Hi, and welcome to daniweb. Please run HJT again, and slelect Do system scan only. Then tick these items.
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Favoritos
O2 - BHO: Nothing - {b0398eca-0bcd-4645-8261-5e9dc70248d0} - C:\WINDOWS\system32\hp5EC.tmp
Click Fix Checked.
________________________________________________________
Please download SmitfraudFix (by S!Ri)
Extract the content (a folder named SmitfraudFix) to your Desktop.
Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.
Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm
You should print out these instructions, or copy them to a NotePad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.
Next, please reboot your computer in Safe Mode by doing the following :- Restart your computer
- After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
- Instead of Windows loading as normal, a menu with options should appear;
- Select the first option, to run Windows in Safe Mode, then press "Enter".
- Choose your usual account.
Once in Safe Mode, open the SmitfraudFix folder again and double-click smitfraudfix.cmd
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.
You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.
The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".
The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows.
A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply.
The report can also be found at the root of the system drive, usually at C:\rapport.txt
_________________________________________________________
Please download Pocket Killbox by O^E.- Save it to your desktop.
- Please double-click Killbox.exe to run it.
- Select:
- Delete on Reboot
- then Click on the All Files button.
- Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):
C:\WINDOWS\system32\hp5EC.tmp
- Return to Killbox, go to the File menu, and choose Paste from Clipboard.
- Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).
If your computer does not restart automatically, please restart it manually.
________________________________________________________
Please download ewido anti-malware it is a free version of the program.- Install ewido anti-malware
- When installing, under "Additional Options" uncheck..
- Install background guard
- Install scan via context menu
- Launch ewido, there should be an icon on your desktop, double-click it.
- The program will now open to the main screen.
- When you run ewido for the first time, you may get a warning "Database could not be found!". Click OK. We will fix this in a moment.
- You will need to update ewido to the latest definition files.
- On the left hand side of the main screen click update.
- Then click on Start Update.
- The update will start and a progress bar will show the updates being installed.
(the status bar at the bottom will display ("Update successful" )
If you are having problems with the updater, you can use this link to manually update ewido.
ewido manual updates
Once the updates are installed do the following:- Open up Ewido
- Click on scanner
- Click on Complete System Scan and the scan will begin.
- You will be prompted to clean the first infection.
- Select "Perform action on all infections", then proceed.
- Once the scan has completed, there will be a button located on the bottom of the screen named Save report
- Click Save report.
- Save the report .txt file to your desktop or a location where you can find it easily.
- Close ewido anti-malware.
Reboot.
________________________________________________________
Post the smitfraudlog, the ewido log, and a new HJT log.
Thanks a lot, I think it worked.
On the Killbox I did get the "PendingFileRenameOperations" prompt.
Posting the Smitfraudlog, the ewido log and the new HJT log:
SmitFraudFix v2.44
Scan done at 13:36:58,45, 14/05/2006
Run from C:\Documents and Settings\Administrador\Escritorio\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [Versi¢n 5.1.2600]
»»»»»»»»»»»»»»»»»»»»»»»» Killing process
»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files
C:\WINDOWS\system32\atmclk.exe Deleted
C:\WINDOWS\system32\dcomcfg.exe Deleted
C:\WINDOWS\system32\hp????.tmp Deleted
C:\WINDOWS\system32\ld????.tmp Deleted
C:\WINDOWS\system32\ot.ico Deleted
C:\WINDOWS\system32\regperf.exe Deleted
C:\WINDOWS\system32\reglogs.dll Deleted
C:\WINDOWS\system32\simpole.tlb Deleted
C:\WINDOWS\system32\stdole3.tlb Deleted
C:\WINDOWS\system32\ts.ico Deleted
C:\WINDOWS\system32\1024\ Deleted
C:\DOCUME~1\ADMINI~1\FAVORI~1\Antivirus Test Online.url Deleted
»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files
»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning
Registry Cleaning done.
»»»»»»»»»»»»»»»»»»»»»»»» End
---------------------------------------------------------
ewido anti-malware - Report de exploración
---------------------------------------------------------
+ Creado en: 05:12:39 p.m., 14/05/2006
+ Report-Checksum: BFCD395
+ Scan result:
C:\Documents and Settings\Administrador\Cookies\administrador@112.2o7[1].txt -> TrackingCookie.2o7 : Limpio con backup
C:\Documents and Settings\Administrador\Cookies\administrador@ad.yieldmanager[1].txt -> TrackingCookie.Yieldmanager : Limpio con backup
C:\Documents and Settings\Administrador\Cookies\administrador@burstnet[2].txt -> TrackingCookie.Burstnet : Limpio con backup
C:\Documents and Settings\Administrador\Cookies\administrador@ivwbox[2].txt -> TrackingCookie.Ivwbox : Limpio con backup
C:\Documents and Settings\Administrador\Cookies\administrador@rotator.adjuggler[2].txt -> TrackingCookie.Adjuggler : Limpio con backup
C:\Documents and Settings\Administrador\Cookies\administrador@tacoda[1].txt -> TrackingCookie.Tacoda : Limpio con backup
C:\Documents and Settings\Administrador\Cookies\administrador@web-stat[2].txt -> TrackingCookie.Web-stat : Limpio con backup
C:\Documents and Settings\Administrador\Cookies\administrador@www.myaffiliateprogram[1].txt -> TrackingCookie.Myaffiliateprogram : Limpio con backup
::Fin Report
Logfile of HijackThis v1.99.1
Scan saved at 05:20:39 p.m., on 14/05/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Archivos de programa\Archivos comunes\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Archivos de programa\Archivos comunes\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Archivos de programa\Symantec AntiVirus\DefWatch.exe
C:\Archivos de programa\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\system32\svchost.exe
C:\Archivos de programa\Symantec AntiVirus\Rtvscan.exe
C:\Archivos de programa\Archivos comunes\Symantec Shared\ccApp.exe
C:\ARCHIV~1\SYMANT~1\VPTray.exe
C:\Archivos de programa\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe
C:\Archivos de programa\MSN Messenger\MSNMSGR.EXE
C:\Archivos de programa\Olympus\DeviceDetector\DevDtct2.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Archivos de programa\Internet Explorer\IEXPLORE.EXE
C:\Archivos de programa\hijackthis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
http://www.yahoo.com/
O3 - Toolbar: PopUpCop - {DB43E4E6-FF8A-4018-8C8E-F68587A44A73} - C:\ARCHIV~1\PopUpCop\PopUpCop.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\archivos de programa\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ccApp] "C:\Archivos de programa\Archivos comunes\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\ARCHIV~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [msnmsgr] "C:\Archivos de programa\MSN Messenger\MSNMSGR.EXE" /background
O4 - Global Startup: Device Detector 3.lnk = C:\Archivos de programa\Olympus\DeviceDetector\DevDtct2.exe
O8 - Extra context menu item: &Google Search - res://c:\archivos de programa\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\archivos de programa\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\archivos de programa\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\archivos de programa\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\ARCHIV~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\archivos de programa\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\archivos de programa\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O12 - Plugin for .pdf: C:\Archivos de programa\Internet Explorer\PLUGINS\nppdf32.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\ARCHIV~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Archivos de programa\Archivos comunes\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Archivos de programa\Archivos comunes\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Archivos de programa\Archivos comunes\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Archivos de programa\Symantec AntiVirus\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Archivos de programa\ewido anti-malware\ewidoctrl.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Archivos de programa\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Archivos de programa\Archivos comunes\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Archivos de programa\Symantec AntiVirus\Rtvscan.exe
Thanks again.
Marked Solved 
Offline 
