download.generic2.FTK trojan

[aloholoh]

Hello

Hope you can help me solve this problem.

Ok. so every now and then I get a virus identified by AVG - downloader.generic2.FTK

but when I try to heal the virus I get an error message- error 0x8007007b
sorry can't remember the location although I think it is system32??

also, I use firefox but a few times a day I get a explorer browser opening for no reason with a antivirus download page announcement

log below, thanks


Logfile of HijackThis v1.99.1
Scan saved at 4:49:37 p.m., on 25/07/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Archivos de programa\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SYSTEM32\Ati2evxx.exe
C:\Archivos de programa\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Archivos de programa\ScanSoft\PaperPort\pptd40nt.exe
C:\Archivos de programa\Brother\ControlCenter2\brctrcen.exe
C:\Archivos de programa\Java\jre1.5.0_06\bin\jusched.exe
C:\Archivos de programa\iTunes\iTunesHelper.exe
C:\Archivos de programa\QuickTime\qttask.exe
C:\Archivos de programa\Archivos comunes\Real\Update_OB\realsched.exe
C:\Archivos de programa\Windows Defender\MSASCui.exe
C:\ARCHIV~1\Grisoft\AVGFRE~1\avgcc.exe
C:\ARCHIV~1\ALIBABA\TRADEM~1\TradeManager.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Archivos de programa\Messenger\msmsgs.exe
C:\ARCHIV~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\Archivos de programa\Skype\Phone\Skype.exe
C:\ARCHIV~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\ARCHIV~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Archivos de programa\Trend Micro\Tmas\Tmas.exe
C:\Archivos de programa\Archivos comunes\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\Archivos de programa\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\Archivos de programa\MSN Messenger\msnmsgr.exe
C:\WINDOWS\explorer.exe
C:\Archivos de programa\Internet Explorer\iexplore.exe
C:\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=56626&homepage=http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = localhost:4001
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
R3 - Default URLSearchHook is missing
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Archivos de programa\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\es\msntb.dll
O4 - HKLM\..\Run: [RemoteControl] "C:\Archivos de programa\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Archivos de programa\Archivos comunes\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] C:\Archivos de programa\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Archivos de programa\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [ControlCenter2.0] C:\Archivos de programa\Brother\ControlCenter2\brctrcen.exe /autorun
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Archivos de programa\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Archivos de programa\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Archivos de programa\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Archivos de programa\Archivos comunes\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Windows Defender] "C:\Archivos de programa\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [defender] C:\\dfndrb_3.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\ARCHIV~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [TradeManager] C:\ARCHIV~1\ALIBABA\TRADEM~1\TradeManager -hideframe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Archivos de programa\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Archivos de programa\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Startup: Adobe Gamma.lnk = C:\Archivos de programa\Archivos comunes\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Inicio rápido de Adobe Reader.lnk = C:\Archivos de programa\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Trend Micro Anti-Spyware.lnk = C:\Archivos de programa\Trend Micro\Tmas\Tmas.exe
O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\ARCHIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Consola de Sun Java - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Referencia - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARCHIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.beep.es
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1153655572187
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/is...10/mcfscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{10B8D5D0-9C3D-42D8-BB71-3CD929CD4304}: NameServer = 212.145.4.97,212.145.4.98
O17 - HKLM\System\CS1\Services\Tcpip\..\{10B8D5D0-9C3D-42D8-BB71-3CD929CD4304}: NameServer = 212.145.4.97,212.145.4.98
O17 - HKLM\System\CS2\Services\Tcpip\..\{10B8D5D0-9C3D-42D8-BB71-3CD929CD4304}: NameServer = 212.145.4.97,212.145.4.98
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARCHIV~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARCHIV~1\MSNMES~1\MSGRAP~1.DLL
O20 - AppInit_DLLs: C:\WINDOWS\system32\smss.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Archivos de programa\Archivos comunes\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\ARCHIV~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\ARCHIV~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\ARCHIV~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Archivos de programa\Archivos comunes\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Archivos de programa\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Archivos de programa\Archivos comunes\Macromedia Shared\Service\Macromedia Licensing.exe

[aloholoh]

ok it is back so here it is

C:\Windows\?racle\ping.exe

Trojan horse Downloader.generic2.FTK

Thanks

[Ried]

Hello aloholoh and welcome,

Please copy this page to Notepad and save to your desktop for reference as you will not have any browsers open while you are carrying out these instructions.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

******************************************

Please download Ewido anti-spyware 4.0 from HERE and save that file to your desktop.
This is a 30 trial of the program

1. Once you have downloaded ewido anti-spyware, locate the icon on the desktop and double-click it to launch the set up program.
2. Once the setup is complete you will need run ewido and update the definition files.
3. On the main screen select the icon "Update" then select the "Update now" link.
   • Next select the "Start Update" button, the update will start and a progress bar will show the updates being installed.
4. Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
5. Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
6. Under "Reports"
   • Select "Automatically generate report after every scan"
   • Un-Select "Only if threats were found"

Close ewido anti-spyware, Do Not run a scan just yet, we will shortly.


Please download Brute Force Uninstaller to your desktop.

• Right click the BFU folder on your desktop, and choose Extract All
• Click "Next"
• In the box to choose where to extract the files to,
• Click "Browse"
• Click on the + sign next to "My Computer"
• Click on "Local Disk (C:) or whatever your primary drive is
• Click "Make New Folder"
• Type in BFU
• Click "Next", and Uncheck the "Show Extracted Files" box and then click "Finish".

RIGHT-CLICK HERE and choose "Save As" (in IE it's "Save Target As") in order to download Alcra PLUS Remover.
Save it in the same folder you made earlier (c:BFU).

Do not do anything with these yet!

------------------------------------

Please disable the following program(s) as they may interfere with the fixes below. You may re-enable them when we are through:

Windows Defender:

• Open Windows Defender.
• Click on Tools, Options.
• Scroll down and uncheck Turn on real-time protection (recommended).
• After you uncheck this, click on the Save button and close Windows Defender.

------------------------------------

• First, click Start > Control Panel > Add/Remove Programs
• In the list of installed software, look for PuritySCAN By OIN, OuterInfo, OIN Snowballwars or similar
• If you find it:
• Click on it and click Remove.
• Reboot and delete the folder C:\Program Files\PurityScan and also delete the folders of any of the programs you found in the Add/Remove panel. These would be located in C:\Program Files.
• if not:
• Download and run the Oiuninstaller
  There is a tutorial for the uninstaller available
• When the uninstaller is done, reboot and delete the folder C:\Program Files\PurityScan (if it's still there)

------------------------------------

Reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Use the up arrow key to highlight Safe Mode and press Enter.
5) Login on your usual account. Make sure to close any open browsers.

-----------------------------------

Open HijackThis and click on 'Do a System Scan Only'. Check the following entries:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R3 - Default URLSearchHook is missing
O20 - AppInit_DLLs: C:\WINDOWS\system32\smss.dll


Click 'Fix Checked' and close HijackThis.

-----------------------------------

IMPORTANT: Do not open any other windows or programs while ewido is scanning, it may interfere with the scanning proccess:

• Lauch ewido-anti-spyware by double-clicking the icon on your desktop.
• Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan".
• ewido will now begin the scanning process, be patient this may take a little time.
  Once the scan is complete do the following:
• If you have any infections you will prompted, then select "Apply all actions"
• Next select the "Reports" icon at the top.
• Select the "Save report as" button in the lower left hand of the screen and save it to a text file on your system (make sure to remember where you saved that file, this is important).
• Close ewido and reboot your system back into Normal Mode and post the results of the ewido report scan.

**Ewido is compatible with most AV and anti-spyware products, and the free version will continue to be useful as a second anti-malware scanner.

-----------------------------------

Now, please go to Start > My Computer and navigate to the C:BFU folder.

• Start the Brute Force Uninstaller by doubleclicking BFU.exe
• Beside the scriptline to execute field click the folder icon and select alcanshorty.bfu by double clicking on it.
• Press Execute and let it do it’s job. (You ought to see a blue progress bar if you did this correctly.)
• Wait for the complete script execution box to pop up and press OK.
• Press exit to terminate the BFU program.

-----------------------------------

Reboot into Normal Mode.

-----------------------------------

Perform an online scan using Internet Explorer with Panda ActiveScan
** click on "Free use ActiveScan" located on the top right hand corner

1. Click Check Now & a 'pop up' window shall appear. *ensure that your pop up blocker doesn't block it
2. Enter your e-mail address, country, and state & click Scan Now ...begins downloading 8 MB Panda's ActiveX controls

Begin the scan by selecting My Computer

• If it finds any malware, it will offer you a report.
• Please ignore any entry it finds and wants you to buy the program for removal as we will address this later.
• Click on see report. Then click Save report

Please include the following in your next reply:

Ewido results
Panda results
New HijackThis log

[aloholoh]

Reports below - when I went to fix the RS as instructed above it was not there...

---------------------------------------------------------
ewido anti-spyware - Scan Report
---------------------------------------------------------

+ Created at: 6:45:19 p.m. 26/07/2006

+ Scan result:



HKU\S-1-5-21-361383735-3539346156-3253858783-1005\Software\Classes\CLSID\{7916f057-223f-4612-ac84-e882cbe043d4} -> Adware.Generic : Cleaned with backup (quarantined).
HKU\S-1-5-21-361383735-3539346156-3253858783-1005_Classes\CLSID\{7916f057-223f-4612-ac84-e882cbe043d4} -> Adware.Generic : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Clickspring -> Adware.PurityScan : Cleaned with backup (quarantined).
C:\WINDOWS\system32\1024 -> Trojan.Small : Cleaned with backup (quarantined).


::Report end


Logfile of HijackThis v1.99.1
Scan saved at 9:55:39 a.m., on 27/07/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Archivos de programa\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SYSTEM32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Archivos de programa\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Archivos de programa\ScanSoft\PaperPort\pptd40nt.exe
C:\Archivos de programa\Brother\ControlCenter2\brctrcen.exe
C:\Archivos de programa\Java\jre1.5.0_06\bin\jusched.exe
C:\Archivos de programa\iTunes\iTunesHelper.exe
C:\Archivos de programa\QuickTime\qttask.exe
C:\Archivos de programa\Archivos comunes\Real\Update_OB\realsched.exe
C:\Archivos de programa\Windows Defender\MSASCui.exe
C:\ARCHIV~1\Grisoft\AVGFRE~1\avgcc.exe
C:\ARCHIV~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\ARCHIV~1\ALIBABA\TRADEM~1\TradeManager.exe
C:\Archivos de programa\ewido anti-spyware 4.0\ewido.exe
C:\ARCHIV~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\ARCHIV~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Archivos de programa\Messenger\msmsgs.exe
C:\Archivos de programa\Skype\Phone\Skype.exe
C:\Archivos de programa\ewido anti-spyware 4.0\guard.exe
C:\Archivos de programa\Archivos comunes\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Archivos de programa\Trend Micro\Tmas\Tmas.exe
C:\WINDOWS\system32\svchost.exe
C:\Archivos de programa\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\Archivos de programa\Internet Explorer\IEXPLORE.EXE
C:\Archivos de programa\MSN Messenger\msnmsgr.exe
C:\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=56626&homepage=http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = localhost:4001
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Archivos de programa\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\es\msntb.dll
O4 - HKLM\..\Run: [RemoteControl] "C:\Archivos de programa\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Archivos de programa\Archivos comunes\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] C:\Archivos de programa\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Archivos de programa\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [ControlCenter2.0] C:\Archivos de programa\Brother\ControlCenter2\brctrcen.exe /autorun
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Archivos de programa\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Archivos de programa\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Archivos de programa\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Archivos de programa\Archivos comunes\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Windows Defender] "C:\Archivos de programa\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [AVG7_CC] C:\ARCHIV~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [TradeManager] C:\ARCHIV~1\ALIBABA\TRADEM~1\TradeManager -hideframe
O4 - HKLM\..\Run: [!ewido] "C:\Archivos de programa\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Archivos de programa\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Archivos de programa\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Startup: Adobe Gamma.lnk = C:\Archivos de programa\Archivos comunes\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Inicio rápido de Adobe Reader.lnk = C:\Archivos de programa\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Trend Micro Anti-Spyware.lnk = C:\Archivos de programa\Trend Micro\Tmas\Tmas.exe
O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\ARCHIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Consola de Sun Java - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Referencia - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARCHIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.beep.es
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1153655572187
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/is...10/mcfscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{10B8D5D0-9C3D-42D8-BB71-3CD929CD4304}: NameServer = 212.145.4.97,212.145.4.98
O17 - HKLM\System\CS1\Services\Tcpip\..\{10B8D5D0-9C3D-42D8-BB71-3CD929CD4304}: NameServer = 212.145.4.97,212.145.4.98
O17 - HKLM\System\CS2\Services\Tcpip\..\{10B8D5D0-9C3D-42D8-BB71-3CD929CD4304}: NameServer = 212.145.4.97,212.145.4.98
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARCHIV~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARCHIV~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Archivos de programa\Archivos comunes\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\ARCHIV~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\ARCHIV~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\ARCHIV~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Archivos de programa\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Archivos de programa\Archivos comunes\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Archivos de programa\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Archivos de programa\Archivos comunes\Macromedia Shared\Service\Macromedia Licensing.exe

over to you
thanks

[aloholoh]

Panada scan

Incident Status Location

Adware:adware/securityerror Not disinfected c:\windows\system32\ot.ico
Adware:adware/swimsuitnetwork Not disinfected c:\windows\system32\MYDLL.dll
Adware:adware/qoologic Not disinfected c:\windows\downloaded program files\installer.exe
Hacktool:rootkit/zaqt.a Not disinfected hkey_local_machine\system\currentcontrolset\services\DP1112
Virus:Exploit/iFrame Disinfected C:\Documents and Settings\user\Datos de programa\Thunderbird\Profiles\3msgwrnn.default\Mail\Local Folders\Inbox[~0000092.~]
Virus:W32/Netsky.P.worm Disinfected C:\Documents and Settings\user\Datos de programa\Thunderbird\Profiles\3msgwrnn.default\Mail\Local Folders\Inbox[message.scr]
Virus:W32/Netsky.P.worm Disinfected C:\Documents and Settings\user\Datos de programa\Thunderbird\Profiles\3msgwrnn.default\Mail\Local Folders\Inbox[document.txt .exe]
Virus:W32/Netsky.P.worm Disinfected C:\Documents and Settings\user\Datos de programa\Thunderbird\Profiles\3msgwrnn.default\Mail\Local Folders\Inbox[letter43.pif]
Virus:Exploit/iFrame Disinfected C:\Documents and Settings\user\Datos de programa\Thunderbird\Profiles\3msgwrnn.default\Mail\Local Folders\Inbox[~0000194.~]
Virus:W32/Netsky.P.worm Disinfected C:\Documents and Settings\user\Datos de programa\Thunderbird\Profiles\3msgwrnn.default\Mail\Local Folders\Inbox[message.scr]
Virus:W32/Netsky.P.worm Disinfected C:\Documents and Settings\user\Datos de programa\Thunderbird\Profiles\3msgwrnn.default\Mail\Local Folders\Inbox[data.pif]
Virus:Exploit/iFrame Disinfected C:\Documents and Settings\user\Datos de programa\Thunderbird\Profiles\3msgwrnn.default\Mail\Local Folders\Inbox[~0000226.~]
Virus:W32/Netsky.P.worm Disinfected C:\Documents and Settings\user\Datos de programa\Thunderbird\Profiles\3msgwrnn.default\Mail\Local Folders\Inbox[message.scr]
Virus:W32/Netsky.P.worm Disinfected C:\Documents and Settings\user\Datos de programa\Thunderbird\Profiles\3msgwrnn.default\Mail\Local Folders\Inbox[datfiles.pif]
Virus:W32/Netsky.P.worm Disinfected C:\Documents and Settings\user\Datos de programa\Thunderbird\Profiles\3msgwrnn.default\Mail\Local Folders\Inbox[document.zip][document.txt .exe]
Virus:Exploit/iFrame Disinfected C:\Documents and Settings\user\Datos de programa\Thunderbird\Profiles\3msgwrnn.default\Mail\Local Folders\Inbox[~0000256.~]
Virus:W32/Netsky.P.worm Disinfected C:\Documents and Settings\user\Datos de programa\Thunderbird\Profiles\3msgwrnn.default\Mail\Local Folders\Inbox[message.scr]
Virus:W32/Netsky.P.worm Disinfected C:\Documents and Settings\user\Datos de programa\Thunderbird\Profiles\3msgwrnn.default\Mail\Local Folders\Inbox[document.zip][document.txt .exe]
Virus:Exploit/iFrame Disinfected C:\Documents and Settings\user\Datos de programa\Thunderbird\Profiles\3msgwrnn.default\Mail\Local Folders\Inbox[~0000283.~]
Virus:W32/Netsky.P.worm Disinfected C:\Documents and Settings\user\Datos de programa\Thunderbird\Profiles\3msgwrnn.default\Mail\Local Folders\Inbox[message.scr]
Virus:W32/Netsky.P.worm Disinfected C:\Documents and Settings\user\Datos de programa\Thunderbird\Profiles\3msgwrnn.default\Mail\Local Folders\Inbox[game.txt.scr]
Virus:Exploit/iFrame Disinfected C:\Documents and Settings\user\Datos de programa\Thunderbird\Profiles\3msgwrnn.default\Mail\Local Folders\Inbox[~0000340.~]
Virus:W32/Netsky.P.worm Disinfected C:\Documents and Settings\user\Datos de programa\Thunderbird\Profiles\3msgwrnn.default\Mail\Local Folders\Inbox[message.scr]
Virus:W32/Netsky.P.worm Disinfected C:\Documents and Settings\user\Datos de programa\Thunderbird\Profiles\3msgwrnn.default\Mail\Local Folders\Inbox[pwd02.zip][data.rtf .scr]
Virus:Exploit/iFrame Disinfected C:\Documents and Settings\user\Datos de programa\Thunderbird\Profiles\3msgwrnn.default\Mail\Local Folders\Inbox[~0000395.~]
Virus:W32/Netsky.P.worm Disinfected C:\Documents and Settings\user\Datos de programa\Thunderbird\Profiles\3msgwrnn.default\Mail\Local Folders\Inbox[message.scr]
Virus:Exploit/iFrame Disinfected C:\Documents and Settings\user\Datos de programa\Thunderbird\Profiles\3msgwrnn.default\Mail\Local Folders\Inbox[~0000436.~]
Virus:Exploit/iFrame Disinfected C:\Documents and Settings\user\Datos de programa\Thunderbird\Profiles\3msgwrnn.default\Mail\Local Folders\Inbox[~0000467.~]
Virus:Exploit/iFrame Disinfected C:\Documents and Settings\user\Datos de programa\Thunderbird\Profiles\3msgwrnn.default\Mail\Local Folders\Inbox[~0000545.~]
Virus:Exploit/iFrame Disinfected C:\Documents and Settings\user\Datos de programa\Thunderbird\Profiles\3msgwrnn.default\Mail\Local Folders\Inbox[~0000551.~]
Virus:Exploit/iFrame Disinfected C:\Documents and Settings\user\Datos de programa\Thunderbird\Profiles\3msgwrnn.default\Mail\Local Folders\Inbox[~0000584.~]
Virus:Exploit/iFrame Disinfected C:\Documents and Settings\user\Datos de programa\Thunderbird\Profiles\3msgwrnn.default\Mail\Local Folders\Inbox[~0000600.~]
Virus:Exploit/iFrame Disinfected C:\Documents and Settings\user\Datos de programa\Thunderbird\Profiles\3msgwrnn.default\Mail\Local Folders\Inbox[~0000610.~]
Virus:Exploit/iFrame Disinfected C:\Documents and Settings\user\Datos de programa\Thunderbird\Profiles\3msgwrnn.default\Mail\Local Folders\Inbox[~0000619.~]
Virus:Exploit/iFrame Disinfected C:\Documents and Settings\user\Datos de programa\Thunderbird\Profiles\3msgwrnn.default\Mail\Local Folders\Inbox[~0000621.~][~0000009.~]
Virus:Exploit/iFrame Disinfected C:\Documents and Settings\user\Datos de programa\Thunderbird\Profiles\3msgwrnn.default\Mail\Local Folders\Inbox[~0000621.~][~0000015.~]
Virus:Exploit/iFrame Disinfected C:\Documents and Settings\user\Datos de programa\Thunderbird\Profiles\3msgwrnn.default\Mail\Local Folders\Inbox[~0000621.~][~0000024.~]
Virus:Exploit/iFrame Disinfected C:\Documents and Settings\user\Datos de programa\Thunderbird\Profiles\3msgwrnn.default\Mail\Local Folders\Inbox[~0000637.~]
Virus:Exploit/iFrame Disinfected C:\Documents and Settings\user\Datos de programa\Thunderbird\Profiles\3msgwrnn.default\Mail\Local Folders\Inbox[~0000651.~][~0000006.~]
Virus:Exploit/iFrame Disinfected C:\Documents and Settings\user\Datos de programa\Thunderbird\Profiles\3msgwrnn.default\Mail\Local Folders\Inbox[~0000674.~]
Virus:Exploit/iFrame Disinfected C:\Documents and Settings\user\Datos de programa\Thunderbird\Profiles\3msgwrnn.default\Mail\Local Folders\Inbox[~0000710.~]
Virus:Exploit/iFrame Disinfected C:\Documents and Settings\user\Datos de programa\Thunderbird\Profiles\3msgwrnn.default\Mail\Local Folders\Inbox[~0000715.~][~0000006.~]
Virus:Exploit/iFrame Disinfected C:\Documents and Settings\user\Datos de programa\Thunderbird\Profiles\3msgwrnn.default\Mail\Local Folders\Inbox[~0000734.~]
Virus:Exploit/iFrame Disinfected C:\Documents and Settings\user\Datos de programa\Thunderbird\Profiles\3msgwrnn.default\Mail\Local Folders\Inbox[~0000748.~]
Virus:Exploit/iFrame Disinfected C:\Documents and Settings\user\Datos de programa\Thunderbird\Profiles\3msgwrnn.default\Mail\Local Folders\Inbox[~0000766.~]
Virus:W32/Netsky.P.worm Disinfected C:\Documents and Settings\user\Datos de programa\Thunderbird\Profiles\3msgwrnn.default\Mail\Local Folders\Inbox[part6.pif]
Virus:Exploit/iFrame Disinfected C:\Documents and Settings\user\Datos de programa\Thunderbird\Profiles\3msgwrnn.default\Mail\Local Folders\Inbox[~0000816.~]
Virus:W32/Netsky.P.worm Disinfected C:\Documents and Settings\user\Datos de programa\Thunderbird\Profiles\3msgwrnn.default\Mail\Local Folders\Inbox[message.scr]
Virus:W32/Netsky.P.worm Disinfected C:\Documents and Settings\user\Datos de programa\Thunderbird\Profiles\3msgwrnn.default\Mail\Local Folders\Inbox[document_nathan.txt .scr]
Virus:Exploit/iFrame Disinfected C:\Documents and Settings\user\Datos de programa\Thunderbird\Profiles\3msgwrnn.default\Mail\Local Folders\Inbox[~0000833.~]
Virus:W32/Netsky.P.worm Disinfected C:\Documents and Settings\user\Datos de programa\Thunderbird\Profiles\3msgwrnn.default\Mail\Local Folders\Inbox[message.scr]
Virus:Exploit/iFrame Disinfected C:\Documents and Settings\user\Datos de programa\Thunderbird\Profiles\3msgwrnn.default\Mail\Local Folders\Inbox[~0000839.~]
Virus:W32/Netsky.P.worm Disinfected C:\Documents and Settings\user\Datos de programa\Thunderbird\Profiles\3msgwrnn.default\Mail\Local Folders\Inbox[message.scr]
Virus:W32/Netsky.P.worm Disinfected C:\Documents and Settings\user\Datos de programa\Thunderbird\Profiles\3msgwrnn.default\Mail\Local Folders\Inbox[document43.pif]
Virus:W32/Netsky.P.worm Disinfected C:\Documents and Settings\user\Datos de programa\Thunderbird\Profiles\3msgwrnn.default\Mail\Local Folders\Inbox[readme.txt .pif]
Virus:W32/Netsky.P.worm Disinfected C:\Documents and Settings\user\Datos de programa\Thunderbird\Profiles\3msgwrnn.default\Mail\Local Folders\Inbox[message.scr]
Virus:W32/Netsky.P.worm Disinfected C:\Documents and Settings\user\Datos de programa\Thunderbird\Profiles\3msgwrnn.default\Mail\Local Folders\Inbox[msg_nathan.pif]
Virus:Exploit/iFrame Disinfected C:\Documents and Settings\user\Datos de programa\Thunderbird\Profiles\3msgwrnn.default\Mail\Local Folders\Inbox[~0000869.~][~0000005.~]
Virus:W32/Netsky.P.worm Disinfected C:\Documents and Settings\user\Datos de programa\Thunderbird\Profiles\3msgwrnn.default\Mail\Local Folders\Inbox[~0000869.~][message.scr]
Virus:W32/Netsky.P.worm Disinfected C:\Documents and Settings\user\Datos de programa\Thunderbird\Profiles\3msgwrnn.default\Mail\Local Folders\Inbox[~0000869.~][document_nathan.txt .scr]
Virus:W32/Netsky.P.worm Disinfected C:\Documents and Settings\user\Datos de programa\Thunderbird\Profiles\3msgwrnn.default\Mail\Local Folders\Inbox[~0000869.~][message.scr]
Virus:W32/Netsky.P.worm Disinfected C:\Documents and Settings\user\Datos de programa\Thunderbird\Profiles\3msgwrnn.default\Mail\Local Folders\Inbox[~0000869.~][document43.pif]
Virus:W32/Netsky.P.worm Disinfected C:\Documents and Settings\user\Datos de programa\Thunderbird\Profiles\3msgwrnn.default\Mail\Local Folders\Inbox[~0000869.~][readme.txt .pif]
Virus:Exploit/iFrame Disinfected C:\Documents and Settings\user\Datos de programa\Thunderbird\Profiles\3msgwrnn.default\Mail\Local Folders\Inbox[~0000869.~][~0000026.~]
Virus:W32/Netsky.P.worm Disinfected C:\Documents and Settings\user\Datos de programa\Thunderbird\Profiles\3msgwrnn.default\Mail\Local Folders\Inbox[~0000869.~][message.scr]
Virus:W32/Netsky.P.worm Disinfected C:\Documents and Settings\user\Datos de programa\Thunderbird\Profiles\3msgwrnn.default\Mail\Local Folders\Inbox[~0000869.~][msg_nathan.pif]
Virus:W32/Netsky.P.worm Disinfected C:\Documents and Settings\user\Datos de programa\Thunderbird\Profiles\3msgwrnn.default\Mail\Local Folders\Inbox[details_nathan.pif]
Virus:Exploit/iFrame Disinfected C:\Documents and Settings\user\Datos de programa\Thunderbird\Profiles\3msgwrnn.default\Mail\Local Folders\Inbox[~0000887.~]
Virus:W32/Netsky.P.worm Disinfected C:\Documents and Settings\user\Datos de programa\Thunderbird\Profiles\3msgwrnn.default\Mail\Local Folders\Inbox[message.scr]
Virus:W32/Netsky.P.worm Disinfected C:\Documents and Settings\user\Datos de programa\Thunderbird\Profiles\3msgwrnn.default\Mail\Local Folders\Inbox[document.zip][data.rtf .scr]
Virus:W32/Netsky.P.worm Disinfected C:\Documents and Settings\user\Datos de programa\Thunderbird\Profiles\3msgwrnn.default\Mail\Local Folders\Inbox[data.zip][document.txt .exe]
Virus:Exploit/iFrame Disinfected C:\Documents and Settings\user\Datos de programa\Thunderbird\Profiles\3msgwrnn.default\Mail\Local Folders\Inbox[~0000917.~]
Virus:W32/Netsky.P.worm Disinfected C:\Documents and Settings\user\Datos de programa\Thunderbird\Profiles\3msgwrnn.default\Mail\Local Folders\Inbox[message.scr]
Virus:W32/Netsky.P.worm Disinfected C:\Documents and Settings\user\Datos de programa\Thunderbird\Profiles\3msgwrnn.default\Mail\Local Folders\Inbox[datfiles.doc .pif]
Virus:Exploit/iFrame Disinfected C:\Documents and Settings\user\Datos de programa\Thunderbird\Profiles\3msgwrnn.default\Mail\Local Folders\Inbox[~0000961.~]
Virus:W32/Netsky.P.worm Disinfected C:\Documents and Settings\user\Datos de programa\Thunderbird\Profiles\3msgwrnn.default\Mail\Local Folders\Inbox[message.scr]
Virus:Exploit/iFrame Disinfected C:\Documents and Settings\user\Datos de programa\Thunderbird\Profiles\3msgwrnn.default\Mail\Local Folders\Inbox[~0000977.~]
Virus:W32/Netsky.P.worm Disinfected C:\Documents and Settings\user\Datos de programa\Thunderbird\Profiles\3msgwrnn.default\Mail\Local Folders\Inbox[message.scr]
Virus:Exploit/iFrame Disinfected C:\Documents and Settings\user\Datos de programa\Thunderbird\Profiles\3msgwrnn.default\Mail\Local Folders\Inbox[~0000981.~]
Virus:W32/Netsky.P.worm Disinfected C:\Documents and Settings\user\Datos de programa\Thunderbird\Profiles\3msgwrnn.default\Mail\Local Folders\Inbox[message.scr]
Virus:W32/Netsky.P.worm Disinfected C:\Documents and Settings\user\Datos de programa\Thunderbird\Profiles\3msgwrnn.default\Mail\Local Folders\Inbox[document05.zip][document.txt .exe]
Virus:Exploit/iFrame Disinfected C:\Documents and Settings\user\Datos de programa\Thunderbird\Profiles\3msgwrnn.default\Mail\Local Folders\Inbox[~0000996.~]
Virus:W32/Netsky.P.worm Disinfected C:\Documents and Settings\user\Datos de programa\Thunderbird\Profiles\3msgwrnn.default\Mail\Local Folders\Inbox[message.scr]
Virus:W32/Netsky.P.worm Disinfected C:\Documents and Settings\user\Datos de programa\Thunderbird\Profiles\3msgwrnn.default\Mail\Local Folders\Inbox[id43342.txt.pif]
Virus:W32/Netsky.P.worm Disinfected C:\Documents and Settings\user\Datos de programa\Thunderbird\Profiles\3msgwrnn.default\Mail\Local Folders\Inbox[message.zip][document.txt .exe]
Virus:Exploit/iFrame Disinfected C:\Documents and Settings\user\Datos de programa\Thunderbird\Profiles\3msgwrnn.default\Mail\Local Folders\Inbox[~0001009.~]
Virus:W32/Netsky.P.worm Disinfected C:\Documents and Settings\user\Datos de programa\Thunderbird\Profiles\3msgwrnn.default\Mail\Local Folders\Inbox[message.scr]
Virus:W32/Netsky.P.worm Disinfected C:\Documents and Settings\user\Datos de programa\Thunderbird\Profiles\3msgwrnn.default\Mail\Local Folders\Inbox[document_with_notice.zip][document.txt .exe]
Virus:Exploit/iFrame Disinfected C:\Documents and Settings\user\Datos de programa\Thunderbird\Profiles\3msgwrnn.default\Mail\Local Folders\Inbox[~0001081.~]
Virus:W32/Netsky.P.worm Disinfected C:\Documents and Settings\user\Datos de programa\Thunderbird\Profiles\3msgwrnn.default\Mail\Local Folders\Inbox[message.scr]
Virus:W32/Netsky.P.worm Disinfected C:\Documents and Settings\user\Datos de programa\Thunderbird\Profiles\3msgwrnn.default\Mail\Local Folders\Inbox[text01.doc.scr]
Virus:W32/Netsky.P.worm Disinfected C:\Documents and Settings\user\Datos de programa\Thunderbird\Profiles\3msgwrnn.default\Mail\Local Folders\Inbox[~0001088.~][word document.doc.pif]
Virus:W32/Netsky.P.worm Disinfected C:\Documents and Settings\user\Datos de programa\Thunderbird\Profiles\3msgwrnn.default\Mail\Local Folders\Inbox[postcard.pif]
Virus:Exploit/iFrame Disinfected C:\Documents and Settings\user\Datos de programa\Thunderbird\Profiles\3msgwrnn.default\Mail\Local Folders\Inbox[~0001100.~]
Virus:W32/Netsky.P.worm Disinfected C:\Documents and Settings\user\Datos de programa\Thunderbird\Profiles\3msgwrnn.default\Mail\Local Folders\Inbox[message.scr]
Virus:Exploit/iFrame Disinfected C:\Documents and Settings\user\Datos de programa\Thunderbird\Profiles\3msgwrnn.default\Mail\Local Folders\Inbox[~0001126.~]
Virus:W32/Netsky.P.worm Disinfected C:\Documents and Settings\user\Datos de programa\Thunderbird\Profiles\3msgwrnn.default\Mail\Local Folders\Inbox[message.scr]
Virus:W32/Netsky.P.worm Disinfected C:\Documents and Settings\user\Datos de programa\Thunderbird\Profiles\3msgwrnn.default\Mail\Local Folders\Inbox[data.zip][data.rtf .scr]
Virus:Exploit/iFrame Disinfected C:\Documents and Settings\user\Datos de programa\Thunderbird\Profiles\3msgwrnn.default\Mail\Local Folders\Inbox[~0001161.~]
Virus:W32/Netsky.P.worm Disinfected C:\Documents and Settings\user\Datos de programa\Thunderbird\Profiles\3msgwrnn.default\Mail\Local Folders\Inbox[message.scr]
Virus:W32/Netsky.P.worm Disinfected C:\Documents and Settings\user\Datos de programa\Thunderbird\Profiles\3msgwrnn.default\Mail\Local Folders\Inbox[website.zip][details.txt .pif]
Virus:W32/Netsky.P.worm Disinfected C:\Documents and Settings\user\Datos de programa\Thunderbird\Profiles\3msgwrnn.default\Mail\Local Folders\Inbox[all_in_all.txt.scr]
Virus:Exploit/iFrame Disinfected C:\Documents and Settings\user\Datos de programa\Thunderbird\Profiles\3msgwrnn.default\Mail\Local Folders\Inbox[~0001201.~]
Virus:W32/Netsky.P.worm Disinfected C:\Documents and Settings\user\Datos de programa\Thunderbird\Profiles\3msgwrnn.default\Mail\Local Folders\Inbox[message.scr]
Virus:Exploit/iFrame Disinfected C:\Documents and Settings\user\Datos de programa\Thunderbird\Profiles\3msgwrnn.default\Mail\Local Folders\Inbox[~0001228.~]
Virus:W32/Netsky.P.worm Disinfected C:\Documents and Settings\user\Datos de programa\Thunderbird\Profiles\3msgwrnn.default\Mail\Local Folders\Inbox[message.scr]
Virus:W32/Netsky.P.worm Disinfected C:\Documents and Settings\user\Datos de programa\Thunderbird\Profiles\3msgwrnn.default\Mail\Local Folders\Inbox[details_nathan.txt.exe]
Virus:W32/Netsky.P.worm Disinfected C:\Documents and Settings\user\Datos de programa\Thunderbird\Profiles\3msgwrnn.default\Mail\Local Folders\Inbox[data.zip][data.rtf .scr]
Virus:Exploit/iFrame Disinfected C:\Documents and Settings\user\Datos de programa\Thunderbird\Profiles\3msgwrnn.default\Mail\Local Folders\Inbox[~0001248.~]
Virus:W32/Netsky.P.worm Disinfected C:\Documents and Settings\user\Datos de programa\Thunderbird\Profiles\3msgwrnn.default\Mail\Local Folders\Inbox[message.scr]
Virus:Exploit/iFrame Disinfected C:\Documents and Settings\user\Datos de programa\Thunderbird\Profiles\3msgwrnn.default\Mail\Local Folders\Inbox[~0001252.~]
Virus:W32/Netsky.P.worm Disinfected C:\Documents and Settings\user\Datos de programa\Thunderbird\Profiles\3msgwrnn.default\Mail\Local Folders\Inbox[message.scr]
Virus:W32/Netsky.P.worm Disinfected C:\Documents and Settings\user\Datos de programa\Thunderbird\Profiles\3msgwrnn.default\Mail\Local Folders\Inbox[document342.pif]
Virus:Exploit/iFrame Disinfected C:\Documents and Settings\user\Datos de programa\Thunderbird\Profiles\3msgwrnn.default\Mail\Local Folders\Inbox[~0001257.~][~0000003.~]
Virus:W32/Netsky.P.worm Disinfected

[aloholoh]

C:\Documents and Settings\user\Datos de programa\Thunderbird\Profiles\3msgwrnn.default\Mail\Local Folders\Inbox[~0001257.~][message.scr]
Virus:W32/Netsky.P.worm Disinfected C:\Documents and Settings\user\Datos de programa\Thunderbird\Profiles\3msgwrnn.default\Mail\Local Folders\Inbox[document07.zip][document.txt .exe]
Virus:Exploit/iFrame Disinfected C:\Documents and Settings\user\Datos de programa\Thunderbird\Profiles\3msgwrnn.default\Mail\Local Folders\Inbox[~0001286.~]
Virus:W32/Netsky.P.worm Disinfected C:\Documents and Settings\user\Datos de programa\Thunderbird\Profiles\3msgwrnn.default\Mail\Local Folders\Inbox[message.scr]
Virus:W32/Netsky.P.worm Disinfected C:\Documents and Settings\user\Datos de programa\Thunderbird\Profiles\3msgwrnn.default\Mail\Local Folders\Inbox[details.zip][details.txt .pif]
Virus:Exploit/iFrame Disinfected C:\Documents and Settings\user\Datos de programa\Thunderbird\Profiles\3msgwrnn.default\Mail\Local Folders\Inbox[~0001344.~]
Virus:W32/Netsky.P.worm Disinfected C:\Documents and Settings\user\Datos de programa\Thunderbird\Profiles\3msgwrnn.default\Mail\Local Folders\Inbox[message.scr]
Virus:W32/Netsky.P.worm Disinfected C:\Documents and Settings\user\Datos de programa\Thunderbird\Profiles\3msgwrnn.default\Mail\Local Folders\Inbox[priv.txt .pif]
Virus:W32/Netsky.P.worm Disinfected C:\Documents and Settings\user\Datos de programa\Thunderbird\Profiles\3msgwrnn.default\Mail\Local Folders\Inbox[document.zip][details.txt .pif]
Virus:Exploit/iFrame Disinfected C:\Documents and Settings\user\Datos de programa\Thunderbird\Profiles\3msgwrnn.default\Mail\Local Folders\Inbox[~0001368.~]
Virus:W32/Netsky.P.worm Disinfected C:\Documents and Settings\user\Datos de programa\Thunderbird\Profiles\3msgwrnn.default\Mail\Local Folders\Inbox[message.scr]
Virus:W32/Netsky.P.worm Disinfected C:\Documents and Settings\user\Datos de programa\Thunderbird\Profiles\3msgwrnn.default\Mail\Local Folders\Inbox[file.zip][data.rtf .scr]
Virus:Exploit/iFrame Disinfected C:\Documents and Settings\user\Datos de programa\Thunderbird\Profiles\3msgwrnn.default\Mail\Local Folders\Inbox[~0001421.~]
Virus:W32/Netsky.P.worm Disinfected C:\Documents and Settings\user\Datos de programa\Thunderbird\Profiles\3msgwrnn.default\Mail\Local Folders\Inbox[message.scr]
Virus:W32/Netsky.P.worm Disinfected C:\Documents and Settings\user\Datos de programa\Thunderbird\Profiles\3msgwrnn.default\Mail\Local Folders\Inbox[detail3.pif]
Virus:Exploit/iFrame Disinfected C:\Documents and Settings\user\Datos de programa\Thunderbird\Profiles\3msgwrnn.default\Mail\Local Folders\Inbox[~0001451.~]
Virus:W32/Netsky.P.worm Disinfected C:\Documents and Settings\user\Datos de programa\Thunderbird\Profiles\3msgwrnn.default\Mail\Local Folders\Inbox[message.scr]
Virus:W32/Netsky.P.worm Disinfected C:\Documents and Settings\user\Datos de programa\Thunderbird\Profiles\3msgwrnn.default\Mail\Local Folders\Inbox[msg_nathan.zip][details.txt .pif]
Virus:Exploit/iFrame Disinfected C:\Documents and Settings\user\Datos de programa\Thunderbird\Profiles\3msgwrnn.default\Mail\Local Folders\Inbox[~0001468.~]
Virus:W32/Netsky.P.worm Disinfected C:\Documents and Settings\user\Datos de programa\Thunderbird\Profiles\3msgwrnn.default\Mail\Local Folders\Inbox[message.scr]
Virus:W32/Netsky.P.worm Disinfected C:\Documents and Settings\user\Datos de programa\Thunderbird\Profiles\3msgwrnn.default\Mail\Local Folders\Inbox[all_in_all.zip][document.txt .exe]
Virus:Exploit/iFrame Disinfected C:\Documents and Settings\user\Datos de programa\Thunderbird\Profiles\3msgwrnn.default\Mail\Local Folders\Inbox[~0001496.~]
Virus:W32/Netsky.P.worm Disinfected C:\Documents and Settings\user\Datos de programa\Thunderbird\Profiles\3msgwrnn.default\Mail\Local Folders\Inbox[message.scr]
Virus:W32/Netsky.P.worm Disinfected C:\Documents and Settings\user\Datos de programa\Thunderbird\Profiles\3msgwrnn.default\Mail\Local Folders\Inbox[bill.pif]
Virus:Exploit/iFrame Disinfected C:\Documents and Settings\user\Datos de programa\Thunderbird\Profiles\3msgwrnn.default\Mail\Local Folders\Inbox[~0001531.~]
Virus:W32/Netsky.P.worm Disinfected C:\Documents and Settings\user\Datos de programa\Thunderbird\Profiles\3msgwrnn.default\Mail\Local Folders\Inbox[message.scr]
Virus:Exploit/iFrame Disinfected C:\Documents and Settings\user\Datos de programa\Thunderbird\Profiles\3msgwrnn.default\Mail\Local Folders\Inbox[~0001581.~]
Virus:W32/Netsky.P.worm Disinfected C:\Documents and Settings\user\Datos de programa\Thunderbird\Profiles\3msgwrnn.default\Mail\Local Folders\Inbox[message.scr]
Virus:W32/Netsky.P.worm Disinfected C:\Documents and Settings\user\Datos de programa\Thunderbird\Profiles\3msgwrnn.default\Mail\Local Folders\Inbox[readme_nathan.txt .exe]
Virus:W32/Netsky.P.worm Disinfected C:\Documents and Settings\user\Datos de programa\Thunderbird\Profiles\3msgwrnn.default\Mail\Local Folders\Inbox[document_with_notice.pif]
Virus:Exploit/iFrame Disinfected C:\Documents and Settings\user\Datos de programa\Thunderbird\Profiles\3msgwrnn.default\Mail\Local Folders\Inbox[~0001638.~]
Virus:W32/Netsky.P.worm Disinfected C:\Documents and Settings\user\Datos de programa\Thunderbird\Profiles\3msgwrnn.default\Mail\Local Folders\Inbox[message.scr]
Virus:Exploit/iFrame Disinfected C:\Documents and Settings\user\Datos de programa\Thunderbird\Profiles\3msgwrnn.default\Mail\Local Folders\Inbox[~0001645.~]
Virus:W32/Netsky.P.worm Disinfected C:\Documents and Settings\user\Datos de programa\Thunderbird\Profiles\3msgwrnn.default\Mail\Local Folders\Inbox[message.scr]
Virus:Exploit/iFrame Disinfected C:\Documents and Settings\user\Datos de programa\Thunderbird\Profiles\3msgwrnn.default\Mail\Local Folders\Inbox[~0001678.~]
Virus:W32/Netsky.P.worm Disinfected C:\Documents and Settings\user\Datos de programa\Thunderbird\Profiles\3msgwrnn.default\Mail\Local Folders\Inbox[message.scr]
Virus:W32/Netsky.P.worm Disinfected C:\Documents and Settings\user\Datos de programa\Thunderbird\Profiles\3msgwrnn.default\Mail\Local Folders\Inbox[data.zip][document.txt .exe]
Virus:Exploit/iFrame Disinfected C:\Documents and Settings\user\Datos de programa\Thunderbird\Profiles\3msgwrnn.default\Mail\Local Folders\Inbox[~0001687.~]
Virus:W32/Netsky.P.worm Disinfected C:\Documents and Settings\user\Datos de programa\Thunderbird\Profiles\3msgwrnn.default\Mail\Local Folders\Inbox[message.scr]
Virus:W32/Netsky.P.worm Disinfected C:\Documents and Settings\user\Datos de programa\Thunderbird\Profiles\3msgwrnn.default\Mail\Local Folders\Inbox[doc_word3.doc .exe]
Virus:Exploit/iFrame Disinfected C:\Documents and Settings\user\Datos de programa\Thunderbird\Profiles\3msgwrnn.default\Mail\Local Folders\Inbox[~0001739.~]
Virus:W32/Netsky.P.worm Disinfected C:\Documents and Settings\user\Datos de programa\Thunderbird\Profiles\3msgwrnn.default\Mail\Local Folders\Inbox[message.scr]
Virus:Exploit/iFrame Disinfected C:\Documents and Settings\user\Datos de programa\Thunderbird\Profiles\3msgwrnn.default\Mail\Local Folders\Inbox[~0001777.~]
Virus:W32/Netsky.P.worm Disinfected C:\Documents and Settings\user\Datos de programa\Thunderbird\Profiles\3msgwrnn.default\Mail\Local Folders\Inbox[message.scr]
Virus:W32/Netsky.P.worm Disinfected C:\Documents and Settings\user\Datos de programa\Thunderbird\Profiles\3msgwrnn.default\Mail\Local Folders\Inbox[readme.pif]
Virus:Exploit/iFrame Disinfected C:\Documents and Settings\user\Datos de programa\Thunderbird\Profiles\3msgwrnn.default\Mail\Local Folders\Inbox[~0001816.~]
Virus:W32/Netsky.P.worm Disinfected C:\Documents and Settings\user\Datos de programa\Thunderbird\Profiles\3msgwrnn.default\Mail\Local Folders\Inbox[message.scr]
Virus:W32/Netsky.P.worm Disinfected C:\Documents and Settings\user\Datos de programa\Thunderbird\Profiles\3msgwrnn.default\Mail\Local Folders\Inbox[details05.zip][document.txt .exe]
Virus:Exploit/iFrame Disinfected C:\Documents and Settings\user\Datos de programa\Thunderbird\Profiles\3msgwrnn.default\Mail\Local Folders\Inbox[~0001833.~]
Virus:W32/Netsky.P.worm Disinfected C:\Documents and Settings\user\Datos de programa\Thunderbird\Profiles\3msgwrnn.default\Mail\Local Folders\Inbox[message.scr]
Virus:W32/Netsky.AB.worm Disinfected C:\Documents and Settings\user\Datos de programa\Thunderbird\Profiles\3msgwrnn.default\Mail\pop3.maxnet.co.nz\Inbox[hurts.pif]
Virus:Exploit/iFrame Disinfected C:\Documents and Settings\user\Datos de programa\Thunderbird\Profiles\3msgwrnn.default\Mail\pop3.maxnet.co.nz\Junk[~0000017.~]
Virus:W32/Netsky.P.worm Disinfected C:\Documents and Settings\user\Datos de programa\Thunderbird\Profiles\3msgwrnn.default\Mail\pop3.maxnet.co.nz\Junk[message.scr]
Virus:Exploit/iFrame Disinfected C:\Documents and Settings\user\Datos de programa\Thunderbird\Profiles\3msgwrnn.default\Mail\pop3.maxnet.co.nz\Junk[~0000021.~]
Virus:W32/Netsky.P.worm Disinfected C:\Documents and Settings\user\Datos de programa\Thunderbird\Profiles\3msgwrnn.default\Mail\pop3.maxnet.co.nz\Junk[message.scr]
Virus:W32/Netsky.P.worm Disinfected C:\Documents and Settings\user\Datos de programa\Thunderbird\Profiles\3msgwrnn.default\Mail\pop3.maxnet.co.nz\Junk[document05.zip][document.txt .exe]
Virus:Exploit/iFrame Disinfected C:\Documents and Settings\user\Datos de programa\Thunderbird\Profiles\3msgwrnn.default\Mail\pop3.maxnet.co.nz\Junk[~0000035.~]
Virus:W32/Netsky.P.worm Disinfected C:\Documents and Settings\user\Datos de programa\Thunderbird\Profiles\3msgwrnn.default\Mail\pop3.maxnet.co.nz\Junk[message.scr]
Virus:W32/Netsky.P.worm Disinfected C:\Documents and Settings\user\Datos de programa\Thunderbird\Profiles\3msgwrnn.default\Mail\pop3.maxnet.co.nz\Junk[id43342.txt.pif]
Virus:W32/Netsky.P.worm Disinfected C:\Documents and Settings\user\Datos de programa\Thunderbird\Profiles\3msgwrnn.default\Mail\pop3.maxnet.co.nz\Junk[message.zip][document.txt .exe]
Virus:Exploit/iFrame Disinfected C:\Documents and Settings\user\Datos de programa\Thunderbird\Profiles\3msgwrnn.default\Mail\pop3.maxnet.co.nz\Junk[~0000043.~]
Virus:W32/Netsky.P.worm Disinfected C:\Documents and Settings\user\Datos de programa\Thunderbird\Profiles\3msgwrnn.default\Mail\pop3.maxnet.co.nz\Junk[message.scr]
Virus:W32/Netsky.P.worm Disinfected C:\Documents and Settings\user\Datos de programa\Thunderbird\Profiles\3msgwrnn.default\Mail\pop3.maxnet.co.nz\Junk[document_with_notice.zip][document.txt .exe]
Virus:Exploit/iFrame Disinfected C:\Documents and Settings\user\Datos de programa\Thunderbird\Profiles\3msgwrnn.default\Mail\pop3.maxnet.co.nz\Junk[~0000052.~]
Virus:W32/Netsky.P.worm Disinfected C:\Documents and Settings\user\Datos de programa\Thunderbird\Profiles\3msgwrnn.default\Mail\pop3.maxnet.co.nz\Junk[message.scr]
Virus:W32/Netsky.P.worm Disinfected C:\Documents and Settings\user\Datos de programa\Thunderbird\Profiles\3msgwrnn.default\Mail\pop3.maxnet.co.nz\Junk[text01.doc.scr]
Virus:Exploit/iFrame Disinfected C:\Documents and Settings\user\Datos de programa\Thunderbird\Profiles\3msgwrnn.default\Mail\pop3.maxnet.co.nz\Junk[~0000058.~]
Virus:W32/Netsky.P.worm Disinfected C:\Documents and Settings\user\Datos de programa\Thunderbird\Profiles\3msgwrnn.default\Mail\pop3.maxnet.co.nz\Junk[message.scr]
Virus:Exploit/iFrame Disinfected C:\Documents and Settings\user\Datos de programa\Thunderbird\Profiles\3msgwrnn.default\Mail\pop3.maxnet.co.nz\Junk[~0000064.~]
Virus:W32/Netsky.P.worm Disinfected C:\Documents and Settings\user\Datos de programa\Thunderbird\Profiles\3msgwrnn.default\Mail\pop3.maxnet.co.nz\Junk[message.scr]
Virus:W32/Netsky.P.worm Disinfected C:\Documents and Settings\user\Datos de programa\Thunderbird\Profiles\3msgwrnn.default\Mail\pop3.maxnet.co.nz\Junk[data.zip][data.rtf .scr]
Virus:Exploit/iFrame Disinfected C:\Documents and Settings\user\Datos de programa\Thunderbird\Profiles\3msgwrnn.default\Mail\pop3.maxnet.co.nz\Junk[~0000072.~]
Virus:W32/Netsky.P.worm Disinfected C:\Documents and Settings\user\Datos de programa\Thunderbird\Profiles\3msgwrnn.default\Mail\pop3.maxnet.co.nz\Junk[message.scr]
Virus:Exploit/iFrame Disinfected C:\Documents and Settings\user\Datos de programa\Thunderbird\Profiles\3msgwrnn.default\Mail\pop3.maxnet.co.nz\Junk[~0000078.~]
Virus:W32/Netsky.P.worm Disinfected C:\Documents and Settings\user\Datos de programa\Thunderbird\Profiles\3msgwrnn.default\Mail\pop3.maxnet.co.nz\Junk[message.scr]
Virus:Exploit/iFrame Disinfected C:\Documents and Settings\user\Datos de programa\Thunderbird\Profiles\3msgwrnn.default\Mail\pop3.maxnet.co.nz\Junk[~0000082.~]
Virus:W32/Netsky.P.worm Disinfected C:\Documents and Settings\user\Datos de programa\Thunderbird\Profiles\3msgwrnn.default\Mail\pop3.maxnet.co.nz\Junk[message.scr]
Virus:W32/Netsky.P.worm Disinfected C:\Documents and Settings\user\Datos de programa\Thunderbird\Profiles\3msgwrnn.default\Mail\pop3.maxnet.co.nz\Junk[details_nathan.txt.exe]
Virus:W32/Netsky.P.worm Disinfected C:\Documents and Settings\user\Datos de programa\Thunderbird\Profiles\3msgwrnn.default\Mail\pop3.maxnet.co.nz\Junk[data.zip][data.rtf .scr]
Virus:Exploit/iFrame Disinfected C:\Documents and Settings\user\Datos de programa\Thunderbird\Profiles\3msgwrnn.default\Mail\pop3.maxnet.co.nz\Junk[~0000090.~]
Virus:W32/Netsky.P.worm Disinfected C:\Documents and Settings\user\Datos de programa\Thunderbird\Profiles\3msgwrnn.default\Mail\pop3.maxnet.co.nz\Junk[message.scr]
Virus:Exploit/iFrame Disinfected C:\Documents and Settings\user\Datos de programa\Thunderbird\Profiles\3msgwrnn.default\Mail\pop3.maxnet.co.nz\Junk[~0000094.~]
Virus:W32/Netsky.P.worm Disinfected C:\Documents and Settings\user\Datos de programa\Thunderbird\Profiles\3msgwrnn.default\Mail\pop3.maxnet.co.nz\Junk[message.scr]
Virus:W32/Netsky.P.worm Disinfected C:\Documents and Settings\user\Datos de programa\Thunderbird\Profiles\3msgwrnn.default\Mail\pop3.maxnet.co.nz\Junk[document342.pif]
Virus:Exploit/iFrame Disinfected C:\Documents and Settings\user\Datos de programa\Thunderbird\Profiles\3msgwrnn.default\Mail\pop3.maxnet.co.nz\Junk[~0000100.~]
Virus:W32/Netsky.P.worm Disinfected C:\Documents and Settings\user\Datos de programa\Thunderbird\Profiles\3msgwrnn.default\Mail\pop3.maxnet.co.nz\Junk[message.scr]
Virus:Exploit/iFrame Disinfected C:\Documents and Settings\user\Datos de programa\Thunderbird\Profiles\3msgwrnn.default\Mail\pop3.maxnet.co.nz\Junk[~0000109.~]
Virus:W32/Netsky.P.worm Disinfected C:\Documents and Settings\user\Datos de programa\Thunderbird\Profiles\3msgwrnn.default\Mail\pop3.maxnet.co.nz\Junk[message.scr]
Virus:W32/Netsky.P.worm Disinfected C:\Documents and Settings\user\Datos de programa\Thunderbird\Profiles\3msgwrnn.default\Mail\pop3.maxnet.co.nz\Junk[document.zip][details.txt .pif]
Virus:Exploit/iFrame Disinfected C:\Documents and Settings\user\Datos de programa\Thunderbird\Profiles\3msgwrnn.default\Mail\pop3.maxnet.co.nz\Junk[~0000116.~]
Virus:W32/Netsky.P.worm Disinfected C:\Documents and Settings\user\Datos de programa\Thunderbird\Profiles\3msgwrnn.default\Mail\pop3.maxnet.co.nz\Junk[message.scr]
Virus:W32/Netsky.P.worm Disinfected C:\Documents and Settings\user\Datos de programa\Thunderbird\Profiles\3msgwrnn.default\Mail\pop3.maxnet.co.nz\Junk[file.zip][data.rtf .scr]
Virus:Exploit/iFrame Disinfected C:\Documents and Settings\user\Datos de programa\Thunderbird\Profiles\3msgwrnn.default\Mail\pop3.maxnet.co.nz\Junk[~0000123.~]
Virus:W32/Netsky.P.worm Disinfected C:\Documents and Settings\user\Datos de programa\Thunderbird\Profiles\3msgwrnn.default\Mail\pop3.maxnet.co.nz\Junk[message.scr]
Virus:Exploit/iFrame Disinfected C:\Documents and Settings\user\Datos de programa\Thunderbird\Profiles\3msgwrnn.default\Mail\pop3.maxnet.co.nz\Junk[~0000128.~]
Virus:W32/Netsky.P.worm Disinfected C:\Documents and Settings\user\Datos de programa\Thunderbird\Profiles\3msgwrnn.default\Mail\pop3.maxnet.co.nz\Junk[message.scr]
Virus:W32/Netsky.P.worm Disinfected C:\Documents and Settings\user\Datos de programa\Thunderbird\Profiles\3msgwrnn.default\Mail\pop3.maxnet.co.nz\Junk[msg_nathan.zip][details.txt .pif]
Virus:Exploit/iFrame Disinfected C:\Documents and Settings\user\Datos de programa\Thunderbird\Profiles\3msgwrnn.default\Mail\pop3.maxnet.co.nz\Junk[~0000136.~]
Virus:W32/Netsky.P.worm Disinfected C:\Documents and Settings\user\Datos de programa\Thunderbird\Profiles\3msgwrnn.default\Mail\pop3.maxnet.co.nz\Junk[message.scr]
Virus:Exploit/iFrame Disinfected C:\Documents and Settings\user\Datos de programa\Thunderbird\Profiles\3msgwrnn.default\Mail\pop3.maxnet.co.nz\Junk[~0000142.~]
Virus:W32/Netsky.P.worm Disinfected C:\Documents and Settings\user\Datos de programa\Thunderbird\Profiles\3msgwrnn.default\Mail\pop3.maxnet.co.nz\Junk[message.scr]
Virus:W32/Netsky.P.worm Disinfected C:\Documents and Settings\user\Datos de programa\Thunderbird\Profiles\3msgwrnn.default\Mail\pop3.maxnet.co.nz\Junk[bill.pif]
Virus:Exploit/iFrame Disinfected C:\Documents and Settings\user\Datos de programa\Thunderbird\Profiles\3msgwrnn.default\Mail\pop3.maxnet.co.nz\Junk[~0000149.~]
Virus:W32/Netsky.P.worm Disinfected C:\Documents and Settings\user\Datos de programa\Thunderbird\Profiles\3msgwrnn.default\Mail\pop3.maxnet.co.nz\Junk[message.scr]
Virus:Exploit/iFrame Disinfected C:\Documents and Settings\user\Datos de programa\Thunderbird\Profiles\3msgwrnn.default\Mail\pop3.maxnet.co.nz\Junk[~0000154.~]
Virus:W32/Netsky.P.worm Disinfected C:\Documents and Settings\user\Datos de programa\Thunderbird\Profiles\3msgwrnn.default\Mail\pop3.maxnet.co.nz\Junk[message.scr]
Virus:W32/Netsky.P.worm Disinfected C:\Documents and Settings\user\Datos de programa\Thunderbird\Profiles\3msgwrnn.default\Mail\pop3.maxnet.co.nz\Junk[readme_nathan.txt .exe]
Virus:W32/Netsky.P.worm Disinfected C:\Documents and Settings\user\Datos de programa\Thunderbird\Profiles\3msgwrnn.default\Mail\pop3.maxnet.co.nz\Junk[document_with_notice.pif]
Virus:Exploit/iFrame Disinfected C:\Documents and Settings\user\Datos de programa\Thunderbird\Profiles\3msgwrnn.default\Mail\pop3.maxnet.co.nz\Junk[~0000163.~]
Virus:W32/Netsky.P.worm Disinfected C:\Documents and Settings\user\Datos de programa\Thunderbird\Profiles\3msgwrnn.default\Mail\pop3.maxnet.co.nz\Junk[message.scr]
Virus:Exploit/iFrame Disinfected C:\Documents and Settings\user\Datos de programa\Thunderbird\Profiles\3msgwrnn.default\Mail\pop3.maxnet.co.nz\Junk[~0000170.~]
Virus:W32/Netsky.P.worm Disinfected C:\Documents and Settings\user\Datos de programa\Thunderbird\Profiles\3msgwrnn.default\Mail\pop3.maxnet.co.nz\Junk[message.scr]
Virus:Exploit/iFrame Disinfected C:\Documents and Settings\user\Datos de programa\Thunderbird\Profiles\3msgwrnn.default\Mail\pop3.maxnet.co.nz\Junk[~0000177.~]
Virus:W32/Netsky.P.worm Disinfected C:\Documents and Settings\user\Datos de programa\Thunderbird\Profiles\3msgwrnn.default\Mail\pop3.maxnet.co.nz\Junk[message.scr]
Virus:W32/Netsky.P.worm Disinfected C:\Documents and Settings\user\Datos de programa\Thunderbird\Profiles\3msgwrnn.default\Mail\pop3.maxnet.co.nz\Junk[data.zip][document.txt .exe]
Virus:Exploit/iFrame Disinfected C:\Documents and Settings\user\Datos de programa\Thunderbird\Profiles\3msgwrnn.default\Mail\pop3.maxnet.co.nz\Junk[~0000183.~]
Virus:W32/Netsky.P.worm Disinfected C:\Documents and Settings\user\Datos de programa\Thunderbird\Profiles\3msgwrnn.default\Mail\pop3.maxnet.co.nz\Junk[message.scr]
Virus:Exploit/iFrame Disinfected C:\Documents and Settings\user\Datos de programa\Thunderbird\Profiles\3msgwrnn.default\Mail\pop3.maxnet.co.nz\Junk[~0000195.~]
Virus:W32/Netsky.P.worm Disinfected C:\Documents and Settings\user\Datos de programa\Thunderbird\Profiles\3msgwrnn.default\Mail\pop3.maxnet.co.nz\Junk[message.scr]
Virus:Exploit/iFrame Disinfected C:\Documents and Settings\user\Datos de programa\Thunderbird\Profiles\3msgwrnn.default\Mail\pop3.maxnet.co.nz\Junk[~0000199.~]
Virus:W32/Netsky.P.worm Disinfected C:\Documents and Settings\user\Datos de programa\Thunderbird\Profiles\3msgwrnn.default\Mail\pop3.maxnet.co.nz\Junk[message.scr]
Virus:W32/Netsky.P.worm Disinfected C:\Documents and Settings\user\Datos de programa\Thunderbird\Profiles\3msgwrnn.default\Mail\pop3.maxnet.co.nz\Junk[readme.pif]
Virus:Exploit/iFrame Disinfected C:\Documents and Settings\user\Datos de programa\Thunderbird\Profiles\3msgwrnn.default\Mail\pop3.maxnet.co.nz\Junk[~0000208.~]
Virus:W32/Netsky.P.worm Disinfected C:\Documents and Settings\user\Datos de programa\Thunderbird\Profiles\3msgwrnn.default\Mail\pop3.maxnet.co.nz\Junk[message.scr]
Virus:W32/Netsky.P.worm Disinfected C:\Documents and Settings\user\Datos de programa\Thunderbird\Profiles\3msgwrnn.default\Mail\pop3.maxnet.co.nz\Junk[details05.zip][document.txt .exe]
Virus:Exploit/iFrame Disinfected C:\Documents and Settings\user\Datos de programa\Thunderbird\Profiles\3msgwrnn.default\Mail\pop3.maxnet.co.nz\Junk[~0000215.~]
Virus:W32/Netsky.P.worm Disinfected C:\Documents and Settings\user\Datos de programa\Thunderbird\Profiles\3msgwrnn.default\Mail\pop3.maxnet.co.nz\Junk[message.scr]
Virus:Exploit/iFrame Disinfected C:\Documents and Settings\user\Datos de programa\Thunderbird\Profiles\3msgwrnn.default\Mail\pop3.maxnet.co.nz\Trash[~0000065.~]
Virus:W32/Netsky.P.worm Disinfected C:\Documents and Settings\user\Datos de programa\Thunderbird\Profiles\3msgwrnn.default\Mail\pop3.maxnet.co.nz\Trash[message.scr]
Virus:Exploit/iFrame Disinfected C:\Documents and Settings\user\Datos de programa\Thunderbird\Profiles\3msgwrnn.default\Mail\pop3.maxnet.co.nz\Trash[~0000174.~]
Virus:W32/Netsky.P.worm Disinfected C:\Documents and Settings\user\Datos de programa\Thunderbird\Profiles\3msgwrnn.default\Mail\pop3.maxnet.co.nz\Trash[message.scr]
Virus:W32/Netsky.P.worm Disinfected C:\Documents and Settings\user\Datos de programa\Thunderbird\Profiles\3msgwrnn.default\Mail\pop3.maxnet.co.nz\Trash[document.zip][details.txt .pif]
Virus:Exploit/iFrame Disinfected C:\Documents and Settings\user\Datos de programa\Thunderbird\Profiles\3msgwrnn.default\Mail\pop3.maxnet.co.nz\Trash[~0000206.~]
Virus:W32/Netsky.P.worm Disinfected C:\Documents and Settings\user\Datos de programa\Thunderbird\Profiles\3msgwrnn.default\Mail\pop3.maxnet.co.nz\Trash[message.scr]
Virus:W32/Netsky.P.worm Disinfected C:\Documents and Settings\user\Datos de programa\Thunderbird\Profiles\3msgwrnn.default\Mail\pop3.maxnet.co.nz\Trash[file.zip][data.rtf .scr]
Virus:Exploit/iFrame Disinfected C:\Documents and Settings\user\Datos de programa\Thunderbird\Profiles\3msgwrnn.default\Mail\pop3.maxnet.co.nz\Trash[~0000225.~]
Virus:W32/Netsky.P.worm Disinfected C:\Documents and Settings\user\Datos de programa\Thunderbird\Profiles\3msgwrnn.default\Mail\pop3.maxnet.co.nz\Trash[message.scr]
Virus:Exploit/iFrame Disinfected C:\Documents and Settings\user\Datos de programa\Thunderbird\Profiles\3msgwrnn.default\Mail\pop3.maxnet.co.nz\Trash[~0000253.~]
Virus:W32/Netsky.P.worm Disinfected C:\Documents and Settings\user\Datos de programa\Thunderbird\Profiles\3msgwrnn.default\Mail\pop3.maxnet.co.nz\Trash[message.scr]
Virus:W32/Netsky.P.worm Disinfected C:\Documents and Settings\user\Datos de programa\Thunderbird\Profiles\3msgwrnn.default\Mail\pop3.maxnet.co.nz\Trash[msg_nathan.zip][details.txt .pif]
Virus:Exploit/iFrame Disinfected C:\Documents and Settings\user\Datos de programa\Thunderbird\Profiles\3msgwrnn.default\Mail\pop3.maxnet.co.nz\Trash[~0000265.~]
Virus:W32/Netsky.P.worm Disinfected C:\Documents and Settings\user\Datos de programa\Thunderbird\Profiles\3msgwrnn.default\Mail\pop3.maxnet.co.nz\Trash[message.scr]
Virus:W32/Netsky.AB.worm Disinfected C:\Documents and Settings\user\Datos de programa\Thunderbird\Profiles\3msgwrnn.default\Mail\pop3.maxnet.co.nz\Trash[hurts.pif]
Virus:Exploit/iFrame Disinfected C:\Documents and Settings\user\Datos de programa\Thunderbird\Profiles\3msgwrnn.default\Mail\pop3.maxnet.co.nz\Trash[~0000288.~]
Virus:W32/Netsky.P.worm Disinfected C:\Documents and Settings\user\Datos de programa\Thunderbird\Profiles\3msgwrnn.default\Mail\pop3.maxnet.co.nz\Trash[message.scr]
Virus:W32/Netsky.P.worm Disinfected C:\Documents and Settings\user\Datos de programa\Thunderbird\Profiles\3msgwrnn.default\Mail\pop3.maxnet.co.nz\Trash[bill.pif]
Virus:Exploit/iFrame Disinfected C:\Documents and Settings\user\Datos de programa\Thunderbird\Profiles\3msgwrnn.default\Mail\pop3.maxnet.co.nz\Trash[~0000313.~]
Virus:W32/Netsky.P.worm Disinfected C:\Documents and Settings\user\Datos de programa\Thunderbird\Profiles\3msgwrnn.default\Mail\pop3.maxnet.co.nz\Trash[message.scr]
Virus:Exploit/iFrame Disinfected C:\Documents and Settings\user\Datos de programa\Thunderbird\Profiles\3msgwrnn.default\Mail\pop3.maxnet.co.nz\Trash[~0000438.~]
Virus:W32/Netsky.P.worm Disinfected C:\Documents and Settings\user\Datos de programa\Thunderbird\Profiles\3msgwrnn.default\Mail\pop3.maxnet.co.nz\Trash[message.scr]
Virus:W32/Netsky.P.worm Disinfected C:\Documents and Settings\user\Datos de programa\Thunderbird\Profiles\3msgwrnn.default\Mail\pop3.maxnet.co.nz\Trash[readme_nathan.txt .exe]
Virus:W32/Netsky.P.worm Disinfected C:\Documents and Settings\user\Datos de programa\Thunderbird\Profiles\3msgwrnn.default\Mail\pop3.maxnet.co.nz\Trash[document_with_notice.pif]
Virus:Exploit/iFrame Disinfected C:\Documents and Settings\user\Datos de programa\Thunderbird\Profiles\3msgwrnn.default\Mail\pop3.maxnet.co.nz\Trash[~0000463.~]
Virus:W32/Netsky.P.worm Disinfected C:\Documents and Settings\user\Datos de programa\Thunderbird\Profiles\3msgwrnn.default\Mail\pop3.maxnet.co.nz\Trash[message.scr]
Virus:Exploit/iFrame Disinfected C:\Documents and Settings\user\Datos de programa\Thunderbird\Profiles\3msgwrnn.default\Mail\pop3.maxnet.co.nz\Trash[~0000470.~]
Virus:W32/Netsky.P.worm Disinfected C:\Documents and Settings\user\Datos de programa\Thunderbird\Profiles\3msgwrnn.default\Mail\pop3.maxnet.co.nz\Trash[message.scr]
Virus:Exploit/iFrame Disinfected C:\Documents and Settings\user\Datos de programa\Thunderbird\Profiles\3msgwrnn.default\Mail\pop3.maxnet.co.nz\Trash[~0000487.~]
Virus:W32/Netsky.P.worm Disinfected C:\Documents and Settings\user\Datos de programa\Thunderbird\Profiles\3msgwrnn.default\Mail\pop3.maxnet.co.nz\Trash[message.scr]
Virus:W32/Netsky.P.worm Disinfected C:\Documents and Settings\user\Datos de programa\Thunderbird\Profiles\3msgwrnn.default\Mail\pop3.maxnet.co.nz\Trash[data.zip][document.txt .exe]
Virus:Exploit/iFrame Disinfected C:\Documents and Settings\user\Datos de programa\Thunderbird\Profiles\3msgwrnn.default\Mail\pop3.maxnet.co.nz\Trash[~0000493.~]
Virus:W32/Netsky.P.worm Disinfected C:\Documents and Settings\user\Datos de programa\Thunderbird\Profiles\3msgwrnn.default\Mail\pop3.maxnet.co.nz\Trash[message.scr]
Virus:Exploit/iFrame Disinfected C:\Documents and Settings\user\Datos de programa\Thunderbird\Profiles\3msgwrnn.default\Mail\pop3.maxnet.co.nz\Trash[~0000534.~]
Virus:W32/Netsky.P.worm Disinfected C:\Documents and Settings\user\Datos de programa\Thunderbird\Profiles\3msgwrnn.default\Mail\pop3.maxnet.co.nz\Trash[message.scr]
Virus:Exploit/iFrame Disinfected C:\Documents and Settings\user\Datos de programa\Thunderbird\Profiles\3msgwrnn.default\Mail\pop3.maxnet.co.nz\Trash[~0000546.~]
Virus:W32/Netsky.P.worm Disinfected C:\Documents and Settings\user\Datos de programa\Thunderbird\Profiles\3msgwrnn.default\Mail\pop3.maxnet.co.nz\Trash[message.scr]
Virus:W32/Netsky.P.worm Disinfected C:\Documents and Settings\user\Datos de programa\Thunderbird\Profiles\3msgwrnn.default\Mail\pop3.maxnet.co.nz\Trash[readme.pif]
Virus:W32/Netsky.P.worm Disinfected C:\Documents and Settings\user\Datos de programa\Thunderbird\Profiles\3msgwrnn.default\Mail\pop3.maxnet.co.nz\Trash[details05.zip][document.txt .exe]
Virus:Exploit/iFrame Disinfected C:\Documents and Settings\user\Datos de programa\Thunderbird\Profiles\3msgwrnn.default\Mail\pop3.maxnet.co.nz\Trash[~0000607.~]
Virus:W32/Netsky.P.worm Disinfected C:\Documents and Settings\user\Datos de programa\Thunderbird\Profiles\3msgwrnn.default\Mail\pop3.maxnet.co.nz\Trash[message.scr]
Virus:Exploit/iFrame Disinfected C:\Documents and Settings\user\Datos de programa\Thunderbird\Profiles\3msgwrnn.default\Mail\pop3.maxnet.co.nz\Trash[~0000618.~]
Virus:W32/Netsky.P.worm Disinfected C:\Documents and Settings\user\Datos de programa\Thunderbird\Profiles\3msgwrnn.default\Mail\pop3.maxnet.co.nz\Trash[message.scr]
Adware:Adware/DollarRevenue Not disinfected C:\Archivos de programa\Ace Utilities\Uninstall.exe[²ÜÇ\System.dll]
Potentially unwanted tool:Application/Zango Not disinfected C:\Archivos de programa\Mozilla Thunderbird\plugins\npclntax.dll
Potentially unwanted tool:Application/Zango Not disinfected C:\Archivos de programa\Mozilla Firefox\plugins\npclntax.dll
Virus:W32/Netsky.P.worm Disinfected Carpetas locales\Elementos eliminados\Mail Delivery (failure rdehaan@exportiberia.com)\message.scr
Virus:W32/Netsky.P.worm Disinfected [details.zip][document.txt .exe]
Virus:W32/Netsky.P.worm Disinfected Carpetas locales\Elementos eliminados\Mail Delivery (failure rdehaan@exportiberia.com)\message.scr

[aloholoh]

Sorry R3 was not there when I went to fix, the the others were there and were checked and fixed

Long post but had to break it up to fit
Thanks

[aloholoh]

ok re did it to reduce the content of the post... it was way too long and meesy before

so here goes

---------------------------------------------------------
ewido anti-spyware - Scan Report
---------------------------------------------------------

+ Created at: 2:45:45 p.m. 27/07/2006

+ Scan result:



Nothing found.


::Report end

Panda

Incident Status Location

Adware:adware/securityerror Not disinfected c:\windows\system32\ot.ico
Adware:adware/swimsuitnetwork Not disinfected c:\windows\system32\MYDLL.dll
Adware:adware/qoologic Not disinfected c:\windows\downloaded program files\installer.exe
Hacktool:rootkit/zaqt.a Not disinfected hkey_local_machine\system\currentcontrolset\services\DP1112
Adware:Adware/DollarRevenue Not disinfected C:\Archivos de programa\Ace Utilities\Uninstall.exe[²ÜÇ\System.dll]
Potentially unwanted tool:Application/Zango Not disinfected C:\Archivos de programa\Mozilla Thunderbird\plugins\npclntax.dll
Potentially unwanted tool:Application/Zango Not disinfected C:\Archivos de programa\Mozilla Firefox\plugins\npclntax.dll


Logfile of HijackThis v1.99.1
Scan saved at 3:29:42 p.m., on 27/07/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Archivos de programa\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SYSTEM32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Archivos de programa\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Archivos de programa\ScanSoft\PaperPort\pptd40nt.exe
C:\Archivos de programa\Brother\ControlCenter2\brctrcen.exe
C:\Archivos de programa\Java\jre1.5.0_06\bin\jusched.exe
C:\Archivos de programa\iTunes\iTunesHelper.exe
C:\Archivos de programa\QuickTime\qttask.exe
C:\Archivos de programa\Archivos comunes\Real\Update_OB\realsched.exe
C:\Archivos de programa\Windows Defender\MSASCui.exe
C:\ARCHIV~1\Grisoft\AVGFRE~1\avgcc.exe
C:\ARCHIV~1\ALIBABA\TRADEM~1\TradeManager.exe
C:\Archivos de programa\ewido anti-spyware 4.0\ewido.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Archivos de programa\Messenger\msmsgs.exe
C:\Archivos de programa\Skype\Phone\Skype.exe
C:\ARCHIV~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\ARCHIV~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Archivos de programa\Trend Micro\Tmas\Tmas.exe
C:\ARCHIV~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Archivos de programa\ewido anti-spyware 4.0\guard.exe
C:\Archivos de programa\Archivos comunes\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\Archivos de programa\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\HijackThis.exe
C:\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=56626&homepage=http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = localhost:4001
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Archivos de programa\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\ARCHIV~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Archivos de programa\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Archivos de programa\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: (no name) - {96C264AD-D75E-47FA-9F3D-AA3A6A02F0F4} - C:\WINDOWS\system32\mljjh.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Archivos de programa\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\es\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Archivos de programa\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\es\msntb.dll
O4 - HKLM\..\Run: [RemoteControl] "C:\Archivos de programa\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Archivos de programa\Archivos comunes\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] C:\Archivos de programa\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Archivos de programa\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [ControlCenter2.0] C:\Archivos de programa\Brother\ControlCenter2\brctrcen.exe /autorun
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Archivos de programa\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Archivos de programa\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Archivos de programa\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Archivos de programa\Archivos comunes\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Windows Defender] "C:\Archivos de programa\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [AVG7_CC] C:\ARCHIV~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [TradeManager] C:\ARCHIV~1\ALIBABA\TRADEM~1\TradeManager -hideframe
O4 - HKLM\..\Run: [!ewido] "C:\Archivos de programa\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Archivos de programa\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Archivos de programa\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Startup: Adobe Gamma.lnk = C:\Archivos de programa\Archivos comunes\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Inicio rápido de Adobe Reader.lnk = C:\Archivos de programa\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Trend Micro Anti-Spyware.lnk = C:\Archivos de programa\Trend Micro\Tmas\Tmas.exe
O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\ARCHIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Consola de Sun Java - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Referencia - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARCHIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.beep.es
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1153655572187
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/is...10/mcfscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{10B8D5D0-9C3D-42D8-BB71-3CD929CD4304}: NameServer = 212.145.4.97,212.145.4.98
O17 - HKLM\System\CS1\Services\Tcpip\..\{10B8D5D0-9C3D-42D8-BB71-3CD929CD4304}: NameServer = 212.145.4.97,212.145.4.98
O17 - HKLM\System\CS2\Services\Tcpip\..\{10B8D5D0-9C3D-42D8-BB71-3CD929CD4304}: NameServer = 212.145.4.97,212.145.4.98
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARCHIV~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARCHIV~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: mljjh - C:\WINDOWS\system32\mljjh.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winbue32 - winbue32.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Archivos de programa\Archivos comunes\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\ARCHIV~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\ARCHIV~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\ARCHIV~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Archivos de programa\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Archivos de programa\Archivos comunes\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Archivos de programa\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Archivos de programa\Archivos comunes\Macromedia Shared\Service\Macromedia Licensing.exe

thanks

[Ried]

Hello aloholoh,

We have a bit more to do here.

Please copy this page to Notepad and save to your desktop for reference as you will not have any browsers open while you are carrying out these instructions.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

*********************************************

Please download SmitfraudFix (by S!Ri)

Extract the content (a folder named SmitfraudFix) to your Desktop. Do not run it yet.


Download the attached aloholoh.zip file to your desktop. Double click on the aloholoh.zip folder, then double click on the .reg file within. Click yes to allow it to merge into your registry.


Download combofix from one of these locations:

• http://www.techsupportforum.com/sectools/combofix.exe
• http://download.bleepingcomputer.com/sUBs/combofix.exe

Extract combofix & place it on the desktop.

Click Start>Run and copy/paste the following into the Run box:

"%userprofile%\desktop\combofix.exe" /v mljjh

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

-----------------------------------

Reboot into Safe Mode.

-----------------------------------

Open HijackThis and click on 'Do a System Scan Only'. Check the following entry:

O20 - Winlogon Notify: winbue32 - winbue32.dll (file missing)

Click 'Fix Checked' and close HijackThis.

-----------------------------------

Click Start>Run and copy/paste regsvr32 /u occache.dll and click OK.


Delete the following files:

c:\windows\system32\ ot.ico
c:\windows\system32\ MYDLL.dll
c:\windows\downloaded program files\ installer.exe
C:\Archivos de programa\Mozilla Thunderbird\plugins\ npclntax.dll
C:\Archivos de programa\Mozilla Firefox\plugins\ npclntax.dll

Now, click Start>Run and copy/paste regsvr32 occache.dll and click OK.

-----------------------------------

Reboot into Normal Mode.

-----------------------------------

Run another online scan at Panda and post the results here.

-----------------------------------

Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press "Enter"
and a text file will appear which lists infected files (if present).
Please copy/paste the content of that report into your next reply.


IMPORTANT: Do NOT run option #2 OR any other option until you are directed to do so!

-----------------------------------

Finally, double click on combofix.exe & follow the prompts.
When finished, it shall produce a log for you. Post that log in your next reply

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

Please include the following in your next reply:

C:\Combofix.previous.run.txt
Panda results
Smitfraud log
C:\Combofix.txt
HJT

[aloholoh]

tried clicking the blue part but nothing - is it somewhere else???

[Ried]

So sorry about that. Here's the link

[aloholoh]

Start Time= Fri 28/07/2006 11:29:37.01
Running from: C:\Documents and Settings\user\Escritorio

QuickScan did not find any signs of infected files

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-07-26 17:46:28 ( .D... ) "C:\Archivos de programa\ewido anti-spyware 4.0"
2006-07-25 12:59:30 65556 ( A.... ) "C:\WINDOWS\system32\jwefjibj.exe"
2006-07-25 0818 65556 ( A.... ) "C:\WINDOWS\system32\vdyuwtiv.exe"
2006-07-23 12:47:26 ( .D... ) "C:\Documents and Settings\user\Datos de programa\Lavasoft"
2006-07-23 12:47:16 ( .D... ) "C:\Archivos de programa\Lavasoft"
2006-07-23 11:45:14 ( .D... ) "C:\Archivos de programa\Trend Micro"
2006-07-20 10:32:40 ( .D... ) "C:\Documents and Settings\user\Datos de programa\Opera"
2006-07-07 19:50:00 ( .D... ) "C:\Archivos de programa\Archivos comunes\Adobe Systems Shared"
2006-07-06 15:11:24 ( .D... ) "C:\Archivos de programa\Alibaba"
2006-07-04 16:01:46 ( .D... ) "C:\Archivos de programa\Sophos"
2006-07-03 09:04:32 569396 ( ..... ) "C:\WINDOWS\system32\mljjh.dll"
2006-07-02 18:16:44 ( .D... ) "C:\Archivos de programa\Ace Utilities"
2006-07-02 17:37:50 ( .D... ) "C:\Archivos de programa\Spybot - Search & Destroy"
2006-07-02 15:58:54 ( .D... ) "C:\Documents and Settings\user\Datos de programa\Help"
2006-07-02 15:02:32 ( .D... ) "C:\Documents and Settings\user\Datos de programa\AVG7"
2006-07-02 15:02:18 ( .D... ) "C:\Archivos de programa\Grisoft"
2006-07-01 19:16:58 ( .D... ) "C:\Archivos de programa\Archivos comunes\Macromedia Shared"
2006-07-01 19:16:48 ( .D... ) "C:\Archivos de programa\Archivos comunes\Macromedia"
2006-07-01 19:16:24 ( .D... ) "C:\Archivos de programa\Macromedia"
2006-07-01 19:12:24 ( .D... ) "C:\Archivos de programa\WinAce"
2006-06-30 17:47:24 ( .D... ) "C:\Documents and Settings\user\Datos de programa\BitTorrent"
2006-06-22 09:36:28 ( .D... ) "C:\Archivos de programa\LeechFTP"
2006-06-19 16:20:42 702768 ( A.... ) "C:\WINDOWS\system32\WgaLogon.dll"
2006-06-16 14:34:44 48936 ( A.... ) "C:\WINDOWS\system32\sirenacm.dll"
2006-06-14 09:32:56 ( .D... ) "C:\Archivos de programa\Ipswitch"
2006-05-31 17:37:08 25132 ( A.... ) "C:\Documents and Settings\user\Datos de programa\Microsoft Excel.ADR"
2006-05-31 17:11:38 22424 ( A.... ) "C:\Documents and Settings\user\Datos de programa\Microsoft Access.ADR"
2006-05-29 17:29:58 ( .D... ) "C:\Archivos de programa\OfficeUpdate11"
2006-05-19 15:18:52 148480 ( A.... ) "C:\WINDOWS\system32\dnsapi.dll"
2006-05-19 15:18:52 111616 ( A.... ) "C:\WINDOWS\system32\dhcpcsvc.dll"
2006-05-19 15:18:52 95232 ( A.... ) "C:\WINDOWS\system32\iphlpapi.dll"


(((((((((((((((((((((((((((((((((((((( Files Created - Last 30days )))))))))))))))))))))))))))))))))))))))))))

Panda

Incident Status Location

Hacktool:rootkit/zaqt.a Not disinfected hkey_local_machine\system\currentcontrolset\services\DP1112
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\user\Escritorio\Antivirus\SmitfraudFix.zip[SmitfraudFix/Process.exe]
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\user\Escritorio\SmitfraudFix\SmitfraudFix\Process.exe
Adware:Adware/DollarRevenue Not disinfected C:\Archivos de programa\Ace Utilities\Uninstall.exe[²ÜÇ\System.dll]

SmitFraudFix v2.76

Scan done at 12:14:39.54, Fri 28/07/2006
Run from C:\Documents and Settings\user\Escritorio\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [Versi¢n 5.1.2600] - Windows_NT
Fix ran in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\user\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


Start Time= Fri 28/07/2006 12:15:31.70
Running from: C:\Documents and Settings\user\Escritorio

QuickScan did not find any signs of infected files

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-07-26 17:46:28 ( .D... ) "C:\Archivos de programa\ewido anti-spyware 4.0"
2006-07-25 12:59:30 65556 ( A.... ) "C:\WINDOWS\system32\jwefjibj.exe"
2006-07-25 0818 65556 ( A.... ) "C:\WINDOWS\system32\vdyuwtiv.exe"
2006-07-23 12:47:26 ( .D... ) "C:\Documents and Settings\user\Datos de programa\Lavasoft"
2006-07-23 12:47:16 ( .D... ) "C:\Archivos de programa\Lavasoft"
2006-07-23 11:45:14 ( .D... ) "C:\Archivos de programa\Trend Micro"
2006-07-20 10:32:40 ( .D... ) "C:\Documents and Settings\user\Datos de programa\Opera"
2006-07-07 19:50:00 ( .D... ) "C:\Archivos de programa\Archivos comunes\Adobe Systems Shared"
2006-07-06 15:11:24 ( .D... ) "C:\Archivos de programa\Alibaba"
2006-07-04 16:01:46 ( .D... ) "C:\Archivos de programa\Sophos"
2006-07-03 09:04:32 569396 ( ..... ) "C:\WINDOWS\system32\mljjh.dll"
2006-07-02 18:16:44 ( .D... ) "C:\Archivos de programa\Ace Utilities"
2006-07-02 17:37:50 ( .D... ) "C:\Archivos de programa\Spybot - Search & Destroy"
2006-07-02 15:58:54 ( .D... ) "C:\Documents and Settings\user\Datos de programa\Help"
2006-07-02 15:02:32 ( .D... ) "C:\Documents and Settings\user\Datos de programa\AVG7"
2006-07-02 15:02:18 ( .D... ) "C:\Archivos de programa\Grisoft"
2006-07-01 19:16:58 ( .D... ) "C:\Archivos de programa\Archivos comunes\Macromedia Shared"
2006-07-01 19:16:48 ( .D... ) "C:\Archivos de programa\Archivos comunes\Macromedia"
2006-07-01 19:16:24 ( .D... ) "C:\Archivos de programa\Macromedia"
2006-07-01 19:12:24 ( .D... ) "C:\Archivos de programa\WinAce"
2006-06-30 17:47:24 ( .D... ) "C:\Documents and Settings\user\Datos de programa\BitTorrent"
2006-06-22 09:36:28 ( .D... ) "C:\Archivos de programa\LeechFTP"
2006-06-19 16:20:42 702768 ( A.... ) "C:\WINDOWS\system32\WgaLogon.dll"
2006-06-16 14:34:44 48936 ( A.... ) "C:\WINDOWS\system32\sirenacm.dll"
2006-06-14 09:32:56 ( .D... ) "C:\Archivos de programa\Ipswitch"
2006-05-31 17:37:08 25132 ( A.... ) "C:\Documents and Settings\user\Datos de programa\Microsoft Excel.ADR"
2006-05-31 17:11:38 22424 ( A.... ) "C:\Documents and Settings\user\Datos de programa\Microsoft Access.ADR"
2006-05-29 17:29:58 ( .D... ) "C:\Archivos de programa\OfficeUpdate11"
2006-05-19 15:18:52 148480 ( A.... ) "C:\WINDOWS\system32\dnsapi.dll"
2006-05-19 15:18:52 111616 ( A.... ) "C:\WINDOWS\system32\dhcpcsvc.dll"
2006-05-19 15:18:52 95232 ( A.... ) "C:\WINDOWS\system32\iphlpapi.dll"


(((((((((((((((((((((((((((((((((((((( Files Created - Last 30days )))))))))))))))))))))))))))))))))))))))))))


2006-07-28 12:14 53,248 C:\WINDOWS\system32\Process.exe
2006-07-28 12:14 42,496 C:\WINDOWS\system32\swreg.exe
2006-07-28 12:14 40,960 C:\WINDOWS\system32\swsc.exe
2006-07-28 12:14 288,417 C:\WINDOWS\system32\SrchSTS.exe
2006-07-28 11:38 1,072,156,672 C:\hiberfil.sys
2006-07-26 18:54 73,728 C:\WINDOWS\system32\asuninst.exe
2006-07-26 18:54 11,776 C:\WINDOWS\system32\ZPORT4AS.dll
2006-07-25 13:19 <DIR> C:\WINDOWS\McAfee.com
2006-07-25 12:59 65,556 C:\WINDOWS\system32\jwefjibj.exe
2006-07-25 08:06 65,556 C:\WINDOWS\system32\vdyuwtiv.exe
2006-07-23 11:36 218,112 C:\HijackThis.exe
2006-07-03 09:04 569,396 C:\WINDOWS\system32\mljjh.dll
2006-07-01 19:16 974,848 C:\WINDOWS\system32\mfc70.dll
2006-07-01 19:16 487,424 C:\WINDOWS\system32\msvcp70.dll
2006-07-01 19:16 344,064 C:\WINDOWS\system32\msvcr70.dll
2006-06-22 09:36 18,944 C:\WINDOWS\eraser.exe
2006-06-16 14:34 48,936 C:\WINDOWS\system32\sirenacm.dll
2006-06-14 09:32 50,688 C:\WINDOWS\system32\wbhelp2.dll
2006-06-14 09:32 1,060,864 C:\WINDOWS\system32\MFC71.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"RemoteControl"="\"C:\\Archivos de programa\\CyberLink\\PowerDVD\\PDVDServ.exe\""
"SoundMan"="SOUNDMAN.EXE"
"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"SSBkgdUpdate"="\"C:\\Archivos de programa\\Archivos comunes\\Scansoft Shared\\SSBkgdUpdate\\SSBkgdupdate.exe\" -Embedding -boot"
"PaperPort PTD"="C:\\Archivos de programa\\ScanSoft\\PaperPort\\pptd40nt.exe"
"IndexSearch"="C:\\Archivos de programa\\ScanSoft\\PaperPort\\IndexSearch.exe"
"ControlCenter2.0"="C:\\Archivos de programa\\Brother\\ControlCenter2\\brctrcen.exe /autorun"
"SunJavaUpdateSched"="C:\\Archivos de programa\\Java\\jre1.5.0_06\\bin\\jusched.exe"
"iTunesHelper"="\"C:\\Archivos de programa\\iTunes\\iTunesHelper.exe\""
"QuickTime Task"="\"C:\\Archivos de programa\\QuickTime\\qttask.exe\" -atboottime"
"TkBellExe"="\"C:\\Archivos de programa\\Archivos comunes\\Real\\Update_OB\\realsched.exe\" -osboot"
"Windows Defender"="\"C:\\Archivos de programa\\Windows Defender\\MSASCui.exe\" -hide"
"AVG7_CC"="C:\\ARCHIV~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"
"TradeManager"="C:\\ARCHIV~1\\ALIBABA\\TRADEM~1\\TradeManager -hideframe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\system32\\ctfmon.exe"
"MSMSGS"="\"C:\\Archivos de programa\\Messenger\\msmsgs.exe\" /background"
"Skype"="\"C:\\Archivos de programa\\Skype\\Phone\\Skype.exe\" /nosplash /minimized"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="file:///C:/DOCUME~1/user/CONFIG~1/Temp/msohtml1/01/clip_image002.jpg"
"SubscribedURL"="file:///C:/DOCUME~1/user/CONFIG~1/Temp/msohtml1/01/clip_image002.jpg"
"FriendlyName"=""
"Flags"=dword:00002001
"Position"=hex:2c,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,e8,\
03,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=dword:40000001
"OriginalStateInfo"=hex:18,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,01,00,00,00
"RestoredStateInfo"=hex:dc,ff,c0,03,f3,99,83,7c,70,9a,80,7c,ff,ff,ff,ff,66,9a,\
80,7c,66,9a,80,7c

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\1]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="Mi página de inicio actual"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,de,02,00,00,ea,\
03,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=dword:40000004
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
00,00,01,00,00,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\system32\\CTFMON.EXE"
"AVG7_Run"="C:\\ARCHIV~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\system32\\CTFMON.EXE"
"AVG7_Run"="C:\\ARCHIV~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Precargador Browseui"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Demonio de caché de las categorías de componente"
"{7916f057-223f-4612-ac84-e882cbe043d4}"="bals"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}"="Microsoft AntiMalware ShellExecuteHook"
"{03A80B1D-5C6A-42c2-9DFB-81B6005D8023}"="Trend Micro Anti-Spyware Shell Extension"
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="ewido anti-spyware 4.0"

HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system
DisableRegistryTools REG_DWORD 0 (0x0)

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\WinDefend


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\MP Scheduled Scan.job

Completion time: Fri 28/07/2006 12:15:56.82
ComboFix ver 06.07.15/28 - This logfile is located at C:\ComboFix.txt

ComboFix.2006-07-28.121531.txt

Logfile of HijackThis v1.99.1
Scan saved at 12:16:45 p.m., on 28/07/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Archivos de programa\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SYSTEM32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\ARCHIV~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\ARCHIV~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\ARCHIV~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Archivos de programa\ewido anti-spyware 4.0\guard.exe
C:\Archivos de programa\Archivos comunes\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\Archivos de programa\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Archivos de programa\ScanSoft\PaperPort\pptd40nt.exe
C:\Archivos de programa\Brother\ControlCenter2\brctrcen.exe
C:\Archivos de programa\Java\jre1.5.0_06\bin\jusched.exe
C:\Archivos de programa\iTunes\iTunesHelper.exe
C:\Archivos de programa\QuickTime\qttask.exe
C:\Archivos de programa\Archivos comunes\Real\Update_OB\realsched.exe
C:\Archivos de programa\Windows Defender\MSASCui.exe
C:\ARCHIV~1\Grisoft\AVGFRE~1\avgcc.exe
C:\ARCHIV~1\ALIBABA\TRADEM~1\TradeManager.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Archivos de programa\Messenger\msmsgs.exe
C:\Archivos de programa\Skype\Phone\Skype.exe
C:\Archivos de programa\iPod\bin\iPodService.exe
C:\Archivos de programa\Trend Micro\Tmas\Tmas.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\Archivos de programa\Internet Explorer\IEXPLORE.EXE
C:\Archivos de programa\Archivos comunes\Microsoft Shared\Source Engine\OSE.EXE
C:\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=56626&homepage=http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = localhost:4001
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Archivos de programa\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\es\msntb.dll
O4 - HKLM\..\Run: [RemoteControl] "C:\Archivos de programa\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Archivos de programa\Archivos comunes\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] C:\Archivos de programa\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Archivos de programa\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [ControlCenter2.0] C:\Archivos de programa\Brother\ControlCenter2\brctrcen.exe /autorun
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Archivos de programa\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Archivos de programa\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Archivos de programa\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Archivos de programa\Archivos comunes\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Windows Defender] "C:\Archivos de programa\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [AVG7_CC] C:\ARCHIV~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [TradeManager] C:\ARCHIV~1\ALIBABA\TRADEM~1\TradeManager -hideframe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Archivos de programa\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Archivos de programa\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Startup: Adobe Gamma.lnk = C:\Archivos de programa\Archivos comunes\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Inicio rápido de Adobe Reader.lnk = C:\Archivos de programa\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Trend Micro Anti-Spyware.lnk = C:\Archivos de programa\Trend Micro\Tmas\Tmas.exe
O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\ARCHIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Consola de Sun Java - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Referencia - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARCHIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.beep.es
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1153655572187
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/is...10/mcfscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{10B8D5D0-9C3D-42D8-BB71-3CD929CD4304}: NameServer = 212.145.4.97,212.145.4.98
O17 - HKLM\System\CS1\Services\Tcpip\..\{10B8D5D0-9C3D-42D8-BB71-3CD929CD4304}: NameServer = 212.145.4.97,212.145.4.98
O17 - HKLM\System\CS2\Services\Tcpip\..\{10B8D5D0-9C3D-42D8-BB71-3CD929CD4304}: NameServer = 212.145.4.97,212.145.4.98
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARCHIV~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARCHIV~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Archivos de programa\Archivos comunes\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\ARCHIV~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\ARCHIV~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\ARCHIV~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Archivos de programa\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Archivos de programa\Archivos comunes\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Archivos de programa\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Archivos de programa\Archivos comunes\Macromedia Shared\Service\Macromedia Licensing.exe

Thanks

[Ried]

Hi aloholoh,

We're almost there.

Please copy this page to Notepad and save to your desktop for reference as you will not have any browsers open while you are carrying out these instructions.

As before, it is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

*************************************************

Download and install CleanUp! but do not run it yet. (Not Recommended for XP64).

*************************************************

Please disable the following program(s) as they may interfere with the fixes below. You may re-enable them when we are through:

Windows Defender:

• Open Windows Defender.
• Click on Tools, Options.
• Scroll down and uncheck Turn on real-time protection (recommended).
• After you uncheck this, click on the Save button and close Windows Defender.

Ewido Guard

• Open Ewido by double-clicking the orange icon in the system tray.
• In the 'Your Computer's Securitysection, toggle the Ewido Guard Resident Shield 'off' by clicking Change state which will then change the protection status to 'inactive'.

*************************************************

Reboot into Safe Mode.

-------------------------------------

Delete the following files:

C:\WINDOWS\system32\ mljjh.dll
C:\WINDOWS\system32\ jwefjibj.exe
C:\WINDOWS\system32\ vdyuwtiv.exe

-------------------------------------

Click START…RUN…Type in regedit. Make sure just "My Computer" is showing in the left pane and click..FILE….EXPORT…and save a copy some were in case you make a mistake.

• Now navigate to the following keys by clicking the + sign next to each category to expand them.
• Continue doing so until you've reached the file/folder/entry I highlighted in RED
• You will see the entry in the right hand panel. Right click the entry in that panel and select 'delete'.

hkey_local_machine\system\currentcontrolset\services\ DP1112


If the above registry key is giving you problems deleting:

• Right click on it and click on Permissions.
• Then click on the Advanced button. Make sure the first box (Inherit from parent...) is checked. Click OK and OK.
• Now try deleting the entry again.

Once you're done, close the Registry Editor.

-------------------------------------

Open the SmitfraudFix Folder, then double-click smitfraudfix.cmd file to start the tool.
Select option #2 - Clean by typing 2 and press Enter.
Wait for the tool to complete and disk cleanup to finish.
You will be prompted : " Registry cleaning - Do you want to clean the registry?" answer Yes by typing Y and hit Enter.
The tool will also check if wininet.dll is infected. If a clean version is found, you will be prompted to replace wininet.dll. Answer Yes to the question " Replace infected file?" by typing Y and hit Enter.


A reboot may be needed to finish the cleaning process, if you computer does not restart automatically please do it yourself manually. Reboot in Safe Mode.

The tool will create a log named rapport.txt in the root of your drive, eg: Local Disk C: (C:rapport.txt) or partition where your operating system is installed. Please post that log along with all others requested in your next reply.
______________________________

Clean out your Temporary Internet files.

*WARNING* Cleanup deletes EVERYTHING out of temp/temporary folders and does not make backups. If you have any documents or programs that are saved in any Temporary Folders, please make a backup of these before running CleanUp! or move them to a permanent location.

Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu). Set the program up as follows:
*Click "Options..."
*Move the arrow down to "Custom CleanUp!"
*Put a check next to the following:

• Empty Recycle Bins
• Delete Cookies
• Delete Prefetch files
• Cleanup! All Users
• Click on the "Temporary Files" and uncheck the box for "Scan drives for file matching" if it's checked.

Click OK
Press the CleanUp! button to start the program. Do NOT reboot/logoff when prompted.
---------------------------------------------------------------------------------------------

Next go to Control Panel click Display>Desktop>Customize Desktop>Web> Now, Uncheck Everything and delete if present:
· "Security Info"
· "Warning Message"
· "Security Desktop"
· "Warning Homepage"
· "Desktop Uninstall"

Also make sure the 'Lock desktop items' box is unticked. Click OK, and then Click Apply, then OK.

______________________________

Reboot into Normal Mode.

______________________________

Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #3 - Delete Trusted zone by typing 3 and press Enter

Note, if you use SpywareBlaster and/or IE-SPYAD, it will be necessary to re-install the protection both afford. For SpywareBlaster, run the program and re-protect all items. For IE-SPYAD, run the batch file and reinstall the protection.
______________________________

Once you reboot......I'd like to try a different online scanner as a second opinion.

Please perform an online scan with Internet Explorer at Kaspersky Online Scanner

Answer Yes, when prompted to install an ActiveX component.

• The program will then begin downloading the latest definition files.
• Once the files have been downloaded click on NEXT
• Locate the Scan Settings button & configure to:
  • Scan using the following Anti-Virus database:
    • Extended
  • Scan Options:
    • Scan Archives
    • Scan Mail Bases
• Click OK & have it scan My Computer
• Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
• Click the Save as Text button to save the file to your desktop so that you may post it in your next reply

* Turn off the real time scanner of any existing antivirus program while performing the online scan

______________________________

Run combofix.exe again.


Question: Where did you download Ace Utilities from? It's showing as infected.

Please include the following in your next reply:

rapport.txt
Kaspersky results
combofix.log
New HijackThis log

[aloholoh]

I can't delete the mljjh file, box comes up say it in is use by another person or program, close all programs that are using.
Can't change name or move the file.

Uninstalled Ace Utiites - would have thought I donloaded it from here http://www.acelogix.com/

have not gone passed deleting files instructions yet

[Ried]

Hi,

Download and run this tool first then. Make sure the active protection by Ewido and Windows Defender are disabled before running the tool.

Please download VundoFix5.exe to your desktop.

• Double-click VundoFix.exe to run it.
• Put a check next to Run VundoFix as a task.
• You will receive a message saying vundofix will close and re-open in a minute or less. Click OK
• When VundoFix re-opens, click the Scan for Vundo button.
• Once it's done scanning, click the Remove Vundo button.
• You will receive a prompt asking if you want to remove the files, click YES
• Once you click yes, your desktop will go blank as it starts removing Vundo.
• When completed, it will prompt that it will shutdown your computer, click OK.
• Turn your computer back on.
• Please post the contents of C:\vundofix.txt along with any other reports requested.

Boot into Safe Mode and continue with instructions previously posted. Do not be concerned if the mljjh.dll is not found as the tool above should have deleted it.

In your next reply, also please let me know if the registry entry was present on your system.

[aloholoh]

ok new reports - the mljjh file was not there after the Vundofix - the hkey_local...DP112 file was not there either, but I continued on with the instructions.

logs below

mitFraudFix v2.76

Scan done at 15:50:16.39, Sat 29/07/2006
Run from C:\Documents and Settings\user\Escritorio\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [Versi¢n 5.1.2600] - Windows_NT
Fix ran in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{7916f057-223f-4612-ac84-e882cbe043d4}"="bals"


»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files


»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» End

Saturday, July 29, 2006 5:08:09 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 29/07/2006
Kaspersky Anti-Virus database records: 210696
Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true
Scan Target My Computer
C:\
D:\
E:\
G:\
H:\
I:\
J:\
Scan Statistics
Total number of scanned objects 46877
Number of viruses found 3
Number of infected objects 3 / 0
Number of suspicious objects 5
Duration of the scan process 00:56:31

Infected Object Name Virus Name Last Action
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\DEFAULT Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SOFTWARE Object is locked skipped
C:\WINDOWS\system32\config\SYSTEM Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{083539B9-2C3F-48AC-AAEE-BD894686FD54}.bin Object is locked skipped
C:\Documents and Settings\All Users\Datos de programa\Microsoft\Windows Defender\Support\WDLog-04152006-183921.log Object is locked skipped
C:\Documents and Settings\All Users\Datos de programa\avg7\Log\emc.log Object is locked skipped
C:\Documents and Settings\All Users\Datos de programa\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
C:\Documents and Settings\All Users\Datos de programa\Grisoft\Avg7Data\avg7log.log Object is locked skipped
C:\Documents and Settings\NetworkService\Configuración local\Datos de programa\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Configuración local\Datos de programa\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\Configuración local\Historial\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Configuración local\Archivos temporales de Internet\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Configuración local\Datos de programa\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Configuración local\Datos de programa\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\user\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\user\Configuración local\Temp\~my2.tmp Object is locked skipped
C:\Documents and Settings\user\Configuración local\Temp\sqlite_04HWn3wy6iMMnFd Object is locked skipped
C:\Documents and Settings\user\Configuración local\Temp\~DFB817.tmp Object is locked skipped
C:\Documents and Settings\user\Configuración local\Temp\sqlite_KrkmofsJKOiNbQP Object is locked skipped
C:\Documents and Settings\user\Configuración local\Temp\sqlite_KDwKwcetBdv4VKE Object is locked skipped
C:\Documents and Settings\user\Configuración local\Temp\sqlite_6xvsNoWb0ae7Ycy Object is locked skipped
C:\Documents and Settings\user\Configuración local\Temp\Perflib_Perfdata_788.dat Object is locked skipped
C:\Documents and Settings\user\Configuración local\Historial\History.IE5\MSHist012006072920060730\index.dat Object is locked skipped
C:\Documents and Settings\user\Configuración local\Historial\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\user\Configuración local\Archivos temporales de Internet\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\user\Configuración local\Datos de programa\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\user\Configuración local\Datos de programa\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\user\Configuración local\Datos de programa\Identities\{423B6B9D-E224-4B6A-B6AF-CD3EB3C82066}\Microsoft\Outlook Express\Elementos eliminados.dbx/[From ][Date Thu, 29 Dec 2005 09:51:41 +0100]/html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\user\Configuración local\Datos de programa\Identities\{423B6B9D-E224-4B6A-B6AF-CD3EB3C82066}\Microsoft\Outlook Express\Elementos eliminados.dbx/[From publicitat@ebredigital.com][Date Thu, 29 Dec 2005 11:00:34 +0100]/UNNAMED/UNNAMED/html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\user\Configuración local\Datos de programa\Identities\{423B6B9D-E224-4B6A-B6AF-CD3EB3C82066}\Microsoft\Outlook Express\Elementos eliminados.dbx/[From publicitat@ebredigital.com][Date Thu, 29 Dec 2005 11:00:34 +0100]/UNNAMED/UNNAMED Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\user\Configuración local\Datos de programa\Identities\{423B6B9D-E224-4B6A-B6AF-CD3EB3C82066}\Microsoft\Outlook Express\Elementos eliminados.dbx/[From publicitat@ebredigital.com][Date Thu, 29 Dec 2005 11:00:34 +0100]/UNNAMED Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\user\Configuración local\Datos de programa\Identities\{423B6B9D-E224-4B6A-B6AF-CD3EB3C82066}\Microsoft\Outlook Express\Elementos eliminados.dbx Mail MS Outlook 5: suspicious - 4 skipped
C:\Documents and Settings\user\Escritorio\Antivirus\OiUninstaller.exe/data0003 Infected: not-a-virus:AdWare.Win32.PurityScan.bu skipped
C:\Documents and Settings\user\Escritorio\Antivirus\OiUninstaller.exe NSIS: infected - 1 skipped
C:\Documents and Settings\user\Datos de programa\Skype\nathanfoote\index2.dat Object is locked skipped
C:\Documents and Settings\user\Datos de programa\Skype\nathanfoote\contactgroup256.dbb Object is locked skipped
C:\Documents and Settings\user\Datos de programa\Skype\nathanfoote\user1024.dbb Object is locked skipped
C:\Documents and Settings\user\Datos de programa\Skype\nathanfoote\chat256.dbb Object is locked skipped
C:\Documents and Settings\user\Datos de programa\Skype\nathanfoote\chatmsg256.dbb Object is locked skipped
C:\Documents and Settings\user\Datos de programa\Skype\nathanfoote\chat512.dbb Object is locked skipped
C:\Documents and Settings\user\Datos de programa\Skype\nathanfoote\transfer256.dbb Object is locked skipped
C:\Documents and Settings\user\Datos de programa\Skype\nathanfoote\voicemail256.dbb Object is locked skipped
C:\Documents and Settings\user\Datos de programa\Skype\nathanfoote\user256.dbb Object is locked skipped
C:\Documents and Settings\user\Datos de programa\Skype\nathanfoote\call256.dbb Object is locked skipped
C:\Documents and Settings\user\Datos de programa\Skype\nathanfoote\profile4096.dbb Object is locked skipped
C:\Documents and Settings\user\Datos de programa\Skype\nathanfoote\user16384.dbb Object is locked skipped
C:\Documents and Settings\user\Datos de programa\Skype\nathanfoote\chatmsg512.dbb Object is locked skipped
C:\Documents and Settings\user\Datos de programa\Skype\nathanfoote\chatmsg4096.dbb Object is locked skipped
C:\Documents and Settings\user\Datos de programa\Mozilla\Firefox\Profiles\r1zq06qg.default\history.dat Object is locked skipped
C:\Documents and Settings\user\Datos de programa\Mozilla\Firefox\Profiles\r1zq06qg.default\cert8.db Object is locked skipped
C:\Documents and Settings\user\Datos de programa\Mozilla\Firefox\Profiles\r1zq06qg.default\key3.db Object is locked skipped
C:\Documents and Settings\user\Datos de programa\Mozilla\Firefox\Profiles\r1zq06qg.default\parent.lock Object is locked skipped
C:\Documents and Settings\user\UserData\index.dat Object is locked skipped
C:\Documents and Settings\user\ntuser.dat Object is locked skipped
C:\Documents and Settings\user\Cookies\index.dat Object is locked skipped
C:\Archivos de programa\Alibaba\TradeManager\users\system\Config.db Object is locked skipped
C:\Archivos de programa\Alibaba\TradeManager\users\enaliintexportiberia\CacheDB.db Object is locked skipped
C:\Archivos de programa\Alibaba\TradeManager\users\enaliintexportiberia\msglog.db Object is locked skipped
C:\Archivos de programa\Alibaba\TradeManager\users\enaliintexportiberia\Config.db Object is locked skipped
C:\VundoFix Backups\mljjh.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.cq skipped
Scan process completed.

Start Time= Sat 29/07/2006 17:10:03.51
Running from: C:\Documents and Settings\user\Escritorio

QuickScan did not find any signs of infected files

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-07-29 15:22:58 77312 ( A.... ) "C:\WINDOWS\system32\VundoFix.exe"
2006-07-29 14:59:36 ( .D... ) "C:\Archivos de programa\CleanUp!"
2006-07-26 17:46:28 ( .D... ) "C:\Archivos de programa\ewido anti-spyware 4.0"
2006-07-23 12:47:26 ( .D... ) "C:\Documents and Settings\user\Datos de programa\Lavasoft"
2006-07-23 12:47:16 ( .D... ) "C:\Archivos de programa\Lavasoft"
2006-07-23 11:45:14 ( .D... ) "C:\Archivos de programa\Trend Micro"
2006-07-20 10:32:40 ( .D... ) "C:\Documents and Settings\user\Datos de programa\Opera"
2006-07-07 19:50:00 ( .D... ) "C:\Archivos de programa\Archivos comunes\Adobe Systems Shared"
2006-07-06 15:11:24 ( .D... ) "C:\Archivos de programa\Alibaba"
2006-07-04 16:01:46 ( .D... ) "C:\Archivos de programa\Sophos"
2006-07-02 17:37:50 ( .D... ) "C:\Archivos de programa\Spybot - Search & Destroy"
2006-07-02 15:58:54 ( .D... ) "C:\Documents and Settings\user\Datos de programa\Help"
2006-07-02 15:02:32 ( .D... ) "C:\Documents and Settings\user\Datos de programa\AVG7"
2006-07-02 15:02:18 ( .D... ) "C:\Archivos de programa\Grisoft"
2006-07-01 19:16:58 ( .D... ) "C:\Archivos de programa\Archivos comunes\Macromedia Shared"
2006-07-01 19:16:48 ( .D... ) "C:\Archivos de programa\Archivos comunes\Macromedia"
2006-07-01 19:16:24 ( .D... ) "C:\Archivos de programa\Macromedia"
2006-07-01 19:12:24 ( .D... ) "C:\Archivos de programa\WinAce"
2006-06-30 17:47:24 ( .D... ) "C:\Documents and Settings\user\Datos de programa\BitTorrent"
2006-06-22 09:36:28 ( .D... ) "C:\Archivos de programa\LeechFTP"
2006-06-19 16:20:42 702768 ( A.... ) "C:\WINDOWS\system32\WgaLogon.dll"
2006-06-16 14:34:44 48936 ( A.... ) "C:\WINDOWS\system32\sirenacm.dll"
2006-06-14 09:32:56 ( .D... ) "C:\Archivos de programa\Ipswitch"
2006-05-31 17:37:08 25132 ( A.... ) "C:\Documents and Settings\user\Datos de programa\Microsoft Excel.ADR"
2006-05-31 17:11:38 22424 ( A.... ) "C:\Documents and Settings\user\Datos de programa\Microsoft Access.ADR"
2006-05-29 17:29:58 ( .D... ) "C:\Archivos de programa\OfficeUpdate11"
2006-05-19 15:18:52 148480 ( A.... ) "C:\WINDOWS\system32\dnsapi.dll"
2006-05-19 15:18:52 111616 ( A.... ) "C:\WINDOWS\system32\dhcpcsvc.dll"
2006-05-19 15:18:52 95232 ( A.... ) "C:\WINDOWS\system32\iphlpapi.dll"


(((((((((((((((((((((((((((((((((((((( Files Created - Last 30days )))))))))))))))))))))))))))))))))))))))))))


2006-07-29 15:58 1,072,156,672 C:\hiberfil.sys
2006-07-29 15:50 53,248 C:\WINDOWS\system32\Process.exe
2006-07-29 15:50 42,496 C:\WINDOWS\system32\swreg.exe
2006-07-29 15:50 40,960 C:\WINDOWS\system32\swsc.exe
2006-07-29 15:50 288,417 C:\WINDOWS\system32\SrchSTS.exe
2006-07-29 15:22 77,312 C:\WINDOWS\system32\VundoFix.exe
2006-07-26 18:54 73,728 C:\WINDOWS\system32\asuninst.exe
2006-07-26 18:54 11,776 C:\WINDOWS\system32\ZPORT4AS.dll
2006-07-25 13:19 <DIR> C:\WINDOWS\McAfee.com
2006-07-23 11:36 218,112 C:\HijackThis.exe
2006-07-01 19:16 974,848 C:\WINDOWS\system32\mfc70.dll
2006-07-01 19:16 487,424 C:\WINDOWS\system32\msvcp70.dll
2006-07-01 19:16 344,064 C:\WINDOWS\system32\msvcr70.dll
2006-06-22 09:36 18,944 C:\WINDOWS\eraser.exe
2006-06-16 14:34 48,936 C:\WINDOWS\system32\sirenacm.dll
2006-06-14 09:32 50,688 C:\WINDOWS\system32\wbhelp2.dll
2006-06-14 09:32 1,060,864 C:\WINDOWS\system32\MFC71.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown
Logfile of HijackThis v1.99.1
Scan saved at 5:10:54 p.m., on 29/07/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Archivos de programa\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Archivos de programa\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Archivos de programa\ScanSoft\PaperPort\pptd40nt.exe
C:\Archivos de programa\Brother\ControlCenter2\brctrcen.exe
C:\Archivos de programa\Java\jre1.5.0_06\bin\jusched.exe
C:\Archivos de programa\iTunes\iTunesHelper.exe
C:\Archivos de programa\QuickTime\qttask.exe
C:\Archivos de programa\Archivos comunes\Real\Update_OB\realsched.exe
C:\Archivos de programa\Windows Defender\MSASCui.exe
C:\ARCHIV~1\Grisoft\AVGFRE~1\avgcc.exe
C:\ARCHIV~1\ALIBABA\TRADEM~1\TradeManager.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Archivos de programa\Messenger\msmsgs.exe
C:\Archivos de programa\Skype\Phone\Skype.exe
C:\Archivos de programa\Trend Micro\Tmas\Tmas.exe
C:\ARCHIV~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\ARCHIV~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\ARCHIV~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Archivos de programa\ewido anti-spyware 4.0\guard.exe
C:\Archivos de programa\Archivos comunes\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\Archivos de programa\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Archivos de programa\Archivos comunes\Microsoft Shared\Source Engine\OSE.EXE
C:\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = localhost:4001
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Archivos de programa\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\ARCHIV~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Archivos de programa\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Archivos de programa\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Archivos de programa\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\es\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Archivos de programa\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\es\msntb.dll
O4 - HKLM\..\Run: [RemoteControl] "C:\Archivos de programa\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Archivos de programa\Archivos comunes\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] C:\Archivos de programa\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Archivos de programa\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [ControlCenter2.0] C:\Archivos de programa\Brother\ControlCenter2\brctrcen.exe /autorun
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Archivos de programa\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Archivos de programa\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Archivos de programa\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Archivos de programa\Archivos comunes\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Windows Defender] "C:\Archivos de programa\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [AVG7_CC] C:\ARCHIV~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [TradeManager] C:\ARCHIV~1\ALIBABA\TRADEM~1\TradeManager -hideframe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Archivos de programa\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Archivos de programa\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Startup: Adobe Gamma.lnk = C:\Archivos de programa\Archivos comunes\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Inicio rápido de Adobe Reader.lnk = C:\Archivos de programa\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Trend Micro Anti-Spyware.lnk = C:\Archivos de programa\Trend Micro\Tmas\Tmas.exe
O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\ARCHIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Consola de Sun Java - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Referencia - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARCHIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.beep.es
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/par...an_unicode.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1153655572187
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/is...10/mcfscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{10B8D5D0-9C3D-42D8-BB71-3CD929CD4304}: NameServer = 212.145.4.97,212.145.4.98
O17 - HKLM\System\CS1\Services\Tcpip\..\{10B8D5D0-9C3D-42D8-BB71-3CD929CD4304}: NameServer = 212.145.4.97,212.145.4.98
O17 - HKLM\System\CS2\Services\Tcpip\..\{10B8D5D0-9C3D-42D8-BB71-3CD929CD4304}: NameServer = 212.145.4.97,212.145.4.98
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARCHIV~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARCHIV~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winbue32 - winbue32.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Archivos de programa\Archivos comunes\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\ARCHIV~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\ARCHIV~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\ARCHIV~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Archivos de programa\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Archivos de programa\Archivos comunes\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Archivos de programa\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Archivos de programa\Archivos comunes\Macromedia Shared\Service\Macromedia Licensing.exe

is this a bit of a nasty one?

[Ried]

It's not as bad as it looks.

The combofix log appears to be cut off:

(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

Would you please try posting that log again? I'd also like to see the C:\vundofix.txt

[aloholoh]

combofix

Start Time= Sat 29/07/2006 17:10:03.51
Running from: C:\Documents and Settings\user\Escritorio

QuickScan did not find any signs of infected files

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-07-29 15:22:58 77312 ( A.... ) "C:\WINDOWS\system32\VundoFix.exe"
2006-07-29 14:59:36 ( .D... ) "C:\Archivos de programa\CleanUp!"
2006-07-26 17:46:28 ( .D... ) "C:\Archivos de programa\ewido anti-spyware 4.0"
2006-07-23 12:47:26 ( .D... ) "C:\Documents and Settings\user\Datos de programa\Lavasoft"
2006-07-23 12:47:16 ( .D... ) "C:\Archivos de programa\Lavasoft"
2006-07-23 11:45:14 ( .D... ) "C:\Archivos de programa\Trend Micro"
2006-07-20 10:32:40 ( .D... ) "C:\Documents and Settings\user\Datos de programa\Opera"
2006-07-07 19:50:00 ( .D... ) "C:\Archivos de programa\Archivos comunes\Adobe Systems Shared"
2006-07-06 15:11:24 ( .D... ) "C:\Archivos de programa\Alibaba"
2006-07-04 16:01:46 ( .D... ) "C:\Archivos de programa\Sophos"
2006-07-02 17:37:50 ( .D... ) "C:\Archivos de programa\Spybot - Search & Destroy"
2006-07-02 15:58:54 ( .D... ) "C:\Documents and Settings\user\Datos de programa\Help"
2006-07-02 15:02:32 ( .D... ) "C:\Documents and Settings\user\Datos de programa\AVG7"
2006-07-02 15:02:18 ( .D... ) "C:\Archivos de programa\Grisoft"
2006-07-01 19:16:58 ( .D... ) "C:\Archivos de programa\Archivos comunes\Macromedia Shared"
2006-07-01 19:16:48 ( .D... ) "C:\Archivos de programa\Archivos comunes\Macromedia"
2006-07-01 19:16:24 ( .D... ) "C:\Archivos de programa\Macromedia"
2006-07-01 19:12:24 ( .D... ) "C:\Archivos de programa\WinAce"
2006-06-30 17:47:24 ( .D... ) "C:\Documents and Settings\user\Datos de programa\BitTorrent"
2006-06-22 09:36:28 ( .D... ) "C:\Archivos de programa\LeechFTP"
2006-06-19 16:20:42 702768 ( A.... ) "C:\WINDOWS\system32\WgaLogon.dll"
2006-06-16 14:34:44 48936 ( A.... ) "C:\WINDOWS\system32\sirenacm.dll"
2006-06-14 09:32:56 ( .D... ) "C:\Archivos de programa\Ipswitch"
2006-05-31 17:37:08 25132 ( A.... ) "C:\Documents and Settings\user\Datos de programa\Microsoft Excel.ADR"
2006-05-31 17:11:38 22424 ( A.... ) "C:\Documents and Settings\user\Datos de programa\Microsoft Access.ADR"
2006-05-29 17:29:58 ( .D... ) "C:\Archivos de programa\OfficeUpdate11"
2006-05-19 15:18:52 148480 ( A.... ) "C:\WINDOWS\system32\dnsapi.dll"
2006-05-19 15:18:52 111616 ( A.... ) "C:\WINDOWS\system32\dhcpcsvc.dll"
2006-05-19 15:18:52 95232 ( A.... ) "C:\WINDOWS\system32\iphlpapi.dll"


(((((((((((((((((((((((((((((((((((((( Files Created - Last 30days )))))))))))))))))))))))))))))))))))))))))))


2006-07-29 15:58 1,072,156,672 C:\hiberfil.sys
2006-07-29 15:50 53,248 C:\WINDOWS\system32\Process.exe
2006-07-29 15:50 42,496 C:\WINDOWS\system32\swreg.exe
2006-07-29 15:50 40,960 C:\WINDOWS\system32\swsc.exe
2006-07-29 15:50 288,417 C:\WINDOWS\system32\SrchSTS.exe
2006-07-29 15:22 77,312 C:\WINDOWS\system32\VundoFix.exe
2006-07-26 18:54 73,728 C:\WINDOWS\system32\asuninst.exe
2006-07-26 18:54 11,776 C:\WINDOWS\system32\ZPORT4AS.dll
2006-07-25 13:19 <DIR> C:\WINDOWS\McAfee.com
2006-07-23 11:36 218,112 C:\HijackThis.exe
2006-07-01 19:16 974,848 C:\WINDOWS\system32\mfc70.dll
2006-07-01 19:16 487,424 C:\WINDOWS\system32\msvcp70.dll
2006-07-01 19:16 344,064 C:\WINDOWS\system32\msvcr70.dll
2006-06-22 09:36 18,944 C:\WINDOWS\eraser.exe
2006-06-16 14:34 48,936 C:\WINDOWS\system32\sirenacm.dll
2006-06-14 09:32 50,688 C:\WINDOWS\system32\wbhelp2.dll
2006-06-14 09:32 1,060,864 C:\WINDOWS\system32\MFC71.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"RemoteControl"="\"C:\\Archivos de programa\\CyberLink\\PowerDVD\\PDVDServ.exe\""
"SoundMan"="SOUNDMAN.EXE"
"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"SSBkgdUpdate"="\"C:\\Archivos de programa\\Archivos comunes\\Scansoft Shared\\SSBkgdUpdate\\SSBkgdupdate.exe\" -Embedding -boot"
"PaperPort PTD"="C:\\Archivos de programa\\ScanSoft\\PaperPort\\pptd40nt.exe"
"IndexSearch"="C:\\Archivos de programa\\ScanSoft\\PaperPort\\IndexSearch.exe"
"ControlCenter2.0"="C:\\Archivos de programa\\Brother\\ControlCenter2\\brctrcen.exe /autorun"
"SunJavaUpdateSched"="C:\\Archivos de programa\\Java\\jre1.5.0_06\\bin\\jusched.exe"
"iTunesHelper"="\"C:\\Archivos de programa\\iTunes\\iTunesHelper.exe\""
"QuickTime Task"="\"C:\\Archivos de programa\\QuickTime\\qttask.exe\" -atboottime"
"TkBellExe"="\"C:\\Archivos de programa\\Archivos comunes\\Real\\Update_OB\\realsched.exe\" -osboot"
"Windows Defender"="\"C:\\Archivos de programa\\Windows Defender\\MSASCui.exe\" -hide"
"AVG7_CC"="C:\\ARCHIV~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"
"TradeManager"="C:\\ARCHIV~1\\ALIBABA\\TRADEM~1\\TradeManager -hideframe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\system32\\ctfmon.exe"
"MSMSGS"="\"C:\\Archivos de programa\\Messenger\\msmsgs.exe\" /background"
"Skype"="\"C:\\Archivos de programa\\Skype\\Phone\\Skype.exe\" /nosplash /minimized"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000000

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\system32\\CTFMON.EXE"
"AVG7_Run"="C:\\ARCHIV~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\system32\\CTFMON.EXE"
"AVG7_Run"="C:\\ARCHIV~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Precargador Browseui"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Demonio de caché de las categorías de componente"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}"="Microsoft AntiMalware ShellExecuteHook"
"{03A80B1D-5C6A-42c2-9DFB-81B6005D8023}"="Trend Micro Anti-Spyware Shell Extension"
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="ewido anti-spyware 4.0"

HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system
DisableRegistryTools REG_DWORD 0 (0x0)

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\WinDefend


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\MP Scheduled Scan.job

Completion time: Sat 29/07/2006 17:10:18.92
ComboFix ver 06.07.15/28 - This logfile is located at C:\ComboFix.txt

ComboFix.2006-07-28.121531.txt
ComboFix.2006-07-29.171003.txt

Vundofix

VundoFix V5.1.5

Running as SYSTEM
from c:\windows\system32\VundoFix.exe

Checking Java version...

Sun Java not detected
Scan started at 15:23:54 29/07/2006

Listing files found while scanning....

C:\windows\system32\mljjh.dll
C:\windows\system32\hjjlm.ini
C:\windows\system32\hjjlm.bak1
C:\windows\system32\hjjlm.bak2
C:\windows\system32\hjjlm.ini2

Beginning removal...

The process smss.exe was successfully stopped

The process winlogon.exe was successfully stopped

The process explorer.exe was successfully stopped

The process iexplore.exe was successfully stopped

The process rundll32.exe was successfully stopped

Attempting to delete C:\windows\system32\mljjh.dll
C:\windows\system32\mljjh.dll Could not be deleted.

Attempting to delete C:\windows\system32\hjjlm.ini
C:\windows\system32\hjjlm.ini Has been deleted!

Attempting to delete C:\windows\system32\hjjlm.bak1
C:\windows\system32\hjjlm.bak1 Has been deleted!

Attempting to delete C:\windows\system32\hjjlm.bak2
C:\windows\system32\hjjlm.bak2 Has been deleted!

Attempting to delete C:\windows\system32\hjjlm.ini2
C:\windows\system32\hjjlm.ini2 Has been deleted!

Performing Repairs to the registry.
Done!


Thanks

[Ried]

Hi aloholoh,

Launch Outlook Express and empty your deleted mail--(Elementos eliminados.dbx)

Delete this file as we don't need it any longer and we want if off your system:

C:\Documents and Settings\user\Escritorio\Antivirus\OiUninstaller.exe

How is your system behaving now?

[aloholoh]

Much better now, noticed that yesterday everything was running smoother again..

Thanks for your help, such a great service for those of us without the knowledge to remove these nasty little programs..

Will certainly be back again if anything comes up in the future

Thank you
Aloholoh