Hola a todos,
mi problema es el siguiente, espero no ponerme pesado pero a lo mejor os facilita la tarea: Hace unos días me entró el
Spysheriff maldito. Seguí vuestras indicaciones y conseguí arreglar el fondo
de escritorio, pero siguen apareciendo las aspas rojas y blancas, y además el pc va muuuy lento (ni es capaz de completar
una pasada de Adaware o de Spybot SD,asi que supongo que tendré mas basura). Lo peor es que si abro alguna carpeta
de C:/, al rato aparece un mensaje que me dice que se va a descargar "kernels32.exe". Yo cancelo la descarga, pero al
hacerlo desaparecen todos los iconos de escritorio e incluso el menú Inicio, así que no ppuedo hacer otra cosa que reiniciar. He probado a repetir vuestro método,
pero todo sigue igual...Mi problema añadido es que no puedo reiniciar en "modo seguro",al meter mi contraseña de cuenta
me dice que no la reconoce (es pc de empresa, así que me imagino que mi cuenta no tiene privilegios de administrador,
aunque sí puedo instalar programas, por ejemplo...)
Os mando mi log para ver si me podeis echar una mano...en cuanto a lo de modo seguro, no se si hay alguna manera de que
entre, o si es imprescindible para la reparación...
Muchas gracias adelantadas y a ver si me sacais del apuro!!

Logfile of HijackThis v1.99.1
Scan saved at 1:39:05, on 01/09/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\System32\kernels32.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
c:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\PROGRA~1\epa.epa\EPASER~2.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRAM FILES\ATI TECHNOLOGIES\ATI CONTROL PANEL\ATIPTAXX.EXE
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\WINDOWS\System32\RunDll32.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\TpScrLk.exe
C:\WINDOWS\System32\TpShocks.exe
C:\PROGRA~1\SYMANT~1\SYMANT~2\IAMAPP.EXE
C:\WINDOWS\system32\svcnt32.exe
C:\WINDOWS\System32\explorer6s4.exe
C:\WINDOWS\tool3.exe
C:\windows\system32\mdms.exe
C:\Program Files\myLearning_mobile\docentmobile.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\vxh8jkdq2.exe
C:\WINDOWS\System32\sysvcs.exe
C:\Program Files\Microsoft Office\Office10\msoffice.exe
C:\WINDOWS\system32\userinit.exe
C:\Program Files\HJT\HijackThis.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
c:\Program Files\Symantec_Client_Security\Symantec Client Firewall\NISUM.EXE
c:\Program Files\Symantec_Client_Security\Symantec Client Firewall\SymPxSvc.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://195.95.218.172/index.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://shdocvn.dll/blank.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://195.95.218.172/index.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://195.95.218.172/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://195.95.218.172/index.php
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://127.0.0.1:8624/docent/mobile/SQN%3D8274/?CMD=LOGIN&USER=Administrator&RETURN_URL=http%3A//127.0.0.1%3A8624/docent/mobile/SQN%253D8274/%3FCMD%3DLOGIN%26USER%3DAdministrator%26DEST%3D/_shared/mobile&DEST=/_shared/mobile
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,AutoConfigURL = http://uksetproxy.ggr.co.uk/proxy.pac
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\System32\kernels32.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {B75F75B8-93F3-429D-FF34-660B206D897A} - C:\WINDOWS\System32\zolker010.dll
O2 - BHO: ZToolbar Activator Class - {FFF5092F-7172-4018-827B-FA5868FB0478} - C:\WINDOWS\System32\ztoolb010.dll
O3 - Toolbar: ZToolbar - {A6790AA5-C6C7-4BCF-A46D-0FDAC4EA90EB} - C:\WINDOWS\System32\ztoolb010.dll
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIPTA] C:\PROGRAM FILES\ATI TECHNOLOGIES\ATI CONTROL PANEL\ATIPTAXX.EXE
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPw rMonitor
O4 - HKLM\..\Run: [BMMLREF] C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE
O4 - HKLM\..\Run: [BMMMONWND] rundll32.exe C:\PROGRA~1\ThinkPad\UTILIT~1\BatInfEx.dll,BMMAuto nomicMonitor
O4 - HKLM\..\Run: [TPKBDLED] C:\WINDOWS\System32\TpScrLk.exe
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [iamapp] c:\PROGRA~1\SYMANT~1\SYMANT~2\IAMAPP.EXE
O4 - HKLM\..\Run: [Start Page] C:\WINDOWS\system32\svcnt32.exe home
O4 - HKLM\..\Run: [Service] C:\WINDOWS\System32\service.exe
O4 - HKLM\..\Run: [System] C:\WINDOWS\System32\kernels32.exe
O4 - HKLM\..\Run: [Explorer32] C:\WINDOWS\System32\explorer6s4.exe
O4 - HKLM\..\Run: [msresearch] C:\WINDOWS\tool3.exe
O4 - HKLM\..\Run: [SysMemory manager] c:\windows\system32\mdms.exe
O4 - HKLM\..\Run: [winsock32] msupdate32.exe
O4 - HKLM\..\Run: [PayTime] C:\WINDOWS\System32\paytime.exe
O4 - HKLM\..\Run: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
O4 - HKCU\..\Run: [myLearningMobile] C:\Program Files\myLearning_mobile\docentmobile.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [SNInstall] C:\WINDOWS\System32\vxh8jkdq2.exe
O4 - HKCU\..\Run: [aupd] C:\WINDOWS\System32\sysvcs.exe
O4 - HKCU\..\Run: [Shell] "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe"
O4 - HKCU\..\Run: [PayTime] C:\WINDOWS\System32\paytime.exe
O4 - Global Startup: Microsoft Office Shortcut Bar.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\PLUGINS\NPDocBox.dll
O15 - Trusted Zone: *.asdbiz.biz
O15 - Trusted Zone: *.blazefind.com
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.flingstone.com
O15 - Trusted Zone: http://iwha.gsk.com
O15 - Trusted Zone: http://iwhsa.gsk.com
O15 - Trusted Zone: http://iwhta.gsk.com
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.my-internet.info
O15 - Trusted Zone: *.searchbarcash.com
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.skoobidoo.com
O15 - Trusted Zone: *.slotch.com
O15 - Trusted Zone: *.slotchbar.com
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.xxxtoolbar.com
O15 - Trusted Zone: *.asdbiz.biz (HKLM)
O15 - Trusted Zone: *.blazefind.com (HKLM)
O15 - Trusted Zone: *.clickspring.net (HKLM)
O15 - Trusted Zone: *.flingstone.com (HKLM)
O15 - Trusted Zone: *.mt-download.com (HKLM)
O15 - Trusted Zone: *.my-internet.info (HKLM)
O15 - Trusted Zone: *.searchbarcash.com (HKLM)
O15 - Trusted Zone: *.searchmiracle.com (HKLM)
O15 - Trusted Zone: *.skoobidoo.com (HKLM)
O15 - Trusted Zone: *.slotch.com (HKLM)
O15 - Trusted Zone: *.slotchbar.com (HKLM)
O15 - Trusted Zone: *.windupdates.com (HKLM)
O15 - Trusted Zone: *.xxxtoolbar.com (HKLM)
O15 - Trusted IP range: 67.19.178.84
O15 - Trusted IP range: 67.19.178.84 (HKLM)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = gweuame.corpnet1.com
O17 - HKLM\Software\..\Telephony: DomainName = gweuame.corpnet1.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = gweuame.corpnet1.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = spain.glaxo,ggr.co.uk,gsk.com,sb.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = spain.glaxo,ggr.co.uk,gsk.com,sb.com
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O21 - SSODL: hp print screen utility - {5E7CF01C-6CDF-50AA-547D-057D9086A211} - c:\program files\hewlett-packard\hp print screen utility\uninstall\wuucanj5.dll
O23 - Service: ACU Configuration Service (ACS) - Unknown owner - C:\WINDOWS\System32\acs.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - c:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: EPAService - Unknown owner - C:\PROGRA~1\epa.epa\EPASER~2.EXE
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe
O23 - Service: Symantec Client Firewall Service (NISSERV) - Symantec Corporation - c:\Program Files\Symantec_Client_Security\Symantec Client Firewall\NISSERV.EXE
O23 - Service: Symantec Client Firewall Accounts Manager (NISUM) - Symantec Corporation - c:\Program Files\Symantec_Client_Security\Symantec Client Firewall\NISUM.EXE
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: OracleOraHome817ClientCache - Unknown owner - C:\ORACLE\ORA817\bin\ONRSD.EXE
O23 - Service: Symantec Client Firewall Proxy Service (SymPxSvc) - Symantec Corporation - c:\Program Files\Symantec_Client_Security\Symantec Client Firewall\SymPxSvc.exe

Hola , te doy la bienvenida al Foro de InfoSpyware.

Seguí estos pasos para: Eliminar SpySheriff

Tambien usa la herramienta TZ-Kill.inf

Después nos comentas los resultados en este mismo mensaje.

Salu2

Hola otra vez, y gracias por responder tan rápido!
He seguido tus indicaciones, al pasar el TzKill el log de Hijack ha cambiado, creo que para bien
(es el que adjunto al final). Lamentablemente, al seguir las instrucciones para eliminar el Spysheriff
no ha habido tanta suerte y todo sigue como estaba...o sea, muy mal. Espero que el log sirva de ayuda...

Por si es importante,te recuerdo mi dificultad para entrar en modo a prueba de fallos (ver primer mensaje)

Gracias de nuevo, cruzo los dedos!

PD. Ojeando vuestra pagina, encontré un caso parecido (http://www.forospyware.com/t9315.html), y hablabas de usar el "Ewido Security Suite).Lo digo por si te vale de inspiración...



Logfile of HijackThis v1.99.1
Scan saved at 18:27:18, on 01/09/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\PROGRA~1\epa.epa\EPASER~2.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\Program Files\Symantec_Client_Security\Symantec Client Firewall\NISUM.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
c:\Program Files\Symantec_Client_Security\Symantec Client Firewall\NISSERV.EXE
c:\Program Files\Symantec_Client_Security\Symantec Client Firewall\SymPxSvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\System32\kernels32.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\WINDOWS\System32\vxh8jkdq2.exe
C:\WINDOWS\System32\vxh8jkdq6.exe
C:\WINDOWS\System32\vxh8jkdq7.exe
C:\WINDOWS\System32\maxd1.exe
C:\PROGRAM FILES\ATI TECHNOLOGIES\ATI CONTROL PANEL\ATIPTAXX.EXE
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\WINDOWS\System32\RunDll32.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\TpShocks.exe
C:\WINDOWS\System32\TpScrLk.exe
C:\PROGRA~1\SYMANT~1\SYMANT~2\IAMAPP.EXE
C:\WINDOWS\System32\explorer6s4.exe
C:\windows\system32\mdms.exe
C:\WINDOWS\system32\svcnt32.exe
C:\Program Files\myLearning_mobile\docentmobile.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\vxh8jkdq2.exe
C:\WINDOWS\System32\sysvcs.exe
C:\WINDOWS\system32\userinit.exe
C:\Program Files\esia\srmn.exe
C:\Program Files\Microsoft Office\Office10\msoffice.exe
C:\Program Files\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://195.95.218.172/index.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://shdocvn.dll/blank.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://195.95.218.172/index.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://195.95.218.172/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://195.95.218.172/index.php
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://127.0.0.1:8624/docent/mobile/SQN%3D8274/?CMD=LOGIN&USER=Administrator&RETURN_URL=http%3A//127.0.0.1%3A8624/docent/mobile/SQN%253D8274/%3FCMD%3DLOGIN%26USER%3DAdministrator%26DEST%3D/_shared/mobile&DEST=/_shared/mobile
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,AutoConfigURL = http://uksetproxy.ggr.co.uk/proxy.pac
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\System32\kernels32.exe
O1 - Hosts: 213.222.11.6 auto.search.msn.com
O1 - Hosts: 213.222.11.6 ieautosearch
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {B75F75B8-93F3-429D-FF34-660B206D897A} - C:\WINDOWS\System32\zolker010.dll
O2 - BHO: ZToolbar Activator Class - {FFF5092F-7172-4018-827B-FA5868FB0478} - C:\WINDOWS\System32\ztoolb010.dll
O3 - Toolbar: ZToolbar - {A6790AA5-C6C7-4BCF-A46D-0FDAC4EA90EB} - C:\WINDOWS\System32\ztoolb010.dll
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIPTA] C:\PROGRAM FILES\ATI TECHNOLOGIES\ATI CONTROL PANEL\ATIPTAXX.EXE
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPw rMonitor
O4 - HKLM\..\Run: [BMMLREF] C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE
O4 - HKLM\..\Run: [BMMMONWND] rundll32.exe C:\PROGRA~1\ThinkPad\UTILIT~1\BatInfEx.dll,BMMAuto nomicMonitor
O4 - HKLM\..\Run: [TPKBDLED] C:\WINDOWS\System32\TpScrLk.exe
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [iamapp] c:\PROGRA~1\SYMANT~1\SYMANT~2\IAMAPP.EXE
O4 - HKLM\..\Run: [Start Page] C:\WINDOWS\system32\svcnt32.exe home
O4 - HKLM\..\Run: [Service] C:\WINDOWS\System32\service.exe
O4 - HKLM\..\Run: [System] C:\WINDOWS\System32\kernels32.exe
O4 - HKLM\..\Run: [Explorer32] C:\WINDOWS\System32\explorer6s4.exe
O4 - HKLM\..\Run: [msresearch] C:\WINDOWS\tool3.exe
O4 - HKLM\..\Run: [SysMemory manager] c:\windows\system32\mdms.exe
O4 - HKLM\..\Run: [winsock32] msupdate32.exe
O4 - HKLM\..\Run: [PayTime] C:\WINDOWS\System32\paytime.exe
O4 - HKLM\..\Run: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
O4 - HKCU\..\Run: [myLearningMobile] C:\Program Files\myLearning_mobile\docentmobile.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [SNInstall] C:\WINDOWS\System32\vxh8jkdq2.exe
O4 - HKCU\..\Run: [aupd] C:\WINDOWS\System32\sysvcs.exe
O4 - HKCU\..\Run: [Shell] "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe"
O4 - HKCU\..\Run: [PayTime] C:\WINDOWS\System32\paytime.exe
O4 - HKCU\..\Run: [Dotc] C:\Program Files\esia\srmn.exe
O4 - Global Startup: Microsoft Office Shortcut Bar.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\PLUGINS\NPDocBox.dll
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsInstaller.cab?refid=4725
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = gweuame.corpnet1.com
O17 - HKLM\Software\..\Telephony: DomainName = gweuame.corpnet1.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = gweuame.corpnet1.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = spain.glaxo,ggr.co.uk,gsk.com,sb.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = spain.glaxo,ggr.co.uk,gsk.com,sb.com
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O21 - SSODL: hp print screen utility - {5E7CF01C-6CDF-50AA-547D-057D9086A211} - c:\program files\hewlett-packard\hp print screen utility\uninstall\wuucanj5.dll
O23 - Service: ACU Configuration Service (ACS) - Unknown owner - C:\WINDOWS\System32\acs.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - c:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: EPAService - Unknown owner - C:\PROGRA~1\epa.epa\EPASER~2.EXE
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe
O23 - Service: Symantec Client Firewall Service (NISSERV) - Symantec Corporation - c:\Program Files\Symantec_Client_Security\Symantec Client Firewall\NISSERV.EXE
O23 - Service: Symantec Client Firewall Accounts Manager (NISUM) - Symantec Corporation - c:\Program Files\Symantec_Client_Security\Symantec Client Firewall\NISUM.EXE
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: OracleOraHome817ClientCache - Unknown owner - C:\ORACLE\ORA817\bin\ONRSD.EXE
O23 - Service: Symantec Client Firewall Proxy Service (SymPxSvc) - Symantec Corporation - c:\Program Files\Symantec_Client_Security\Symantec Client Firewall\SymPxSvc.exe

Hola roofmelon, la cosa va mejorando pero aun tenes lo mas peligroso en el sistema.

Usastes la herrameinta DelSpySheriff.bat pasalo en modo normal, reinicia y nos contas los resultados junto a otro log de HJT.

Salu2

Bueeeno, algo ha mejorado la cosa, tras hacer lo que me decias, por fin he conseguido poder pasar el adaware, que me ha borrado muchas cosillas malas (por lo visto, tambien tenia el PSGuard). El problema gordo que se me ha quedado es que en cuanto abro C:/ DESAPARECEN TODOS LOS ICONOS DE ESCRITORIO E INCLUSO LA BARRA DE INICIO, asi que tengo que reiniciar. Tambien sigue la famosa cruz blanca sobre fondo rojo.
Otra cosa que he visto es que ya no se ejecuta el kernels 32...
Te mando el nuevo log, los O15 vuelven a aparecer...

Muuuchas gracias!!

Logfile of HijackThis v1.99.1
Scan saved at 2:51:35, on 02/09/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
c:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\PROGRAM FILES\ATI TECHNOLOGIES\ATI CONTROL PANEL\ATIPTAXX.EXE
C:\PROGRA~1\epa.epa\EPASER~2.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\WINDOWS\System32\RunDll32.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\TpScrLk.exe
C:\WINDOWS\System32\TpShocks.exe
C:\PROGRA~1\SYMANT~1\SYMANT~2\IAMAPP.EXE
C:\WINDOWS\System32\explorer6s4.exe
C:\windows\system32\mdms.exe
C:\Program Files\myLearning_mobile\docentmobile.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\vxh8jkdq2.exe
C:\WINDOWS\System32\sysvcs.exe
C:\Program Files\esia\srmn.exe
C:\Program Files\Microsoft Office\Office10\msoffice.exe
C:\WINDOWS\system32\userinit.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
c:\Program Files\Symantec_Client_Security\Symantec Client Firewall\NISUM.EXE
c:\Program Files\Symantec_Client_Security\Symantec Client Firewall\SymPxSvc.exe
c:\Program Files\Symantec_Client_Security\Symantec Client Firewall\NISSERV.EXE
C:\Program Files\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://195.95.218.172/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://195.95.218.172/index.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://195.95.218.172/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://195.95.218.172/index.php
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://127.0.0.1:8624/docent/mobile/SQN%3D8274/?CMD=LOGIN&USER=Administrator&RETURN_URL=http%3A//127.0.0.1%3A8624/docent/mobile/SQN%253D8274/%3FCMD%3DLOGIN%26USER%3DAdministrator%26DEST%3D/_shared/mobile&DEST=/_shared/mobile
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,AutoConfigURL = http://uksetproxy.ggr.co.uk/proxy.pac
O1 - Hosts: 213.222.11.6 auto.search.msn.com
O1 - Hosts: 213.222.11.6 ieautosearch
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIPTA] C:\PROGRAM FILES\ATI TECHNOLOGIES\ATI CONTROL PANEL\ATIPTAXX.EXE
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPw rMonitor
O4 - HKLM\..\Run: [BMMLREF] C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE
O4 - HKLM\..\Run: [BMMMONWND] rundll32.exe C:\PROGRA~1\ThinkPad\UTILIT~1\BatInfEx.dll,BMMAuto nomicMonitor
O4 - HKLM\..\Run: [TPKBDLED] C:\WINDOWS\System32\TpScrLk.exe
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [iamapp] c:\PROGRA~1\SYMANT~1\SYMANT~2\IAMAPP.EXE
O4 - HKLM\..\Run: [Start Page] C:\WINDOWS\system32\svcnt32.exe home
O4 - HKLM\..\Run: [Service] C:\WINDOWS\System32\service.exe
O4 - HKLM\..\Run: [Explorer32] C:\WINDOWS\System32\explorer6s4.exe
O4 - HKLM\..\Run: [msresearch] C:\WINDOWS\tool3.exe
O4 - HKLM\..\Run: [SysMemory manager] c:\windows\system32\mdms.exe
O4 - HKLM\..\Run: [winsock32] msupdate32.exe
O4 - HKLM\..\Run: [PayTime] C:\WINDOWS\System32\paytime.exe
O4 - HKLM\..\Run: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
O4 - HKCU\..\Run: [myLearningMobile] C:\Program Files\myLearning_mobile\docentmobile.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [SNInstall] C:\WINDOWS\System32\vxh8jkdq2.exe
O4 - HKCU\..\Run: [aupd] C:\WINDOWS\System32\sysvcs.exe
O4 - HKCU\..\Run: [Shell] "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe"
O4 - HKCU\..\Run: [PayTime] C:\WINDOWS\System32\paytime.exe
O4 - HKCU\..\Run: [Dotc] C:\Program Files\esia\srmn.exe
O4 - Global Startup: Microsoft Office Shortcut Bar.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\PLUGINS\NPDocBox.dll
O15 - Trusted Zone: *.asdbiz.biz
O15 - Trusted Zone: *.skoobidoo.com
O15 - Trusted Zone: *.slotchbar.com
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.asdbiz.biz (HKLM)
O15 - Trusted Zone: *.skoobidoo.com (HKLM)
O15 - Trusted Zone: *.slotchbar.com (HKLM)
O15 - Trusted Zone: *.windupdates.com (HKLM)
O15 - Trusted IP range: 67.19.178.84
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = gweuame.corpnet1.com
O17 - HKLM\Software\..\Telephony: DomainName = gweuame.corpnet1.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = gweuame.corpnet1.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = spain.glaxo,ggr.co.uk,gsk.com,sb.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = spain.glaxo,ggr.co.uk,gsk.com,sb.com
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O21 - SSODL: hp print screen utility - {5E7CF01C-6CDF-50AA-547D-057D9086A211} - c:\program files\hewlett-packard\hp print screen utility\uninstall\wuucanj5.dll
O23 - Service: ACU Configuration Service (ACS) - Unknown owner - C:\WINDOWS\System32\acs.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - c:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: EPAService - Unknown owner - C:\PROGRA~1\epa.epa\EPASER~2.EXE
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe
O23 - Service: Symantec Client Firewall Service (NISSERV) - Symantec Corporation - c:\Program Files\Symantec_Client_Security\Symantec Client Firewall\NISSERV.EXE
O23 - Service: Symantec Client Firewall Accounts Manager (NISUM) - Symantec Corporation - c:\Program Files\Symantec_Client_Security\Symantec Client Firewall\NISUM.EXE
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: OracleOraHome817ClientCache - Unknown owner - C:\ORACLE\ORA817\bin\ONRSD.EXE
O23 - Service: Symantec Client Firewall Proxy Service (SymPxSvc) - Symantec Corporation - c:\Program Files\Symantec_Client_Security\Symantec Client Firewall\SymPxSvc.exe

En ningun momento eh mencionado el Ad-Aware te estaba preguntando si ya habias pasado el DelSpySheriff.bat y en todo caso que lo hagas nuevamente

Salu2

Me temo que no me he explicado bien...queria decir que si que hice lo que me recomendabas, y a posteriori, pasé el adaware,porque el pc iba algo mejor y conseguia terminar el analisis. El log que hice despues de eso y los sintomas que aun tiene el pc son los que pongo en mi anterior mensaje.

Espero no haber hecho mal al pasar por mi cuenta el adaware... auna si, como ves, sigo necesitando ayuda....

Gracias!

Bien dejanos un nuevo log de HijackThis y estamos trabajando en una nueva version de la herramienta para eliminar Spysheriff automaticamente.

Salu2

Hay que ver que trabajito os doy...a ver si ahora se limpia todo

Logfile of HijackThis v1.99.1
Scan saved at 23:08:55, on 05/09/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\PROGRA~1\epa.epa\EPASER~2.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\Program Files\Symantec_Client_Security\Symantec Client Firewall\NISUM.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
c:\Program Files\Symantec_Client_Security\Symantec Client Firewall\SymPxSvc.exe
c:\Program Files\Symantec_Client_Security\Symantec Client Firewall\NISSERV.EXE
C:\WINDOWS\system32\Ati2evxx.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRAM FILES\ATI TECHNOLOGIES\ATI CONTROL PANEL\ATIPTAXX.EXE
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\WINDOWS\System32\RunDll32.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\TpScrLk.exe
C:\WINDOWS\System32\TpShocks.exe
C:\PROGRA~1\SYMANT~1\SYMANT~2\IAMAPP.EXE
C:\Program Files\myLearning_mobile\docentmobile.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\sysvcs.exe
C:\Program Files\Microsoft Office\Office10\msoffice.exe
c:\windows\system32\mdms.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\tsc.exe
C:\Program Files\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://195.95.218.172/index.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.forospyware.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://195.95.218.172/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://195.95.218.172/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://195.95.218.172/index.php
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://127.0.0.1:8624/docent/mobile/SQN%3D8274/?CMD=LOGIN&USER=Administrator&RETURN_URL=http%3A//127.0.0.1%3A8624/docent/mobile/SQN%253D8274/%3FCMD%3DLOGIN%26USER%3DAdministrator%26DEST%3D/_shared/mobile&DEST=/_shared/mobile
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,AutoConfigURL = http://uksetproxy.ggr.co.uk/proxy.pac
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIPTA] C:\PROGRAM FILES\ATI TECHNOLOGIES\ATI CONTROL PANEL\ATIPTAXX.EXE
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPw rMonitor
O4 - HKLM\..\Run: [BMMLREF] C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE
O4 - HKLM\..\Run: [BMMMONWND] rundll32.exe C:\PROGRA~1\ThinkPad\UTILIT~1\BatInfEx.dll,BMMAuto nomicMonitor
O4 - HKLM\..\Run: [TPKBDLED] C:\WINDOWS\System32\TpScrLk.exe
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [iamapp] c:\PROGRA~1\SYMANT~1\SYMANT~2\IAMAPP.EXE
O4 - HKLM\..\Run: [Start Page] C:\WINDOWS\system32\svcnt32.exe home
O4 - HKLM\..\Run: [Service] C:\WINDOWS\System32\service.exe
O4 - HKLM\..\Run: [Explorer32] C:\WINDOWS\System32\explorer6s4.exe
O4 - HKLM\..\Run: [SysMemory manager] c:\windows\system32\mdms.exe
O4 - HKLM\..\Run: [winsock32] msupdate32.exe
O4 - HKLM\..\Run: [PayTime] C:\WINDOWS\System32\paytime.exe
O4 - HKLM\..\Run: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
O4 - HKLM\..\Run: [Fast Search] C:\WINDOWS\system32\svcnv.exe home
O4 - HKCU\..\Run: [myLearningMobile] C:\Program Files\myLearning_mobile\docentmobile.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [SNInstall] C:\WINDOWS\System32\vxh8jkdq2.exe
O4 - HKCU\..\Run: [aupd] C:\WINDOWS\System32\sysvcs.exe
O4 - HKCU\..\Run: [PayTime] C:\WINDOWS\System32\paytime.exe
O4 - HKCU\..\Run: [Dotc] C:\Program Files\esia\srmn.exe
O4 - HKCU\..\Run: [Shell] "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00003.exe"
O4 - Global Startup: Microsoft Office Shortcut Bar.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\PLUGINS\NPDocBox.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = gweuame.corpnet1.com
O17 - HKLM\Software\..\Telephony: DomainName = gweuame.corpnet1.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = gweuame.corpnet1.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = spain.glaxo,ggr.co.uk,gsk.com,sb.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = spain.glaxo,ggr.co.uk,gsk.com,sb.com
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O21 - SSODL: hp print screen utility - {5E7CF01C-6CDF-50AA-547D-057D9086A211} - c:\program files\hewlett-packard\hp print screen utility\uninstall\wuucanj5.dll (file missing)
O21 - SSODL: System - {B5B88988-3B89-48FD-AEB4-7C9529CDDEF2} - ssmc.dll (file missing)
O23 - Service: ACU Configuration Service (ACS) - Unknown owner - C:\WINDOWS\System32\acs.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - c:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: EPAService - Unknown owner - C:\PROGRA~1\epa.epa\EPASER~2.EXE
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe
O23 - Service: Symantec Client Firewall Service (NISSERV) - Symantec Corporation - c:\Program Files\Symantec_Client_Security\Symantec Client Firewall\NISSERV.EXE
O23 - Service: Symantec Client Firewall Accounts Manager (NISUM) - Symantec Corporation - c:\Program Files\Symantec_Client_Security\Symantec Client Firewall\NISUM.EXE
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: OracleOraHome817ClientCache - Unknown owner - C:\ORACLE\ORA817\bin\ONRSD.EXE
O23 - Service: Symantec Client Firewall Proxy Service (SymPxSvc) - Symantec Corporation - c:\Program Files\Symantec_Client_Security\Symantec Client Firewall\SymPxSvc.exe


Y una vez mas, GRACIAS!

Bien, seguí estos pasos.

Paso 1- Apaga el "Restaurar Sistema"

Paso 2- Descarga el programa Ewido Security Suite 3.5 , Actualízalo pero no lo ejecutes aun.

Paso 3- Con todos los programas cerrados ejecuta el HijackThis y dale a estas entradas:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://195.95.218.172/index.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.forospyware.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://195.95.218.172/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://195.95.218.172/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://195.95.218.172/index.php
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://127.0.0.1:8624/docent/mobile/SQN%3D8274/?CMD=LOGIN&USER=Administrator&RETURN_URL=http%3A//127.0.0.1%3A8624/docent/mobile/SQN%253D8274/%3FCMD%3DLOGIN%26USER%3DAdministrator%26DEST%3D/_shared/mobile&DEST=/_shared/mobile
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,AutoConfigURL = http://uksetproxy.ggr.co.uk/proxy.pac

O4 - HKLM\..\Run: [Start Page] C:\WINDOWS\system32\svcnt32.exe home O4 - HKLM\..\Run: [Explorer32] C:\WINDOWS\System32\explorer6s4.exe
O4 - HKLM\..\Run: [SysMemory manager] c:\windows\system32\mdms.exe O4 - HKLM\..\Run: [winsock32] msupdate32.exe
O4 - HKLM\..\Run: [PayTime] C:\WINDOWS\System32\paytime.exe
O4 - HKLM\..\Run: [Fast Search] C:\WINDOWS\system32\svcnv.exe home

O4 - HKCU\..\Run: [SNInstall] C:\WINDOWS\System32\vxh8jkdq2.exe
O4 - HKCU\..\Run: [aupd] C:\WINDOWS\System32\sysvcs.exe
O4 - HKCU\..\Run: [PayTime] C:\WINDOWS\System32\paytime.exe


Paso 4- Sin reiniciar con el programa "KillBox" elimina estos archivos:

C:\WINDOWS\system32\svcnt32.exe home
C:\WINDOWS\System32\explorer6s4.exe
c:\windows\system32\mdms.exe
C:\WINDOWS\System32\paytime.exe
C:\WINDOWS\system32\svcnv.exe
C:\WINDOWS\System32\vxh8jkdq2.exe
C:\WINDOWS\System32\sysvcs.exe
C:\WINDOWS\System32\paytime.exe

Paso 5- Ejecuta Ewido Security Suite 3.5

Paso 6- Reinicia el sistema, descarga y ejecuta la nueva versión de SmitfraudFIX.bat

Paso 7- Usa el Disk Cleaner para limpiar cookies y temporales y RegSeeker para limpiar el registro de Win.

Reinicia y nos contas los resultados.

Salu2