This is a relatively new installation of Windows XP (SP1). Just after the initial activation of my ADSL internet provider account, a virus and a worm entered the system. They were detected but not deleted by the first antivirus I had installed (McAfee VirusScan). Later, AVG Free antivirus deleted another virus but now doesn't find anything. I couldn't update VirusScan and also couldn't reactivate its online scan (it seemed to have taken control of VirusScan), so I deleted it (I couldn't do a clean uninstallation from Control Panel / Add-Remove Programs, so I manually deleted most of the files, the ones I was able to). So now VirusScan doesn't work. Just in case, I have AVG running.
Symptoms: after entering Windows, some things can happen:
1) The computer seems to be frozen when I try to open any file (e.g. a Word file). No Ctrl-Alt-Del, only unplugging.
2) After connecting to the internet, a lot of data is uploading and downloading without my intervention, but there is no internet access to any web page.
3) Not so bad behaviour, as now (fortunately!): only some web pages are not available at the first try, but they are after refreshing.
Java seems not to be working (for example, I cannot change the color of this text or underline some words with the icons above).
Online Panda doesn't work when I try to scan the computer.
Ad-Aware doesn't find anything, nor does AVG Anti-Spyware:
---------------------------------------------------------
AVG Anti-Spyware - Informe del análisis
---------------------------------------------------------
+ Creado en: 5:52:29 PM 12/2/2006
+ Resultado del análisis:
C:\WINDOWS\system32\TFTP2348 -> Backdoor.Rbot : Limpios.
C:\WINDOWS\system32\TFTP428 -> Backdoor.Rbot : Limpios.
C:\Documents and Settings\Master\Cookies\master@com[1].txt ->
TrackingCookie.Com : Limpios.
::Fin del informe
---------------------------------------------------------
Hijackthis log:
Logfile of HijackThis v1.99.1
Scan saved at 12:22:59 AM, on 12/3/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Archivos de programa\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\ARCHIV~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\ARCHIV~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\ARCHIV~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Archivos de programa\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Archivos de programa\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
C:\Archivos de programa\eMule\emule.exe
C:\Archivos de programa\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Archivos de programa\Huawei Technologies\Huawei SmartAX MT810\dslmon.exe
C:\Archivos de programa\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Archivos de programa\Internet Explorer\iexplore.exe
F:\Mis Documentos\Gabriel\Downloads\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Archivos de programa\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\archivos de programa\google\googletoolbar1.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Archivos de programa\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\archivos de programa\google\googletoolbar1.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Archivos de programa\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\System32\igfxpers.exe
O4 - HKLM\..\Run: [Windows Update Firewall System] ctfmoz.exe
O4 - HKLM\..\Run: [Microsoft dll Host Service ] wstde.exe
O4 - HKLM\..\Run: [Microsoft Security Monitor Process] C:\WINDOWS\msmp.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\ARCHIV~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Archivos de programa\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\RunServices: [Windows Update Firewall System] ctfmoz.exe
O4 - HKLM\..\RunServices: [Microsoft dll Host Service ] wstde.exe
O4 - HKLM\..\RunServices: [Windows modes Verifiexr] windogom.exe
O4 - HKLM\..\RunServices: [Microsoft Security Monitor Process] C:\WINDOWS\msmp.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Archivos de programa\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Microsoft dll Host Service ] wstde.exe
O4 - HKCU\..\Run: [eMuleAutoStart] C:\Archivos de programa\eMule\emule.exe -AutoStart
O4 - HKCU\..\RunServices: [Microsoft dll Host Service ] wstde.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Archivos de programa\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: DSLMON.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\ARCHIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARCHIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros.../client/wuweb_site.cab?1164851623820
O17 - HKLM\System\CCS\Services\Tcpip\..\{0F7EAF61-C7BE-4D6B-B51B-34B2FE44FE21}: NameServer = 200.42.0.108,200.42.0.109
O17 - HKLM\System\CCS\Services\Tcpip\..\{EAC979D5-4381-4592-8907-6F62A3C99D6E}: NameServer = 200.45.191.35 200.45.191.40
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\ARCHIV~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Archivos de programa\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\ARCHIV~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\ARCHIV~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Archivos de programa\Archivos comunes\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Servicio de registro de McAfee (McAfeeFramework) - Unknown owner - C:\Archivos de programa\Network Associates\Common Framework\FrameworkService.exe (file missing)
O23 - Service: Network Associates McShield (McShield) - Unknown owner - C:\Archivos de programa\Network Associates\VirusScan\Mcshield.exe (file missing)
O23 - Service: Network Associates Task Manager (McTaskManager) - Unknown owner - C:\Archivos de programa\Network Associates\VirusScan\VsTskMgr.exe (file missing)
O23 - Service: Windows User Mode Driver Framework (UMWdf) - Unknown owner - C:\WINDOWS\System32\wdfmgr.exe (file missing)
---------------------------------
Many thanks in advance!