C:\Archivos de programa\Internet Explorer\iexplore.exe
D:\Guz\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Archivos de programa\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [Zone Labs Client] D:\Archivos de programa\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Archivos de programa\Messenger\MSMSGS.EXE" /background
O4 - Global Startup: DigiDoc.lnk = D:\Archivos de programa\Chaintech\DigiDoc\DigiDoc.exe
O8 - Extra context menu item: &Download with &DAP - D:\ARCHIV~1\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - D:\ARCHIV~1\DAP\dapextie2.htm
O9 - Extra button: Run DAP - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - D:\ARCHIV~1\DAP\DAP.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\MSMSGS.EXE
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1119539685390
O20 - AppInit_DLLs: MsgPlusLoader.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ewido security suite guard - ewido networks - D:\Archivos de programa\ewido\security suite\ewidoguard.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

Regards, G.
Jun 24 2005, 05:15 PM
Post
#20
Malware Removal Goddess Posts: 8,928 From: Texas OS: XP Home, XP Pro, ME
I don't see any evidence of the LOP infection in your logs so it may have been just some random file that made it to your system. Let's do this:
MWav eScan

Download it, double-click mwav.exe, then unzip it. On the main page leave everything checked and put a check next to "drive", then click "scan clean". While the scan is in progress, there will be a window listing infected items. When it's done, please highlight the items in that window, then press CTRL+C to copy it, then paste it here.
Jun 24 2005, 10:10 PM
Post
#21
Member Posts: 78 OS: XP
Here it is.. the program just deleted the files it thought suspicious :s Hope this helps... Here's the "LOG":
Fri Jun 24 23:19:16 2005 => Scanning File C:\WINDOWS\System32\web.exe
Fri Jun 24 23:19:17 2005 => File C:\WINDOWS\System32\web.exe infected by "Trojan-Downloader.Win32.Small.agq" Virus. Action Taken: File Deleted.
Fri Jun 24 23:24:53 2005 => Scanning File C:\Documents and Settings\gUzAnO\Datos de programa\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-2fa9f21f-1bb04959.zip
Fri Jun 24 23:24:53 2005 => File C:\Documents and Settings\gUzAnO\Datos de programa\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-2fa9f21f-1bb04959.zip infected by "Trojan.Java.ClassLoader.c" Virus. Action Taken: File Deleted.
Fri Jun 24 23:26:39 2005 => Scanning File C:\System Volume Information\_restore{331D3E74-13D6-44A2-9761-448CAADE1705}\RP98\A0019050.exe
Fri Jun 24 23:26:39 2005 => File C:\System Volume Information\_restore{331D3E74-13D6-44A2-9761-448CAADE1705}\RP98\A0019050.exe infected by "Trojan-Downloader.Win32.Small.agq" Virus. Action Taken: File Deleted.
Fri Jun 24 23:45:38 2005 => Scanning File D:\Guz\hijackthis\backups\backup-20050512-084750-588.dll
Fri Jun 24 23:45:39 2005 => File D:\Guz\hijackthis\backups\backup-20050512-084750-588.dll infected by "Trojan-Downloader.Win32.Swizzor.bo" Virus. Action Taken: File Deleted.
Fri Jun 24 23:45:39 2005 => Scanning File D:\Guz\hijackthis\backups\backup-20050512-150600-452.dll
Fri Jun 24 23:45:39 2005 => File D:\Guz\hijackthis\backups\backup-20050512-150600-452.dll infected by "Trojan-Downloader.Win32.Swizzor.bo" Virus. Action Taken: File Deleted.
Fri Jun 24 23:45:39 2005 => Scanning File D:\Guz\hijackthis\backups\backup-20050614-225902-267.dll
Fri Jun 24 23:45:39 2005 => File D:\Guz\hijackthis\backups\backup-20050614-225902-267.dll infected by "Trojan-Downloader.Win32.Agent.pi" Virus. Action Taken: File Deleted.
Fri Jun 24 23:45:40 2005 => Scanning File D:\Guz\hijackthis\FIXED SPYWARE\Nailfix\Process.exe
Fri Jun 24 23:45:40 2005 => File D:\Guz\hijackthis\FIXED SPYWARE\Nailfix\Process.exe tagged as not-a-virus:Tool.Win32.Processor.20. No Action Taken.
Fri Jun 24 23:45:40 2005 => Scanning File D:\Guz\hijackthis\FIXED SPYWARE\Nailfix.zip
Fri Jun 24 23:45:40 2005 => File D:\Guz\hijackthis\FIXED SPYWARE\Nailfix.zip tagged as not-a-virus:Tool.Win32.Processor.20. No Action Taken.
Fri Jun 24 23:46:59 2005 => Scanning File D:\System Volume Information\_restore{331D3E74-13D6-44A2-9761-448CAADE1705}\RP98\A0019051.dll
Fri Jun 24 23:46:59 2005 => File D:\System Volume Information\_restore{331D3E74-13D6-44A2-9761-448CAADE1705}\RP98\A0019051.dll infected by "Trojan-Downloader.Win32.Swizzor.bo" Virus. Action Taken: File Deleted.
Fri Jun 24 23:46:59 2005 => Scanning File D:\System Volume Information\_restore{331D3E74-13D6-44A2-9761-448CAADE1705}\RP98\A0019052.dll
Fri Jun 24 23:46:59 2005 => File D:\System Volume Information\_restore{331D3E74-13D6-44A2-9761-448CAADE1705}\RP98\A0019052.dll infected by "Trojan-Downloader.Win32.Swizzor.bo" Virus. Action Taken: File Deleted.
Fri Jun 24 23:46:59 2005 => Scanning File D:\System Volume Information\_restore{331D3E74-13D6-44A2-9761-448CAADE1705}\RP98\A0019053.dll
Fri Jun 24 23:47:00 2005 => File D:\System Volume Information\_restore{331D3E74-13D6-44A2-9761-448CAADE1705}\RP98\A0019053.dll infected by "Trojan-Downloader.Win32.Agent.pi" Virus. Action Taken: File Deleted.
Fri Jun 24 23:47:08 2005 => ***** Checking for specific ITW Viruses *****
Fri Jun 24 23:47:08 2005 => Checking for Welchia Virus...
Fri Jun 24 23:47:08 2005 => Checking for LovGate Virus...
Fri Jun 24 23:47:08 2005 => Checking for CodeRed Virus...
Fri Jun 24 23:47:08 2005 => Checking for OpaServ Virus...
Fri Jun 24 23:47:08 2005 => Checking for Sobig.e Virus...
Fri Jun 24 23:47:08 2005 => Checking for Winupie Virus...
Fri Jun 24 23:47:08 2005 => Checking for Swen Virus...
Fri Jun 24 23:47:08 2005 => Checking for JS.Fortnight Virus...
Fri Jun 24 23:47:08 2005 => Checking for Novarg Virus...
Fri Jun 24 23:47:08 2005 => Checking for Pagabot Virus...
Fri Jun 24 23:47:08 2005 => Checking for Parite.b Virus...
Fri Jun 24 23:47:08 2005 => Checking for Parite.a Virus...
Fri Jun 24 23:47:09 2005 => ***** Scanning complete. *****
Fri Jun 24 23:47:09 2005 => Total Number of Files Scanned: 45459
Fri Jun 24 23:47:09 2005 => Total Number of Virus(es) Found: 11
Fri Jun 24 23:47:09 2005 => Total Number of Disinfected Files: 0
Fri Jun 24 23:47:09 2005 => Total Number of Files Renamed: 0
Fri Jun 24 23:47:09 2005 => Total Number of Deleted Files: 9
Fri Jun 24 23:47:09 2005 => Total Number of Errors: 0
Fri Jun 24 23:47:09 2005 => Time Elapsed: 00:30:07
Fri Jun 24 23:47:09 2005 => Virus Database Date: 2005/06/17
Fri Jun 24 23:47:09 2005 => Virus Database Count: 135132
Fri Jun 24 23:47:09 2005 => Scan Completed.

Regards, G.
Jun 25 2005, 03:41 AM
Post
#22
Malware Removal Goddess Posts: 8,928 From: Texas OS: XP Home, XP Pro, ME
Ah, I see what the problem might be. You have some Java viruses. So, let's clear them out!
1. Click Start > Control Panel.
2. Double-click the Java icon (coffee cup) in the control panel. (If it says "Java Plug-in" under the icon, please find the update button in the Java control panel. Update your Java (otherwise you won't be able to continue!), reboot, and then follow the rest of the instructions.)
3. Under Temporary Internet Files, click the Delete Files button. There are three options on this window to clear the cache - leave ALL 3 checked.
   1. Downloaded Applets
   2. Downloaded Applications
   3. Other Files
4. Click OK on the Delete Temporary Files window. Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
5. Click OK to leave the Java Control Panel.

This post has been edited by bananafanafo: Jun 25 2005, 03:42 AM
Jul 2 2005, 03:01 PM
Post
#23
Member Posts: 78 OS: XP
hi there again
Logfile of HijackThis v1.99.1
Scan saved at 16:52:24, on 02-07-2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Archivos de programa\Archivos comunes\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Archivos de programa\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\pctspk.exe
C:\Archivos de programa\Archivos comunes\Symantec Shared\ccApp.exe
C:\Archivos de programa\MSN Apps\Updater\01.02.3000.1001\es\msnappau.exe
C:\Archivos de programa\iTunes\iTunesHelper.exe
C:\Archivos de programa\QuickTime\qttask.exe
C:\Archivos de programa\Symantec\LiveUpdate\ALUNOTIFY.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\Archivos de programa\Messenger\MSMSGS.EXE
C:\Archivos de programa\D-Link AirPlus\AirPlus.exe
C:\Archivos de programa\iPod\bin\iPodService.exe
C:\TEMPORAL\SpySub.exe
C:\TEMPORAL\EWIDO\security suite\ewidoguard.exe
C:\TEMPORAL\EWIDO\security suite\ewidoctrl.exe
C:\TEMPORAL\EWIDO\security suite\securitysuite.exe
C:\TEMPORAL\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://nuyeiekleviefeeotmyaoasot.com/mcasX...evKk6_5HHV.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Archivos de programa\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Archivos de programa\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Archivos de programa\MSN Apps\MSN Toolbar\01.02.4000.1001\es\msntb.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Archivos de programa\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Archivos de programa\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Archivos de programa\MSN Apps\MSN Toolbar\01.02.4000.1001\es\msntb.dll
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [ccApp] "C:\Archivos de programa\Archivos comunes\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Archivos de programa\Archivos comunes\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\ARCHIV~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [msnappau] "C:\Archivos de programa\MSN Apps\Updater\01.02.3000.1001\es\msnappau.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Archivos de programa\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Archivos de programa\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ALUAlert] C:\Archivos de programa\Symantec\LiveUpdate\ALUNOTIFY.EXE
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Archivos de programa\Messenger\MSMSGS.EXE" /background
O4 - Global Startup: D-Link AirPlus.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Archivos de programa\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: SpySubtract.lnk = C:\TEMPORAL\SpySub.exe
O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\ARCHIV~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Archivos de programa\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {30CE93AE-4987-483C-9ABE-F2BD5301AB70} - http://64.158.165.49/output/100039/uk/dbga...dsldbaccess.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by10fd.bay10.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1112820578616
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Archivos de programa\Archivos comunes\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Archivos de programa\Archivos comunes\Symantec Shared\ccPwdSvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\TEMPORAL\EWIDO\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\TEMPORAL\EWIDO\security suite\ewidoguard.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Archivos de programa\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Archivos de programa\Norton AntiVirus\navapsvc.exe
O23 - Service: W2k PCtel speaker phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\ARCHIV~1\ARCHIV~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Archivos de programa\Archivos comunes\Symantec Shared\SNDSrvc.exe

This post has been edited by gUzAnO: Jul 2 2005, 03:02 PM
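A small triage script for the HijackThis 1.99.1 log format used throughout this thread, added here as an example; it is not code from the thread, from HijackThis, or from any poster. It assumes a constructed sample made from a few of the entries posted above, an allowlist of trusted browser hosts that is my own, and review heuristics that are my own rather than HijackThis's rules: a search/start page on a host outside the allowlist, an O4 Run value that is a bare file name, an O16 ActiveX download from a bare IP address, and any O20 AppInit_DLLs entry.

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from ipaddress import ip_address
from urllib.parse import urlparse

# Constructed sample: a handful of entries copied from the logs posted in this thread.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://nuyeiekleviefeeotmyaoasot.com/mcasX...evKk6_5HHV.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Archivos de programa\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [ccApp] "C:\Archivos de programa\Archivos comunes\Symantec Shared\ccApp.exe"
O16 - DPF: {30CE93AE-4987-483C-9ABE-F2BD5301AB70} - http://64.158.165.49/output/100039/uk/dbga...dsldbaccess.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1112820578616
O20 - AppInit_DLLs: MsgPlusLoader.dll
O23 - Service: ewido security suite guard - ewido networks - C:\TEMPORAL\EWIDO\security suite\ewidoguard.exe
"""

# Assumed reviewer allowlist for browser start/search pages (not an official list).
TRUSTED_HOSTS = ("microsoft.com", "msn.com", "hotmail.com", "google.com")

ENTRY_RE = re.compile(r"^(?P<section>[RFO]\d{1,2}) - (?P<body>.*)$")  # "O16 - DPF: ..."
URL_RE = re.compile(r"https?://\S+")
RUN_RE = re.compile(r"\\Run: \[(?P<name>[^\]]*)\] (?P<target>.*)$")  # "[name] target"


@dataclass
class Entry:
    section: str  # "R1", "O4", "O16", ...
    body: str     # everything after "Xn - "


@dataclass
class Finding:
    section: str
    reason: str
    body: str


def parse_hjt(text: str) -> list[Entry]:
    """Keep only the 'Xn - ...' entry lines; the header and process list are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(m["section"], m["body"]))
    return entries


def _host_of(body: str) -> str | None:
    m = URL_RE.search(body)
    return urlparse(m.group(0)).hostname if m else None


def _is_trusted(host: str) -> bool:
    return any(host == t or host.endswith("." + t) for t in TRUSTED_HOSTS)


def triage(text: str) -> list[Finding]:
    """Apply review heuristics (assumptions of this example, not HijackThis's own rules)."""
    findings = []
    for e in parse_hjt(text):
        if e.section in ("R0", "R1"):
            # Start/search page hijacks live here; surface any host not on the allowlist.
            host = _host_of(e.body)
            if host and not _is_trusted(host):
                findings.append(Finding(e.section, f"start/search page on unfamiliar host {host}", e.body))
        elif e.section == "O4":
            # A Run value that is a bare file name is resolved from the search path at logon.
            m = RUN_RE.search(e.body)
            if m:
                exe = m["target"].strip().strip('"').split()[0]
                if "\\" not in exe:
                    findings.append(Finding(e.section, f"Run entry with bare file name {exe}", e.body))
        elif e.section == "O16":
            # Downloaded Program Files: an ActiveX control fetched from a bare IP has no vendor behind it.
            host = _host_of(e.body)
            try:
                ip_address(host or "")
                findings.append(Finding(e.section, f"ActiveX download from bare IP {host}", e.body))
            except ValueError:
                pass
        elif e.section == "O20":
            # AppInit_DLLs is loaded into every process that links user32.dll.
            findings.append(Finding(e.section, "AppInit_DLLs entry loaded into every user32 process", e.body))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:<4} {f.reason}\n     {f.body}")
```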
Jul 2 2005, 03:14 PM
Post
#24
Malware Removal Goddess Posts: 8,928 From: Texas OS: XP Home, XP Pro, ME
If you're not having any other problems with your system, you're welcome.
For your friend's system, I recommend starting a new topic with his HiJackThis log.

For your system, I recommend XP Service Pack 2. Go to http://www.microsoft.com click on "Windows Update" on the left side then click.

Congratulations, your log is clean! Great job on the clean up. I recommend checking the http://www.microsoft.com website periodically for critical updates to install.

Here are some tips to reduce the potential for spyware infection in the future. I strongly recommend installing the following applications:

Ewido Security Suite <= Protection against Trojans, Worms, Dialers, Hijackers, Spyware, and Keyloggers.

Detect and Remove Programs:
Jul 2 2005, 03:25 PM
Post
#25
Member Posts: 78 OS: XP
Well, my system is still having some troubles, but I think I can't get rid of 'em. For example, on this page http://www.inacap.cl (it's like the page of a college) I can't see all the buttons (I think it's a Macromedia Shockwave app or a Java app), and I did whatever you said and I still can't get rid of it, BUT other pages came to work normally after that and after some appropriate configuration of ZA. I do have EWIDO running on my system, Zone Alarm too, SpywareBlaster and Ad-Aware; I lack a good antivirus like Kaspersky because I tried AVG Free Edition and it's not as good as Kaspersky or other "top" AVs.. :/ And I don't like SP2 because last time I installed it my system became a mess!! and I had to format it :s I really really REEEEEEEEEEEEEEEAAAAAAAALLLLLLLLLLLYYYYYY appreciate your help, I'm doubtless in debt with you, thank you very very much, and I will start a new log for my friend's PC.
Jul 2 2005, 03:29 PM
Post
#26
Malware Removal Goddess Posts: 8,928 From: Texas OS: XP Home, XP Pro, ME
It sounds like a problem with your java program. I recommend uninstalling Sun Java, then re-installing it.
As far as SP2 messing up your system, it will do that if you try installing it while your system is still infected. Your system was highly infected when you got here with just SP1, so I'm just letting you know your system will become infected again if you do not install Service Pack 2. Installed on a clean system, it will be fine. I have Service Pack 2 and not a single problem.
Jul 2 2005, 03:31 PM
Post
#27
Member Posts: 78 OS: XP
Will you help me with my friend's PC?
Jul 2 2005, 03:33 PM
Post
#28
Malware Removal Goddess Posts: 8,928 From: Texas OS: XP Home, XP Pro, ME
Post a new topic. Someone may get to it before me because I have to go for a few hours. You will get helped, though.
Jul 3 2005, 01:58 AM
Post
#29
Malware Removal Goddess Posts: 8,928 From: Texas OS: XP Home, XP Pro, ME
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help.
If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread. Everyone else please begin a New Topic.