downloader.small.5.1

well, I¨ve done everything you say:
this is the hijackthis.logLogfile of HijackThis v1.97.7
Scan saved at 12:10:19 a.m., on 04/05/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v5.00 (5.00.2614.3500)

Running processes:
C:\WINDOWSN\SYSTEM\KERNEL32.DLL
C:\WINDOWSN\SYSTEM\MSGSRV32.EXE
C:\WINDOWSN\SYSTEM\MPREXE.EXE
C:\WINDOWSN\SYSTEM\mmtask.tsk
C:\ARCHIVOS DE PROGRAMA\GRISOFT\AVG6\AVGSERV9.EXE
C:\WINDOWSN\SYSTEM\MSTASK.EXE
C:\WINDOWSN\EXPLORER.EXE
C:\WINDOWSN\TASKMON.EXE
C:\WINDOWSN\SYSTEM\SYSTRAY.EXE
C:\WINDOWSN\LOADQM.EXE
C:\ARCHIVOS DE PROGRAMA\GRISOFT\AVG6\AVGCC32.EXE
C:\WINDOWSN\SYSTEM\MSHTA.EXE
C:\DISKSERV.EXE
C:\ARCHIVOS DE PROGRAMA\MICROSOFT OFFICE\OFFICE\OSA.EXE
C:\ARCHIVOS DE PROGRAMA\WINZIP\WZQKPICK.EXE
C:\WINDOWSN\SYSTEM\WMIEXE.EXE
C:\WINDOWSN\SYSTEM\RNAAPP.EXE
C:\WINDOWSN\SYSTEM\TAPISRV.EXE
C:\ARCHIVOS DE PROGRAMA\MSN MESSENGER\MSNMSGR.EXE
C:\ARCHIVOS DE PROGRAMA\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWSN\SYSTEM\DDHELP.EXE
C:\ARCHIVOS DE PROGRAMA\WINZIP\WINZIP32.EXE
C:\WINDOWSN\TEMP\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.uolsinectis.com.ar:80
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000000} - C:\WINDOWSN\SYSTEM\MSXSLAB.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\archivos de programa\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWSN\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWSN\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWSN\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [AVG_CC] C:\ARCHIV~1\GRISOFT\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [winmain] winmain.exe
O4 - HKLM\..\Run: [LoadFont1] C:\WINDOWSN\FONTS\Arial.vbs
O4 - HKLM\..\Run: [LoadFont2] C:\WINDOWSN\FONTS\Tahoma.vbs
O4 - HKLM\..\Run: [Power Scan] C:\Archivos de programa\Power Scan\powerscan.exe
O4 - HKLM\..\Run: [Winhost] C:\WINDOWSN\winh.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\ARCHIV~1\GRISOFT\AVG6\Avgserv9.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] C:\WINDOWSN\SYSTEM\mstask.exe
O4 - HKCU\..\Run: [Disk Master] C:\diskserv.exe
O4 - HKCU\..\Run: [Service Manager] C:\dxsound.exe
O4 - Startup: Inicio de Office.lnk = C:\Archivos de programa\Microsoft Office\Office\OSA.EXE
O4 - Startup: Búsqueda rápida de Microsoft.lnk = C:\Archivos de programa\Microsoft Office\Office\FINDFAST.EXE
O4 - Startup: WinZip Quick Pick.lnk = C:\Archivos de programa\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://C:\ARCHIVOS DE PROGRAMA\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\ARCHIVOS DE PROGRAMA\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\ARCHIVOS DE PROGRAMA\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
O8 - Extra context menu item: Backward &Links - res://C:\ARCHIVOS DE PROGRAMA\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Letras de canciones (HKLM)
O14 - IERESET.INF: SEARCH_PAGE_URL=
O14 - IERESET.INF: START_PAGE_URL=
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macromedia.com/flash4/cabs/swflash.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37901.5263541667
O16 - DPF: {2048B51E-8D74-4762-82CE-B48CF545EEEA} (CAX Object) - http://dl.dialerssolution.com/cax.cab
O16 - DPF: {73F0FD85-BD47-4A95-86D1-DE38860462C1} (PremiumHTML Class) - http://www.accesoplugin.com/dialercab/IberoDialerHTML.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {EFB22865-F3BC-4309-ADFA-C8E078A7F762} (SysWebTelecomInt Class) - http://www.sponsoradulto.com/es/SysWebTelecom.cab
O16 - DPF: {5F426A93-0821-47D2-A126-5A48A874B289} (DialerWeb Class) - http://212.145.159.194/251065/dialercab/WebRecomendada.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab

please, help me to get rid of this virus. i can´t enter to the hotmail page

 

please, tell me what to do to destroy this trojan horse virus...

 

Hi verorhcp,

Before you start, please unzip hijackthis to a separate folder. The program will make backups in the folder in the folder it's in.
These easily get lost in a Temp folder.

Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:

O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000000} - C:\WINDOWSN\SYSTEM\MSXSLAB.DLL

O4 - HKLM\..\Run: [winmain] winmain.exe
O4 - HKLM\..\Run: [LoadFont1] C:\WINDOWSN\FONTS\Arial.vbs
O4 - HKLM\..\Run: [LoadFont2] C:\WINDOWSN\FONTS\Tahoma.vbs
O4 - HKLM\..\Run: [Power Scan] C:\Archivos de programa\Power Scan\powerscan.exe
O4 - HKLM\..\Run: [Winhost] C:\WINDOWSN\winh.exe

O16 - DPF: {2048B51E-8D74-4762-82CE-B48CF545EEEA} (CAX Object) - http://dl.dialerssolution.com/cax.cab
O16 - DPF: {73F0FD85-BD47-4A95-86D1-DE38860462C1} (PremiumHTML Class) - http://www.accesoplugin.com/dialercab/IberoDialerHTML.cab

O16 - DPF: {EFB22865-F3BC-4309-ADFA-C8E078A7F762} (SysWebTelecomInt Class) - http://www.sponsoradulto.com/es/SysWebTelecom.cab
O16 - DPF: {5F426A93-0821-47D2-A126-5A48A874B289} (DialerWeb Class) - http://212.145.159.194/251065/dialercab/WebRecomendada.cab

Then reboot into safe mode and delete:
winmain.exe
C:\Archivos de programa\Power Scan <= entire folder
C:\WINDOWSN\winh.exe

Also do an online virusscan, you will find several listed here: http://www.wilders.org/free_services.htm

Regards,

Pieter