15 replies to this topic

[Diego]

Hi,

I'm a new user of HijackThis, please let me know if I am doing something wrong.
Below I have copied my log
Many thanks in advance.

Logfile of HijackThis v1.99.1
Scan saved at 18:10:31, on 05/07/2007
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Archivos de programa\Intel\ASF Agent\ASFAgent.exe
C:\Archivos de programa\Cisco Systems\VPN Client\cvpnd.exe
C:\ARCHIV~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\WINNT\System32\svchost.exe
C:\Archivos de programa\Dell\OpenManage\Client\Iap.exe
C:\ARCHIV~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\Archivos de programa\RealVNC\VNC4\WinVNC4.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\hkcmd.exe
C:\Archivos de programa\Microsoft Hardware\Mouse\point32.exe
C:\Archivos de programa\Symantec_Client_Security\Symantec AntiVirus\vptray.exe
C:\Archivos de programa\MSN Apps\Updater1.03.0000.1005\es\msnappau.exe
C:\Archivos de programa\MSN Messenger\MsnMsgr.Exe
C:\Archivos de programa\Spyware Doctor\swdoctor.exe
C:\Archivos de programa\Ulead Systems\Ulead Photo Express 2 SE\CalCheck.exe
C:\Archivos de programa\Citrix\ICA Client\pnagent.exe
C:\WINNT\System32\SCardSvr.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\Program Files\HijackThis\HijackThis.exe
C:\WINNT\system32\u.exe
C:\WINNT\TIREMOTE\TIRemoteService.exe
C:\WINNT\TIREMOTE\wuser32.exe
C:\WINNT\system32\taskmgr.exe
C:\Archivos de programa\Internet Explorer\iexplore.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.es/0SEESES/SAOS01
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.videojet.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = squid.videojet.com:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = m*.videojet.com;a*.videojet.com

;<local>
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Archivos de programa\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\ARCHIV~1\SPYBOT~1\SDHelper.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Archivos de programa\MSN Apps\ST1.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Archivos de programa\MSN Apps\MSN Toolbar1.02.5000.1021\es\msntb.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Archivos de programa\MSN Apps\MSN Toolbar1.02.5000.1021\es\msntb.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\system32\hkcmd.exe
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [WinVNC] "C:\Archivos de programa\ORL\VNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [vptray] C:\Archivos de programa\Symantec_Client_Security\Symantec AntiVirus\vptray.exe
O4 - HKLM\..\Run: [PE2CKFNT SE] C:\Archivos de programa\Ulead Systems\Ulead Photo Express 2 SE\ChkFont.exe
O4 - HKLM\..\Run: [msnappau] "C:\Archivos de programa\MSN Apps\Updater1.03.0000.1005\es\msnappau.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Office Monitor Word Exel R] C:\WINNT\system32\u.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Archivos de programa\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Archivos de programa\Spyware Doctor\swdoctor.exe" /Q
O4 - Startup: Acceso directo a logon.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Archivos de programa\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Photo Express Calendar Checker SE.lnk = C:\Archivos de programa\Ulead Systems\Ulead Photo Express 2 SE\CalCheck.exe
O4 - Global Startup: VPN Client.lnk = C:\Archivos de programa\Cisco Systems\VPN Client\vpngui.exe
O4 - Global Startup: Program Neighborhood Agent.lnk = C:\Archivos de programa\Citrix\ICA Client\pnagent.exe
O9 - Extra button: Referencia - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARCHIV~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O12 - Plugin for .spop: C:\Archivos de programa\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by20fd.bay20....es/MsnPUpld.cab
O16 - DPF: {5DF6FB84-749D-4AAE-AE37-708DE09B0588} - http://213.229.160.2...ers/dialnew.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pdownloader.cab
O16 - DPF: {F11BFF96-CC7A-4482-819B-91EAE4C454EF} (NTR ActiveX 1.1.6) - http://www.inquiero....tivex116_14.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = vti.pidnet.net
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = vti.pidnet.net
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = vti.pidnet.net
O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: NavLogon - C:\WINNT\System32\NavLogon.dll
O23 - Service: ASF Agent (ASFAgent) - Intel Corporation - C:\Archivos de programa\Intel\ASF Agent\ASFAgent.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Archivos de programa\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: DefWatch - Symantec Corporation - C:\ARCHIV~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Servicio del administrador de discos lógicos (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Iap - Dell Computer Corporation - C:\Archivos de programa\Dell\OpenManage\Client\Iap.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Archivos de programa\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\ARCHIV~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\System32\HPZipm12.exe
O23 - Service: Track-It! Remote Control (TIRmtCtl) - Intuit Track-It! - C:\WINNT\TIREMOTE\wuser32.exe
O23 - Service: Track-It! Workstation Manager (TIRmtSvc) - Numara Software, Inc. - C:\WINNT\TIREMOTE\TIRemoteService.exe
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Archivos de programa\ORL\VNC\WinVNC.exe" -service (file missing)
O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - C:\Archivos de programa\RealVNC\VNC4\WinVNC4.exe" -service (file missing)

[Simon V.]

• Hello, and welcome to the forum.
  
  My name is Simon V., and I'll be glad to help you with your computer problems.
  
  HijackThis logs can take some time to research, so please be patient with me. I know that you need your computer working as quickly as possible, and I will work hard to help see that happens.
  I am currently looking over your log. As I am a trainee, everything that I post to you must be checked by an Admin or Moderator. Thus, there may be a tiny bit of a delay between posts, but it shouldn't be too long. I will post back shortly with a potential fix.
  
  Please be patient and I'd be grateful if you would note the following:
  
• I will be working on your Malware issues, this may or may not, solve other issues you have with your machine.
• The fixes are specific to your problem and should only be used for this issue on this machine.
• Please continue to review my answers until I tell you your machine appears to be clear. Absence of symptoms does not mean that everything is clear.
• It's often worth reading through these instructions and printing them for ease of reference.
• If you don't know or understand something, please don't hesitate to say or ask! It's better to be sure and safe than sorry.
• Please reply to this thread. Do not start a new topic.

[Simon V.]

• Hi,
  
  Identity Theft
  
• I'm afraid I have unpleasant news for you. You have a Very Dangerous infection on this machine.
  The infection is delivered by a Backdoor Trojan.
  It allows outsiders COMPLETE access to every keystroke, account, and password you use while on this machine, and complete access to any other data present...
  
  IF this computer has been used for any kind of important data, my best recommendation is to disconnect from the internet, reformat the entire drive and re-install your operating system and applications.
  
  We can likely clean the infected files off the computer, and if you wish we will attempt to do so, but we cannot be sure that the infection didn't do something to your system to reduce the system security. In that instance, even after removal of the infection, you could be subject to another attack or takeover as soon as you re-connect to the internet.
  
  The decision whether to reformat or not should be based on:
• The use of the computer - this is the primary factor in the decision whether to reformat and re-install, or just disinfect.
• The variety of malware - this influences the decision on whether to re-format and re-install, or just disinfect. IN THIS CASE we have a backdoor worm, the worst kind.

If the computer has been used for any important data, you are strongly advised to do the following, immediately:

• Disconnect the infected computer from the internet and from any networked computers until the computer can be cleaned.
• Back up all important data on the machine. Do not back up any Applications (programs). Those should be re-installed from the original source CDs or websites.
• If you have ever used this computer for shopping, banking, or any transactions relating to your financial well being:
  Call all of your banks, credit card companies, and financial institutions, informing them that you may be a victim of identity theft, and to put a watch on your accounts or change all your account numbers.
• From a clean computer, change ALL your online passwords -- for ISP login, email, banks, financial accounts, PayPal, eBay, online companies, and any online forums or groups you belong to.
• DO NOT change passwords or do any transactions while using the infected computer because the attacker will get the new password and transaction information.
• Take any other steps you think appropriate for an attempted identity theft.

While you are deciding whether to reformat and re-install, this can be a useful link.

Please let me know what you decide.

[Diego]

Hi Simon V, First of all, many thanks for your help it is very appreciated by me. I have been reading your reply carefully and I prefer to try disinfecting this computer. One more time many thanks for your help! Diego

[Simon V.]

• Hi Diego,
  
  Let’s get to work then
  
  SDFix
  
• Please download SDFix and save it to your Desktop.
  
  Double click SDFix.exe and it will extract the files to %systemdrive%
  (Drive that contains the Windows Directory, typically C:\SDFix)
  • Print these instructions or copy them to Notepad and save it to your Desktop, as you won't be able to access internet in Safe Mode.
  • Please reboot into Safe Mode. To do this, go to Start>Turn off Computer, and select Restart. Rapidly tap F8 just before Windows starts to load. In the menu that appears, select Safe Mode (Without Networking)
    
    Once in Safe Mode, do the following:
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to reboot.
  • Press any key and it will restart the PC.
  • When the PC restarts the fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load, the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to clipboard ready for posting back on the forum).
  Make an Uninstall List
  
• To access the Uninstall Manager you would do the following:
  
  1. Start HijackThis
  2. Click on the Config button
  3. Click on the Misc Tools button
  4. Click on the Open Uninstall Manager button.
  5. Click on the Save list... button and save the file to a convenient location. When you press Save, Notepad will open with the contents of that file. Please post the Uninstall List, the report from SDFix (Report.txt), and a new HijackThis log in your next reply.

[Diego]

Hi Simon V, I run two or three times SDFix.exe in save mode as you told me and I have installed Windows patch Windows2000-KB824146-x86-ESN.exe to protect the operating system against this virus and now everything is ok. SDFix tells me that I’m clean. Do you still need I copy my log files? Thanks a lot for your help and best Regards!! Diego

[Simon V.]

Yes, please post the requested logs Absence of symptoms doesn't always mean you're fully clean!

[Diego]

Hi Simon V,

Below you will find the logs you asked me for

Uninstall List

Adobe Acrobat 5.0
Adobe Flash Player 9 ActiveX
Barra de Herramientas MSN
Cisco Systems VPN Client 4.0.1 (Rel)
Desinstalador de hp LaserJet 2300
Guías del usuario
HijackThis 1.99.1
HP RecordNow
Intel ® Pro Alerting Agent
Intel® Extreme Graphics 2 Driver
Intel® PRO Network Adapters and Drivers
Intel® PROSet
Kaspersky Online Scanner
KM-2050TWAIN
LiveUpdate 1.80 (Symantec Corporation)
MetaFrame Presentation Server Client
Microsoft Data Access Components KB870669
Microsoft IntelliPoint
Microsoft Internet Explorer 6 SP1
Microsoft Office 2000 SR-1 Premium
Microsoft Office Professional Edition 2003
Microsoft VGX Q833989
MSN Messenger 7.0
Nero Suite
OMCI
PDFCreator 0.8.0
QuoteWerks 3.0 Node
Revisión de Windows 2000 - KB822831
Revisión de Windows 2000 - KB823182
Revisión de Windows 2000 - KB823559
Revisión de Windows 2000 - KB823980
Revisión de Windows 2000 - KB824105
Revisión de Windows 2000 - KB824146
Revisión de Windows 2000 - KB825119
Revisión de Windows 2000 - KB826232
Revisión de Windows 2000 - KB828035
Revisión de Windows 2000 - KB828741
Revisión de Windows 2000 - KB828749
Revisión de Windows 2000 - KB834707
Revisión de Windows 2000 - KB835732
Revisión de Windows 2000 - KB837001
Revisión de Windows 2000 - KB839645
Revisión de Windows 2000 - KB840315
Revisión de Windows 2000 - KB840987
Revisión de Windows 2000 - KB841356
Revisión de Windows 2000 - KB841533
Revisión de Windows 2000 - KB841872
Revisión de Windows 2000 - KB841873
Revisión de Windows 2000 - KB842526
Revisión de Windows 2000 - KB842773
Revisión de Windows 2000 - KB867282
Revisión de Windows 2000 - KB871250
Revisión de Windows 2000 - KB873333
Revisión de Windows 2000 - KB873339
Revisión de Windows 2000 - KB883939
Revisión de Windows 2000 - KB885250
Revisión de Windows 2000 - KB885835
Revisión de Windows 2000 - KB885836
Revisión de Windows 2000 - KB887797
Revisión de Windows 2000 - KB888113
Revisión de Windows 2000 - KB889293
Revisión de Windows 2000 - KB890046
Revisión de Windows 2000 - KB890047
Revisión de Windows 2000 - KB890175
Revisión de Windows 2000 - KB890859
Revisión de Windows 2000 - KB891711
Revisión de Windows 2000 - KB891781
Revisión de Windows 2000 - KB893066
Revisión de Windows 2000 - KB893086
Revisión de Windows 2000 - KB894320
Revisión de Windows 2000 - KB896358
Revisión de Windows 2000 - KB896422
Revisión de Windows 2000 - KB897715
Revisión de Windows 2000 (SP4) KB810217
Revisión de Windows 2000 (SP4) KB817606
Revisión de Windows 2000 (SP4) Q329553
Revisión de Windows 2000 (sp4) Q814033
Revisión de Windows 2000 (SP5) KB820888
Revisión de Windows 2000 (SP5) Q818043
Revisión del DirectX 9 - KB839643
Revisión del Reproductor de Windows Media [consulte Q828026 para obtener más información]
Spybot - Search & Destroy 1.4
Spyware Doctor 3.0
Symantec AntiVirus Client
Ulead Photo Express 2.0 SE
VNC Free Edition 4.1.2
Windows 2000 Hotfix (Pre-SP4) [See Q322842 for more information]
Windows 2000 Hotfix (Pre-SP4) [See Q322913 for more information]
Windows 2000 Hotfix (Pre-SP4) [See Q326886 for more information]
Windows 2000 Hotfix (Pre-SP4) [See Q327269 for more information]
Windows 2000 Hotfix (Pre-SP4) [See Q329115 for more information]
Windows 2000 Hotfix (Pre-SP4) [See Q329834 for more information]
Windows 2000 Hotfix (Pre-SP4) Q329170
Windows 2000 Hotfix (Pre-SP4) Q810833
Windows Installer 3.1 (KB893803)
WinZip



SDFix log


SDFix: Version 1.90

Run by Administrador on Fri 06/07/2007 at 18:22

Microsoft Windows 2000 [Versi¢n 5.00.2195]

Running From: C:\SDFix

Safe Mode:
Checking Services:






Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...


Normal Mode:
Checking Files:

Below files will be copied to Backups folder then removed:

C:\WINNT\system32\u.exe - Deleted



Removing Temp Files...

ADS Check:

Checking C:\WINNT
C:\WINNT
No streams found.

Checking C:\WINNT\system32
C:\WINNT\system32
No streams found.

Checking C:\WINNT\system32\svchost.exe
C:\WINNT\system32\svchost.exe
No streams found.

Checking C:\WINNT\system32\ntoskrnl.exe
C:\WINNT\system32\ntoskrnl.exe
No streams found.



Final Check:

Remaining Services:
------------------



Remaining Files:
---------------

Backups Folder: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes:

C:\Documents and Settings\delarotta_marta\Configuraci¢n local\Archivos temporales de Internet\OLK4\~WRL1837.tmp
C:\Documents and Settings\delarotta_marta\Configuraci¢n local\Archivos temporales de Internet\OLK4\~WRL0001.tmp
C:\Documents and Settings\delarotta_marta\Configuraci¢n local\Archivos temporales de Internet\OLK472\~WRL3373.tmp
C:\Documents and Settings\delarotta_marta\Mis documentos\Datos\Varios\WORD\~WRL2408.tmp
C:\Documents and Settings\delarotta_marta\Mis documentos\Datos\Varios\Ofertas Videojet\~WRL1716.tmp
C:\Documents and Settings\delarotta_marta\Mis documentos\Datos\DC Fernando L¢pez\~WRL0004.tmp
C:\Documents and Settings\delarotta_marta\Mis documentos\Datos\DC Fernando L¢pez\~WRL0683.tmp
C:\Documents and Settings\delarotta_marta\Mis documentos\Datos\Documentaci¢n Delegados\~WRL0001.tmp
C:\Documents and Settings\delarotta_marta\Mis documentos\Datos\Documentaci¢n Delegados\~WRL0003.tmp
C:\Documents and Settings\delarotta_marta\Mis documentos\Datos\Documentaci¢n Delegados\~WRL0004.tmp
C:\Documents and Settings\delarotta_marta\Mis documentos\Datos\Documentaci¢n Delegados\~WRL1208.tmp
C:\Documents and Settings\delarotta_marta\Mis documentos\Datos\Documentaci¢n Delegados\~WRL2031.tmp
C:\Documents and Settings\delarotta_marta\Mis documentos\Datos\Etiquetas\~WRL2408.tmp
C:\Documents and Settings\delarotta_marta\Mis documentos\Datos\Diasa Industrial\~WRL0935.tmp
C:\Documents and Settings\delarotta_marta\Mis documentos\Datos\Diasa Industrial\~WRL3924.tmp
C:\Documents and Settings\delarotta_marta\Mis documentos\Datos\MINUTAS\~WRL0015.tmp
C:\Documents and Settings\delarotta_marta\Mis documentos\Datos\MINUTAS\~WRL0858.tmp
C:\Documents and Settings\delarotta_marta\Mis documentos\Datos\MINUTAS\~WRL1635.tmp
C:\Documents and Settings\delarotta_marta\Mis documentos\Datos\MINUTAS\~WRL3070.tmp
C:\Documents and Settings\delarotta_marta\Mis documentos\Datos\MINUTAS\~WRL3295.tmp
C:\Documents and Settings\delarotta_marta\Mis documentos\Datos\Ofertas Videojet\~WRL1716.tmp
C:\Documents and Settings\delarotta_marta\Mis documentos\Datos\Facturas Proformas\~WRL1180.tmp
C:\Documents and Settings\delarotta_marta\Mis documentos\Datos\Facturas Proformas\~WRL0123.tmp
C:\Documents and Settings\delarotta_marta\Mis documentos\Datos\Facturas Proformas\~WRL2173.tmp
C:\Documents and Settings\delarotta_marta\Mis documentos\Datos\Movimientos 2003\~WRL0906.tmp
C:\Documents and Settings\delarotta_marta\Escritorio\~WRL1920.tmp
C:\Documents and Settings\delarotta_marta\Datos de programa\Microsoft\Word\~WRL0602.tmp
C:\Documents and Settings\delarotta_marta\Datos de programa\Microsoft\Word\~WRL0003.tmp
C:\Documents and Settings\delarotta_marta\Datos de programa\Microsoft\Word\~WRL1305.tmp
C:\Documents and Settings\aragon_ricardo\Configuraci¢n local\Temp\ZTR1F.tmp
C:\Documents and Settings\aragon_ricardo\Configuraci¢n local\Temp\FOR20.tmp
C:\Documents and Settings\aragon_ricardo\Configuraci¢n local\Temp\ZTR20.tmp
C:\Documents and Settings\aragon_ricardo\Configuraci¢n local\Temp\FOR21.tmp
C:\Documents and Settings\aragon_ricardo\Configuraci¢n local\Temp\ZTR21.tmp
C:\Documents and Settings\aragon_ricardo\Configuraci¢n local\Temp\FOR22.tmp
C:\Documents and Settings\aragon_ricardo\Configuraci¢n local\Temp\ZTR22.tmp
C:\Documents and Settings\aragon_ricardo\Configuraci¢n local\Temp\FOR23.tmp
C:\Documents and Settings\aragon_ricardo\Configuraci¢n local\Temp\ZTR23.tmp
C:\Documents and Settings\aragon_ricardo\Configuraci¢n local\Temp\FOR24.tmp
C:\Documents and Settings\aragon_ricardo\Configuraci¢n local\Temp\ZTR24.tmp
C:\Documents and Settings\aragon_ricardo\Configuraci¢n local\Temp\FOR25.tmp
C:\Documents and Settings\aragon_ricardo\Configuraci¢n local\Temp\ZTR25.tmp
C:\Documents and Settings\aragon_ricardo\Configuraci¢n local\Temp\FOR26.tmp
C:\Documents and Settings\aragon_ricardo\Configuraci¢n local\Temp\ZTR26.tmp
C:\Documents and Settings\aragon_ricardo\Configuraci¢n local\Temp\FOR27.tmp
C:\Documents and Settings\aragon_ricardo\Configuraci¢n local\Temp\ZTR27.tmp
C:\Documents and Settings\aragon_ricardo\Configuraci¢n local\Temp\FOR28.tmp
C:\Documents and Settings\aragon_ricardo\Configuraci¢n local\Temp\ZTR28.tmp
C:\Documents and Settings\aragon_ricardo\Configuraci¢n local\Temp\FOR29.tmp

Finished

HijackThis log:


Logfile of HijackThis v1.99.1
Scan saved at 16:13:56, on 12/07/2007
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Archivos de programa\Intel\ASF Agent\ASFAgent.exe
C:\Archivos de programa\Cisco Systems\VPN Client\cvpnd.exe
C:\ARCHIV~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\WINNT\System32\svchost.exe
C:\Archivos de programa\Dell\OpenManage\Client\Iap.exe
C:\WINNT\system32\msiexec.exe
C:\ARCHIV~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\Archivos de programa\RealVNC\VNC4\WinVNC4.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.EXE
C:\Archivos de programa\Microsoft Hardware\Mouse\point32.exe
C:\Archivos de programa\Symantec_Client_Security\Symantec AntiVirus\vptray.exe
C:\Archivos de programa\MSN Apps\Updater1.03.0000.1005\es\msnappau.exe
C:\WINNT\system32\hkcmd.exe
C:\WINNT\system32\igfxpers.exe
C:\Archivos de programa\MSN Messenger\MsnMsgr.Exe
C:\WINNT\system32\wuauclt.exe
C:\Archivos de programa\Spyware Doctor\swdoctor.exe
C:\Archivos de programa\Ulead Systems\Ulead Photo Express 2 SE\CalCheck.exe
C:\Archivos de programa\Citrix\ICA Client\pnagent.exe
C:\WINNT\System32\SCardSvr.exe
C:\Archivos de programa\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Archivos de programa\Microsoft Office\Office\WINWORD.EXE
C:\Archivos de programa\Internet Explorer\IEXPLORE.EXE
C:\Archivos de programa\Citrix\ICA Client\Wfcrun32.exe
C:\ARCHIV~1\Citrix\ICACLI~1\WFICA32.EXE
J:\QuoteWerks\qw30.exe
C:\Archivos de programa\Microsoft Office\Office\EXCEL.EXE
C:\Archivos de programa\Adobe\Acrobat 5.0\Reader\AcroRd32.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.es/0SEESES/SAOS01
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = squid.videojet.com:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = m*.videojet.com;a*.videojet.com

;<local>
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Archivos de programa\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Archivos de programa\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Archivos de programa\MSN Apps\ST1.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Archivos de programa\MSN Apps\MSN Toolbar1.02.5000.1021\es\msntb.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Archivos de programa\MSN Apps\MSN Toolbar1.02.5000.1021\es\msntb.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [WinVNC] "C:\Archivos de programa\ORL\VNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [vptray] C:\Archivos de programa\Symantec_Client_Security\Symantec AntiVirus\vptray.exe
O4 - HKLM\..\Run: [PE2CKFNT SE] C:\Archivos de programa\Ulead Systems\Ulead Photo Express 2 SE\ChkFont.exe
O4 - HKLM\..\Run: [msnappau] "C:\Archivos de programa\MSN Apps\Updater1.03.0000.1005\es\msnappau.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINNT\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINNT\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINNT\system32\igfxpers.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Archivos de programa\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Archivos de programa\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [Office Monitor Word Exel R] C:\WINNT\system32\u.exe
O4 - Startup: Acceso directo a logon.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Archivos de programa\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Photo Express Calendar Checker SE.lnk = C:\Archivos de programa\Ulead Systems\Ulead Photo Express 2 SE\CalCheck.exe
O4 - Global Startup: VPN Client.lnk = C:\Archivos de programa\Cisco Systems\VPN Client\vpngui.exe
O4 - Global Startup: Program Neighborhood Agent.lnk = C:\Archivos de programa\Citrix\ICA Client\pnagent.exe
O9 - Extra button: Referencia - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARCHIV~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O12 - Plugin for .spop: C:\Archivos de programa\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by20fd.bay20....es/MsnPUpld.cab
O16 - DPF: {5DF6FB84-749D-4AAE-AE37-708DE09B0588} - http://213.229.160.2...ers/dialnew.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pdownloader.cab
O16 - DPF: {F11BFF96-CC7A-4482-819B-91EAE4C454EF} (NTR ActiveX 1.1.6) - http://www.inquiero....tivex116_14.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = vti.pidnet.net
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = vti.pidnet.net
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = vti.pidnet.net
O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: NavLogon - C:\WINNT\System32\NavLogon.dll
O23 - Service: ASF Agent (ASFAgent) - Intel Corporation - C:\Archivos de programa\Intel\ASF Agent\ASFAgent.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Archivos de programa\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: DefWatch - Symantec Corporation - C:\ARCHIV~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Servicio del administrador de discos lógicos (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Iap - Dell Computer Corporation - C:\Archivos de programa\Dell\OpenManage\Client\Iap.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Archivos de programa\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\ARCHIV~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\System32\HPZipm12.exe
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Archivos de programa\ORL\VNC\WinVNC.exe" -service (file missing)
O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - C:\Archivos de programa\RealVNC\VNC4\WinVNC4.exe" -service (file missing)


this is all.

Regards,
Diego

[Simon V.]

• Hi
  
  That's looking better, still some things left to do though.
  
  Fix Entries with HijackThis
  
• Open HijackThis, perform a scan and put a check next to the following items (if present):
  
  R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
  O4 - HKCU\..\Run: [Office Monitor Word Exel R] C:\WINNT\system32\u.exe
  O4 - Startup: Acceso directo a logon.lnk = ?
  O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
  O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
  O16 - DPF: {5DF6FB84-749D-4AAE-AE37-708DE09B0588} - http://213.229.160.2...ers/dialnew.cab
  O16 - DPF: {F11BFF96-CC7A-4482-819B-91EAE4C454EF} (NTR ActiveX 1.1.6) - http://www.inquiero....tivex116_14.cab
  
  Close all programs except HijackThis and click on Fix checked.
  
  Run Kaspersky Online Scan
  (Note: I see you have already run the Kaspersky Online Scan. If you have saved the report, please post that one. Otherwise, proceed with the instructions below.)
  
  
• Please do an online scan with Kaspersky WebScanner
  
  Click on Kaspersky Online Scanner
  
  You will be promted to install an ActiveX component from Kaspersky,
  Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    
    • Scan Options:
    Scan Archives Scan Mail Bases
  • Click OK
  • Now under select a target to scan:Select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  Report Back
  
• Please post the reports from the Kaspersky Online Scanner, along with a new HijackThis log in your next reply.

[Simon V.]

Diego, I want you to know I'm away for the weekend, and I will be able to respond to you on Monday.

[Diego]

No problem! Have a nice weekend. I will wait for you on monday Regards, Diego

[Simon V.]

Hi,

You have made a topic here, where you are being helped by Blade81. Is that another computer or the same one we are working on?

[Diego]

Hi Simon, sorry for my late response I have had a very big problem in my network. I have checking with blade81 another computer, I didn't want disturb you with more problems. I have read the rules and I know that we can not do this. Of course, I thank for your help and I’m going to follow your rules without discursions. Regards, Diego

Edited by Diego, 18 July 2007 - 08:28 AM.

[Simon V.]

Hi, Please carry on with my previous instructions then (Fix Entries with HijackThis and Run Kaspersky Online Scan), so we can get this computer fixed

[Simon V.]

Are you still with me Diego? If my instructions are unclear to you, please say so