Estimados todos,

como muchos tengo el problema del "RazeSpyware".

He seguido vuestros consejos y tengo los siguientes problemas:

- Durante la ejecución del AD-aware SE, éste deja de responder al detectar una infección.

- El Spy Bot se ejecuta correctamente aunque tarda muchas horas en terminar el análisis. Detecta posibles problemas y los soluciona.

- He pasado el Antivirus de Kapersky y también funcionó.

A todo esto, al volver a reiniciar a modo normal sigo con el ad de fondo en el escritorio.

Por favor, ¿alguien puede ayudarme?
Mil gracias.

Les dejo mi log:

Logfile of HijackThis v1.99.1
Scan saved at 13:07:30, on 7/27/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\SCardSvr.exe
C:\Program Files\BigFix Enterprise\BES Client\BESClient.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\SYSTEM32\DWRCS.EXE
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SYSTEM32\DWRCST.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\WINDOWS\system32\pctspk.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.es/
R3 - URLSearchHook: (no name) - {33708439-B96B-59E5-1BCA-01682995DB14} - CToolBar.dll (file missing)
O1 - Hosts: localhost 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: PDF de Adobe - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [U.S. Robotics Wireless Manager UI] C:\WINDOWS\system32\WLTRAY
O4 - HKLM\..\Run: [barint] scanSYS.exe
O4 - HKLM\..\Run: [abrek] srbho.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [EXE32EXE] Trayz.exe
O4 - HKCU\..\Run: [wormexe] nmdllw.exe
O4 - HKCU\..\Run: [LOPTCON] powerdll.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {06BCB763-52AE-4D22-981F-B7379FC892DF} (Siebel Option Pack for IE 7.5.3) - http://siebel.bmc.com/sales_eme/16278/applets/SiebelOptionPack.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {253A9D23-F982-11D4-8BE4-00D0B7E61414} (SiebelHTMLApplication Class) - http://siebel.bmc.com/sales_eme/16168/applets/siebelhtml.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1119439238119
O16 - DPF: {8F4F3368-54CA-4268-8225-0F4367472CF4} (MailClient Class) - http://siebel.bmc.com/sales_eme/16168/applets/SiebExtMailClient.cab
O16 - DPF: {9b935470-ad4a-11d5-b63e-00c04faedb18} - http://cww.bmc.com/internal/is/busapps/plas/doc/oajinit.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = adprod.bmc.com
O17 - HKLM\Software\..\Telephony: DomainName = adprod.bmc.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{07BA2998-8275-4FCA-81A7-D07F99411BD9}: NameServer = 85.255.116.59,85.255.112.188
O17 - HKLM\System\CCS\Services\Tcpip\..\{1A5F8E8E-4CE7-46C9-A028-40529DD6E162}: NameServer = 85.255.116.59,85.255.112.188
O17 - HKLM\System\CCS\Services\Tcpip\..\{543FF2D6-CE96-4D01-A206-1B8145DE123D}: NameServer = 85.255.116.59,85.255.112.188
O17 - HKLM\System\CCS\Services\Tcpip\..\{5856E1ED-D772-4A11-8884-B9BF279A8E2F}: NameServer = 85.255.116.59,85.255.112.188
O17 - HKLM\System\CCS\Services\Tcpip\..\{5CB4F071-1153-4EC7-B654-57B85C66DA52}: NameServer = 85.255.116.59,85.255.112.188
O17 - HKLM\System\CCS\Services\Tcpip\..\{A52E25BB-88AE-4F12-B7D2-00E9CB3F5713}: NameServer = 85.255.116.59,85.255.112.188
O17 - HKLM\System\CCS\Services\Tcpip\..\{B74545AF-F1E6-4823-9E32-3130644FE0D6}: NameServer = 85.255.116.59,85.255.112.188
O17 - HKLM\System\CCS\Services\Tcpip\..\{D76359BF-3BA6-4CAA-80AD-9FAD15B30089}: NameServer = 85.255.116.59,85.255.112.188
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = adprod.bmc.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.59 85.255.112.188
O17 - HKLM\System\CS1\Services\Tcpip\..\{07BA2998-8275-4FCA-81A7-D07F99411BD9}: NameServer = 85.255.116.59,85.255.112.188
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.59 85.255.112.188
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: BES Client (BESClient) - BigFix Inc. - C:\Program Files\BigFix Enterprise\BES Client\BESClient.exe
O23 - Service: DameWare Mini Remote Control (DWMRCS) - DameWare Development LLC - C:\WINDOWS\SYSTEM32\DWRCS.EXE
O23 - Service: Contivity VPN Service (ExtranetAccess) - Nortel Networks NA, Inc. - C:\Program Files\Nortel Networks\Extranet_serv.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Unknown owner - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe" /ServiceStart (file missing)
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: U.S. Robotics Wireless LAN Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

Sigue estos pasos:

1) Apaga Restaurar Sistema

2) Ver archivos ocultos

3) Reinicia a prueba de fallos

4) Ejecuta HijackThis con todos los programas cerrados y dale Fix checked a:

R3 - URLSearchHook: (no name) - {33708439-B96B-59E5-1BCA-01682995DB14} - CToolBar.dll (file missing)

O1 - Hosts: localhost 127.0.0.1

O4 - HKLM\..\Run: [barint] scanSYS.exe

O4 - HKLM\..\Run: [abrek] srbho.exe

O4 - HKCU\..\Run: [EXE32EXE] Trayz.exe

O4 - HKCU\..\Run: [wormexe] nmdllw.exe

O4 - HKCU\..\Run: [LOPTCON] powerdll.exe

O16 - DPF: {06BCB763-52AE-4D22-981F-B7379FC892DF} (Siebel Option Pack for IE 7.5.3) - http://siebel.bmc.com/sales_eme/16278/applets/SiebelOptionPack.cab

O16 - DPF: {253A9D23-F982-11D4-8BE4-00D0B7E61414} (SiebelHTMLApplication Class) - http://siebel.bmc.com/sales_eme/16168/applets/siebelhtml.cab

O16 - DPF: {8F4F3368-54CA-4268-8225-0F4367472CF4} (MailClient Class) - http://siebel.bmc.com/sales_eme/16168/applets/SiebExtMailClient.cab

O16 - DPF: {9b935470-ad4a-11d5-b63e-00c04faedb18} - http://cww.bmc.com/internal/is/busapps/plas/doc/oajinit.exe

O17 - HKLM\System\CCS\Services\Tcpip\..\{07BA2998-8275-4FCA-81A7-D07F99411BD9}: NameServer = 85.255.116.59,85.255.112.188
O17 - HKLM\System\CCS\Services\Tcpip\..\{1A5F8E8E-4CE7-46C9-A028-40529DD6E162}: NameServer = 85.255.116.59,85.255.112.188
O17 - HKLM\System\CCS\Services\Tcpip\..\{543FF2D6-CE96-4D01-A206-1B8145DE123D}: NameServer = 85.255.116.59,85.255.112.188
O17 - HKLM\System\CCS\Services\Tcpip\..\{5856E1ED-D772-4A11-8884-B9BF279A8E2F}: NameServer = 85.255.116.59,85.255.112.188
O17 - HKLM\System\CCS\Services\Tcpip\..\{5CB4F071-1153-4EC7-B654-57B85C66DA52}: NameServer = 85.255.116.59,85.255.112.188
O17 - HKLM\System\CCS\Services\Tcpip\..\{A52E25BB-88AE-4F12-B7D2-00E9CB3F5713}: NameServer = 85.255.116.59,85.255.112.188
O17 - HKLM\System\CCS\Services\Tcpip\..\{B74545AF-F1E6-4823-9E32-3130644FE0D6}: NameServer = 85.255.116.59,85.255.112.188
O17 - HKLM\System\CCS\Services\Tcpip\..\{D76359BF-3BA6-4CAA-80AD-9FAD15B30089}: NameServer = 85.255.116.59,85.255.112.188
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = adprod.bmc.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.59 85.255.112.188
O17 - HKLM\System\CS1\Services\Tcpip\..\{07BA2998-8275-4FCA-81A7-D07F99411BD9}: NameServer = 85.255.116.59,85.255.112.188
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.59 85.255.112.188

5) Busca y elimina estos archivos y/o carpetas con todo su contenido:

CToolBar.dll
scanSYS.exe
srbho.exe
Trayz.exe
nmdllw.exe
powerdll.exe

Para archivos que no se dejen eliminar usa KillBox

6) Reinicia normal y finaliza con estos pasos:

• Haz un analisis con Ewido Online y Panda ActiveScan
• Limpia el registro con RegSeeker y pasa Ad-Aware actualizado.
• Elimina cookies y temporales con Disk Cleaner y vacía la papelera.

Vuelve a reiniciar, deshaz los cambios 1) y 2) y nos cuentas los resultados.

Saludos

PD// Es posible que tras dar fix a las entradas O17 no puedas conectar a internet, en ese caso ve a las propiedades de tu conexion y en las propiedades de Protocolo Internet (TCP/IP) configura las direcciones del servidor DNS.

Ante todo muchas gracias por tu atención.

He seguido los pasos que me indicaste y me encuentro con los siguientes problemas:

5) los archivos no existen o no se encuentran

6)
- Ewido me detecta varios intrusos pero es incapaz de borrarlos

- Panda Active Scan me detecta los siguientes:



Adware:adware/winprotect No desinfectado c:\windows\help\SPAlert.chm
Adware:adware/sbsoft No desinfectado c:\windows\rdt.ini
Adware:adware/cws No desinfectado c:\documents and settings\all users\favorites\Online Pharmacy
Herramienta potencialmente no deseada:application/kill&clean No desinfectado HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\extensions\CmdMapping\{BF69DF00-2734-477F-8257-27CD04F88779}
Spyware:Cookie/ademails No desinfectado C:\Documents and Settings\sayats\Cookies\sayats@www.ademails[1].txt


¿¿No se si debo descargarme la versión de evaluación para borrarlos??


- Al pasar el RegSeeker se me cuelga al encontrar varias claves de registro inválidas.
- Ad aware también deja de responder al encontrar el primer intruso.


Continua el problema, la pantalla sigue con el ad.Te cuelgo el log...

Logfile of HijackThis v1.99.1
Scan saved at 20:24:33, on 7/28/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\SCardSvr.exe
C:\Program Files\BigFix Enterprise\BES Client\BESClient.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\SYSTEM32\DWRCS.EXE
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SYSTEM32\DWRCST.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\WINDOWS\system32\pctspk.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Apoint\Apntex.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.es/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: PDF de Adobe - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [U.S. Robotics Wireless Manager UI] C:\WINDOWS\system32\WLTRAY
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1119439238119
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = adprod.bmc.com
O17 - HKLM\Software\..\Telephony: DomainName = adprod.bmc.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = adprod.bmc.com
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: BES Client (BESClient) - BigFix Inc. - C:\Program Files\BigFix Enterprise\BES Client\BESClient.exe
O23 - Service: DameWare Mini Remote Control (DWMRCS) - DameWare Development LLC - C:\WINDOWS\SYSTEM32\DWRCS.EXE
O23 - Service: Contivity VPN Service (ExtranetAccess) - Nortel Networks NA, Inc. - C:\Program Files\Nortel Networks\Extranet_serv.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Unknown owner - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe" /ServiceStart (file missing)
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: U.S. Robotics Wireless LAN Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

Saludos

Prende la opción de Ver archivos ocultos y busca y elimina estos archivos:

c:\windows\help\SPAlert.chm
c:\windows\rdt.ini
c:\documents and settings\all users\favorites\Online Pharmacy

Desde el regedit, elimina:

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\extensions\CmdMapping\{BF69DF00-2734-477F-8257-27CD04F88779}

Descarga DelPSGuard v 4.1.3 y ejecutalo a prueba de fallos o en modo seguro.

Reinicia, nos dejas el reporte de DelPSGuard y nos cuentas los resultados.

Saludos

Nada..., sigo con el fondo del escritorio en blanco; el cursor se activa a "modo de enlace" al pasearlo por el escritorio.

El reporte del Delpsguard:
DelPSGuard v 4.1.3
Escaneo a las: 10:58:45,43, lun 07/31/2006
SO:


»»»»»»»»»»»» Carpetas y Archivos infectados »»»»»»»»»»»»


»»»»»»»»»»»» Programas Malwares »»»»»»»»»»»»



»»»»»»»»»»»» FIN »»»»»»»»»»»»

Por si te sirve de algo...el log del hijackthis:

Logfile of HijackThis v1.99.1
Scan saved at 11:42:38, on 7/31/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\SCardSvr.exe
C:\Program Files\BigFix Enterprise\BES Client\BESClient.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\SYSTEM32\DWRCS.EXE
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SYSTEM32\DWRCST.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\WINDOWS\system32\pctspk.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Apoint\Apntex.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.forospyware.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: PDF de Adobe - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [U.S. Robotics Wireless Manager UI] C:\WINDOWS\system32\WLTRAY
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1119439238119
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {C1BAC744-8F0B-11D0-89E7-00C0A8295197} (Cameractl Class) - http://www.crtvg.es/camweb/camera.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = adprod.bmc.com
O17 - HKLM\Software\..\Telephony: DomainName = adprod.bmc.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = adprod.bmc.com
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: BES Client (BESClient) - BigFix Inc. - C:\Program Files\BigFix Enterprise\BES Client\BESClient.exe
O23 - Service: DameWare Mini Remote Control (DWMRCS) - DameWare Development LLC - C:\WINDOWS\SYSTEM32\DWRCS.EXE
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: Contivity VPN Service (ExtranetAccess) - Nortel Networks NA, Inc. - C:\Program Files\Nortel Networks\Extranet_serv.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Unknown owner - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe" /ServiceStart (file missing)
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: U.S. Robotics Wireless LAN Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE


Alguna sugerencia?

Gracias por lo ayuda!!

El log lo veo limpio.

Sobre el escritorio, da clic derecho en un lugar vacío del escritorio y selecciona Propiedades, ve a la pestaña Escritorio y pulsa en Personalizar escritorio, ve a la pestaña Web y asegurate de que esté desmarcada la casilla Mi pagina de inicio actual.

Haz un analisis con Ewido Online y Kaspersky Online y nos copias aca los reportes a ver qué muestran.

Saludos

Tienes razón, paree que tras seguir tus indicaciones todo marcha ok.

Ahí van los reportes de los antivirus:

ewido anti-spyware online scanner
http://www.ewido.net
__________________________________________________


Name: Downloader.Agent.uj
Path: [1756] VM_00D70000
Risk: High

Name: Downloader.Agent.uj
Path: [1780] VM_00B20000
Risk: High

Name: Downloader.Agent.uj
Path: [384] VM_00980000
Risk: High

Name: Downloader.Agent.uj
Path: [560] VM_00900000
Risk: High

Name: Downloader.Agent.uj
Path: [892] VM_003F0000
Risk: High

Name: Downloader.Agent.uj
Path: [3548] VM_00900000
Risk: High

Name: Downloader.Agent.uj
Path: [3596] VM_009B0000
Risk: High

Al desinfectar no puede con todos, según mensaje instantáneo. No se si es a propósito para que te descargues el programa de evaluación.

El del kaspersky:

Tuesday, August 01, 2006 10:36:34 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 1/08/2006
Kaspersky Anti-Virus database records: 198891


Scan Settings
Scan using the following antivirus database standard
Scan Archives true
Scan Mail Bases true

Scan Target Critical Areas
C:\WINDOWS
C:\DOCUME~1\sayats\LOCALS~1\Temp\

Scan Statistics
Total number of scanned objects 14092
Number of viruses found 0
Number of infected objects 0 / 0
Number of suspicious objects 0
Duration of the scan process 00:26:27

Infected Object Name Virus Name Last Action
C:\WINDOWS\CSC\00000001 Object is locked skipped

C:\WINDOWS\Debug\Netlogon.log Object is locked skipped

C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped

C:\WINDOWS\SchedLgU.Txt Object is locked skipped

C:\WINDOWS\SoftwareDistribution\ReportingEvents.lo g Object is locked skipped

C:\WINDOWS\Sti_Trace.log Object is locked skipped

C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped

C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped

C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\default Object is locked skipped

C:\WINDOWS\system32\config\default.LOG Object is locked skipped

C:\WINDOWS\system32\config\SAM Object is locked skipped

C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped

C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\SECURITY Object is locked skipped

C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped

C:\WINDOWS\system32\config\software Object is locked skipped

C:\WINDOWS\system32\config\software.LOG Object is locked skipped

C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\system Object is locked skipped

C:\WINDOWS\system32\config\system.LOG Object is locked skipped

C:\WINDOWS\system32\h323log.txt Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MA P Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MA P Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DAT A Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped

C:\WINDOWS\Temp\Perflib_Perfdata_108.dat Object is locked skipped

C:\WINDOWS\wiadebug.log Object is locked skipped

C:\WINDOWS\wiaservc.log Object is locked skipped

C:\WINDOWS\WindowsUpdate.log Object is locked skipped

C:\DOCUME~1\sayats\LOCALS~1\Temp\hpodvd09.log Object is locked skipped

C:\DOCUME~1\sayats\LOCALS~1\Temp\Perflib_Perfdata_ dd8.dat Object is locked skipped

C:\DOCUME~1\sayats\LOCALS~1\Temp\~DFF217.tmp Object is locked skipped

Scan process completed.


Gracias de nuevo por tu trabajo.

saludos

Bueno, ewido no dice en que lugar detecto las infecciones, pero provablemente solo sean archivos temporales o falsos positivos, ya que Kaspersky no detectó nada.

Así que si todo marcha bien, damos el tema por solucionado.

Saludos

Solo agradecerte a ti y a éste foro la solución que se me fue dada.
Seguid así, cumpliendo con vuestra razón de ser

Un abrazo