My Computer is infected by ADWARE --HELP [RESOLVED]


  • This topic is locked

#1
gonzalo

Gents,
I'm quite a bit desperate with this.

I'm suffering adware that opens Internet Explorer and goes to websites on its own

I've done the following

Clean temporary files with CCleaner

Scan and clean with Ad-Aware SE
Scan and fix with CWShredder
Scan and fix with Spybot and immunize btw

Scan and clean with Ewido
Scan and clean with Trend HouseCall
Scan and clean with TrojanHunter

This is my Hijack. Thanks a lot for your support

Logfile of HijackThis v1.99.1
Scan saved at 22:34:03, on 18/11/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Archivos de programa\ewido\security suite\ewidoctrl.exe
C:\Archivos de programa\ewido\security suite\ewidoguard.exe
c:\ARCHIV~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\rundll32.exe
C:\WINDOWS\Explorer.EXE
c:\ARCHIV~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\system32\wscntfy.exe
C:\ARCHIV~1\mcafee.com\vso\mcvsshld.exe
C:\WINDOWS\system32\devldr32.exe
c:\archiv~1\mcafee.com\vso\mcvsescn.exe
C:\ARCHIV~1\mcafee.com\agent\McAgent.exe
C:\Archivos de programa\TrojanHunter 4.2\THGuard.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Archivos de programa\SAGEM\SAGEM F@st 800-840\dslmon.exe
C:\Archivos de programa\Internet Explorer\IEXPLORE.EXE
C:\hijackthis\HijackThis.exe
C:\ARCHIVOS DE PROGRAMA\INTERNET EXPLORER\IEXPLORE.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.terra.es/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
O4 - HKLM\..\Run: [MCUpdateExe] C:\ARCHIV~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [VirusScan Online] "c:\ARCHIV~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [VSOCheckTask] "c:\ARCHIV~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [MCAgentExe] c:\ARCHIV~1\mcafee.com\agent\McAgent.exe
O4 - HKLM\..\Run: [THGuard] "C:\Archivos de programa\TrojanHunter 4.2\THGuard.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: DSLMON.lnk = C:\Archivos de programa\SAGEM\SAGEM F@st 800-840\dslmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Archivos de programa\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Archivos de programa\ATI Multimedia\TV\EXPLBAR.DLL
O15 - Trusted Zone: http://www.pandasoftware.com
O15 - Trusted Zone: http://es.trendmicro-europe.com
O15 - Trusted Zone: http://housecall.trendmicro.com
O15 - Trusted Zone: http://housecall60.trendmicro.com
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{19BBB3EB-57F6-43E3-8D02-5A83330213F9}: NameServer = 62.36.225.150 62.37.228.20
O17 - HKLM\System\CS2\Services\Tcpip\..\{19BBB3EB-57F6-43E3-8D02-5A83330213F9}: NameServer = 62.36.225.150 62.37.228.20
O20 - Winlogon Notify: Themes - C:\WINDOWS\system32\jtno0753e.dll
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\U3VhcmV6LUNvcm9uZWw\command.exe (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Archivos de programa\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Archivos de programa\ewido\security suite\ewidoguard.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Archivos de programa\iPod\bin\iPodService.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\ARCHIV~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\ARCHIV~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - McAfee, Inc - c:\ARCHIV~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Archivos de programa\TuneUp Utilities 2004\WinStylerThemeSvc.exe

Thanks a lot


#2
therock247uk

You have the latest version of VX2. Download L2mfix from

http://www.atribune....oads/l2mfix.exe

Save the file to your desktop and double click l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop. Double click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing enter. This will scan your computer and it may appear nothing is happening, then, after a minute or 2, notepad will open with a log. Copy the contents of that log and paste it into this thread.

IMPORTANT: Do NOT run option #2 OR any other files in the l2mfix folder until you are asked to do so!

#3
gonzalo

Here is my log.

Thanks for your help

L2MFIX find log 1.04a
These are the registry keys present
**********************************************************************************
Winlogon/notify:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Themes]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\lvnq0955e.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Usuarios
(ID-IO) ALLOW Read BUILTIN\Usuarios
(ID-NI) ALLOW Full access BUILTIN\Administradores
(ID-IO) ALLOW Full access BUILTIN\Administradores
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER


**********************************************************************************
useragent:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{D5A15ED3-6709-D15A-AB5D-87DD212BDA08}"=""

**********************************************************************************
Shell Extension key:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{00022613-0000-0000-C000-000000000046}"="Hoja de propiedades de archivos multimedia"
"{176d6597-26d3-11d1-b350-080036a75b03}"="Administraci¢n de esc ner ICM"
"{1F2E5C40-9550-11CE-99D2-00AA006E086C}"="P gina de seguridad NTFS"
"{3EA48300-8CF6-101B-84FB-666CCB9BCD32}"="P gina de propiedades del archivo de documentos OLE"
"{40dd6e20-7c17-11ce-a804-00aa003ca9f6}"="Extensiones de interfaz para uso compartido"
"{41E300E0-78B6-11ce-849B-444553540000}"="PlusPack CPL Extension"
"{42071712-76d4-11d1-8b24-00a0c9068ff3}"="Extensi¢n CPL del adaptador de pantalla"
"{42071713-76d4-11d1-8b24-00a0c9068ff3}"="Extensi¢n CPL del monitor de pantalla"
"{42071714-76d4-11d1-8b24-00a0c9068ff3}"="Extensi¢n de paneo de pantalla del Panel de control"
"{4E40F770-369C-11d0-8922-00A024AB2DBB}"="P gina de seguridad DS"
"{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"="P gina de compatibilidad"
"{56117100-C0CD-101B-81E2-00AA004AE837}"="Shell Scrap DataHandler"
"{59099400-57FF-11CE-BD94-0020AF85B590}"="Extensi¢n de copia de discos"
"{59be4990-f85c-11ce-aff7-00aa003ca9f6}"="Extensiones del shell para objetos de la red de Microsoft Windows"
"{5DB2625A-54DF-11D0-B6C4-0800091AA605}"="Administraci¢n de monitor ICM"
"{675F097E-4C4D-11D0-B6C1-0800091AA605}"="Administraci¢n de impresora ICM"
"{764BF0E1-F219-11ce-972D-00AA00A14F56}"="Extensiones del shell para compresi¢n de archivos"
"{77597368-7b15-11d0-a0c2-080036af3f03}"="Extensi¢n del shell de impresora en Web"
"{7988B573-EC89-11cf-9C00-00AA00A14F56}"="Disk Quota UI"
"{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}"="Men£ de contexto de cifrado"
"{85BBD920-42A0-1069-A2E4-08002B30309D}"="Malet¡n"
"{88895560-9AA2-1069-930E-00AA0030EBC8}"="Extensi¢n de icono de HyperTerminal"
"{BD84B380-8CA2-1069-AB1D-08000948F534}"="Fuentes"
"{DBCE2480-C732-101B-BE72-BA78E9AD5B27}"="Perfil de ICC"
"{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}"="P gina de seguridad de impresoras"
"{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"="Extensiones de interfaz para uso compartido"
"{f92e8c40-3d33-11d2-b1aa-080036a75b03}"="Display TroubleShoot CPL Extension"
"{7444C717-39BF-11D1-8CD9-00C04FC29D45}"="Extensi¢n PKO cifrada"
"{7444C719-39BF-11D1-8CD9-00C04FC29D45}"="Extensi¢n de firma cifrada"
"{7007ACC7-3202-11D1-AAD2-00805FC1270E}"="Conexiones de red"
"{992CFFA0-F557-101A-88EC-00DD010CCC48}"="Conexiones de red"
"{E211B736-43FD-11D1-9EFB-0000F8757FCD}"="&C maras y esc neres"
"{FB0C9C8A-6C50-11D1-9F1D-0000F8757FCD}"="&C maras y esc neres"
"{905667aa-acd6-11d2-8080-00805f6596d2}"="&C maras y esc neres"
"{3F953603-1008-4f6e-A73A-04AAC7A992F1}"="&C maras y esc neres"
"{83bbcbf3-b28a-4919-a5aa-73027445d672}"="&C maras y esc neres"
"{F0152790-D56E-4445-850E-4F3117DB740C}"="Remote Sessions CPL Extension"
"{60254CA5-953B-11CF-8C96-00AA00B8708C}"="Extensiones del shell para Windows Script Host"
"{2206CDB2-19C1-11D1-89E0-00C04FD7A829}"="V¡nculos a datos de Microsoft"
"{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Icon Handler"
"{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Shell Extension"
"{D6277990-4C6A-11CF-8D87-00AA0060F5BF}"="Tareas programadas"
"{0DF44EAA-FF21-4412-828E-260A8728E7F1}"="Barra de tareas y men£ Inicio"
"{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0}"="Buscar"
"{2559a1f1-21d7-11d4-bdaf-00c04f60b9f0}"="Ayuda y soporte t‚cnico"
"{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0}"="Ayuda y soporte t‚cnico"
"{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0}"="Ejecutar..."
"{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0}"="Internet"
"{2559a1f5-21d7-11d4-bdaf-00c04f60b9f0}"="Correo electr¢nico"
"{D20EA4E1-3957-11d2-A40B-0C5020524152}"="Fuentes"
"{D20EA4E1-3957-11d2-A40B-0C5020524153}"="Herramientas administrativas"
"{875CB1A1-0F29-45de-A1AE-CFB4950D0B78}"="Audio Media Properties Handler"
"{40C3D757-D6E4-4b49-BB41-0E5BBEA28817}"="Video Media Properties Handler"
"{E4B29F9D-D390-480b-92FD-7DDB47101D71}"="Wav Properties Handler"
"{87D62D94-71B3-4b9a-9489-5FE6850DC73E}"="Avi Properties Handler"
"{A6FD9E45-6E44-43f9-8644-08598F5A74D9}"="Midi Properties Handler"
"{c5a40261-cd64-4ccf-84cb-c394da41d590}"="Video Thumbnail Extractor"
"{5E6AB780-7743-11CF-A12B-00AA004AE837}"="Barra de herramientas de Microsoft Internet"
"{22BF0C20-6DA7-11D0-B373-00A0C9034938}"="Estado de la descarga"
"{91EA3F8B-C99B-11d0-9815-00C04FD91972}"="Carpeta Shell aumentada"
"{6413BA2C-B461-11d1-A18A-080036B11A03}"="Carpeta 2 Shell aumentada"
"{F61FFEC1-754F-11d0-80CA-00AA005B4383}"="BandProxy"
"{7BA4C742-9E81-11CF-99D3-00AA004AE837}"="Banda del explorador de Microsoft"
"{30D02401-6A81-11d0-8274-00C04FD5AE38}"="Banda de b£squeda"
"{32683183-48a0-441b-a342-7c2a440a9478}"="Banda multimedia"
"{169A0691-8DF9-11d1-A1C4-00C04FD75D13}"="B£squeda en panel"
"{07798131-AF23-11d1-9111-00A0C98BA67D}"="B£squeda Web"
"{AF4F6510-F982-11d0-8595-00AA004CD6D8}"="Utilidad de opciones del  rbol de Registro"
"{01E04581-4EEE-11d0-BFE9-00AA005B4383}"="&Direcci¢n"
"{A08C11D2-A228-11d0-825B-00AA005B4383}"="Cuadro de la direcci¢n"
"{00BB2763-6A77-11D0-A535-00C04FD7D062}"="Autocompletar de Microsoft"
"{7376D660-C583-11d0-A3A5-00C04FD706EC}"="TridentImageExtractor"
"{6756A641-DE71-11d0-831B-00AA005B4383}"="Lista autocompleta MRU"
"{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A}"="Lista autocompleta MRU personalizada"
"{7e653215-fa25-46bd-a339-34a2790f3cb7}"="Accessible"
"{acf35015-526e-4230-9596-becbe19f0ac9}"="Barra de progreso emergente"
"{E0E11A09-5CB8-4B6C-8332-E00720A168F2}"="Analizador de Barra de direcciones"
"{00BB2764-6A77-11D0-A535-00C04FD7D062}"="Lista autocompleta de la historia de Microsoft"
"{03C036F1-A186-11D0-824A-00AA005B4383}"="Lista autocompleta de la carpeta Shell de Microsoft"
"{00BB2765-6A77-11D0-A535-00C04FD7D062}"="Contenedor de la Lista m£ltiple de Microsoft"
"{ECD4FC4E-521C-11D0-B792-00A0C90312E1}"="Men£ de sitio de bandas Shell"
"{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}"="Shell DeskBarApp"
"{ECD4FC4C-521C-11D0-B792-00A0C90312E1}"="Barra de escritorio Shell"
"{ECD4FC4D-521C-11D0-B792-00A0C90312E1}"="Shell Rebar BandSite"
"{DD313E04-FEFF-11d1-8ECD-0000F87A470C}"="Asistencia al usuario"
"{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}"="Configuraci¢n de carpeta global"
"{EFA24E61-B078-11d0-89E4-00C04FC9E26E}"="Favorites Band"
"{0A89A860-D7B1-11CE-8350-444553540000}"="Shell Automation Inproc Service"
"{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}"="Shell DocObject Viewer"
"{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}"="Microsoft Browser Architecture"
"{FBF23B40-E3F0-101B-8488-00AA003E56F8}"="InternetShortcut"
"{3C374A40-BAE4-11CF-BF7D-00AA006946EE}"="Servicio de Historial de las direcciones URL de Microsoft"
"{FF393560-C2A7-11CF-BFF4-444553540000}"="Historial"
"{7BD29E00-76C1-11CF-9DD0-00A0C9034933}"="Archivos temporales de Internet"
"{7BD29E01-76C1-11CF-9DD0-00A0C9034933}"="Archivos temporales de Internet"
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"="Hook de b£squeda de direcciones URL de Microsoft"
"{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}"="Pantalla de bienvenida de IE4 Suite"
"{67EA19A0-CCEF-11d0-8024-00C04FD75D13}"="CDF Extension Copy Hook"
"{131A6951-7F78-11D0-A979-00C04FD705A2}"="ISFBand OC"
"{9461b922-3c5a-11d2-bf8b-00c04fb93661}"="Search Assistant OC"
"{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}"="Internet"
"{871C5380-42A0-1069-A2EA-08002B30309D}"="Internet Name Space"
"{EFA24E64-B078-11d0-89E4-00C04FC9E26E}"="Banda de Explorador"
"{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{88C6C381-2E85-11D0-94DE-444553540000}"="Carpeta del cach‚ de ActiveX"
"{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"="WebCheck"
"{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}"="Subscription Mgr"
"{F5175861-2688-11d0-9C5E-00AA00A45957}"="Carpeta de suscripciones"
"{08165EA0-E946-11CF-9C87-00AA005127ED}"="WebCheckWebCrawler"
"{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB}"="WebCheckChannelAgent"
"{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7}"="TrayAgent"
"{7D559C10-9FE9-11d0-93F7-00AA0059CE02}"="Code Download Agent"
"{E6CC6978-6B6E-11D0-BECA-00C04FD940BE}"="ConnectionAgent"
"{D8BD2030-6FC9-11D0-864F-00AA006809D9}"="PostAgent"
"{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB}"="WebCheck SyncMgr Handler"
"{352EC2B7-8B9A-11D1-B8AE-006008059382}"="Administrador de aplicaciones de Shell"
"{0B124F8F-91F0-11D1-B8B5-006008059382}"="Enumerador de aplicaciones instaladas"
"{CFCCC7A0-A282-11D1-9082-006008059382}"="Darwin App Publisher"
"{e84fda7c-1d6a-45f6-b725-cb260c236066}"="Shell Image Verbs"
"{66e4e4fb-f385-4dd0-8d74-a2efd1bc6178}"="Shell Image Data Factory"
"{3F30C968-480A-4C6C-862D-EFC0897BB84B}"="Extractor de vistas en miniatura de archivos GDI+"
"{9DBD2C50-62AD-11d0-B806-00C04FD706EC}"="Controlador de la informaci¢n de resumen para vistas en miniatura (DOCFILES)"
"{EAB841A0-9550-11cf-8C16-00805F1408F3}"="Extractor de vistas en miniatura HTML"
"{eb9b1153-3b57-4e68-959a-a3266bc3d7fe}"="Shell Image Property Handler"
"{CC6EEFFB-43F6-46c5-9619-51D571967F7D}"="Asistente para la publicaci¢n en Web"
"{add36aa8-751a-4579-a266-d66f5202ccbb}"="Pedido de impresiones v¡a web"
"{6b33163c-76a5-4b6c-bf21-45de9cd503a1}"="Objeto de Asistente de publicaci¢n de shell"
"{58f1f272-9240-4f51-b6d4-fd63d1618591}"="Asistente para obtener pasaporte"
"{7A9D77BD-5403-11d2-8785-2E0420524153}"="Cuentas de usuario"
"{BD472F60-27FA-11cf-B8B4-444553540000}"="Compressed (zipped) Folder Right Drag Handler"
"{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}"="Compressed (zipped) Folder SendTo Target"
"{63da6ec0-2e98-11cf-8d82-444553540000}"="FTP Folders Webview"
"{883373C3-BF89-11D1-BE35-080036B11A03}"="Microsoft DocProp Shell Ext"
"{A9CF0EAE-901A-4739-A481-E35B73E47F6D}"="Microsoft DocProp Inplace Edit Box Control"
"{8EE97210-FD1F-4B19-91DA-67914005F020}"="Microsoft DocProp Inplace ML Edit Box Control"
"{0EEA25CC-4362-4A12-850B-86EE61B0D3EB}"="Microsoft DocProp Inplace Droplist Combo Control"
"{6A205B57-2567-4A2C-B881-F787FAB579A3}"="Microsoft DocProp Inplace Calendar Control"
"{28F8A4AC-BBB3-4D9B-B177-82BFC914FA33}"="Microsoft DocProp Inplace Time Control"
"{8A23E65E-31C2-11d0-891C-00A024AB2DBB}"="Directory Query UI"
"{9E51E0D0-6E0F-11d2-9601-00C04FA31A86}"="Shell properties for a DS object"
"{163FDC20-2ABC-11d0-88F0-00A024AB2DBB}"="Directory Object Find"
"{F020E586-5264-11d1-A532-0000F8757D7E}"="Directory Start/Search Find"
"{0D45D530-764B-11d0-A1CA-00AA00C16E65}"="Directory Property UI"
"{62AE1F9A-126A-11D0-A14B-0800361B1103}"="Directory Context Menu Verbs"
"{ECF03A33-103D-11d2-854D-006008059367}"="MyDocs Copy Hook"
"{ECF03A32-103D-11d2-854D-006008059367}"="MyDocs Drop Target"
"{4a7ded0a-ad25-11d0-98a8-0800361b1103}"="MyDocs Properties"
"{750fdf0e-2a26-11d1-a3ea-080036587f03}"="Offline Files Menu"
"{10CFC467-4392-11d2-8DB4-00C04FA31A66}"="Offline Files Folder Options"
"{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E}"="Carpeta de archivos sin conexi¢n"
"{143A62C8-C33B-11D1-84FE-00C04FA34A14}"="Microsoft Agent Character Property Sheet Handler"
"{ECCDF543-45CC-11CE-B9BF-0080C87CDBA6}"="DfsShell"
"{60fd46de-f830-4894-a628-6fa81bc0190d}"="%DESC_PublishDropTarget%"
"{7A80E4A8-8005-11D2-BCF8-00C04F72C717}"="MMC Icon Handler"
"{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}"=".CAB file viewer"
"{32714800-2E5F-11d0-8B85-00AA0044F941}"="&Personas..."
"{8DD448E6-C188-4aed-AF92-44956194EB1F}"="Windows Media Player Play as Playlist Context Menu Handler"
"{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C}"="Windows Media Player Burn Audio CD Context Menu Handler"
"{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD}"="Windows Media Player Add to Playlist Context Menu Handler"
"{5E44E225-A408-11CF-B581-008029601108}"="Adaptec DirectCD Shell Extension"
"{BDEADF00-C265-11D0-BCED-00A0C90AB50F}"="Carpetas Web"
"{0006F045-0000-0000-C000-000000000046}"="Microsoft Outlook Custom Icon Handler"
"{42042206-2D85-11D3-8CFF-005004838597}"="Microsoft Office HTML Icon Handler"
"{f39a0dc0-9cc8-11d0-a599-00c04fd64433}"="Archivo de canal"
"{f3aa0dc0-9cc8-11d0-a599-00c04fd64434}"="Acceso directo al canal"
"{f3ba0dc0-9cc8-11d0-a599-00c04fd64435}"="Objeto de control de canal"
"{f3da0dc0-9cc8-11d0-a599-00c04fd64437}"="Channel Menu"
"{f3ea0dc0-9cc8-11d0-a599-00c04fd64438}"="Channel Properties"
"{2559a1f7-21d7-11d4-bdaf-00c04f60b9f0}"="Set Program Access and Defaults"
"{5F327514-6C5E-4d60-8F16-D07FA08A78ED}"="Auto Update Property Sheet Extension"
"{596AB062-B4D2-4215-9F74-E9109B0A8153}"="Previous Versions Property Page"
"{9DB7A13C-F208-4981-8353-73CC61AE2783}"="Previous Versions"
"{692F0339-CBAA-47e6-B5B5-3B84DB604E87}"="Extensions Manager Folder"
"{00DF1F20-0849-A4D1-0239-00D0AF3E9CB0}"="TuneUp Shredder Shell Context Menu Extension"
"{640167b4-59b0-47a6-b335-a6b3c0695aea}"="Portable Media Devices"
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}"="Portable Media Devices Menu"
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}"="WinRAR shell extension"
"{B4D03619-0C63-40B1-9449-169177576B61}"=""
"{EBDF1F20-C829-11D1-8233-FF20AF3E97A9}"="TrojanHunter Menu Shell Extension"

**********************************************************************************
HKEY ROOT CLASSIDS:
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{B4D03619-0C63-40B1-9449-169177576B61}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{B4D03619-0C63-40B1-9449-169177576B61}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{B4D03619-0C63-40B1-9449-169177576B61}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{B4D03619-0C63-40B1-9449-169177576B61}\InprocServer32]
@="C:\\WINDOWS\\system32\\dwnput.dll"
"ThreadingModel"="Apartment"

**********************************************************************************
Files Found are not all bad files:

C:\WINDOWS\SYSTEM32\
browseui.dll Sat 3 Sep 2005 1:06:12 A.... 1.020.416 996,50 K
cdbview.dll Fri 18 Nov 2005 22:19:12 ..S.R 237.190 231,63 K
cdfview.dll Sat 3 Sep 2005 1:06:12 A.... 151.552 148,00 K
cdosys.dll Sat 10 Sep 2005 2:55:12 A.... 2.067.968 1,97 M
danim.dll Sat 3 Sep 2005 1:06:14 A.... 1.055.744 1,00 M
dwnput.dll Sat 19 Nov 2005 9:05:06 ..... 237.190 231,63 K
dxtrans.dll Sat 3 Sep 2005 1:06:14 A.... 205.312 200,50 K
extmgr.dll Sat 3 Sep 2005 1:06:14 ..... 55.808 54,50 K
gdi32.dll Thu 6 Oct 2005 4:17:42 A.... 280.064 273,50 K
iepeers.dll Sat 3 Sep 2005 1:06:14 A.... 251.392 245,50 K
inseng.dll Sat 3 Sep 2005 1:06:14 A.... 96.768 94,50 K
ir22l5~1.dll Fri 18 Nov 2005 22:16:00 ..S.R 235.947 230,41 K
jtp807~1.dll Sat 19 Nov 2005 9:00:44 ..S.R 237.190 231,63 K
linkinfo.dll Thu 1 Sep 2005 2:43:36 A.... 19.968 19,50 K
lvnq09~1.dll Sat 19 Nov 2005 1:18:38 ..S.R 237.190 231,63 K
mshtml.dll Tue 4 Oct 2005 16:27:26 A.... 3.013.120 2,87 M
mshtmled.dll Sat 3 Sep 2005 1:06:14 A.... 448.512 438,00 K
msrating.dll Sat 3 Sep 2005 1:06:14 A.... 146.432 143,00 K
mstime.dll Sat 3 Sep 2005 1:06:14 A.... 530.432 518,00 K
netman.dll Mon 22 Aug 2005 19:34:58 A.... 197.632 193,00 K
pngfilt.dll Sat 3 Sep 2005 1:06:14 A.... 39.424 38,50 K
quartz.dll Tue 30 Aug 2005 4:55:42 A.... 1.293.312 1,23 M
shdocvw.dll Sat 3 Sep 2005 1:06:14 A.... 1.484.288 1,41 M
shell32.dll Fri 23 Sep 2005 4:06:56 A.... 8.492.544 8,10 M
shlwapi.dll Sat 3 Sep 2005 1:06:14 A.... 474.112 463,00 K
umpnpmgr.dll Tue 23 Aug 2005 4:39:10 A.... 124.416 121,50 K
urlmon.dll Sat 3 Sep 2005 1:06:14 A.... 604.672 590,50 K
vd5db.dll Sat 19 Nov 2005 8:42:42 ..S.R 237.190 231,63 K
wininet.dll Sat 3 Sep 2005 1:06:14 A.... 660.992 645,50 K
winsrv.dll Thu 1 Sep 2005 2:43:38 A.... 292.352 285,50 K

30 items found: 30 files (5 H/S), 0 directories.
Total of file sizes: 24.429.129 bytes 23,30 M
Locate .tmp files:

C:\WINDOWS\SYSTEM32\
__dele~1.tmp Sat 19 Nov 2005 9:12:08 A.... 237.190 231,63 K

1 item found: 1 file, 0 directories.
Total of file sizes: 237.190 bytes 231,63 K
**********************************************************************************
Directory Listing of system files:
El volumen de la unidad C es SUAREZ-CORONEL
El n£mero de serie del volumen es: 582D-154E

Directorio de C:\WINDOWS\System32

19/11/2005 09:08 <DIR> dllcache
19/11/2005 09:00 237.190 jtp8077ue.dll
19/11/2005 08:42 237.190 Vd5db.dll
19/11/2005 01:18 237.190 lvnq0955e.dll
18/11/2005 22:19 237.190 cDbview.dll
18/11/2005 22:15 235.947 ir22l5fo1.dll
03/03/2002 18:10 <DIR> Microsoft
5 archivos 1.184.707 bytes
2 dirs 5.662.941.184 bytes libres
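
An added example, not part of the original posts and not L2mfix's own code: a Python sketch that parses a regedit export of the Winlogon\Notify key like the one in the find log above, decodes the hex(2) DllName values, flags entries whose DLL falls outside a baseline, and then lists files in the directory listing that share the flagged DLL's byte size. The baseline set, the function names and the trimmed sample inputs are assumptions made for the example.

```python
import ntpath
import re

# Allow-list built from the DLL names of the untouched entries in this thread's
# log; an assumption for the example, not an authoritative Windows XP baseline.
BASELINE_DLLS = {"crypt32.dll", "cryptnet.dll", "cscdll.dll",
                 "wlnotify.dll", "sclgntfy.dll"}
NOTIFY_KEY = "\\winlogon\\notify\\"

# Constructed sample: three Notify subkeys trimmed from the find log above.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Logon"="SensLogonEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Themes]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\lvnq0955e.dll"
"Logon"="WinLogon"
'''

# Constructed sample: file rows from the System32 directory listing above.
SAMPLE_LISTING = """\
19/11/2005 09:00 237.190 jtp8077ue.dll
19/11/2005 08:42 237.190 Vd5db.dll
19/11/2005 01:18 237.190 lvnq0955e.dll
18/11/2005 22:19 237.190 cDbview.dll
18/11/2005 22:15 235.947 ir22l5fo1.dll
"""


def decode_value(raw):
    """Decode one .reg value: hex(2) REG_EXPAND_SZ, dword, or quoted string."""
    if raw.startswith("hex(2):"):
        data = bytes(int(b, 16) for b in raw[7:].split(",") if b.strip())
        return data.decode("utf-16-le").rstrip("\x00")
    if raw.startswith("dword:"):
        return int(raw[6:], 16)
    if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    return raw


def parse_reg(text):
    """Return {key_path: {value_name: decoded_value}} from a regedit export."""
    text = re.sub(r"\\\r?\n[ \t]*", "", text)  # join hex continuation lines
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1], {})
        elif current is not None:
            m = re.match(r'"((?:[^"\\]|\\.)*)"=(.*)$', line)
            if m:
                current[m.group(1)] = decode_value(m.group(2))
    return keys


def audit_notify(text, baseline=BASELINE_DLLS):
    """Flag Notify subkeys whose DLL is off-baseline or given as a full path."""
    findings = []
    for key, values in parse_reg(text).items():
        idx = key.lower().find(NOTIFY_KEY)
        if idx == -1:
            continue  # not a subkey of Winlogon\Notify
        # Value-name case varies between entries ("DllName" vs "DLLName").
        dll = next((v for n, v in values.items() if n.lower() == "dllname"), None)
        if not isinstance(dll, str):
            continue
        reasons = []
        if ntpath.basename(dll).lower() not in baseline:
            reasons.append("DLL not in baseline")
        if ntpath.isabs(dll):
            # Heuristic from this log: the untouched entries use bare file names.
            reasons.append("absolute path")
        if reasons:
            findings.append({"subkey": key[idx + len(NOTIFY_KEY):],
                             "dll": dll, "reasons": reasons})
    return findings


def same_size_siblings(listing, dll_path):
    """Names in a dir listing whose byte size equals that of the flagged DLL."""
    rows = re.findall(r"^\S+ \S+ ([\d.]+) (\S+)$", listing, re.MULTILINE)
    target = ntpath.basename(dll_path).lower()
    size = next((s for s, n in rows if n.lower() == target), None)
    return [n for s, n in rows if s == size and n.lower() != target] if size else []


if __name__ == "__main__":
    for f in audit_notify(SAMPLE_EXPORT):
        print(f["subkey"], f["dll"], f["reasons"])
        print("same-size files:", same_size_siblings(SAMPLE_LISTING, f["dll"]))
```
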

#4
therock247uk

Please download WebRoot SpySweeper from HERE (It's a 2 week trial):
  • Click the Free Trial link under "SpySweeper" to download the program.
  • Install it. Once the program is installed, it will open.
  • It will prompt you to update to the latest definitions, click Yes.
  • Once the definitions are installed, click Options on the left side.
  • Click the Sweep Options tab.
  • Under What to Sweep please put a check next to the following:
    • Sweep Memory
    • Sweep Registry
    • Sweep Cookies
    • Sweep All User Accounts
    • Enable Direct Disk Sweeping
    • Sweep Contents of Compressed Files
    • Sweep for Rootkits
    • Please UNCHECK Do not Sweep System Restore Folder.
  • Click Sweep Now on the left side.
  • Click the Start button.
  • When it's done scanning, click the Next button.
  • Make sure everything has a check next to it, then click the Next button.
  • It will remove all of the items found.
  • Click Session Log in the upper right corner, copy everything in that window.
  • Click the Summary tab and click Finish.
  • Paste the contents of the session log you copied into your next reply.


#5
gonzalo

Here is the log,

Thanks

*******
15:19: | Start of Session, sábado, 19 de noviembre de 2005 |
15:19: Spy Sweeper started
15:19: Sweep initiated using definitions version 574
15:19: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
15:19: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
15:19: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
15:19: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
15:19: Starting Memory Sweep
15:20: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
15:20: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
15:20: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
15:20: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
15:20: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
15:20: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
15:20: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
15:20: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
15:21: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
15:21: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
15:21: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
15:21: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
15:21: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
15:21: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
15:21: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
15:21: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
15:22: Found Adware: icannnews
15:22: Detected running threat: C:\WINDOWS\system32\lvnq0955e.dll (ID = 83)
15:31: Detected running threat: C:\WINDOWS\system32\dwnput.dll (ID = 83)
15:37: Memory Sweep Complete, Elapsed Time: 00:18:03
15:37: Starting Registry Sweep
15:39: Found Adware: delfin
15:39: HKLM\software\vidmon\ (1 subtraces) (ID = 890155)
15:39: HKLM\software\microsoft\windows\currentversion\uninstall\webdp\ (2 subtraces) (ID = 890173)
15:39: Found Adware: dollarrevenue
15:39: HKLM\software\microsoft\drsmartload\ (1 subtraces) (ID = 916795)
15:39: Found Adware: command
15:39: HKLM\system\currentcontrolset\services\cmdservice\ (12 subtraces) (ID = 958670)
15:39: Found Adware: adbars
15:39: HKU\WRSS_Profile_S-1-5-21-2052111302-920026266-1708537768-1006\software\ruboskizo\ (252 subtraces) (ID = 102629)
15:39: Found Adware: downloadware
15:39: HKU\WRSS_Profile_S-1-5-21-2052111302-920026266-1708537768-1006\software\downloadware\ (15 subtraces) (ID = 125353)
15:39: HKU\WRSS_Profile_S-1-5-21-2052111302-920026266-1708537768-1006\software\medialoads\ (9 subtraces) (ID = 125355)
15:39: Found Adware: hotbar
15:39: HKU\WRSS_Profile_S-1-5-21-2052111302-920026266-1708537768-1006\software\hotbar\ (1188 subtraces) (ID = 127565)
15:39: HKU\WRSS_Profile_S-1-5-21-2052111302-920026266-1708537768-1006\software\microsoft\internet explorer\toolbar\shellbrowser\ || {b195b3b3-8a05-11d3-97a4-0004aca6948e} (ID = 127585)
15:39: HKU\WRSS_Profile_S-1-5-21-2052111302-920026266-1708537768-1006\software\microsoft\internet explorer\toolbar\webbrowser\ || {b195b3b3-8a05-11d3-97a4-0004aca6948e} (ID = 127587)
15:40: Found Adware: networkessentials
15:40: HKU\WRSS_Profile_S-1-5-21-2052111302-920026266-1708537768-1006\software\updater\ (1 subtraces) (ID = 136178)
15:40: Found Adware: saristar dialer
15:40: HKU\WRSS_Profile_S-1-5-21-2052111302-920026266-1708537768-1006\software\coulomb\ (3 subtraces) (ID = 140401)
15:40: Found Adware: cydoor
15:40: HKU\WRSS_Profile_S-1-5-21-2052111302-920026266-1708537768-1006\software\cydoor\ (17 subtraces) (ID = 639126)
15:40: HKU\WRSS_Profile_S-1-5-21-2052111302-920026266-1708537768-1006\software\downloadware\ (15 subtraces) (ID = 775210)
15:40: HKU\WRSS_Profile_S-1-5-21-2052111302-920026266-1708537768-1005\software\ruboskizo\ (36 subtraces) (ID = 102629)
15:40: HKU\WRSS_Profile_S-1-5-21-2052111302-920026266-1708537768-1005\software\downloadware\ (12 subtraces) (ID = 125353)
15:40: HKU\WRSS_Profile_S-1-5-21-2052111302-920026266-1708537768-1005\software\medialoads\ (9 subtraces) (ID = 125355)
15:40: HKU\WRSS_Profile_S-1-5-21-2052111302-920026266-1708537768-1005\software\hotbar\ (785 subtraces) (ID = 127565)
15:40: HKU\WRSS_Profile_S-1-5-21-2052111302-920026266-1708537768-1005\software\microsoft\internet explorer\toolbar\shellbrowser\ || {b195b3b3-8a05-11d3-97a4-0004aca6948e} (ID = 127585)
15:40: HKU\WRSS_Profile_S-1-5-21-2052111302-920026266-1708537768-1005\software\microsoft\internet explorer\toolbar\webbrowser\ || {b195b3b3-8a05-11d3-97a4-0004aca6948e} (ID = 127587)
15:40: HKU\WRSS_Profile_S-1-5-21-2052111302-920026266-1708537768-1005\software\updater\ (1 subtraces) (ID = 136178)
15:40: HKU\WRSS_Profile_S-1-5-21-2052111302-920026266-1708537768-1005\software\cydoor\ (11 subtraces) (ID = 639126)
15:40: HKU\WRSS_Profile_S-1-5-21-2052111302-920026266-1708537768-1005\software\cydoor services\ (ID = 639128)
15:40: HKU\WRSS_Profile_S-1-5-21-2052111302-920026266-1708537768-1005\software\downloadware\ (12 subtraces) (ID = 775210)
15:40: HKU\S-1-5-21-2052111302-920026266-1708537768-1004\software\medialoads\ (14 subtraces) (ID = 125355)
15:40: HKU\S-1-5-21-2052111302-920026266-1708537768-1004\software\vidmon\ (1 subtraces) (ID = 890125)
15:40: HKU\S-1-5-18\software\medialoads\ (2 subtraces) (ID = 125355)
15:40: Registry Sweep Complete, Elapsed Time:00:03:15
15:41: Starting Cookie Sweep
15:41: Found Spy Cookie: hotbar cookie
15:41: [email protected][2].txt (ID = 4207)
15:41: Found Spy Cookie: specificclick.com cookie
15:41: [email protected][1].txt (ID = 3400)
15:41: pilar@hotbar[3].txt (ID = 2797)
15:41: Found Spy Cookie: xiti cookie
15:41: pilar@xiti[1].txt (ID = 3717)
15:41: Cookie Sweep Complete, Elapsed Time: 00:00:02
15:41: Starting File Sweep
15:41: c:\documents and settings\all users\datos de programa\nfo (15 subtraces) (ID = -2147468687)
15:41: c:\windows\system32\nfomon (1 subtraces) (ID = -2147468684)
15:42: a0481994.exe.tcf (ID = 194610)
15:43: Found Adware: look2me
15:43: a0483167.dll (ID = 159)
15:45: a0481984.exe (ID = 185985)
15:48: a0481996.exe (ID = 194150)
15:49: removewebdp.exe (ID = 166172)
15:50: Found Adware: targetsaver
15:50: ikzrm.exe (ID = 195131)
15:51: Found Adware: adtech2005
15:51: a0481985.exe (ID = 194580)
15:54: mon1215.dbd (ID = 57687)
15:55: mon0104.dbd (ID = 57676)
15:58: mon1920.dbd (ID = 57692)
15:59: mon2007.dbd (ID = 57693)
16:03: ikzrl.exe (ID = 195130)
16:03: a0483168.dll (ID = 159)
16:09: Found Adware: spysheriff
16:09: secure32.html (ID = 184319)
16:12: stub_113_4_0_4_0.exe (ID = 193995)
16:15: Found Trojan Horse: trojan-backdoor-us15info
16:15: tool5.exe (ID = 183857)
16:16: a0481992.ocx.tcf (ID = 194608)
16:24: a0481993.dll (ID = 194609)
16:24: jtp8077ue.dll (ID = 159)
16:25: tsuninst.exe (ID = 193501)
16:25: class-barrel (ID = 78229)
16:25: secure32.html (ID = 184319)
16:25: Error: Access violation at address 004C8D80 in module 'WRSSSDK.exe'. Read of address 04D20000.
16:25: __delete_on_reboot__guard.tmp (ID = 159)
16:25: ikzrc.dll (ID = 195129)
16:26: vocabulary (ID = 78283)
16:26: dwnput.dll (ID = 159)
16:26: a0483169.dll (ID = 159)
16:31: oap1wapdmohswa6rtqt.vbs (ID = 185675)
16:31: mon0204.ddx (ID = 57680)
16:31: mon0504.ddx (ID = 57680)
16:31: mon0904.ddx (ID = 57684)
16:31: mon0412.ddx (ID = 57680)
16:31: mon0106.ddx (ID = 57679)
16:31: mon0315.ddx (ID = 57680)
16:31: mon1204.ddx (ID = 57680)
16:31: mon1909.ddx (ID = 57684)
16:31: mon1125.ddx (ID = 57685)
17:14: Warning: Unable to sweep compressed file: System Error. Code: 8.
Espacio de almacenamiento insuficiente para procesar este comando
17:30: Warning: Unable to sweep compressed file: System Error. Code: 8.
Espacio de almacenamiento insuficiente para procesar este comando
17:33: File Sweep Complete, Elapsed Time: 01:52:10
17:33: Full Sweep has completed. Elapsed time 02:14:03
17:33: Traces Found: 2487
17:48: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
17:48: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
17:48: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
17:48: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
17:48: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
17:48: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
17:48: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
17:48: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
17:48: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
17:48: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
17:48: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
17:48: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
17:48: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
17:48: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
17:48: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
17:48: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
17:48: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
17:48: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
17:48: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
17:48: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
17:49: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
17:49: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
17:49: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
17:49: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
17:49: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
17:49: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
17:49: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
17:49: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
17:49: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
17:49: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
17:50: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
17:50: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
17:50: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
17:50: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
17:50: Removal process initiated
17:50: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
17:50: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
17:50: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
17:50: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
17:50: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
17:50: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
17:50: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
17:50: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
17:50: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
17:50: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
17:50: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
17:50: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
17:50: Quarantining All Traces: icannnews
17:51: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
17:51: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
17:51: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
17:51: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
17:51: icannnews is in use. It will be removed on reboot.
17:51: C:\WINDOWS\system32\lvnq0955e.dll is in use. It will be removed on reboot.
17:51: C:\WINDOWS\system32\dwnput.dll is in use. It will be removed on reboot.
17:51: Quarantining All Traces: look2me
17:51: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
17:51: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
17:51: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
17:51: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
17:51: look2me is in use. It will be removed on reboot.
17:51: jtp8077ue.dll is in use. It will be removed on reboot.
17:51: __delete_on_reboot__guard.tmp is in use. It will be removed on reboot.
17:51: dwnput.dll is in use. It will be removed on reboot.
17:51: Quarantining All Traces: spysheriff
17:51: Quarantining All Traces: trojan-backdoor-us15info
17:51: Quarantining All Traces: hotbar
17:51: Quarantining All Traces: adbars
17:51: Quarantining All Traces: adtech2005
17:51: Quarantining All Traces: command
17:51: Quarantining All Traces: cydoor
17:51: Quarantining All Traces: delfin
17:51: Quarantining All Traces: dollarrevenue
17:51: Quarantining All Traces: downloadware
17:51: Quarantining All Traces: networkessentials
17:51: Quarantining All Traces: saristar dialer
17:51: Quarantining All Traces: targetsaver
17:52: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
17:52: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
17:52: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
17:52: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
17:52: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
17:52: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
17:52: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
17:52: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
17:52: Quarantining All Traces: hotbar cookie
17:52: Quarantining All Traces: specificclick.com cookie
17:52: Quarantining All Traces: xiti cookie
17:52: Warning: Launched explorer.exe
17:52: Warning: Quarantine process could not restart Explorer.
17:53: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
17:53: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
17:53: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
17:53: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
17:53: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
17:53: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
17:53: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
17:53: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
17:54: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
17:54: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
17:54: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
17:54: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
17:55: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
17:55: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
17:55: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
17:55: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
17:55: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
17:55: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
17:55: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
17:55: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
17:56: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
17:56: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
17:56: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
17:56: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
17:57: Removal process completed. Elapsed time 00:07:19
17:57: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
17:57: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
17:57: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
17:57: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
17:57: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
17:57: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
17:57: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
17:57: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
17:58: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
17:58: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
17:58: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
17:58: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
17:58: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
17:58: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
17:58: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
17:58: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
********
15:14: | Start of Session, sábado, 19 de noviembre de 2005 |
15:14: Spy Sweeper started
15:16: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
15:16: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
15:16: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
15:16: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
15:17: Your spyware definitions have been updated.
15:17: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
15:17: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
15:17: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
15:17: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
15:18: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
15:18: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
15:18: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
15:18: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
15:19: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
15:19: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
15:19: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
15:19: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
15:19: | End of Session, sábado, 19 de noviembre de 2005 |
  • 0

#6
therock247uk

therock247uk

    Expert

  • Expert
  • 14,672 posts
  • MVP
Post a new Hijackthis log here in a reply.
  • 0

#7
gonzalo

gonzalo

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
This is

Logfile of HijackThis v1.99.1
Scan saved at 21:33:38, on 19/11/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Archivos de programa\ewido\security suite\ewidoctrl.exe
C:\Archivos de programa\ewido\security suite\ewidoguard.exe
c:\ARCHIV~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\System32\svchost.exe
C:\Archivos de programa\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\Explorer.EXE
c:\ARCHIV~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\system32\devldr32.exe
C:\ARCHIV~1\mcafee.com\vso\mcvsshld.exe
C:\Archivos de programa\TrojanHunter 4.2\THGuard.exe
C:\ARCHIV~1\mcafee.com\agent\McAgent.exe
C:\Archivos de programa\Webroot\Spy Sweeper\SpySweeper.exe
c:\archiv~1\mcafee.com\vso\mcvsescn.exe
C:\Archivos de programa\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Archivos de programa\SAGEM\SAGEM F@st 800-840\dslmon.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Archivos de programa\Internet Explorer\IEXPLORE.EXE
C:\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.terra.es
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
O4 - HKLM\..\Run: [MCUpdateExe] C:\ARCHIV~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [VirusScan Online] "c:\ARCHIV~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [VSOCheckTask] "c:\ARCHIV~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [THGuard] "C:\Archivos de programa\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\ARCHIV~1\mcafee.com\agent\McAgent.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Archivos de programa\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Archivos de programa\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: DSLMON.lnk = C:\Archivos de programa\SAGEM\SAGEM F@st 800-840\dslmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Archivos de programa\Microsoft Office\Office10\OSA.EXE
O15 - Trusted Zone: http://www.pandasoftware.com
O15 - Trusted Zone: http://es.trendmicro-europe.com
O15 - Trusted Zone: http://housecall.trendmicro.com
O15 - Trusted Zone: http://housecall60.trendmicro.com
O15 - Trusted Zone: http://www.webroot.com
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{19BBB3EB-57F6-43E3-8D02-5A83330213F9}: NameServer = 62.36.225.150 62.37.228.20
O17 - HKLM\System\CS2\Services\Tcpip\..\{19BBB3EB-57F6-43E3-8D02-5A83330213F9}: NameServer = 62.36.225.150 62.37.228.20
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: ewido security suite control - ewido networks - C:\Archivos de programa\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Archivos de programa\ewido\security suite\ewidoguard.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Archivos de programa\iPod\bin\iPodService.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\ARCHIV~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\ARCHIV~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - McAfee, Inc - c:\ARCHIV~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Archivos de programa\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Archivos de programa\TuneUp Utilities 2004\WinStylerThemeSvc.exe
  • 0

#8
therock247uk

therock247uk

    Expert

  • Expert
  • 14,672 posts
  • MVP
1. Open Hijackthis and click scan. Then tick and fix the following in Hijackthis with all windows closed except Hijackthis.

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank

2. Then post a new Hijackthis log here in a reply.
  • 0

#9
gonzalo

gonzalo

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
Thanks,
here is the new log
I've had to shut down ewido, spy sweeper, trojan hunter and reboot before HijackThis made the required changes.
Then I've rebooted again


Logfile of HijackThis v1.99.1
Scan saved at 9:51:53, on 20/11/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Archivos de programa\ewido\security suite\ewidoctrl.exe
C:\Archivos de programa\ewido\security suite\ewidoguard.exe
c:\ARCHIV~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\System32\svchost.exe
C:\Archivos de programa\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\Explorer.EXE
c:\ARCHIV~1\mcafee.com\vso\mcshield.exe
C:\ARCHIV~1\mcafee.com\vso\mcvsshld.exe
C:\WINDOWS\system32\devldr32.exe
C:\Archivos de programa\TrojanHunter 4.2\THGuard.exe
C:\ARCHIV~1\mcafee.com\agent\McAgent.exe
c:\archiv~1\mcafee.com\vso\mcvsescn.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Archivos de programa\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Archivos de programa\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Archivos de programa\SAGEM\SAGEM F@st 800-840\dslmon.exe
C:\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.terra.es
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
O4 - HKLM\..\Run: [MCUpdateExe] C:\ARCHIV~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [VirusScan Online] "c:\ARCHIV~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [VSOCheckTask] "c:\ARCHIV~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [THGuard] "C:\Archivos de programa\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\ARCHIV~1\mcafee.com\agent\McAgent.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Archivos de programa\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Archivos de programa\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: DSLMON.lnk = C:\Archivos de programa\SAGEM\SAGEM F@st 800-840\dslmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Archivos de programa\Microsoft Office\Office10\OSA.EXE
O15 - Trusted Zone: http://www.pandasoftware.com
O15 - Trusted Zone: http://es.trendmicro-europe.com
O15 - Trusted Zone: http://housecall.trendmicro.com
O15 - Trusted Zone: http://housecall60.trendmicro.com
O15 - Trusted Zone: http://www.webroot.com
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: ewido security suite control - ewido networks - C:\Archivos de programa\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Archivos de programa\ewido\security suite\ewidoguard.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Archivos de programa\iPod\bin\iPodService.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\ARCHIV~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\ARCHIV~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - McAfee, Inc - c:\ARCHIV~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Archivos de programa\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Archivos de programa\TuneUp Utilities 2004\WinStylerThemeSvc.exe
  • 0
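One way to confirm that a requested HijackThis fix took effect is to diff the entry lines of the log taken before the fix against the log taken after it. This is an added example, not part of the original posts; `verify_fix` and its report keys are hypothetical names, and the sample text is excerpted and shortened from the logs and the fix list posted in this thread.

```python
import re

# A HijackThis entry line starts with a section code (R0, O4, O23, ...) followed by " - ".
# Header lines and the "Running processes" paths do not match and are skipped.
ENTRY_RE = re.compile(r"^(?P<code>[RFNO]\d{1,2}) - (?P<detail>.+?)\s*$")


def parse_entries(log_text):
    """Return [(code, detail)] for every entry line in a HijackThis log."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("code"), m.group("detail")))
    return entries


def _key(entry):
    # Windows paths and registry names are case-insensitive, so compare
    # case-folded text with whitespace runs collapsed.
    code, detail = entry
    return code, " ".join(detail.split()).casefold()


def verify_fix(before_text, after_text, requested_text):
    """Compare two logs against the list of entries the helper asked to fix."""
    before = {_key(e): e for e in parse_entries(before_text)}
    after = {_key(e): e for e in parse_entries(after_text)}
    requested = {_key(e): e for e in parse_entries(requested_text)}

    def fmt(e):
        return f"{e[0]} - {e[1]}"

    return {
        # requested entries that are gone from the second log
        "fixed": [fmt(e) for k, e in requested.items()
                  if k in before and k not in after],
        # requested entries that survived the fix (needs another pass)
        "still_present": [fmt(e) for k, e in requested.items() if k in after],
        # entries that vanished although nobody asked for them to be fixed
        "removed_unrequested": [fmt(e) for k, e in before.items()
                                if k not in after and k not in requested],
        # entries that appeared only in the second log (possible reinfection)
        "new": [fmt(e) for k, e in after.items() if k not in before],
    }


# Sample input: excerpted and shortened from the logs of 19/11/2005 and
# 20/11/2005 and from the fix list in this thread.
BEFORE = r"""Logfile of HijackThis v1.99.1
Scan saved at 21:33:38, on 19/11/2005

Running processes:
C:\WINDOWS\System32\smss.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.terra.es
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
O4 - HKLM\..\Run: [MCUpdateExe] C:\ARCHIV~1\mcafee.com\agent\mcupdate.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{19BBB3EB-57F6-43E3-8D02-5A83330213F9}: NameServer = 62.36.225.150 62.37.228.20
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
"""

AFTER = r"""Logfile of HijackThis v1.99.1
Scan saved at 9:51:53, on 20/11/2005

Running processes:
C:\WINDOWS\System32\smss.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.terra.es
O4 - HKLM\..\Run: [MCUpdateExe] C:\ARCHIV~1\mcafee.com\agent\McUpdate.exe
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
"""

REQUESTED = r"""R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
"""

if __name__ == "__main__":
    for section, lines in verify_fix(BEFORE, AFTER, REQUESTED).items():
        print(f"{section}: {len(lines)}")
        for line in lines:
            print("   ", line)
```

The case-folded comparison keeps the `mcupdate.exe` / `McUpdate.exe` spelling difference between the two logs from being reported as a new entry.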

#10
therock247uk

therock247uk

    Expert

  • Expert
  • 14,672 posts
  • MVP
Your log is clean :tazz:

Here are some tips. To reduce the potential for spyware infection in the future, I strongly recommend installing the following applications:
  • Spywareblaster <= SpywareBlaster will prevent spyware from being installed.
  • Spywareguard <= SpywareGuard offers realtime protection from spyware installation attempts.
  • How to use Ad-Aware to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Ad-Aware.
  • How to use Spybot to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Spybot. Similar to Ad-Aware, I strongly recommend both to catch most spyware.
To protect yourself further:
  • IE/Spyad <= IE/Spyad places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
  • MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well-known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.
  • Google Toolbar <= Get the free google toolbar to help stop pop up windows.
I also suggest that you delete any files from "temp", "tmp" folders. In Internet Explorer, click on "Tools" => "Internet Options" => "Delete Files" and select the box that says "Delete All Offline Content" and click on "OK" twice. Also, empty the recycle bin by right clicking on it and selecting "Empty Recycle Bin". These steps should be done on a regular basis.
  • 0



#11
gonzalo

gonzalo

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
Thanks a lot
I've not succeeded in installing the Google tool bar??

Now I do have installed and working together

Ewido
McAfee
Spybot
SpySweeper
TrojanHunter
SpywareGuard
SpywareBlaster
Ad Aware

Plus

IESpyad
MVPS Host file


Should I keep everything installed and working?
Or should I uninstall some of them?

Thanks a lot for your helpful cooperation.

Best regards and let me know if you need something from sunny Spain
  • 0

#12
therock247uk

therock247uk

    Expert

  • Expert
  • 14,672 posts
  • MVP
Spysweeper, Trojan Hunter and Ewido you can only keep if you pay for them.
  • 0

#13
gonzalo

gonzalo

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
Thank you,

I assume that I can continue working with all this software together.

Just two questions

1) Spy Sweeper says that my Host file is too big.
Is that a problem?

2) During the time I had the ad-ware I was driven to a lot of pop-ups, some of them advertising companies as serious as Hertz, or a governmental health office!! How is it possible that these companies are involved in such a thing!!!!


Best regards and thanks a lot
  • 0

#14
therock247uk

therock247uk

    Expert

  • Expert
  • 14,672 posts
  • MVP
1. It should not be a problem.
2. The popups come from random companies.
  • 0

#15
gonzalo

gonzalo

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
:tazz: Thanks a lot for everything.

I do feel my PC is OK right now.

Best regards
  • 0





