unable to repair worm (merged)

Discussion in 'adware, spyware & hijack cleaning' started by melian, Jul 11, 2004.

Thread Status:
Not open for further replies.
  1. melian

    melian Registered Member

    Joined:
    Apr 16, 2004
    Posts:
    23
    Location:
    Arequipa-Peru
    worm? or spyware?

    (Mod Note: Member has posted a more recent hijackthis log, which has been merged into this current thread (see post #16) - snap)


    hey there:
    Im having big trouble with a worm that displays a DOS window anytime that a program is started ,from the message displayed one would think it comes from my country (Peru)i dont like our president eithr but making a worm to criticize him wasnt between my plans:s...anyway heres the hijack this log, hope you can help me, because ive run avast and it detected something but wasnt able to erase anything, niether was panda online check...oh, BTW im having problems to visualize this site there are allmost no colors and most websites are shown in a bigger format than my monitor can show at once...that happened last time i had a malware problem also...why could that be?

    tnx a lot for every helping hand:D
     
    Last edited by a moderator: Jul 20, 2004
  2. melian

    melian Registered Member

    Joined:
    Apr 16, 2004
    Posts:
    23
    Location:
    Arequipa-Peru
    HijackThis log

    Sorry, forgot to send this:
    StartupList report, 11/07/04, 08:20:06 p.m.
    StartupList version: 1.52.2
    Started from : C:\ARCHIVOS DE PROGRAMA\HIJACKTHIS\HIJACKTHIS.EXE
    Detected: Windows 98 SE (Win9x 4.10.2222A)
    Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    * Using default options
    ==================================================

    Running processes:

    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\ARCHIVOS DE PROGRAMA\ARCHIVOS COMUNES\SYSTEM\MOSEARCH\BIN\MOSEARCH.EXE
    C:\ARCHIVOS DE PROGRAMA\ARCHIVOS COMUNES\MICROSOFT SHARED\VS7DEBUG\MDM.EXE
    C:\ARCHIVOS DE PROGRAMA\PERAV\PAV.EXE
    C:\ARCHIVOS DE PROGRAMA\SYGATE\SPF\SMC.EXE
    C:\ARCHIVOS DE PROGRAMA\ARCHIVOS COMUNES\EPSON\EBAPI\SAGENT2.EXE
    D:\ALWIL SOFTWARE\AVAST4\ASHSERV.EXE
    C:\ARCHIVOS DE PROGRAMA\PERAV\PERVAC.EXE
    C:\ARCHIVOS DE PROGRAMA\PERAV\PERTSK.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\PSTORES.EXE
    C:\WINDOWS\SYSTEM\RPCSS.EXE
    C:\WINDOWS\SYSTEM\ISUNINST38.EXE
    C:\WINDOWS\SYSTEM\IPCLEAN503.COM
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\PTSNOOP.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\MIXER.EXE
    C:\WINDOWS\LOADQM.EXE
    C:\WINDOWS\SYSTEM\E_S10IC1.EXE
    C:\WINDOWS\SVSHOTS.EXE
    C:\WINDOWS\SYSTEM\CTFMON.EXE
    C:\ARCHIVOS DE PROGRAMA\DESKTOP ARCHITECT\DATRAY.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\ARCHIVOS DE PROGRAMA\MSN MESSENGER\MSNMSGR.EXE
    C:\ARCHIVOS DE PROGRAMA\WEBWASHER\WWASHER.EXE
    C:\ARCHIVOS DE PROGRAMA\WEBSHOTS\WEBSHOTSTRAY.EXE
    C:\ARCHIVOS DE PROGRAMA\SPYWAREGUARD\SGMAIN.EXE
    C:\ARCHIVOS DE PROGRAMA\SAMSUNG\DIGIMAX VIEWER 1.0\DIGIMAXVIEWER.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\WINDOWS\SYSTEM\XPVIEWREP.PIF
    C:\ARCHIVOS DE PROGRAMA\SPYWAREGUARD\SGBHP.EXE
    C:\ARCHIVOS DE PROGRAMA\HIJACKTHIS\HIJACKTHIS.EXE

    --------------------------------------------------

    Listing of startup folders:

    Shell folders Startup:
    [C:\WINDOWS\Menú Inicio\Programas\Inicio]
    Webshots.lnk = C:\Archivos de programa\Webshots\WebshotsTray.exe
    Microsoft Office.lnk = C:\Archivos de programa\Microsoft Office\Office10\OSA.EXE
    SpywareGuard.lnk = C:\Archivos de programa\SpywareGuard\sgmain.exe
    PER Antivirus.lnk = C:\Archivos de programa\Perav\PAV.EXE
    Digimax Viewer 1.0.lnk = C:\Archivos de programa\Samsung\Digimax Viewer 1.0\DigimaxViewer.exe

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run

    ScanRegistry = C:\WINDOWS\scanregw.exe /autorun
    TaskMonitor = C:\WINDOWS\taskmon.exe
    SystemTray = SysTray.Exe
    LoadPowerProfile = Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    C-Media Mixer = Mixer.exe /startup
    CountrySelection = pctptt.exe
    WinampAgent = "C:\ARCHIVOS DE PROGRAMA\WINAMP\WINAMPa.exe"
    SmcService = C:\ARCHIV~1\SYGATE\SPF\SMC.EXE -startgui
    LoadQM = loadqm.exe
    EPSON Stylus C42 Series = C:\WINDOWS\SYSTEM\E_S10IC1.EXE /P23 "EPSON Stylus C42 Series" /O5 "LPT1:" /M "Stylus C42"
    XPVIEWREP = C:\WINDOWS\SYSTEM\XPVIEWREP.PIF
    svshots = C:\WINDOWS\svshots.exe
    ashMaiSv = D:\ALWILS~1\AVAST4\ashmaisv.exe

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

    LoadPowerProfile = Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    SchedulingAgent = mstask.exe
    MOSearch = C:\ARCHIV~1\ARCHIV~1\SYSTEM\MOSEARCH\BIN\MOSEARCH.EXE
    MDM7 = "C:\ARCHIVOS DE PROGRAMA\ARCHIVOS COMUNES\MICROSOFT SHARED\VS7DEBUG\MDM.EXE"
    PAV.EXE = C:\ARCHIV~1\PERAV\PAV.EXE
    SmcService = C:\ARCHIVOS DE PROGRAMA\SYGATE\SPF\SMC.EXE
    SAgent2ExePath = C:\Archivos de programa\Archivos comunes\EPSON\EBAPI\SAgent2.exe
    avast! = D:\Alwil Software\Avast4\ashServ.exe

    --------------------------------------------------

    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run

    Desktop Architect = "C:\ARCHIVOS DE PROGRAMA\DESKTOP ARCHITECT\DATRAY.EXE" -S
    ctfmon.exe = ctfmon.exe
    MsnMsgr = "C:\Archivos de programa\MSN Messenger\MsnMsgr.Exe" /background
    WebWasher = C:\ARCHIVOS DE PROGRAMA\WEBWASHER\WWASHER.EXE

    --------------------------------------------------

    File association entry for .EXE:
    HKEY_CLASSES_ROOT\exefile\shell\open\command

    (Default) = C:\WINDOWS\SYSTEM\XPVIEWREP.PIF "%1" %*

    --------------------------------------------------

    File association entry for .COM:
    HKEY_CLASSES_ROOT\comfile\shell\open\command

    (Default) = C:\WINDOWS\SYSTEM\XPVIEWREP.PIF "%1" %*

    --------------------------------------------------

    File association entry for .BAT:
    HKEY_CLASSES_ROOT\batfile\shell\open\command

    (Default) = C:\WINDOWS\SYSTEM\XPVIEWREP.PIF "%1" %*

    --------------------------------------------------

    File association entry for .PIF:
    HKEY_CLASSES_ROOT\piffile\shell\open\command

    (Default) = C:\WINDOWS\SYSTEM\XPVIEWREP.PIF "%1" %*

    --------------------------------------------------

    File association entry for .SCR:
    HKEY_CLASSES_ROOT\scrfile\shell\open\command

    (Default) = C:\WINDOWS\SYSTEM\XPVIEWREP.PIF "%1" /S

    --------------------------------------------------

    File association entry for .TXT:
    HKEY_CLASSES_ROOT\txtfile\shell\open\command

    (Default) = C:\WINDOWS\NOTEPAD.EXE %1

    --------------------------------------------------

    Load/Run keys from C:\WINDOWS\WIN.INI:

    load=ptsnoop.exe
    run=

    --------------------------------------------------

    Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

    Shell=Explorer.exe
    SCRNSAVE.EXE=
    drivers=mmsystem.dll power.drv

    --------------------------------------------------

    C:\WINDOWS\WININIT.BAK listing:
    (Created 10/7/2004, 11:25:32)

    [rename]
    nul=C:\WINDOWS\TEMP\~e5d141.tmp

    --------------------------------------------------

    C:\AUTOEXEC.BAT listing:

    C:\ARCHIV~1\PERAV\PERVACD.EXE /BOOT
    mode con codepage prepare=((850) C:\WINDOWS\COMMAND\ega.cpi)
    mode con codepage select=850
    keyb la,,C:\WINDOWS\COMMAND\keyboard.sys
    SET PATH=%PATH%;C:\ARCHIV~1\ARCHIV~1\AUTODE~1

    --------------------------------------------------


    Enumerating Browser Helper Objects:

    SpywareGuard Download Protection - C:\ARCHIVOS DE PROGRAMA\SPYWAREGUARD\DLPROTECT.DLL - {4A368E80-174F-4872-96B5-0B27DDD11DB2}

    --------------------------------------------------

    Enumerating Task Scheduler jobs:

    Optimización del inicio de aplicaciones.job

    --------------------------------------------------

    Enumerating Download Program Files:

    [Update Class]
    InProcServer32 = C:\WINDOWS\SYSTEM\IUCTL.DLL
    CODEBASE = http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?38122.701724537

    [MessengerStatsClient Class]
    InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\MESSENGERSTATSCLIENT.DLL
    CODEBASE = http://messenger.zone.msn.com/binary/MessengerStatsClient.cab28177.cab

    [FileSharingCtrl Class]
    InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\FSMSNGR-ES.DLL
    CODEBASE = http://appdirectory.messenger.msn.com/AppDirectory/P4Apps/FileSharing/es/filesharingctrl.cab

    [{0000000A-0000-0010-8000-00AA00389B71}]
    CODEBASE = http://download.microsoft.com/download/d/4/4/d446e8a9-3a86-4b59-bb19-f5bd11b40367/wmavax.CAB

    [MSN Photo Upload Tool]
    InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\MSNPUPLD.DLL
    CODEBASE = http://sc.groups.msn.com/controls/PhotoUC/MsnPUpld.cab

    [Shockwave Flash Object]
    InProcServer32 = C:\WINDOWS\SYSTEM\MACROMED\FLASH\FLASH.OCX
    CODEBASE = http://fpdownload.macromedia.com/get/shockwave/cabs/flash/swflash.cab

    [Solitaire Showdown Class]
    InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\SOLITAIRESHOWDOWN.DLL
    CODEBASE = http://messenger.zone.msn.com/binary/SolitaireShowdown.cab28578.cab

    [ActiveScan Installer Class]
    InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\ASINST.DLL
    CODEBASE = http://www.pandasoftware.com/activescan/as5/asinst.cab

    --------------------------------------------------

    Enumerating ShellServiceObjectDelayLoad items:

    WebCheck: C:\WINDOWS\SYSTEM\WEBCHECK.DLL

    --------------------------------------------------
    End of report, 8,863 bytes
    Report generated in 0.246 seconds
     
  3. bigc73542

    bigc73542 Retired Moderator

    Joined:
    Sep 21, 2003
    Posts:
    23,934
    Location:
    SW. Oklahoma
    Re: unable to repair worm

    You might want to get the latest HJT at the link and repost your log with the newer version.
     
  4. snowbound

    snowbound Retired Moderator

    Joined:
    Feb 18, 2003
    Posts:
    8,723
    Location:
    The Big Smoke
    Re: unable to repair worm

    Hi melian :)

    What you have posted is your StartupList.

    The experts will need a HijackThis log. ;)

    Also, I moved your thread to the appropriate forum.


    snowbound
     
  5. snowbound

    snowbound Retired Moderator

    Joined:
    Feb 18, 2003
    Posts:
    8,723
    Location:
    The Big Smoke
    Re: unable to repair worm

    Oops, bigc beat me to it. :p



    snowbound
     
  6. melian

    melian Registered Member

    Joined:
    Apr 16, 2004
    Posts:
    23
    Location:
    Arequipa-Peru
    HijackThis

    Sorry for the mistake... but I've just downloaded it. BTW, thanks for the link... and everything goes just fine till I click on Scan; after that the program won't answer and I have to restart it...
     
  7. bigc73542

    bigc73542 Retired Moderator

    Joined:
    Sep 21, 2003
    Posts:
    23,934
    Location:
    SW. Oklahoma
    Re: unable to repair worm

    You might reboot your computer and then try. ;)
     
  8. melian

    melian Registered Member

    Joined:
    Apr 16, 2004
    Posts:
    23
    Location:
    Arequipa-Peru
    HijackThis log (finally!!!!)

    OK, it finally answered. Here's the log:
    Again, thanks for your help... That was FAST!!!

    Logfile of HijackThis v1.97.7
    Scan saved at 09:04:56 p.m., on 11/07/04
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\ARCHIVOS DE PROGRAMA\ARCHIVOS COMUNES\SYSTEM\MOSEARCH\BIN\MOSEARCH.EXE
    C:\ARCHIVOS DE PROGRAMA\ARCHIVOS COMUNES\MICROSOFT SHARED\VS7DEBUG\MDM.EXE
    C:\ARCHIVOS DE PROGRAMA\PERAV\PAV.EXE
    C:\ARCHIVOS DE PROGRAMA\SYGATE\SPF\SMC.EXE
    C:\ARCHIVOS DE PROGRAMA\ARCHIVOS COMUNES\EPSON\EBAPI\SAGENT2.EXE
    D:\ALWIL SOFTWARE\AVAST4\ASHSERV.EXE
    C:\ARCHIVOS DE PROGRAMA\PERAV\PERVAC.EXE
    C:\ARCHIVOS DE PROGRAMA\PERAV\PERTSK.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\PSTORES.EXE
    C:\WINDOWS\SYSTEM\RPCSS.EXE
    C:\WINDOWS\SYSTEM\ISUNINST38.EXE
    C:\WINDOWS\SYSTEM\IPCLEAN503.COM
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\PTSNOOP.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\MIXER.EXE
    C:\WINDOWS\LOADQM.EXE
    C:\WINDOWS\SYSTEM\E_S10IC1.EXE
    C:\WINDOWS\SVSHOTS.EXE
    C:\WINDOWS\SYSTEM\CTFMON.EXE
    C:\ARCHIVOS DE PROGRAMA\DESKTOP ARCHITECT\DATRAY.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\ARCHIVOS DE PROGRAMA\MSN MESSENGER\MSNMSGR.EXE
    C:\ARCHIVOS DE PROGRAMA\WEBWASHER\WWASHER.EXE
    C:\ARCHIVOS DE PROGRAMA\WEBSHOTS\WEBSHOTSTRAY.EXE
    C:\ARCHIVOS DE PROGRAMA\SPYWAREGUARD\SGMAIN.EXE
    C:\ARCHIVOS DE PROGRAMA\SAMSUNG\DIGIMAX VIEWER 1.0\DIGIMAXVIEWER.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\WINDOWS\SYSTEM\XPVIEWREP.PIF
    C:\ARCHIVOS DE PROGRAMA\SPYWAREGUARD\SGBHP.EXE
    C:\ARCHIVOS DE PROGRAMA\INTERNET EXPLORER\IEXPLORE.EXE
    D:\HIJACKTHIS\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.es/0SEESES/SAOS01
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
    F1 - win.ini: load=ptsnoop.exe
    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\ARCHIVOS DE PROGRAMA\SPYWAREGUARD\DLPROTECT.DLL
    O3 - Toolbar: Barra de Herramientas MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\PROGRAM FILES\MSN TOOLBAR\01.01.1629.0\ES\MSNTB.DLL
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O3 - Toolbar: Copernic Agent - {F2E259E8-0FC8-438C-A6E0-342DD80FA53E} - C:\Archivos de programa\Copernic Agent\CopernicAgentExt.dll
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
    O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
    O4 - HKLM\..\Run: [WinampAgent] "C:\ARCHIVOS DE PROGRAMA\WINAMP\WINAMPa.exe"
    O4 - HKLM\..\Run: [SmcService] C:\ARCHIV~1\SYGATE\SPF\SMC.EXE -startgui
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [EPSON Stylus C42 Series] C:\WINDOWS\SYSTEM\E_S10IC1.EXE /P23 "EPSON Stylus C42 Series" /O5 "LPT1:" /M "Stylus C42"
    O4 - HKLM\..\Run: [XPVIEWREP] C:\WINDOWS\SYSTEM\XPVIEWREP.PIF
    O4 - HKLM\..\Run: [svshots] C:\WINDOWS\svshots.exe
    O4 - HKLM\..\Run: [ashMaiSv] D:\ALWILS~1\AVAST4\ashmaisv.exe
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [MOSearch] C:\ARCHIV~1\ARCHIV~1\SYSTEM\MOSEARCH\BIN\MOSEARCH.EXE
    O4 - HKLM\..\RunServices: [MDM7] "C:\ARCHIVOS DE PROGRAMA\ARCHIVOS COMUNES\MICROSOFT SHARED\VS7DEBUG\MDM.EXE"
    O4 - HKLM\..\RunServices: [PAV.EXE] C:\ARCHIV~1\PERAV\PAV.EXE
    O4 - HKLM\..\RunServices: [SmcService] C:\ARCHIVOS DE PROGRAMA\SYGATE\SPF\SMC.EXE
    O4 - HKLM\..\RunServices: [SAgent2ExePath] C:\Archivos de programa\Archivos comunes\EPSON\EBAPI\SAgent2.exe
    O4 - HKLM\..\RunServices: [avast!] D:\Alwil Software\Avast4\ashServ.exe
    O4 - HKCU\..\Run: [Desktop Architect] "C:\ARCHIVOS DE PROGRAMA\DESKTOP ARCHITECT\DATRAY.EXE" -S
    O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Archivos de programa\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [WebWasher] C:\ARCHIVOS DE PROGRAMA\WEBWASHER\WWASHER.EXE
    O4 - Startup: Webshots.lnk = C:\Archivos de programa\Webshots\WebshotsTray.exe
    O4 - Startup: Microsoft Office.lnk = C:\Archivos de programa\Microsoft Office\Office10\OSA.EXE
    O4 - Startup: SpywareGuard.lnk = C:\Archivos de programa\SpywareGuard\sgmain.exe
    O4 - Startup: PER Antivirus.lnk = C:\Archivos de programa\Perav\PAV.EXE
    O4 - Startup: Digimax Viewer 1.0.lnk = C:\Archivos de programa\Samsung\Digimax Viewer 1.0\DigimaxViewer.exe
    O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\ARCHIV~1\MICROS~1\OFFICE10\EXCEL.EXE/3000
    O8 - Extra context menu item: Add to filterlist (WebWasher) - http://-Web.Washer-/ie_add
    O8 - Extra context menu item: Realizar la búsqueda utilizando Copernic Agent - C:\Archivos de programa\Copernic Agent\Web\SearchExt.htm
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra 'Tools' menuitem: Ejecutar Copernic Agent (HKLM)
    O9 - Extra button: Copernic Agent (HKLM)
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?38122.701724537
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab28177.cab
    O16 - DPF: {C4660846-8760-4852-8154-82438E33E383} (FileSharingCtrl Class) - http://appdirectory.messenger.msn.com/AppDirectory/P4Apps/FileSharing/es/filesharingctrl.cab
    O16 - DPF: {0000000A-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/d/4/4/d446e8a9-3a86-4b59-bb19-f5bd11b40367/wmavax.CAB
    O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://sc.groups.msn.com/controls/PhotoUC/MsnPUpld.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab28578.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
     
  9. melian

    melian Registered Member

    Joined:
    Apr 16, 2004
    Posts:
    23
    Location:
    Arequipa-Peru
    It's still here

    Hi there:
    I do understand there are lots of requests for help here, so I've been trying to fix this thing by myself. I downloaded Spybot yesterday and it found some stuff, but I'm still having problems using the internet: almost every site is shown with errors, and I can't use online antivirus scanners because they are suddenly interrupted, and if I try to visit their site again I get an error notice.
    It's kind of messy here... but I'll keep waiting for advice.
    So thanks to all the people giving time to this forum for helping computer-illiterate people like me.
     
  10. melian

    melian Registered Member

    Joined:
    Apr 16, 2004
    Posts:
    23
    Location:
    Arequipa-Peru
    no response since 9/7

    Hi there:
    I posted a request for help eleven days ago, but had no answer. I know that many people ask for help on this site, so I'm trying again. Here's the HijackThis log:
    Thanks a lot!!!

    Logfile of HijackThis v1.98.0
    Scan saved at 11:23:09 a.m., on 20/07/04
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\ARCHIVOS DE PROGRAMA\ARCHIVOS COMUNES\SYSTEM\MOSEARCH\BIN\MOSEARCH.EXE
    C:\ARCHIVOS DE PROGRAMA\ARCHIVOS COMUNES\MICROSOFT SHARED\VS7DEBUG\MDM.EXE
    C:\ARCHIVOS DE PROGRAMA\SYGATE\SPF\SMC.EXE
    C:\ARCHIVOS DE PROGRAMA\ARCHIVOS COMUNES\EPSON\EBAPI\SAGENT2.EXE
    D:\ALWIL SOFTWARE\AVAST4\ASHSERV.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\PSTORES.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\RPCSS.EXE
    C:\WINDOWS\PTSNOOP.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\MIXER.EXE
    C:\WINDOWS\LOADQM.EXE
    C:\WINDOWS\SYSTEM\E_S10IC1.EXE
    C:\WINDOWS\SYSTEM\XPVIEWREP.PIF
    C:\WINDOWS\SVSHOTS.EXE
    D:\ALWIL SOFTWARE\AVAST4\ASHMAISV.EXE
    C:\ARCHIVOS DE PROGRAMA\DESKTOP ARCHITECT\DATRAY.EXE
    C:\WINDOWS\SYSTEM\CTFMON.EXE
    C:\ARCHIVOS DE PROGRAMA\MSN MESSENGER\MSNMSGR.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\ARCHIVOS DE PROGRAMA\WEBWASHER\WWASHER.EXE
    C:\ARCHIVOS DE PROGRAMA\WEBSHOTS\WEBSHOTSTRAY.EXE
    C:\ARCHIVOS DE PROGRAMA\SPYWAREGUARD\SGMAIN.EXE
    C:\WINDOWS\SYSTEM\ISUNINST38.EXE
    C:\WINDOWS\SYSTEM\IPCLEAN503.COM
    C:\ARCHIVOS DE PROGRAMA\SPYWAREGUARD\SGBHP.EXE
    C:\ARCHIVOS DE PROGRAMA\HIJACKTHIS\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.es/0SEESES/SAOS01
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
    F1 - win.ini: load=ptsnoop.exe
    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\ARCHIVOS DE PROGRAMA\SPYWAREGUARD\DLPROTECT.DLL
    O3 - Toolbar: Barra de Herramientas MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\PROGRAM FILES\MSN TOOLBAR\01.01.1629.0\ES\MSNTB.DLL
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O3 - Toolbar: Copernic Agent - {F2E259E8-0FC8-438C-A6E0-342DD80FA53E} - C:\Archivos de programa\Copernic Agent\CopernicAgentExt.dll
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
    O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
    O4 - HKLM\..\Run: [WinampAgent] "C:\ARCHIVOS DE PROGRAMA\WINAMP\WINAMPa.exe"
    O4 - HKLM\..\Run: [SmcService] C:\ARCHIV~1\SYGATE\SPF\SMC.EXE -startgui
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [EPSON Stylus C42 Series] C:\WINDOWS\SYSTEM\E_S10IC1.EXE /P23 "EPSON Stylus C42 Series" /O5 "LPT1:" /M "Stylus C42"
    O4 - HKLM\..\Run: [XPVIEWREP] C:\WINDOWS\SYSTEM\XPVIEWREP.PIF
    O4 - HKLM\..\Run: [svshots] C:\WINDOWS\svshots.exe
    O4 - HKLM\..\Run: [ashMaiSv] D:\ALWILS~1\AVAST4\ashmaisv.exe
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [MOSearch] C:\ARCHIV~1\ARCHIV~1\SYSTEM\MOSEARCH\BIN\MOSEARCH.EXE
    O4 - HKLM\..\RunServices: [MDM7] "C:\ARCHIVOS DE PROGRAMA\ARCHIVOS COMUNES\MICROSOFT SHARED\VS7DEBUG\MDM.EXE"
    O4 - HKLM\..\RunServices: [PAV.EXE] C:\ARCHIV~1\PERAV\PAV.EXE
    O4 - HKLM\..\RunServices: [SmcService] C:\ARCHIVOS DE PROGRAMA\SYGATE\SPF\SMC.EXE
    O4 - HKLM\..\RunServices: [SAgent2ExePath] C:\Archivos de programa\Archivos comunes\EPSON\EBAPI\SAgent2.exe
    O4 - HKLM\..\RunServices: [avast!] D:\Alwil Software\Avast4\ashServ.exe
    O4 - HKCU\..\Run: [Desktop Architect] "C:\ARCHIVOS DE PROGRAMA\DESKTOP ARCHITECT\DATRAY.EXE" -S
    O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Archivos de programa\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [WebWasher] C:\ARCHIVOS DE PROGRAMA\WEBWASHER\WWASHER.EXE
    O4 - Startup: Webshots.lnk = C:\Archivos de programa\Webshots\WebshotsTray.exe
    O4 - Startup: Microsoft Office.lnk = C:\Archivos de programa\Microsoft Office\Office10\OSA.EXE
    O4 - Startup: SpywareGuard.lnk = C:\Archivos de programa\SpywareGuard\sgmain.exe
    O4 - Startup: PER Antivirus.lnk = C:\Archivos de programa\Perav\PAV.EXE
    O4 - Startup: Digimax Viewer 1.0.pif = C:\ARCHIV~1\COMMIT.EXE
    O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\ARCHIV~1\MICROS~1\OFFICE10\EXCEL.EXE/3000
    O8 - Extra context menu item: Add to filterlist (WebWasher) - http://-Web.Washer-/ie_add
    O8 - Extra context menu item: Realizar la búsqueda utilizando Copernic Agent - C:\Archivos de programa\Copernic Agent\Web\SearchExt.htm
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra button: (no name) - {193B17B0-7C9F-4D5B-AEAB-8D3605EFC084} - C:\ARCHIVOS DE PROGRAMA\COPERNIC AGENT\COPERNICAGENT.EXE
    O9 - Extra 'Tools' menuitem: Ejecutar Copernic Agent - {193B17B0-7C9F-4D5B-AEAB-8D3605EFC084} - C:\ARCHIVOS DE PROGRAMA\COPERNIC AGENT\COPERNICAGENT.EXE
    O9 - Extra button: Copernic Agent - {688DC797-DC11-46A7-9F1B-445F4F58CE6E} - C:\ARCHIVOS DE PROGRAMA\COPERNIC AGENT\COPERNICAGENT.EXE
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab28177.cab
    O16 - DPF: {C4660846-8760-4852-8154-82438E33E383} (FileSharingCtrl Class) - http://appdirectory.messenger.msn.com/AppDirectory/P4Apps/FileSharing/es/filesharingctrl.cab
    O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://sc.groups.msn.com/controls/PhotoUC/MsnPUpld.cab
    O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab28578.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
    O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.alken.nl/scan/Msie/bitdefender.cab
     
  11. snapdragin

    snapdragin Registered Member

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    Hi Melian,

    The reason for no responses may be due to the fact that there have been several posts in your thread already, and it may have looked like someone was working on your log.

    Is this the newly reformatted computer? I'm noticing a few different entries from the last time you had problems. But there is one entry in particular I am suspicious of.

    Can you locate this file in the Windows folder and upload it to Kaspersky for a scan?

    C:\WINDOWS\svshots.exe

    Let me know what the Kaspersky scan says about it, please.

    Also, can you zip up a copy of it and email it to submit@diamondcs.com.au for analysis? Please include a link to this thread in the email message.

    Regards,

    snap
     
  12. IMM

    IMM Spyware Fighter

    Joined:
    May 6, 2004
    Posts:
    351
    This one from your first log has me curious as well:
    XPVIEWREP.PIF
     
  13. melian

    melian Registered Member

    Joined:
    Apr 16, 2004
    Posts:
    23
    Location:
    Arequipa-Peru
    Done!

    Hey there:
    Thanks a lot for answering. I know that there are many, many, many requests for help here; I guess that's why you aren't receiving HijackThis logs anymore. It must be a huge job, so I wanted to thank you for taking time to answer mine :D
    BTW Snap, yes, this is the computer I got reformatted last time.
    Well, I did what you told me to, and this is what Kaspersky said:

    Scanned file: svshots.exe

    svshots.exe - packed with UPX
    svshots.exe - infected by Backdoor.VB.rj


    Statistics:
    Known viruses: 93589 Updated: 21-07-2004
    File size (Kb): 18 Virus bodies: 1
    Files: 2 Warnings: 0
    Archives: 0 Suspicious: 0


    Scanned file: XPVIEWREP.PIF

    XPVIEWREP.PIF - packed with UPX
    XPVIEWREP.PIF - infected by Worm.P2P.Capside.c


    Statistics:
    Known viruses: 93589 Updated: 21-07-2004
    File size (Kb): 41 Virus bodies: 1
    Files: 2 Warnings: 0
    Archives: 0 Suspicious: 0
     
  14. snapdragin

    snapdragin Registered Member

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    Hi melian,

    IMM, yep, I was wondering about that XPVIEWREP.PIF too.

    The 'XPVIEWREP.PIF' looks like it could be a new variant of Worm.P2P.Capside. Could you also submit a zipped copy of the "XPVIEWREP.PIF" file to the email address I mentioned in my earlier post?

    These were the others that I wasn't able to find any information on. Do you recognize them? If not, can you go to the files, right-click on them, choose "Properties" and check under the tabs to see what information is there to help identify what they are for? If there is nothing under their Properties to identify them, then include them (zipped) also for submission.

    C:\WINDOWS\SYSTEM\ISUNINST38.EXE
    C:\WINDOWS\SYSTEM\IPCLEAN503.COM
    O4 - Startup: Digimax Viewer 1.0.pif = C:\ARCHIV~1\COMMIT.EXE <--this one is probably in the C:\ARCHIVOS DE PROGRAMA folder.


    Bring up your Task Manager (ctrl+alt+del keys) and end the running processes for 'svshots.exe' and 'XPVIEWREP.PIF'.

    Then in HijackThis, place a check beside the following items.
    Close ALL browsers and any open programs/windows, except HijackThis, and click *Fix checked:

    O4 - HKLM\..\Run: [XPVIEWREP] C:\WINDOWS\SYSTEM\XPVIEWREP.PIF
    O4 - HKLM\..\Run: [svshots] C:\WINDOWS\svshots.exe

    Reboot your computer into Safe Mode by tapping the F8 key just before windows begins to load.

    Then find and delete the following file:
    C:\WINDOWS\svshots.exe

    At the moment, I don't want to say delete the XPVIEWREP.PIF file since it shows file associations in the AdAware scan. It may not have any effect, and the on-line scan may remove it cleanly.

    Reboot your computer back into normal mode, and do a full system scan at http://housecall.trendmicro.com/

    You should be able to get to an on-line scan site now.

    Then post a new Hijackthis log here in your next reply.

    Regards,

    snap
     
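The "DOS window whenever a program starts" symptom in the first post is explained by the File association entries in the StartupList report in post #2: exefile, comfile, batfile, piffile and scrfile all route through C:\WINDOWS\SYSTEM\XPVIEWREP.PIF, so the worm runs first on every launch and then hands off to the real target. The removal steps in the post above fix the two Run entries but leave those associations in place, which is why snap holds off on deleting the .PIF. The script below is an added example, not something posted in this thread or shipped with HijackThis: it parses the association blocks out of a StartupList-style report, flags any class whose handler is not the stock Windows 9x value, and writes a REGEDIT4 fragment that restores the defaults. The embedded report text is constructed from the entries in post #2, the function names are my own, and the stock handler strings are the Windows 98 defaults.

```python
"""Flag hijacked file-association handlers in a StartupList-style report and
emit a REGEDIT4 fragment that restores the Windows 9x defaults.

Added example for this thread, not a tool the posters used.  Function names
and the embedded report text are constructed for illustration.
"""
import re

# Stock Windows 9x handlers for the five classes StartupList enumerates.
# A worm that rewrites these is invoked on every .exe/.com/.bat/.pif/.scr
# launch and then passes "%1" on to the real program, which is why a DOS
# box flashes up whenever anything starts.
DEFAULT_HANDLERS = {
    "exefile": '"%1" %*',
    "comfile": '"%1" %*',
    "batfile": '"%1" %*',
    "piffile": '"%1" %*',
    "scrfile": '"%1" /S',
}

# Matches the two-line block StartupList prints for each association:
#   HKEY_CLASSES_ROOT\exefile\shell\open\command
#   (Default) = <handler command>
ASSOC_RE = re.compile(
    r"HKEY_CLASSES_ROOT\\(?P<cls>\w+)\\shell\\open\\command"
    r"\s+\(Default\)\s*=\s*(?P<cmd>.+)",
    re.IGNORECASE,
)

# Constructed sample input, copied from the association entries in post #2.
SAMPLE_REPORT = r"""
HKEY_CLASSES_ROOT\exefile\shell\open\command
(Default) = C:\WINDOWS\SYSTEM\XPVIEWREP.PIF "%1" %*

HKEY_CLASSES_ROOT\comfile\shell\open\command
(Default) = C:\WINDOWS\SYSTEM\XPVIEWREP.PIF "%1" %*

HKEY_CLASSES_ROOT\batfile\shell\open\command
(Default) = C:\WINDOWS\SYSTEM\XPVIEWREP.PIF "%1" %*

HKEY_CLASSES_ROOT\piffile\shell\open\command
(Default) = C:\WINDOWS\SYSTEM\XPVIEWREP.PIF "%1" %*

HKEY_CLASSES_ROOT\scrfile\shell\open\command
(Default) = C:\WINDOWS\SYSTEM\XPVIEWREP.PIF "%1" /S

HKEY_CLASSES_ROOT\txtfile\shell\open\command
(Default) = C:\WINDOWS\NOTEPAD.EXE %1
"""


def parse_associations(report):
    """Return {class_name: handler_command} for every block in the report."""
    return {m.group("cls").lower(): m.group("cmd").strip()
            for m in ASSOC_RE.finditer(report)}


def hijacked_handlers(report):
    """Return {class: (found, expected)} for classes not at the stock default."""
    return {cls: (cmd, DEFAULT_HANDLERS[cls])
            for cls, cmd in parse_associations(report).items()
            if cls in DEFAULT_HANDLERS and cmd != DEFAULT_HANDLERS[cls]}


def hijacker_paths(report):
    """Distinct files the hijacked handlers run before the real target."""
    # A hijacked handler looks like '<path> "%1" ...'; the path precedes "%1".
    return {cmd.split('"%1"')[0].strip()
            for cmd, _ in hijacked_handlers(report).values()}


def restore_reg(report):
    """REGEDIT4 text putting each hijacked class back to its default.

    REGEDIT4 is the header Win9x regedit expects; inside a .reg string
    value, backslashes and double quotes must be escaped.
    """
    lines = ["REGEDIT4", ""]
    for cls, (_, default) in sorted(hijacked_handlers(report).items()):
        escaped = default.replace("\\", "\\\\").replace('"', '\\"')
        lines += [f"[HKEY_CLASSES_ROOT\\{cls}\\shell\\open\\command]",
                  f'@="{escaped}"', ""]
    return "\n".join(lines)


if __name__ == "__main__":
    for cls, (found, expected) in sorted(hijacked_handlers(SAMPLE_REPORT).items()):
        print(f"{cls}: {found!r}  (expected {expected!r})")
    print("hijacker file(s):", ", ".join(sorted(hijacker_paths(SAMPLE_REPORT))))
    print(restore_reg(SAMPLE_REPORT))
```

Order matters when cleaning a box like this one: import the generated .reg with regedit before deleting XPVIEWREP.PIF. Until the associations are restored, every .exe/.com/.bat/.pif/.scr launch still goes through the worm file, and once that file is gone nothing starts, regedit included. Only classes the report shows as hijacked end up in the fragment, so txtfile (still at its stock NOTEPAD.EXE handler) is left alone.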
  15. melian

    melian Registered Member

    Joined:
    Apr 16, 2004
    Posts:
    23
    Location:
    Arequipa-Peru
    Hi Snap:
    Sorry it took so long, I had the flu and couldn't reach the computer...
    I've been trying to run HijackThis for the last two hours, but it doesn't work. It opens normally, but after I click on the Scan button it gets stuck on "O15 Trusted Zone enumeration" and doesn't answer after that. :s Is there any other way to make it work? Maybe run it from DOS or something similar...
    BTW, I checked the Properties tab of the items you told me about and there was nothing about them; I'm sending them to DiamondCS right away.

    Thanks for everything ;)

    Melian
     
  16. snapdragin

    snapdragin Registered Member

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    Hi Melian,

    Try and run Hijackthis while in Safe Mode.

    Regards,

    snap
     