19 replies to this topic

[nesmofalcon]

Hello all,

I have got this trojan in my computer:
Trojan.Downloader.Small.CML (detected with SpywareDoctor), called as well Trojan.Win32.Agent.q.t

when I run SpywareDoctor it says that it is eliminated but when I reboot my PC the trojan is back!!

I have been looking for a solution in Google, no success.

Could anybody give me some clues about how to detect and remove this trojan?

Thanks in advance!

[hazelnut]

hello nesmofalcon and welcome to the forum

It would be a good idea to post a hijackthis log. Instructions can be found here

http://forum.ccleane...?showtopic=1720

Paste it into a post in this thread and someone will advise you.

[Eldmannen]

Try HijackThis.

[nesmofalcon]

Hello Hazelnut and Eldmannen,

thank you for your quick answer.
I have run Spyware Doctor in safe mode and return this:

Trojan.Downloader.Small.CML (Troj/BckDr-DKG [Sophos]
Trojan.Win32.Agent.qt [Kaspersky]
Backdoor.Sualimpo.E [BitDefender]
Trojan.Click.1210 [Dr Web])

it also finds the next keys related to this trojan:

HKLM\SOFTWARE\Microsoft\MSSMGR
HKLM\SOFTWARE\Microsoft\MSSMGR##
HKLM\SOFTWARE\Microsoft\MSSMGR##Brnd
HKLM\SOFTWARE\Microsoft\MSSMGR##BSTV
HKLM\SOFTWARE\Microsoft\MSSMGR##SCLIST
HKLM\SOFTWARE\Microsoft\MSSMGR##SSLIST
HKLM\SOFTWARE\Microsoft\MSSMGR##SSTV


Finally here you can find the log of hijackthis:



Logfile of HijackThis v1.99.1
Scan saved at 18:26:28, on 07/09/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Archivos de programa\Intel\Wireless\Bin\EvtEng.exe
C:\Archivos de programa\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Archivos de programa\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\ARCHIV~1\Intel\Wireless\Bin\1XConfig.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Archivos de programa\Archivos comunes\Symantec Shared\ccEvtMgr.exe
C:\Archivos de programa\Norton Personal Firewall\NISUM.EXE
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\Archivos de programa\Norton Personal Firewall\ccPxySvc.exe
C:\Archivos de programa\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Archivos de programa\Archivos comunes\Microsoft Shared\VS7Debug\mdm.exe
C:\Archivos de programa\Norton AntiVirus\navapsvc.exe
C:\Archivos de programa\Intel\Wireless\Bin\OProtSvc.exe
C:\Archivos de programa\Intel\Wireless\Bin\RegSrvc.exe
C:\Archivos de programa\Spyware Doctor\sdhelp.exe
C:\WINDOWS\System32\svchost.exe
C:\Archivos de programa\Archivos comunes\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\System32\alg.exe
C:\Archivos de programa\Java\jre1.5.0_04\bin\jusched.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\00THotkey.exe
C:\WINDOWS\system32\TFNF5.exe
C:\Archivos de programa\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\Archivos de programa\SigmaTel\Controladores de sonido SigmaTel AC97\stacmon.exe
C:\Archivos de programa\Apoint2K\Apoint.exe
C:\Archivos de programa\TOSHIBA\TouchED\TouchED.Exe
C:\Archivos de programa\TOSHIBA\PadTouch\PadExe.exe
C:\WINDOWS\LTSMMSG.exe
C:\WINDOWS\system32\TPSMain.exe
C:\Archivos de programa\Intel\Wireless\Bin\ifrmewrk.exe
C:\Archivos de programa\Intel\Wireless\Bin\EOUWiz.exe
C:\Archivos de programa\Archivos comunes\Symantec Shared\ccApp.exe
C:\Archivos de programa\Archivos comunes\{B8E41C29-05D8-3082-0428-041212200022}\Update.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Archivos de programa\Apoint2K\Apntex.exe
C:\Archivos de programa\Internet Explorer\iexplore.exe
C:\Documents and Settings\Nesmo\Escritorio\kk\hijackthis\HijackThis.exe
C:\Archivos de programa\Messenger\msmsgs.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.es/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = file:///C:\Archivos de programa\TOSHIBA\Free Update Service\splash.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Archivos de programa\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Archivos de programa\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [SmoothView] C:\Archivos de programa\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
O4 - HKLM\..\Run: [SigmaTel StacMon] C:\Archivos de programa\SigmaTel\Controladores de sonido SigmaTel AC97\stacmon.exe
O4 - HKLM\..\Run: [Apoint] C:\Archivos de programa\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [TouchED] C:\Archivos de programa\TOSHIBA\TouchED\TouchED.Exe
O4 - HKLM\..\Run: [PadTouch] "C:\Archivos de programa\TOSHIBA\PadTouch\PadExe.exe
O4 - HKLM\..\Run: [LTSMMSG] LTSMMSG.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb11.exe
O4 - HKLM\..\Run: [IntelWireless] C:\Archivos de programa\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [EOUApp] C:\Archivos de programa\Intel\Wireless\Bin\EOUWiz.exe
O4 - HKLM\..\Run: [ccApp] "C:\Archivos de programa\Archivos comunes\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Archivos de programa\Archivos comunes\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\ARCHIV~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [QuickTime Task] "C:\Archivos de programa\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [NBJ] "C:\Archivos de programa\Ahead\Nero BackItUp\NBJ.exe"
O4 - Global Startup: Microsoft Office.lnk = C:\Archivos de programa\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Clean Traces - C:\Archivos de programa\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Archivos de programa\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\Archivos de programa\DAP\dapextie2.htm
O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\ARCHIV~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Consola de Sun Java - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\ARCHIV~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Referencia - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARCHIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=file:///C:\Archivos de programa\TOSHIBA\Free Update Service\splash.html
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Archivos de programa\Archivos comunes\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Archivos de programa\Archivos comunes\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Proxy Service (ccPxySvc) - Symantec Corporation - C:\Archivos de programa\Norton Personal Firewall\ccPxySvc.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Archivos de programa\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: EvtEng - Intel Corporation - C:\Archivos de programa\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Archivos de programa\Archivos comunes\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Servicio del iPod (iPodService) - Apple Computer, Inc. - C:\Archivos de programa\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Archivos de programa\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Personal Firewall Accounts Manager (NISUM) - Symantec Corporation - C:\Archivos de programa\Norton Personal Firewall\NISUM.EXE
O23 - Service: OwnershipProtocol - Intel Corporation - C:\Archivos de programa\Intel\Wireless\Bin\OProtSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Archivos de programa\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Archivos de programa\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\ARCHIV~1\ARCHIV~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Archivos de programa\Spyware Doctor\sdhelp.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Archivos de programa\Archivos comunes\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Archivos de programa\Archivos comunes\Symantec Shared\Security Center\SymWSC.exe


I will be really grateful if anybody can give me some clues about strange entries in this log.

Thanks in advance.

[AndyManchesta]

Hi nesmofalcon, Welcome

I get the feeling we are not seeing everything in that log so can you please rename it and post a new log, right click HijackThis.exe and choose Rename, name it anything you choose except HijackThis such as HJT.exe or TEST.exe

run the renamed version and then post a new log

Thanks Andy

[nesmofalcon]

Hello Andy,

I have renamed the program and here it is the new log:

Logfile of HijackThis v1.99.1
Scan saved at 12:35:13, on 08/09/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Archivos de programa\Intel\Wireless\Bin\EvtEng.exe
C:\Archivos de programa\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Archivos de programa\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\ARCHIV~1\Intel\Wireless\Bin\1XConfig.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Archivos de programa\Archivos comunes\Symantec Shared\ccEvtMgr.exe
C:\Archivos de programa\Norton Personal Firewall\NISUM.EXE
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\Archivos de programa\Norton Personal Firewall\ccPxySvc.exe
C:\Archivos de programa\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Archivos de programa\Archivos comunes\Microsoft Shared\VS7Debug\mdm.exe
C:\Archivos de programa\Norton AntiVirus\navapsvc.exe
C:\Archivos de programa\Intel\Wireless\Bin\OProtSvc.exe
C:\Archivos de programa\Intel\Wireless\Bin\RegSrvc.exe
C:\Archivos de programa\Spyware Doctor\sdhelp.exe
C:\WINDOWS\System32\svchost.exe
C:\Archivos de programa\Archivos comunes\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\ishost.exe
C:\Archivos de programa\Java\jre1.5.0_04\bin\jusched.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\system32\ismini.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\00THotkey.exe
C:\WINDOWS\system32\TFNF5.exe
C:\Archivos de programa\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\Archivos de programa\SigmaTel\Controladores de sonido SigmaTel AC97\stacmon.exe
C:\Archivos de programa\Apoint2K\Apoint.exe
C:\Archivos de programa\TOSHIBA\TouchED\TouchED.Exe
C:\Archivos de programa\TOSHIBA\PadTouch\PadExe.exe
C:\WINDOWS\LTSMMSG.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\TPSMain.exe
C:\Archivos de programa\Intel\Wireless\Bin\ifrmewrk.exe
C:\Archivos de programa\Intel\Wireless\Bin\EOUWiz.exe
C:\Archivos de programa\Archivos comunes\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Archivos de programa\Apoint2K\Apntex.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Archivos de programa\Messenger\msmsgs.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\Documents and Settings\Nesmo\Escritorio\kk\hijackthis\HjackT.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.es/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = file:///C:\Archivos de programa\TOSHIBA\Free Update Service\splash.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Archivos de programa\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1F640627-A204-4C3C-8022-FB7432F8300F} - C:\WINDOWS\system32\vtsro.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\ARCHIV~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\ARCHIV~1\SPYWAR~1\tools\iesdpb.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Archivos de programa\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {D3B3C51E-8D11-4667-85B9-0930F519BED7} - C:\WINDOWS\system32\rqrpopn.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Archivos de programa\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Archivos de programa\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [SmoothView] C:\Archivos de programa\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
O4 - HKLM\..\Run: [SigmaTel StacMon] C:\Archivos de programa\SigmaTel\Controladores de sonido SigmaTel AC97\stacmon.exe
O4 - HKLM\..\Run: [Apoint] C:\Archivos de programa\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [TouchED] C:\Archivos de programa\TOSHIBA\TouchED\TouchED.Exe
O4 - HKLM\..\Run: [PadTouch] "C:\Archivos de programa\TOSHIBA\PadTouch\PadExe.exe
O4 - HKLM\..\Run: [LTSMMSG] LTSMMSG.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb11.exe
O4 - HKLM\..\Run: [IntelWireless] C:\Archivos de programa\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [EOUApp] C:\Archivos de programa\Intel\Wireless\Bin\EOUWiz.exe
O4 - HKLM\..\Run: [ccApp] "C:\Archivos de programa\Archivos comunes\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Archivos de programa\Archivos comunes\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\ARCHIV~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [QuickTime Task] "C:\Archivos de programa\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [NBJ] "C:\Archivos de programa\Ahead\Nero BackItUp\NBJ.exe"
O4 - Global Startup: Microsoft Office.lnk = C:\Archivos de programa\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Clean Traces - C:\Archivos de programa\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Archivos de programa\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\Archivos de programa\DAP\dapextie2.htm
O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\ARCHIV~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Consola de Sun Java - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\ARCHIV~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Referencia - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARCHIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=file:///C:\Archivos de programa\TOSHIBA\Free Update Service\splash.html
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitd...can8/oscan8.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: IntelWireless - C:\Archivos de programa\Intel\Wireless\Bin\LgNotify.dll
O20 - Winlogon Notify: rqrpopn - C:\WINDOWS\SYSTEM32\rqrpopn.dll
O20 - Winlogon Notify: vtsro - C:\WINDOWS\system32\vtsro.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winrir32 - C:\WINDOWS\SYSTEM32\winrir32.dll
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Archivos de programa\Archivos comunes\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Archivos de programa\Archivos comunes\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Proxy Service (ccPxySvc) - Symantec Corporation - C:\Archivos de programa\Norton Personal Firewall\ccPxySvc.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Archivos de programa\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: EvtEng - Intel Corporation - C:\Archivos de programa\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Archivos de programa\Archivos comunes\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Servicio del iPod (iPodService) - Apple Computer, Inc. - C:\Archivos de programa\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Archivos de programa\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Personal Firewall Accounts Manager (NISUM) - Symantec Corporation - C:\Archivos de programa\Norton Personal Firewall\NISUM.EXE
O23 - Service: OwnershipProtocol - Intel Corporation - C:\Archivos de programa\Intel\Wireless\Bin\OProtSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Archivos de programa\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Archivos de programa\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\ARCHIV~1\ARCHIV~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Archivos de programa\Spyware Doctor\sdhelp.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Archivos de programa\Archivos comunes\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Archivos de programa\Archivos comunes\Symantec Shared\Security Center\SymWSC.exe


I hope that this log is better and I would love that somebody help me to understand how to detect abnormal entries in it...

I wonder the next: If we detect any strange entry in this log and we delete it, does it mean that the virus or spyware will be gone the next reboot of my computer??

Thanks in advance,
nesmofalcon

[AndyManchesta]

Hi nesmofalcon

You now have 02 (BHO) and 020 (Winlogon) entries showing which were missing in the first log because of Trojan Vundo hiding them from the name HijackThis, you also have a Trojan Agent variant hooked to Winlogon and some Smitfraud junk so let's start with getting them removed then take it from there.

I can give a couple of links to sites that help people read HijackThis logs and offer training once we get the malware removed if you are interested in that as they will help you spot the baddies

Open hijackthis and click Open the Misc Tools section

Then click Delete a file on reboot

In the File Name field, copy and paste this:

C:\WINDOWS\SYSTEM32\winrir32.dll

Then click Open

Hijackthis will tell you that this file will be deleted when the system reboots and ask you if you want to reboot now. Click Yes

Your system should then reboot

Please download VundoFix.exe
to your desktop.

• Double-click VundoFix.exe to run it.
  
• Click the Scan for Vundo button.
  
• Once it's done scanning, click the Remove Vundo button.
  
• You will receive a prompt asking if you want to remove the files, click YES
  
• Once you click yes, your desktop will go blank as it starts removing Vundo.
  
• When completed, it will prompt that it will reboot your computer, click OK.
  
• Please post the contents of C:\vundofix.txt into your next reply

Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above
instructions starting from "Click the Scan for Vundo button." when
VundoFix appears at reboot.

Next please download SmitfraudFix (by S!Ri)
Extract the content (a folder named SmitfraudFix) to your Desktop.

Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

Please then post back the Vundofix log, the SmitfraudFix scan log and a new HijackThis log

Let us know if you have any problems

Thanks

Andy

[nesmofalcon]

Hello Andy,
thanks for your advices, I really appreciate them (and learn from them!)

1. C:\WINDOWS\SYSTEM32\winrir32.dll ==> Deleted (after the reboot, a program called "update.exe" was missing a file called msvcr71.dll)

2. VundoFix.exe ==> OK (File rqrpopn.dll needed an extra reboot to be eliminated)

Vundofix log here:


VundoFix V6.1.4

Checking Java version...

Sun Java not detected
Scan started at 19:56:08 08/09/2006

Listing files found while scanning....

C:\WINDOWS\system32\nnnnopo.dll
C:\WINDOWS\system32\rqrpopn.dll
C:\WINDOWS\system32\urqnkii.dll
C:\WINDOWS\system32\vtsro.dll
C:\WINDOWS\system32\orstv.ini
C:\WINDOWS\system32\orstv.bak1
C:\WINDOWS\system32\orstv.bak2
C:\WINDOWS\system32\orstv.ini2
C:\WINDOWS\system32\orstv.tmp
C:\Archivos de programa\Archivos comunes\{B8E41C29-05D8-3082-0428-041212200022}\services.dll
C:\Archivos de programa\Archivos comunes\{B8E41C29-05D8-3082-0428-041212200022}\Update.exe

Beginning removal...

Attempting to delete C:\WINDOWS\system32\nnnnopo.dll
C:\WINDOWS\system32\nnnnopo.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\rqrpopn.dll
C:\WINDOWS\system32\rqrpopn.dll Could not be deleted.

Attempting to delete C:\WINDOWS\system32\urqnkii.dll
C:\WINDOWS\system32\urqnkii.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\vtsro.dll
C:\WINDOWS\system32\vtsro.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\orstv.ini
C:\WINDOWS\system32\orstv.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\orstv.bak1
C:\WINDOWS\system32\orstv.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\system32\orstv.bak2
C:\WINDOWS\system32\orstv.bak2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\orstv.ini2
C:\WINDOWS\system32\orstv.ini2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\orstv.tmp
C:\WINDOWS\system32\orstv.tmp Has been deleted!

Attempting to delete C:\Archivos de programa\Archivos comunes\{B8E41C29-05D8-3082-0428-041212200022}\services.dll
C:\Archivos de programa\Archivos comunes\{B8E41C29-05D8-3082-0428-041212200022}\services.dll Has been deleted!

Attempting to delete C:\Archivos de programa\Archivos comunes\{B8E41C29-05D8-3082-0428-041212200022}\Update.exe
C:\Archivos de programa\Archivos comunes\{B8E41C29-05D8-3082-0428-041212200022}\Update.exe Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.1.4

Checking Java version...

Sun Java not detected
Scan started at 20:07:12 08/09/2006

Listing files found while scanning....

C:\WINDOWS\system32\rqrpopn.dll

Beginning removal...

Attempting to delete C:\WINDOWS\system32\rqrpopn.dll
C:\WINDOWS\system32\rqrpopn.dll Has been deleted!

Performing Repairs to the registry.
Done!


3. SmitfraudFix ==> OK (Norton did not like it so much)

SmitfraudFix log here:

SmitFraudFix v2.84

Scan done at 20:18:32,17, 08/09/2006
Run from C:\Documents and Settings\Nesmo\Escritorio\SmitfraudFix
OS: Microsoft Windows XP [Versi¢n 5.1.2600] - Windows_NT
Fix ran in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32

C:\WINDOWS\system32\ishost.exe FOUND !
C:\WINDOWS\system32\ismini.exe FOUND !
C:\WINDOWS\system32\components\flx?.dll FOUND !
C:\WINDOWS\system32\components\flx??.dll FOUND !
C:\WINDOWS\system32\components\flx???.dll FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Nesmo\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Nesmo\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Archivos de programa


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="Mi p gina de inicio actual"


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"incestuously"="{03413bf7-e34c-445b-bfc0-a2b127255871}"



»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""

»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End


4. new HijackThis log ==> OK




Logfile of HijackThis v1.99.1
Scan saved at 20:20:13, on 08/09/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Archivos de programa\Intel\Wireless\Bin\EvtEng.exe
C:\Archivos de programa\Intel\Wireless\Bin\S24EvMon.exe
C:\Archivos de programa\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Archivos de programa\Archivos comunes\Symantec Shared\ccEvtMgr.exe
C:\Archivos de programa\Norton Personal Firewall\NISUM.EXE
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\Archivos de programa\Norton Personal Firewall\ccPxySvc.exe
C:\Archivos de programa\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Archivos de programa\Archivos comunes\Microsoft Shared\VS7Debug\mdm.exe
C:\Archivos de programa\Norton AntiVirus\navapsvc.exe
C:\Archivos de programa\Intel\Wireless\Bin\OProtSvc.exe
C:\Archivos de programa\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Archivos de programa\Archivos comunes\Symantec Shared\Security Center\SymWSC.exe
C:\ARCHIV~1\Intel\Wireless\Bin\1XConfig.exe
C:\WINDOWS\system32\ishost.exe
C:\Archivos de programa\Java\jre1.5.0_04\bin\jusched.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\system32\ismini.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\00THotkey.exe
C:\WINDOWS\system32\TFNF5.exe
C:\Archivos de programa\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\Archivos de programa\SigmaTel\Controladores de sonido SigmaTel AC97\stacmon.exe
C:\Archivos de programa\Apoint2K\Apoint.exe
C:\Archivos de programa\TOSHIBA\TouchED\TouchED.Exe
C:\Archivos de programa\TOSHIBA\PadTouch\PadExe.exe
C:\WINDOWS\LTSMMSG.exe
C:\WINDOWS\system32\TPSMain.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Archivos de programa\Intel\Wireless\Bin\ifrmewrk.exe
C:\Archivos de programa\Intel\Wireless\Bin\EOUWiz.exe
C:\Archivos de programa\Archivos comunes\Symantec Shared\ccApp.exe
C:\Archivos de programa\Apoint2K\Apntex.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Archivos de programa\Internet Explorer\iexplore.exe
C:\Archivos de programa\Messenger\msmsgs.exe
C:\Documents and Settings\Nesmo\Escritorio\kk\hijackthis\HjackT.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.es/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = file:///C:\Archivos de programa\TOSHIBA\Free Update Service\splash.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Archivos de programa\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {5F2463FE-0C01-4B2B-A68D-63D3A290C5F9} - C:\WINDOWS\system32\vtsro.dll (file missing)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Archivos de programa\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {D3B3C51E-8D11-4667-85B9-0930F519BED7} - C:\WINDOWS\system32\rqrpopn.dll (file missing)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Archivos de programa\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Archivos de programa\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [SmoothView] C:\Archivos de programa\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
O4 - HKLM\..\Run: [SigmaTel StacMon] C:\Archivos de programa\SigmaTel\Controladores de sonido SigmaTel AC97\stacmon.exe
O4 - HKLM\..\Run: [Apoint] C:\Archivos de programa\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [TouchED] C:\Archivos de programa\TOSHIBA\TouchED\TouchED.Exe
O4 - HKLM\..\Run: [PadTouch] "C:\Archivos de programa\TOSHIBA\PadTouch\PadExe.exe
O4 - HKLM\..\Run: [LTSMMSG] LTSMMSG.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb11.exe
O4 - HKLM\..\Run: [IntelWireless] C:\Archivos de programa\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [EOUApp] C:\Archivos de programa\Intel\Wireless\Bin\EOUWiz.exe
O4 - HKLM\..\Run: [ccApp] "C:\Archivos de programa\Archivos comunes\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Archivos de programa\Archivos comunes\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\ARCHIV~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [QuickTime Task] "C:\Archivos de programa\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [NBJ] "C:\Archivos de programa\Ahead\Nero BackItUp\NBJ.exe"
O4 - Global Startup: Microsoft Office.lnk = C:\Archivos de programa\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Clean Traces - C:\Archivos de programa\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Archivos de programa\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\Archivos de programa\DAP\dapextie2.htm
O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\ARCHIV~1\MICROS~2\Office10\EXCEL.EXE/3000
O14 - IERESET.INF: START_PAGE_URL=file:///C:\Archivos de programa\TOSHIBA\Free Update Service\splash.html
O15 - Trusted Zone: http://acs.pandasoftware.com
O15 - Trusted Zone: http://activescan.pandasoftware.com
O15 - Trusted Zone: http://www.pandasoftware.com
O15 - Trusted Zone: http://www.pandasoftware.es
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitd...can8/oscan8.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: IntelWireless - C:\Archivos de programa\Intel\Wireless\Bin\LgNotify.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winrir32 - winrir32.dll (file missing)
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Archivos de programa\Archivos comunes\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Archivos de programa\Archivos comunes\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Proxy Service (ccPxySvc) - Symantec Corporation - C:\Archivos de programa\Norton Personal Firewall\ccPxySvc.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Archivos de programa\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: EvtEng - Intel Corporation - C:\Archivos de programa\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Archivos de programa\Archivos comunes\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Servicio del iPod (iPodService) - Apple Computer, Inc. - C:\Archivos de programa\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Archivos de programa\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Personal Firewall Accounts Manager (NISUM) - Symantec Corporation - C:\Archivos de programa\Norton Personal Firewall\NISUM.EXE
O23 - Service: OwnershipProtocol - Intel Corporation - C:\Archivos de programa\Intel\Wireless\Bin\OProtSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Archivos de programa\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Archivos de programa\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\ARCHIV~1\ARCHIV~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Archivos de programa\Archivos comunes\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Archivos de programa\Archivos comunes\Symantec Shared\Security Center\SymWSC.exe



That is all, just some comments:
- My computer goes much faster now just after reboot.
- If this virus "downloader" download more spyware and malware everytime I connect...is it really possible to clean my computer??
- Now entries 02 and 20 displays "file missing" I guess that some malware has been deleted, right?

Thanks again Andy. This log analysis forum is really interesting!!

[AndyManchesta]

Hey nesmofalcon,

Nice work, that's looking alot better

Update.exe is a Trojan Downloader that can install Trojan Vundo so I wouldnt worry about error's regarding that file, VundoFix is showing it removed it so that should of solved that issue,

Im not sure why Norton has a problem with SmitfraudFix, It does use process killers to allow it to stop malware files before removing them so maybe Norton is detecting this process killer and alerting that its a risk, it would be if it was added by malware but its fine when its in trusted programs

SmitfraudFix does need running again to remove the files it found and clean up a couple of entries from the registry. You do not have a Virus on the PC (or no signs of one in the log) but you do have a few different infections such as Vundo, Trojan Agent and Smitfraud but we have removed most of it and the next part will remove the Smitfraud files and reg entries, while its active it is possible that they can download more malware but there isnt anything showing that would cause you any long term problems, we can easily clean up whats remaining and then use programs like ComboFix and Ewido to make sure there is no remaining problems. Your right about the 02 and 020 entries, the files have been removed but its left some reg entries in place so we can fix them using HijackThis but they cannot cause you any more problems now as the files have been removed.

Run Hijack This and choose Do A System Scan then place a check next to these entries

O2 - BHO: (no name) - {5F2463FE-0C01-4B2B-A68D-63D3A290C5F9} - C:\WINDOWS\system32\vtsro.dll (file missing)
O2 - BHO: (no name) - {D3B3C51E-8D11-4667-85B9-0930F519BED7} - C:\WINDOWS\system32\rqrpopn.dll (file missing)
O20 - Winlogon Notify: winrir32 - winrir32.dll (file missing)

Close all open browser and other windows except for Hijack This and press the Fix Checked button


You should print out these instructions, or copy them to a Notepad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

Please reboot your computer in Safe Mode by doing the following :

• Restart your computer
  
• After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  
• Instead of Windows loading as normal, a menu with options should appear;
  
• Select the first option, to run Windows in Safe Mode, then press "Enter".
  
• Choose your usual account.

Once in Safe Mode, open the SmitfraudFix folder again and double-click smitfraudfix.cmd
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".


The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart anyway into normal Windows. A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply.The report can also be found at the root of the system drive, usually at C:\rapport.txt

Warning : running option #2 will remove your Desktop background as some variants of this infection can change the wallpaper and set restrictions to prevent it being removed, once the pc reboots you can then restore the wallpaper you want to use.


Next download this file - combofix.exe and save it to your desktop.
Double click combofix.exe & follow the prompts.
When it's finished, it will produce a log of what it found. Please post the contents of that log in your next reply

Note:
Do not mouseclick combofix's window whilst it's running as it may cause it to stall


Finally generate a report of the Add/Remove screen entries:
Open Hijackthis, and click the Misc Tools button.
Then click the Open Uninstall Manager... button.
The Add/Remove Programs Manager panel should appear.
In this panel click the Save list button.
Save the uninstall_list.txt file to your desktop and copy and paste the contents back in your next reply.

Please then post back the Uninstall list, the Combofix report and the SmitfraudFix report

Let us know if you have any problems

Thanks

Andy

[nesmofalcon]

Hi Andy,

thanks again, yes, my computer is really getting better (no pop-up windows, faster,...)

Here I post the results:

1. Hijack Fix OK

2. SmitfraudFix OK Find here the log:

SmitFraudFix v2.84

Scan done at 14:12:59,26, 10/09/2006
Run from C:\Documents and Settings\Nesmo\Escritorio\SmitfraudFix
OS: Microsoft Windows XP [Versi¢n 5.1.2600] - Windows_NT
Fix ran in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"incestuously"="{03413bf7-e34c-445b-bfc0-a2b127255871}"


»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

C:\WINDOWS\system32\ishost.exe Deleted
C:\WINDOWS\system32\ismini.exe Deleted
C:\WINDOWS\system32\components\flx?.dll Deleted

»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» End


3. Combofix.exe OK


Nesmo - 06-09-10 14:19:36,64
ComboFix 06.09.07 - Running from: C:\Documents and Settings\Nesmo\Escritorio\kk

Microsoft Windows XP [Versi¢n 5.1.2600]

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Archivos de programa\ToolBar888
C:\WINDOWS\system32\components
C:\Archivos de programa\Archivos comunes\{B8E41C29-05D8-3082-0428-041212200022}


((((((((((((((((((((((((((((((( Files Created from 2006-08-10 to 2006-09-10 ))))))))))))))))))))))))))))))))))


2006-09-10 14:12 53,248 --a------ C:\WINDOWS\system32\Process.exe
2006-09-10 14:12 40,960 --a------ C:\WINDOWS\system32\swsc.exe
2006-09-10 14:12 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2006-09-10 14:12 135,168 --a------ C:\WINDOWS\system32\swreg.exe
2006-09-06 21:08 381,637 --a------ C:\WINDOWS\system32\awvuv.dll


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-09-10 14:20 -------- d-------- C:\Archivos de programa\Archivos comunes
2006-09-10 14:17 -------- d-------- C:\Archivos de programa\Archivos comunes\Symantec Shared
2006-09-08 13:32 -------- d-------- C:\Documents and Settings\Nesmo\Datos de programa\Skype
2006-09-07 22:28 -------- d-------- C:\Archivos de programa\Norton Personal Firewall
2006-09-07 22:28 -------- d-------- C:\Archivos de programa\Norton AntiVirus
2006-09-07 22:26 -------- d-------- C:\Archivos de programa\Messenger
2006-09-07 22:22 -------- d-------- C:\Archivos de programa\Internet Explorer
2006-09-07 22:20 -------- d-------- C:\Archivos de programa\DAP
2006-09-07 22:19 -------- d-------- C:\Archivos de programa\Apoint2K
2006-09-07 20:52 -------- d-------- C:\Archivos de programa\123 Flash Menu
2006-09-07 12:46 -------- d-------- C:\Documents and Settings\Nesmo\Datos de programa\PC Tools
2006-09-07 12:39 -------- d-------- C:\Archivos de programa\eMule
2006-09-06 23:06 -------- d-------- C:\Documents and Settings\Nesmo\Datos de programa\Lavasoft
2006-09-06 23:05 -------- d-------- C:\Archivos de programa\Lavasoft
2006-09-03 19:34 -------- d-------- C:\Documents and Settings\Nesmo\Datos de programa\Macromedia
2006-09-03 18:58 -------- d-------- C:\Archivos de programa\Macromedia
2006-09-03 18:58 -------- d-------- C:\Archivos de programa\Archivos comunes\Macromedia
2006-08-18 12:55 -------- d---s---- C:\Documents and Settings\Nesmo\Datos de programa\Microsoft
2006-08-14 21:51 -------- d-------- C:\Archivos de programa\Symantec
2006-07-27 15:26 679424 --a------ C:\WINDOWS\system32\inetcomm.dll
2006-07-21 10:28 72704 --a------ C:\WINDOWS\system32\hlink.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\\Archivos de programa\\Java\\jre1.5.0_04\\bin\\jusched.exe"
"IgfxTray"="C:\\WINDOWS\\System32\\igfxtray.exe"
"HotKeysCmds"="C:\\WINDOWS\\System32\\hkcmd.exe"
"00THotkey"="C:\\WINDOWS\\System32\\00THotkey.exe"
"000StTHK"="000StTHK.exe"
"TFNF5"="TFNF5.exe"
"SmoothView"="C:\\Archivos de programa\\TOSHIBA\\TOSHIBA Zooming Utility\\SmoothView.exe"
"SigmaTel StacMon"="C:\\Archivos de programa\\SigmaTel\\Controladores de sonido SigmaTel AC97\\stacmon.exe"
"Apoint"="C:\\Archivos de programa\\Apoint2K\\Apoint.exe"
"TouchED"="C:\\Archivos de programa\\TOSHIBA\\TouchED\\TouchED.Exe"
"PadTouch"="\"C:\\Archivos de programa\\TOSHIBA\\PadTouch\\PadExe.exe"
"LTSMMSG"="LTSMMSG.exe"
"TPSMain"="TPSMain.exe"
"HPDJ Taskbar Utility"="C:\\WINDOWS\\System32\\spool\\drivers\\w32x86\\3\\hpztsb11.exe"
@=""
"IntelWireless"="C:\\Archivos de programa\\Intel\\Wireless\\Bin\\ifrmewrk.exe /tf Intel PROSet/Wireless"
"EOUApp"="C:\\Archivos de programa\\Intel\\Wireless\\Bin\\EOUWiz.exe"
"ccApp"="\"C:\\Archivos de programa\\Archivos comunes\\Symantec Shared\\ccApp.exe\""
"ccRegVfy"="\"C:\\Archivos de programa\\Archivos comunes\\Symantec Shared\\ccRegVfy.exe\""
"Symantec NetDriver Monitor"="C:\\ARCHIV~1\\SYMNET~1\\SNDMon.exe /Consumer"
"QuickTime Task"="\"C:\\Archivos de programa\\QuickTime\\qttask.exe\" -atboottime"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\\WINDOWS\\system32\\ctfmon.exe"
"NBJ"="\"C:\\Archivos de programa\\Ahead\\Nero BackItUp\\NBJ.exe\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"
"Symantec NetDriver Warning"="C:\\ARCHIV~1\\SYMNET~1\\SNDWarn.exe"

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"
"Symantec NetDriver Warning"="C:\\ARCHIV~1\\SYMNET~1\\SNDWarn.exe"

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{D3B3C51E-8D11-4667-85B9-0930F519BED7}"=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder\C:^Documents and Settings^All Users^Menú Inicio^Programas^Inicio^HP Digital Imaging Monitor.lnk]
"path"="C:\\Documents and Settings\\All Users\\Menú Inicio\\Programas\\Inicio\\HP Digital Imaging Monitor.lnk"
"backup"="C:\\WINDOWS\\pss\\HP Digital Imaging Monitor.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\ARCHIV~1\\HP\\DIGITA~1\\bin\\hpqtra08.exe "
"item"="HP Digital Imaging Monitor"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder\C:^Documents and Settings^All Users^Menú Inicio^Programas^Inicio^Inicio rápido de HP Image Zone.lnk]
"path"="C:\\Documents and Settings\\All Users\\Menú Inicio\\Programas\\Inicio\\Inicio rápido de HP Image Zone.lnk"
"backup"="C:\\WINDOWS\\pss\\Inicio rápido de HP Image Zone.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\ARCHIV~1\\HP\\DIGITA~1\\bin\\hpqthb08.exe -s"
"item"="Inicio rápido de HP Image Zone"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder\C:^Documents and Settings^All Users^Menú Inicio^Programas^Inicio^Inicio rápido de Microsoft Office OneNote 2003.lnk]
"path"="C:\\Documents and Settings\\All Users\\Menú Inicio\\Programas\\Inicio\\Inicio rápido de Microsoft Office OneNote 2003.lnk"
"backup"="C:\\WINDOWS\\pss\\Inicio rápido de Microsoft Office OneNote 2003.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\ARCHIV~1\\MICROS~2\\OFFICE11\\ONENOTEM.EXE /tsr"
"item"="Inicio rápido de Microsoft Office OneNote 2003"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder\C:^Documents and Settings^All Users^Menú Inicio^Programas^Inicio^Logitech Desktop Messenger.lnk]
"path"="C:\\Documents and Settings\\All Users\\Menú Inicio\\Programas\\Inicio\\Logitech Desktop Messenger.lnk"
"backup"="C:\\WINDOWS\\pss\\Logitech Desktop Messenger.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\ARCHIV~1\\Logitech\\DESKTO~1\\8876480\\Program\\LDMConf.exe /start"
"item"="Logitech Desktop Messenger"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\HP Component Manager]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="hpcmpmgr"
"hkey"="HKLM"
"command"="\"C:\\Archivos de programa\\HP\\hpcoretech\\hpcmpmgr.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\HP Software Update]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="HPWuSchd2"
"hkey"="HKLM"
"command"="C:\\Archivos de programa\\HP\\HP Software Update\\HPWuSchd2.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\HPHmon06]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="hphmon06"
"hkey"="HKLM"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\HPHUPD06]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="hphupd06"
"hkey"="HKLM"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\iTunesHelper]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="iTunesHelper"
"hkey"="HKLM"
"command"="C:\\Archivos de programa\\iTunes\\iTunesHelper.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\LogitechVideoRepair]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ISStart"
"hkey"="HKLM"
"command"="C:\\Archivos de programa\\Logitech\\Video\\ISStart.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\LogitechVideoTray]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="LogiTray"
"hkey"="HKLM"
"command"="C:\\Archivos de programa\\Logitech\\Video\\LogiTray.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\NeroFilterCheck]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="NeroCheck"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\QuickTime Task]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="qttask"
"hkey"="HKLM"
"command"="\"C:\\Archivos de programa\\QuickTime\\qttask.exe\" -atboottime"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\Skype]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Skype"
"hkey"="HKCU"
"command"="\"C:\\Archivos de programa\\Skype\\Phone\\Skype.exe\" /nosplash /minimized"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\SpyBrowser]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="SpyBro"
"hkey"="HKCU"
"command"="\"C:\\Archivos de programa\\SpyBro\\SpyBro.exe\" /autostart"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\SpywareTerminator]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="SpywareTerminatorShield"
"hkey"="HKLM"
"command"="\"C:\\Archivos de programa\\Spyware Terminator\\SpywareTerminatorShield.exe\""
"inimapping"="0"

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\HP Usg Daily.job
C:\WINDOWS\tasks\Symantec NetDetect.job

Completion time: 10/09/2006 14:20:41.31
ComboFix.txt

4 Uninstall list OK




123 Flash Menu v1.7.0
ACDSee 8
ACE-HIGH Text To Speech Reader V1.30 Build 030220
Actualización de seguridad para el Reproductor de Windows Media (KB911564)
Actualización de seguridad para el Reproductor de Windows Media 9 (KB911565)
Actualización de seguridad para el Reproductor de Windows Media 9 (KB917734)
Actualización de seguridad para Step by Step Interactive Training (KB898458)
Actualización de seguridad para Windows XP (KB883939)
Actualización de seguridad para Windows XP (KB890046)
Actualización de seguridad para Windows XP (KB893756)
Actualización de seguridad para Windows XP (KB896358)
Actualización de seguridad para Windows XP (KB896422)
Actualización de seguridad para Windows XP (KB896423)
Actualización de seguridad para Windows XP (KB896424)
Actualización de seguridad para Windows XP (KB896428)
Actualización de seguridad para Windows XP (KB896688)
Actualización de seguridad para Windows XP (KB899587)
Actualización de seguridad para Windows XP (KB899588)
Actualización de seguridad para Windows XP (KB899591)
Actualización de seguridad para Windows XP (KB900725)
Actualización de seguridad para Windows XP (KB901017)
Actualización de seguridad para Windows XP (KB901214)
Actualización de seguridad para Windows XP (KB902400)
Actualización de seguridad para Windows XP (KB903235)
Actualización de seguridad para Windows XP (KB904706)
Actualización de seguridad para Windows XP (KB905414)
Actualización de seguridad para Windows XP (KB905749)
Actualización de seguridad para Windows XP (KB905915)
Actualización de seguridad para Windows XP (KB908519)
Actualización de seguridad para Windows XP (KB908531)
Actualización de seguridad para Windows XP (KB911280)
Actualización de seguridad para Windows XP (KB911562)
Actualización de seguridad para Windows XP (KB911567)
Actualización de seguridad para Windows XP (KB911927)
Actualización de seguridad para Windows XP (KB912812)
Actualización de seguridad para Windows XP (KB912919)
Actualización de seguridad para Windows XP (KB913446)
Actualización de seguridad para Windows XP (KB913580)
Actualización de seguridad para Windows XP (KB914388)
Actualización de seguridad para Windows XP (KB914389)
Actualización de seguridad para Windows XP (KB916281)
Actualización de seguridad para Windows XP (KB917159)
Actualización de seguridad para Windows XP (KB917344)
Actualización de seguridad para Windows XP (KB917422)
Actualización de seguridad para Windows XP (KB917953)
Actualización de seguridad para Windows XP (KB918439)
Actualización de seguridad para Windows XP (KB918899)
Actualización de seguridad para Windows XP (KB920214)
Actualización de seguridad para Windows XP (KB920670)
Actualización de seguridad para Windows XP (KB920683)
Actualización de seguridad para Windows XP (KB921398)
Actualización de seguridad para Windows XP (KB921883)
Actualización de seguridad para Windows XP (KB922616)
Actualización para Windows XP (KB894391)
Actualización para Windows XP (KB896727)
Actualización para Windows XP (KB898461)
Actualización para Windows XP (KB900485)
Actualización para Windows XP (KB910437)
Actualización para Windows XP (KB916595)
Ad-Aware SE Personal
Adobe Reader 6.0.1 - Español
Ahorro de energía de TOSHIBA
ALPS Touch Pad Driver
Codec Pack - All In 1 6.0.2.9
Compresor WinRAR
Consola de Toshiba
Controlador de Logitech® Camera
Controladores de sonido SigmaTel AC97
Dev-C++ 5 beta 9 release (4.9.9.1)
Download Accelerator Plus (DAP)
eMule
FotoSlate 4
Google Earth
Herramienta de diagnóstico de PC de TOSHIBA
HijackThis 1.99.1
HP Software Update
Intel® Extreme Graphics 2 Driver
Intel® PRO Network Adapters and Drivers
Intel® PROSet/Wireless Software
InterVideo WinDVD for Toshiba
iTunes
J2SE Runtime Environment 5.0 Update 4
Java 2 Runtime Environment, SE v1.4.2_03
K-Lite Codec Pack 2.35 Full
L&H TTS3000 Español
L&H TTS3000 Français
Lernout & Hauspie TruVoice American English TTS Engine
LiveReg (Symantec Corporation)
LiveUpdate 2.5 (Symantec Corporation)
Logitech Desktop Messenger
Logitech QuickCam
Macromedia Dreamweaver 8
Macromedia Extension Manager
Macromedia Fireworks 8
Macromedia Flash 8
Macromedia Flash 8 Video Encoder
Macromedia Flash Player 8
Macromedia Flash Player 8
Macromedia Flash Player 8 Plugin
Macromedia Shockwave Player
Manuales de TOSHIBA
mCore
mDriver
mDrWiFi
mEoU.msi
mHelp
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Spanish Language Pack
Microsoft Office OneNote 2003
Microsoft Office XP Professional con FrontPage
mIWA
mIWCA
mLogView
mMHouse
mPfMgr
mPfWiz
mProSafe
MSN Messenger 7.0
MSXML 4.0 SP2 Parser and SDK
mWlsSafe
mXML
mZConfig
Nero 6 Ultra Edition
Norton AntiVirus 2003
Norton Personal Firewall
Norton WMI Update
Port Royale 2
QuickTime
RENTA 2005
Revisión de Windows XP - KB867282
Revisión de Windows XP - KB873333
Revisión de Windows XP - KB873339
Revisión de Windows XP - KB885250
Revisión de Windows XP - KB885835
Revisión de Windows XP - KB885836
Revisión de Windows XP - KB885884
Revisión de Windows XP - KB886185
Revisión de Windows XP - KB887472
Revisión de Windows XP - KB887742
Revisión de Windows XP - KB888113
Revisión de Windows XP - KB888302
Revisión de Windows XP - KB890047
Revisión de Windows XP - KB890175
Revisión de Windows XP - KB890859
Revisión de Windows XP - KB890923
Revisión de Windows XP - KB891781
Revisión de Windows XP - KB893066
Revisión de Windows XP - KB893086
SafeCast Shared Components
Silenciador de unidad de CD/DVD
Skype 2.5
TeLL me More
TOSHIBA ConfigFree
TOSHIBA Controls
TOSHIBA Software Modem
TOSHIBA Utilities
TOSHIBA Zooming Utility
Touch and Launch
Utilidad de activación/desactivación de panel táctil de TOSHIBA V2.05.00
Utilidad de tecla directa TOSHIBA para dispositivos de pantalla
Windows Installer 3.1 (KB893803)
Windows Installer 3.1 (KB893803)
Windows XP Service Pack 2
Zuma Deluxe RA




Alright, I hope this is getting cleaner. What do you think?
- SmitfraudFix in safe mode started the tool to free space in disk :S but it seemed to work fine.
- I was not prompted to replace wininet.dll by SmitfraudFix and it did not need to reboot my computer either, so I rebooted it by myself.


I am really learning a lot from this, but I wonder how do you know which program to use according to what you see in my logs. ??

Thanks Andy

[AndyManchesta]

Thanks for the logs, they look fine

Regarding the question on what tools to use, that is really just based on what infections are present, there is alot of developers who create fixtools for specific infections and they are usually a better option that just relying on Anti-malware programs as we can be sure all the reg changes are reversed and any files are removed as some programs would just detect the files and not repair any registry damage, with you having Vundo then Vundofix was used, with you having ishost.exe & ismini.exe in your running processes at the start then SmitfraudFix was used as that targets that infection, ComboFix is an excellent program as its capable of removing alot of different infections like dollarrevenue, look2me, surfsidekick, qoologic, purityscan and various other adware thats associated with those infections, the report it generates also shows alot of area's of the registry that HijackThis doesnt check so its a very useful tool when cleaning malware.

The results look ok but there's a few things left to clean up then we can run a malware scan to make sure there isnt any remaining issues

Delete this file

C:\WINDOWS\system32\awvuv.dll

Goto your Add/Remove screen (Start menu > Control Panel > Add or Remove Programs) and remove:

Java 2 Runtime Environment, SE v1.4.2_03

That version of Java is very old and vulnerable to some infections (mainly Trojan Vundo) so it should be removed from the PC, your other version of Java is also abit out of date (J2SE Runtime Environment 5.0 Update 4) and it's common for them to leave older versions on the PC when it upgrades so you could remove them both then upgrade to the latest version (5.0 Update 6) using Sun's website Here

Finally download Ewido Anti-Spyware

• Load Ewido and then click the Update tab at the top. Under Manual Update click Start update.
  
• After the update finishes (the status bar at the bottom will display "Update successful")
  
• Click on the Scanner tab at the top and then click on Complete System Scan
  
• Ewido will list any infections found on the left, when the scan has finished, it will automatically set the recommended action. Click the Apply all actions button. Ewido will then display "All actions have been applied" on the right.
  
• Click on "Save Report", then "Save Report As". This will create a text file which you can then save to the Desktop and post back

Please then post back the Ewido report and a final HijackThis log

Cheers

Andy

[nesmofalcon]

Hi Andy,

thanks one more time for your "diagnosis and medicines"

Ok, find here the log from Ewido:

---------------------------------------------------------
ewido anti-spyware - Scan Report
---------------------------------------------------------

+ Created at: 12:28:33 11/09/2006

+ Scan result:



C:\VundoFix Backups\nnnnopo.dll -> Adware.Virtumionde : Cleaned with backup (quarantined).
C:\VundoFix Backups\rqrpopn.dll -> Adware.Virtumionde : Cleaned with backup (quarantined).
C:\VundoFix Backups\urqnkii.dll -> Adware.Virtumionde : Cleaned with backup (quarantined).
C:\WINDOWS\Downloaded Program Files\CONFLICT.1\UWA6PY_0001_N91M2107NetInstaller.exe -> Not-A-Virus.Downloader.Win32.WinFixer.o : Ignored.
C:\WINDOWS\Downloaded Program Files\CONFLICT.2\UWA6PY_0001_N91M2107NetInstaller.exe -> Not-A-Virus.Downloader.Win32.WinFixer.o : Ignored.
C:\WINDOWS\Downloaded Program Files\CONFLICT.3\UWA6PY_0001_N91M2107NetInstaller.exe -> Not-A-Virus.Downloader.Win32.WinFixer.o : Ignored.
C:\WINDOWS\Downloaded Program Files\UWA6PY_0001_N91M2107NetInstaller.exe -> Not-A-Virus.Downloader.Win32.WinFixer.o : Ignored.
C:\Documents and Settings\Nesmo\Cookies\nesmo@2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\VundoFix Backups\Update.exe -> Trojan.Starter.65 : Cleaned with backup (quarantined).


::Report end


And the HiJack Report here:


Logfile of HijackThis v1.99.1
Scan saved at 12:30:54, on 11/09/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Archivos de programa\Intel\Wireless\Bin\EvtEng.exe
C:\Archivos de programa\Intel\Wireless\Bin\S24EvMon.exe
C:\Archivos de programa\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Archivos de programa\Archivos comunes\Symantec Shared\ccEvtMgr.exe
C:\Archivos de programa\Norton Personal Firewall\NISUM.EXE
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\00THotkey.exe
C:\WINDOWS\system32\TFNF5.exe
C:\Archivos de programa\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\Archivos de programa\SigmaTel\Controladores de sonido SigmaTel AC97\stacmon.exe
C:\Archivos de programa\Apoint2K\Apoint.exe
C:\Archivos de programa\TOSHIBA\TouchED\TouchED.Exe
C:\Archivos de programa\TOSHIBA\PadTouch\PadExe.exe
C:\WINDOWS\LTSMMSG.exe
C:\WINDOWS\system32\TPSMain.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\Archivos de programa\Intel\Wireless\Bin\ifrmewrk.exe
C:\Archivos de programa\Norton Personal Firewall\ccPxySvc.exe
C:\Archivos de programa\Intel\Wireless\Bin\EOUWiz.exe
C:\Archivos de programa\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Archivos de programa\Archivos comunes\Symantec Shared\ccApp.exe
C:\Archivos de programa\Archivos comunes\Microsoft Shared\VS7Debug\mdm.exe
C:\Archivos de programa\Apoint2K\Apntex.exe
C:\Archivos de programa\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Archivos de programa\Intel\Wireless\Bin\OProtSvc.exe
C:\Archivos de programa\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\WINDOWS\System32\svchost.exe
C:\Archivos de programa\Archivos comunes\Symantec Shared\Security Center\SymWSC.exe
C:\ARCHIV~1\Intel\Wireless\Bin\1XConfig.exe
C:\Archivos de programa\Internet Explorer\iexplore.exe
C:\Archivos de programa\Java\jre1.5.0_04\bin\jusched.exe
C:\Archivos de programa\ewido anti-spyware 4.0\guard.exe
C:\Archivos de programa\ewido anti-spyware 4.0\ewido.exe
C:\Archivos de programa\Messenger\msmsgs.exe
C:\Documents and Settings\Nesmo\Escritorio\kk\hijackthis\HjackT.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.es/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Archivos de programa\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Archivos de programa\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Archivos de programa\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [SmoothView] C:\Archivos de programa\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
O4 - HKLM\..\Run: [SigmaTel StacMon] C:\Archivos de programa\SigmaTel\Controladores de sonido SigmaTel AC97\stacmon.exe
O4 - HKLM\..\Run: [Apoint] C:\Archivos de programa\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [TouchED] C:\Archivos de programa\TOSHIBA\TouchED\TouchED.Exe
O4 - HKLM\..\Run: [PadTouch] "C:\Archivos de programa\TOSHIBA\PadTouch\PadExe.exe
O4 - HKLM\..\Run: [LTSMMSG] LTSMMSG.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb11.exe
O4 - HKLM\..\Run: [IntelWireless] C:\Archivos de programa\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [EOUApp] C:\Archivos de programa\Intel\Wireless\Bin\EOUWiz.exe
O4 - HKLM\..\Run: [ccApp] "C:\Archivos de programa\Archivos comunes\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Archivos de programa\Archivos comunes\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\ARCHIV~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [QuickTime Task] "C:\Archivos de programa\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Archivos de programa\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [!ewido] "C:\Archivos de programa\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [NBJ] "C:\Archivos de programa\Ahead\Nero BackItUp\NBJ.exe"
O4 - Global Startup: Microsoft Office.lnk = C:\Archivos de programa\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Clean Traces - C:\Archivos de programa\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Archivos de programa\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\Archivos de programa\DAP\dapextie2.htm
O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\ARCHIV~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Consola de Sun Java - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.5.0_06\bin\ssv.dll
O14 - IERESET.INF: START_PAGE_URL=file:///C:\Archivos de programa\TOSHIBA\Free Update Service\splash.html
O15 - Trusted Zone: http://acs.pandasoftware.com
O15 - Trusted Zone: http://activescan.pandasoftware.com
O15 - Trusted Zone: http://www.pandasoftware.com
O15 - Trusted Zone: http://www.pandasoftware.es
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitd...can8/oscan8.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: IntelWireless - C:\Archivos de programa\Intel\Wireless\Bin\LgNotify.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Archivos de programa\Archivos comunes\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Archivos de programa\Archivos comunes\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Proxy Service (ccPxySvc) - Symantec Corporation - C:\Archivos de programa\Norton Personal Firewall\ccPxySvc.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Archivos de programa\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: EvtEng - Intel Corporation - C:\Archivos de programa\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Archivos de programa\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Archivos de programa\Archivos comunes\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Servicio del iPod (iPodService) - Apple Computer, Inc. - C:\Archivos de programa\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Archivos de programa\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Personal Firewall Accounts Manager (NISUM) - Symantec Corporation - C:\Archivos de programa\Norton Personal Firewall\NISUM.EXE
O23 - Service: OwnershipProtocol - Intel Corporation - C:\Archivos de programa\Intel\Wireless\Bin\OProtSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Archivos de programa\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Archivos de programa\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\ARCHIV~1\ARCHIV~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Archivos de programa\Archivos comunes\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Archivos de programa\Archivos comunes\Symantec Shared\Security Center\SymWSC.exe


Thanks for your other answers but I still feel really interested about this...
- Is there any list to use to identify malware in the Hijack log? how can I spot the "baddies" by myself?
- Now that the computer is getting clean (thanks to your advices)...is there any recommended configuration (specific antivirus + firewall + antispyware) efficient to protect my pc??


Regards,
Nestor

[AndyManchesta]

Hi Nestor

Nice to see Ewido didnt find too many problems, most are in the VundoFix backups folder so we can remove that and then remove the Winfixer entry from the Downloaded program files folder

Delete this folder:

C:\VundoFix Backups

The next file is in the Downloaded Program Files folder so you will need to unregister the following file to be able to view the folder contents, then once its removed register the file again:

Goto Start Menu > Run > and copy and paste

regsvr32 /u occache.dll

Then click OK,

Next delete this file

C:\WINDOWS\Downloaded Program Files\UWA6PY_0001_N91M2107NetInstaller.exe

After the file is removed go back to Start Menu > Run > and copy and paste

regsvr32 occache.dll

And Press OK

Quote

- Is there any list to use to identify malware in the Hijack log? how can I spot the "baddies" by myself?

If you wanted to receive training for reading HijackThis logs and be able to help others then its worth considering joining a training school for HJT. Here's some of the main sites that offer Training

SpywareInfo

http://www.spywareinfo.com/

HijackThis training provided in the Boot Camp:

Apply Here


TomCoyote.org

http://www.tomcoyote.org/

HijackThis training in the "Classroom".

Apply Here


Geekstogo.com

http://www.geekstogo.com/

The Geek University provides HijackThis training.

Apply Here


MalWare Removal.com

Malware Removal University

http://www.malwareremoval.com/


For researching entries in your own log then there is sites that keep a database of HJT entries such as CastleCops where you can find information about filenames, CLSID's etc..

http://www.castlecops.com/

If you open the above site then you will see a black drop down menu on the top right named CastleCops Network

If you left click this drop down menu to expand it, you will see the part at the bottom is for researching HijackThis entries, (02/03 BHO's/Toolbars, 04 Startups, 09 Internet Explorer Buttons, 010 LSPs, 016 ActiveX etc...)

if you click one of them (example 04 Startup) it will open the Startup Index and show an area where you can type a filename to search their database, you only need to enter the filename or the run value and not the full path so for an entry in your log

O4 - HKLM\..\Run: [TouchED] C:\Archivos de programa\TOSHIBA\TouchED\TouchED.Exe

I would type in TouchED.Exe and click search

which brings back this result

http://www.castlecop...09-TouchED.html

or you can do it with the run value

O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb11.exe

there is no match for hpztsb11.exe in their list but if you enter HPDJ Taskbar Utility it brings back this result so we know its legit

http://www.castlecop...ar_Utility.html


For some entries you can use the CLSID to search for info, if you click 02/03 BHO's/Toolbars

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Archivos de programa\Norton AntiVirus\NavShExt.dll

You can search for NavShExt.dll which will bring back afew choices but this is the one thats showing

http://www.castlecops.com/tk516-CNavExtBho...Nav_Helper.html

or you can search for BDF3E430-B101-42AD-A544-FADC6B084872

which will just show the above link.

Not all entries will be listed in the database but they have alot of dedicated helpers who keep it updated so its an excellent site to use and store in the favorites If you do not find information then I find google very useful using the same method (entering the CLSID or Filename) and if its a group of words then place them inside quotes "" and that usually gives alot of information about the file or program, alot of malware uses genuine filenames but in the wrong location or with a slight difference in the spelling so you should always be cautious of removing anything unless you can be sure its malware related. If you did find a file that you found suspicious then upload it at VirusTotal or Jotti's site which uses alot of different AntiVirus scanners to check the file.

http://www.virustota...h/index_en.html

http://virusscan.jotti.org/

Quote

Now that the computer is getting clean (thanks to your advices)...is there any recommended configuration (specific antivirus + firewall + antispyware) efficient to protect my pc??

I can see you have Norton AntiVirus and Firewall running and its not recommended to have more than one AntiVirus program installed as they can use alot of system resources and if they conflict with each other they can make the system less secure, same for Firewall, there should only be one installed so that part is fine, I can see Ad-Aware SE is installed which is another excellent program but you should maybe consider adding Spybot and SpywareBlaster as Spybot may find parts of infections that others miss and SpywareBlaster will help to prevent future infections, Ewido should also be kept on the system as it performs fine after the trial has expired,

Here's afew prevention steps to help you stay clean :

Keep Ewido on the system as it shows its a 30 day trial but it works fine after that has expired as a "On-Demand" scanner and remover which you can manually update and use anytime.

In order to protect yourself against spyware, you should consider installing and running the following free programs:

Spybot-Search & Destroy
A tutorial on using Spybot can be found here. Please also remember to enable Spybot's "Immunize" feature.

Spywareblaster
SpywareBlaster doesn`t scan and clean spyware, but prevents it from being installed in the first place. It blocks the popular spyware ActiveX controls, and also prevents the installation of any of them via webpages.
A tutorial on using SpywareBlaster may be found here.

• Avoid illegal sites, because that's where most malware is present.
  
• Don't click on links inside popups, Messenger programs or spam email messages.
  
• Download free software only from sites you know and trust.

Please make sure to run your Antivirus software regularly, and to keep it up-to-date and also make sure your windows has the latest updates: http://windowsupdate.microsoft.com/

More information on how to prevent malware and to explain how you got infected can be found Here (By Tony Klein)

Regards

Andy

[nesmofalcon]

Hello Andy,

one more time.....thanks!
I am going to try to summarize here your last post:

C:\WINDOWS\Downloaded Program Files\UWA6PY_0001_N91M2107NetInstaller.exe ==> Deleted

Can I consider my system clean now? I hope so since I do not see more strange entries in the logs...

I have got also the info about how to read HijackThis logs

http://www.castlecops.com/ ==> As you said, this site is excellent to identify all the entries in the HijackThis logs. I think it should be a FAQ in this forum with the links you have provided me.

Recommended programs:
- Ad-Aware SE (to clean)
- SpywareBlaster (to prevent infections)
- Spybot - Search & Destroy (to clean)
- Ewido (clean and protect)


And finally, I have heard that Norton takes a lot of resources and is not as efficient as another anti-virus?
Any particular suggestion for antivirus + firewall? After all what you have helped me I am sure you will give me an excellent advice.

Thanks a lot for all,
Nestor

[AndyManchesta]

Hey Nestor

Glad it helped

Regarding Norton, If you have a subscription for their programs then you may as well use it and then if you wanted to change after it expires rather than renew the subscription, there is alot of excellent free alternatives, I use CA's EZ AntiVirus and ZoneAlarm on my machines as Ive never liked to pay to remove junk CA is free for MS users for 1 year and ZoneAlarm is also free and offers great protection. AVG, AntiVir and Avast are also good free AV programs and Sygate or Sunbelt Kerio are good alternative free Firewall programs.

Here's some links if you ever need them:

CA's one year trial:

http://www.my-etrust...ft/Default.aspx

Zone Alarm

http://www.zonelabs.com/store/content/comp...eeDownload2.jsp?

AVG, Avast & AntiVir (and others)

http://www.filehippo...ware/antivirus/

Sygate & Kerio (and others)

http://www.filehippo...ware/firewalls/

Regarding your system, you could run Ad-Aware and Spybot to make sure there is no remaining Adware leftovers and then run a scan with Kaspersky's online scanner as their detection rate is excellent so if there is any remaining files its very likely their scanner will find them,

Run Kaspersky WebScanner

• Please go HERE and click Kaspersky Online Scanner
  
• Read and Accept the Agreement
  
• You will be promted to install an ActiveX component from Kaspersky, Click Yes.
  
• If you see a Windows dialog asking if you want to install this software, click the Install button.
  
• The program will launch and then begin downloading the latest definition files,
  
• When the "Update progress" line changes to "Ready" and the "NEXT ->" button becomes available, please click on it.
  
• Click on the Scan Settings button, and in the next window select the Extended database, and click Ok.
  
• Under "Please select a target to scan:", click My Computer to start the scan.
  
• When the scan is finished, click the "Save as Text" button, and save the file as kavscan.txt to your Desktop, close the Kaspersky On-line Scanner window.

If any infected items are found by Kaspersky, please post back the scan log

Thanks

Andy

[nesmofalcon]

Hi Andy, sorry for the delay...

here I post the report fro kaspersky
It seems that I have some rests in the computer....?
(i have already run spybot and Ad-aware)

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Thursday, September 14, 2006 6:02:45 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 14/09/2006
Kaspersky Anti-Virus database records: 223281
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 64473
Number of viruses found: 8
Number of infected objects: 35 / 0
Number of suspicious objects: 0
Duration of the scan process: 01:10:32

Infected Object Name / Virus Name / Last Action
C:\Archivos de programa\Archivos comunes\Symantec Shared\SNDALRT.log Object is locked skipped
C:\Archivos de programa\Archivos comunes\Symantec Shared\SNDCON.log Object is locked skipped
C:\Archivos de programa\Archivos comunes\Symantec Shared\SNDDBG.log Object is locked skipped
C:\Archivos de programa\Archivos comunes\Symantec Shared\SNDFW.log Object is locked skipped
C:\Archivos de programa\Archivos comunes\Symantec Shared\SNDIDS.log Object is locked skipped
C:\Archivos de programa\Archivos comunes\Symantec Shared\SNDSYS.log Object is locked skipped
C:\Archivos de programa\Norton AntiVirus\AVApp.log Object is locked skipped
C:\Archivos de programa\Norton AntiVirus\AVError.log Object is locked skipped
C:\Archivos de programa\Norton AntiVirus\AVVirus.log Object is locked skipped
C:\Archivos de programa\Norton AntiVirus\Quarantine\01B862C6.tmp Infected: Trojan.Win32.Pakes skipped
C:\Archivos de programa\Norton AntiVirus\Quarantine\050945FA.tmp Infected: Trojan.Win32.Pakes skipped
C:\Archivos de programa\Norton AntiVirus\Quarantine\33442D1D.tmp Infected: Trojan.Win32.Pakes skipped
C:\Archivos de programa\Norton AntiVirus\Quarantine\5FF400C9.tmp Infected: Trojan.Win32.Pakes skipped
C:\Archivos de programa\Norton AntiVirus\Quarantine\679E7AA4.tmp Infected: Trojan.Win32.Pakes skipped
C:\Archivos de programa\Norton AntiVirus\Quarantine\74290BB2.tmp Infected: Trojan.Win32.Pakes skipped
C:\Documents and Settings\All Users\Datos de programa\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Datos de programa\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\LocalService\Configuración local\Archivos temporales de Internet\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Configuración local\Datos de programa\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Configuración local\Datos de programa\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Configuración local\Historial\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Nesmo\Configuración local\Archivos temporales de Internet\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Nesmo\Configuración local\Datos de programa\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Nesmo\Configuración local\Datos de programa\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Nesmo\Configuración local\Historial\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Nesmo\Configuración local\Temp\~DF513A.tmp Object is locked skipped
C:\Documents and Settings\Nesmo\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Nesmo\Mis documentos\Programas\Trojan utilities\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\Nesmo\Mis documentos\Programas\Trojan utilities\SmitfraudFix.zip/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\Nesmo\Mis documentos\Programas\Trojan utilities\SmitfraudFix.zip ZIP: infected - 1 skipped
C:\Documents and Settings\Nesmo\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Nesmo\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Configuración local\Datos de programa\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Configuración local\Datos de programa\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{837698BD-DDF5-417B-A39E-81147F1AE21D}\RP1\A0000026.exe Infected: Trojan-Downloader.Win32.Zlob.adt skipped
C:\System Volume Information\_restore{837698BD-DDF5-417B-A39E-81147F1AE21D}\RP1\A0000055.exe Infected: Trojan-Downloader.Win32.Zlob.adt skipped
C:\System Volume Information\_restore{837698BD-DDF5-417B-A39E-81147F1AE21D}\RP1\A0000065.exe Infected: Trojan-Downloader.Win32.Zlob.adt skipped
C:\System Volume Information\_restore{837698BD-DDF5-417B-A39E-81147F1AE21D}\RP1\A0000070.exe Infected: Trojan-Downloader.Win32.Zlob.adt skipped
C:\System Volume Information\_restore{837698BD-DDF5-417B-A39E-81147F1AE21D}\RP1\A0000081.exe Infected: Trojan-Downloader.Win32.Zlob.adt skipped
C:\System Volume Information\_restore{837698BD-DDF5-417B-A39E-81147F1AE21D}\RP1\A0000089.exe Infected: Trojan-Downloader.Win32.Zlob.adt skipped
C:\System Volume Information\_restore{837698BD-DDF5-417B-A39E-81147F1AE21D}\RP1\A0000824.dll Infected: Trojan-Downloader.Win32.Zlob.ajg skipped
C:\System Volume Information\_restore{837698BD-DDF5-417B-A39E-81147F1AE21D}\RP1\A0000829.dll Infected: Packed.Win32.Klone.g skipped
C:\System Volume Information\_restore{837698BD-DDF5-417B-A39E-81147F1AE21D}\RP1\A0000835.exe Infected: Trojan-Downloader.Win32.Zlob.adt skipped
C:\System Volume Information\_restore{837698BD-DDF5-417B-A39E-81147F1AE21D}\RP1\A0000837.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.dt skipped
C:\System Volume Information\_restore{837698BD-DDF5-417B-A39E-81147F1AE21D}\RP1\A0000838.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.dt skipped
C:\System Volume Information\_restore{837698BD-DDF5-417B-A39E-81147F1AE21D}\RP1\A0000841.exe Infected: not-a-virus:AdWare.Win32.Agent.y skipped
C:\System Volume Information\_restore{837698BD-DDF5-417B-A39E-81147F1AE21D}\RP1\A0000846.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.dt skipped
C:\System Volume Information\_restore{837698BD-DDF5-417B-A39E-81147F1AE21D}\RP1\A0000847.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.dt skipped
C:\System Volume Information\_restore{837698BD-DDF5-417B-A39E-81147F1AE21D}\RP1\A0000851.exe Infected: Trojan-Downloader.Win32.Zlob.adt skipped
C:\System Volume Information\_restore{837698BD-DDF5-417B-A39E-81147F1AE21D}\RP11\change.log Object is locked skipped
C:\System Volume Information\_restore{837698BD-DDF5-417B-A39E-81147F1AE21D}\RP2\A0000894.exe Infected: Trojan-Downloader.Win32.Zlob.adt skipped
C:\System Volume Information\_restore{837698BD-DDF5-417B-A39E-81147F1AE21D}\RP2\A0000895.exe Infected: Trojan-Downloader.Win32.Zlob.adt skipped
C:\System Volume Information\_restore{837698BD-DDF5-417B-A39E-81147F1AE21D}\RP5\A0001220.exe Infected: not-a-virus:AdWare.Win32.Agent.y skipped
C:\System Volume Information\_restore{837698BD-DDF5-417B-A39E-81147F1AE21D}\RP5\A0001221.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.dt skipped
C:\System Volume Information\_restore{837698BD-DDF5-417B-A39E-81147F1AE21D}\RP5\A0001222.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.dt skipped
C:\System Volume Information\_restore{837698BD-DDF5-417B-A39E-81147F1AE21D}\RP5\A0001223.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.dt skipped
C:\System Volume Information\_restore{837698BD-DDF5-417B-A39E-81147F1AE21D}\RP6\A0001401.exe Infected: not-a-virus:Downloader.Win32.WinFixer.o skipped
C:\System Volume Information\_restore{837698BD-DDF5-417B-A39E-81147F1AE21D}\RP6\A0001412.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\WINDOWS\$NtUninstallKB824141$\user32.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB824141$\win32k.sys Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\accwiz.exe Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\crypt32.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\cryptsvc.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\hh.exe Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\hhctrl.ocx Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\hhsetup.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\html32.cnv Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\itss.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\locator.exe Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\magnify.exe Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\migwiz.exe Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\mrxsmb.sys Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\msconv97.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\narrator.exe Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\newdev.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\ntdll.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\ole32.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\osk.exe Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\pchshell.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\raspptp.sys Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\rpcrt4.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\rpcss.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\shell32.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\shmedia.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\srrstr.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\srv.sys Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\winsrv.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\zipfldr.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826942$\dhcpcsvc.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826942$\ndis.sys Object is locked skipped
C:\WINDOWS\$NtUninstallKB826942$\ndisuio.sys Object is locked skipped
C:\WINDOWS\$NtUninstallKB826942$\netshell.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826942$\wzcdlg.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826942$\wzcsapi.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826942$\wzcsvc.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828028$\msasn1.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828035$\msgsvc.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828035$\wkssvc.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB830680$\keymgr.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB831905$\ntkrnlmp.exe Object is locked skipped
C:\WINDOWS\$NtUninstallKB831905$\ntkrnlpa.exe Object is locked skipped
C:\WINDOWS\$NtUninstallKB831905$\ntkrpamp.exe Object is locked skipped
C:\WINDOWS\$NtUninstallKB831905$\ntoskrnl.exe Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Downloaded Program Files\CONFLICT.1\UWA6PY_0001_N91M2107NetInstaller.exe Infected: not-a-virus:Downloader.Win32.WinFixer.o skipped
C:\WINDOWS\Downloaded Program Files\CONFLICT.2\UWA6PY_0001_N91M2107NetInstaller.exe Infected: not-a-virus:Downloader.Win32.WinFixer.o skipped
C:\WINDOWS\Downloaded Program Files\CONFLICT.3\UWA6PY_0001_N91M2107NetInstaller.exe Infected: not-a-virus:Downloader.Win32.WinFixer.o skipped
C:\WINDOWS\Internet Logs\IAMDB.RDB Object is locked skipped
C:\WINDOWS\Internet Logs\NESTOR.ldb Object is locked skipped
C:\WINDOWS\Internet Logs\tvDebug.log Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\drivers\atapi.sys Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\ZLT07f83.TMP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.


What do you think? Is kaspersky reporting about items already deleted? or are they active?

Best regards and thanks one more time,
Nestor

[AndyManchesta]

Hi Nestor

That looks ok, just a few entries to mention

The locked items are all fine to ignore but there's still some Winfixer junk in the Downloaded Program Files folder so please unregister the following file again:

Goto Start Menu > Run > and copy and paste

regsvr32 /u occache.dll

Then click OK,

Next open the C:\WINDOWS\Downloaded Program Files folder

Then delete these Folders:

CONFLICT.1
CONFLICT.2
CONFLICT.3


After they are removed go back to Start Menu > Run > and copy and paste

regsvr32 occache.dll

And Press OK

C:\Archivos de programa\Norton AntiVirus\Quarantine\050945FA.tmp Infected: Trojan.Win32.Pakes skipped

These infections have already been removed by Norton so you just need to clear the Norton Quarantine area, instructions for that can be found Here

C:\Documents and Settings\Nesmo\Mis documentos\Programas\Trojan utilities\SmitfraudFix.zip/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped

This is fine to ignore, it's probably why Norton had a problem with the file when you downloaded it earlier but that could of also been because of the process killer that SmitfraudFix uses. The above detection is just for a Reboot utility to allow the fixtool to reboot the machine if there is a variant it cannot remove on the first attempt, its not a risk with it being in a trusted tool but could be if it was added by malware so its fine to ignore.

C:\System Volume Information\_restore{837698BD-DDF5-417B-A39E-81147F1AE21D}\RP1\A0000026.exe Infected: Trojan-Downloader.Win32.Zlob.adt skipped

These are just infected System Restore points which is to be expected after having malware on your machine, we can clear them out now the system is clean and start a fresh restore point

Remove the Winfixer files and the contents of Nortons Quarantine then:

Click Start Menu > All Programs > Accessories > System Tools > SystemRestore

Choose Create a Restore Point then click Next. Name it and click Create, when the confirmation screen shows the restore point has been created click Close.

Next goto Start Menu > Run > type

cleanmgr

Click OK, Disk Cleanup will open and start calculating the amount of space that can be freed, Once thats finished it will open the Disk Cleanup options screen, click the More Options tab then click Clean up on the system restore area and choose Yes at the confirmation window which will remove all the restore points except the one we just created. Then press OK to clear the temp files found in the initial scan and close Disk Cleanup.

Let us know if you have any problems with the above steps but everything else looks great, nice work

Regards

Andy

[nesmofalcon]

Hello Andy,

I have followed your instruccions, I am going to run a last Kaspersky scan I will let you know if there is something else.
My computer is now smooth and fast like never before.

It has been a pleasure to read all your posts, they are been really efficient. Thanks a lot for all the guidelines & explications you gave me.

I will keep learning about Log Analysis.

THANKS for everything.
Nestor

[AndyManchesta]

Hey Nestor

Your Welcome, I'm glad I could help,

Let us know if you have any more questions or problems anytime

Happy Surfing

Andy

[hcussigh]

AndyManchesta, on Sep 15 2006, 07:54 PM, said:

Hey Nestor

Your Welcome, I'm glad I could help,

Let us know if you have any more questions or problems anytime

Happy Surfing

Andy

Thx VERY MUCH!
was VERY HELPFULL!
I was very desperate till I found your comments.