# Solved: Please Help - Blackworm, Perhaps Blaster/Sasser - SDBot - 60 second shutdowns



## OxfordBarney (Dec 14, 2004)

I need to clean a lot of mess from my system, and would appreciate a quick assistance. My hijackthis log follows:

Logfile of HijackThis v1.99.1
Scan saved at 23:39:47, on 18/03/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\ARCHIV~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\ARCHIV~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Archivos de programa\Panda Software\Panda Antivirus Titanium\Pavsrv51.exe
C:\WINDOWS\System32\svchost.exe
C:\Archivos de programa\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Archivos de programa\Panda Software\Panda Antivirus Titanium\AVENGINE.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\ARCHIV~1\EzButton\CPATR10.EXE
C:\Archivos de programa\Synaptics\SynTP\SynTPLpr.exe
C:\Archivos de programa\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\System32\sistray.EXE
C:\WINDOWS\System32\khooker.exe
C:\Archivos de programa\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Archivos de programa\Panda Software\Panda Antivirus Titanium\APVXDWIN.EXE
C:\WINDOWS\LTSMMSG.exe
C:\Archivos de programa\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Archivos de programa\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\Archivos de programa\STA Kit ADSL\CnxDslTb.exe
C:\Archivos de programa\Webroot\Spy Sweeper\SpySweeper.exe
C:\Archivos de programa\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\ARCHIV~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Archivos de programa\Messenger\msmsgs.exe
C:\Archivos de programa\Panda Software\Panda Antivirus Titanium\pavProxy.exe
C:\Archivos de programa\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Archivos de programa\ewido anti-malware\ewidoguard.exe
C:\Archivos de programa\ewido anti-malware\ewidoctrl.exe
C:\Documents and Settings\Esfera\Configuración local\Temp\Directorio temporal 1 para hijackthis.zip\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.beep.es/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\sisUSBrg.exe
O4 - HKLM\..\Run: [CPATR10] C:\ARCHIV~1\EzButton\CPATR10.EXE
O4 - HKLM\..\Run: [SynTPLpr] C:\Archivos de programa\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Archivos de programa\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SiS Tray] C:\WINDOWS\System32\sistray.EXE
O4 - HKLM\..\Run: [SiS KHooker] C:\WINDOWS\System32\khooker.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Archivos de programa\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [APVXDWIN] "C:\Archivos de programa\Panda Software\Panda Antivirus Titanium\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [LTSMMSG] LTSMMSG.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Archivos de programa\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [CamMonitor] C:\Archivos de programa\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [CnxDslTaskBar] C:\Archivos de programa\STA Kit ADSL\CnxDslTb.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Archivos de programa\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\Run: [AVG7_CC] C:\ARCHIV~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Archivos de programa\Messenger\msmsgs.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Archivos de programa\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\ARCHIV~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O14 - IERESET.INF: START_PAGE_URL=http://www.beep.es/
O17 - HKLM\System\CCS\Services\Tcpip\..\{D6E7F14B-578C-42DC-B427-468EAE38916F}: NameServer = 194.158.64.9 194.158.64.10
O17 - HKLM\System\CCS\Services\Tcpip\..\{F3EA66DF-AE4D-4865-8F7F-FF7A7CB59334}: NameServer = 194.158.88.2,194.158.64.7
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\ARCHIV~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\ARCHIV~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Archivos de programa\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Archivos de programa\ewido anti-malware\ewidoguard.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software - C:\Archivos de programa\Panda Software\Panda Antivirus Titanium\Pavsrv51.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Archivos de programa\Webroot\Spy Sweeper\WRSSSDK.exe

Thanks and appreciation.


----------



## OxfordBarney (Dec 14, 2004)

Also, when I try to run Ewido, AVG comes up with virus warnings asking to heal SDBot - MedMan.exe. I heal a few, but after three or four, the system shuts down.
OxfordBarney


----------



## Cheeseball81 (Mar 3, 2004)

To abort the shutdown, go to Start - Run and type in:

*shutdown -a*

Run the Blaster removal tool:

http://www.symantec.com/avcenter/venc/data/w32.blaster.worm.removal.tool.html

and also run the Sasser removal tool:

http://www.symantec.com/avcenter/venc/data/w32.sasser.removal.tool.html

Reboot, post a new Hijack This log.


----------



## OxfordBarney (Dec 14, 2004)

Thank you Cheeseball81 for your help. I ran the Symantec Blaster and Sasser removal tools, and also SpywareBlaster, Spybot S&D, and Ewido. Before running the virus removal tools that you suggested, I had already run AVG Free Edition and quarantined many trojans. The Blaster and Sasser removal tools showed no infection, but maybe AVG had already quarantined them. In spite of this, p.exe just appeared again, and I sent it to the virus vault. Hopefully Blaster and Sasser haven't re-infected.
Please check the latest hijackthis log as follows:

Logfile of HijackThis v1.99.1
Scan saved at 16:12:42, on 19/03/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\ARCHIV~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\ARCHIV~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Archivos de programa\ewido anti-malware\ewidoctrl.exe
C:\Archivos de programa\ewido anti-malware\ewidoguard.exe
C:\Archivos de programa\Panda Software\Panda Antivirus Titanium\Pavsrv51.exe
C:\WINDOWS\System32\svchost.exe
C:\Archivos de programa\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Archivos de programa\Panda Software\Panda Antivirus Titanium\AVENGINE.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\ARCHIV~1\EzButton\CPATR10.EXE
C:\Archivos de programa\Synaptics\SynTP\SynTPLpr.exe
C:\Archivos de programa\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\System32\sistray.EXE
C:\WINDOWS\System32\khooker.exe
C:\Archivos de programa\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Archivos de programa\Panda Software\Panda Antivirus Titanium\APVXDWIN.EXE
C:\WINDOWS\LTSMMSG.exe
C:\Archivos de programa\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Archivos de programa\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\Archivos de programa\STA Kit ADSL\CnxDslTb.exe
C:\Archivos de programa\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Archivos de programa\Panda Software\Panda Antivirus Titanium\pavProxy.exe
C:\Archivos de programa\Webroot\Spy Sweeper\SpySweeper.exe
C:\ARCHIV~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Archivos de programa\Messenger\msmsgs.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Esfera\Configuración local\Temp\Directorio temporal 3 para hijackthis.zip\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.beep.es/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\ARCHIV~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\sisUSBrg.exe
O4 - HKLM\..\Run: [CPATR10] C:\ARCHIV~1\EzButton\CPATR10.EXE
O4 - HKLM\..\Run: [SynTPLpr] C:\Archivos de programa\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Archivos de programa\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SiS Tray] C:\WINDOWS\System32\sistray.EXE
O4 - HKLM\..\Run: [SiS KHooker] C:\WINDOWS\System32\khooker.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Archivos de programa\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [APVXDWIN] "C:\Archivos de programa\Panda Software\Panda Antivirus Titanium\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [LTSMMSG] LTSMMSG.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Archivos de programa\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [CamMonitor] C:\Archivos de programa\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [CnxDslTaskBar] C:\Archivos de programa\STA Kit ADSL\CnxDslTb.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Archivos de programa\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\Run: [AVG7_CC] C:\ARCHIV~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Archivos de programa\Messenger\msmsgs.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Archivos de programa\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\ARCHIV~1\MICROS~2\Office10\EXCEL.EXE/3000
O14 - IERESET.INF: START_PAGE_URL=http://www.beep.es/
O17 - HKLM\System\CCS\Services\Tcpip\..\{D6E7F14B-578C-42DC-B427-468EAE38916F}: NameServer = 194.158.64.9 194.158.64.10
O17 - HKLM\System\CCS\Services\Tcpip\..\{F3EA66DF-AE4D-4865-8F7F-FF7A7CB59334}: NameServer = 194.158.88.2,194.158.64.7
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\ARCHIV~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\ARCHIV~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Archivos de programa\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Archivos de programa\ewido anti-malware\ewidoguard.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software - C:\Archivos de programa\Panda Software\Panda Antivirus Titanium\Pavsrv51.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Archivos de programa\Webroot\Spy Sweeper\WRSSSDK.exe
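
The logs above are what the helper reads between posts. As an added example (not code from this thread, from HijackThis or from any of the tools mentioned), here is a small Python parser for the HijackThis v1.99 entry format that diffs two logs and splits O4 autostart entries into their parts; the two embedded logs are constructed excerpts of the 18/03 and 19/03 logs posted in this thread, and the regular expressions are my own assumptions about the format.

```python
import re
from dataclasses import dataclass

# HijackThis 1.99 entry: "<section> - <body>", e.g. "O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE"
ENTRY_RE = re.compile(r"^([RFNO]\d{1,2}) - (.+)$")
# Body of an O4 registry autostart: HKLM\..\Run: [ValueName] command line
RUN_RE = re.compile(r"^(HKLM|HKCU)\\\.\.\\(Run\w*): \[(.+?)\] (.*)$")
# Unquoted command line: the executable runs up to the first executable extension
EXE_RE = re.compile(r"(?i)^(.*?\.(?:exe|com|bat|cmd|scr))(?:\s+(.*))?$")


@dataclass(frozen=True)
class Entry:
    section: str  # R0, O2, O4, O17, O23 ...
    body: str     # everything after "<section> - "


def parse_log(text):
    """Return (processes, entries): the 'Running processes:' block and all Rx/Oxx lines."""
    processes, entries = [], []
    in_procs = False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_procs = True
            continue
        if in_procs:              # the process list ends at the first blank line
            if line:
                processes.append(line)
            else:
                in_procs = False
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append(Entry(m.group(1), m.group(2)))
    return processes, entries


def parse_run_entry(entry):
    """Split an O4 registry autostart into (hive, key, value name, command); None otherwise."""
    m = RUN_RE.match(entry.body)
    if entry.section != "O4" or m is None:
        return None
    return m.group(1), m.group(2), m.group(3), m.group(4)


def split_command(command):
    """Separate executable and arguments for quoted, unquoted-path and bare (no directory) Run values."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        if end != -1:
            return command[1:end], command[end + 1:].strip()
    m = EXE_RE.match(command)
    if m:
        return m.group(1), m.group(2) or ""
    exe, _, args = command.partition(" ")   # no recognised extension: split at first space
    return exe, args.strip()


def diff_logs(old_text, new_text):
    """List the entries and processes present in only one of two logs."""
    old_procs, old_entries = parse_log(old_text)
    new_procs, new_entries = parse_log(new_text)
    key = lambda e: (e.section, e.body)
    return {
        "added_entries": sorted(set(new_entries) - set(old_entries), key=key),
        "removed_entries": sorted(set(old_entries) - set(new_entries), key=key),
        "added_processes": sorted(set(new_procs) - set(old_procs), key=str.lower),
        "removed_processes": sorted(set(old_procs) - set(new_procs), key=str.lower),
    }


# Constructed excerpts of the 18/03/2006 and 19/03/2006 (23:58) logs posted in this thread.
LOG_18_MARCH = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\Archivos de programa\Internet Explorer\iexplore.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.beep.es/
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKCU\..\Run: [MSMSGS] "C:\Archivos de programa\Messenger\msmsgs.exe" /background
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O17 - HKLM\System\CCS\Services\Tcpip\..\{D6E7F14B-578C-42DC-B427-468EAE38916F}: NameServer = 194.158.64.9 194.158.64.10
"""

LOG_19_MARCH = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\Archivos de programa\ewido anti-malware\ewidoguard.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.google.com/nwshp?hl=es&tab=wn&q=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.beep.es/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\ARCHIV~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKCU\..\Run: [MSMSGS] "C:\Archivos de programa\Messenger\msmsgs.exe" /background
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{D6E7F14B-578C-42DC-B427-468EAE38916F}: NameServer = 194.158.64.9 194.158.64.10
"""

if __name__ == "__main__":
    for kind, items in diff_logs(LOG_18_MARCH, LOG_19_MARCH).items():
        print(kind, [i if isinstance(i, str) else f"{i.section} - {i.body}" for i in items])
```

Run on the two excerpts it reports the O2 (Spybot SDHelper), O16 (ActiveScan installer) and R0 lines as added and the O9 "Related" lines as removed, which is exactly what changed between those two posts.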


----------



## Cheeseball81 (Mar 3, 2004)

Run *ActiveScan* online virus scan:
http://www.pandasoftware.com/products/activescan.htm

Once you are on the Panda site click the Scan your PC button.
A new window will open...click the Check Now button.
Enter your Country.
Enter your State/Province.
Enter your e-mail address and click send.
Select either Home User or Company.
Click the big Scan Now button.
If it wants to install an ActiveX component allow it.
It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
When download is complete, click on My Computer to start the scan.
When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. 
Post the contents of the ActiveScan report.


----------



## OxfordBarney (Dec 14, 2004)

I am trying to do the Panda ActiveScan, but the virus keeps hanging the system every time I try to access Panda. AVG pops up warnings about sdbot p.exe or medman.exe YOW, or Generic.QUK. It doesn't help to quarantine. I'll keep trying. It just popped up again.


----------



## OxfordBarney (Dec 14, 2004)

Once the AVG warnings start popping up, the system slowly slows and eventually grinds to a halt. Now I'm seeing detections of system32\hosts.exe agobot.bhj. I'll keep trying to run Panda before the system grinds down - it's like a race. Even typing these messages.


----------



## OxfordBarney (Dec 14, 2004)

More new ones are starting to appear - also virus detected while opening file system32\mswld32.exe Trojan horse irc/backdoor.sdbot.YJO and Generic.QUK while opening eraseme.exe


----------



## OxfordBarney (Dec 14, 2004)

The Panda scan finally completed and I'm hoping it wasn't shortened. The scan results are as follows:

| Incident | Status | Location |
|---|---|---|
| Adware:adware/dollarrevenue | Not disinfected | C:\WINDOWS\keyboard31.dat |
| Adware:adware/maxifiles | Not disinfected | C:\ARCHIVOS DE PROGRAMA\ARCHIVOS COMUNES\Windows |
| Adware:adware/webhancer | Not disinfected | C:\ARCHIVOS DE PROGRAMA\webHancer |
| Spyware:Cookie/Belnk | Not disinfected | C:\Documents and Settings\Esfera\Cookies\[email protected][1].txt |
| Spyware:Cookie/Belnk | Not disinfected | C:\Documents and Settings\Esfera\Cookies\[email protected][2].txt |
| Spyware:Cookie/Rn11 | Not disinfected | C:\Documents and Settings\Esfera\Cookies\[email protected][2].txt |
| Spyware:Cookie/Statcounter | Not disinfected | C:\Documents and Settings\Esfera\Cookies\[email protected][2].txt |
| Spyware:Cookie/Belnk | Not disinfected | C:\Documents and Settings\Esfera\Cookies\[email protected][1].txt |
| Spyware:Cookie/Belnk | Not disinfected | C:\Documents and Settings\Esfera\Cookies\[email protected][2].txt |
| Spyware:Cookie/Rn11 | Not disinfected | C:\Documents and Settings\Esfera\Cookies\[email protected][2].txt |
| Spyware:Cookie/Statcounter | Not disinfected | C:\Documents and Settings\Esfera\Cookies\[email protected][2].txt |
| Virus:W32/Sdbot.ftp | Not disinfected | C:\WINDOWS\system32\i |

Many thanks.


----------



## Cheeseball81 (Mar 3, 2004)

Download *KillBox* here: http://www.downloads.subratam.org/KillBox.exe
Save it to your desktop.
*DO NOT* run it yet.

Boot into Safe Mode.

* Double click on Killbox.exe to run it.

Put a tick by *Standard File Kill*.
In the "Full Path of File to Delete" box, copy and paste each of the following lines one at a time:

*C:\WINDOWS\keyboard31.dat 
C:\ARCHIVOS DE PROGRAMA\ARCHIVOS COMUNES\Windows 
C:\ARCHIVOS DE PROGRAMA\webHancer 
C:\WINDOWS\system32\i *

Click on the button that has the red circle with the X in the middle after you enter each file.
It will ask for confirmation to delete the file.
Click Yes.
Continue with that procedure until you have pasted all of these in the "Paste Full Path of File to Delete" box.
Killbox may tell you that one or more files do not exist.
If that happens, just continue on with all the files. Be sure you don't miss any.
Next in Killbox go to *Tools > Delete Temp Files*
In the window that pops up, put a check by ALL the options there except these three:
*XP Prefetch
Recent
History*
Now click the *Delete Selected Temp Files* button.
Exit the Killbox.

Finally go to Control Panel > Internet Options. 
On the General tab under "Temporary Internet Files" Click "Delete Files". 
Put a check by "Delete Offline Content" and click OK. 
Click on the Programs tab then click the "Reset Web Settings" button. 
Click Apply then OK.

Empty the Recycle Bin.

Reboot, post a new Hijack This log.


----------



## OxfordBarney (Dec 14, 2004)

Thank you very much for that. I have done as you requested, but when I re-boot, I still am getting AVG Virus Detections as follows: 
While opening file: C:\Windows\system32\erasme_02770.exe Trojan horse Generic.QUK
While opening file: C:\Windows\system32\eraseme_37264.exe Trojan horse IRC/BackDoor.SdBot.NJX, and the others seem to still be popping up such as other BackDoor.SdBot.NJX and Agobot.BHJ

I thought that maybe the echoes from System Restore were being detected, but deactivating and reactivating System Restore hasn't prevented the detections.

Logfile of HijackThis v1.99.1
Scan saved at 23:58:40, on 19/03/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\ARCHIV~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\ARCHIV~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Archivos de programa\ewido anti-malware\ewidoctrl.exe
C:\Archivos de programa\ewido anti-malware\ewidoguard.exe
C:\Archivos de programa\Panda Software\Panda Antivirus Titanium\Pavsrv51.exe
C:\WINDOWS\System32\svchost.exe
C:\Archivos de programa\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Archivos de programa\Panda Software\Panda Antivirus Titanium\AVENGINE.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\ARCHIV~1\EzButton\CPATR10.EXE
C:\Archivos de programa\Synaptics\SynTP\SynTPLpr.exe
C:\Archivos de programa\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\System32\sistray.EXE
C:\WINDOWS\System32\khooker.exe
C:\Archivos de programa\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Archivos de programa\Panda Software\Panda Antivirus Titanium\APVXDWIN.EXE
C:\WINDOWS\LTSMMSG.exe
C:\Archivos de programa\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Archivos de programa\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\Archivos de programa\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Archivos de programa\STA Kit ADSL\CnxDslTb.exe
C:\Archivos de programa\Panda Software\Panda Antivirus Titanium\pavProxy.exe
C:\Archivos de programa\Webroot\Spy Sweeper\SpySweeper.exe
C:\ARCHIV~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Archivos de programa\Messenger\msmsgs.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Archivos de programa\Internet Explorer\iexplore.exe
C:\Documents and Settings\Esfera\Configuración local\Temp\Directorio temporal 7 para hijackthis.zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.google.com/nwshp?hl=es&tab=wn&q=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.beep.es/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\ARCHIV~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\sisUSBrg.exe
O4 - HKLM\..\Run: [CPATR10] C:\ARCHIV~1\EzButton\CPATR10.EXE
O4 - HKLM\..\Run: [SynTPLpr] C:\Archivos de programa\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Archivos de programa\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SiS Tray] C:\WINDOWS\System32\sistray.EXE
O4 - HKLM\..\Run: [SiS KHooker] C:\WINDOWS\System32\khooker.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Archivos de programa\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [APVXDWIN] "C:\Archivos de programa\Panda Software\Panda Antivirus Titanium\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [LTSMMSG] LTSMMSG.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Archivos de programa\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [CamMonitor] C:\Archivos de programa\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [CnxDslTaskBar] C:\Archivos de programa\STA Kit ADSL\CnxDslTb.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Archivos de programa\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\Run: [AVG7_CC] C:\ARCHIV~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Archivos de programa\Messenger\msmsgs.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Archivos de programa\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\ARCHIV~1\MICROS~2\Office10\EXCEL.EXE/3000
O14 - IERESET.INF: START_PAGE_URL=http://www.beep.es/
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{D6E7F14B-578C-42DC-B427-468EAE38916F}: NameServer = 194.158.64.9 194.158.64.10
O17 - HKLM\System\CCS\Services\Tcpip\..\{F3EA66DF-AE4D-4865-8F7F-FF7A7CB59334}: NameServer = 194.158.88.2,194.158.64.7
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\ARCHIV~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\ARCHIV~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Archivos de programa\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Archivos de programa\ewido anti-malware\ewidoguard.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software - C:\Archivos de programa\Panda Software\Panda Antivirus Titanium\Pavsrv51.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Archivos de programa\Webroot\Spy Sweeper\WRSSSDK.exe


----------



## Cheeseball81 (Mar 3, 2004)

Download *WinPFind*: http://www.bleepingcomputer.com/files/winpfind.php
Right Click the Zip Folder and Select "*Extract All*"
Extract it somewhere you will remember like the Desktop.
Don't do anything with it yet.

Reboot into *Safe Mode*.
Restart your computer and as soon as it starts booting up again continuously tap *F8*. 
A menu should come up where you will be given the option to enter Safe Mode.

Doubleclick *WinPFind.exe*
Click "*Configure Scan Options*"
Select "*Run Add ONs*" and then select *ALL* the options in the box below it, Press Apply
Now Click "*Start Scan*"
*It will scan the entire System, so please be patient!*
Once the Scan is Complete
Reboot back to Normal Mode!
Go to the *WinPFind folder*
Locate *WinPFind.txt*
Place those results in the next post!
It will be too big to post so you will need to attach it to your reply.


----------



## OxfordBarney (Dec 14, 2004)

Thank you again.

I have attached the WinPFind text file as you requested.

Before you sent your reply, I started a Panda scan again. Strangely enough, this time a virus was detected early in the scan. Last time, the only virus detected appeared near the end of the scan. I cancelled the scan after completing only one quarter of it, but for your interest I am copying the partial details here. This is a different virus than appeared before. Please remember that this is only an incomplete scan.

Please let me know if you cannot open the attached WinPFind text file, and I'll copy it in parts.


----------



## OxfordBarney (Dec 14, 2004)

Oops, forgot to copy the partial panda scan. Here it is ----------

| Incident | Status | Location |
|---|---|---|
| Spyware:Cookie/Statcounter | Not disinfected | C:\Documents and Settings\Esfera\Cookies\[email protected][1].txt |
| Virus:W32/Sdbot.ftp | Not disinfected | C:\!KillBox\i |
| Spyware:Cookie/Statcounter | Not disinfected | C:\Documents and Settings\Esfera\Cookies\[email protected][1].txt |


----------



## Cheeseball81 (Mar 3, 2004)

Boot into *Safe Mode*.

Double click on Killbox.exe to run it.

Put a tick by Standard File Kill.
In the "Full Path of File to Delete" box, copy and paste each of the following lines one at a time:

*C:\WINDOWS\SYSTEM32\MSDNSD32.exe
C:\WINDOWS\SYSTEM32\MSWLD32.exe
C:\WINDOWS\SYSTEM32\p.exe
C:\WINDOWS\system32\pmnkj.dll
C:\Windows\system32\erasme_02770.exe
C:\Windows\system32\eraseme_37264.exe*

Click on the button that has the red circle with the X in the middle after you enter each file.
It will ask for confirmation to delete the file.
Click Yes.
Continue with that procedure until you have pasted all of these in the "Paste Full Path of File to Delete" box.
Killbox may tell you that one or more files do not exist.
If that happens, just continue on with all the files. Be sure you don't miss any.
Exit KillBox.

Reboot, post a new log.


----------



## OxfordBarney (Dec 14, 2004)

Thank you again.

I did as you requested. Unfortunately, I am still getting the detections of agobot.BHJ while opening system32\host.exe, irc/backdoor.sdbot.xrm while opening system32 mrcw34.exe, eraseme_02770.exe, irc/backdoor.sdbot.yow while opening C:\!Killbox\msdnsd32.exe. Actually all of the trojan horses are still being detected (i.e. Generic.QUK, irc/backdoor.sdbot.njx) while trying to open the files (including p.exe, eraseme_02770.exe) from within C:\!Killbox\, and others still trying to open files from within system32 (i.e. host.exe, myhost.exe, the other eraseme files).

The detections are diminished, however, but only marginally.

I am doing another panda scan, and will post it shortly. Here´s my hijackthis log.

Logfile of HijackThis v1.99.1
Scan saved at 8:38:51, on 20/03/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\ARCHIV~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\ARCHIV~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Archivos de programa\ewido anti-malware\ewidoctrl.exe
C:\Archivos de programa\ewido anti-malware\ewidoguard.exe
C:\Archivos de programa\Panda Software\Panda Antivirus Titanium\Pavsrv51.exe
C:\WINDOWS\System32\svchost.exe
C:\Archivos de programa\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Archivos de programa\Panda Software\Panda Antivirus Titanium\AVENGINE.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\ARCHIV~1\EzButton\CPATR10.EXE
C:\Archivos de programa\Synaptics\SynTP\SynTPLpr.exe
C:\Archivos de programa\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\System32\sistray.EXE
C:\WINDOWS\System32\khooker.exe
C:\Archivos de programa\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Archivos de programa\Panda Software\Panda Antivirus Titanium\APVXDWIN.EXE
C:\WINDOWS\LTSMMSG.exe
C:\Archivos de programa\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Archivos de programa\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\Archivos de programa\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Archivos de programa\STA Kit ADSL\CnxDslTb.exe
C:\Archivos de programa\Panda Software\Panda Antivirus Titanium\pavProxy.exe
C:\Archivos de programa\Webroot\Spy Sweeper\SpySweeper.exe
C:\ARCHIV~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Archivos de programa\Messenger\msmsgs.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Archivos de programa\Internet Explorer\iexplore.exe
C:\Documents and Settings\Esfera\Configuración local\Temp\Directorio temporal 8 para hijackthis.zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.google.com/nwshp?hl=es&tab=wn&q=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.beep.es/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\ARCHIV~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\sisUSBrg.exe
O4 - HKLM\..\Run: [CPATR10] C:\ARCHIV~1\EzButton\CPATR10.EXE
O4 - HKLM\..\Run: [SynTPLpr] C:\Archivos de programa\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Archivos de programa\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SiS Tray] C:\WINDOWS\System32\sistray.EXE
O4 - HKLM\..\Run: [SiS KHooker] C:\WINDOWS\System32\khooker.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Archivos de programa\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [APVXDWIN] "C:\Archivos de programa\Panda Software\Panda Antivirus Titanium\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [LTSMMSG] LTSMMSG.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Archivos de programa\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [CamMonitor] C:\Archivos de programa\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [CnxDslTaskBar] C:\Archivos de programa\STA Kit ADSL\CnxDslTb.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Archivos de programa\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\Run: [AVG7_CC] C:\ARCHIV~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Archivos de programa\Messenger\msmsgs.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Archivos de programa\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\ARCHIV~1\MICROS~2\Office10\EXCEL.EXE/3000
O14 - IERESET.INF: START_PAGE_URL=http://www.beep.es/
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{D6E7F14B-578C-42DC-B427-468EAE38916F}: NameServer = 194.158.64.9 194.158.64.10
O17 - HKLM\System\CCS\Services\Tcpip\..\{F3EA66DF-AE4D-4865-8F7F-FF7A7CB59334}: NameServer = 194.158.88.2,194.158.64.7
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\ARCHIV~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\ARCHIV~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Archivos de programa\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Archivos de programa\ewido anti-malware\ewidoguard.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software - C:\Archivos de programa\Panda Software\Panda Antivirus Titanium\Pavsrv51.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Archivos de programa\Webroot\Spy Sweeper\WRSSSDK.exe


----------



## OxfordBarney (Dec 14, 2004)

Also, I deleted in the Killbox eraseme_02770.exe, since erasme_02770.exe was not found and I assumed that I had given you a mis-spelling. The former was found and deleted from the Killbox. I don't understand why the files that we do delete are continuing to be detected by AVG from within C:\!Killbox\.
This is one stubborn nasty.
OxfordBarney


----------



## OxfordBarney (Dec 14, 2004)

Here are the scan results of Panda. The SdBot virus seems to be showing up from within KillBox. However, the system32\keyboard.exe is very interesting in that I remember yesterday that SpySweeper detected that this was trying to be installed - twice. I ticked both of the SpySweeper boxes for the two keyboard.exe files, and ticked remove (supposedly to disallow the installation). Obviously, it didn't work as it seems to have gotten around SpySweeper.

We seem to be killing some branches of the weed, but the root is still intact and is sprouting new weeds.

AVG virus detection activity seems to have returned to constant detection again, with 30-second countdown boxes showing openings of the eraseme files from within the !Killbox directory, mrcw34.exe, MedMan.exe, host.exe, etc. and the identification of Agobot and SdBot viruses continues.

| Incident | Status | Location |
| --- | --- | --- |
| Spyware:Cookie/Statcounter | Not disinfected | C:\Documents and Settings\Esfera\Cookies\[email protected][1].txt |
| Virus:W32/Sdbot.ftp | Not disinfected | C:\!KillBox\i |
| Spyware:Cookie/Statcounter | Not disinfected | C:\Documents and Settings\Esfera\Cookies\[email protected][1].txt |
| Virus:W32/Gaobot.MNM.worm | Not disinfected | C:\WINDOWS\system32\keyboard.exe |


----------



## Cheeseball81 (Mar 3, 2004)

Use KillBox on this one: C:\WINDOWS\system32\keyboard.exe

Anything in C:\!Killbox can be deleted. Those are just back ups KillBox makes after you remove a file.


----------



## OxfordBarney (Dec 14, 2004)

Thank you. I KillBoxed the keyboard.exe file. When I deleted the KillBox backup files through normal deletion, the virus detection messages changed and are now referring to the same viruses (i.e. Agobot, SdBot) being detected while opening Dc1, Dc2, Dc3, Dc4, Dc5, Dc6, Dc7.exe files within C:\RECYCLERS\S-1-5-21-...many numbers. The same file host.exe in the system32 folder is also still being referenced in the detection messages.


----------



## Cheeseball81 (Mar 3, 2004)

Empty the Recycle Bin and see if they still get detected.


----------



## OxfordBarney (Dec 14, 2004)

OK, I emptied the Recycle Bin, and that stopped the dc#.exe files from triggering detections, but host.exe, MedMan.exe, mrcw34.exe, and myhost.exe in the system32 directory are still triggering detections while they are being opened by SdBot and Agobot. But it only seems to be down to those four .EXE files.


----------



## OxfordBarney (Dec 14, 2004)

Also, eraseme_46248.exe in system32 is triggering.


----------



## Cheeseball81 (Mar 3, 2004)

Okay let's use KillBox on the following:

*C:\WINDOWS\system32\host.exe
C:\WINDOWS\system32\MedMan.exe
C:\WINDOWS\system32\mrcw34.exe
C:\WINDOWS\system32\myhost.exe 
C:\WINDOWS\system32\eraseme_46248.exe*


----------



## OxfordBarney (Dec 14, 2004)

Thank you - that seems to have stopped the AVG Virus detections. Does that mean that all of those programs had been installed by the virus, and that the virus is still actively trying to access them, but because they are gone the virus is inert? Or is the virus actually gone now?

Could you please comment on whether my hijackthis log below is clean?

Also, should I install SP2 from Windows Update, or is it OK to keep going with SP1? Any other things that you can suggest I do to thoroughly clean my system?

Thanks a lot for your kind help, and here is my hijackthis log:

Logfile of HijackThis v1.99.1
Scan saved at 19:51:32, on 20/03/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\ARCHIV~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\ARCHIV~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Archivos de programa\ewido anti-malware\ewidoctrl.exe
C:\Archivos de programa\ewido anti-malware\ewidoguard.exe
C:\Archivos de programa\Panda Software\Panda Antivirus Titanium\Pavsrv51.exe
C:\WINDOWS\System32\svchost.exe
C:\Archivos de programa\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Archivos de programa\Panda Software\Panda Antivirus Titanium\AVENGINE.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\ARCHIV~1\EzButton\CPATR10.EXE
C:\Archivos de programa\Synaptics\SynTP\SynTPLpr.exe
C:\Archivos de programa\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\System32\sistray.EXE
C:\WINDOWS\System32\khooker.exe
C:\Archivos de programa\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Archivos de programa\Panda Software\Panda Antivirus Titanium\APVXDWIN.EXE
C:\WINDOWS\LTSMMSG.exe
C:\Archivos de programa\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Archivos de programa\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\Archivos de programa\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Archivos de programa\STA Kit ADSL\CnxDslTb.exe
C:\Archivos de programa\Webroot\Spy Sweeper\SpySweeper.exe
C:\ARCHIV~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Archivos de programa\Panda Software\Panda Antivirus Titanium\pavProxy.exe
C:\Archivos de programa\Messenger\msmsgs.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Archivos de programa\Internet Explorer\iexplore.exe
C:\Documents and Settings\Esfera\Configuración local\Temp\Directorio temporal 13 para hijackthis.zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.google.com/nwshp?hl=es&tab=wn&q=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.beep.es/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\ARCHIV~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\sisUSBrg.exe
O4 - HKLM\..\Run: [CPATR10] C:\ARCHIV~1\EzButton\CPATR10.EXE
O4 - HKLM\..\Run: [SynTPLpr] C:\Archivos de programa\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Archivos de programa\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SiS Tray] C:\WINDOWS\System32\sistray.EXE
O4 - HKLM\..\Run: [SiS KHooker] C:\WINDOWS\System32\khooker.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Archivos de programa\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [APVXDWIN] "C:\Archivos de programa\Panda Software\Panda Antivirus Titanium\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [LTSMMSG] LTSMMSG.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Archivos de programa\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [CamMonitor] C:\Archivos de programa\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [CnxDslTaskBar] C:\Archivos de programa\STA Kit ADSL\CnxDslTb.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Archivos de programa\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\Run: [AVG7_CC] C:\ARCHIV~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Archivos de programa\Messenger\msmsgs.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Archivos de programa\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\ARCHIV~1\MICROS~2\Office10\EXCEL.EXE/3000
O14 - IERESET.INF: START_PAGE_URL=http://www.beep.es/
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{D6E7F14B-578C-42DC-B427-468EAE38916F}: NameServer = 194.158.64.9 194.158.64.10
O17 - HKLM\System\CCS\Services\Tcpip\..\{F3EA66DF-AE4D-4865-8F7F-FF7A7CB59334}: NameServer = 194.158.88.2,194.158.64.7
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\ARCHIV~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\ARCHIV~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Archivos de programa\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Archivos de programa\ewido anti-malware\ewidoguard.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software - C:\Archivos de programa\Panda Software\Panda Antivirus Titanium\Pavsrv51.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Archivos de programa\Webroot\Spy Sweeper\WRSSSDK.exe


----------



## OxfordBarney (Dec 14, 2004)

Oddly enough, as soon as I sent that message, the detection of the myhost.exe file reappeared. I will delete it again.


----------



## Cheeseball81 (Mar 3, 2004)

It may be finding it in the !KillBox folder again, but yes, your log looks clean.

I think it would be in your best interest to go ahead and install SP2.

Plus read here on *How to tighten your computer's security settings*: http://forums.techguy.org/t208517.html


----------



## OxfordBarney (Dec 14, 2004)

Hello Cheeseball81. This is very strange. One of the troublesome files keeps coming back to trigger the detections. First it was myhost.exe that was triggered, and so I went back and deleted it, then host.exe, which I then deleted, and now p.exe. Each time I was in Safe Mode I made sure that they were all deleted, and also that the KillBox backups were deleted while I was in Safe Mode. Only one file makes an appearance at a time now, but once I delete it using KillBox and re-boot, a different one exclusively appears, and then another after deletion and re-boot. I can't seem to clear the system.


----------



## Cheeseball81 (Mar 3, 2004)

Please rerun WinPFind and post the results.


----------



## OxfordBarney (Dec 14, 2004)

This is getting ridiculous!!! A new file called MSWSA32.exe in system32 was sprouting the detections and I deleted it and the Killbox backup, and I re-deleted all of the other files, a couple of which were found (they obviously were re-installed). Now another new file called eraseme_46116.exe is triggering detections, as well as the NSWSA32.exe again. I would love to get to the root of this problem quickly.


----------



## OxfordBarney (Dec 14, 2004)

OK - I´ll do that now.


----------



## OxfordBarney (Dec 14, 2004)

The computer's locking up a lot again, and so I'm having trouble getting this information to you. I have done the WinPFind scan but can't attach it as it's hanging the computer. I also did a Panda scan and the C:\WINDOWS\system32\i virus was detected as a virus again. It's back as well.


----------



## OxfordBarney (Dec 14, 2004)

Finally I was able to attach this WinPFind log before the detections started hanging the system again. As I said the C:\WINDOWS\system32\i file was detected by Panda again as a virus. This is one of the ones we killboxed before. The other detections are continuing again.


----------



## Cookiegal (Aug 27, 2003)

Download and unzip bfu.zip from http://www.merijn.org/files/bfu.zip
Run the program and click the Web button as shown here:

Use this URL to copy into the address bar of the Download script window:
*http://metallica.geekstogo.com/alcanshorty.bfu*

Execute the script by clicking the Execute button.

_If you have any questions about the use of BFU please read here:
http://metallica.geekstogo.com/BFUinstructions.html_

Then reboot and post back with a *HijackThis log*.


----------



## OxfordBarney (Dec 14, 2004)

Thanks for your help, CookieGal. 
Sorry about the delay, as I am in a European timezone.
I ran the BFU script and re-booted as you requested. So far, one detection of viral activity upon C:\WINDOWS\system32\eraseme_46116.exe has occurred after re-boot. Here's the HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 8:20:00, on 21/03/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\ARCHIV~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\ARCHIV~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Archivos de programa\ewido anti-malware\ewidoctrl.exe
C:\Archivos de programa\ewido anti-malware\ewidoguard.exe
C:\Archivos de programa\Panda Software\Panda Antivirus Titanium\Pavsrv51.exe
C:\WINDOWS\System32\svchost.exe
C:\Archivos de programa\Panda Software\Panda Antivirus Titanium\AVENGINE.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\ARCHIV~1\EzButton\CPATR10.EXE
C:\Archivos de programa\Synaptics\SynTP\SynTPLpr.exe
C:\Archivos de programa\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\System32\sistray.EXE
C:\WINDOWS\System32\khooker.exe
C:\Archivos de programa\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Archivos de programa\Panda Software\Panda Antivirus Titanium\APVXDWIN.EXE
C:\WINDOWS\LTSMMSG.exe
C:\Archivos de programa\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Archivos de programa\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\Archivos de programa\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Archivos de programa\STA Kit ADSL\CnxDslTb.exe
C:\ARCHIV~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Archivos de programa\Messenger\msmsgs.exe
C:\Archivos de programa\Panda Software\Panda Antivirus Titanium\pavProxy.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Archivos de programa\Internet Explorer\iexplore.exe
C:\Documents and Settings\Esfera\Configuración local\Temp\Directorio temporal 2 para hijackthis.zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.google.com/nwshp?hl=es&tab=wn&q=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.beep.es/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\ARCHIV~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\sisUSBrg.exe
O4 - HKLM\..\Run: [CPATR10] C:\ARCHIV~1\EzButton\CPATR10.EXE
O4 - HKLM\..\Run: [SynTPLpr] C:\Archivos de programa\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Archivos de programa\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SiS Tray] C:\WINDOWS\System32\sistray.EXE
O4 - HKLM\..\Run: [SiS KHooker] C:\WINDOWS\System32\khooker.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Archivos de programa\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [APVXDWIN] "C:\Archivos de programa\Panda Software\Panda Antivirus Titanium\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [LTSMMSG] LTSMMSG.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Archivos de programa\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [CamMonitor] C:\Archivos de programa\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [CnxDslTaskBar] C:\Archivos de programa\STA Kit ADSL\CnxDslTb.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\ARCHIV~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Archivos de programa\Messenger\msmsgs.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Archivos de programa\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\ARCHIV~1\MICROS~2\Office10\EXCEL.EXE/3000
O14 - IERESET.INF: START_PAGE_URL=http://www.beep.es/
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{D6E7F14B-578C-42DC-B427-468EAE38916F}: NameServer = 194.158.64.9 194.158.64.10
O17 - HKLM\System\CCS\Services\Tcpip\..\{F3EA66DF-AE4D-4865-8F7F-FF7A7CB59334}: NameServer = 194.158.88.2,194.158.64.7
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\ARCHIV~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\ARCHIV~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Archivos de programa\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Archivos de programa\ewido anti-malware\ewidoguard.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software - C:\Archivos de programa\Panda Software\Panda Antivirus Titanium\Pavsrv51.exe


----------



## Cookiegal (Aug 27, 2003)

Download RootkitRevealer from *here* (link is at the very bottom of the page).
Unzip it to your desktop.
Open the RootkitRevealer folder and double-click *rootkitrevealer.exe*
Click the *Scan* button (bottom right)
It may take a while to scan (don't do anything while it's running)
When it's done, go up to *File - Save*. Choose to save it to your desktop.
Open *RootkitRevealer.txt* on your desktop and copy the entire contents and paste them here.


----------



## OxfordBarney (Dec 14, 2004)

Thank you for that. I'm working on running RootkitRevealer now. I've tried twice, and although the program scans, the computer hangs when I try to save it to the Desktop. The first scan showed two discrepancies, one in system32, and the second scan showed sixteen discrepancies, but the one in system 32 wasn't there. I'm scanning a third time, and hopefully I'll be able to save this result.


----------



## OxfordBarney (Dec 14, 2004)

The virus detections are continuing during the scan, and the scan seems to have changed the nature of the detections. Now the viruses are being detected while opening files which start with C:\System Volume Information\_restore(letter/number combinations).


----------



## OxfordBarney (Dec 14, 2004)

CookieGal - this scan just completed with no discrepancies to report. What should I do now?


----------



## OxfordBarney (Dec 14, 2004)

Another RootkitRevealer scan just completed produced 19 discrepancies. It seems that the scans produce discrepancies while the computer is connected to the internet, but no discrepancies when not connected. Again, when I click Save ..., the computer hangs. I'm on a neighbouring computer now, and the problem computer is still completely jammed during the save attempt. I can read the results from here, and one of the discrepancies is C:\WINDOWS\system32\ftpupd.exe of size 0 bytes, and it says "Hidden from Windows API". The other 18 discrepancies all are contained within Temporary Internet Files. I believe that there are no discrepancies when the scan is run while the computer is offline.


----------



## Cheeseball81 (Mar 3, 2004)

*Click here* to download ATF Cleaner by Atribune and save it to your desktop.
Double-click *ATF-Cleaner.exe* to run the program.

Under *Main* choose: *Select All*

Click the *Empty Selected* button.
*If you use Firefox:*
Click *Firefox* at the top and choose: *Select All*

Click the *Empty Selected* button.

*NOTE:* If you would like to keep your saved passwords, please click *No* at the prompt.



*If you use Opera:*
Click *Opera* at the top and choose: *Select All*

Click the *Empty Selected* button.

*NOTE:* If you would like to keep your saved passwords, please click *No* at the prompt.



Click *Exit* on the Main menu to close the program.


Boot into *Safe Mode*.

KillBox the following:

*C:\WINDOWS\system32\ftpupd.exe
C:\WINDOWS\system32\eraseme_46116.exe*

Reboot to Normal Mode.

Run RootKitRevealer again and let us know the results.


----------



## OxfordBarney (Dec 14, 2004)

Hello Cheeseball81!!!
I've just spent the last two hours trying to do as you requested. I successfully downloaded ATF Cleaner and ran it. No problems. It deleted all the temp files. Then I went ahead and Killboxed those two files, deleted them from the Killbox backups, and emptied the Recycle Bin. I also killboxed the system32 dr32.exe and rm32.dll files that are now also triggering detections. I also re-deleted all of the earlier ones, some of which had re-appeared. Then I re-booted into normal mode.
Immediately, p.exe was back, and I know I had just KillBoxed that in Safe Mode. And then host.exe and myhost.exe of system32 made their appearance. I then ran RootkitRevealer as requested. 10 discrepancies were found. As before, as soon as I went to File - Save, RootkitRevealer locked. It's almost as if the viral script is coded to prevent its use. Coincidentally, I also couldn't save RootkitRevealer.exe to my desktop, since as soon as I clicked save after its download, a MedMan.exe detection appeared and made it hang. I could only run it immediately instead of saving it.
As I explained, I cannot save the results of the RootkitRevealer Scan, but I can read them to you (I am on a neighbouring computer). Of the 10 discrepancies, 3 are our friends host.exe, myhost.exe, and now rm32.dll of system32 directory. 6 are registry entries with data mismatches and inconsistent lengths. The 10th one I can't read now because the system finally moved to the saving stage, which produced a box which covered the results, which I can't move because of the hanging system.


----------
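
The two posts above describe the pattern that makes this cleanup fail to converge: host.exe, myhost.exe and p.exe in system32 are deleted in Safe Mode and are back after the next reboot, which is what a still-resident loader re-dropping its payload looks like. A check a responder wants at that point is a hashed before/after baseline of the folder, so that what comes back, and whether the copies are byte-identical, is recorded rather than inferred from antivirus pop-ups. The Python below is an added example, not code from the thread or from any of the tools it uses; it replays the symptom in a scratch folder with constructed stand-in files (the real target would be C:\WINDOWS\system32), and the helper names `snapshot`, `diff` and `duplicates` are mine.

```python
import hashlib
import tempfile
from pathlib import Path


def snapshot(folder):
    """Map lower-cased file name -> (size, sha256) for every regular file
    directly inside folder (System32 in the thread's case)."""
    snap = {}
    for p in Path(folder).iterdir():
        if p.is_file():
            digest = hashlib.sha256(p.read_bytes()).hexdigest()
            snap[p.name.lower()] = (p.stat().st_size, digest)
    return snap


def diff(before, after, watch=()):
    """Compare two snapshots.  'watch' lists names that were already deleted
    once; 'back' reports which of them have reappeared since 'before'."""
    watch = {w.lower() for w in watch}
    return {
        "added": sorted(n for n in after if n not in before),
        "removed": sorted(n for n in before if n not in after),
        "changed": sorted(n for n in after if n in before and after[n] != before[n]),
        "back": sorted(n for n in watch if n in after and n not in before),
    }


def duplicates(snap):
    """Group names that share a sha256: a dropper re-creating itself under
    several names (host.exe, myhost.exe, ...) shows up as one hash."""
    by_hash = {}
    for name, (_, digest) in snap.items():
        by_hash.setdefault(digest, []).append(name)
    return {h: sorted(names) for h, names in by_hash.items() if len(names) > 1}


def demo():
    """Replay the thread's symptom in a scratch folder with constructed
    files: delete the dropper, then have it come back under two names."""
    payload = b"constructed stand-in for the bot dropper"
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        (d / "kernel32.dll").write_bytes(b"constructed stand-in for a system file")
        (d / "host.exe").write_bytes(payload)
        baseline = snapshot(d)
        (d / "host.exe").unlink()                 # the KillBox step
        after_kill = snapshot(d)
        (d / "host.exe").write_bytes(payload)     # what the loader does after reboot
        (d / "myhost.exe").write_bytes(payload)
        after_reboot = snapshot(d)
        return {
            "kill": diff(baseline, after_kill, watch=["host.exe"]),
            "reboot": diff(after_kill, after_reboot, watch=["host.exe"]),
            "duplicates": duplicates(after_reboot),
        }


if __name__ == "__main__":
    result = demo()
    print("after KillBox:", result["kill"])
    print("after reboot: ", result["reboot"])
    for digest, names in result["duplicates"].items():
        print("identical bytes:", ", ".join(names), "sha256", digest[:16])
```

On the affected machine you would take `snapshot` of system32 before a KillBox run, again after it, and again after the reboot, writing each dict out (json.dump to removable media is enough, given how often the box hangs). A non-empty `back` list combined with identical hashes across the returning names says the names are interchangeable copies of one payload and that whatever writes them is still running, which is why deleting them one at a time cannot finish the job.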



## OxfordBarney (Dec 14, 2004)

Hi Cheeseball81. Is there any chance that we can work on this for a bit, as I am on Europe time and don't know if I can handle another late night? It's 9:30pm here now.


----------



## Cheeseball81 (Mar 3, 2004)

How many usernames (profiles) are on this system?


----------



## OxfordBarney (Dec 14, 2004)

Just Esfera and Administrator - two


----------



## Cheeseball81 (Mar 3, 2004)

Which account are you on right now?


----------



## OxfordBarney (Dec 14, 2004)

I'm on Esfera.


----------



## Cheeseball81 (Mar 3, 2004)

It also appears you are running *2* anti-virus programs at the same time. That can cause conflicts. I'd remove one of them a.s.a.p.

Please *RIGHT-CLICK HERE* to download Silent Runners.
Save it to the desktop.
Run Silent Runners by double-clicking the "Silent Runners" icon on your desktop.
You will receive a prompt:
*Do you want to skip supplementary searches?
click NO*

You will see a text file appear on the desktop - *it's not done, let it run (it won't appear to be doing anything!)*
Once you receive the prompt *All Done!*, open the text file on the desktop, copy that entire log, and paste it here.
*NOTE: If you receive any warning message about scripts, please choose to allow the script to run.*


----------



## OxfordBarney (Dec 14, 2004)

I've shut down Panda and kept AVG running. Is this adequate, or do I need to completely uninstall one?


----------



## Cheeseball81 (Mar 3, 2004)

I would uninstall it. You run the risk of them not playing nicely.

Do this along with Silent Runners:

Open Hijack This.
Click on *Open Misc Tools Section*
Make sure that both boxes beside "Generate StartupList Log" are checked:

*List all minor sections(Full)*
*List Empty Sections(Complete)*

Click *Generate StartupList Log*.
Click *Yes* at the prompt.
It will open a text file. Please copy the entire contents of that page and paste it here.


----------



## OxfordBarney (Dec 14, 2004)

I didn't want to uninstall AVG, since this was actively doing the detections and therefore apparently monitoring well, but I couldn't uninstall Panda Titanium due to some RPC inability. So I uninstalled AVG, and there was a small RPC error at the end of the uninstall, although it appeared to be successful. After uninstalling AVG, I re-booted. Of course the AVG detections are no longer happening. However, suddenly I am getting Ewido alarms concerning the following three items: ConHook, Look2Me, SmallBuy.
The above may be relevant, and I will now complete your instructions.


----------



## OxfordBarney (Dec 14, 2004)

I hate to say this but I think that AVG was accomplishing something. I have had to switch to another computer to make this communication because immediately after transmitting that last message, pop-ups started flying, my home page was switched to www.findthewebsiteyouneed.com, www.google.com was made a restricted site, etc., downloads were flying, hard-drive whizzing, etc.


----------



## OxfordBarney (Dec 14, 2004)

Is there something you can suggest before I switch my modem back to the compromised computer in question and attempt to complete your instructions?


----------



## OxfordBarney (Dec 14, 2004)

I'm going to have to call it a night - it's 11:30 pm here. I'll get back to the compromised computer tomorrow morning, see what you have to say through the night, and I'll get back to regaining control of the computer and executing your suggestions in the morning.


----------



## Cheeseball81 (Mar 3, 2004)

Please post a fresh HJT log in the morning. Along with the Silent Runners log and StartupList log.


----------



## Cookiegal (Aug 27, 2003)

*Click here* to download CWShredder.

Now boot to safe mode, close all browser windows, open cwshredder.exe then click *Fix* and let it run.

Then restart your computer.


----------



## OxfordBarney (Dec 14, 2004)

OK - thank you for that. I'll execute your instructions one at a time. First, here's the Silent Runners log.

"Silent Runners.vbs", revision 44, http://www.silentrunners.org/
Operating System: Windows XP
Output limited to non-default values, except where indicated by "{++}"

Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"CTFMON.EXE" = "C:\WINDOWS\System32\ctfmon.exe" [MS]
"MSMSGS" = ""C:\Archivos de programa\Messenger\msmsgs.exe" /background" [MS]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"SoundMan" = "SOUNDMAN.EXE" ["Avance Logic, Inc."]
"SiSUSBRG" = "C:\WINDOWS\sisUSBrg.exe" ["Silicon Integrated Systems Corp."]
"CPATR10" = "C:\ARCHIV~1\EzButton\CPATR10.EXE" ["Dritek System Inc."]
"SynTPLpr" = "C:\Archivos de programa\Synaptics\SynTP\SynTPLpr.exe" ["Synaptics, Inc."]
"SynTPEnh" = "C:\Archivos de programa\Synaptics\SynTP\SynTPEnh.exe" ["Synaptics, Inc."]
"SiS Tray" = "C:\WINDOWS\System32\sistray.EXE" ["Silicon Integrated Systems Corporation"]
"SiS KHooker" = "C:\WINDOWS\System32\khooker.exe" ["Silicon Integrated Systems Corporation"]
"AdaptecDirectCD" = ""C:\Archivos de programa\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"" ["Roxio"]
"APVXDWIN" = ""C:\Archivos de programa\Panda Software\Panda Antivirus Titanium\APVXDWIN.EXE" /s" ["Panda Software International"]
"LTSMMSG" = "LTSMMSG.exe" ["Lucent Technologies"]
"Share-to-Web Namespace Daemon" = "C:\Archivos de programa\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" ["Hewlett-Packard"]
"CamMonitor" = "C:\Archivos de programa\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe" [empty string]
"CnxDslTaskBar" = "C:\Archivos de programa\STA Kit ADSL\CnxDslTb.exe" ["Conexant Systems Inc."]
"libmm" = "rundll32.exe C:\WINDOWS\System32\libmm.dll,start" [MS]
"keyboard" = "C:\windows\keyboard4.exe" ["."]
"mousepad" = "C:\windows\mousepad4.exe" ["ÄÂÃÌÀ"]
"newname" = "C:\windows\newname4.exe" ["mudes"]

HKLM\Software\Microsoft\Active Setup\Installed Components\
{306D6C21-C1B6-4629-986C-E59E1875B8AF}\(Default) = (no title provided)
\StubPath = ""C:\WINDOWS\System32\rundll32.exe" "C:\Archivos de programa\Messenger\msgsc.dll",ShowIconsUser" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{20D57A66-F7DF-467d-907B-9B7F4A118AB7}\(Default) = (no title provided)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINDOWS\System32\mllif.dll" [null data]
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\ARCHIV~1\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"]
{6001CDF7-6F45-471b-A203-0225615E35A7}\(Default) = (no title provided)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINDOWS\DH.dll" [file not found]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Extensión de paneo de pantalla del Panel de control"
-> {HKLM...CLSID} = "Extensión de paneo de pantalla del Panel de control"
\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Extensión de icono de HyperTerminal"
-> {HKLM...CLSID} = "HyperTerminal Icon Ext"
\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{5E44E225-A408-11CF-B581-008029601108}" = "Adaptec DirectCD Shell Extension"
-> {HKLM...CLSID} = "Adaptec DirectCD Shell Extension"
\InProcServer32\(Default) = "C:\ARCHIV~1\Roxio\EASYCD~1\DirectCD\Shellex.dll" ["Roxio"]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"
-> {HKLM...CLSID} = "Extensión de iconos de archivo de Outlook"
\InProcServer32\(Default) = "C:\Archivos de programa\Microsoft Office\Office10\OLKFSTUB.DLL" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Archivos de programa\Microsoft Office\Office10\msohev.dll" [MS]
"{65756541-C65C-11CD-0000-4B656E696100}" = "Panda Antivirus"
-> {HKLM...CLSID} = "Panda Antivirus"
\InProcServer32\(Default) = "C:\Archivos de programa\Panda Software\Panda Antivirus Titanium\ShellTit.DLL" ["Panda Software International"]
"{A4DF5659-0801-4A60-9607-1C48695EFDA9}" = "Carpeta de carga de Share-to-Web"
-> {HKLM...CLSID} = "Carpeta de carga de Share-to-Web"
\InProcServer32\(Default) = "C:\Archivos de programa\Hewlett-Packard\HP Share-to-Web\HPGS2WNS.DLL" ["Hewlett-Packard"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
INFECTION WARNING! "{54D9498B-CF93-414F-8984-8CE7FDE0D391}" = "ewido shell guard"
-> {HKLM...CLSID} = "CShellExecuteHookImpl Object"
\InProcServer32\(Default) = "C:\Archivos de programa\ewido anti-malware\shellhook.dll" ["TODO: <Firmenname>"]
INFECTION WARNING! "{20D57A66-F7DF-467d-907B-9B7F4A118AB7}" = "*a" (unwritable string)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINDOWS\System32\mllif.dll" [null data]

HKLM\System\CurrentControlSet\Control\Session Manager\
INFECTION WARNING! "BootExecute" = "autocheck autochk * SsiEfr.e" [file not found], [MS], [file not found], [file not found]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
INFECTION WARNING! mllif\DLLName = "mllif.dll" [null data]
INFECTION WARNING! WRNotifier\DLLName = "WRLogonNTF.dll" ["Webroot Software, Inc."]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
ewido\(Default) = "{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}"
-> {HKLM...CLSID} = "Ctest Object"
\InProcServer32\(Default) = "C:\Archivos de programa\ewido anti-malware\context.dll" ["ewido networks"]
Panda Antivirus\(Default) = "{65756541-C65C-11CD-0000-4B656E696100}"
-> {HKLM...CLSID} = "Panda Antivirus"
\InProcServer32\(Default) = "C:\Archivos de programa\Panda Software\Panda Antivirus Titanium\ShellTit.DLL" ["Panda Software International"]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
ewido\(Default) = "{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}"
-> {HKLM...CLSID} = "Ctest Object"
\InProcServer32\(Default) = "C:\Archivos de programa\ewido anti-malware\context.dll" ["ewido networks"]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
Panda Antivirus\(Default) = "{65756541-C65C-11CD-0000-4B656E696100}"
-> {HKLM...CLSID} = "Panda Antivirus"
\InProcServer32\(Default) = "C:\Archivos de programa\Panda Software\Panda Antivirus Titanium\ShellTit.DLL" ["Panda Software International"]

Active Desktop and Wallpaper:
-----------------------------

Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\Esfera\Configuración local\Datos de programa\Microsoft\Wallpaper1.bmp"

Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINDOWS\System32\logon.scr" [MS]

Startup items in "Esfera" & "All Users" startup folders:
--------------------------------------------------------

C:\Documents and Settings\All Users\Menú Inicio\Programas\Inicio
"Microsoft Office" -> shortcut to: "C:\Archivos de programa\Microsoft Office\Office10\OSA.EXE -b -l" [MS]

Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 31
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05

Miscellaneous IE Hijack Points
------------------------------

C:\WINDOWS\INF\IERESET.INF (used to "Reset Web Settings")

Added lines (compared with English-language version):
[Strings]: START_PAGE_URL=http://www.beep.es/

Missing lines (compared with English-language version):
[Strings]: 1 line

Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

ewido security suite control, ewido security suite control, "C:\Archivos de programa\ewido anti-malware\ewidoctrl.exe" ["ewido networks"]
ewido security suite guard, ewido security suite guard, "C:\Archivos de programa\ewido anti-malware\ewidoguard.exe" ["ewido networks"]
Panda anti-virus service, PAVSRV, "C:\Archivos de programa\Panda Software\Panda Antivirus Titanium\Pavsrv51.exe" ["Panda Software"]

----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives
took 67 seconds.
+ The search for all Registry CLSIDs containing dormant Explorer Bars
took 22 seconds.
---------- (total run time: 275 seconds)


----------



## OxfordBarney (Dec 14, 2004)

Here's the StartupList log. It's too long to post, and so I have attached it as an attachment.


----------



## OxfordBarney (Dec 14, 2004)

Here's the HijackThis log. All of these logs have been produced before running CWShredder. Once I post this log, I will run CWShredder and re-post.

Logfile of HijackThis v1.99.1
Scan saved at 8:07:22, on 22/03/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Archivos de programa\ewido anti-malware\ewidoctrl.exe
C:\Archivos de programa\ewido anti-malware\ewidoguard.exe
C:\Archivos de programa\Panda Software\Panda Antivirus Titanium\Pavsrv51.exe
C:\Archivos de programa\Panda Software\Panda Antivirus Titanium\AVENGINE.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\ARCHIV~1\EzButton\CPATR10.EXE
C:\Archivos de programa\Synaptics\SynTP\SynTPLpr.exe
C:\Archivos de programa\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\System32\sistray.EXE
C:\WINDOWS\System32\khooker.exe
C:\Archivos de programa\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Archivos de programa\Panda Software\Panda Antivirus Titanium\APVXDWIN.EXE
C:\WINDOWS\LTSMMSG.exe
C:\Archivos de programa\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Archivos de programa\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\Archivos de programa\STA Kit ADSL\CnxDslTb.exe
C:\WINDOWS\System32\rundll32.exe
C:\Archivos de programa\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Archivos de programa\Panda Software\Panda Antivirus Titanium\pavProxy.exe
C:\windows\mousepad4.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Archivos de programa\Messenger\msmsgs.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Archivos de programa\Internet Explorer\iexplore.exe
C:\Documents and Settings\Esfera\Escritorio\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.findthewebsiteyouneed.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.beep.es/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
O2 - BHO: (no name) - {20D57A66-F7DF-467d-907B-9B7F4A118AB7} - C:\WINDOWS\System32\mllif.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\ARCHIV~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {6001CDF7-6F45-471b-A203-0225615E35A7} - C:\WINDOWS\DH.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\sisUSBrg.exe
O4 - HKLM\..\Run: [CPATR10] C:\ARCHIV~1\EzButton\CPATR10.EXE
O4 - HKLM\..\Run: [SynTPLpr] C:\Archivos de programa\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Archivos de programa\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SiS Tray] C:\WINDOWS\System32\sistray.EXE
O4 - HKLM\..\Run: [SiS KHooker] C:\WINDOWS\System32\khooker.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Archivos de programa\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [APVXDWIN] "C:\Archivos de programa\Panda Software\Panda Antivirus Titanium\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [LTSMMSG] LTSMMSG.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Archivos de programa\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [CamMonitor] C:\Archivos de programa\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [CnxDslTaskBar] C:\Archivos de programa\STA Kit ADSL\CnxDslTb.exe
O4 - HKLM\..\Run: [libmm] rundll32.exe C:\WINDOWS\System32\libmm.dll,start
O4 - HKLM\..\Run: [keyboard] C:\windows\keyboard4.exe
O4 - HKLM\..\Run: [mousepad] C:\windows\mousepad4.exe
O4 - HKLM\..\Run: [newname] C:\windows\newname4.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Archivos de programa\Messenger\msmsgs.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Archivos de programa\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\ARCHIV~1\MICROS~2\Office10\EXCEL.EXE/3000
O14 - IERESET.INF: START_PAGE_URL=http://www.beep.es/
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{D6E7F14B-578C-42DC-B427-468EAE38916F}: NameServer = 194.158.64.9 194.158.64.10
O17 - HKLM\System\CCS\Services\Tcpip\..\{F3EA66DF-AE4D-4865-8F7F-FF7A7CB59334}: NameServer = 194.158.88.2,194.158.64.7
O20 - Winlogon Notify: mllif - C:\WINDOWS\SYSTEM32\mllif.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: ewido security suite control - ewido networks - C:\Archivos de programa\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Archivos de programa\ewido anti-malware\ewidoguard.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software - C:\Archivos de programa\Panda Software\Panda Antivirus Titanium\Pavsrv51.exe
O23 - Service: TZZXJPPLMFAICFB - Sysinternals - www.sysinternals.com - C:\DOCUME~1\Esfera\CONFIG~1\Temp\TZZXJPPLMFAICFB.exe
O23 - Service: UWCCMFXRQPO - Sysinternals - www.sysinternals.com - C:\DOCUME~1\Esfera\CONFIG~1\Temp\UWCCMFXRQPO.exe
O23 - Service: VNKRUWT - Sysinternals - www.sysinternals.com - C:\DOCUME~1\Esfera\CONFIG~1\Temp\VNKRUWT.exe
O23 - Service: YAQUVZ - Sysinternals - www.sysinternals.com - C:\DOCUME~1\Esfera\CONFIG~1\Temp\YAQUVZ.exe
O23 - Service: ZXKWTMZMQLA - Sysinternals - www.sysinternals.com - C:\DOCUME~1\Esfera\CONFIG~1\Temp\ZXKWTMZMQLA.exe


----------



## OxfordBarney (Dec 14, 2004)

I ran CWShredder. That solved some of the browser problems. Ewido continues to throw up alerts for ConHook and the others mentioned earlier: mllif.dll, nnnnn.dll and many other Ewido file alerts. There is constant bandwidth activity, mostly data being sent across the modem, and rundll32.exe is the constant and most active process.

Here's the post-CWShredder HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 9:00:20, on 22/03/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Archivos de programa\ewido anti-malware\ewidoctrl.exe
C:\Archivos de programa\ewido anti-malware\ewidoguard.exe
C:\Archivos de programa\Panda Software\Panda Antivirus Titanium\Pavsrv51.exe
C:\WINDOWS\System32\svchost.exe
C:\Archivos de programa\Panda Software\Panda Antivirus Titanium\AVENGINE.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\ARCHIV~1\EzButton\CPATR10.EXE
C:\Archivos de programa\Synaptics\SynTP\SynTPLpr.exe
C:\Archivos de programa\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\System32\sistray.EXE
C:\WINDOWS\System32\khooker.exe
C:\Archivos de programa\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Archivos de programa\Panda Software\Panda Antivirus Titanium\APVXDWIN.EXE
C:\WINDOWS\LTSMMSG.exe
C:\Archivos de programa\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Archivos de programa\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\Archivos de programa\STA Kit ADSL\CnxDslTb.exe
C:\WINDOWS\System32\rundll32.exe
C:\Archivos de programa\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\windows\mousepad4.exe
C:\Archivos de programa\Panda Software\Panda Antivirus Titanium\pavProxy.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Archivos de programa\Messenger\msmsgs.exe
C:\Archivos de programa\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Esfera\Escritorio\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.google.com/nwshp?hl=en&tab=wn&q=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.beep.es/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
O2 - BHO: (no name) - {20D57A66-F7DF-467d-907B-9B7F4A118AB7} - C:\WINDOWS\System32\mllif.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\ARCHIV~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {6001CDF7-6F45-471b-A203-0225615E35A7} - C:\WINDOWS\DH.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\sisUSBrg.exe
O4 - HKLM\..\Run: [CPATR10] C:\ARCHIV~1\EzButton\CPATR10.EXE
O4 - HKLM\..\Run: [SynTPLpr] C:\Archivos de programa\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Archivos de programa\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SiS Tray] C:\WINDOWS\System32\sistray.EXE
O4 - HKLM\..\Run: [SiS KHooker] C:\WINDOWS\System32\khooker.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Archivos de programa\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [APVXDWIN] "C:\Archivos de programa\Panda Software\Panda Antivirus Titanium\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [LTSMMSG] LTSMMSG.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Archivos de programa\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [CamMonitor] C:\Archivos de programa\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [CnxDslTaskBar] C:\Archivos de programa\STA Kit ADSL\CnxDslTb.exe
O4 - HKLM\..\Run: [libmm] rundll32.exe C:\WINDOWS\System32\libmm.dll,start
O4 - HKLM\..\Run: [keyboard] C:\windows\keyboard4.exe
O4 - HKLM\..\Run: [mousepad] C:\windows\mousepad4.exe
O4 - HKLM\..\Run: [newname] C:\windows\newname4.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Archivos de programa\Messenger\msmsgs.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Archivos de programa\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\ARCHIV~1\MICROS~2\Office10\EXCEL.EXE/3000
O14 - IERESET.INF: START_PAGE_URL=http://www.beep.es/
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{D6E7F14B-578C-42DC-B427-468EAE38916F}: NameServer = 194.158.64.9 194.158.64.10
O17 - HKLM\System\CCS\Services\Tcpip\..\{F3EA66DF-AE4D-4865-8F7F-FF7A7CB59334}: NameServer = 194.158.88.2,194.158.64.7
O20 - Winlogon Notify: mllif - C:\WINDOWS\SYSTEM32\mllif.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: ewido security suite control - ewido networks - C:\Archivos de programa\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Archivos de programa\ewido anti-malware\ewidoguard.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software - C:\Archivos de programa\Panda Software\Panda Antivirus Titanium\Pavsrv51.exe
O23 - Service: TZZXJPPLMFAICFB - Sysinternals - www.sysinternals.com - C:\DOCUME~1\Esfera\CONFIG~1\Temp\TZZXJPPLMFAICFB.exe
O23 - Service: UWCCMFXRQPO - Sysinternals - www.sysinternals.com - C:\DOCUME~1\Esfera\CONFIG~1\Temp\UWCCMFXRQPO.exe
O23 - Service: VNKRUWT - Sysinternals - www.sysinternals.com - C:\DOCUME~1\Esfera\CONFIG~1\Temp\VNKRUWT.exe
O23 - Service: YAQUVZ - Sysinternals - www.sysinternals.com - C:\DOCUME~1\Esfera\CONFIG~1\Temp\YAQUVZ.exe
O23 - Service: ZXKWTMZMQLA - Sysinternals - www.sysinternals.com - C:\DOCUME~1\Esfera\CONFIG~1\Temp\ZXKWTMZMQLA.exe


----------



## OxfordBarney (Dec 14, 2004)

The pop-ups that continue to be active are ad.bannerconnect.net ads.


----------



## OxfordBarney (Dec 14, 2004)

And here's the post-CWShredder Silent Runners log:

"Silent Runners.vbs", revision 44, http://www.silentrunners.org/
Operating System: Windows XP
Output limited to non-default values, except where indicated by "{++}"

Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"CTFMON.EXE" = "C:\WINDOWS\System32\ctfmon.exe" [MS]
"MSMSGS" = ""C:\Archivos de programa\Messenger\msmsgs.exe" /background" [MS]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"SoundMan" = "SOUNDMAN.EXE" ["Avance Logic, Inc."]
"SiSUSBRG" = "C:\WINDOWS\sisUSBrg.exe" ["Silicon Integrated Systems Corp."]
"CPATR10" = "C:\ARCHIV~1\EzButton\CPATR10.EXE" ["Dritek System Inc."]
"SynTPLpr" = "C:\Archivos de programa\Synaptics\SynTP\SynTPLpr.exe" ["Synaptics, Inc."]
"SynTPEnh" = "C:\Archivos de programa\Synaptics\SynTP\SynTPEnh.exe" ["Synaptics, Inc."]
"SiS Tray" = "C:\WINDOWS\System32\sistray.EXE" ["Silicon Integrated Systems Corporation"]
"SiS KHooker" = "C:\WINDOWS\System32\khooker.exe" ["Silicon Integrated Systems Corporation"]
"AdaptecDirectCD" = ""C:\Archivos de programa\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"" ["Roxio"]
"APVXDWIN" = ""C:\Archivos de programa\Panda Software\Panda Antivirus Titanium\APVXDWIN.EXE" /s" ["Panda Software International"]
"LTSMMSG" = "LTSMMSG.exe" ["Lucent Technologies"]
"Share-to-Web Namespace Daemon" = "C:\Archivos de programa\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" ["Hewlett-Packard"]
"CamMonitor" = "C:\Archivos de programa\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe" [empty string]
"CnxDslTaskBar" = "C:\Archivos de programa\STA Kit ADSL\CnxDslTb.exe" ["Conexant Systems Inc."]
"libmm" = "rundll32.exe C:\WINDOWS\System32\libmm.dll,start" [MS]
"keyboard" = "C:\windows\keyboard4.exe" ["."]
"mousepad" = "C:\windows\mousepad4.exe" ["ÄÂÃÌÀ"]
"newname" = "C:\windows\newname4.exe" ["mudes"]

HKLM\Software\Microsoft\Active Setup\Installed Components\
{306D6C21-C1B6-4629-986C-E59E1875B8AF}\(Default) = (no title provided)
\StubPath = ""C:\WINDOWS\System32\rundll32.exe" "C:\Archivos de programa\Messenger\msgsc.dll",ShowIconsUser" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{20D57A66-F7DF-467d-907B-9B7F4A118AB7}\(Default) = (no title provided)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINDOWS\System32\mllif.dll" [null data]
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\ARCHIV~1\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"]
{6001CDF7-6F45-471b-A203-0225615E35A7}\(Default) = (no title provided)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINDOWS\DH.dll" [file not found]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Extensión de paneo de pantalla del Panel de control"
-> {HKLM...CLSID} = "Extensión de paneo de pantalla del Panel de control"
\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Extensión de icono de HyperTerminal"
-> {HKLM...CLSID} = "HyperTerminal Icon Ext"
\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{5E44E225-A408-11CF-B581-008029601108}" = "Adaptec DirectCD Shell Extension"
-> {HKLM...CLSID} = "Adaptec DirectCD Shell Extension"
\InProcServer32\(Default) = "C:\ARCHIV~1\Roxio\EASYCD~1\DirectCD\Shellex.dll" ["Roxio"]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"
-> {HKLM...CLSID} = "Extensión de iconos de archivo de Outlook"
\InProcServer32\(Default) = "C:\Archivos de programa\Microsoft Office\Office10\OLKFSTUB.DLL" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Archivos de programa\Microsoft Office\Office10\msohev.dll" [MS]
"{65756541-C65C-11CD-0000-4B656E696100}" = "Panda Antivirus"
-> {HKLM...CLSID} = "Panda Antivirus"
\InProcServer32\(Default) = "C:\Archivos de programa\Panda Software\Panda Antivirus Titanium\ShellTit.DLL" ["Panda Software International"]
"{A4DF5659-0801-4A60-9607-1C48695EFDA9}" = "Carpeta de carga de Share-to-Web"
-> {HKLM...CLSID} = "Carpeta de carga de Share-to-Web"
\InProcServer32\(Default) = "C:\Archivos de programa\Hewlett-Packard\HP Share-to-Web\HPGS2WNS.DLL" ["Hewlett-Packard"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
INFECTION WARNING! "{54D9498B-CF93-414F-8984-8CE7FDE0D391}" = "ewido shell guard"
-> {HKLM...CLSID} = "CShellExecuteHookImpl Object"
\InProcServer32\(Default) = "C:\Archivos de programa\ewido anti-malware\shellhook.dll" ["TODO: <Firmenname>"]
INFECTION WARNING! "{20D57A66-F7DF-467d-907B-9B7F4A118AB7}" = "*Z" (unwritable string)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINDOWS\System32\mllif.dll" [null data]

HKLM\System\CurrentControlSet\Control\Session Manager\
INFECTION WARNING! "BootExecute" = "autocheck autochk * SsiEfr.e" [file not found], [MS], [file not found], [file not found]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
INFECTION WARNING! mllif\DLLName = "mllif.dll" [null data]
INFECTION WARNING! WRNotifier\DLLName = "WRLogonNTF.dll" ["Webroot Software, Inc."]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
ewido\(Default) = "{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}"
-> {HKLM...CLSID} = "Ctest Object"
\InProcServer32\(Default) = "C:\Archivos de programa\ewido anti-malware\context.dll" ["ewido networks"]
Panda Antivirus\(Default) = "{65756541-C65C-11CD-0000-4B656E696100}"
-> {HKLM...CLSID} = "Panda Antivirus"
\InProcServer32\(Default) = "C:\Archivos de programa\Panda Software\Panda Antivirus Titanium\ShellTit.DLL" ["Panda Software International"]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
ewido\(Default) = "{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}"
-> {HKLM...CLSID} = "Ctest Object"
\InProcServer32\(Default) = "C:\Archivos de programa\ewido anti-malware\context.dll" ["ewido networks"]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
Panda Antivirus\(Default) = "{65756541-C65C-11CD-0000-4B656E696100}"
-> {HKLM...CLSID} = "Panda Antivirus"
\InProcServer32\(Default) = "C:\Archivos de programa\Panda Software\Panda Antivirus Titanium\ShellTit.DLL" ["Panda Software International"]

Active Desktop and Wallpaper:
-----------------------------

Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\Esfera\Configuración local\Datos de programa\Microsoft\Wallpaper1.bmp"

Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINDOWS\System32\logon.scr" [MS]

Startup items in "Esfera" & "All Users" startup folders:
--------------------------------------------------------

C:\Documents and Settings\All Users\Menú Inicio\Programas\Inicio
"Microsoft Office" -> shortcut to: "C:\Archivos de programa\Microsoft Office\Office10\OSA.EXE -b -l" [MS]

Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 31
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05

Miscellaneous IE Hijack Points
------------------------------

C:\WINDOWS\INF\IERESET.INF (used to "Reset Web Settings")

Added lines (compared with English-language version):
[Strings]: START_PAGE_URL=http://www.beep.es/

Missing lines (compared with English-language version):
[Strings]: 1 line

Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

ewido security suite control, ewido security suite control, "C:\Archivos de programa\ewido anti-malware\ewidoctrl.exe" ["ewido networks"]
ewido security suite guard, ewido security suite guard, "C:\Archivos de programa\ewido anti-malware\ewidoguard.exe" ["ewido networks"]
Panda anti-virus service, PAVSRV, "C:\Archivos de programa\Panda Software\Panda Antivirus Titanium\Pavsrv51.exe" ["Panda Software"]

----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives
took 68 seconds.
+ The search for all Registry CLSIDs containing dormant Explorer Bars
took 20 seconds.
---------- (total run time: 266 seconds)


----------



## OxfordBarney (Dec 14, 2004)

I ran RootkitRevealer and it showed no discrepancies. When I first double-clicked the icon to run it, a Panda alert was triggered at the same time as an Ewido alert. The Panda alert described Blaster and the file msblast.exe (going only from my memory of the file name).


----------



## Cheeseball81 (Mar 3, 2004)

Rescan with Hijack This.
Close all browser windows except Hijack This.
Put a check mark beside these entries and click "Fix Checked".

*O2 - BHO: (no name) - {20D57A66-F7DF-467d-907B-9B7F4A118AB7} - C:\WINDOWS\System32\mllif.dll

O2 - BHO: (no name) - {6001CDF7-6F45-471b-A203-0225615E35A7} - C:\WINDOWS\DH.dll (file missing)

O4 - HKLM\..\Run: [libmm] rundll32.exe C:\WINDOWS\System32\libmm.dll,start

O4 - HKLM\..\Run: [keyboard] C:\windows\keyboard4.exe

O4 - HKLM\..\Run: [mousepad] C:\windows\mousepad4.exe

O4 - HKLM\..\Run: [newname] C:\windows\newname4.exe

O20 - Winlogon Notify: mllif - C:\WINDOWS\SYSTEM32\mllif.dll*

Exit Hijack This.

Double-click on Killbox.exe to run it.
Put a tick by *Delete on Reboot*.
Copy the following files to clipboard by highlighting it and pressing CTRL + C (or, after highlighting, right-click and choose copy):

*C:\WINDOWS\System32\libmm.dll
C:\windows\keyboard4.exe
C:\windows\mousepad4.exe
C:\windows\newname4.exe
C:\WINDOWS\System32\mllif.dll
C:\WINDOWS\DH.dll*

Next in Killbox go to File > Paste from clipboard
Click on the *All Files *button.
Next click on the button that has the red circle with the white X in the middle.
It will ask for confirmation to delete the files on next reboot and ask you if you want to reboot now.
Click *Yes* and let the computer reboot.

Post a new Hijack This log.


----------
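Cheeseball81's list above is a hand triage of the HijackThis log. As an added example that is not code from the thread or from HijackThis, the script below applies the same judgement automatically to a few lines copied from the 22/03/2006 08:07 log: Vundo-style random five-letter DLLs in the BHO and Winlogon Notify slots, a Run entry that starts a DLL through rundll32, a stale "(file missing)" BHO, and services whose binary runs from a Temp directory. The rule names, the `Finding` class and the "fix"/"review" split are my own.

```python
"""Heuristic triage of HijackThis log lines (added example; not HijackThis code)."""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# Test fixture: lines copied from the 22/03/2006 08:07 HijackThis log in this thread.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {20D57A66-F7DF-467d-907B-9B7F4A118AB7} - C:\WINDOWS\System32\mllif.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\ARCHIV~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {6001CDF7-6F45-471b-A203-0225615E35A7} - C:\WINDOWS\DH.dll (file missing)
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [libmm] rundll32.exe C:\WINDOWS\System32\libmm.dll,start
O4 - HKCU\..\Run: [MSMSGS] "C:\Archivos de programa\Messenger\msmsgs.exe" /background
O20 - Winlogon Notify: mllif - C:\WINDOWS\SYSTEM32\mllif.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software - C:\Archivos de programa\Panda Software\Panda Antivirus Titanium\Pavsrv51.exe
O23 - Service: VNKRUWT - Sysinternals - www.sysinternals.com - C:\DOCUME~1\Esfera\CONFIG~1\Temp\VNKRUWT.exe
"""

SECTION_RE = re.compile(r"^(O\d+|R\d) - (.*)$")
# First drive-rooted path ending in .exe/.dll; the paths in this log contain spaces.
PATH_RE = re.compile(r"[A-Za-z]:\\.+?\.(?:exe|dll)\b", re.IGNORECASE)
# Vundo/ConHook naming seen in this thread (mllif, fccdd, urqnm): five lowercase letters.
RANDOM_DLL_RE = re.compile(r"^[a-z]{5}\.dll$")
TEMP_DIR_RE = re.compile(r"\\Temp\\", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    section: str  # HijackThis section tag, e.g. "O23"
    path: str     # file the entry points at ("" if the line names no path)
    reason: str
    action: str   # "fix": remove entry and file; "review": needs a human decision


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1]


def triage_line(line: str) -> Optional[Finding]:
    """Apply the rules the helper applied by hand to one HijackThis line."""
    m = SECTION_RE.match(line.strip())
    if not m:
        return None
    section, body = m.groups()
    pm = PATH_RE.search(body)
    path = pm.group(0) if pm else ""
    name = _basename(path)

    if section == "O2":
        if body.endswith("(file missing)"):
            return Finding(section, path, "BHO registered for a file that no longer exists", "fix")
        if "(no name)" in body and RANDOM_DLL_RE.match(name):
            # Weak on its own (ntdll.dll also has five letters); in a BHO slot,
            # together with "[null data]" in the Silent Runners output, it is decisive.
            return Finding(section, path, "unnamed BHO backed by a random five-letter DLL", "fix")
    elif section == "O4":
        if "rundll32" in body.lower() and name.lower().endswith(".dll"):
            return Finding(section, path, "Run key starts a DLL through rundll32", "fix")
    elif section == "O20":
        if RANDOM_DLL_RE.match(name):
            return Finding(section, path, "Winlogon Notify DLL with a random five-letter name", "fix")
    elif section == "O23":
        if TEMP_DIR_RE.search(path):
            # The vendor text in an O23 line is self-declared, so a service in Temp is
            # a review item, not an automatic deletion: RootkitRevealer had just been
            # run in this thread, and it registers a transient randomly named service.
            return Finding(section, path, "service binary runs from a Temp directory", "review")
    return None


def triage(log_text: str) -> list[Finding]:
    return [f for f in (triage_line(l) for l in log_text.splitlines()) if f]


def delete_on_reboot_list(findings: list[Finding]) -> list[str]:
    """Paths for a Killbox-style delete-on-reboot pass: 'fix' items only,
    deduplicated case-insensitively (the O2 and O20 lines spell System32
    differently), first spelling kept."""
    out: list[str] = []
    seen: set[str] = set()
    for f in findings:
        key = f.path.lower()
        if f.action == "fix" and f.path and key not in seen:
            seen.add(key)
            out.append(f.path)
    return out


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:<4}{f.action:<7}{f.path}  ({f.reason})")
    print("delete on reboot:", delete_on_reboot_list(triage(SAMPLE_LOG)))
```

The three *4.exe Run entries in the list still need a human eye: nothing in the HijackThis line itself distinguishes them, and it was the missing or garbage company strings in the Silent Runners output that gave them away.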



## OxfordBarney (Dec 14, 2004)

OK - I'm copying the clipboard into Killbox for delete on reboot. But the Killbox window only seems to hold five files at a time. The last file, DH.dll, isn't showing, and I don't want to go ahead without your confirmation in case we must kill them all at once.


----------



## Cheeseball81 (Mar 3, 2004)

DH.dll is probably already gone so you can skip that one. You could always do a manual search for it afterwards.


----------



## OxfordBarney (Dec 14, 2004)

OK, thanks - I've done as requested and here's the latest HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 19:35:10, on 22/03/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Archivos de programa\ewido anti-malware\ewidoctrl.exe
C:\Archivos de programa\ewido anti-malware\ewidoguard.exe
C:\Archivos de programa\Panda Software\Panda Antivirus Titanium\Pavsrv51.exe
C:\WINDOWS\System32\svchost.exe
C:\Archivos de programa\Panda Software\Panda Antivirus Titanium\AVENGINE.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\ARCHIV~1\EzButton\CPATR10.EXE
C:\Archivos de programa\Synaptics\SynTP\SynTPLpr.exe
C:\Archivos de programa\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\System32\sistray.EXE
C:\WINDOWS\System32\khooker.exe
C:\Archivos de programa\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Archivos de programa\Panda Software\Panda Antivirus Titanium\APVXDWIN.EXE
C:\WINDOWS\LTSMMSG.exe
C:\Archivos de programa\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Archivos de programa\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\Archivos de programa\STA Kit ADSL\CnxDslTb.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Archivos de programa\Messenger\msmsgs.exe
C:\Archivos de programa\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Archivos de programa\Panda Software\Panda Antivirus Titanium\pavProxy.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Archivos de programa\Internet Explorer\iexplore.exe
C:\Documents and Settings\Esfera\Escritorio\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.google.com/nwshp?hl=en&tab=wn&q=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.beep.es/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
O2 - BHO: DosSpecFolder Object - {3E1BEA96-02D9-4992-B508-9B51819D9D86} - C:\WINDOWS\System32\fccdd.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\ARCHIV~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\sisUSBrg.exe
O4 - HKLM\..\Run: [CPATR10] C:\ARCHIV~1\EzButton\CPATR10.EXE
O4 - HKLM\..\Run: [SynTPLpr] C:\Archivos de programa\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Archivos de programa\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SiS Tray] C:\WINDOWS\System32\sistray.EXE
O4 - HKLM\..\Run: [SiS KHooker] C:\WINDOWS\System32\khooker.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Archivos de programa\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [APVXDWIN] "C:\Archivos de programa\Panda Software\Panda Antivirus Titanium\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [LTSMMSG] LTSMMSG.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Archivos de programa\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [CamMonitor] C:\Archivos de programa\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [CnxDslTaskBar] C:\Archivos de programa\STA Kit ADSL\CnxDslTb.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Archivos de programa\Messenger\msmsgs.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Archivos de programa\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\ARCHIV~1\MICROS~2\Office10\EXCEL.EXE/3000
O14 - IERESET.INF: START_PAGE_URL=http://www.beep.es/
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{D6E7F14B-578C-42DC-B427-468EAE38916F}: NameServer = 194.158.64.9 194.158.64.10
O17 - HKLM\System\CCS\Services\Tcpip\..\{F3EA66DF-AE4D-4865-8F7F-FF7A7CB59334}: NameServer = 194.158.88.2,194.158.64.7
O20 - Winlogon Notify: fccdd - C:\WINDOWS\System32\fccdd.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: ewido security suite control - ewido networks - C:\Archivos de programa\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Archivos de programa\ewido anti-malware\ewidoguard.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software - C:\Archivos de programa\Panda Software\Panda Antivirus Titanium\Pavsrv51.exe
O23 - Service: TZZXJPPLMFAICFB - Sysinternals - www.sysinternals.com - C:\DOCUME~1\Esfera\CONFIG~1\Temp\TZZXJPPLMFAICFB.exe
O23 - Service: UWCCMFXRQPO - Sysinternals - www.sysinternals.com - C:\DOCUME~1\Esfera\CONFIG~1\Temp\UWCCMFXRQPO.exe
O23 - Service: VNKRUWT - Sysinternals - www.sysinternals.com - C:\DOCUME~1\Esfera\CONFIG~1\Temp\VNKRUWT.exe
O23 - Service: YAQUVZ - Sysinternals - www.sysinternals.com - C:\DOCUME~1\Esfera\CONFIG~1\Temp\YAQUVZ.exe
O23 - Service: ZXKWTMZMQLA - Sysinternals - www.sysinternals.com - C:\DOCUME~1\Esfera\CONFIG~1\Temp\ZXKWTMZMQLA.exe


----------



## Cheeseball81 (Mar 3, 2004)

Download and run *VundoFix*: http://www.atribune.org/ccount/click.php?id=4
Double-click *VundoFix.exe* to run it.
Put a check next to *Run VundoFix as a task*.
You will receive a message saying vundofix will close and re-open in a minute or less. Click *OK*.
When VundoFix re-opens, click the *Scan for Vundo* button.
Once it's done scanning, click the *Remove Vundo* button.
You will receive a prompt asking if you want to remove the files, click *YES*.
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will shutdown your computer, click *OK*.
Turn your computer back on.
Please post the contents of *C:\vundofix.txt* and a new HijackThis log.


----------



## OxfordBarney (Dec 14, 2004)

After doing this I am still getting Ewido alarms for ConHook - rm32.dll, a file simply called .exe, something similar to fcaxx.exe, all in system32.
Here are the Vundofix text contents:


VundoFix V4.2.35

Checking Java version...

Sun Java not detected
Scan started at 19:48:15 22/03/2006

Listing files found while scanning....

C:\WINDOWS\System32\urqnm.dll
C:\WINDOWS\System32\urqnm.dll

C:\WINDOWS\system32\ddccf.bak1
C:\WINDOWS\system32\ddccf.ini
C:\WINDOWS\system32\fccdd.dll
Attempting to delete C:\WINDOWS\System32\urqnm.dll
C:\WINDOWS\System32\urqnm.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\ddccf.bak1
C:\WINDOWS\system32\ddccf.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\system32\ddccf.ini
C:\WINDOWS\system32\ddccf.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\fccdd.dll
C:\WINDOWS\system32\fccdd.dll Has been deleted!

Performing Repairs to the registry.
Done!


----------



## Cheeseball81 (Mar 3, 2004)

Download and install Java Runtime Environment Version 5.0 Update 6 here: http://java.com/en/download/windows_ie.jsp

Post a new Hijack This log.


----------



## OxfordBarney (Dec 14, 2004)

Many thanks. OK - I installed the Java Runtime Environment and re-started. I am still getting Ewido alerts for fccax.dll Downloader.ConHook.y and Small.eo. Also, when I re-start, a DOS box is still appearing which says simply cmd.exe, which then disappears. There is still constant activity over my modem, with twice as many bytes being sent as received (about 2Mb per minute is being sent). It is constant. When I shut down, rundll32.exe also needs to finalize - what is that doing?

Here is my hijackthis log:

Logfile of HijackThis v1.99.1
Scan saved at 22:51:23, on 22/03/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Archivos de programa\ewido anti-malware\ewidoctrl.exe
C:\Archivos de programa\ewido anti-malware\ewidoguard.exe
C:\Archivos de programa\Panda Software\Panda Antivirus Titanium\Pavsrv51.exe
C:\Archivos de programa\Panda Software\Panda Antivirus Titanium\AVENGINE.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\ARCHIV~1\EzButton\CPATR10.EXE
C:\Archivos de programa\Synaptics\SynTP\SynTPLpr.exe
C:\Archivos de programa\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\System32\sistray.EXE
C:\WINDOWS\System32\khooker.exe
C:\Archivos de programa\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Archivos de programa\Panda Software\Panda Antivirus Titanium\APVXDWIN.EXE
C:\WINDOWS\LTSMMSG.exe
C:\Archivos de programa\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Archivos de programa\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\Archivos de programa\STA Kit ADSL\CnxDslTb.exe
C:\Archivos de programa\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\WINDOWS\System32\rundll32.exe
C:\Archivos de programa\Panda Software\Panda Antivirus Titanium\pavProxy.exe
C:\Archivos de programa\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Archivos de programa\Messenger\msmsgs.exe
C:\Archivos de programa\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Esfera\Escritorio\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.google.com/nwshp?hl=en&tab=wn&q=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.beep.es/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
O2 - BHO: (no name) - {20D57A66-F7DF-467d-907B-9B7F4A118AB7} - C:\WINDOWS\System32\fccax.dll
O2 - BHO: DosSpecFolder Object - {3E1BEA96-02D9-4992-B508-9B51819D9D86} - C:\WINDOWS\System32\fccdd.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\ARCHIV~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Archivos de programa\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\sisUSBrg.exe
O4 - HKLM\..\Run: [CPATR10] C:\ARCHIV~1\EzButton\CPATR10.EXE
O4 - HKLM\..\Run: [SynTPLpr] C:\Archivos de programa\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Archivos de programa\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SiS Tray] C:\WINDOWS\System32\sistray.EXE
O4 - HKLM\..\Run: [SiS KHooker] C:\WINDOWS\System32\khooker.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Archivos de programa\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [APVXDWIN] "C:\Archivos de programa\Panda Software\Panda Antivirus Titanium\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [LTSMMSG] LTSMMSG.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Archivos de programa\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [CamMonitor] C:\Archivos de programa\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [CnxDslTaskBar] C:\Archivos de programa\STA Kit ADSL\CnxDslTb.exe
O4 - HKLM\..\Run: [libmm] rundll32.exe C:\WINDOWS\System32\libmm.dll,start
O4 - HKLM\..\Run: [newname] C:\windows\newname4.exe
O4 - HKLM\..\Run: [keyboard] C:\windows\keyboard4.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Archivos de programa\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Archivos de programa\Messenger\msmsgs.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Archivos de programa\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\ARCHIV~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Consola de Sun Java - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.5.0_06\bin\ssv.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.beep.es/
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{D6E7F14B-578C-42DC-B427-468EAE38916F}: NameServer = 194.158.64.9 194.158.64.10
O17 - HKLM\System\CCS\Services\Tcpip\..\{F3EA66DF-AE4D-4865-8F7F-FF7A7CB59334}: NameServer = 194.158.88.2,194.158.64.7
O20 - Winlogon Notify: fccax - C:\WINDOWS\SYSTEM32\fccax.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: ewido security suite control - ewido networks - C:\Archivos de programa\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Archivos de programa\ewido anti-malware\ewidoguard.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software - C:\Archivos de programa\Panda Software\Panda Antivirus Titanium\Pavsrv51.exe
O23 - Service: TZZXJPPLMFAICFB - Sysinternals - www.sysinternals.com - C:\DOCUME~1\Esfera\CONFIG~1\Temp\TZZXJPPLMFAICFB.exe
O23 - Service: UWCCMFXRQPO - Sysinternals - www.sysinternals.com - C:\DOCUME~1\Esfera\CONFIG~1\Temp\UWCCMFXRQPO.exe
O23 - Service: VNKRUWT - Sysinternals - www.sysinternals.com - C:\DOCUME~1\Esfera\CONFIG~1\Temp\VNKRUWT.exe
O23 - Service: YAQUVZ - Sysinternals - www.sysinternals.com - C:\DOCUME~1\Esfera\CONFIG~1\Temp\YAQUVZ.exe
O23 - Service: ZXKWTMZMQLA - Sysinternals - www.sysinternals.com - C:\DOCUME~1\Esfera\CONFIG~1\Temp\ZXKWTMZMQLA.exe


----------



## OxfordBarney (Dec 14, 2004)

Now an Ewido alert for vtuuu.dll also Downloader.ConHook.y.


----------



## OxfordBarney (Dec 14, 2004)

After leaving the computer and returning, it was completely jammed up but the modem activity was continuing non-stop. I had to restart it. Upon doing so the Ewido alert fccax.dll re-appeared, and an error appeared which said "The Instruction in 0x77f4234e Makes Reference to the Memory in 0x909006ef. The Memory Cannot Be Written. Click OK to Close the Program." As soon as I clicked OK the 60 second shutdown came on (which I aborted). In the time it took me to type this post, 10 Mb of data was sent over the modem, and 2 Mb was received. The modem is not even taking breaths.


----------



## Cheeseball81 (Mar 3, 2004)

I'm very concerned about why new things keep constantly appearing.

Please download *Webroot SpySweeper* from here: http://www.webroot.com/consumer/products/spysweeper/index.html?acode=af1&rc=4129

(It's a 2 week trial.)

* Click the Free Trial link under "SpySweeper" to download the program.
* Install it. Once the program is installed, it will open.
* It will prompt you to update to the latest definitions, click Yes.
* Once the definitions are installed, click Options on the left side.
* Click the Sweep Options tab.
* Under What to Sweep please put a check next to the following:
  * Sweep Memory
  * Sweep Registry
  * Sweep Cookies
  * Sweep All User Accounts
  * Enable Direct Disk Sweeping
  * Sweep Contents of Compressed Files
  * Sweep for Rootkits
  * Please UNCHECK Do not Sweep System Restore Folder.

* Click Sweep Now on the left side.
* Click the Start button.
* When it's done scanning, click the Next button.
* Make sure everything has a check next to it, then click the Next button.
* It will remove all of the items found.
* Click Session Log in the upper right corner, copy everything in that window.
* Click the Summary tab and click Finish.
* Paste the contents of the session log you copied into your next reply.

Also post a new Hijack This log.


----------



## OxfordBarney (Dec 14, 2004)

I ran Spysweeper and it located ConHook. However, it said that not all threats could be removed until the computer is re-started, and it asked if I want to re-start the computer. When I clicked Yes, it didn't re-start. I'm hoping that when I re-start manually, it will delete. The detections of fccax.dll stopped, but were replaced with detections of awvwx.dll, also ConHook. My concern is that fccax.dll morphed into awvwx.dll when an attempt was made to delete it, because the detections are of the same description (Downloader.ConHook.y) but the file name has changed. Also, the SpySweeper log doesn't mention awvwx.dll, and so it may not be deleted upon start-up since it may have been created as a copy of fccax.dll after the scan completed. If what I say above is true about the virus morphing to a new name after the scan and before the start-up deletion, perhaps we should shut off Ewido on the assumption that it had caused the virus to stall and therefore remain in use (maybe it was in use by Ewido). My concern is that if we shut off Ewido, the trojan will be able to run amok. Anyway, I will now re-boot, hope that the start-up kills it, and paste the hijackthis log. Here is the session log for SpySweeper:
********
0:01: | Start of Session, jueves, 23 de marzo de 2006 |
0:01: Spy Sweeper started
0:01: Sweep initiated using definitions version 639
0:01: Found Trojan Horse: trojan-downloader-conhook
0:01: HKCR\clsid\{20d57a66-f7df-467d-907b-9b7f4a118ab7}\inprocserver32\ (2 subtraces) (ID = 1190600)
0:01: fccax.dll (ID = 1190600)
0:01: Starting Memory Sweep
0:06: Memory Sweep Complete, Elapsed Time: 00:04:36
0:06: Starting Registry Sweep
0:06: Found Adware: dollarrevenue
0:06: HKLM\software\microsoft\drsmartload2\ (1 subtraces) (ID = 1134137)
0:06: HKCR\clsid\{20d57a66-f7df-467d-907b-9b7f4a118ab7}\ (3 subtraces) (ID = 1190599)
0:06: HKLM\software\classes\clsid\{20d57a66-f7df-467d-907b-9b7f4a118ab7}\ (3 subtraces) (ID = 1190601)
0:06: HKLM\software\microsoft\windows\currentversion\explorer\shellexecutehooks\ || {20d57a66-f7df-467d-907b-9b7f4a118ab7} (ID = 1190602)
0:06: Found Adware: findthewebsiteyouneed hijack
0:06: HKU\S-1-5-21-240936306-2413756436-2274281639-1005\software\microsoft\internet explorer\search\searchassistant explorer\main\ || default_search_url (ID = 555437)
0:06: Registry Sweep Complete, Elapsed Time:00:00:26
0:06: Starting Cookie Sweep
0:06: Found Spy Cookie: yieldmanager cookie
0:06: [email protected][2].txt (ID = 3751)
0:06: Found Spy Cookie: belnk cookie
0:06: [email protected][1].txt (ID = 2292)
0:06: [email protected][2].txt (ID = 2293)
0:06: Found Spy Cookie: server.iad.liveperson cookie
0:06: [email protected][2].txt (ID = 3341)
0:06: Found Spy Cookie: statcounter cookie
0:06: esfera[email protected][1].txt (ID = 3447)
0:06: Found Spy Cookie: tacoda cookie
0:06: [email protected][2].txt (ID = 6444)
0:06: Found Spy Cookie: myaffiliateprogram.com cookie
0:06: [email protected][1].txt (ID = 3032)
0:06: Cookie Sweep Complete, Elapsed Time: 00:00:05
0:06: Starting File Sweep
0:07: Found Adware: zquest
0:07: a0018357.dll (ID = 266849)
0:07: Found Trojan Horse: rbot
0:07: a0003101.exe (ID = 264408)
0:08: newfrn.exe (ID = 215816)
0:08: a0002090.exe (ID = 264408)
0:09: a0016267.exe (ID = 264408)
0:09: Found Adware: command
0:09: mte3ndi6odoxng.exe (ID = 185985)
0:10: a0002093.exe (ID = 264408)
0:10: dr140306.exe (ID = 267188)
0:10: a0003103.exe (ID = 264408)
0:20: drsmartload1.exe (ID = 245972)
0:20: a0016268.exe (ID = 264408)
0:20: Found Adware: targetsaver
0:20: vocabulary (ID = 78283)
0:20: class-barrel (ID = 78229)
0:21: a0001121.exe (ID = 264408)
0:23: Warning: Invalid Stream
0:23: Warning: File not found
0:24: File Sweep Complete, Elapsed Time: 00:17:12
0:24: Full Sweep has completed. Elapsed time 00:22:22
0:24: Traces Found: 37
0:29: Removal process initiated
0:29: Quarantining All Traces: rbot
0:29: Quarantining All Traces: dollarrevenue
0:29: Quarantining All Traces: trojan-downloader-conhook
0:29: trojan-downloader-conhook is in use. It will be removed on reboot.
0:29: fccax.dll is in use. It will be removed on reboot.
0:29: Quarantining All Traces: zquest
0:29: Quarantining All Traces: command
0:29: Quarantining All Traces: findthewebsiteyouneed hijack
0:29: Quarantining All Traces: targetsaver
0:29: Quarantining All Traces: belnk cookie
0:29: Quarantining All Traces: myaffiliateprogram.com cookie
0:29: Quarantining All Traces: server.iad.liveperson cookie
0:29: Quarantining All Traces: statcounter cookie
0:29: Quarantining All Traces: tacoda cookie
0:29: Quarantining All Traces: yieldmanager cookie
0:31: Preparing to restart your computer. Please wait...
0:31: Removal process completed. Elapsed time 00:01:38
********
23:58: | Start of Session, miércoles, 22 de marzo de 2006 |
23:58: Spy Sweeper started
23:59: Your spyware definitions have been updated.
0:01: | End of Session, jueves, 23 de marzo de 2006 |


----------



## OxfordBarney (Dec 14, 2004)

This is unbelievable. Upon start-up, SpySweeper reported the following, after I told it to block the various attempts:

Spy Sweeper will provide you with detailed information about the operations being performed in this area.
The Spy Communication shield has blocked access to: www.onli-ne.com
The Spy Communication shield has blocked access to: www.onli-ne.com
BHO Shield: found: -- BHO installation denied at user request
ActiveX Shield: found: Adware: zquest, version 1.0.0.0 -- Installation denied
Spy Installation Shield: found: Adware: command, version 1.0.0.0 -- Execution Denied
The Spy Communication shield has blocked access to: promo.dollarrevenue.com
The Spy Communication shield has blocked access to: promo.dollarrevenue.com
ActiveX Shield: found: Adware: zquest, version 1.0.0.0 -- Installation denied

Also, the modem is still pouring data both ways, Ewido has thrown up a new alert for a new file awtrq.dll, and my home page has again been switched to www.findthewebsiteyouneed.com.

Here's my latest hijackthis log:

Logfile of HijackThis v1.99.1
Scan saved at 1:09:24, on 23/03/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Archivos de programa\ewido anti-malware\ewidoctrl.exe
C:\Archivos de programa\ewido anti-malware\ewidoguard.exe
C:\Archivos de programa\Panda Software\Panda Antivirus Titanium\Pavsrv51.exe
C:\WINDOWS\System32\svchost.exe
C:\Archivos de programa\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Archivos de programa\Panda Software\Panda Antivirus Titanium\AVENGINE.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\ARCHIV~1\EzButton\CPATR10.EXE
C:\Archivos de programa\Synaptics\SynTP\SynTPLpr.exe
C:\Archivos de programa\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\System32\sistray.EXE
C:\WINDOWS\System32\khooker.exe
C:\Archivos de programa\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Archivos de programa\Panda Software\Panda Antivirus Titanium\APVXDWIN.EXE
C:\WINDOWS\LTSMMSG.exe
C:\Archivos de programa\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Archivos de programa\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\Archivos de programa\STA Kit ADSL\CnxDslTb.exe
C:\Archivos de programa\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\WINDOWS\System32\rundll32.exe
C:\Archivos de programa\Java\jre1.5.0_06\bin\jusched.exe
C:\Archivos de programa\Panda Software\Panda Antivirus Titanium\pavProxy.exe
C:\Archivos de programa\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Archivos de programa\Messenger\msmsgs.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Archivos de programa\Internet Explorer\iexplore.exe
C:\Documents and Settings\Esfera\Escritorio\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.findthewebsiteyouneed.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.beep.es/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
O2 - BHO: (no name) - {20D57A66-F7DF-467d-907B-9B7F4A118AB7} - C:\WINDOWS\System32\awtrq.dll
O2 - BHO: DosSpecFolder Object - {3E1BEA96-02D9-4992-B508-9B51819D9D86} - C:\WINDOWS\System32\fccdd.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\ARCHIV~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Archivos de programa\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\sisUSBrg.exe
O4 - HKLM\..\Run: [CPATR10] C:\ARCHIV~1\EzButton\CPATR10.EXE
O4 - HKLM\..\Run: [SynTPLpr] C:\Archivos de programa\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Archivos de programa\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SiS Tray] C:\WINDOWS\System32\sistray.EXE
O4 - HKLM\..\Run: [SiS KHooker] C:\WINDOWS\System32\khooker.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Archivos de programa\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [APVXDWIN] "C:\Archivos de programa\Panda Software\Panda Antivirus Titanium\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [LTSMMSG] LTSMMSG.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Archivos de programa\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [CamMonitor] C:\Archivos de programa\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [CnxDslTaskBar] C:\Archivos de programa\STA Kit ADSL\CnxDslTb.exe
O4 - HKLM\..\Run: [libmm] rundll32.exe C:\WINDOWS\System32\libmm.dll,start
O4 - HKLM\..\Run: [newname] C:\windows\newname4.exe
O4 - HKLM\..\Run: [keyboard] C:\windows\keyboard4.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Archivos de programa\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Archivos de programa\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Archivos de programa\Messenger\msmsgs.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Archivos de programa\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\ARCHIV~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Consola de Sun Java - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.5.0_06\bin\ssv.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.beep.es/
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{D6E7F14B-578C-42DC-B427-468EAE38916F}: NameServer = 194.158.64.9 194.158.64.10
O17 - HKLM\System\CCS\Services\Tcpip\..\{F3EA66DF-AE4D-4865-8F7F-FF7A7CB59334}: NameServer = 194.158.88.2,194.158.64.7
O20 - Winlogon Notify: awtrq - C:\WINDOWS\SYSTEM32\awtrq.dll
O20 - Winlogon Notify: fccax - fccax.dll (file missing)
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: ewido security suite control - ewido networks - C:\Archivos de programa\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Archivos de programa\ewido anti-malware\ewidoguard.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software - C:\Archivos de programa\Panda Software\Panda Antivirus Titanium\Pavsrv51.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Archivos de programa\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: TZZXJPPLMFAICFB - Sysinternals - www.sysinternals.com - C:\DOCUME~1\Esfera\CONFIG~1\Temp\TZZXJPPLMFAICFB.exe
O23 - Service: UWCCMFXRQPO - Sysinternals - www.sysinternals.com - C:\DOCUME~1\Esfera\CONFIG~1\Temp\UWCCMFXRQPO.exe
O23 - Service: VNKRUWT - Sysinternals - www.sysinternals.com - C:\DOCUME~1\Esfera\CONFIG~1\Temp\VNKRUWT.exe
O23 - Service: YAQUVZ - Sysinternals - www.sysinternals.com - C:\DOCUME~1\Esfera\CONFIG~1\Temp\YAQUVZ.exe
O23 - Service: ZXKWTMZMQLA - Sysinternals - www.sysinternals.com - C:\DOCUME~1\Esfera\CONFIG~1\Temp\ZXKWTMZMQLA.exe


----------



## Cheeseball81 (Mar 3, 2004)

Rerun VundoFix.
Then post the contents of *C:\vundofix.txt* and a new HijackThis log.


----------



## Cookiegal (Aug 27, 2003)

Looks like a new variant of vundo.


----------



## Cheeseball81 (Mar 3, 2004)

Yes I agree. I was just about to post it on Derek's site so Atribune can update the fix.

Edit: Actually the first CLSID is a known Vundo.B. I am curious about "O2 - BHO: DosSpecFolder Object" though.

What do you think?


----------



## Cookiegal (Aug 27, 2003)

Too bad we couldn't get the file to upload though.

I posted it at Geeks to Go for Atribune.


----------



## Cookiegal (Aug 27, 2003)

That's the one I was referring to.


----------



## Cheeseball81 (Mar 3, 2004)

Okay good. :up: Great minds


----------



## OxfordBarney (Dec 14, 2004)

Here are the Vundofix.txt (today's log appended to yesterday's) and hijackthis log files. What has happened to my Java that I installed yesterday? It's saying that it's not detected. The computer is also not showing the Runtime Environment icon in the bottom bar, although it was showing after I installed it. I didn't remove it.

In the hijackthis log, you will notice that the system32 file has changed again to yabyv.dll and it is throwing up Ewido alerts again as infection Downloader.ConHook.y, but under this file name. The old file names of awtrq.dll and awvwx.dll seem to have disappeared, although these weren't deleted by Vundofix?

Also, while starting up the DOS window appeared again showing \system32\cmd.exe above but the box apparently remaining blank.

VundoFix V4.2.35

Checking Java version...

Sun Java not detected
Scan started at 19:48:15 22/03/2006

Listing files found while scanning....

C:\WINDOWS\System32\urqnm.dll
C:\WINDOWS\System32\urqnm.dll

C:\WINDOWS\system32\ddccf.bak1
C:\WINDOWS\system32\ddccf.ini
C:\WINDOWS\system32\fccdd.dll
Attempting to delete C:\WINDOWS\System32\urqnm.dll
C:\WINDOWS\System32\urqnm.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\ddccf.bak1
C:\WINDOWS\system32\ddccf.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\system32\ddccf.ini
C:\WINDOWS\system32\ddccf.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\fccdd.dll
C:\WINDOWS\system32\fccdd.dll Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V4.2.35

Checking Java version...

Sun Java not detected
Scan started at 8:03:00 23/03/2006

Listing files found while scanning....

C:\WINDOWS\system32\adcfe.bak1
C:\WINDOWS\system32\adcfe.ini
C:\WINDOWS\system32\efcda.dll
Attempting to delete C:\WINDOWS\system32\adcfe.bak1
C:\WINDOWS\system32\adcfe.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\system32\adcfe.ini
C:\WINDOWS\system32\adcfe.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\efcda.dll
C:\WINDOWS\system32\efcda.dll Has been deleted!

Performing Repairs to the registry.
Done!

Logfile of HijackThis v1.99.1
Scan saved at 8:20:27, on 23/03/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Archivos de programa\ewido anti-malware\ewidoctrl.exe
C:\Archivos de programa\ewido anti-malware\ewidoguard.exe
C:\Archivos de programa\Panda Software\Panda Antivirus Titanium\Pavsrv51.exe
C:\WINDOWS\System32\svchost.exe
C:\Archivos de programa\Panda Software\Panda Antivirus Titanium\AVENGINE.EXE
C:\Archivos de programa\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\ARCHIV~1\EzButton\CPATR10.EXE
C:\Archivos de programa\Synaptics\SynTP\SynTPLpr.exe
C:\Archivos de programa\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\System32\sistray.EXE
C:\WINDOWS\System32\khooker.exe
C:\Archivos de programa\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Archivos de programa\Panda Software\Panda Antivirus Titanium\APVXDWIN.EXE
C:\WINDOWS\LTSMMSG.exe
C:\Archivos de programa\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Archivos de programa\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\Archivos de programa\STA Kit ADSL\CnxDslTb.exe
C:\Archivos de programa\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\WINDOWS\System32\rundll32.exe
C:\windows\newname4.exe
C:\Archivos de programa\Panda Software\Panda Antivirus Titanium\pavProxy.exe
C:\Archivos de programa\Java\jre1.5.0_06\bin\jusched.exe
C:\Archivos de programa\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Archivos de programa\Messenger\msmsgs.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Esfera\Escritorio\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.findthewebsiteyouneed.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.beep.es/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
O2 - BHO: (no name) - {20D57A66-F7DF-467d-907B-9B7F4A118AB7} - C:\WINDOWS\System32\yabyv.dll
O2 - BHO: DosSpecFolder Object - {3E1BEA96-02D9-4992-B508-9B51819D9D86} - C:\WINDOWS\System32\efcda.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\ARCHIV~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Archivos de programa\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\sisUSBrg.exe
O4 - HKLM\..\Run: [CPATR10] C:\ARCHIV~1\EzButton\CPATR10.EXE
O4 - HKLM\..\Run: [SynTPLpr] C:\Archivos de programa\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Archivos de programa\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SiS Tray] C:\WINDOWS\System32\sistray.EXE
O4 - HKLM\..\Run: [SiS KHooker] C:\WINDOWS\System32\khooker.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Archivos de programa\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [APVXDWIN] "C:\Archivos de programa\Panda Software\Panda Antivirus Titanium\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [LTSMMSG] LTSMMSG.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Archivos de programa\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [CamMonitor] C:\Archivos de programa\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [CnxDslTaskBar] C:\Archivos de programa\STA Kit ADSL\CnxDslTb.exe
O4 - HKLM\..\Run: [libmm] rundll32.exe C:\WINDOWS\System32\libmm.dll,start
O4 - HKLM\..\Run: [newname] C:\windows\newname4.exe
O4 - HKLM\..\Run: [keyboard] C:\windows\keyboard4.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Archivos de programa\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Archivos de programa\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Archivos de programa\Messenger\msmsgs.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Archivos de programa\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\ARCHIV~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Consola de Sun Java - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.5.0_06\bin\ssv.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.beep.es/
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{F3EA66DF-AE4D-4865-8F7F-FF7A7CB59334}: NameServer = 194.158.88.2,194.158.64.7
O20 - Winlogon Notify: fccax - fccax.dll (file missing)
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O20 - Winlogon Notify: yabyv - C:\WINDOWS\SYSTEM32\yabyv.dll
O23 - Service: ewido security suite control - ewido networks - C:\Archivos de programa\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Archivos de programa\ewido anti-malware\ewidoguard.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software - C:\Archivos de programa\Panda Software\Panda Antivirus Titanium\Pavsrv51.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Archivos de programa\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: TZZXJPPLMFAICFB - Sysinternals - www.sysinternals.com - C:\DOCUME~1\Esfera\CONFIG~1\Temp\TZZXJPPLMFAICFB.exe
O23 - Service: UWCCMFXRQPO - Sysinternals - www.sysinternals.com - C:\DOCUME~1\Esfera\CONFIG~1\Temp\UWCCMFXRQPO.exe
O23 - Service: VNKRUWT - Sysinternals - www.sysinternals.com - C:\DOCUME~1\Esfera\CONFIG~1\Temp\VNKRUWT.exe
O23 - Service: YAQUVZ - Sysinternals - www.sysinternals.com - C:\DOCUME~1\Esfera\CONFIG~1\Temp\YAQUVZ.exe
O23 - Service: ZXKWTMZMQLA - Sysinternals - www.sysinternals.com - C:\DOCUME~1\Esfera\CONFIG~1\Temp\ZXKWTMZMQLA.exe


----------



## OxfordBarney (Dec 14, 2004)

Also, please bear in mind that this is an unpatched system which the previous owner has also not updated to SP2. Do I need to clear the viruses and adware before patching, or after?


----------



## Cheeseball81 (Mar 3, 2004)

After. If you install SP2 on an infected machine, it will cause serious problems.
It really appears as though you have a newer Vundo variant. We have to wait for the tool to be updated first.


----------



## OxfordBarney (Dec 14, 2004)

Thank you Cheeseball81. How do we have the tool updated, and how long do I need to wait? Thanks for your help.


----------



## Cheeseball81 (Mar 3, 2004)

You're welcome. Probably today. I'll check. If I don't find out, Cookiegal can find out for sure.


----------



## OxfordBarney (Dec 14, 2004)

Were you able to post all required data to the antivirus writers simply from the information in my logs? If so, that is amazing. I'm surprised that they don't need to have file copies. I'll wait anxiously for the cure. Once again, your help is greatly appreciated.


----------



## Cheeseball81 (Mar 3, 2004)

I'd like to try this tool.

*Adware-Virtumundo Removal Tool v1.2 (Associated with WinFixer Popups)*

Note: This tool does not remove the WinFixer application. WinFixer alone does not cause popups or disrupt the system. If WinFixer was installed on your system because Adware or a Trojan Downloader installed it without your permission, please remove it using the Add/Remove Programs Control Panel Applet.

If Virtumundo is not found, the tool will exit showing the log file.
If Virtumundo is found it will do the following:
Version 1.1
Create a Date/Time Stamped log file (VBG.TXT) on the All Users profile's Desktop.
Kill Internet Explorer and Explorer processes.
Rename the infected files with a .Vir extension (this disables them from being run)
Remove the Browser Helper Object registry key
Adds a registry value to block the file from running in Internet Explorer again.
Remove the Winlogon Notify registry key
Automatically restart the computer (via STOP error)
Note: This is a BLUE SCREEN "Fatal Error" Message. It is normal and expected. The tool ends an important Windows Process that was protecting the file and NT Security STOPS the system as soon as it detects this is happening.

Version 1.2
Removed the instruction to Stop McShield
Cleaned up some logging messages.
Added checking for BHOs with no default name. These entries will be checked to see if they are referenced to be started up with WinLogon. If so, they will be tagged as Virtumundo and removed.

VirusScan will now be able to remove the files normally when you run an on-demand scan.

Download Link -> http://secured2k.home.comcast.net/tools/VirtumundoBeGone.exe

After the tool completes, run your anti-virus program - then post a new Hijack This log.
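
As an added example (not code from the thread or from the VirtumundoBeGone tool), this Python script applies the v1.2 heuristic described above to HijackThis O2 and O20 lines: an unnamed BHO whose DLL is also registered as a Winlogon Notify package is flagged as probable Virtumundo, a named BHO that does the same is flagged for review, and Notify entries pointing at a missing file are flagged as orphans. The sample lines are constructed from the entry shapes seen in this thread.

```python
"""Triage HijackThis O2 (BHO) and O20 (Winlogon Notify) lines using the
heuristic VirtumundoBeGone v1.2 is described as using: a BHO with no default
name whose DLL is also registered as a Winlogon Notify package is probable
Virtumundo. Added example; not the tool's own code. Sample lines are
constructed from the entry shapes seen in this thread."""
import re
from dataclasses import dataclass

# Constructed sample log excerpt (same entry shapes as the thread's HJT logs).
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {20D57A66-F7DF-467d-907B-9B7F4A118AB7} - C:\WINDOWS\System32\geeca.dll
O2 - BHO: DosSpecFolder Object - {3E1BEA96-02D9-4992-B508-9B51819D9D86} - C:\WINDOWS\System32\xxwtt.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\ARCHIV~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Archivos de programa\Java\jre1.5.0_06\bin\ssv.dll
O20 - Winlogon Notify: fccax - fccax.dll (file missing)
O20 - Winlogon Notify: geeca - C:\WINDOWS\SYSTEM32\geeca.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O20 - Winlogon Notify: xxwtt - C:\WINDOWS\System32\xxwtt.dll
"""

O2_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - "
    r"(?P<path>.*?)(?P<missing> \(file missing\))?$")
O20_RE = re.compile(
    r"^O20 - Winlogon Notify: (?P<key>\S+) - "
    r"(?P<path>.*?)(?P<missing> \(file missing\))?$")


def dll_stem(path):
    # C:\WINDOWS\System32\geeca.dll -> "geeca" (HJT prints Windows paths)
    return path.rsplit("\\", 1)[-1].rsplit(".", 1)[0].lower()


@dataclass
class Finding:
    severity: str  # "high" = matches the tool's rule, "medium" = worth a look
    stem: str      # DLL name without extension, lower-cased
    line: str      # the HJT line that triggered the finding
    reason: str


def triage(log_text):
    """Return findings for one HJT log, in the order the checks fire."""
    bhos = []     # (line, display name, dll path)
    notify = {}   # notify subkey (lower-cased) -> (line, file missing?)
    for raw in log_text.splitlines():
        line = raw.strip()
        m = O2_RE.match(line)
        if m:
            bhos.append((line, m.group("name"), m.group("path")))
            continue
        m = O20_RE.match(line)
        if m:
            notify[m.group("key").lower()] = (line, m.group("missing") is not None)

    findings = []
    # Rule 1 (the tool's v1.2 check): a BHO DLL that doubles as a Winlogon
    # Notify package. Unnamed -> high; named -> medium, because legitimate
    # BHOs almost never register a Notify package.
    for line, name, path in bhos:
        stem = dll_stem(path)
        if stem not in notify:
            continue
        if name == "(no name)":
            findings.append(Finding("high", stem, line,
                "unnamed BHO also registered under Winlogon\\Notify (probable Virtumundo)"))
        else:
            findings.append(Finding("medium", stem, line,
                "BHO also registered under Winlogon\\Notify; verify the DLL"))
    # Rule 2: an orphaned Notify entry whose DLL no longer exists; harmless by
    # itself, but it should be fixed in HJT so the next log comes back clean.
    for key, (line, missing) in notify.items():
        if missing:
            findings.append(Finding("medium", key, line,
                "Winlogon Notify points to a missing file (orphan entry)"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity}] {f.stem}: {f.reason}\n    {f.line}")
```

Run against the sample, the script flags geeca (high), xxwtt (medium) and the orphaned fccax entry, and leaves SDHelper, ssv and WRNotifier alone, matching what the tool's own log later reports for this machine.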


----------



## Cookiegal (Aug 27, 2003)

Also, your last log indicates the BFU didn't work. I believe it's because it's not running from the proper location and I have updated instructions for that but I would like to see the new log after running the last tool that Cheeseball81 suggested.


----------



## Cookiegal (Aug 27, 2003)

Cheeseball81 said:


> You're welcome. Probably today. I'll check. If I don't find out, Cookiegal can find out for sure.


Haven't heard from Atribune yet but I would expect we'll hear something by tomorrow.


----------



## Flrman1 (Jul 26, 2002)

You can use the Avenger to remove this Karen.


----------



## Cookiegal (Aug 27, 2003)

Flrman1 said:


> You can use the Avenger to remove this Karen.


I thought about using it Mark but I got the impression swandog wanted us to use it as little as possible and only when nothing else would work as a last resort.


----------



## Cookiegal (Aug 27, 2003)

Alright, rather than waiting, let's use Avenger on this.

1. Please *download* *The Avenger* by Swandog46 to your *Desktop*.
Click on Avenger.zip to open the file
Extract *avenger.exe* to your desktop

2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (*Ctrl+C*):



> Files to delete:
> C:\WINDOWS\SYSTEM32\yabyv.dll


_*Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.*_

3. Now, *start The Avenger program* by clicking on its icon on your desktop.
Under "*Script file to execute*" choose "*Input Script Manually*".
Now click on the *Magnifying Glass icon* which will open a new window titled "*View/edit script*"
Paste the text copied to clipboard into this window by pressing (*Ctrl+V*).
Click *Done*
Now click on the *Green Light* to begin execution of the script
Answer "*Yes*" twice when prompted.
4. *The Avenger will automatically do the following*:
It will *Restart your computer*. (In cases where the code to execute contains "*Drivers to Unload*", The Avenger will actually *restart your system twice.*)
On reboot, it will briefly *open a black command window* on your desktop; this is normal.
After the restart, it *creates a log file* that should open with the results of Avenger's actions. This log file will be located at *C:\avenger.txt*
The Avenger will also have *backed up all the files, etc., that you asked it to delete*, and will have zipped them and moved the zip archives to *C:\avenger\backup.zip*.
5. Please *copy/paste* the content of *c:\avenger.txt* into your reply *along with a fresh HJT log* by using *Add/Reply*


----------



## OxfordBarney (Dec 14, 2004)

Thank you. When I re-started the computer, the ConHook file changed again, this time to geeca.dll. You will notice this in the hijackthis log posted below. You will also notice that the second BHO changes with each re-start. This time it is xxwtt.dll. I went ahead and ran Avenger, but inputted the file C:\WINDOWS\System32\geeca.dll instead of the old virus name. After clicking the first "Yes" after the green light, Avenger produced an error saying that the selected file does not appear to be a valid script. I will post the Avenger error here now, just before the latest hijackthis log.

//////////////////////////////////////////
Avenger Pre-Processor log
//////////////////////////////////////////

Error: selected file does not appear to be a valid script.
Error code: 0

Logfile of HijackThis v1.99.1
Scan saved at 14:49:29, on 24/03/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Archivos de programa\ewido anti-malware\ewidoctrl.exe
C:\Archivos de programa\ewido anti-malware\ewidoguard.exe
C:\Archivos de programa\Panda Software\Panda Antivirus Titanium\Pavsrv51.exe
C:\Archivos de programa\Panda Software\Panda Antivirus Titanium\AVENGINE.EXE
C:\WINDOWS\System32\svchost.exe
C:\Archivos de programa\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\ARCHIV~1\EzButton\CPATR10.EXE
C:\Archivos de programa\Synaptics\SynTP\SynTPLpr.exe
C:\Archivos de programa\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\System32\sistray.EXE
C:\WINDOWS\System32\khooker.exe
C:\Archivos de programa\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Archivos de programa\Panda Software\Panda Antivirus Titanium\APVXDWIN.EXE
C:\WINDOWS\LTSMMSG.exe
C:\Archivos de programa\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Archivos de programa\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\Archivos de programa\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Archivos de programa\STA Kit ADSL\CnxDslTb.exe
C:\Archivos de programa\Panda Software\Panda Antivirus Titanium\pavProxy.exe
C:\Archivos de programa\Java\jre1.5.0_06\bin\jusched.exe
C:\Archivos de programa\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Archivos de programa\Messenger\msmsgs.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Archivos de programa\Internet Explorer\iexplore.exe
C:\WINDOWS\SYSTEM32\rundll32.exe
C:\WINDOWS\System32\a.exe
C:\Documents and Settings\Esfera\Escritorio\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.google.com/nwshp?hl=en&tab=wn&q=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.beep.es/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
O2 - BHO: (no name) - {20D57A66-F7DF-467d-907B-9B7F4A118AB7} - C:\WINDOWS\System32\geeca.dll
O2 - BHO: DosSpecFolder Object - {3E1BEA96-02D9-4992-B508-9B51819D9D86} - C:\WINDOWS\System32\xxwtt.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\ARCHIV~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Archivos de programa\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\sisUSBrg.exe
O4 - HKLM\..\Run: [CPATR10] C:\ARCHIV~1\EzButton\CPATR10.EXE
O4 - HKLM\..\Run: [SynTPLpr] C:\Archivos de programa\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Archivos de programa\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SiS Tray] C:\WINDOWS\System32\sistray.EXE
O4 - HKLM\..\Run: [SiS KHooker] C:\WINDOWS\System32\khooker.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Archivos de programa\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [APVXDWIN] "C:\Archivos de programa\Panda Software\Panda Antivirus Titanium\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [LTSMMSG] LTSMMSG.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Archivos de programa\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [CamMonitor] C:\Archivos de programa\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [CnxDslTaskBar] C:\Archivos de programa\STA Kit ADSL\CnxDslTb.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Archivos de programa\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Archivos de programa\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Archivos de programa\Messenger\msmsgs.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Archivos de programa\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\ARCHIV~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Consola de Sun Java - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.5.0_06\bin\ssv.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.beep.es/
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{D6E7F14B-578C-42DC-B427-468EAE38916F}: NameServer = 194.158.64.9 194.158.64.10
O17 - HKLM\System\CCS\Services\Tcpip\..\{F3EA66DF-AE4D-4865-8F7F-FF7A7CB59334}: NameServer = 194.158.88.2,194.158.64.7
O20 - Winlogon Notify: fccax - fccax.dll (file missing)
O20 - Winlogon Notify: geeca - C:\WINDOWS\SYSTEM32\geeca.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O20 - Winlogon Notify: xxwtt - C:\WINDOWS\System32\xxwtt.dll
O23 - Service: ewido security suite control - ewido networks - C:\Archivos de programa\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Archivos de programa\ewido anti-malware\ewidoguard.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software - C:\Archivos de programa\Panda Software\Panda Antivirus Titanium\Pavsrv51.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Archivos de programa\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: TZZXJPPLMFAICFB - Sysinternals - www.sysinternals.com - C:\DOCUME~1\Esfera\CONFIG~1\Temp\TZZXJPPLMFAICFB.exe
O23 - Service: UWCCMFXRQPO - Sysinternals - www.sysinternals.com - C:\DOCUME~1\Esfera\CONFIG~1\Temp\UWCCMFXRQPO.exe
O23 - Service: VNKRUWT - Sysinternals - www.sysinternals.com - C:\DOCUME~1\Esfera\CONFIG~1\Temp\VNKRUWT.exe
O23 - Service: YAQUVZ - Sysinternals - www.sysinternals.com - C:\DOCUME~1\Esfera\CONFIG~1\Temp\YAQUVZ.exe
O23 - Service: ZXKWTMZMQLA - Sysinternals - www.sysinternals.com - C:\DOCUME~1\Esfera\CONFIG~1\Temp\ZXKWTMZMQLA.exe


----------



## OxfordBarney (Dec 14, 2004)

Also now, I am receiving a new message in a Microsoft Internet Explorer box saying "There has been a security breach by the Blackworm Virus. We recommend you DOWNLOAD one of the security softwares to prevent further malware infections." Even when I clicked the X in the corner, it took me to a website called Protection Centre - Help Protect Your PC. The software that it is asking me to download is WinAntiVirusPRO 2006 and Win AntiSpyware 2006. This Protection Centre is saying that they have detected spyware on my PC.


----------



## OxfordBarney (Dec 14, 2004)

I will await your further instructions on how to get around the Avenger error so that we can execute AVENGER!


----------



## OxfordBarney (Dec 14, 2004)

After the attempt to run Avenger, I ran VirtumundoBeGone as suggested by Cheeseball81. As explained, it re-started the system. I then ran SpySweeper and Virtumonde was detected as the file xxwtt.dll (the second BHO that we weren't sure about). In the SpySweeper log below, xxwtt.dll was to have been removed at start-up, but it is still there. However, the problem first BHO (the one that keeps changing its name and which in its latest incarnation was geeca.dll) is gone for the first time. This could be good news thanks to Cheeseball81. Also, SpySweeper detected rbot in our old friend file p.exe which had returned. My concern is that xxwtt.dll is still there and this was detected as Virtumonde. However, my system is behaving better suddenly. Here's the SpySweeper log, and the hijackthis log follows:

********
15:15: | Start of Session, viernes, 24 de marzo de 2006 |
15:15: Spy Sweeper started
15:15: Sweep initiated using definitions version 640
15:15: Starting Memory Sweep
15:16: Found Adware: virtumonde
15:16: Detected running threat: C:\WINDOWS\system32\xxwtt.dll (ID = 77)
15:19: Memory Sweep Complete, Elapsed Time: 00:04:00
15:19: Starting Registry Sweep
15:20: Found Adware: findthewebsiteyouneed hijack
15:20: HKLM\software\microsoft\internet explorer\main\ || search page (ID = 125241)
15:20: Found Adware: zquest
15:20: HKCR\clsid\{6001cdf7-6f45-471b-a203-0225615e35a7}\ (3 subtraces) (ID = 1074389)
15:20: HKLM\software\classes\clsid\{6001cdf7-6f45-471b-a203-0225615e35a7}\ (3 subtraces) (ID = 1074513)
15:20: Found Trojan Horse: trojan-downloader-conhook
15:20: HKLM\software\microsoft\windows\currentversion\explorer\shellexecutehooks\ || {20d57a66-f7df-467d-907b-9b7f4a118ab7} (ID = 1190602)
15:20: HKU\S-1-5-21-240936306-2413756436-2274281639-1005\software\microsoft\internet explorer\main\ || default_search_url (ID = 125236)
15:20: HKU\S-1-5-21-240936306-2413756436-2274281639-1005\software\microsoft\internet explorer\search\searchassistant explorer\main\ || default_search_url (ID = 555437)
15:20: HKU\S-1-5-21-240936306-2413756436-2274281639-1005\software\microsoft\internet explorer\main\ || default_search_url (ID = 790269)
15:20: Registry Sweep Complete, Elapsed Time:00:00:34
15:20: Starting Cookie Sweep
15:20: Found Spy Cookie: statcounter cookie
15:20: [email protected][2].txt (ID = 3447)
15:20: Found Spy Cookie: yieldmanager cookie
15:20: [email protected][1].txt (ID = 3751)
15:20: [email protected][1].txt (ID = 3447)
15:20: Found Spy Cookie: reliablestats cookie
15:20: [email protected][2].txt (ID = 3254)
15:20: Cookie Sweep Complete, Elapsed Time: 00:00:01
15:20: Starting File Sweep
15:20: dh.dll (ID = 266849)
15:20: Found Adware: dollarrevenue
15:20: a0023546.exe (ID = 268841)
15:21: a0020420.exe (ID = 268841)
15:22: a0021564.exe (ID = 215816)
15:22: Found Adware: command
15:22: a0021565.exe (ID = 185985)
15:23: newname4.exe (ID = 268845)
15:23: a0020421.exe (ID = 268843)
15:23: a0020422.exe (ID = 268845)
15:24: a0021563.exe (ID = 267188)
15:24: Found Trojan Horse: rbot
15:24: p.exe (ID = 264408)
15:24: dr140306.exe (ID = 267188)
15:25: newname4[1].exe (ID = 268845)
15:25: mte3ndi6odoxng.exe (ID = 185985)
15:29: a0023545.exe (ID = 268843)
15:30: mousepad4[1].exe (ID = 268843)
15:30: keyboard4[1].exe (ID = 268841)
15:30: mousepad4.exe (ID = 268843)
15:31: keyboard4.exe (ID = 268841)
15:32: a0023548.exe (ID = 268845)
15:32: Found Adware: look2me
15:32: installer.exe (ID = 168558)
15:33: nbmkcert.dll (ID = 163672)
15:35: dh.ini (ID = 268430)
15:35: File Sweep Complete, Elapsed Time: 00:15:23
15:36: Full Sweep has completed. Elapsed time 00:20:07
15:36: Traces Found: 40
15:38: Removal process initiated
15:39: Quarantining All Traces: look2me
15:39: Quarantining All Traces: rbot
15:39: Quarantining All Traces: virtumonde
15:40: Warning: Failed to export "HKEY_LOCAL_MACHINE\\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\xxwtt": El cliente no dispone de un privilegio requerido
15:42: Warning: Failed to export "HKEY_CLASSES_ROOT\\CLSID\{3E1BEA96-02D9-4992-B508-9B51819D9D86}": El cliente no dispone de un privilegio requerido
15:43: Warning: Failed to export "HKEY_LOCAL_MACHINE\\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3E1BEA96-02D9-4992-B508-9B51819D9D86}": El cliente no dispone de un privilegio requerido
15:43: virtumonde is in use. It will be removed on reboot.
15:43: C:\WINDOWS\system32\xxwtt.dll is in use. It will be removed on reboot.
15:43: Quarantining All Traces: dollarrevenue
15:43: Quarantining All Traces: trojan-downloader-conhook
15:43: Quarantining All Traces: findthewebsiteyouneed hijack
15:43: Quarantining All Traces: reliablestats cookie
15:43: Quarantining All Traces: statcounter cookie
15:43: Quarantining All Traces: yieldmanager cookie
15:44: Quarantining All Traces: zquest
15:45: Warning: Failed to export "HKEY_LOCAL_MACHINE\software\classes\clsid\{6001cdf7-6f45-471b-a203-0225615e35a7}\": El cliente no dispone de un privilegio requerido
15:46: Warning: Failed to export "HKEY_CLASSES_ROOT\clsid\{6001cdf7-6f45-471b-a203-0225615e35a7}\": El cliente no dispone de un privilegio requerido
15:46: Failed to quarantine zquest
15:46: Quarantining All Traces: command
15:46: Preparing to restart your computer. Please wait...
15:46: Removal process completed. Elapsed time 00:08:21
********

Logfile of HijackThis v1.99.1
Scan saved at 16:22:13, on 24/03/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Archivos de programa\ewido anti-malware\ewidoctrl.exe
C:\Archivos de programa\ewido anti-malware\ewidoguard.exe
C:\Archivos de programa\Panda Software\Panda Antivirus Titanium\Pavsrv51.exe
C:\WINDOWS\System32\svchost.exe
C:\Archivos de programa\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Archivos de programa\Panda Software\Panda Antivirus Titanium\AVENGINE.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\ARCHIV~1\EzButton\CPATR10.EXE
C:\Archivos de programa\Synaptics\SynTP\SynTPLpr.exe
C:\Archivos de programa\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\System32\sistray.EXE
C:\WINDOWS\System32\khooker.exe
C:\Archivos de programa\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Archivos de programa\Panda Software\Panda Antivirus Titanium\APVXDWIN.EXE
C:\WINDOWS\LTSMMSG.exe
C:\Archivos de programa\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Archivos de programa\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\Archivos de programa\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Archivos de programa\STA Kit ADSL\CnxDslTb.exe
C:\Archivos de programa\Java\jre1.5.0_06\bin\jusched.exe
C:\Archivos de programa\Panda Software\Panda Antivirus Titanium\pavProxy.exe
C:\Archivos de programa\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Archivos de programa\Messenger\msmsgs.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Archivos de programa\Internet Explorer\iexplore.exe
C:\Documents and Settings\Esfera\Escritorio\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.google.com/nwshp?hl=en&tab=wn&q=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.beep.es/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
O2 - BHO: DosSpecFolder Object - {3E1BEA96-02D9-4992-B508-9B51819D9D86} - C:\WINDOWS\System32\xxwtt.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\ARCHIV~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Archivos de programa\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\sisUSBrg.exe
O4 - HKLM\..\Run: [CPATR10] C:\ARCHIV~1\EzButton\CPATR10.EXE
O4 - HKLM\..\Run: [SynTPLpr] C:\Archivos de programa\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Archivos de programa\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SiS Tray] C:\WINDOWS\System32\sistray.EXE
O4 - HKLM\..\Run: [SiS KHooker] C:\WINDOWS\System32\khooker.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Archivos de programa\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [APVXDWIN] "C:\Archivos de programa\Panda Software\Panda Antivirus Titanium\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [LTSMMSG] LTSMMSG.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Archivos de programa\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [CamMonitor] C:\Archivos de programa\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [CnxDslTaskBar] C:\Archivos de programa\STA Kit ADSL\CnxDslTb.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Archivos de programa\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Archivos de programa\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Archivos de programa\Messenger\msmsgs.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Archivos de programa\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\ARCHIV~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Consola de Sun Java - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.5.0_06\bin\ssv.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.beep.es/
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{D6E7F14B-578C-42DC-B427-468EAE38916F}: NameServer = 194.158.64.9 194.158.64.10
O17 - HKLM\System\CCS\Services\Tcpip\..\{F3EA66DF-AE4D-4865-8F7F-FF7A7CB59334}: NameServer = 194.158.88.2,194.158.64.7
O20 - Winlogon Notify: fccax - fccax.dll (file missing)
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O20 - Winlogon Notify: xxwtt - C:\WINDOWS\System32\xxwtt.dll (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Archivos de programa\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Archivos de programa\ewido anti-malware\ewidoguard.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software - C:\Archivos de programa\Panda Software\Panda Antivirus Titanium\Pavsrv51.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Archivos de programa\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: TZZXJPPLMFAICFB - Sysinternals - www.sysinternals.com - C:\DOCUME~1\Esfera\CONFIG~1\Temp\TZZXJPPLMFAICFB.exe
O23 - Service: UWCCMFXRQPO - Sysinternals - www.sysinternals.com - C:\DOCUME~1\Esfera\CONFIG~1\Temp\UWCCMFXRQPO.exe
O23 - Service: VNKRUWT - Sysinternals - www.sysinternals.com - C:\DOCUME~1\Esfera\CONFIG~1\Temp\VNKRUWT.exe
O23 - Service: YAQUVZ - Sysinternals - www.sysinternals.com - C:\DOCUME~1\Esfera\CONFIG~1\Temp\YAQUVZ.exe
O23 - Service: ZXKWTMZMQLA - Sysinternals - www.sysinternals.com - C:\DOCUME~1\Esfera\CONFIG~1\Temp\ZXKWTMZMQLA.exe


----------



## Cheeseball81 (Mar 3, 2004)

Rescan with Hijack This.
Close all browser windows except Hijack This.
Put a check mark beside these entries and click "Fix Checked".

*O2 - BHO: DosSpecFolder Object - {3E1BEA96-02D9-4992-B508-9B51819D9D86} - C:\WINDOWS\System32\xxwtt.dll (file missing)

O20 - Winlogon Notify: fccax - fccax.dll (file missing)

O20 - Winlogon Notify: xxwtt - C:\WINDOWS\System32\xxwtt.dll (file missing)*

Reboot, post a new log.


----------



## OxfordBarney (Dec 14, 2004)

Thank you Cheeseball81.

Here's the latest log:

Logfile of HijackThis v1.99.1
Scan saved at 19:03:44, on 24/03/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Archivos de programa\ewido anti-malware\ewidoctrl.exe
C:\Archivos de programa\ewido anti-malware\ewidoguard.exe
C:\Archivos de programa\Panda Software\Panda Antivirus Titanium\Pavsrv51.exe
C:\WINDOWS\System32\svchost.exe
C:\Archivos de programa\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Archivos de programa\Panda Software\Panda Antivirus Titanium\AVENGINE.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\ARCHIV~1\EzButton\CPATR10.EXE
C:\Archivos de programa\Synaptics\SynTP\SynTPLpr.exe
C:\Archivos de programa\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\System32\sistray.EXE
C:\WINDOWS\System32\khooker.exe
C:\Archivos de programa\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Archivos de programa\Panda Software\Panda Antivirus Titanium\APVXDWIN.EXE
C:\WINDOWS\LTSMMSG.exe
C:\Archivos de programa\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Archivos de programa\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\Archivos de programa\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Archivos de programa\STA Kit ADSL\CnxDslTb.exe
C:\Archivos de programa\Java\jre1.5.0_06\bin\jusched.exe
C:\Archivos de programa\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Archivos de programa\Panda Software\Panda Antivirus Titanium\pavProxy.exe
C:\Archivos de programa\Messenger\msmsgs.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Esfera\Escritorio\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.google.com/nwshp?hl=en&tab=wn&q=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.beep.es/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\ARCHIV~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Archivos de programa\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\sisUSBrg.exe
O4 - HKLM\..\Run: [CPATR10] C:\ARCHIV~1\EzButton\CPATR10.EXE
O4 - HKLM\..\Run: [SynTPLpr] C:\Archivos de programa\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Archivos de programa\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SiS Tray] C:\WINDOWS\System32\sistray.EXE
O4 - HKLM\..\Run: [SiS KHooker] C:\WINDOWS\System32\khooker.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Archivos de programa\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [APVXDWIN] "C:\Archivos de programa\Panda Software\Panda Antivirus Titanium\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [LTSMMSG] LTSMMSG.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Archivos de programa\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [CamMonitor] C:\Archivos de programa\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [CnxDslTaskBar] C:\Archivos de programa\STA Kit ADSL\CnxDslTb.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Archivos de programa\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Archivos de programa\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Archivos de programa\Messenger\msmsgs.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Archivos de programa\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\ARCHIV~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Consola de Sun Java - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.5.0_06\bin\ssv.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.beep.es/
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{F3EA66DF-AE4D-4865-8F7F-FF7A7CB59334}: NameServer = 194.158.88.2,194.158.64.7
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: ewido security suite control - ewido networks - C:\Archivos de programa\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Archivos de programa\ewido anti-malware\ewidoguard.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software - C:\Archivos de programa\Panda Software\Panda Antivirus Titanium\Pavsrv51.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Archivos de programa\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: TZZXJPPLMFAICFB - Sysinternals - www.sysinternals.com - C:\DOCUME~1\Esfera\CONFIG~1\Temp\TZZXJPPLMFAICFB.exe
O23 - Service: UWCCMFXRQPO - Sysinternals - www.sysinternals.com - C:\DOCUME~1\Esfera\CONFIG~1\Temp\UWCCMFXRQPO.exe
O23 - Service: VNKRUWT - Sysinternals - www.sysinternals.com - C:\DOCUME~1\Esfera\CONFIG~1\Temp\VNKRUWT.exe
O23 - Service: YAQUVZ - Sysinternals - www.sysinternals.com - C:\DOCUME~1\Esfera\CONFIG~1\Temp\YAQUVZ.exe
O23 - Service: ZXKWTMZMQLA - Sysinternals - www.sysinternals.com - C:\DOCUME~1\Esfera\CONFIG~1\Temp\ZXKWTMZMQLA.exe


----------



## OxfordBarney (Dec 14, 2004)

Cheeseball81!! I have a feeling that we killed this thing by applying your suggestion and running Adware - Virtumundo Removal Tool v.2.1. Here is the log of that session. It targeted and killed the file geeca.dll (recognizing it as Virtumundo) before allowing it to morph under a new name, terminated the process rundll32 which was running non-stop (and which is now no longer running), and the modem activity has ceased. I am no longer getting the Ewido alerts. VundoFix didn't work, but VundoBeGone may have. I will run SpySweeper and post that log. But first here is the log of the Virtumundo Removal Tool:

[03/24/2006, 15:10:32] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\Esfera\Escritorio\VirtumundoBeGone.exe" )
[03/24/2006, 15:10:37] - Detected System Information:
[03/24/2006, 15:10:37] - Windows Version: 5.1.2600, Service Pack 1
[03/24/2006, 15:10:37] - Current Username: Esfera (Admin)
[03/24/2006, 15:10:37] - Windows is in NORMAL mode.
[03/24/2006, 15:10:37] - Searching for Browser Helper Objects:
[03/24/2006, 15:10:37] - BHO 1: {20D57A66-F7DF-467d-907B-9B7F4A118AB7} ()
[03/24/2006, 15:10:37] - WARNING: BHO has no default name. Checking for Winlogon reference.
[03/24/2006, 15:10:38] - Checking for HKLM\...\Winlogon\Notify\geeca
[03/24/2006, 15:10:38] - Found: HKLM\...\Winlogon\Notify\geeca - This is probably Virtumundo.
[03/24/2006, 15:10:38] - Assigning {20D57A66-F7DF-467d-907B-9B7F4A118AB7} MSEvents Object
[03/24/2006, 15:10:38] - BHO list has been changed! Starting over...
[03/24/2006, 15:10:38] - BHO 1: {20D57A66-F7DF-467d-907B-9B7F4A118AB7} (MSEvents Object)
[03/24/2006, 15:10:38] - ALERT: Found MSEvents Object!
[03/24/2006, 15:10:38] - BHO 2: {3E1BEA96-02D9-4992-B508-9B51819D9D86} (DosSpecFolder Object)
[03/24/2006, 15:10:38] - BHO 3: {53707962-6F74-2D53-2644-206D7942484F} ()
[03/24/2006, 15:10:38] - WARNING: BHO has no default name. Checking for Winlogon reference.
[03/24/2006, 15:10:38] - Checking for HKLM\...\Winlogon\Notify\SDHelper
[03/24/2006, 15:10:38] - Key not found: HKLM\...\Winlogon\Notify\SDHelper, continuing.
[03/24/2006, 15:10:38] - BHO 4: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[03/24/2006, 15:10:38] - Finished Searching Browser Helper Objects
[03/24/2006, 15:10:38] - *** Detected MSEvents Object
[03/24/2006, 15:10:38] - Trying to remove MSEvents Object...
[03/24/2006, 15:10:39] - Terminating Process: IEXPLORE.EXE
[03/24/2006, 15:10:40] - Terminating Process: RUNDLL32.EXE
[03/24/2006, 15:10:40] - Disabling Automatic Shell Restart
[03/24/2006, 15:10:40] - Terminating Process: EXPLORER.EXE
[03/24/2006, 15:10:41] - Suspending the NT Session Manager System Service
[03/24/2006, 15:10:41] - Terminating Windows NT Logon/Logoff Manager
[03/24/2006, 15:10:41] - Re-enabling Automatic Shell Restart
[03/24/2006, 15:10:41] - File to disable: C:\WINDOWS\System32\geeca.dll
[03/24/2006, 15:10:41] - Renaming C:\WINDOWS\System32\geeca.dll -> C:\WINDOWS\System32\geeca.dll.vir
[03/24/2006, 15:10:42] - File successfully renamed!
[03/24/2006, 15:10:42] - Removing HKLM\...\Browser Helper Objects\{20D57A66-F7DF-467d-907B-9B7F4A118AB7}
[03/24/2006, 15:10:42] - Removing HKCR\CLSID\{20D57A66-F7DF-467d-907B-9B7F4A118AB7}
[03/24/2006, 15:10:42] - Adding Kill Bit for ActiveX for GUID: {20D57A66-F7DF-467d-907B-9B7F4A118AB7}
[03/24/2006, 15:10:42] - Deleting ATLEvents/MSEvents Registry entries
[03/24/2006, 15:10:42] - Removing HKLM\...\Winlogon\Notify\geeca
[03/24/2006, 15:10:42] - Searching for Browser Helper Objects:
[03/24/2006, 15:10:42] - BHO 1: {3E1BEA96-02D9-4992-B508-9B51819D9D86} (DosSpecFolder Object)
[03/24/2006, 15:10:42] - BHO 2: {53707962-6F74-2D53-2644-206D7942484F} ()
[03/24/2006, 15:10:42] - WARNING: BHO has no default name. Checking for Winlogon reference.
[03/24/2006, 15:10:42] - Checking for HKLM\...\Winlogon\Notify\SDHelper
[03/24/2006, 15:10:42] - Key not found: HKLM\...\Winlogon\Notify\SDHelper, continuing.
[03/24/2006, 15:10:42] - BHO 3: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[03/24/2006, 15:10:42] - Finished Searching Browser Helper Objects
[03/24/2006, 15:10:42] - Finishing up...
[03/24/2006, 15:10:42] - A restart is needed.
[03/24/2006, 15:10:54] - Attempting to Restart via STOP error (Blue Screen!)


----------



## Cheeseball81 (Mar 3, 2004)

The log looks clean now. But I don't know if I am convinced that we got all the baddies.
How is the computer running? Are you still getting any detections?


----------



## OxfordBarney (Dec 14, 2004)

The computer is running much better, rundll32 activity ceased (it was constant), and the modem activity has ceased (it also was constant). I will run a few scans. There was a lot more than Virtumundo on it, and some of the lesser ones are probably still there since the computer still jams (although less frequently). But the real nasty appears to have been Virtumundo. I also want to discuss upgrading to SP2 and completely patching the system. I would like you to tell me when it is safe to do the patching and upgrading (i.e. when it is completely clean). I will run a few scans and post shortly.


----------



## Cheeseball81 (Mar 3, 2004)

I'd like to run another online scanner to be 100% sure.

Run *Kaspersky* online virus scan here: http://www.kaspersky.com/virusscanner

When given the option, choose the "Extended database" for the scan.
When it's finished, save the results from the scan and post them here.


----------



## OxfordBarney (Dec 14, 2004)

OK I'll do that now. I had to re-start the computer just now as it jammed while running SpySweeper. I feel certain that this is a different, and less severe, problem than we had thought. I'll get back to you with the Kaspersky results.


----------



## OxfordBarney (Dec 14, 2004)

That link to the Kaspersky Virusscanner is dead. Do you have another? I could just do a search for it and get it from MajorGeeks or Download.com or whoever.


----------



## Cheeseball81 (Mar 3, 2004)

Really? It opened for me. You could always try another scan with Panda Activescan instead.


----------



## OxfordBarney (Dec 14, 2004)

Also, when I click on various icons, they don't respond at times. The icons which don't respond change. Earlier, my Control Panel wasn't opening. Now it is, but the Add/Remove Programs icon and the Internet Explorer Bar are not responding. When I re-boot, the response returns.


----------



## OxfordBarney (Dec 14, 2004)

I'll bet if I re-boot, the Kaspersky link will work. I'll do so now.


----------



## OxfordBarney (Dec 14, 2004)

I'm having trouble accessing certain websites, almost as if my internet settings have been altered to restrict antivirus sites. I can't access your Kaspersky link, or any links presented by a Google search for Kaspersky scanforvirus or virusscan. Also, when I click Panda ActiveScan on my desktop, it also results in a dead link.


----------



## OxfordBarney (Dec 14, 2004)

I still cannot access Kaspersky or run Panda Activescan. They are showing as dead links. Here are the results of my SpySweeper scan:

20:57: | Start of Session, viernes, 24 de marzo de 2006 |
20:57: Spy Sweeper started
20:57: Sweep initiated using definitions version 640
20:57: Starting Memory Sweep
21:00: Memory Sweep Complete, Elapsed Time: 00:03:23
21:00: Starting Registry Sweep
21:01: Found Adware: zquest
21:01: HKCR\clsid\{6001cdf7-6f45-471b-a203-0225615e35a7}\ (3 subtraces) (ID = 1074389)
21:01: HKLM\software\classes\clsid\{6001cdf7-6f45-471b-a203-0225615e35a7}\ (3 subtraces) (ID = 1074513)
21:01: Registry Sweep Complete, Elapsed Time:00:00:28
21:01: Starting Cookie Sweep
21:01: Found Spy Cookie: yieldmanager cookie
21:01: [email protected][1].txt (ID = 3751)
21:01: Found Spy Cookie: burstnet cookie
21:01: [email protected][2].txt (ID = 2336)
21:01: Found Spy Cookie: clickbank cookie
21:01: [email protected][2].txt (ID = 2398)
21:01: Found Spy Cookie: statcounter cookie
21:01: [email protected][1].txt (ID = 3447)
21:01: Found Spy Cookie: tacoda cookie
21:01: [email protected][1].txt (ID = 6444)
21:01: Cookie Sweep Complete, Elapsed Time: 00:00:00
21:01: Starting File Sweep
21:13: File Sweep Complete, Elapsed Time: 00:12:06
21:13: Full Sweep has completed. Elapsed time 00:16:06
21:13: Traces Found: 13
21:16: Removal process initiated
21:16: Quarantining All Traces: burstnet cookie
21:16: Quarantining All Traces: clickbank cookie
21:16: Quarantining All Traces: statcounter cookie
21:16: Quarantining All Traces: tacoda cookie
21:16: Quarantining All Traces: yieldmanager cookie
21:16: Quarantining All Traces: zquest
21:16: Removal process completed. Elapsed time 00:00:06


----------



## OxfordBarney (Dec 14, 2004)

This is ridiculous - I've just had another Ewido detection for Backdoor.SdBot and the system slowed to 10 second response time. I couldn't even type this post without re-booting. The file that was shown in the detection was another eraseme_63316 (I'm not sure about the number). Where is this thing coming from? Could it be open ports? Should we patch my system as part of this cure? Could it be RPC or IRC? Here's another hijackthis log:

Logfile of HijackThis v1.99.1
Scan saved at 21:56:11, on 24/03/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Archivos de programa\ewido anti-malware\ewidoctrl.exe
C:\Archivos de programa\ewido anti-malware\ewidoguard.exe
C:\WINDOWS\System32\svchost.exe
C:\Archivos de programa\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\ARCHIV~1\EzButton\CPATR10.EXE
C:\Archivos de programa\Synaptics\SynTP\SynTPLpr.exe
C:\Archivos de programa\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\System32\sistray.EXE
C:\WINDOWS\System32\khooker.exe
C:\Archivos de programa\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\LTSMMSG.exe
C:\Archivos de programa\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Archivos de programa\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\Archivos de programa\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Archivos de programa\STA Kit ADSL\CnxDslTb.exe
C:\Archivos de programa\Java\jre1.5.0_06\bin\jusched.exe
C:\Archivos de programa\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Archivos de programa\Messenger\msmsgs.exe
C:\Archivos de programa\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\SYSTEM32\ftp.exe
C:\Documents and Settings\Esfera\Escritorio\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.google.com/nwshp?hl=en&tab=wn&q=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.beep.es/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\ARCHIV~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Archivos de programa\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\sisUSBrg.exe
O4 - HKLM\..\Run: [CPATR10] C:\ARCHIV~1\EzButton\CPATR10.EXE
O4 - HKLM\..\Run: [SynTPLpr] C:\Archivos de programa\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Archivos de programa\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SiS Tray] C:\WINDOWS\System32\sistray.EXE
O4 - HKLM\..\Run: [SiS KHooker] C:\WINDOWS\System32\khooker.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Archivos de programa\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [LTSMMSG] LTSMMSG.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Archivos de programa\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [CamMonitor] C:\Archivos de programa\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [CnxDslTaskBar] C:\Archivos de programa\STA Kit ADSL\CnxDslTb.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Archivos de programa\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Archivos de programa\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Archivos de programa\Messenger\msmsgs.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Archivos de programa\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\ARCHIV~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Consola de Sun Java - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.5.0_06\bin\ssv.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.beep.es/
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{D6E7F14B-578C-42DC-B427-468EAE38916F}: NameServer = 194.158.64.9 194.158.64.10
O17 - HKLM\System\CCS\Services\Tcpip\..\{F3EA66DF-AE4D-4865-8F7F-FF7A7CB59334}: NameServer = 194.158.88.2,194.158.64.7
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: ewido security suite control - ewido networks - C:\Archivos de programa\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Archivos de programa\ewido anti-malware\ewidoguard.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Archivos de programa\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: TZZXJPPLMFAICFB - Sysinternals - www.sysinternals.com - C:\DOCUME~1\Esfera\CONFIG~1\Temp\TZZXJPPLMFAICFB.exe
O23 - Service: UWCCMFXRQPO - Sysinternals - www.sysinternals.com - C:\DOCUME~1\Esfera\CONFIG~1\Temp\UWCCMFXRQPO.exe
O23 - Service: VNKRUWT - Sysinternals - www.sysinternals.com - C:\DOCUME~1\Esfera\CONFIG~1\Temp\VNKRUWT.exe
O23 - Service: YAQUVZ - Sysinternals - www.sysinternals.com - C:\DOCUME~1\Esfera\CONFIG~1\Temp\YAQUVZ.exe
O23 - Service: ZXKWTMZMQLA - Sysinternals - www.sysinternals.com - C:\DOCUME~1\Esfera\CONFIG~1\Temp\ZXKWTMZMQLA.exe


----------



## Cheeseball81 (Mar 3, 2004)

Please rerun WinPFind and post the results. (or attach it if it's too long)


----------



## OxfordBarney (Dec 14, 2004)

I've attached the WinPFind.txt file as requested.


----------



## Cheeseball81 (Mar 3, 2004)

Boot into Safe Mode.

Double click on Killbox.exe to run it.

Put a tick by *Standard File Kill*.
In the "Full Path of File to Delete" box, copy and paste each of the following lines one at a time:

*C:\WINDOWS\SYSTEM32\a.exe
C:\WINDOWS\SYSTEM32\cz32.exe
C:\WINDOWS\system32\libwz.dll
C:\WINDOWS\system32\ttwxx.bak1
C:\WINDOWS\system32\ttwxx.ini*

Click on the button that has the red circle with the X in the middle after you enter each file.
It will ask for confirmation to delete the file.
Click Yes.
Continue with that procedure until you have pasted all of these in the "Paste Full Path of File to Delete" box.
Killbox may tell you that one or more files do not exist.
If that happens, just continue on with all the files. Be sure you don't miss any.
Next in Killbox go to *Tools > Delete Temp Files*

Reboot. Let us know what the status of the system is.


----------



## Cookiegal (Aug 27, 2003)

It would also be wise to re-run the Alcan fix as there were files still showing in the log after it was run the last time. Please remove the one you downloaded previously and be very careful about where you download it, as that is crucial for it being successful.

Please download *Brute Force Uninstaller*. Unzip it to its own folder and call the folder (c:\BFU). *You must create the folder BFU in that location or it will not work.*

Double click BFU.exe to run the program and click the Web button as shown here:









Use this URL to copy into the address bar of the Download script window:
*http://metallica.geekstogo.com/alcanshorty.bfu*

Execute the script by clicking the Execute button.

_If you have any questions about the use of BFU please read here:
http://metallica.geekstogo.com/BFUinstructions.html _

Then reboot and post back with a *HijackThis log*.


----------



## OxfordBarney (Dec 14, 2004)

Ok - I'll do that. I have fixed the problem of the dead links. My hosts file had been altered to create the misdirections. All of the antivirus sites were misdirected. This has been repaired and therefore, I can, and will, now do the Kaspersky online scan, and then Panda, and then post both logs. I will then run the Brute Force Uninstaller (after removing the old one and re-installing correctly), and re-post a hijackthis log. I have two virus detections happening, rbot and sdbot. At least we killed the Virtumundo (I'm assuming this is also known as ConHook) virus. This computer desperately needs to be patched.
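The hosts-file misdirection described in this post is the same thing the later Kaspersky scan labels Trojan.Win32.Qhost.cy on the hosts backup. As an added example (not code from the thread or from any of the tools it mentions), the Python below parses a Windows hosts file, flags any entry that pins a security-vendor domain to an address, distinguishes sinkholing (127.0.0.1 / 0.0.0.0, which makes the site a "dead link") from redirection to a third-party address, and returns a cleaned copy with those lines removed. The sample hosts content, the addresses in it and the vendor suffix list are constructed assumptions.

```python
"""Detect and strip Qhost-style hijacks of security-vendor domains in a hosts file.

On Windows XP the live file is C:\\WINDOWS\\system32\\drivers\\etc\\hosts;
this example works on text so it runs offline on the constructed sample.
"""
from dataclasses import dataclass
import ipaddress

# Constructed sample (NOT the thread's real file): a stock header plus the
# kind of lines a Qhost-style trojan appends. 203.0.113.0/24 and 192.0.2.0/24
# are documentation ranges, used here as placeholders.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
# lines below are what a Qhost-style trojan typically appends
203.0.113.10    www.kaspersky.com
203.0.113.10    kaspersky.com   # comment
0.0.0.0         activescan.pandasoftware.com
127.0.0.1       www.symantec.com
192.0.2.5       example.org
"""

# Domains a client should never have pinned in its hosts file. This list is an
# assumption for the example; extend it with the vendors you actually rely on.
WATCHED_SUFFIXES = (
    "kaspersky.com", "pandasoftware.com", "symantec.com", "mcafee.com",
    "trendmicro.com", "sophos.com", "microsoft.com", "windowsupdate.com",
    "grisoft.com", "ewido.net", "webroot.com",
)


@dataclass(frozen=True)
class Finding:
    line: int        # 1-based line number in the hosts text
    ip: str          # address the hostname was pinned to
    hostname: str
    kind: str        # "blocked" (loopback/unspecified sinkhole) or "redirected"


def _parse_line(raw):
    """Return (ip_address, [hostnames]) or None for blank, comment or malformed lines."""
    body = raw.split("#", 1)[0].strip()      # drop trailing comments
    if not body:
        return None
    parts = body.split()
    try:
        ip = ipaddress.ip_address(parts[0])
    except ValueError:
        return None                          # not a hosts entry; ignore
    return ip, [name.lower() for name in parts[1:]]


def is_watched(hostname):
    """True if hostname is a watched vendor domain or one of its subdomains."""
    return any(hostname == s or hostname.endswith("." + s) for s in WATCHED_SUFFIXES)


def find_hijacked_entries(text):
    """Every watched domain pinned in the hosts text, in file order."""
    findings = []
    for n, raw in enumerate(text.splitlines(), start=1):
        parsed = _parse_line(raw)
        if parsed is None:
            continue
        ip, names = parsed
        for name in names:
            if is_watched(name):
                # Loopback/0.0.0.0 makes the vendor site unreachable ("dead link");
                # any other address silently sends the user somewhere else.
                kind = "blocked" if (ip.is_loopback or ip.is_unspecified) else "redirected"
                findings.append(Finding(n, str(ip), name, kind))
    return findings


def clean_hosts(text):
    """Hosts text with every line that carried a flagged entry removed.

    A whole line is dropped even if it also named a benign host; review the
    findings before writing the result back over the live file.
    """
    bad_lines = {f.line for f in find_hijacked_entries(text)}
    kept = [line for n, line in enumerate(text.splitlines(), start=1) if n not in bad_lines]
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    for f in find_hijacked_entries(SAMPLE_HOSTS):
        print(f"line {f.line}: {f.hostname} -> {f.ip} ({f.kind})")
    print("--- cleaned ---")
    print(clean_hosts(SAMPLE_HOSTS), end="")
```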


----------



## OxfordBarney (Dec 14, 2004)

Here are the results of the Kaspersky scan. It appears that the Virtumundo virus (ConHook) has re-appeared again as geecd.dll, and various other names as well. I know I have rbot (p.exe) infection as well as SdBot.

Saturday, March 25, 2006 8:36:33 AM
Operating System: Microsoft Windows XP Home Edition, Service Pack 1 (Build 2600)
Kaspersky On-line Scanner version: 5.0.78.0
Kaspersky Anti-Virus database last update: 25/03/2006
Kaspersky Anti-Virus database records: 183913

Scan Settings 
Scan using the following antivirus database extended 
Scan Archives true 
Scan Mail Bases true

Scan Target Critical Areas 
C:\WINDOWS
C:\DOCUME~1\Esfera\CONFIG~1\Temp\

Scan Statistics 
Total number of scanned objects 14896 
Number of viruses found 12 
Number of infected objects 39 
Number of suspicious objects 0 
Duration of the scan process 00:14:47

Infected Object Name Virus Name Last Action 
C:\WINDOWS\keyboard5.exe Infected: Trojan-Downloader.Win32.VB.zl skipped

C:\WINDOWS\mousepad5.exe Infected: Trojan-Clicker.Win32.VB.ly skipped

C:\WINDOWS\newname5.exe Infected: Trojan-Downloader.Win32.Adload.ae skipped

C:\WINDOWS\system32\awtrq.dll Infected: Trojan-Downloader.Win32.ConHook.y skipped

C:\WINDOWS\system32\config\systemprofile\Configuración local\Archivos temporales de Internet\Content.IE5\UX44QHXS\drsmartload[1].exe Infected: Trojan-Downloader.Win32.VB.vz skipped

C:\WINDOWS\system32\config\systemprofile\Configuración local\Archivos temporales de Internet\Content.IE5\UX44QHXS\rp5[1].exe Infected: Backdoor.Win32.PackBot.ab skipped

C:\WINDOWS\system32\dr32.exe Infected: Trojan-Downloader.Win32.VB.vz skipped

C:\WINDOWS\system32\drivers\etc\hosts.20060324-235807.backup Infected: Trojan.Win32.Qhost.cy skipped

C:\WINDOWS\system32\eraseme_63316.exe Infected: Backdoor.Win32.SdBot.xd skipped

C:\WINDOWS\system32\geeca.dll.vir Infected: Trojan-Downloader.Win32.ConHook.y skipped

C:\WINDOWS\system32\geecd.dll Infected: Trojan-Downloader.Win32.ConHook.y skipped

C:\WINDOWS\system32\i Infected: Trojan-Downloader.BAT.Ftp.ab skipped

C:\WINDOWS\system32\jkhff.dll Infected: Trojan-Downloader.Win32.ConHook.y skipped

C:\WINDOWS\system32\khfcy.dll Infected: Trojan-Downloader.Win32.ConHook.y skipped

C:\WINDOWS\system32\MSWSA32.exe Infected: Backdoor.Win32.Rbot.gen skipped

C:\WINDOWS\system32\p.exe Infected: Backdoor.Win32.Rbot.asu skipped

C:\WINDOWS\system32\TFTP740 Infected: Backdoor.Win32.Rbot.asy skipped

C:\WINDOWS\system32\tuspm.dll Infected: Trojan-Downloader.Win32.ConHook.y skipped

C:\WINDOWS\system32\yabyv.dll Infected: Trojan-Downloader.Win32.ConHook.y skipped

C:\WINDOWS\system32\__delete_on_reboot__nnnnn.dll Infected: Trojan-Downloader.Win32.ConHook.y skipped

C:\WINDOWS\system32\__delete_on_reboot__pmnkh.dll Infected: Trojan-Downloader.Win32.ConHook.y skipped

C:\WINDOWS\system32\__delete_on_reboot__yabab.dll Infected: Trojan-Downloader.Win32.ConHook.y skipped

C:\DOCUME~1\Esfera\CONFIG~1\Temp\tmp000237c5 Infected: Trojan-Downloader.Win32.ConHook.y skipped

C:\DOCUME~1\Esfera\CONFIG~1\Temp\tmp00023fab Infected: Trojan-Downloader.Win32.ConHook.y skipped

C:\DOCUME~1\Esfera\CONFIG~1\Temp\tmp0002463e Infected: Trojan-Downloader.Win32.ConHook.y skipped

C:\DOCUME~1\Esfera\CONFIG~1\Temp\tmp0002510a Infected: Trojan-Downloader.Win32.ConHook.y skipped

C:\DOCUME~1\Esfera\CONFIG~1\Temp\tmp0002736c Infected: Trojan-Downloader.Win32.ConHook.y skipped

C:\DOCUME~1\Esfera\CONFIG~1\Temp\tmp00027525 Infected: Trojan-Downloader.Win32.ConHook.y skipped

C:\DOCUME~1\Esfera\CONFIG~1\Temp\tmp000278e6 Infected: Trojan-Downloader.Win32.ConHook.y skipped

C:\DOCUME~1\Esfera\CONFIG~1\Temp\tmp000290e1 Infected: Trojan-Downloader.Win32.ConHook.y skipped

C:\DOCUME~1\Esfera\CONFIG~1\Temp\tmp00029467 Infected: Trojan-Downloader.Win32.ConHook.y skipped

C:\DOCUME~1\Esfera\CONFIG~1\Temp\tmp0002ae06 Infected: Trojan-Downloader.Win32.ConHook.y skipped

C:\DOCUME~1\Esfera\CONFIG~1\Temp\tmp0002b3d0 Infected: Trojan-Downloader.Win32.ConHook.y skipped

C:\DOCUME~1\Esfera\CONFIG~1\Temp\tmp00034eb9 Infected: Trojan-Downloader.Win32.ConHook.y skipped

C:\DOCUME~1\Esfera\CONFIG~1\Temp\tmp00045951 Infected: Trojan-Downloader.Win32.ConHook.y skipped

C:\DOCUME~1\Esfera\CONFIG~1\Temp\tmp0004cf6b Infected: Trojan-Downloader.Win32.ConHook.y skipped

C:\DOCUME~1\Esfera\CONFIG~1\Temp\tmp0017e405 Infected: Trojan-Downloader.Win32.ConHook.y skipped

C:\DOCUME~1\Esfera\CONFIG~1\Temp\tmp001f0683 Infected: Trojan-Downloader.Win32.ConHook.y skipped

C:\DOCUME~1\Esfera\CONFIG~1\Temp\tmp021ff977 Infected: Trojan-Downloader.Win32.ConHook.y skipped

Scan process completed.


----------



## OxfordBarney (Dec 14, 2004)

Here are the results of the Panda Scan:

Incident Status Location

Adware:adware/dollarrevenue Not disinfected C:\WINDOWS\keyboard41.dat 
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\Esfera\Cookies\[email protected][2].txt 
Possible Virus. Not disinfected C:\Documents and Settings\Esfera\Configuración local\Temp\eijgfgwt.dll 
Possible Virus. Not disinfected C:\Documents and Settings\Esfera\Configuración local\Temp\nuzlcc.dll 
Adware:Adware/DollarRevenue Not disinfected C:\Documents and Settings\Esfera\Configuración local\Temp\tmp000237c5 
Adware:Adware/DollarRevenue Not disinfected C:\Documents and Settings\Esfera\Configuración local\Temp\tmp00023fab  
Adware:Adware/DollarRevenue Not disinfected C:\Documents and Settings\Esfera\Configuración local\Temp\tmp0002463e 
Adware:Adware/DollarRevenue Not disinfected C:\Documents and Settings\Esfera\Configuración local\Temp\tmp0002510a 
Adware:Adware/DollarRevenue Not disinfected C:\Documents and Settings\Esfera\Configuración local\Temp\tmp0002736c 
Adware:Adware/DollarRevenue Not disinfected C:\Documents and Settings\Esfera\Configuración local\Temp\tmp00027525 
Adware:Adware/DollarRevenue Not disinfected C:\Documents and Settings\Esfera\Configuración local\Temp\tmp000278e6 
Adware:Adware/DollarRevenue Not disinfected C:\Documents and Settings\Esfera\Configuración local\Temp\tmp000290e1 
Adware:Adware/DollarRevenue Not disinfected C:\Documents and Settings\Esfera\Configuración local\Temp\tmp00029467 
Adware:Adware/DollarRevenue Not disinfected C:\Documents and Settings\Esfera\Configuración local\Temp\tmp0002ae06 
Adware:Adware/DollarRevenue Not disinfected C:\Documents and Settings\Esfera\Configuración local\Temp\tmp0002b3d0 
Adware:Adware/DollarRevenue Not disinfected C:\Documents and Settings\Esfera\Configuración local\Temp\tmp00034eb9 
Adware:Adware/DollarRevenue Not disinfected C:\Documents and Settings\Esfera\Configuración local\Temp\tmp00045951  
Adware:Adware/DollarRevenue Not disinfected C:\Documents and Settings\Esfera\Configuración local\Temp\tmp0004cf6b 
Adware:Adware/DollarRevenue Not disinfected C:\Documents and Settings\Esfera\Configuración local\Temp\tmp0017e405 
Adware:Adware/DollarRevenue Not disinfected C:\Documents and Settings\Esfera\Configuración local\Temp\tmp001f0683 
Adware:Adware/DollarRevenue Not disinfected C:\Documents and Settings\Esfera\Configuración local\Temp\tmp021ff977 
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\Esfera\Cookies\[email protected][2].txt 
Adware:Adware/DollarRevenue Not disinfected C:\Documents and Settings\Esfera\cz32.exe[rm32.dll] 
Adware:Adware/DollarRevenue Not disinfected C:\Documents and Settings\Esfera\Escritorio\hijackthis\backups\backup-20060322-185731-693.dll 
Virus:Bck/Small.HI Disinfected C:\WINDOWS\system32\.exe 
Adware:Adware/DollarRevenue Not disinfected C:\WINDOWS\system32\awtrq.dll 
Virus:W32/Sdbot.GWB.worm Disinfected C:\WINDOWS\system32\config\systemprofile\Configuración local\Archivos temporales de Internet\Content.IE5\UX44QHXS\rp5[1].exe 
Virus:Trj/Qhost.gen Disinfected C:\WINDOWS\system32\drivers\etc\hosts.20060324-235807.backup  
Virus:W32/Sdbot.FKE.worm Disinfected C:\WINDOWS\system32\eraseme_63316.exe 
Adware:Adware/DollarRevenue Not disinfected C:\WINDOWS\system32\geeca.dll.vir 
Adware:Adware/DollarRevenue Not disinfected C:\WINDOWS\system32\geecd.dll 
Virus:Bck/Small.HI Disinfected C:\WINDOWS\system32\hwclock.exe 
Virus:W32/Sdbot.ftp Disinfected C:\WINDOWS\system32\i 
Adware:Adware/DollarRevenue Not disinfected C:\WINDOWS\system32\jkhff.dll 
Adware:Adware/DollarRevenue Not disinfected C:\WINDOWS\system32\khfcy.dll 
Virus:W32/Sdbot.FYT.worm Disinfected C:\WINDOWS\system32\MSWSA32.exe 
Virus:W32/Gaobot.MMD.worm Disinfected C:\WINDOWS\system32\p.exe 
Possible Virus. Not disinfected C:\WINDOWS\system32\qghumeay.dll 
Adware:Adware/DollarRevenue Not disinfected C:\WINDOWS\system32\tuspm.dll  
Adware:Adware/DollarRevenue Not disinfected C:\WINDOWS\system32\yabyv.dll 
Adware:Adware/DollarRevenue Not disinfected C:\WINDOWS\system32\__delete_on_reboot__nnnnn.dll 
Adware:Adware/DollarRevenue Not disinfected C:\WINDOWS\system32\__delete_on_reboot__pmnkh.dll 
Adware:Adware/DollarRevenue Not disinfected C:\WINDOWS\system32\__delete_on_reboot__yabab.dll 
Adware:Adware/ConsumerAlertSystem Not disinfected C:\WinFrgn.exe


----------



## OxfordBarney (Dec 14, 2004)

OK - I've executed Brute Force Uninstaller from within the directory C:\BFU. I have installed the trial version of Kaspersky Personal Pro, and this seems to be preventing my computer from hanging. It has blocked and deleted access to a few files such as newname4.exe, and others. Also, it has repelled attacks from the internet called Intrusion.Win.LSASS.exploit from address 85.94.172.122. Here's the hijackthis log:

Logfile of HijackThis v1.99.1
Scan saved at 10:14:07, on 25/03/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Archivos de programa\ewido anti-malware\ewidoctrl.exe
C:\Archivos de programa\ewido anti-malware\ewidoguard.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\Archivos de programa\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\ARCHIV~1\EzButton\CPATR10.EXE
C:\Archivos de programa\Synaptics\SynTP\SynTPLpr.exe
C:\Archivos de programa\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\System32\sistray.EXE
C:\WINDOWS\System32\khooker.exe
C:\Archivos de programa\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\LTSMMSG.exe
C:\Archivos de programa\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Archivos de programa\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\Archivos de programa\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Archivos de programa\STA Kit ADSL\CnxDslTb.exe
C:\Archivos de programa\Java\jre1.5.0_06\bin\jusched.exe
C:\Archivos de programa\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Archivos de programa\Messenger\msmsgs.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Archivos de programa\Internet Explorer\iexplore.exe
C:\Archivos de programa\Internet Explorer\iexplore.exe
C:\Documents and Settings\Esfera\Escritorio\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.google.com/nwshp?hl=en&tab=wn&q=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.beep.es/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\ARCHIV~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Archivos de programa\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\sisUSBrg.exe
O4 - HKLM\..\Run: [CPATR10] C:\ARCHIV~1\EzButton\CPATR10.EXE
O4 - HKLM\..\Run: [SynTPLpr] C:\Archivos de programa\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Archivos de programa\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SiS Tray] C:\WINDOWS\System32\sistray.EXE
O4 - HKLM\..\Run: [SiS KHooker] C:\WINDOWS\System32\khooker.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Archivos de programa\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [LTSMMSG] LTSMMSG.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Archivos de programa\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [CamMonitor] C:\Archivos de programa\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [CnxDslTaskBar] C:\Archivos de programa\STA Kit ADSL\CnxDslTb.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Archivos de programa\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Archivos de programa\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\Run: [KAVPersonal50] "C:\Archivos de programa\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\kav.exe" /minimize
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Archivos de programa\Messenger\msmsgs.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Archivos de programa\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\ARCHIV~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Consola de Sun Java - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.5.0_06\bin\ssv.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.beep.es/
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{D6E7F14B-578C-42DC-B427-468EAE38916F}: NameServer = 194.158.64.9 194.158.64.10
O17 - HKLM\System\CCS\Services\Tcpip\..\{F3EA66DF-AE4D-4865-8F7F-FF7A7CB59334}: NameServer = 194.158.88.2,194.158.64.7
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: ewido security suite control - ewido networks - C:\Archivos de programa\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Archivos de programa\ewido anti-malware\ewidoguard.exe
O23 - Service: Hardware Clock Driver (hwclock) - Unknown owner - C:\WINDOWS\System32\hwclock.exe (file missing)
O23 - Service: kavsvc - Kaspersky Lab - C:\Archivos de programa\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\kavsvc.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Archivos de programa\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: TZZXJPPLMFAICFB - Sysinternals - www.sysinternals.com - C:\DOCUME~1\Esfera\CONFIG~1\Temp\TZZXJPPLMFAICFB.exe
O23 - Service: UWCCMFXRQPO - Sysinternals - www.sysinternals.com - C:\DOCUME~1\Esfera\CONFIG~1\Temp\UWCCMFXRQPO.exe
O23 - Service: VNKRUWT - Sysinternals - www.sysinternals.com - C:\DOCUME~1\Esfera\CONFIG~1\Temp\VNKRUWT.exe
O23 - Service: YAQUVZ - Sysinternals - www.sysinternals.com - C:\DOCUME~1\Esfera\CONFIG~1\Temp\YAQUVZ.exe
O23 - Service: ZXKWTMZMQLA - Sysinternals - www.sysinternals.com - C:\DOCUME~1\Esfera\CONFIG~1\Temp\ZXKWTMZMQLA.exe


----------



## OxfordBarney (Dec 14, 2004)

I ran Kaspersky Personal Pro trial version and several viruses showed up as you can see in the above logs. I killed them with Kaspersky as prompted. 16 were killed while 17 had been detected, and so one was missed. When I re-booted the following Kaspersky alert appeared: "Attention! Your computer has been attacked from the internet. Network attack Intrusion.Win.LSASS.ASN1-kill-bill.exploit from address 194.158.100.144 has been successfully repelled." It appears that now that I have Kaspersky installed, it may be repelling many of the previous attacks that were causing some of the problems. My computer hasn't been locking up since I installed Kaspersky. Here are the results of a Panda Scan created after killing the 16 viruses and re-booting:

| Incident | Status | Location |
|---|---|---|
| Adware:adware/dollarrevenue | Not disinfected | C:\WINDOWS\keyboard41.dat |
| Spyware:Cookie/RealMedia | Not disinfected | C:\Documents and Settings\Esfera\Cookies\[email protected][2].txt |
| Spyware:Cookie/Statcounter | Not disinfected | C:\Documents and Settings\Esfera\Cookies\[email protected][2].txt |
| Possible Virus. | Not disinfected | C:\Documents and Settings\Esfera\Configuración local\Temp\eijgfgwt.dll |
| Possible Virus. | Not disinfected | C:\Documents and Settings\Esfera\Configuración local\Temp\nuzlcc.dll |
| Spyware:Cookie/RealMedia | Not disinfected | C:\Documents and Settings\Esfera\Cookies\[email protected][2].txt |
| Spyware:Cookie/Statcounter | Not disinfected | C:\Documents and Settings\Esfera\Cookies\[email protected][2].txt |
| Possible Virus. | Not disinfected | C:\WINDOWS\system32\qghumeay.dll |


----------



## Cookiegal (Aug 27, 2003)

Click Start - Run - and type in:

*services.msc*

Click OK.

In the services window find *Hardware Clock Driver*.
Right click and choose "Properties". On the "General" tab under "Service Status" click the "Stop" button to stop the service. Beside "Start-up Type" in the dropdown menu select "Disabled". Click Apply then OK. Exit the Services utility.

*Note:* You may get an error here when trying to access the properties of the service. If you do get an error, just select the service and look there in the top left of the main service window and click "Stop" to stop the service. If that gives an error or it is already stopped, just skip this step and proceed with the rest.

Open HijackThis and click on the "Open Misc Tools section" button. Now click on the "Delete an NT service" button. Copy and paste this line in that box:

*hwclock*

Click OK.

Boot to safe mode.

Run Killbox on these files:

*C:\WINDOWS\keyboard41.dat

C:\WINDOWS\system32\qghumeay.dll

C:\WINDOWS\System32\hwclock.exe

C:\Documents and Settings\Esfera\Configuración local\Temp\eijgfgwt.dll

C:\Documents and Settings\Esfera\Configuración local\Temp\nuzlcc.dll*

Reboot back to windows normally and run Kaspersky again and post a new HijackThis log and the log from Kaspersky please.
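Added here as an illustration of how a helper might triage the O23 (service) entries in logs like the ones posted above; this is example code, not something from this thread, from HijackThis, or from any of the tools mentioned. The sample lines are copied from the thread's logs, and the flagging rules (image in a Temp folder, binary missing, "Unknown owner", all-caps random-looking name, vendor string that does not fit the location) are my own assumptions, not rules any of the products apply.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Sample lines taken from the HijackThis logs posted in this thread
# (one non-O23 line included to show that it is ignored).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [PrevxOne] C:\Archivos de programa\Prevx1\PXConsole.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Archivos de programa\ewido anti-malware\ewidoguard.exe
O23 - Service: Hardware Clock Driver (hwclock) - Unknown owner - C:\WINDOWS\System32\hwclock.exe (file missing)
O23 - Service: kavsvc - Kaspersky Lab - C:\Archivos de programa\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\kavsvc.exe
O23 - Service: Prevx Agent (PREVXAgent) - Unknown owner - C:\Archivos de programa\Prevx1\PXAgent.exe" -f (file missing)
O23 - Service: TZZXJPPLMFAICFB - Sysinternals - www.sysinternals.com - C:\DOCUME~1\Esfera\CONFIG~1\Temp\TZZXJPPLMFAICFB.exe
O23 - Service: YAQUVZ - Sysinternals - www.sysinternals.com - C:\DOCUME~1\Esfera\CONFIG~1\Temp\YAQUVZ.exe
"""

O23_PREFIX = "O23 - Service: "
FILE_MISSING = "(file missing)"


@dataclass
class Service:
    display_name: str
    short_name: str
    company: str
    path: str
    file_missing: bool
    flags: List[str] = field(default_factory=list)


def parse_o23(line: str) -> Optional[Service]:
    """Parse one HijackThis O23 line; return None for any other line."""
    line = line.strip()
    if not line.startswith(O23_PREFIX):
        return None
    # Fields are separated by " - ".  The company field can itself contain
    # " - " ("Sysinternals - www.sysinternals.com"), so take the first part
    # as the name, the last as the image path and join the middle as company.
    parts = line[len(O23_PREFIX):].split(" - ")
    if len(parts) < 3:
        return None
    name, company, path = parts[0], " - ".join(parts[1:-1]), parts[-1]
    file_missing = path.endswith(FILE_MISSING)
    if file_missing:
        path = path[: -len(FILE_MISSING)].strip()
    # HijackThis prints the raw ImagePath value, which may carry a stray
    # quote and arguments ('...\PXAgent.exe" -f'); keep only the executable.
    m = re.match(r'"?(.*?\.(?:exe|sys|dll))(?:["\s]|$)', path, re.IGNORECASE)
    if m:
        path = m.group(1)
    # "Display Name (shortname)" -> split; otherwise both are the same.
    m = re.match(r"(.*) \((\S+)\)$", name)
    display, short = (m.group(1), m.group(2)) if m else (name, name)
    return Service(display, short, company, path, file_missing)


def assess(svc: Service) -> List[str]:
    """Heuristic flags (assumptions for this example, not HijackThis rules)."""
    flags = []
    in_temp = re.search(r"\\temp\\", svc.path, re.IGNORECASE) is not None
    if in_temp:
        flags.append("image in a Temp directory")
    if svc.file_missing:
        flags.append("registered but binary missing")
    if svc.company == "Unknown owner":
        flags.append("no publisher")
    if re.fullmatch(r"[A-Z]{6,}", svc.short_name):
        flags.append("random-looking all-caps name")
    # A legitimate vendor string attached to a Temp-folder binary is a
    # classic mismatch: real Sysinternals tools are not services in %TEMP%.
    if in_temp and "sysinternals" in svc.company.lower():
        flags.append("publisher string does not fit location")
    return flags


def triage(log_text: str) -> List[Service]:
    """All O23 services in the log, most-flagged first (stable order)."""
    services = []
    for line in log_text.splitlines():
        svc = parse_o23(line)
        if svc is not None:
            svc.flags = assess(svc)
            services.append(svc)
    services.sort(key=lambda s: len(s.flags), reverse=True)
    return services


def suspicious(log_text: str) -> List[Service]:
    """Only the services that picked up at least one flag."""
    return [s for s in triage(log_text) if s.flags]


if __name__ == "__main__":
    for svc in triage(SAMPLE_LOG):
        marker = "!!" if svc.flags else "ok"
        print(f"{marker} {svc.short_name:<16} {svc.path}")
        for f in svc.flags:
            print(f"      - {f}")
```

On the sample, the four services Cookiegal singles out or that sit in the user's Temp folder are the only ones flagged; the ewido and Kaspersky services come through clean.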


----------



## Cookiegal (Aug 27, 2003)

* *Click here* to download ATF Cleaner by Atribune and save it to your desktop.
* Double-click *ATF-Cleaner.exe* to run the program.
* Under *Main* choose: *Select All*
* Click the *Empty Selected* button.
* *If you use Firefox:*
  * Click *Firefox* at the top and choose: *Select All*
  * Click the *Empty Selected* button.
  * *NOTE:* If you would like to keep your saved passwords, please click *No* at the prompt.
* *If you use Opera:*
  * Click *Opera* at the top and choose: *Select All*
  * Click the *Empty Selected* button.
  * *NOTE:* If you would like to keep your saved passwords, please click *No* at the prompt.
* Click *Exit* on the Main menu to close the program.


----------



## OxfordBarney (Dec 14, 2004)

Ok - I've done as you suggested. The c:\windows\keyboard41.dat didn't exist, and so I deleted c:\windows\keyboard51.dat which happened to exist. I chose this file because the malware had kept changing the number up by 10. After running Kaspersky, no infected objects were found. I also ran ATF Cleaner, and also Look2Me Destroyer. At some stage however, a file called ccapp2.exe became a running process and was sending data over the internet. I downloaded the trial version of Prevx1, and this located the malware and jailed it. I re-booted again and re-ran Prevx1, which found another malware called system.dll in a temporary folder. I therefore re-ran ATF Cleaner.

I have attached the latest WinPFind.txt to this post. Here's also the latest hijackthis log:

Logfile of HijackThis v1.99.1
Scan saved at 18:43:01, on 26/03/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Archivos de programa\ewido anti-malware\ewidoctrl.exe
C:\Archivos de programa\ewido anti-malware\ewidoguard.exe
C:\WINDOWS\Explorer.EXE
C:\Archivos de programa\Prevx1\PXAgent.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\svchost.exe
C:\ARCHIV~1\EzButton\CPATR10.EXE
C:\Archivos de programa\Synaptics\SynTP\SynTPLpr.exe
C:\Archivos de programa\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\System32\sistray.EXE
C:\WINDOWS\System32\khooker.exe
C:\Archivos de programa\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\LTSMMSG.exe
C:\Archivos de programa\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Archivos de programa\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\Archivos de programa\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Archivos de programa\STA Kit ADSL\CnxDslTb.exe
C:\Archivos de programa\Java\jre1.5.0_06\bin\jusched.exe
C:\Archivos de programa\Webroot\Spy Sweeper\SpySweeper.exe
C:\Archivos de programa\Prevx1\PXConsole.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Archivos de programa\Messenger\msmsgs.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Archivos de programa\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Archivos de programa\Internet Explorer\iexplore.exe
C:\Archivos de programa\Internet Explorer\iexplore.exe
C:\Documents and Settings\Esfera\Escritorio\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.google.com/nwshp?hl=en&tab=wn&q=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.beep.es/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\ARCHIV~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Archivos de programa\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\sisUSBrg.exe
O4 - HKLM\..\Run: [CPATR10] C:\ARCHIV~1\EzButton\CPATR10.EXE
O4 - HKLM\..\Run: [SynTPLpr] C:\Archivos de programa\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Archivos de programa\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SiS Tray] C:\WINDOWS\System32\sistray.EXE
O4 - HKLM\..\Run: [SiS KHooker] C:\WINDOWS\System32\khooker.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Archivos de programa\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [LTSMMSG] LTSMMSG.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Archivos de programa\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [CamMonitor] C:\Archivos de programa\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [CnxDslTaskBar] C:\Archivos de programa\STA Kit ADSL\CnxDslTb.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Archivos de programa\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Archivos de programa\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\Run: [KAVPersonal50] "C:\Archivos de programa\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\kav.exe" /minimize
O4 - HKLM\..\Run: [PrevxOne] C:\Archivos de programa\Prevx1\PXConsole.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Archivos de programa\Messenger\msmsgs.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Archivos de programa\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\ARCHIV~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Consola de Sun Java - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.5.0_06\bin\ssv.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.beep.es/
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{D6E7F14B-578C-42DC-B427-468EAE38916F}: NameServer = 194.158.64.9 194.158.64.10
O17 - HKLM\System\CCS\Services\Tcpip\..\{F3EA66DF-AE4D-4865-8F7F-FF7A7CB59334}: NameServer = 194.158.88.2,194.158.64.7
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: ewido security suite control - ewido networks - C:\Archivos de programa\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Archivos de programa\ewido anti-malware\ewidoguard.exe
O23 - Service: kavsvc - Kaspersky Lab - C:\Archivos de programa\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\kavsvc.exe
O23 - Service: Prevx Agent (PREVXAgent) - Unknown owner - C:\Archivos de programa\Prevx1\PXAgent.exe" -f (file missing)
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Archivos de programa\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: TZZXJPPLMFAICFB - Sysinternals - www.sysinternals.com - C:\DOCUME~1\Esfera\CONFIG~1\Temp\TZZXJPPLMFAICFB.exe
O23 - Service: UWCCMFXRQPO - Sysinternals - www.sysinternals.com - C:\DOCUME~1\Esfera\CONFIG~1\Temp\UWCCMFXRQPO.exe
O23 - Service: VNKRUWT - Sysinternals - www.sysinternals.com - C:\DOCUME~1\Esfera\CONFIG~1\Temp\VNKRUWT.exe
O23 - Service: YAQUVZ - Sysinternals - www.sysinternals.com - C:\DOCUME~1\Esfera\CONFIG~1\Temp\YAQUVZ.exe
O23 - Service: ZXKWTMZMQLA - Sysinternals - www.sysinternals.com - C:\DOCUME~1\Esfera\CONFIG~1\Temp\ZXKWTMZMQLA.exe


----------



## OxfordBarney (Dec 14, 2004)

Here is the WinPFind.txt file attached to this post that I promised in my last post. I am still getting attacked constantly from the internet (the last one-hour session saw 250 attacks), in the form Intrusion.Win.LSASS.exploit, but these attacks are being repelled successfully by Kaspersky. I have amended my hosts file through MVPS. However, I am anxious to upgrade my system to SP2 and fully patch it, but I'll await your go-ahead since I understand that the system must be completely clean before doing so.


----------



## Cookiegal (Aug 27, 2003)

Go to *Start * *Run * type in *redegit *and then click OK.

Navigate to this value in the registry

HKEY_LOCAL_MACHINE\Software\Microsoft\*OLE*

Right click on the *OLE *value and choose export. Save it to your desktop in case something goes wrong. This will serve as a back up and you will just have to double click on it and allow it to enter the registry but *only if needed*.

Now, in the right-hand pane, double click on Enable DCOM and a dialog box will open up. You will see just the letter *N* there. Change the N to a *Y *and click OK

In the same window, right click on:

*Antivirus Protection Services*

and select delete

Boot to safe mode and run Killbox on these items:

*C:\WINDOWS\System32\ccapp2.exe

C:\WINDOWS\SYSTEM32\TFTP3216*

Reboot and post another HijackThis log please.


----------



## OxfordBarney (Dec 14, 2004)

OK - I've done those things and booted up again. I'm still getting the internet attacks although they are being repelled by Kaspersky (this one is "Network attack Intrusion.Win.LSASS.ASN1-kill-bill.exploit from address 194.158.65.43"). Already 12 network attacks since booting up. Here's my hijackthis log:

Logfile of HijackThis v1.99.1
Scan saved at 21:26:37, on 26/03/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Archivos de programa\ewido anti-malware\ewidoctrl.exe
C:\Archivos de programa\ewido anti-malware\ewidoguard.exe
C:\WINDOWS\Explorer.EXE
C:\Archivos de programa\Prevx1\PXAgent.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\svchost.exe
C:\Archivos de programa\Webroot\Spy Sweeper\WRSSSDK.exe
C:\ARCHIV~1\EzButton\CPATR10.EXE
C:\Archivos de programa\Synaptics\SynTP\SynTPLpr.exe
C:\Archivos de programa\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\System32\sistray.EXE
C:\WINDOWS\System32\khooker.exe
C:\Archivos de programa\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\LTSMMSG.exe
C:\Archivos de programa\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Archivos de programa\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\Archivos de programa\STA Kit ADSL\CnxDslTb.exe
C:\Archivos de programa\Java\jre1.5.0_06\bin\jusched.exe
C:\Archivos de programa\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Archivos de programa\Webroot\Spy Sweeper\SpySweeper.exe
C:\Archivos de programa\Prevx1\PXConsole.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Archivos de programa\Messenger\msmsgs.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Archivos de programa\Internet Explorer\iexplore.exe
C:\Documents and Settings\Esfera\Escritorio\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.google.com/nwshp?hl=en&tab=wn&q=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.beep.es/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\ARCHIV~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Archivos de programa\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\sisUSBrg.exe
O4 - HKLM\..\Run: [CPATR10] C:\ARCHIV~1\EzButton\CPATR10.EXE
O4 - HKLM\..\Run: [SynTPLpr] C:\Archivos de programa\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Archivos de programa\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SiS Tray] C:\WINDOWS\System32\sistray.EXE
O4 - HKLM\..\Run: [SiS KHooker] C:\WINDOWS\System32\khooker.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Archivos de programa\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [LTSMMSG] LTSMMSG.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Archivos de programa\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [CamMonitor] C:\Archivos de programa\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [CnxDslTaskBar] C:\Archivos de programa\STA Kit ADSL\CnxDslTb.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Archivos de programa\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Archivos de programa\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\Run: [KAVPersonal50] "C:\Archivos de programa\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\kav.exe" /minimize
O4 - HKLM\..\Run: [PrevxOne] C:\Archivos de programa\Prevx1\PXConsole.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Archivos de programa\Messenger\msmsgs.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Archivos de programa\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\ARCHIV~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Consola de Sun Java - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.5.0_06\bin\ssv.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.beep.es/
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{D6E7F14B-578C-42DC-B427-468EAE38916F}: NameServer = 194.158.64.9 194.158.64.10
O17 - HKLM\System\CCS\Services\Tcpip\..\{F3EA66DF-AE4D-4865-8F7F-FF7A7CB59334}: NameServer = 194.158.88.2,194.158.64.7
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: ewido security suite control - ewido networks - C:\Archivos de programa\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Archivos de programa\ewido anti-malware\ewidoguard.exe
O23 - Service: kavsvc - Kaspersky Lab - C:\Archivos de programa\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\kavsvc.exe
O23 - Service: Prevx Agent (PREVXAgent) - Unknown owner - C:\Archivos de programa\Prevx1\PXAgent.exe" -f (file missing)
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Archivos de programa\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: TZZXJPPLMFAICFB - Sysinternals - www.sysinternals.com - C:\DOCUME~1\Esfera\CONFIG~1\Temp\TZZXJPPLMFAICFB.exe
O23 - Service: UWCCMFXRQPO - Sysinternals - www.sysinternals.com - C:\DOCUME~1\Esfera\CONFIG~1\Temp\UWCCMFXRQPO.exe
O23 - Service: VNKRUWT - Sysinternals - www.sysinternals.com - C:\DOCUME~1\Esfera\CONFIG~1\Temp\VNKRUWT.exe
O23 - Service: YAQUVZ - Sysinternals - www.sysinternals.com - C:\DOCUME~1\Esfera\CONFIG~1\Temp\YAQUVZ.exe
O23 - Service: ZXKWTMZMQLA - Sysinternals - www.sysinternals.com - C:\DOCUME~1\Esfera\CONFIG~1\Temp\ZXKWTMZMQLA.exe


----------



## Cookiegal (Aug 27, 2003)

As long as those are incoming and Kaspersky is repelling them, you are fine. Those attacks are because of vulnerabilities that haven't been patched.

Now you need to get this computer patched as quickly as possible.


Are you having any other issues?


----------



## OxfordBarney (Dec 14, 2004)

I don't see any other issues right now. Thank you very much! The computer feels so much better - just fine now. Shall I go ahead and upgrade to SP2 next and then make sure all patches are installed, or should I patch SP1 using Automatic Updates first, and then upgrade to SP2? I also defragged the hard drive last night, and I'll lock the hosts file (although I know that some of these viruses can get through the lock), which I have already modified using MVPS.


----------



## Cookiegal (Aug 27, 2003)

You can go right to SP2 and then go for any additional critical updates.

Before you do that, you should flush out all previous restore points and create a new one.

To turn off system restore, on the Desktop, right click on *My Computer* and click on *Properties.*
Click the *System Restore* tab.
Check *Turn off System Restore.*
Click Apply and then click OK.

Restart your computer, turn System Restore back on and create a restore point.

To create a new restore point, click on *Start* - *All Programs* - *Accessories* - *System Tools* and then select *System Restore*.

In the System Restore wizard, select *Create a restore point* and click the Next button.

Type a name for your new restore point then click on Create.

I also recommend downloading *SPYWAREBLASTER & SPYWAREGUARD* for added protection.

*Read here* for info on how to tighten your security.


----------



## OxfordBarney (Dec 14, 2004)

OK - I've flushed the system restore. I ran a Kaspersky scan and Panda Scan to make sure that the system is clear before I upgrade to SP2. Kaspersky showed nothing, but Panda showed the following:

| Incident | Status | Location |
|---|---|---|
| Adware:adware/dollarrevenue | Not disinfected | C:\WINDOWS\newname.dat |

ccapp2.exe again tried to start, but Prevx1 blocked and jailed it.

Am I still safe to upgrade to SP2 now? Would the upgrade prevent this recurring infection?


----------



## Cookiegal (Aug 27, 2003)

I would say go ahead and install SP2 at this point. Until the system is patched, all kinds of infections will try to penetrate through the vulnerabilities. Once you've done that go to Microsoft and get all of the critical updates.

Let us know how it goes please.


----------



## OxfordBarney (Dec 14, 2004)

Ok - thank you. I went ahead and upgraded to SP2. It required that I patch SP1 first, which I did. I upgraded, and then patched the SP2 upgrade as well. I did a PandaScan, and it came up clean. The internet attacks subsided, but I still get the odd one which is repelled by Kaspersky. The latest is from today: Intrusion.Win.MSSQL.worm.Helkern. Should I keep Kaspersky just because of these attacks? I'd prefer to use AVG Free Edition for obvious reasons, and Microsoft AntiSpyware. Of course the Spybot S&D, SpywareBlaster, and Ad-Aware SE will stay. Many thanks for your kindest help.


----------



## OxfordBarney (Dec 14, 2004)

Here's my post-SP2 installation hijackthis log:

Logfile of HijackThis v1.99.1
Scan saved at 15:32:41, on 30/03/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Archivos de programa\ewido anti-malware\ewidoctrl.exe
C:\Archivos de programa\ewido anti-malware\ewidoguard.exe
C:\WINDOWS\Explorer.EXE
C:\Archivos de programa\Prevx1\PXAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\ARCHIV~1\EzButton\CPATR10.EXE
C:\Archivos de programa\Synaptics\SynTP\SynTPLpr.exe
C:\Archivos de programa\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\System32\sistray.EXE
C:\WINDOWS\System32\khooker.exe
C:\Archivos de programa\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\LTSMMSG.exe
C:\Archivos de programa\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Archivos de programa\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\Archivos de programa\STA Kit ADSL\CnxDslTb.exe
C:\Archivos de programa\Java\jre1.5.0_06\bin\jusched.exe
C:\Archivos de programa\Prevx1\PXConsole.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Archivos de programa\Messenger\msmsgs.exe
C:\Archivos de programa\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Archivos de programa\SpywareGuard\sgmain.exe
C:\Archivos de programa\SpywareGuard\sgbhp.exe
C:\Archivos de programa\Internet Explorer\iexplore.exe
C:\Archivos de programa\Internet Explorer\iexplore.exe
C:\Documents and Settings\Esfera\Escritorio\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.google.com/nwshp?hl=en&tab=wn&q=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.beep.es/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Archivos de programa\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\ARCHIV~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Archivos de programa\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\sisUSBrg.exe
O4 - HKLM\..\Run: [CPATR10] C:\ARCHIV~1\EzButton\CPATR10.EXE
O4 - HKLM\..\Run: [SynTPLpr] C:\Archivos de programa\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Archivos de programa\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SiS Tray] C:\WINDOWS\System32\sistray.EXE
O4 - HKLM\..\Run: [SiS KHooker] C:\WINDOWS\System32\khooker.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Archivos de programa\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [LTSMMSG] LTSMMSG.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Archivos de programa\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [CamMonitor] C:\Archivos de programa\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [CnxDslTaskBar] C:\Archivos de programa\STA Kit ADSL\CnxDslTb.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Archivos de programa\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [KAVPersonal50] "C:\Archivos de programa\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\kav.exe" /minimize
O4 - HKLM\..\Run: [PrevxOne] C:\Archivos de programa\Prevx1\PXConsole.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Archivos de programa\Messenger\msmsgs.exe" /background
O4 - Startup: SpywareGuard.lnk = C:\Archivos de programa\SpywareGuard\sgmain.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Archivos de programa\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\ARCHIV~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Consola de Sun Java - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.beep.es/
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1143556175876
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1143556129830
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{D6E7F14B-578C-42DC-B427-468EAE38916F}: NameServer = 194.158.64.9 194.158.64.10
O17 - HKLM\System\CCS\Services\Tcpip\..\{F3EA66DF-AE4D-4865-8F7F-FF7A7CB59334}: NameServer = 194.158.88.2,194.158.64.7
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: ewido security suite control - ewido networks - C:\Archivos de programa\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Archivos de programa\ewido anti-malware\ewidoguard.exe
O23 - Service: kavsvc - Kaspersky Lab - C:\Archivos de programa\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\kavsvc.exe
O23 - Service: Prevx Agent (PREVXAgent) - Unknown owner - C:\Archivos de programa\Prevx1\PXAgent.exe" -f (file missing)
O23 - Service: TZZXJPPLMFAICFB - Sysinternals - www.sysinternals.com - C:\DOCUME~1\Esfera\CONFIG~1\Temp\TZZXJPPLMFAICFB.exe
O23 - Service: UWCCMFXRQPO - Sysinternals - www.sysinternals.com - C:\DOCUME~1\Esfera\CONFIG~1\Temp\UWCCMFXRQPO.exe
O23 - Service: VNKRUWT - Sysinternals - www.sysinternals.com - C:\DOCUME~1\Esfera\CONFIG~1\Temp\VNKRUWT.exe
O23 - Service: YAQUVZ - Sysinternals - www.sysinternals.com - C:\DOCUME~1\Esfera\CONFIG~1\Temp\YAQUVZ.exe
O23 - Service: ZXKWTMZMQLA - Sysinternals - www.sysinternals.com - C:\DOCUME~1\Esfera\CONFIG~1\Temp\ZXKWTMZMQLA.exe


----------



## OxfordBarney (Dec 14, 2004)

Also, my system is running quite a bit slower.


----------



## Cookiegal (Aug 27, 2003)

You have two anti-virus programs and should remove one of them, probably PrevX, as they can cause conflicts. I think Kaspersky is a superior product.

If you install a firewall such as Zone Alarm free, those attacks should be kept at bay. Attacks are normal and as long as they are being repelled, then all is well.

What do you have in the way of resources? RAM? I'm sorry if this has already been asked but didn't read back through the entire thread.


----------



## OxfordBarney (Dec 14, 2004)

OK - I'll uninstall Prevx and add Zone Alarm. My RAM is 224 MB.


----------



## Cookiegal (Aug 27, 2003)

Thanks. That's not much RAM to run XP on, even though it meets the minimum requirements. Has this started since you upgraded to SP2?

How much free hard disk space do you have?


----------



## OxfordBarney (Dec 14, 2004)

I have 19.3 GB out of a total of 27.9 GB available. After I installed SP2 the computer took quite a bit of time to increase virtual memory. I have also now uninstalled Ewido, figuring that ZoneAlarm and Kaspersky will be plenty. However, when Kaspersky expires, I may replace it with AVG Free Edition. What do you think? There is also the possibility of Microsoft Antispyware.


----------



## rainforest123 (Dec 29, 2004)

Microsoft AS has been replaced by Windows Defender, which I do not like.

Complete protection involves a firewall [ZA], AV [Kaspersky or AVG] & anti-spyware. You may have to spend $20 or $30 for Spy Sweeper. SS had a $10 discount earlier this week, which may still be available. Try www.webroot.com.

I haven't read all 10 pages of this thread. Someone has probably recommended that, after you resolve these infections & infestations, you upgrade to SP2 & all other critical XP updates. Also, use a browser such as Firefox as much as possible.
You can add some protection with SpywareGuard & SpywareBlaster [www.javacoolosoftware.com], and a modified hosts file: http://www.mvps.org/winhelp2002/hosts.htm

Even the OEMs, such as HP, are recommending a minimum of 256 MB for XP SP2. The minimum requirements for a computer are like a vehicle meeting the minimum requirements to travel between Paris & Madrid using a wheeled vehicle. A unicycle would do, but the journey would take a long time.

You might have 256 MB, 32 MB of which being used by your video card.

Add another 256 MB, if your budget permits.

RF123


----------



## Cookiegal (Aug 27, 2003)

I will say that Kaspersky is the superior product but if you want to go with AVG that would be fine.

You definitely need to add more RAM for better performance.

Do you defrag regularly?


----------



## OxfordBarney (Dec 14, 2004)

Thank you for all of that information. It's greatly appreciated.

I do defrag regularly, and so the problem may indeed be with the RAM being reduced by a video card or some other device. I think I'll live with the slower speed, since the computer is old and I definitely want SP2 for added security. I think I'll load ZoneAlarm free onto my other computers after this, in spite of the fact that SP2 has its own firewall built in.


----------



## Cookiegal (Aug 27, 2003)

You're welcome. :up:

It is best to use a third party firewall like Zone Alarm as the XP firewall only blocks incoming packets.

Now you should turn system restore off to flush out all previous system restore points, then turn it back on and create a new restore point:

To turn off system restore, on the Desktop, right click on *My Computer* and click on *Properties.*
Click the *System Restore* tab.
Check *Turn off System Restore.*
Click Apply and then click OK.

Restart your computer, turn System Restore back on and create a restore point.

To create a new restore point, click on *Start* - *All Programs* - *Accessories* - *System Tools* and then select *System Restore*.

In the System Restore wizard, select *Create a restore point* and click the Next button.

Type a name for your new restore point then click on Create.

I also recommend downloading *SPYWAREBLASTER* for added protection.

*Read here* for info on how to tighten your security.


----------



## rainforest123 (Dec 29, 2004)

I agree with all CG has noted. I suggested AVG Free because it is free. I have no experience with Kaspersky.

Use Firefox, as much as possible, instead of IE. Some pages, such as Microsoft's update site, won't display properly unless IE is used. At present IE has a large flaw, that may not be patched until 11 April 2006. http://news.zdnet.com/2100-1009_22-6052396.html

RF123


----------



## OxfordBarney (Dec 14, 2004)

OK - Once again thank you very much for all of your help.
OxfordBarney


----------



## Cookiegal (Aug 27, 2003)

It's our pleasure! :up:


----------



## Cookiegal (Aug 27, 2003)

*As this issue is resolved, I'm closing this thread. If you need it reopened, please contact me or one of the other Moderators.

Anyone else with a similar problem, please start a new thread.*


----------

