
Solved: remove ADWARE-VIRTUMUNDO found in a .dll file

Discussion in 'Virus & Other Malware Removal' started by Newnewone, Jan 20, 2006.

  1. Newnewone

    Newnewone Thread Starter

    Joined:
    Jan 20, 2006
    Messages:
    13
    I'm running McAfee Managed VirusScan, which detects adware-virtumundo in Ddaby.dll at C:/Windows/System32. I can't remove it. I have looked at the threads relating to this problem, but having run HijackThis the file doesn't appear in the log, as in other enquiries at the techguy forum.


    Logfile of HijackThis v1.99.1
    Scan saved at 17:52:54, on 20/01/2006
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Archivos de programa\McAfee\Managed Firewall\MpfService.exe
    C:\Archivos de programa\McAfee\Managed VirusScan\Agent\myAgtSvc.exe
    C:\Archivos de programa\Network Monitor\netmon.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\snmp.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\Explorer.EXE
    C:\windows\system\hpsysdrv.exe
    C:\HP\KBD\KBD.EXE
    C:\Archivos de programa\Archivos comunes\Microsoft Shared\Works Shared\WkUFind.exe
    C:\Archivos de programa\QuickTime\qttask.exe
    C:\Archivos de programa\McAfee\Managed VirusScan\Agent\myagttry.exe
    C:\ARCHIV~1\McAfee\MANAGE~1\VScan\McShield.exe
    C:\Archivos de programa\McAfee\Managed Firewall\MpfTray.exe
    C:\WINDOWS\System32\rundll32.exe
    C:\Archivos de programa\McAfee\Managed VirusScan\Agent\HtmlDlg.Exe
    C:\Archivos de programa\Internet Explorer\iexplore.exe
    C:\Documents and Settings\BUHO.PATA-BUHO\Configuración local\Temp\Directorio temporal 1 para hijackthis[1].zip\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.telefonica.net/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.wanadoo.es
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-es7.hpwis.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-es7.hpwis.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://es7.hpwis.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
    O2 - BHO: ATLDistrib Object - {83A5F7B7-DC75-44CE-9195-264F41709FA9} - C:\WINDOWS\System32\ddaby.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
    O4 - HKLM\..\Run: [StorageGuard] "C:\Archivos de programa\VERITAS Software\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded
    O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
    O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Archivos de programa\Archivos comunes\Microsoft Shared\Works Shared\WkUFind.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Archivos de programa\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [enewsletterpro] C:\windows\enewsletterpro.exe
    O4 - HKLM\..\Run: [ccRegVfy] C:\Archivos de programa\Archivos comunes\Symantec Shared\ccRegVfy.exe
    O4 - HKLM\..\Run: [McAfee Managed Services Tray] "C:\Archivos de programa\McAfee\Managed VirusScan\Agent\myagttry.exe"
    O4 - HKLM\..\Run: [MVS Splash] C:\ARCHIV~1\McAfee\MANAGE~1\VScan\Splash.exe
    O4 - HKLM\..\Run: [MpfTray] C:\Archivos de programa\McAfee\Managed Firewall\MpfTray.exe
    O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
    O4 - HKCU\..\Run: [MSMSGS] "C:\Archivos de programa\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Sygate Personal Firewall] Slinder.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Archivos de programa\Microsoft Office\Office10\OSA.EXE
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O14 - IERESET.INF: START_PAGE_URL=http://www.wanadoo.es
    O16 - DPF: {40C83AF8-FEA7-4A6A-A470-431EE84A0886} (SecureObjectFactory Class) - http://descargaseguridad.telefonica.terra.es/VS2/bin/myCioAgt.20051213115437.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1137628905328
    O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/mcfscan/2,1,0,4672/mcfscan.cab
    O16 - DPF: {FAACB119-D8DD-4F91-9AE9-9CDE6FD230DB} (CentroSeguridad Class) - https://centroseguridad.telefonica.terra.es/central/CentroSeguridad.cab
    O18 - Protocol: myrm - {4D034FC3-013F-4B95-B544-44D49ABE3E76} - C:\Archivos de programa\McAfee\Managed VirusScan\Agent\MyRmProt3.5.0.478.dll
    O20 - Winlogon Notify: ddaby - C:\WINDOWS\System32\ddaby.dll
    O20 - Winlogon Notify: Syncmgr - C:\WINDOWS\system32\lvlm0931e.dll
    O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\R29uemFsbyBDZWJhbGxvcyBXYXRsaW5n\command.exe (file missing)
    O23 - Service: McShield - McAfee Inc. - C:\ARCHIV~1\McAfee\MANAGE~1\VScan\McShield.exe
    O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\Archivos de programa\McAfee\Managed Firewall\MpfService.exe
    O23 - Service: McAfee Managed Services Agent (myAgtSvc) - McAfee, Inc. - C:\Archivos de programa\McAfee\Managed VirusScan\Agent\myAgtSvc.exe
    O23 - Service: Network Monitor - Unknown owner - C:\Archivos de programa\Network Monitor\netmon.exe
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
     
  2. khazars

    khazars

    Joined:
    Feb 15, 2004
    Messages:
    12,302
    Please download VundoFix (http://www.atribune.org/ccount/click.php?id=4) to your desktop.
    · Double-click VundoFix.exe to run it.
    · Click the Scan for Vundo button.
    · Once it's done scanning, click the Remove Vundo button.
    · You will receive a prompt asking if you want to remove the files, click YES
    · Once you click yes, your desktop will go blank as it starts removing Vundo.
    · When completed, it will prompt that it will shutdown your computer, click OK.
    · Turn your computer back on.



    Download L2mfix from one of these two locations:


    http://www.atribune.org/downloads/l2mfix.exe
    http://www.downloads.subratam.org/l2mfix.exe


    Save the file to your desktop and double click l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop. Double click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing enter. This will scan your computer and it may appear nothing is happening, then, after a minute or 2, notepad will open with a log. Copy the contents of that log and paste it into this thread.


    IMPORTANT: Do NOT run option #2 OR any other files in the l2mfix folder until you are asked to do so!


    If you receive, while running option #1, an error similar to "C:\windows\system32\cmd.exe C:\windows\system32\autoexec.nt: the system file is not suitable for running MS-DOS and Microsoft Windows applications. Choose 'Close' to terminate the application", then please use option 5 or the web page link in the l2mfix folder to solve this error condition. Do not run the fix portion without fixing this first.



    · Please post the contents of C:\vundofix.txt, a new HijackThis log and the l2mfix log.
     
  3. Newnewone

    Newnewone Thread Starter

    Joined:
    Jan 20, 2006
    Messages:
    13
    I think I've done as instructed. Here is the log file.
    Thanks
    L2MFIX find log 010406
    These are the registry keys present
    **********************************************************************************
    Winlogon/notify:
    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
    "Asynchronous"=dword:00000000
    "DllName"=""
    "Impersonate"=dword:00000000
    "Logon"="WinLogon"
    "Logoff"="WinLogoff"
    "Shutdown"="WinShutdown"

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Applets]
    "Asynchronous"=dword:00000000
    "DllName"="C:\\WINDOWS\\system32\\lvlm0931e.dll"
    "Impersonate"=dword:00000000
    "Logon"="WinLogon"
    "Logoff"="WinLogoff"
    "Shutdown"="WinShutdown"

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ddaby]
    "Asynchronous"=dword:00000001
    "DllName"="C:\\WINDOWS\\System32\\ddaby.dll"
    "Impersonate"=dword:00000000
    "Startup"="SysLogon"
    "Logoff"="SysLogoff"

    **********************************************************************************
    useragent:
    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
    "{B5C0879F-9D3B-01F8-7CD2-B40DFAADB3AD}"=""

    **********************************************************************************
    Shell Extension key:
    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
    "{00022613-0000-0000-C000-000000000046}"="Hoja de propiedades de archivos multimedia"
    "{176d6597-26d3-11d1-b350-080036a75b03}"="Administraci¢n de esc*ner ICM"
    "{1F2E5C40-9550-11CE-99D2-00AA006E086C}"="P*gina de seguridad NTFS"
    "{3EA48300-8CF6-101B-84FB-666CCB9BCD32}"="P*gina de propiedades del archivo de documentos OLE"
    "{40dd6e20-7c17-11ce-a804-00aa003ca9f6}"="Extensiones de interfaz para uso compartido"
    "{41E300E0-78B6-11ce-849B-444553540000}"="PlusPack CPL Extension"
    "{42071712-76d4-11d1-8b24-00a0c9068ff3}"="Extensi¢n CPL del adaptador de pantalla"
    "{42071713-76d4-11d1-8b24-00a0c9068ff3}"="Extensi¢n CPL del monitor de pantalla"
    "{42071714-76d4-11d1-8b24-00a0c9068ff3}"="Extensi¢n de paneo de pantalla del Panel de control"
    "{4E40F770-369C-11d0-8922-00A024AB2DBB}"="P*gina de seguridad DS"
    "{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"="P*gina de compatibilidad"
    "{56117100-C0CD-101B-81E2-00AA004AE837}"="Shell Scrap DataHandler"
    "{59099400-57FF-11CE-BD94-0020AF85B590}"="Extensi¢n de copia de discos"
    "{59be4990-f85c-11ce-aff7-00aa003ca9f6}"="Extensiones del shell para objetos de la red de Microsoft Windows"
    "{5DB2625A-54DF-11D0-B6C4-0800091AA605}"="Administraci¢n de monitor ICM"
    "{675F097E-4C4D-11D0-B6C1-0800091AA605}"="Administraci¢n de impresora ICM"
    "{764BF0E1-F219-11ce-972D-00AA00A14F56}"="Extensiones del shell para compresi¢n de archivos"
    "{77597368-7b15-11d0-a0c2-080036af3f03}"="Extensi¢n del shell de impresora en Web"
    "{7988B573-EC89-11cf-9C00-00AA00A14F56}"="Disk Quota UI"
    "{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}"="Men£ de contexto de cifrado"
    "{85BBD920-42A0-1069-A2E4-08002B30309D}"="Malet¡n"
    "{88895560-9AA2-1069-930E-00AA0030EBC8}"="Extensi¢n de icono de HyperTerminal"
    "{BD84B380-8CA2-1069-AB1D-08000948F534}"="Fuentes"
    "{DBCE2480-C732-101B-BE72-BA78E9AD5B27}"="Perfil de ICC"
    "{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}"="P*gina de seguridad de impresoras"
    "{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"="Extensiones de interfaz para uso compartido"
    "{f92e8c40-3d33-11d2-b1aa-080036a75b03}"="Display TroubleShoot CPL Extension"
    "{7444C717-39BF-11D1-8CD9-00C04FC29D45}"="Extensi¢n PKO cifrada"
    "{7444C719-39BF-11D1-8CD9-00C04FC29D45}"="Extensi¢n de firma cifrada"
    "{7007ACC7-3202-11D1-AAD2-00805FC1270E}"="Conexiones de red"
    "{992CFFA0-F557-101A-88EC-00DD010CCC48}"="Conexiones de red"
    "{E211B736-43FD-11D1-9EFB-0000F8757FCD}"="&C*maras y esc*neres"
    "{FB0C9C8A-6C50-11D1-9F1D-0000F8757FCD}"="&C*maras y esc*neres"
    "{905667aa-acd6-11d2-8080-00805f6596d2}"="&C*maras y esc*neres"
    "{3F953603-1008-4f6e-A73A-04AAC7A992F1}"="&C*maras y esc*neres"
    "{83bbcbf3-b28a-4919-a5aa-73027445d672}"="&C*maras y esc*neres"
    "{F0152790-D56E-4445-850E-4F3117DB740C}"="Remote Sessions CPL Extension"
    "{5F327514-6C5E-4d60-8F16-D07FA08A78ED}"="Auto Update Property Sheet Extension"
    "{60254CA5-953B-11CF-8C96-00AA00B8708C}"="Extensiones del shell para Windows Script Host"
    "{2206CDB2-19C1-11D1-89E0-00C04FD7A829}"="V¡nculos a datos de Microsoft"
    "{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Icon Handler"
    "{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Shell Extension"
    "{D6277990-4C6A-11CF-8D87-00AA0060F5BF}"="Tareas programadas"
    "{0DF44EAA-FF21-4412-828E-260A8728E7F1}"="Barra de tareas y men£ Inicio"
    "{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0}"="Buscar"
    "{2559a1f1-21d7-11d4-bdaf-00c04f60b9f0}"="Ayuda y soporte t‚cnico"
    "{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0}"="Ayuda y soporte t‚cnico"
    "{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0}"="Ejecutar..."
    "{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0}"="Internet"
    "{2559a1f5-21d7-11d4-bdaf-00c04f60b9f0}"="Correo electr¢nico"
    "{D20EA4E1-3957-11d2-A40B-0C5020524152}"="Fuentes"
    "{D20EA4E1-3957-11d2-A40B-0C5020524153}"="Herramientas administrativas"
    "{875CB1A1-0F29-45de-A1AE-CFB4950D0B78}"="Audio Media Properties Handler"
    "{40C3D757-D6E4-4b49-BB41-0E5BBEA28817}"="Video Media Properties Handler"
    "{E4B29F9D-D390-480b-92FD-7DDB47101D71}"="Wav Properties Handler"
    "{87D62D94-71B3-4b9a-9489-5FE6850DC73E}"="Avi Properties Handler"
    "{A6FD9E45-6E44-43f9-8644-08598F5A74D9}"="Midi Properties Handler"
    "{c5a40261-cd64-4ccf-84cb-c394da41d590}"="Video Thumbnail Extractor"
    "{5E6AB780-7743-11CF-A12B-00AA004AE837}"="Barra de herramientas de Microsoft Internet"
    "{22BF0C20-6DA7-11D0-B373-00A0C9034938}"="Estado de la descarga"
    "{91EA3F8B-C99B-11d0-9815-00C04FD91972}"="Carpeta Shell aumentada"
    "{6413BA2C-B461-11d1-A18A-080036B11A03}"="Carpeta 2 Shell aumentada"
    "{F61FFEC1-754F-11d0-80CA-00AA005B4383}"="BandProxy"
    "{7BA4C742-9E81-11CF-99D3-00AA004AE837}"="Banda del explorador de Microsoft"
    "{30D02401-6A81-11d0-8274-00C04FD5AE38}"="Banda de b£squeda"
    "{32683183-48a0-441b-a342-7c2a440a9478}"="Banda multimedia"
    "{169A0691-8DF9-11d1-A1C4-00C04FD75D13}"="B£squeda en panel"
    "{07798131-AF23-11d1-9111-00A0C98BA67D}"="B£squeda Web"
    "{AF4F6510-F982-11d0-8595-00AA004CD6D8}"="Utilidad de opciones del *rbol de Registro"
    "{01E04581-4EEE-11d0-BFE9-00AA005B4383}"="&Direcci¢n"
    "{A08C11D2-A228-11d0-825B-00AA005B4383}"="Cuadro de la direcci¢n"
    "{00BB2763-6A77-11D0-A535-00C04FD7D062}"="Autocompletar de Microsoft"
    "{7376D660-C583-11d0-A3A5-00C04FD706EC}"="TridentImageExtractor"
    "{6756A641-DE71-11d0-831B-00AA005B4383}"="Lista autocompleta MRU"
    "{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A}"="Lista autocompleta MRU personalizada"
    "{7e653215-fa25-46bd-a339-34a2790f3cb7}"="Accessible"
    "{acf35015-526e-4230-9596-becbe19f0ac9}"="Barra de progreso emergente"
    "{E0E11A09-5CB8-4B6C-8332-E00720A168F2}"="Analizador de Barra de direcciones"
    "{00BB2764-6A77-11D0-A535-00C04FD7D062}"="Lista autocompleta de la historia de Microsoft"
    "{03C036F1-A186-11D0-824A-00AA005B4383}"="Lista autocompleta de la carpeta Shell de Microsoft"
    "{00BB2765-6A77-11D0-A535-00C04FD7D062}"="Contenedor de la Lista m£ltiple de Microsoft"
    "{ECD4FC4E-521C-11D0-B792-00A0C90312E1}"="Men£ de sitio de bandas Shell"
    "{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}"="Shell DeskBarApp"
    "{ECD4FC4C-521C-11D0-B792-00A0C90312E1}"="Barra de escritorio Shell"
    "{ECD4FC4D-521C-11D0-B792-00A0C90312E1}"="Shell Rebar BandSite"
    "{DD313E04-FEFF-11d1-8ECD-0000F87A470C}"="Asistencia al usuario"
    "{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}"="Configuraci¢n de carpeta global"
    "{EFA24E61-B078-11d0-89E4-00C04FC9E26E}"="Favorites Band"
    "{0A89A860-D7B1-11CE-8350-444553540000}"="Shell Automation Inproc Service"
    "{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}"="Shell DocObject Viewer"
    "{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}"="Microsoft Browser Architecture"
    "{FBF23B40-E3F0-101B-8488-00AA003E56F8}"="InternetShortcut"
    "{3C374A40-BAE4-11CF-BF7D-00AA006946EE}"="Servicio de Historial de las direcciones URL de Microsoft"
    "{FF393560-C2A7-11CF-BFF4-444553540000}"="Historial"
    "{7BD29E00-76C1-11CF-9DD0-00A0C9034933}"="Archivos temporales de Internet"
    "{7BD29E01-76C1-11CF-9DD0-00A0C9034933}"="Archivos temporales de Internet"
    "{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"="Hook de b£squeda de direcciones URL de Microsoft"
    "{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}"="Pantalla de bienvenida de IE4 Suite"
    "{67EA19A0-CCEF-11d0-8024-00C04FD75D13}"="CDF Extension Copy Hook"
    "{131A6951-7F78-11D0-A979-00C04FD705A2}"="ISFBand OC"
    "{9461b922-3c5a-11d2-bf8b-00c04fb93661}"="Search Assistant OC"
    "{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}"="Internet"
    "{871C5380-42A0-1069-A2EA-08002B30309D}"="Internet Name Space"
    "{EFA24E64-B078-11d0-89E4-00C04FC9E26E}"="Banda de Explorador"
    "{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
    "{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
    "{88C6C381-2E85-11D0-94DE-444553540000}"="Carpeta del cach‚ de ActiveX"
    "{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"="WebCheck"
    "{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}"="Subscription Mgr"
    "{F5175861-2688-11d0-9C5E-00AA00A45957}"="Carpeta de suscripciones"
    "{08165EA0-E946-11CF-9C87-00AA005127ED}"="WebCheckWebCrawler"
    "{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB}"="WebCheckChannelAgent"
    "{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7}"="TrayAgent"
    "{7D559C10-9FE9-11d0-93F7-00AA0059CE02}"="Code Download Agent"
    "{E6CC6978-6B6E-11D0-BECA-00C04FD940BE}"="ConnectionAgent"
    "{D8BD2030-6FC9-11D0-864F-00AA006809D9}"="PostAgent"
    "{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB}"="WebCheck SyncMgr Handler"
    "{352EC2B7-8B9A-11D1-B8AE-006008059382}"="Administrador de aplicaciones de Shell"
    "{0B124F8F-91F0-11D1-B8B5-006008059382}"="Enumerador de aplicaciones instaladas"
    "{CFCCC7A0-A282-11D1-9082-006008059382}"="Darwin App Publisher"
    "{e84fda7c-1d6a-45f6-b725-cb260c236066}"="Shell Image Verbs"
    "{66e4e4fb-f385-4dd0-8d74-a2efd1bc6178}"="Shell Image Data Factory"
    "{3F30C968-480A-4C6C-862D-EFC0897BB84B}"="Extractor de vistas en miniatura de archivos GDI+"
    "{9DBD2C50-62AD-11d0-B806-00C04FD706EC}"="Controlador de la informaci¢n de resumen para vistas en miniatura (DOCFILES)"
    "{EAB841A0-9550-11cf-8C16-00805F1408F3}"="Extractor de vistas en miniatura HTML"
    "{eb9b1153-3b57-4e68-959a-a3266bc3d7fe}"="Shell Image Property Handler"
    "{CC6EEFFB-43F6-46c5-9619-51D571967F7D}"="Asistente para la publicaci¢n en Web"
    "{add36aa8-751a-4579-a266-d66f5202ccbb}"="Pedido de impresiones v¡a web"
    "{6b33163c-76a5-4b6c-bf21-45de9cd503a1}"="Objeto de Asistente de publicaci¢n de shell"
    "{58f1f272-9240-4f51-b6d4-fd63d1618591}"="Asistente para obtener pasaporte"
    "{7A9D77BD-5403-11d2-8785-2E0420524153}"="Cuentas de usuario"
    "{BD472F60-27FA-11cf-B8B4-444553540000}"="Compressed (zipped) Folder Right Drag Handler"
    "{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}"="Compressed (zipped) Folder SendTo Target"
    "{f39a0dc0-9cc8-11d0-a599-00c04fd64433}"="Archivo de canal"
    "{f3aa0dc0-9cc8-11d0-a599-00c04fd64434}"="Acceso directo al canal"
    "{f3ba0dc0-9cc8-11d0-a599-00c04fd64435}"="Objeto de control de canal"
    "{f3da0dc0-9cc8-11d0-a599-00c04fd64437}"="Channel Menu"
    "{f3ea0dc0-9cc8-11d0-a599-00c04fd64438}"="Channel Properties"
    "{63da6ec0-2e98-11cf-8d82-444553540000}"="FTP Folders Webview"
    "{883373C3-BF89-11D1-BE35-080036B11A03}"="Microsoft DocProp Shell Ext"
    "{A9CF0EAE-901A-4739-A481-E35B73E47F6D}"="Microsoft DocProp Inplace Edit Box Control"
    "{8EE97210-FD1F-4B19-91DA-67914005F020}"="Microsoft DocProp Inplace ML Edit Box Control"
    "{0EEA25CC-4362-4A12-850B-86EE61B0D3EB}"="Microsoft DocProp Inplace Droplist Combo Control"
    "{6A205B57-2567-4A2C-B881-F787FAB579A3}"="Microsoft DocProp Inplace Calendar Control"
    "{28F8A4AC-BBB3-4D9B-B177-82BFC914FA33}"="Microsoft DocProp Inplace Time Control"
    "{8A23E65E-31C2-11d0-891C-00A024AB2DBB}"="Directory Query UI"
    "{9E51E0D0-6E0F-11d2-9601-00C04FA31A86}"="Shell properties for a DS object"
    "{163FDC20-2ABC-11d0-88F0-00A024AB2DBB}"="Directory Object Find"
    "{F020E586-5264-11d1-A532-0000F8757D7E}"="Directory Start/Search Find"
    "{0D45D530-764B-11d0-A1CA-00AA00C16E65}"="Directory Property UI"
    "{62AE1F9A-126A-11D0-A14B-0800361B1103}"="Directory Context Menu Verbs"
    "{ECF03A33-103D-11d2-854D-006008059367}"="MyDocs Copy Hook"
    "{ECF03A32-103D-11d2-854D-006008059367}"="MyDocs Drop Target"
    "{4a7ded0a-ad25-11d0-98a8-0800361b1103}"="MyDocs Properties"
    "{750fdf0e-2a26-11d1-a3ea-080036587f03}"="Offline Files Menu"
    "{10CFC467-4392-11d2-8DB4-00C04FA31A66}"="Offline Files Folder Options"
    "{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E}"="Carpeta de archivos sin conexi¢n"
    "{143A62C8-C33B-11D1-84FE-00C04FA34A14}"="Microsoft Agent Character Property Sheet Handler"
    "{ECCDF543-45CC-11CE-B9BF-0080C87CDBA6}"="DfsShell"
    "{60fd46de-f830-4894-a628-6fa81bc0190d}"="%DESC_PublishDropTarget%"
    "{7A80E4A8-8005-11D2-BCF8-00C04F72C717}"="MMC Icon Handler"
    "{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}"=".CAB file viewer"
    "{32714800-2E5F-11d0-8B85-00AA0044F941}"="&Personas..."
    "{8DD448E6-C188-4aed-AF92-44956194EB1F}"="Windows Media Player Play as Playlist Context Menu Handler"
    "{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C}"="Windows Media Player Burn Audio CD Context Menu Handler"
    "{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD}"="Windows Media Player Add to Playlist Context Menu Handler"
    "{7F67036B-66F1-411A-AD85-759FB9C5B0DB}"="SampleView"
    "{1D2680C9-0E2A-469d-B787-065558BC7D43}"="Fusion Cache"
    "{1CDB2949-8F65-4355-8456-263E7C208A5D}"="Explorador de escritorios"
    "{1E9B04FB-F9E5-4718-997B-B8DA88302A47}"="Desktop Explorer Menu"
    "{BDEADF00-C265-11D0-BCED-00A0C90AB50F}"="Carpetas Web"
    "{42042206-2D85-11D3-8CFF-005004838597}"="Microsoft Office HTML Icon Handler"
    "{6605DBB1-2D82-4128-B988-C7DF230C78B6}"=""
    "{07E82CFC-10B4-44EA-899D-8F5B522604D8}"=""
    "{9FF77852-C0D5-46CA-AD63-5F7A478B73A5}"=""
    "{B963291B-595F-4B4A-BBDF-F22773C11191}"=""
    "{218A684B-B3CC-434B-B85B-D1B55E69B300}"=""
    "{3A9F36A4-7930-4C8B-AA48-BD9BAF41FBCF}"=""
    "{23FBD0F0-C0FF-4B11-9354-E4B50F81537B}"=""
    "{8DF24105-CFCC-4A2D-83E5-9B0B86ED8557}"=""
    "{F4B9BAAD-7D8D-4640-B553-8C663D3CFF81}"=""

    **********************************************************************************
    HKEY ROOT CLASSIDS:
    Windows Registry Editor Version 5.00

    [HKEY_CLASSES_ROOT\CLSID\{6605DBB1-2D82-4128-B988-C7DF230C78B6}]
    @=""
    "IDEx"="ADDR"

    [HKEY_CLASSES_ROOT\CLSID\{6605DBB1-2D82-4128-B988-C7DF230C78B6}\Implemented Categories]
    @=""

    [HKEY_CLASSES_ROOT\CLSID\{6605DBB1-2D82-4128-B988-C7DF230C78B6}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
    @=""

    [HKEY_CLASSES_ROOT\CLSID\{6605DBB1-2D82-4128-B988-C7DF230C78B6}\InprocServer32]
    @="C:\\WINDOWS\\system32\\DfskIO.dll"
    "ThreadingModel"="Apartment"

    Windows Registry Editor Version 5.00

    [HKEY_CLASSES_ROOT\CLSID\{07E82CFC-10B4-44EA-899D-8F5B522604D8}]
    @=""

    [HKEY_CLASSES_ROOT\CLSID\{07E82CFC-10B4-44EA-899D-8F5B522604D8}\Implemented Categories]
    @=""

    [HKEY_CLASSES_ROOT\CLSID\{07E82CFC-10B4-44EA-899D-8F5B522604D8}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
    @=""

    [HKEY_CLASSES_ROOT\CLSID\{07E82CFC-10B4-44EA-899D-8F5B522604D8}\InprocServer32]
    @="C:\\WINDOWS\\system32\\trd32.dll"
    "ThreadingModel"="Apartment"

    Windows Registry Editor Version 5.00

    [HKEY_CLASSES_ROOT\CLSID\{9FF77852-C0D5-46CA-AD63-5F7A478B73A5}]
    @=""

    [HKEY_CLASSES_ROOT\CLSID\{9FF77852-C0D5-46CA-AD63-5F7A478B73A5}\Implemented Categories]
    @=""

    [HKEY_CLASSES_ROOT\CLSID\{9FF77852-C0D5-46CA-AD63-5F7A478B73A5}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
    @=""

    [HKEY_CLASSES_ROOT\CLSID\{9FF77852-C0D5-46CA-AD63-5F7A478B73A5}\InprocServer32]
    @="C:\\WINDOWS\\system32\\iqwphbk.dll"
    "ThreadingModel"="Apartment"

    Windows Registry Editor Version 5.00

    [HKEY_CLASSES_ROOT\CLSID\{B963291B-595F-4B4A-BBDF-F22773C11191}]
    @=""

    [HKEY_CLASSES_ROOT\CLSID\{B963291B-595F-4B4A-BBDF-F22773C11191}\Implemented Categories]
    @=""

    [HKEY_CLASSES_ROOT\CLSID\{B963291B-595F-4B4A-BBDF-F22773C11191}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
    @=""

    [HKEY_CLASSES_ROOT\CLSID\{B963291B-595F-4B4A-BBDF-F22773C11191}\InprocServer32]
    @="C:\\WINDOWS\\system32\\wcsapi32.dll"
    "ThreadingModel"="Apartment"

    Windows Registry Editor Version 5.00

    [HKEY_CLASSES_ROOT\CLSID\{218A684B-B3CC-434B-B85B-D1B55E69B300}]
    @=""

    [HKEY_CLASSES_ROOT\CLSID\{218A684B-B3CC-434B-B85B-D1B55E69B300}\Implemented Categories]
    @=""

    [HKEY_CLASSES_ROOT\CLSID\{218A684B-B3CC-434B-B85B-D1B55E69B300}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
    @=""

    [HKEY_CLASSES_ROOT\CLSID\{218A684B-B3CC-434B-B85B-D1B55E69B300}\InprocServer32]
    @="C:\\WINDOWS\\system32\\cOtsrv.dll"
    "ThreadingModel"="Apartment"

    Windows Registry Editor Version 5.00

    [HKEY_CLASSES_ROOT\CLSID\{3A9F36A4-7930-4C8B-AA48-BD9BAF41FBCF}]
    @=""

    [HKEY_CLASSES_ROOT\CLSID\{3A9F36A4-7930-4C8B-AA48-BD9BAF41FBCF}\Implemented Categories]
    @=""

    [HKEY_CLASSES_ROOT\CLSID\{3A9F36A4-7930-4C8B-AA48-BD9BAF41FBCF}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
    @=""

    [HKEY_CLASSES_ROOT\CLSID\{3A9F36A4-7930-4C8B-AA48-BD9BAF41FBCF}\InprocServer32]
    @="C:\\WINDOWS\\system32\\uqrfaxa.dll"
    "ThreadingModel"="Apartment"

    Windows Registry Editor Version 5.00

    [HKEY_CLASSES_ROOT\CLSID\{23FBD0F0-C0FF-4B11-9354-E4B50F81537B}]
    @=""

    [HKEY_CLASSES_ROOT\CLSID\{23FBD0F0-C0FF-4B11-9354-E4B50F81537B}\Implemented Categories]
    @=""

    [HKEY_CLASSES_ROOT\CLSID\{23FBD0F0-C0FF-4B11-9354-E4B50F81537B}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
    @=""

    [HKEY_CLASSES_ROOT\CLSID\{23FBD0F0-C0FF-4B11-9354-E4B50F81537B}\InprocServer32]
    @="C:\\WINDOWS\\system32\\mxdrv.dll"
    "ThreadingModel"="Apartment"

    Windows Registry Editor Version 5.00

    [HKEY_CLASSES_ROOT\CLSID\{8DF24105-CFCC-4A2D-83E5-9B0B86ED8557}]
    @=""

    [HKEY_CLASSES_ROOT\CLSID\{8DF24105-CFCC-4A2D-83E5-9B0B86ED8557}\Implemented Categories]
    @=""

    [HKEY_CLASSES_ROOT\CLSID\{8DF24105-CFCC-4A2D-83E5-9B0B86ED8557}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
    @=""

    [HKEY_CLASSES_ROOT\CLSID\{8DF24105-CFCC-4A2D-83E5-9B0B86ED8557}\InprocServer32]
    @="C:\\WINDOWS\\system32\\nntfxperf.dll"
    "ThreadingModel"="Apartment"

    Windows Registry Editor Version 5.00

    [HKEY_CLASSES_ROOT\CLSID\{F4B9BAAD-7D8D-4640-B553-8C663D3CFF81}]
    @=""

    [HKEY_CLASSES_ROOT\CLSID\{F4B9BAAD-7D8D-4640-B553-8C663D3CFF81}\Implemented Categories]
    @=""

    [HKEY_CLASSES_ROOT\CLSID\{F4B9BAAD-7D8D-4640-B553-8C663D3CFF81}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
    @=""

    [HKEY_CLASSES_ROOT\CLSID\{F4B9BAAD-7D8D-4640-B553-8C663D3CFF81}\InprocServer32]
    @="C:\\WINDOWS\\system32\\qqv.dll"
    "ThreadingModel"="Apartment"

    **********************************************************************************
    Files Found are not all bad files:

    C:\WINDOWS\SYSTEM32\
    aemfd.dll Fri 20 Jan 2006 17:25:10 ..S.R 237.002 231,45 K
    atmtd.dll Fri 13 Jan 2006 18:47:34 A.... 687.592 671,48 K
    ddaby.dll Sat 14 Jan 2006 20:46:30 ..... 565.300 552,05 K
    entapi.dll Tue 13 Dec 2005 11:26:12 A.... 41.018 40,05 K
    fpr403~1.dll Fri 20 Jan 2006 14:59:00 ..S.R 236.863 231,31 K
    i8nmli~1.dll Wed 18 Jan 2006 15:22:14 ..S.R 234.405 228,91 K
    irfgnt5.dll Fri 20 Jan 2006 1:33:50 ..S.R 233.913 228,43 K
    lvl809~1.dll Tue 17 Jan 2006 15:33:42 ..S.R 234.405 228,91 K
    lvlm09~1.dll Fri 20 Jan 2006 14:41:00 ..S.R 237.002 231,45 K
    moorcl32.dll Fri 20 Jan 2006 12:07:36 ..S.R 235.382 229,86 K
    mpwsock.dll Fri 20 Jan 2006 10:38:44 ..S.R 233.913 228,43 K
    mxdrv.dll Fri 20 Jan 2006 14:41:00 ..S.R 236.863 231,31 K
    n84s0i~1.dll Fri 20 Jan 2006 18:33:10 ..S.R 237.002 231,45 K
    nntfxp~1.dll Thu 19 Jan 2006 23:09:18 ..S.R 236.535 230,99 K
    nzptools.dll Fri 20 Jan 2006 9:00:08 ..S.R 235.382 229,86 K
    nzwrsnl.dll Fri 20 Jan 2006 13:05:58 ..S.R 236.365 230,82 K
    oefox32.dll Thu 19 Jan 2006 13:31:26 ..S.R 235.783 230,25 K
    qqv.dll Fri 20 Jan 2006 18:34:14 ..S.R 237.002 231,45 K
    sbcfiles.dll Thu 19 Jan 2006 23:03:50 ..S.R 235.783 230,25 K
    uqrfaxa.dll Thu 19 Jan 2006 0:26:36 ..S.R 235.783 230,25 K

    20 items found: 20 files (17 H/S), 0 directories.
    Total of file sizes: 5.303.293 bytes 5,05 M
    Locate .tmp files:

    C:\WINDOWS\SYSTEM32\
    mcrh.tmp Thu 19 Jan 2006 22:36:46 A.... 0 0,00 K

    1 item found: 1 file, 0 directories.
    Total of file sizes: 0 bytes 0,00 K
    **********************************************************************************
    Directory Listing of system files:
    El volumen de la unidad C es HP_PAVILION
    El número de serie del volumen es: 9801-73B0

    Directorio de C:\WINDOWS\System32

    20/01/2006 18:39 387.412 ybadd.ini
    20/01/2006 18:34 386.912 ybadd.bak1
    20/01/2006 18:34 237.002 qqv.dll
    20/01/2006 18:33 237.002 n84s0ih7e84.dll
    20/01/2006 17:25 237.002 aemfd.dll
    20/01/2006 14:58 236.863 fpr4039qe.dll
    20/01/2006 14:40 236.863 mxdrv.dll
    20/01/2006 14:40 237.002 lvlm0931e.dll
    20/01/2006 13:05 236.365 nzwrsnl.dll
    20/01/2006 12:07 235.382 moorcl32.dll
    20/01/2006 10:38 233.913 mpwsock.dll
    20/01/2006 09:00 235.382 nzptools.dll
    20/01/2006 01:33 233.913 irfgnt5.dll
    19/01/2006 23:09 236.535 nntfxperf.dll
    19/01/2006 23:03 235.783 sbcfiles.dll
    19/01/2006 13:31 235.783 oefox32.dll
    19/01/2006 01:19 <DIR> dllcache
    19/01/2006 00:26 235.783 uqrfaxa.dll
    18/01/2006 15:22 234.405 i8nmli5118.dll
    17/01/2006 15:33 234.405 lvl8093ue.dll
    27/11/2005 20:16 <DIR> Microsoft
    22/03/2003 00:08 32 {584D0B34-551E-4D27-BBF4-C405B2DE4343}.dat
    05/01/2002 11:40 487.424 msvcp70.dll
    21 archivos 5.271.163 bytes
    2 dirs 100.211.654.656 bytes libres
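As an added example (not the thread's own code, and not part of HijackThis or L2mfix), the following Python triage script parses the two log formats posted above and flags the Vundo indicators they show: a DLL registered both as a BHO (O2) and as a Winlogon Notify package (O20), Notify packages outside a stock-XP allow-list (the allow-list is an assumption), and System32 DLLs carrying the S and R attributes written in the days before the scan. The sample input is constructed from lines of the logs above plus one benign control line.

```python
"""Triage helpers for the two log formats posted in this thread.

Added example, not the thread's own code and not part of HijackThis or
L2mfix. The sample input is constructed from lines of the logs above,
plus one benign Winlogon Notify line (crypt32chain) as a control.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumption: a short allow-list of Winlogon Notify DLLs that ship with
# Windows XP. A real triage would compare against a vetted baseline.
STOCK_NOTIFY_DLLS = {
    "wlnotify.dll", "cscdll.dll", "sclgntfy.dll",
    "crypt32.dll", "cryptnet.dll", "scecli.dll",
}

# Lines taken from the HijackThis log above; the crypt32chain line is a
# constructed benign control.
HJT_SAMPLE = r"""
O2 - BHO: ATLDistrib Object - {83A5F7B7-DC75-44CE-9195-264F41709FA9} - C:\WINDOWS\System32\ddaby.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O20 - Winlogon Notify: ddaby - C:\WINDOWS\System32\ddaby.dll
O20 - Winlogon Notify: Syncmgr - C:\WINDOWS\system32\lvlm0931e.dll
O20 - Winlogon Notify: crypt32chain - C:\WINDOWS\system32\crypt32.dll
"""

# Lines taken from the L2mfix "Files Found" listing above.
L2M_SAMPLE = """
aemfd.dll Fri 20 Jan 2006 17:25:10 ..S.R 237.002 231,45 K
atmtd.dll Fri 13 Jan 2006 18:47:34 A.... 687.592 671,48 K
ddaby.dll Sat 14 Jan 2006 20:46:30 ..... 565.300 552,05 K
entapi.dll Tue 13 Dec 2005 11:26:12 A.... 41.018 40,05 K
irfgnt5.dll Fri 20 Jan 2006 1:33:50 ..S.R 233.913 228,43 K
lvlm09~1.dll Fri 20 Jan 2006 14:41:00 ..S.R 237.002 231,45 K
mxdrv.dll Fri 20 Jan 2006 14:41:00 ..S.R 236.863 231,31 K
qqv.dll Fri 20 Jan 2006 18:34:14 ..S.R 237.002 231,45 K
uqrfaxa.dll Thu 19 Jan 2006 0:26:36 ..S.R 235.783 230,25 K
"""
# Assumed time of the L2mfix run above (the file listing is stamped 18:39).
SCAN_TIME = datetime(2006, 1, 20, 18, 40)

HJT_LINE = re.compile(r"^(?P<code>O\d+) - (?P<kind>[^:]+): (?P<name>.*?) - (?P<rest>.*)$")
L2M_LINE = re.compile(
    r"^(?P<name>\S+)\s+\w{3} (?P<date>\d{1,2} \w{3} \d{4} \d{1,2}:\d{2}:\d{2})"
    r"\s+(?P<attrs>[A-Z.]{5})\s+(?P<size>[\d.]+)\s"
)


def parse_hjt(text):
    """Return (code, name, dll_path) for the O2 (BHO) and O20 (Winlogon
    Notify) lines; the path is always the last ' - ' separated field."""
    out = []
    for line in text.splitlines():
        m = HJT_LINE.match(line.strip())
        if m and m.group("code") in ("O2", "O20"):
            path = m.group("rest").rsplit(" - ", 1)[-1]
            out.append((m.group("code"), m.group("name"), path))
    return out


def flag_hjt(entries):
    """Map DLL file name -> set of reasons. Flags Notify packages outside
    the stock set and any DLL registered both as a BHO and as a Notify
    package, which is how ddaby.dll shows up in the log above."""
    codes_by_path = defaultdict(set)
    for code, _name, path in entries:
        codes_by_path[path.lower()].add(code)
    findings = {}
    for code, _name, path in entries:
        base = path.lower().rsplit("\\", 1)[-1]
        reasons = set()
        if code == "O20" and base not in STOCK_NOTIFY_DLLS:
            reasons.add("non-stock Winlogon Notify package")
        if {"O2", "O20"} <= codes_by_path[path.lower()]:
            reasons.add("same DLL loaded as BHO and Notify package")
        if reasons:
            findings.setdefault(base, set()).update(reasons)
    return findings


def parse_l2m_files(text):
    """Parse the 'Files Found' listing into (name, mtime, attrs, bytes)."""
    out = []
    for line in text.splitlines():
        m = L2M_LINE.match(line.strip())
        if not m:
            continue
        mtime = datetime.strptime(m.group("date"), "%d %b %Y %H:%M:%S")
        # L2mfix printed sizes with '.' as thousands separator (es locale).
        size = int(m.group("size").replace(".", ""))
        out.append((m.group("name"), mtime, m.group("attrs"), size))
    return out


def flag_l2m_files(files, scan_time, window_days=7):
    """Names of files carrying both the System (S) and Read-only (R)
    attributes that were written within window_days of the scan. This
    catches the rotating helper DLLs but not ddaby.dll itself, whose
    attributes are clear, which is why the HijackThis correlation is
    needed as well."""
    cutoff = scan_time - timedelta(days=window_days)
    return [name for name, mtime, attrs, _ in files
            if "S" in attrs and "R" in attrs and mtime >= cutoff]


if __name__ == "__main__":
    for dll, why in sorted(flag_hjt(parse_hjt(HJT_SAMPLE)).items()):
        print(f"HJT  {dll}: {', '.join(sorted(why))}")
    for name in flag_l2m_files(parse_l2m_files(L2M_SAMPLE), SCAN_TIME):
        print(f"L2M  {name}: S+R attributes, recently written")
```

On the sample, the attribute heuristic flags six of the helper DLLs while ddaby.dll is caught only by the BHO/Notify correlation, which mirrors why the thread asks for both logs.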
     
  4. Newnewone

    Newnewone Thread Starter

    Joined:
    Jan 20, 2006
    Messages:
    13
    Sorry, here's the new HijackThis log file.


    Logfile of HijackThis v1.99.1
    Scan saved at 18:46:10, on 20/01/2006
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\Explorer.EXE
    C:\windows\system\hpsysdrv.exe
    C:\HP\KBD\KBD.EXE
    C:\Archivos de programa\Archivos comunes\Microsoft Shared\Works Shared\WkUFind.exe
    C:\Archivos de programa\QuickTime\qttask.exe
    C:\Archivos de programa\McAfee\Managed VirusScan\Agent\myagttry.exe
    C:\Archivos de programa\McAfee\Managed Firewall\MpfTray.exe
    C:\WINDOWS\System32\rundll32.exe
    C:\Archivos de programa\McAfee\Managed Firewall\MpfService.exe
    C:\Archivos de programa\McAfee\Managed VirusScan\Agent\myAgtSvc.exe
    C:\Archivos de programa\Network Monitor\netmon.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\snmp.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Archivos de programa\Internet Explorer\iexplore.exe
    C:\ARCHIV~1\McAfee\MANAGE~1\VScan\McShield.exe
    C:\Archivos de programa\McAfee\Managed VirusScan\Agent\HtmlDlg.Exe
    C:\WINDOWS\System32\cmd.exe
    C:\WINDOWS\system32\ntvdm.exe
    C:\Documents and Settings\BUHO.PATA-BUHO\Configuración local\Temp\Directorio temporal 2 para hijackthis[1].zip\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.telefonica.net/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.wanadoo.es
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-es7.hpwis.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-es7.hpwis.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://es7.hpwis.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
    O2 - BHO: ATLDistrib Object - {83A5F7B7-DC75-44CE-9195-264F41709FA9} - C:\WINDOWS\System32\ddaby.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
    O4 - HKLM\..\Run: [StorageGuard] "C:\Archivos de programa\VERITAS Software\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded
    O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
    O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Archivos de programa\Archivos comunes\Microsoft Shared\Works Shared\WkUFind.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Archivos de programa\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [enewsletterpro] C:\windows\enewsletterpro.exe
    O4 - HKLM\..\Run: [ccRegVfy] C:\Archivos de programa\Archivos comunes\Symantec Shared\ccRegVfy.exe
    O4 - HKLM\..\Run: [McAfee Managed Services Tray] "C:\Archivos de programa\McAfee\Managed VirusScan\Agent\myagttry.exe"
    O4 - HKLM\..\Run: [MVS Splash] C:\ARCHIV~1\McAfee\MANAGE~1\VScan\Splash.exe
    O4 - HKLM\..\Run: [MpfTray] C:\Archivos de programa\McAfee\Managed Firewall\MpfTray.exe
    O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
    O4 - HKCU\..\Run: [MSMSGS] "C:\Archivos de programa\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Sygate Personal Firewall] Slinder.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Archivos de programa\Microsoft Office\Office10\OSA.EXE
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O14 - IERESET.INF: START_PAGE_URL=http://www.wanadoo.es
    O16 - DPF: {40C83AF8-FEA7-4A6A-A470-431EE84A0886} (SecureObjectFactory Class) - http://descargaseguridad.telefonica.terra.es/VS2/bin/myCioAgt.20051213115437.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1137628905328
    O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/mcfscan/2,1,0,4672/mcfscan.cab
    O16 - DPF: {FAACB119-D8DD-4F91-9AE9-9CDE6FD230DB} (CentroSeguridad Class) - https://centroseguridad.telefonica.terra.es/central/CentroSeguridad.cab
    O18 - Protocol: myrm - {4D034FC3-013F-4B95-B544-44D49ABE3E76} - C:\Archivos de programa\McAfee\Managed VirusScan\Agent\MyRmProt3.5.0.478.dll
    O20 - Winlogon Notify: Applets - C:\WINDOWS\system32\lvlm0931e.dll
    O20 - Winlogon Notify: ddaby - C:\WINDOWS\System32\ddaby.dll
    O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\R29uemFsbyBDZWJhbGxvcyBXYXRsaW5n\command.exe (file missing)
    O23 - Service: McShield - McAfee Inc. - C:\ARCHIV~1\McAfee\MANAGE~1\VScan\McShield.exe
    O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\Archivos de programa\McAfee\Managed Firewall\MpfService.exe
    O23 - Service: McAfee Managed Services Agent (myAgtSvc) - McAfee, Inc. - C:\Archivos de programa\McAfee\Managed VirusScan\Agent\myAgtSvc.exe
    O23 - Service: Network Monitor - Unknown owner - C:\Archivos de programa\Network Monitor\netmon.exe
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
     
  5. Newnewone

    Newnewone Thread Starter

    Joined:
    Jan 20, 2006
    Messages:
    13
    This is the C:\vundofix.txt:


    Listing files found while scanning....

    C:\WINDOWS\System32\ddaby.dll
    C:\WINDOWS\System32\ybadd.ini
    C:\WINDOWS\System32\ybadd.bak1
    C:\WINDOWS\System32\ybadd.bak2
    C:\WINDOWS\System32\ybadd.ini2
    C:\WINDOWS\System32\ybadd.tmp

    C:\WINDOWS\system32\ybadd.bak1
    C:\WINDOWS\system32\ybadd.bak2
    C:\WINDOWS\system32\ybadd.tmp
    C:\WINDOWS\system32\ybadd.ini
    C:\WINDOWS\system32\ybadd.ini2
    C:\WINDOWS\system32\ddaby.dll
    Attempting to delete C:\WINDOWS\System32\ddaby.dll
    C:\WINDOWS\System32\ddaby.dll Could not be deleted.

    Attempting to delete C:\WINDOWS\System32\ybadd.ini
    C:\WINDOWS\System32\ybadd.ini Has been deleted!

    Attempting to delete C:\WINDOWS\System32\ybadd.bak1
    C:\WINDOWS\System32\ybadd.bak1 Has been deleted!

    Attempting to delete C:\WINDOWS\System32\ybadd.bak2
    C:\WINDOWS\System32\ybadd.bak2 Has been deleted!

    Attempting to delete C:\WINDOWS\System32\ybadd.ini2
    C:\WINDOWS\System32\ybadd.ini2 Has been deleted!

    Attempting to delete C:\WINDOWS\System32\ybadd.tmp
    C:\WINDOWS\System32\ybadd.tmp Has been deleted!

    Attempting to delete C:\WINDOWS\system32\ddaby.dll
    C:\WINDOWS\system32\ddaby.dll Could not be deleted.

    Performing Repairs to the registry.
    Done!
     
  6. khazars

    khazars

    Joined:
    Feb 15, 2004
    Messages:
    12,302
    OK, run the Vundo fix again; it looks like you had two doses of it. Then run this below and post all logs again!


    Close any programs you have open since this step requires a reboot.

    From the l2mfix folder on your desktop, double-click l2mfix.bat and select option #2 (Run Fix) by typing 2 and then pressing Enter. It will then ask for a password: enter bye (lowercase) and hit Enter. Your desktop and icons will disappear (this is normal). L2mfix will continue to scan your computer, and when it's finished it will be ready for a reboot. Press any key to reboot. After the reboot, Notepad will open with a log. Copy the contents of that log and paste it back into this thread, along with a new HijackThis log.

    IMPORTANT: Do NOT run any other files in the l2mfix folder unless you are
    asked to do so!

    If after the reboot the log does not open double click on it in the l2mfix folder.
     
  7. Newnewone

    Newnewone Thread Starter

    Joined:
    Jan 20, 2006
    Messages:
    13
    I think I've run VundoFix a couple of times.
    Here is the last log:
    VundoFix V4.0

    Listing files found while scanning....

    C:\WINDOWS\System32\ddaby.dll
    C:\WINDOWS\System32\ybadd.ini
    C:\WINDOWS\System32\ybadd.bak1
    C:\WINDOWS\System32\ybadd.bak2
    C:\WINDOWS\System32\ybadd.ini2
    C:\WINDOWS\System32\ybadd.tmp

    C:\WINDOWS\system32\ybadd.bak1
    C:\WINDOWS\system32\ybadd.bak2
    C:\WINDOWS\system32\ybadd.tmp
    C:\WINDOWS\system32\ybadd.ini
    C:\WINDOWS\system32\ybadd.ini2
    C:\WINDOWS\system32\ddaby.dll
    Attempting to delete C:\WINDOWS\System32\ddaby.dll
    C:\WINDOWS\System32\ddaby.dll Could not be deleted.

    Attempting to delete C:\WINDOWS\System32\ybadd.ini
    C:\WINDOWS\System32\ybadd.ini Has been deleted!

    Attempting to delete C:\WINDOWS\System32\ybadd.bak1
    C:\WINDOWS\System32\ybadd.bak1 Has been deleted!

    Attempting to delete C:\WINDOWS\System32\ybadd.bak2
    C:\WINDOWS\System32\ybadd.bak2 Has been deleted!

    Attempting to delete C:\WINDOWS\System32\ybadd.ini2
    C:\WINDOWS\System32\ybadd.ini2 Has been deleted!

    Attempting to delete C:\WINDOWS\System32\ybadd.tmp
    C:\WINDOWS\System32\ybadd.tmp Has been deleted!

    Attempting to delete C:\WINDOWS\system32\ddaby.dll
    C:\WINDOWS\system32\ddaby.dll Could not be deleted.

    Performing Repairs to the registry.
    Done!
    VundoFix V4.0

    Listing files found while scanning....

    C:\WINDOWS\System32\ddaby.dll
    C:\WINDOWS\System32\ybadd.ini
    C:\WINDOWS\System32\ybadd.bak1

    C:\WINDOWS\system32\ybadd.bak1
    C:\WINDOWS\system32\ybadd.ini
    C:\WINDOWS\system32\ddaby.dll
    VundoFix V4.0

    Listing files found while scanning....

    C:\WINDOWS\System32\ddaby.dll
    C:\WINDOWS\System32\ybadd.ini
    C:\WINDOWS\System32\ybadd.bak1

    C:\WINDOWS\system32\ybadd.bak1
    C:\WINDOWS\system32\ybadd.ini
    C:\WINDOWS\system32\ddaby.dll
    Attempting to delete C:\WINDOWS\System32\ddaby.dll
    C:\WINDOWS\System32\ddaby.dll Could not be deleted.

    Attempting to delete C:\WINDOWS\System32\ybadd.ini
    C:\WINDOWS\System32\ybadd.ini Has been deleted!

    Attempting to delete C:\WINDOWS\System32\ybadd.bak1
    C:\WINDOWS\System32\ybadd.bak1 Has been deleted!

    Attempting to delete C:\WINDOWS\system32\ddaby.dll
    C:\WINDOWS\system32\ddaby.dll Could not be deleted.

    Performing Repairs to the registry.
    Done!
    VundoFix V4.0

    Listing files found while scanning....

    C:\WINDOWS\System32\ddaby.dll
    C:\WINDOWS\System32\ybadd.ini
    C:\WINDOWS\System32\ybadd.bak1

    C:\WINDOWS\system32\ybadd.bak1
    C:\WINDOWS\system32\ybadd.ini
    C:\WINDOWS\system32\ddaby.dll
    Attempting to delete C:\WINDOWS\System32\ddaby.dll
    C:\WINDOWS\System32\ddaby.dll Has been deleted!

    Attempting to delete C:\WINDOWS\System32\ybadd.ini
    C:\WINDOWS\System32\ybadd.ini Has been deleted!

    Attempting to delete C:\WINDOWS\System32\ybadd.bak1
    C:\WINDOWS\System32\ybadd.bak1 Has been deleted!

    Performing Repairs to the registry.
    Done!

    And the L2mfix log, after running option 2:
    L2mfix 010406
    Creating Account.
    Se ha completado el comando correctamente.

    Adding Administrative privleges.
    Checking for L2MFix account(0=no 1=yes):
    1
    Granting SeDebugPrivilege to L2MFIX ... successful

    Running From:
    C:\WINDOWS\system32

    Killing Processes!
    Restoring Sedebugprivilege:

    Scanning First Pass. Please Wait!

    First Pass Completed

    Second Pass Scanning

    Second pass Completed!



    Restoring Windows Update Certificates.:

    The following Is the Current Export of the Winlogon notify key:
    ****************************************************************************
    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
    "Asynchronous"=dword:00000000
    "Impersonate"=dword:00000000
    "DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
    6c,00,00,00
    "Logoff"="ChainWlxLogoffEvent"

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
    "Asynchronous"=dword:00000000
    "Impersonate"=dword:00000000
    "DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
    6c,00,6c,00,00,00
    "Logoff"="CryptnetWlxLogoffEvent"

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
    "DLLName"="cscdll.dll"
    "Logon"="WinlogonLogonEvent"
    "Logoff"="WinlogonLogoffEvent"
    "ScreenSaver"="WinlogonScreenSaverEvent"
    "Startup"="WinlogonStartupEvent"
    "Shutdown"="WinlogonShutdownEvent"
    "StartShell"="WinlogonStartShellEvent"
    "Impersonate"=dword:00000000
    "Asynchronous"=dword:00000001

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ddaby]
    "Asynchronous"=dword:00000001
    "DllName"="C:\\WINDOWS\\System32\\ddaby.dll"
    "Impersonate"=dword:00000000
    "Startup"="SysLogon"
    "Logoff"="SysLogoff"

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
    "DLLName"="wlnotify.dll"
    "Logon"="SCardStartCertProp"
    "Logoff"="SCardStopCertProp"
    "Lock"="SCardSuspendCertProp"
    "Unlock"="SCardResumeCertProp"
    "Enabled"=dword:00000001
    "Impersonate"=dword:00000001
    "Asynchronous"=dword:00000001

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
    "Asynchronous"=dword:00000000
    "DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
    6c,00,6c,00,00,00
    "Impersonate"=dword:00000000
    "StartShell"="SchedStartShell"
    "Logoff"="SchedEventLogOff"

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
    "Logoff"="WLEventLogoff"
    "Impersonate"=dword:00000000
    "Asynchronous"=dword:00000001
    "DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
    6c,00,6c,00,00,00

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
    "DLLName"="WlNotify.dll"
    "Lock"="SensLockEvent"
    "Logon"="SensLogonEvent"
    "Logoff"="SensLogoffEvent"
    "Safe"=dword:00000001
    "MaxWait"=dword:00000258
    "StartScreenSaver"="SensStartScreenSaverEvent"
    "StopScreenSaver"="SensStopScreenSaverEvent"
    "Startup"="SensStartupEvent"
    "Shutdown"="SensShutdownEvent"
    "StartShell"="SensStartShellEvent"
    "PostShell"="SensPostShellEvent"
    "Disconnect"="SensDisconnectEvent"
    "Reconnect"="SensReconnectEvent"
    "Unlock"="SensUnlockEvent"
    "Impersonate"=dword:00000001
    "Asynchronous"=dword:00000001

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
    "Asynchronous"=dword:00000000
    "DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
    6c,00,6c,00,00,00
    "Impersonate"=dword:00000000
    "Logoff"="TSEventLogoff"
    "Logon"="TSEventLogon"
    "PostShell"="TSEventPostShell"
    "Shutdown"="TSEventShutdown"
    "StartShell"="TSEventStartShell"
    "Startup"="TSEventStartup"
    "MaxWait"=dword:00000258
    "Reconnect"="TSEventReconnect"
    "Disconnect"="TSEventDisconnect"

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\URL]
    "Asynchronous"=dword:00000000
    "DllName"="C:\\WINDOWS\\system32\\lvlm0931e.dll"
    "Impersonate"=dword:00000000
    "Logon"="WinLogon"
    "Logoff"="WinLogoff"
    "Shutdown"="WinShutdown"

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
    "DLLName"="wlnotify.dll"
    "Logon"="RegisterTicketExpiredNotificationEvent"
    "Logoff"="UnregisterTicketExpiredNotificationEvent"
    "Impersonate"=dword:00000001
    "Asynchronous"=dword:00000001


    The following are the files found:
    ****************************************************************************

    Registry Entries that were Deleted:
    Please verify that the listing looks ok.
    If there was something deleted wrongly there are backups in the backreg folder.
    ****************************************************************************
    Windows Registry Editor Version 5.00

    [HKEY_CLASSES_ROOT\CLSID\{6605DBB1-2D82-4128-B988-C7DF230C78B6}]
    @=""
    "IDEx"="ADDR"

    [HKEY_CLASSES_ROOT\CLSID\{6605DBB1-2D82-4128-B988-C7DF230C78B6}\Implemented Categories]
    @=""

    [HKEY_CLASSES_ROOT\CLSID\{6605DBB1-2D82-4128-B988-C7DF230C78B6}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
    @=""

    [HKEY_CLASSES_ROOT\CLSID\{6605DBB1-2D82-4128-B988-C7DF230C78B6}\InprocServer32]
    @="C:\\WINDOWS\\system32\\DfskIO.dll"
    "ThreadingModel"="Apartment"

    Windows Registry Editor Version 5.00

    [HKEY_CLASSES_ROOT\CLSID\{07E82CFC-10B4-44EA-899D-8F5B522604D8}]
    @=""

    [HKEY_CLASSES_ROOT\CLSID\{07E82CFC-10B4-44EA-899D-8F5B522604D8}\Implemented Categories]
    @=""

    [HKEY_CLASSES_ROOT\CLSID\{07E82CFC-10B4-44EA-899D-8F5B522604D8}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
    @=""

    [HKEY_CLASSES_ROOT\CLSID\{07E82CFC-10B4-44EA-899D-8F5B522604D8}\InprocServer32]
    @="C:\\WINDOWS\\system32\\trd32.dll"
    "ThreadingModel"="Apartment"

    Windows Registry Editor Version 5.00

    [HKEY_CLASSES_ROOT\CLSID\{9FF77852-C0D5-46CA-AD63-5F7A478B73A5}]
    @=""

    [HKEY_CLASSES_ROOT\CLSID\{9FF77852-C0D5-46CA-AD63-5F7A478B73A5}\Implemented Categories]
    @=""

    [HKEY_CLASSES_ROOT\CLSID\{9FF77852-C0D5-46CA-AD63-5F7A478B73A5}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
    @=""

    [HKEY_CLASSES_ROOT\CLSID\{9FF77852-C0D5-46CA-AD63-5F7A478B73A5}\InprocServer32]
    @="C:\\WINDOWS\\system32\\iqwphbk.dll"
    "ThreadingModel"="Apartment"

    Windows Registry Editor Version 5.00

    [HKEY_CLASSES_ROOT\CLSID\{B963291B-595F-4B4A-BBDF-F22773C11191}]
    @=""

    [HKEY_CLASSES_ROOT\CLSID\{B963291B-595F-4B4A-BBDF-F22773C11191}\Implemented Categories]
    @=""

    [HKEY_CLASSES_ROOT\CLSID\{B963291B-595F-4B4A-BBDF-F22773C11191}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
    @=""

    [HKEY_CLASSES_ROOT\CLSID\{B963291B-595F-4B4A-BBDF-F22773C11191}\InprocServer32]
    @="C:\\WINDOWS\\system32\\wcsapi32.dll"
    "ThreadingModel"="Apartment"

    Windows Registry Editor Version 5.00

    [HKEY_CLASSES_ROOT\CLSID\{218A684B-B3CC-434B-B85B-D1B55E69B300}]
    @=""

    [HKEY_CLASSES_ROOT\CLSID\{218A684B-B3CC-434B-B85B-D1B55E69B300}\Implemented Categories]
    @=""

    [HKEY_CLASSES_ROOT\CLSID\{218A684B-B3CC-434B-B85B-D1B55E69B300}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
    @=""

    [HKEY_CLASSES_ROOT\CLSID\{218A684B-B3CC-434B-B85B-D1B55E69B300}\InprocServer32]
    @="C:\\WINDOWS\\system32\\cOtsrv.dll"
    "ThreadingModel"="Apartment"

    Windows Registry Editor Version 5.00

    [HKEY_CLASSES_ROOT\CLSID\{3A9F36A4-7930-4C8B-AA48-BD9BAF41FBCF}]
    @=""

    [HKEY_CLASSES_ROOT\CLSID\{3A9F36A4-7930-4C8B-AA48-BD9BAF41FBCF}\Implemented Categories]
    @=""

    [HKEY_CLASSES_ROOT\CLSID\{3A9F36A4-7930-4C8B-AA48-BD9BAF41FBCF}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
    @=""

    [HKEY_CLASSES_ROOT\CLSID\{3A9F36A4-7930-4C8B-AA48-BD9BAF41FBCF}\InprocServer32]
    @="C:\\WINDOWS\\system32\\uqrfaxa.dll"
    "ThreadingModel"="Apartment"

    Windows Registry Editor Version 5.00

    [HKEY_CLASSES_ROOT\CLSID\{23FBD0F0-C0FF-4B11-9354-E4B50F81537B}]
    @=""

    [HKEY_CLASSES_ROOT\CLSID\{23FBD0F0-C0FF-4B11-9354-E4B50F81537B}\Implemented Categories]
    @=""

    [HKEY_CLASSES_ROOT\CLSID\{23FBD0F0-C0FF-4B11-9354-E4B50F81537B}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
    @=""

    [HKEY_CLASSES_ROOT\CLSID\{23FBD0F0-C0FF-4B11-9354-E4B50F81537B}\InprocServer32]
    @="C:\\WINDOWS\\system32\\mxdrv.dll"
    "ThreadingModel"="Apartment"

    Windows Registry Editor Version 5.00

    [HKEY_CLASSES_ROOT\CLSID\{8DF24105-CFCC-4A2D-83E5-9B0B86ED8557}]
    @=""

    [HKEY_CLASSES_ROOT\CLSID\{8DF24105-CFCC-4A2D-83E5-9B0B86ED8557}\Implemented Categories]
    @=""

    [HKEY_CLASSES_ROOT\CLSID\{8DF24105-CFCC-4A2D-83E5-9B0B86ED8557}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
    @=""

    [HKEY_CLASSES_ROOT\CLSID\{8DF24105-CFCC-4A2D-83E5-9B0B86ED8557}\InprocServer32]
    @="C:\\WINDOWS\\system32\\nntfxperf.dll"
    "ThreadingModel"="Apartment"

    Windows Registry Editor Version 5.00

    [HKEY_CLASSES_ROOT\CLSID\{F4B9BAAD-7D8D-4640-B553-8C663D3CFF81}]
    @=""

    [HKEY_CLASSES_ROOT\CLSID\{F4B9BAAD-7D8D-4640-B553-8C663D3CFF81}\Implemented Categories]
    @=""

    [HKEY_CLASSES_ROOT\CLSID\{F4B9BAAD-7D8D-4640-B553-8C663D3CFF81}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
    @=""

    [HKEY_CLASSES_ROOT\CLSID\{F4B9BAAD-7D8D-4640-B553-8C663D3CFF81}\InprocServer32]
    @="C:\\WINDOWS\\system32\\rapwsx.dll"
    "ThreadingModel"="Apartment"

    REGEDIT4

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
    "{6605DBB1-2D82-4128-B988-C7DF230C78B6}"=-
    "{07E82CFC-10B4-44EA-899D-8F5B522604D8}"=-
    "{9FF77852-C0D5-46CA-AD63-5F7A478B73A5}"=-
    "{B963291B-595F-4B4A-BBDF-F22773C11191}"=-
    "{218A684B-B3CC-434B-B85B-D1B55E69B300}"=-
    "{3A9F36A4-7930-4C8B-AA48-BD9BAF41FBCF}"=-
    "{23FBD0F0-C0FF-4B11-9354-E4B50F81537B}"=-
    "{8DF24105-CFCC-4A2D-83E5-9B0B86ED8557}"=-
    "{F4B9BAAD-7D8D-4640-B553-8C663D3CFF81}"=-
    [-HKEY_CLASSES_ROOT\CLSID\{6605DBB1-2D82-4128-B988-C7DF230C78B6}]
    [-HKEY_CLASSES_ROOT\CLSID\{07E82CFC-10B4-44EA-899D-8F5B522604D8}]
    [-HKEY_CLASSES_ROOT\CLSID\{9FF77852-C0D5-46CA-AD63-5F7A478B73A5}]
    [-HKEY_CLASSES_ROOT\CLSID\{B963291B-595F-4B4A-BBDF-F22773C11191}]
    [-HKEY_CLASSES_ROOT\CLSID\{218A684B-B3CC-434B-B85B-D1B55E69B300}]
    [-HKEY_CLASSES_ROOT\CLSID\{3A9F36A4-7930-4C8B-AA48-BD9BAF41FBCF}]
    [-HKEY_CLASSES_ROOT\CLSID\{23FBD0F0-C0FF-4B11-9354-E4B50F81537B}]
    [-HKEY_CLASSES_ROOT\CLSID\{8DF24105-CFCC-4A2D-83E5-9B0B86ED8557}]
    [-HKEY_CLASSES_ROOT\CLSID\{F4B9BAAD-7D8D-4640-B553-8C663D3CFF81}]
    REGEDIT4

    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
    ****************************************************************************
    Desktop.ini Contents:
    ****************************************************************************

    ****************************************************************************
    Checking for L2MFix account(0=no 1=yes):
    0
    Zipping up files for submission:
    zip warning: name not matched: dlls\*.*

    zip error: Nothing to do! (backup.zip)
    adding: backregs/07E82CFC-10B4-44EA-899D-8F5B522604D8.reg (188 bytes security) (deflated 70%)
    adding: backregs/218A684B-B3CC-434B-B85B-D1B55E69B300.reg (188 bytes security) (deflated 70%)
    adding: backregs/23FBD0F0-C0FF-4B11-9354-E4B50F81537B.reg (188 bytes security) (deflated 70%)
    adding: backregs/3A9F36A4-7930-4C8B-AA48-BD9BAF41FBCF.reg (188 bytes security) (deflated 70%)
    adding: backregs/6605DBB1-2D82-4128-B988-C7DF230C78B6.reg (188 bytes security) (deflated 69%)
    adding: backregs/8DF24105-CFCC-4A2D-83E5-9B0B86ED8557.reg (188 bytes security) (deflated 69%)
    adding: backregs/9FF77852-C0D5-46CA-AD63-5F7A478B73A5.reg (188 bytes security) (deflated 70%)
    adding: backregs/B963291B-595F-4B4A-BBDF-F22773C11191.reg (188 bytes security) (deflated 70%)
    adding: backregs/F4B9BAAD-7D8D-4640-B553-8C663D3CFF81.reg (188 bytes security) (deflated 70%)
    adding: backregs/notibac.reg (164 bytes security) (deflated 78%)
    adding: backregs/shell.reg (164 bytes security) (deflated 73%)

    And the HijackThis log file after the L2mfix programme:

    Logfile of HijackThis v1.99.1
    Scan saved at 19:35:41, on 20/01/2006
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Archivos de programa\McAfee\Managed Firewall\MpfService.exe
    C:\Archivos de programa\McAfee\Managed VirusScan\Agent\myAgtSvc.exe
    C:\Archivos de programa\Network Monitor\netmon.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\snmp.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\windows\system\hpsysdrv.exe
    C:\HP\KBD\KBD.EXE
    C:\Archivos de programa\Archivos comunes\Microsoft Shared\Works Shared\WkUFind.exe
    C:\Archivos de programa\QuickTime\qttask.exe
    C:\Archivos de programa\McAfee\Managed VirusScan\Agent\myagttry.exe
    C:\Archivos de programa\McAfee\Managed Firewall\MpfTray.exe
    C:\WINDOWS\System32\rundll32.exe
    C:\ARCHIV~1\McAfee\MANAGE~1\VScan\McShield.exe
    C:\Archivos de programa\McAfee\Managed VirusScan\Agent\HtmlDlg.Exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\Archivos de programa\Internet Explorer\iexplore.exe
    C:\Documents and Settings\BUHO.PATA-BUHO\Mis documentos\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.telefonica.net/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.wanadoo.es
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-es7.hpwis.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-es7.hpwis.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://es7.hpwis.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
    O2 - BHO: ATLDistrib Object - {83A5F7B7-DC75-44CE-9195-264F41709FA9} - C:\WINDOWS\System32\ddaby.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
    O4 - HKLM\..\Run: [StorageGuard] "C:\Archivos de programa\VERITAS Software\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded
    O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
    O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Archivos de programa\Archivos comunes\Microsoft Shared\Works Shared\WkUFind.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Archivos de programa\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [enewsletterpro] C:\windows\enewsletterpro.exe
    O4 - HKLM\..\Run: [ccRegVfy] C:\Archivos de programa\Archivos comunes\Symantec Shared\ccRegVfy.exe
    O4 - HKLM\..\Run: [McAfee Managed Services Tray] "C:\Archivos de programa\McAfee\Managed VirusScan\Agent\myagttry.exe"
    O4 - HKLM\..\Run: [MVS Splash] C:\ARCHIV~1\McAfee\MANAGE~1\VScan\Splash.exe
    O4 - HKLM\..\Run: [MpfTray] C:\Archivos de programa\McAfee\Managed Firewall\MpfTray.exe
    O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
    O4 - HKCU\..\Run: [MSMSGS] "C:\Archivos de programa\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Sygate Personal Firewall] Slinder.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Archivos de programa\Microsoft Office\Office10\OSA.EXE
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O14 - IERESET.INF: START_PAGE_URL=http://www.wanadoo.es
    O16 - DPF: {40C83AF8-FEA7-4A6A-A470-431EE84A0886} (SecureObjectFactory Class) - http://descargaseguridad.telefonica.terra.es/VS2/bin/myCioAgt.20051213115437.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1137628905328
    O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/mcfscan/2,1,0,4672/mcfscan.cab
    O16 - DPF: {FAACB119-D8DD-4F91-9AE9-9CDE6FD230DB} (CentroSeguridad Class) - https://centroseguridad.telefonica.terra.es/central/CentroSeguridad.cab
    O18 - Protocol: myrm - {4D034FC3-013F-4B95-B544-44D49ABE3E76} - C:\Archivos de programa\McAfee\Managed VirusScan\Agent\MyRmProt3.5.0.478.dll
    O20 - Winlogon Notify: ddaby - C:\WINDOWS\System32\ddaby.dll
    O20 - Winlogon Notify: Explorer - C:\WINDOWS\system32\lvlm0931e.dll
    O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\R29uemFsbyBDZWJhbGxvcyBXYXRsaW5n\command.exe (file missing)
    O23 - Service: McShield - McAfee Inc. - C:\ARCHIV~1\McAfee\MANAGE~1\VScan\McShield.exe
    O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\Archivos de programa\McAfee\Managed Firewall\MpfService.exe
    O23 - Service: McAfee Managed Services Agent (myAgtSvc) - McAfee, Inc. - C:\Archivos de programa\McAfee\Managed VirusScan\Agent\myAgtSvc.exe
    O23 - Service: Network Monitor - Unknown owner - C:\Archivos de programa\Network Monitor\netmon.exe
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

    Is it done? The Managed VirusScan doesn't alert about Ddaby any longer. I do have a process.exe alert related to L2mfix.
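The Winlogon Notify export in the L2mfix log above is the part worth reading closely: in this export the stock XP packages (crypt32chain, cscdll, Schedule, SensLogn, ...) register bare DLL names, while the ddaby and URL entries point by absolute path at DLLs that were dropped into System32 the same day. The following is an added example, not code from this thread or from L2mfix/VundoFix: it parses such an export (decoding the hex(2) DllName values as UTF-16LE), flags packages that deviate from an assumed stock-XP allow-list, and derives the reversed-name side files (ddaby.dll pairs with ybadd.ini/.bak1/...) that the VundoFix log shows beside the DLL. The allow-list, the sample export text and the function names are assumptions constructed for the example.

```python
"""Triage a .reg export of the Winlogon\\Notify key, as dumped by L2mfix.

Added example, not code from this thread or from L2mfix/VundoFix: decodes the
.reg value types seen in the export (quoted strings, dword, and hex(2), i.e.
REG_EXPAND_SZ stored as UTF-16LE bytes), flags notification packages outside
the stock Windows XP set, and derives the reversed-name side files that the
VundoFix log lists beside the suspect DLL (ddaby.dll -> ybadd.ini, ...).
"""
import re

# Assumption: stock XP notification packages, subkey (lower-case) -> bare DLL.
KNOWN_NOTIFY_PACKAGES = {
    "crypt32chain": "crypt32.dll", "cryptnet": "cryptnet.dll",
    "cscdll": "cscdll.dll", "sccertprop": "wlnotify.dll",
    "schedule": "wlnotify.dll", "sclgntfy": "sclgntfy.dll",
    "senslogn": "wlnotify.dll", "termsrv": "wlnotify.dll",
    "wlballoon": "wlnotify.dll",
}
NOTIFY_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"

# Constructed sample in the format of the L2mfix export (shortened).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
  6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ddaby]
"Asynchronous"=dword:00000001
"DllName"="C:\\WINDOWS\\System32\\ddaby.dll"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\URL]
"DllName"="C:\\WINDOWS\\system32\\lvlm0931e.dll"
"""


def decode_hex2(value):
    """Decode a hex(2) value ('63,00,72,00,...') to its UTF-16LE string."""
    raw = bytes(int(b, 16) for b in value.split(",") if b.strip())
    return raw.decode("utf-16-le").rstrip("\x00")


def parse_notify_export(text):
    """Return {subkey: {value_name_lower: decoded_value}} for Notify subkeys."""
    # A trailing backslash continues a hex value on the next line: join them.
    text = re.sub(r",\\\r?\n\s*", ",", text)
    prefix = NOTIFY_KEY + "\\"
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            path = line[1:-1]
            current = path[len(prefix):] if path.lower().startswith(prefix.lower()) else None
            if current is not None:
                keys[current] = {}
            continue
        if current is None or "=" not in line:
            continue
        name, _, val = line.partition("=")
        name = name.strip('"').lower()
        if val.startswith('"') and val.endswith('"'):
            keys[current][name] = val[1:-1].replace("\\\\", "\\")  # un-escape
        elif val.lower().startswith("hex(2):"):
            keys[current][name] = decode_hex2(val[len("hex(2):"):])
        elif val.lower().startswith("dword:"):
            keys[current][name] = str(int(val[len("dword:"):], 16))
        else:
            keys[current][name] = val
    return keys


def triage_notify(keys):
    """List (subkey, dll, reasons) for packages that deviate from the stock set.

    Review the output rather than deleting on it: a legitimate third-party
    package would also fall outside the allow-list."""
    findings = []
    for subkey, values in keys.items():
        dll = values.get("dllname", "")
        base = dll.rsplit("\\", 1)[-1].lower()
        expected = KNOWN_NOTIFY_PACKAGES.get(subkey.lower())
        reasons = []
        if expected is None:
            reasons.append("subkey is not a stock XP notification package")
        elif base != expected:
            reasons.append("DllName %r differs from stock %r" % (base, expected))
        if "\\" in dll:
            reasons.append("DllName is an absolute path; stock packages use bare names")
        if reasons:
            findings.append((subkey, dll, reasons))
    return findings


def vundo_companion_names(dll_path):
    """Reverse the DLL stem, the way ddaby.dll pairs with ybadd.ini/.bak1/...
    in the VundoFix log, so the side files can be looked for in System32."""
    stem = dll_path.rsplit("\\", 1)[-1].rsplit(".", 1)[0].lower()
    return [stem[::-1] + ext for ext in (".ini", ".ini2", ".bak1", ".bak2", ".tmp")]


if __name__ == "__main__":
    for subkey, dll, reasons in triage_notify(parse_notify_export(SAMPLE_REG)):
        print("%s -> %s" % (subkey, dll))
        for reason in reasons:
            print("    " + reason)
        print("    look for: " + ", ".join(vundo_companion_names(dll)))
```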
     
  8. khazars

    khazars

    Joined:
    Feb 15, 2004
    Messages:
    12,302
    Nope, they are still showing up.

    Disable the McAfee shield and disable its real-time protection!

    Run L2mfix again from the last post and also the Vundo fix! If that fails to shift the Vundo, do the manual method, which I'll post for you after the SpySweeper instructions!



    Click Start > Run > and type in:

    services.msc

    Click OK.

    In the Services window, find Command Service (cmdService). Right-click it and choose "Properties". On the "General" tab, under "Service Status", click the "Stop" button to stop the service. Beside "Startup Type", in the dropdown menu select "Disabled". Click Apply, then OK. Exit the Services utility.



    Note: You may get an error here when trying to access the properties of the service. If you do get an error, just select the service, look in the top left of the main Services window and click "Stop" to stop the service. If that gives an error or it is already stopped, just skip this step and proceed with the rest.



    Please download WebRoot SpySweeper from HERE (it's a 2-week trial):

    http://www.webroot.com/consumer/products/spysweeper/index.html?acode=af1&rc=4129


    * Click the Free Trial link under "Downloads/SpySweeper" to download the program.
    * Install it. Once the program is installed, it will open.
    * It will prompt you to update to the latest definitions, click Yes.
    * Once the definitions are installed, click Options on the left side.
    * Click the Sweep Options tab.
    * Under What to Sweep please put a check next to the following:
    o Sweep Memory
    o Sweep Registry
    o Sweep Cookies
    o Sweep All User Accounts
    o Enable Direct Disk Sweeping
    o Sweep Contents of Compressed Files
    o Sweep for Rootkits
    o Please UNCHECK Do not Sweep System Restore Folder.
    * Click Sweep Now on the left side.
    * Click the Start button.
    * When it's done scanning, click the Next button.
    * Make sure everything has a check next to it, then click the Next button.
    * It will remove all of the items found.
    * Click Session Log in the upper right corner, copy everything in that window.
    * Click the Summary tab and click Finish.
    * Paste the contents of the session log you copied into your next reply.


    Run this fix if this entry below is still in your hijack this log!


    C:\WINDOWS\System32\ddaby.dll



    Please download VundoFix.exe to your desktop.


    http://www.atribune.org/downloads/VundoFix.exe



    * Double-click VundoFix.exe to extract the files
    * This will create a VundoFix folder on your desktop.
    * After the files are extracted, please reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode then hit enter.
    * Once in safe mode open the VundoFix folder and doubleclick on KillVundo.bat
    * You will first be presented with a warning and a list of forums to seek help at.
    it should look like this


    * At this point press enter one time.
    * Next you will see:


    * At this point please type the following file path (make sure to enter it exactly as below!):
    o C:\WINDOWS\System32\ddaby.dll
    * Press Enter, then press the F6 key, then press Enter one more time to continue with the fix.
    * Next you will see:

    * At this point please type the following file path (make sure to enter it exactly as below!):

    o C:\WINDOWS\System32\ybadd.*

    * Press Enter, then press the F6 key, then press Enter one more time to continue with the fix.
    * If you have a script blocker running, you may get a warning about a malicious script. Allow the script to run. It is not malicious.
    * The fix will run then HijackThis will open.
    * In HiJackThis, please place a check next to the following items and click FIX CHECKED:


    o O2 - BHO: ATLDistrib Object - {83A5F7B7-DC75-44CE-9195-264F41709FA9} - C:\WINDOWS\System32\ddaby.dll
    o O20 - Winlogon Notify: ddaby - C:\WINDOWS\System32\ddaby.dll
    o O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\R29uemFsbyBDZWJhbGxvcyBXYXRsaW5n\command.exe (file missing)


    * After you have fixed these items, close HijackThis and press any key to force a reboot of your computer.
    * Pressing any key will cause a "Blue Screen of Death"; this is normal, do not worry!
    * Once your machine reboots please continue with the instructions below.

    Download and install CleanUp!

    http://www.stevengould.org/software...p/download.html



    Open Cleanup! by double-clicking the icon on your desktop (or from the Start >
    All Programs menu).
    Set the program up as follows:
    Click "Options..."
    Move the arrow down to "Custom CleanUp!"
    Put a check next to the following (Make sure nothing else is checked!):

    * Empty Recycle Bins
    * Delete Cookies
    * Delete Prefetch files
    * Cleanup! All Users

    Click OK
    Press the CleanUp! button to start the program.

    It may ask you to reboot at the end, click NO.



    Run an online antivirus check from

    http://www.kaspersky.com/virusscanner



    Then, please run this online virus scan: ActiveScan

    http://www.pandasoftware.com/products/activescan.htm


    Copy the results of the ActiveScan and paste them here along with a new
    HiJackThis log and the vundofix.txt file from the vundofix folder into this
    topic. And post the spysweeper log!
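    A triage script for the HijackThis entries the steps above tell you to fix, added here as an example; it is not code from this thread, from HijackThis or from VundoFix. It assumes the log is plain text pasted as in this thread, and the base64-looking-directory check is an added heuristic rather than anything HijackThis reports.

```python
"""Triage helper for HijackThis logs.  It encodes what the steps above rely
on: a Vundo/Virtumundo DLL is registered both as an O2 BHO and as an O20
Winlogon Notify package, VundoFix is then told to remove a companion file
named with the DLL's base name reversed (ddaby.dll -> ybadd.*), and the
orphaned Command Service shows up as an O23 with an unknown owner and a
missing binary.  The base64-looking-directory check is an added heuristic."""
import re
from collections import defaultdict

# One regex per HijackThis entry kind handled here.
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.+)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<key>\S+) - (?P<path>.+)$")
O23_RE = re.compile(
    r"^O23 - Service: (?P<name>.*?) - (?P<owner>.*?) - (?P<path>.+?)"
    r"(?P<missing> \(file missing\))?$")
# Directory names made only of base64 characters, like the one in the thread's
# cmdService entry (heuristic, not a HijackThis rule).
BASE64_DIR_RE = re.compile(r"^[A-Za-z0-9+/]{16,}={0,2}$")


def parse_entries(log_text):
    """Return one dict per O2/O20/O23 line; every other line is skipped."""
    entries = []
    for raw in log_text.splitlines():
        line = raw.strip()
        # Forum pastes sometimes glue a list bullet onto the line ("oO20 - ...").
        line = re.sub(r"^o\s*(?=O\d+ - )", "", line)
        for kind, rx in (("O2", O2_RE), ("O20", O20_RE), ("O23", O23_RE)):
            m = rx.match(line)
            if m:
                entry = m.groupdict()
                entry["kind"] = kind
                entry["path"] = entry["path"].strip()
                entry["missing"] = bool(entry.get("missing"))
                entries.append(entry)
                break
    return entries


def split_path(path):
    """Split 'C:\\dir\\name.ext' into (dir, base, ext) on the Windows separator."""
    folder, _, filename = path.rpartition("\\")
    base, _, ext = filename.rpartition(".")
    if not base:  # no extension at all
        base, ext = filename, ""
    return folder, base, ext


def reversed_companion(path):
    """The glob VundoFix's second prompt asks for: base name reversed, any
    extension (C:\\WINDOWS\\System32\\ddaby.dll -> C:\\WINDOWS\\System32\\ybadd.*)."""
    folder, base, _ = split_path(path)
    return f"{folder}\\{base[::-1]}.*"


def triage(entries):
    """Map each suspicious path to the list of reasons it was flagged."""
    by_path = defaultdict(list)
    for e in entries:
        by_path[e["path"].lower()].append(e)

    findings = {}
    for es in by_path.values():
        path = es[0]["path"]
        reasons = []
        kinds = {e["kind"] for e in es}
        # The same DLL loaded as a BHO and as a Winlogon Notify package is the
        # pairing the VundoFix/HijackThis steps target.
        if {"O2", "O20"} <= kinds:
            reasons.append("same DLL as BHO and Winlogon Notify package (Vundo-style)")
            reasons.append("also check companion " + reversed_companion(path))
        for e in es:
            if e["kind"] != "O23":
                continue
            if e["missing"]:
                reasons.append("service binary missing: orphaned service entry")
            if e["owner"].lower() == "unknown owner":
                reasons.append("service has no publisher (Unknown owner)")
            last_dir = split_path(path)[0].rpartition("\\")[2]
            if BASE64_DIR_RE.match(last_dir):
                reasons.append("service lives in a base64-looking directory name")
        if reasons:
            findings[path] = reasons
    return findings


# Constructed sample: the entries quoted in this thread plus one legitimate service.
SAMPLE_LOG = r"""
O2 - BHO: ATLDistrib Object - {83A5F7B7-DC75-44CE-9195-264F41709FA9} - C:\WINDOWS\System32\ddaby.dll
oO20 - Winlogon Notify: ddaby - C:\WINDOWS\System32\ddaby.dll
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\R29uemFsbyBDZWJhbGxvcyBXYXRsaW5n\command.exe (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""

if __name__ == "__main__":
    for flagged, reasons in triage(parse_entries(SAMPLE_LOG)).items():
        print(flagged)
        for reason in reasons:
            print("   -", reason)
```

Feed it a full pasted log and only the paths that match one of these patterns come back, each with the reasons, so the legitimate McAfee and NVIDIA services on this machine stay out of the list.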
     
  9. Newnewone

    Newnewone Thread Starter

    Joined:
    Jan 20, 2006
    Messages:
    13
    I ran HijackThis (without disabling McAfee) and I don't see a trace of Ddaby.dll. I then ran Vundo and it didn't find anything when scanning, and the Remove Vundo pop-up window couldn't delete anything.
     
  10. Newnewone

    Newnewone Thread Starter

    Joined:
    Jan 20, 2006
    Messages:
    13
    Logfile of HijackThis v1.99.1
    Scan saved at 20:29:45, on 20/01/2006
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Archivos de programa\McAfee\Managed Firewall\MpfService.exe
    C:\Archivos de programa\McAfee\Managed VirusScan\Agent\myAgtSvc.exe
    C:\Archivos de programa\Network Monitor\netmon.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\snmp.exe
    C:\WINDOWS\System32\svchost.exe
    C:\ARCHIV~1\McAfee\MANAGE~1\VScan\McShield.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\Explorer.EXE
    C:\windows\system\hpsysdrv.exe
    C:\HP\KBD\KBD.EXE
    C:\Archivos de programa\Archivos comunes\Microsoft Shared\Works Shared\WkUFind.exe
    C:\Archivos de programa\QuickTime\qttask.exe
    C:\Archivos de programa\McAfee\Managed VirusScan\Agent\myagttry.exe
    C:\Archivos de programa\McAfee\Managed Firewall\MpfTray.exe
    C:\WINDOWS\System32\rundll32.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Archivos de programa\Internet Explorer\iexplore.exe
    C:\ARCHIV~1\McAfee\MANAGE~2\MpfConsole.exe
    C:\Archivos de programa\Outlook Express\msimn.exe
    C:\Archivos de programa\Messenger\msmsgs.exe
    C:\Documents and Settings\BUHO.PATA-BUHO\Mis documentos\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.telefonica.net/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.wanadoo.es
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-es7.hpwis.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-es7.hpwis.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://es7.hpwis.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
    O4 - HKLM\..\Run: [StorageGuard] "C:\Archivos de programa\VERITAS Software\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded
    O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
    O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Archivos de programa\Archivos comunes\Microsoft Shared\Works Shared\WkUFind.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Archivos de programa\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [enewsletterpro] C:\windows\enewsletterpro.exe
    O4 - HKLM\..\Run: [ccRegVfy] C:\Archivos de programa\Archivos comunes\Symantec Shared\ccRegVfy.exe
    O4 - HKLM\..\Run: [McAfee Managed Services Tray] "C:\Archivos de programa\McAfee\Managed VirusScan\Agent\myagttry.exe"
    O4 - HKLM\..\Run: [MVS Splash] C:\ARCHIV~1\McAfee\MANAGE~1\VScan\Splash.exe
    O4 - HKLM\..\Run: [MpfTray] C:\Archivos de programa\McAfee\Managed Firewall\MpfTray.exe
    O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
    O4 - HKCU\..\Run: [MSMSGS] "C:\Archivos de programa\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Sygate Personal Firewall] Slinder.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Archivos de programa\Microsoft Office\Office10\OSA.EXE
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O14 - IERESET.INF: START_PAGE_URL=http://www.wanadoo.es
    O16 - DPF: {40C83AF8-FEA7-4A6A-A470-431EE84A0886} (SecureObjectFactory Class) - http://descargaseguridad.telefonica.terra.es/VS2/bin/myCioAgt.20051213115437.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1137628905328
    O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/mcfscan/2,1,0,4672/mcfscan.cab
    O16 - DPF: {FAACB119-D8DD-4F91-9AE9-9CDE6FD230DB} (CentroSeguridad Class) - https://centroseguridad.telefonica.terra.es/central/CentroSeguridad.cab
    O18 - Protocol: myrm - {4D034FC3-013F-4B95-B544-44D49ABE3E76} - C:\Archivos de programa\McAfee\Managed VirusScan\Agent\MyRmProt3.5.0.478.dll
    O20 - Winlogon Notify: ModuleUsage - C:\WINDOWS\system32\fp4803hue.dll
    O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\R29uemFsbyBDZWJhbGxvcyBXYXRsaW5n\command.exe (file missing)
    O23 - Service: McShield - McAfee Inc. - C:\ARCHIV~1\McAfee\MANAGE~1\VScan\McShield.exe
    O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\Archivos de programa\McAfee\Managed Firewall\MpfService.exe
    O23 - Service: McAfee Managed Services Agent (myAgtSvc) - McAfee, Inc. - C:\Archivos de programa\McAfee\Managed VirusScan\Agent\myAgtSvc.exe
    O23 - Service: Network Monitor - Unknown owner - C:\Archivos de programa\Network Monitor\netmon.exe
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

    *******************************************************************
    VundoFix V4.0

    Listing files found while scanning....
     
  11. Newnewone

    Newnewone Thread Starter

    Joined:
    Jan 20, 2006
    Messages:
    13
    Thanks Khazars. Should I do anything else?
     
  12. khazars

    khazars

    Joined:
    Feb 15, 2004
    Messages:
    12,302
    Yes, you still have L2M. Run the l2mfix bat and also run SpySweeper, and disable McAfee. The file in the O20 entry of your log has changed, so it might be a new variant?


    You may have to run this two to three times to get rid of it!


    Close any programs you have open since this step requires a reboot.

    From the l2mfix folder on your desktop, double click l2mfix.bat and select
    option #2 for Run Fix by typing 2 and then pressing enter, then it will ask
    for a password enter bye (lowercase) then hit enter. Your desktop and icons
    will disappear (this is normal). L2mfix will continue to scan your computer
    and when it's finished, it will be ready for a reboot. Press any key to
    reboot. After the reboot notepad will open with a log. Copy the contents of
    that log and paste it back into this thread, along with a new HijackThis log.

    IMPORTANT: Do NOT run any other files in the l2mfix folder unless you are
    asked to do so!

    If after the reboot the log does not open double click on it in the l2mfix folder.


    Post another log, the SpySweeper log and the l2mfix log!
     
  13. khazars

    khazars

    Joined:
    Feb 15, 2004
    Messages:
    12,302
    Did you do this?


    Click Start > Run > and type in:

    services.msc

    Click OK.

    In the services window find Command Service (cmdService)
    Right click and choose "Properties". On the "General" tab under "Service
    Status" click the "Stop" button to stop the service. Beside "Startup Type"
    in the dropdown menu select "Disabled". Click Apply then OK. Exit the
    Services utility.



    Note: You may get an error here when trying to access the properties of the
    service. If you do get an error, just select the service and look there in
    the top left of the main service window and click "Stop" to stop the service. If that gives an error or it is already stopped, just skip this step and proceed with the rest.



    Have HijackThis fix these entries.


    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\R29uemFsbyBDZWJhbGxvcyBXYXRsaW5n\command.exe (file missing)
     
  14. Newnewone

    Newnewone Thread Starter

    Joined:
    Jan 20, 2006
    Messages:
    13
    This is the L2m fix log file:
    L2mfix 010406
    Creating Account.
    Se ha completado el comando correctamente.

    Adding Administrative privleges.
    Checking for L2MFix account(0=no 1=yes):
    1
    Granting SeDebugPrivilege to L2MFIX ... successful
    Checking for L2MFix account(0=no 1=yes):
    0
    Zipping up files for submission:
    zip warning: name not matched: dlls\*.*

    zip error: Nothing to do! (backup.zip)
    updating: backregs/07E82CFC-10B4-44EA-899D-8F5B522604D8.reg (188 bytes security) (deflated 70%)
    updating: backregs/218A684B-B3CC-434B-B85B-D1B55E69B300.reg (188 bytes security) (deflated 70%)
    updating: backregs/23FBD0F0-C0FF-4B11-9354-E4B50F81537B.reg (188 bytes security) (deflated 70%)
    updating: backregs/3A9F36A4-7930-4C8B-AA48-BD9BAF41FBCF.reg (188 bytes security) (deflated 70%)
    updating: backregs/6605DBB1-2D82-4128-B988-C7DF230C78B6.reg (188 bytes security) (deflated 69%)
    updating: backregs/8DF24105-CFCC-4A2D-83E5-9B0B86ED8557.reg (188 bytes security) (deflated 69%)
    updating: backregs/9FF77852-C0D5-46CA-AD63-5F7A478B73A5.reg (188 bytes security) (deflated 70%)
    updating: backregs/B963291B-595F-4B4A-BBDF-F22773C11191.reg (188 bytes security) (deflated 70%)
    updating: backregs/F4B9BAAD-7D8D-4640-B553-8C663D3CFF81.reg (188 bytes security) (deflated 70%)
    updating: backregs/notibac.reg (164 bytes security) (deflated 87%)
    updating: backregs/shell.reg (164 bytes security) (deflated 73%)
    adding: backregs/BC8793CA-AEB7-4763-9125-ADB6212E34D2.reg (188 bytes security) (deflated 70%)
    ***************************************************************************
    ********
    2:03: | Start of Session, sábado, 21 de enero de 2006 |
    2:03: Spy Sweeper started
    2:03: Sweep initiated using definitions version 604
    2:03: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
    2:03: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
    2:03: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
    2:03: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
    2:03: Starting Memory Sweep
    2:04: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
    2:04: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
    2:04: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
    2:04: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
    2:04: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
    2:04: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
    2:04: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
    2:04: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
    2:05: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
    2:05: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
    2:05: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
    2:05: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
    2:05: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
    2:05: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
    2:05: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
    2:05: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
    2:06: Found Adware: command
    2:06: Detected running threat: C:\Archivos de programa\Network Monitor\netmon.exe (ID = 231443)
    2:06: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
    2:06: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
    2:06: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
    2:06: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
    2:06: Memory Sweep Complete, Elapsed Time: 00:03:25
    2:06: Starting Registry Sweep
    2:06: Found Adware: findthewebsiteyouneed hijack
    2:06: HKLM\software\microsoft\internet explorer\main\ || search page (ID = 125241)
    2:06: HKLM\software\microsoft\internet explorer\search\ || searchassistant (ID = 125242)
    2:07: Found Adware: targetsaver
    2:07: HKLM\software\microsoft\windows\currentversion\uninstall\tsa\ (2 subtraces) (ID = 143607)
    2:07: HKU\.default\software\microsoft\internet explorer\search\searchassistant explorer\main\ || default_search_url (ID = 555438)
    2:07: HKLM\software\microsoft\windows\currentversion\uninstall\{3877c2cd-f137-4144-bdb2-0a811492f920}\ (7 subtraces) (ID = 892523)
    2:07: Found Adware: dollarrevenue
    2:07: HKLM\software\microsoft\drsmartload\ (1 subtraces) (ID = 916795)
    2:07: HKLM\system\currentcontrolset\services\cmdservice\ (12 subtraces) (ID = 958670)
    2:07: HKLM\system\currentcontrolset\enum\root\legacy_cmdservice\0000\ (6 subtraces) (ID = 1016064)
    2:07: HKLM\system\currentcontrolset\enum\root\legacy_cmdservice\ (8 subtraces) (ID = 1016072)
    2:07: HKLM\software\microsoft\windows\currentversion\run\ || enewsletterpro (ID = 1108480)
    2:07: HKLM\software\microsoft\windows\currentversion\uninstall\{a394e835-c8d6-4b4b-884b-d2709059f3be}\ (7 subtraces) (ID = 1110756)
    2:07: Found Adware: cws-aboutblank
    2:07: HKU\S-1-5-21-3330936777-1069917521-2066355643-1006\software\microsoft\internet explorer\main\ || homeoldsp (ID = 115923)
    2:07: Found Trojan Horse: trojan_backdoor_irc_spybot
    2:07: HKU\S-1-5-21-3330936777-1069917521-2066355643-1006\software\microsoft\windows\currentversion\run\ || sygate personal firewall (ID = 144991)
    2:07: HKU\S-1-5-21-3330936777-1069917521-2066355643-1006\software\microsoft\internet explorer\search\searchassistant explorer\main\ || default_search_url (ID = 555437)
    2:07: HKU\WRSS_Profile_S-1-5-21-3330936777-1069917521-2066355643-1003\software\microsoft\windows\currentversion\run\ || sygate personal firewall (ID = 144991)
    2:07: HKU\S-1-5-18\software\microsoft\internet explorer\main\ || default_search_url (ID = 125236)
    2:07: HKU\S-1-5-18\software\microsoft\internet explorer\main\ || search bar (ID = 125237)
    2:07: HKU\S-1-5-18\software\microsoft\internet explorer\main\ || search page (ID = 125238)
    2:07: HKU\S-1-5-18\software\microsoft\internet explorer\main\ || start page (ID = 125239)
    2:07: HKU\S-1-5-18\software\microsoft\internet explorer\search\searchassistant explorer\main\ || default_search_url (ID = 555437)
    2:07: HKU\S-1-5-18\software\microsoft\internet explorer\main\ || search bar (ID = 790268)
    2:07: HKU\S-1-5-18\software\microsoft\internet explorer\main\ || default_search_url (ID = 790269)
    2:07: Registry Sweep Complete, Elapsed Time:00:00:18
    2:07: Starting Cookie Sweep
    2:07: Found Spy Cookie: statcounter cookie
    2:07: [email protected][1].txt (ID = 3447)
    2:07: Found Spy Cookie: yieldmanager cookie
    2:07: [email protected][1].txt (ID = 3751)
    2:07: Found Spy Cookie: falkag cookie
    2:07: [email protected][2].txt (ID = 2650)
    2:07: Found Spy Cookie: azjmp cookie
    2:07: [email protected][1].txt (ID = 2270)
    2:07: Found Spy Cookie: belnk cookie
    2:07: [email protected][1].txt (ID = 2292)
    2:07: Found Spy Cookie: hitslink cookie
    2:07: [email protected][2].txt (ID = 2790)
    2:07: Found Spy Cookie: directtrack cookie
    2:07: [email protected][1].txt (ID = 2527)
    2:07: [email protected][2].txt (ID = 2293)
    2:07: Found Spy Cookie: maxserving cookie
    2:07: [email protected][1].txt (ID = 2966)
    2:07: Found Spy Cookie: overture cookie
    2:07: [email protected][2].txt (ID = 3105)
    2:07: Found Spy Cookie: paypopup cookie
    2:07: [email protected][1].txt (ID = 3119)
    2:07: [email protected][1].txt (ID = 3106)
    2:07: [email protected][2].txt (ID = 2528)
    2:07: Found Spy Cookie: reliablestats cookie
    2:07: [email protected][1].txt (ID = 3254)
    2:07: Found Spy Cookie: tradedoubler cookie
    2:07: [email protected][2].txt (ID = 3575)
    2:07: Found Spy Cookie: epilot cookie
    2:07: [email protected][1].txt (ID = 2622)
    2:07: Found Spy Cookie: screensavers.com cookie
    2:07: [email protected][2].txt (ID = 3298)
    2:07: Found Spy Cookie: winantiviruspro cookie
    2:07: [email protected][1].txt (ID = 3690)
    2:07: Cookie Sweep Complete, Elapsed Time: 00:00:01
    2:07: Starting File Sweep
    2:07: c:\archivos de programa\network monitor (1 subtraces) (ID = -2147459771)
    2:07: Found Adware: look2me
    2:07: installer[2].exe (ID = 168558)
    2:07: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
    2:07: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
    2:07: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
    2:07: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
    2:07: tsupdate2[2].ini (ID = 193498)
    2:07: tsuninst.exe (ID = 193501)
    2:07: class-barrel (ID = 78229)
    2:07: vocabulary (ID = 78283)
    2:07: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
    2:07: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
    2:07: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
    2:07: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
    2:08: Found Adware: ps2
    2:08: ps2.bat (ID = 72826)
    2:08: ps2.exe (ID = 72826)
    2:08: ps2.bat (ID = 72826)
    2:08: ps2.bat (ID = 72826)
    2:08: ps2.bat (ID = 72826)
    2:08: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
    2:08: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
    2:08: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
    2:08: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
    2:09: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
    2:09: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
    2:09: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
    2:09: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
    2:09: nzptools.dll (ID = 159)
    2:09: irfgnt5.dll (ID = 159)
    2:09: fp0203doe.dll (ID = 159)
    2:09: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
    2:09: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
    2:09: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
    2:09: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
    2:10: cufview.dll (ID = 159)
    2:10: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
    2:10: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
    2:10: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
    2:10: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
    2:11: uninstall_nmon.vbs (ID = 231442)
    2:11: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
    2:11: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
    2:11: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
    2:11: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
    2:11: mxdrv.dll (ID = 159)
    2:11: nzwrsnl.dll (ID = 159)
    2:11: drsmartload[1].exe (ID = 208539)
    2:11: stub_113_4_0_4_0[1].exe (ID = 193995)
    2:11: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
    2:11: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
    2:11: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
    2:11: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
    2:11: mte3ndi6odoxng[1].exe (ID = 185985)
    2:11: installer[1].exe (ID = 230778)
    2:12: ps2.bat (ID = 72826)
    2:12: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
    2:12: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
    2:12: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
    2:12: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
    2:12: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
    2:12: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
    2:12: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
    2:12: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
    2:12: oceprn.dll (ID = 159)
    2:12: aemfd.dll (ID = 159)
    2:13: l62s0gf7e62.dll (ID = 159)
    2:13: enpol1731.dll (ID = 159)
    2:13: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
    2:13: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
    2:13: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
    2:13: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
    2:13: sbcfiles.dll (ID = 159)
    2:14: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
    2:14: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
    2:14: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
    2:14: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
    2:14: rapwsx.dll (ID = 159)
    2:14: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
    2:14: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
    2:14: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
    2:14: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
    2:14: ps2.bat (ID = 72826)
    2:15: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
    2:15: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
    2:15: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
    2:15: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
    2:15: k0lq0a35ed.dll (ID = 159)
    2:15: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
    2:15: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
    2:15: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
    2:15: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
    2:16: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
    2:16: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
    2:16: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
    2:16: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
    2:17: moorcl32.dll (ID = 159)
    2:17: mpwsock.dll (ID = 159)
    2:17: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
    2:17: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
    2:17: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
    2:17: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
    2:17: i8nmli5118.dll (ID = 159)
    2:17: uqrfaxa.dll (ID = 159)
    2:17: ps2.bat (ID = 72826)
    2:18: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
    2:18: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
    2:18: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
    2:18: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
    2:18: qjery.dll (ID = 159)
    2:18: nntfxperf.dll (ID = 159)
    2:18: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
    2:18: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
    2:18: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
    2:18: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
    2:18: fpr4039qe.dll (ID = 159)
    2:19: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
    2:19: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
    2:19: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
    2:19: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
    2:19: Found Adware: apropos
    2:19: atmtd.dll._ (ID = 166754)
    2:19: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
    2:19: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
    2:19: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
    2:19: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
    2:19: bw2.com (ID = 65721)
    2:20: qqv.dll (ID = 159)
    2:20: n84s0ih7e84.dll (ID = 159)
    2:20: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
    2:20: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
    2:20: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
    2:20: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
    2:20: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
    2:20: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
    2:20: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
    2:20: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
    2:21: oefox32.dll (ID = 159)
    2:22: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
    2:22: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
    2:22: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
    2:22: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
    2:22: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
    2:22: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
    2:22: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
    2:22: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
    2:22: mqricons.dll (ID = 159)
    2:23: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
    2:23: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
    2:23: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
    2:23: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
    2:23: ps2.exe (ID = 72826)
    2:23: HKLM\Software\Microsoft\Windows\CurrentVersion\Run || PS2 (ID = 0)
    2:23: netmon.exe (ID = 231443)
    2:23: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
    2:23: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
    2:23: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
    2:23: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
    2:23: lvl8093ue.dll (ID = 159)
    2:23: atmtd.dll (ID = 166754)
    2:23: lz6ryaipvv1gtql1v3uswv1rsrlpuqcb.vbs (ID = 185675)
    2:23: donotdelete[1].htm (ID = 198788)
    2:23: drsmartload.dat (ID = 198788)
    2:24: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
    2:24: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
    2:24: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
    2:24: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
    2:24: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
    2:24: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
    2:24: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
    2:24: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
    2:25: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
    2:25: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
    2:25: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
    2:25: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
    2:25: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
    2:25: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
    2:25: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
    2:25: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
    2:26: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
    2:26: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
    2:26: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
    2:26: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
    2:27: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
    2:27: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
    2:27: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
    2:27: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
    2:27: File Sweep Complete, Elapsed Time: 00:20:02
    2:27: Full Sweep has completed. Elapsed time 00:23:50
    2:27: Traces Found: 138
    2:27: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
    2:27: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
    2:27: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
    2:27: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
    2:27: Removal process initiated
    2:28: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
    2:28: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
    2:28: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
    2:28: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
    2:28: Quarantining All Traces: cws-aboutblank
    2:28: Quarantining All Traces: look2me
    2:28: look2me is in use. It will be removed on reboot.
    2:28: fp0203doe.dll is in use. It will be removed on reboot.
    2:28: cufview.dll is in use. It will be removed on reboot.
    2:28: k0lq0a35ed.dll is in use. It will be removed on reboot.
    2:28: Quarantining All Traces: apropos
    2:28: Quarantining All Traces: dollarrevenue
    2:28: Quarantining All Traces: trojan_backdoor_irc_spybot
    2:28: Quarantining All Traces: command
    2:29: command is in use. It will be removed on reboot.
    2:29: c:\archivos de programa\network monitor is in use. It will be removed on reboot.
    2:29: netmon.exe is in use. It will be removed on reboot.
    2:29: C:\Archivos de programa\Network Monitor\netmon.exe is in use. It will be removed on reboot.
    2:29: Quarantining All Traces: findthewebsiteyouneed hijack
    2:29: Quarantining All Traces: ps2
    2:29: Quarantining All Traces: targetsaver
    2:29: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
    2:29: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
    2:29: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
    2:29: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
    2:29: Quarantining All Traces: azjmp cookie
    2:29: Quarantining All Traces: belnk cookie
    2:29: Quarantining All Traces: directtrack cookie
    2:29: Quarantining All Traces: epilot cookie
    2:29: Quarantining All Traces: falkag cookie
    2:29: Quarantining All Traces: hitslink cookie
    2:29: Quarantining All Traces: maxserving cookie
    2:29: Quarantining All Traces: overture cookie
    2:29: Quarantining All Traces: paypopup cookie
    2:29: Quarantining All Traces: reliablestats cookie
    2:29: Quarantining All Traces: screensavers.com cookie
    2:29: Quarantining All Traces: statcounter cookie
    2:29: Quarantining All Traces: tradedoubler cookie
    2:29: Quarantining All Traces: winantiviruspro cookie
    2:29: Quarantining All Traces: yieldmanager cookie
    2:29: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
    2:29: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
    2:29: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
    2:29: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
    2:30: Removal process completed. Elapsed time 00:02:04
    ********
    2:01: | Start of Session, sábado, 21 de enero de 2006 |
    2:01: Spy Sweeper started
    2:02: Your spyware definitions have been updated.
    2:03: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
    2:03: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
    2:03: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
    2:03: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
    2:03: | End of Session, sábado, 21 de enero de 2006 |
     
  15. Newnewone

    Newnewone Thread Starter

    Joined:
    Jan 20, 2006
    Messages:
    13
    *****************************************************************************
    Logfile of HijackThis v1.99.1
    Scan saved at 2:31:14, on 21/01/2006
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\Explorer.EXE
    C:\windows\system\hpsysdrv.exe
    C:\HP\KBD\KBD.EXE
    C:\Archivos de programa\Archivos comunes\Microsoft Shared\Works Shared\WkUFind.exe
    C:\Archivos de programa\QuickTime\qttask.exe
    C:\Archivos de programa\McAfee\Managed VirusScan\Agent\myagttry.exe
    C:\Archivos de programa\McAfee\Managed Firewall\MpfTray.exe
    C:\WINDOWS\System32\rundll32.exe
    C:\Archivos de programa\McAfee\Managed Firewall\MpfService.exe
    C:\Archivos de programa\McAfee\Managed VirusScan\Agent\myAgtSvc.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\snmp.exe
    C:\WINDOWS\System32\svchost.exe
    C:\ARCHIV~1\McAfee\MANAGE~1\VScan\McShield.exe
    C:\Archivos de programa\Internet Explorer\iexplore.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Archivos de programa\Webroot\Spy Sweeper\SpySweeper.exe
    C:\Archivos de programa\Webroot\Spy Sweeper\WRSSSDK.exe
    C:\Archivos de programa\McAfee\Managed VirusScan\Agent\HtmlDlg.Exe
    C:\Documents and Settings\BUHO.PATA-BUHO\Mis documentos\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.telefonica.net/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.wanadoo.es
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-es7.hpwis.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-es7.hpwis.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://es7.hpwis.com/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
    O4 - HKLM\..\Run: [StorageGuard] "C:\Archivos de programa\VERITAS Software\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded
    O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Archivos de programa\Archivos comunes\Microsoft Shared\Works Shared\WkUFind.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Archivos de programa\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [ccRegVfy] C:\Archivos de programa\Archivos comunes\Symantec Shared\ccRegVfy.exe
    O4 - HKLM\..\Run: [McAfee Managed Services Tray] "C:\Archivos de programa\McAfee\Managed VirusScan\Agent\myagttry.exe"
    O4 - HKLM\..\Run: [MVS Splash] C:\ARCHIV~1\McAfee\MANAGE~1\VScan\Splash.exe
    O4 - HKLM\..\Run: [MpfTray] C:\Archivos de programa\McAfee\Managed Firewall\MpfTray.exe
    O4 - HKLM\..\Run: [SpySweeper] "C:\Archivos de programa\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
    O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
    O4 - HKCU\..\Run: [MSMSGS] "C:\Archivos de programa\Messenger\msmsgs.exe" /background
    O4 - Global Startup: Microsoft Office.lnk = C:\Archivos de programa\Microsoft Office\Office10\OSA.EXE
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O14 - IERESET.INF: START_PAGE_URL=http://www.wanadoo.es
    O16 - DPF: {40C83AF8-FEA7-4A6A-A470-431EE84A0886} (SecureObjectFactory Class) - http://descargaseguridad.telefonica.terra.es/VS2/bin/myCioAgt.20051213115437.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1137628905328
    O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/mcfscan/2,1,0,4672/mcfscan.cab
    O16 - DPF: {FAACB119-D8DD-4F91-9AE9-9CDE6FD230DB} (CentroSeguridad Class) - https://centroseguridad.telefonica.terra.es/central/CentroSeguridad.cab
    O18 - Protocol: myrm - {4D034FC3-013F-4B95-B544-44D49ABE3E76} - C:\Archivos de programa\McAfee\Managed VirusScan\Agent\MyRmProt3.5.0.478.dll
    O20 - Winlogon Notify: App Management - C:\WINDOWS\system32\k0lq0a35ed.dll
    O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
    O23 - Service: McShield - McAfee Inc. - C:\ARCHIV~1\McAfee\MANAGE~1\VScan\McShield.exe
    O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\Archivos de programa\McAfee\Managed Firewall\MpfService.exe
    O23 - Service: McAfee Managed Services Agent (myAgtSvc) - McAfee, Inc. - C:\Archivos de programa\McAfee\Managed VirusScan\Agent\myAgtSvc.exe
    O23 - Service: Network Monitor - Unknown owner - C:\Archivos de programa\Network Monitor\netmon.exe
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Archivos de programa\Webroot\Spy Sweeper\WRSSSDK.exe
     
Short URL to this thread: https://techguy.org/435687
