Buenas,

El antivirus que tengo (McAfee) me ha detectado el virus Vundo.dll que cada vez que reinicio se regenera.

Buscando en forospyware los pasos a seguir para eliminarlo está en: http://www.forospyware.com/t14727.html . La duda que tengo es que una vez que he descargado los programas necesarios, comentan que no los ejecute y luego el paso 3 si que me dice que los intale, los actulice y ejecute. Perdonar mi ignorancia, pero el paso 3 habría que hacerlo una vez reiniciado en modo prueba de fallos el ordenador? Si es que si, en un portátil como se realiza el reinicio a modo de prueba de fallos?

Espero que me podrais resolver la duda.
Gracias.

Saludos.

hola buenas!!

hola Comotu bienvenido al foro

Descargalas y actualizalas en modo normal, ,para despues pasarlas en modo a prueba de fallos <-- aqui te indica como hacerlo (creo que te servira,,si no ejecutalas en modo normal ) , cualquier otra duda nos comentas,,cuando termines los pasos recuerda dejarnos los reportes,y comentarnos como sigues con el problema

Así lo haré... ahora empiezo los pasos a seguir... gracias por la bienvenida. Es el primer post que he puesto y espero que los siguientes sean para solucionar a los demás

Desearme suerte

Buenas otra vez,

Despues de muchos sudores al final lo he conseguido.

Tuve que pasar dos veces el SuperAntiSpyware para que me lo eliminase, porque los otros programas de la lista no encontraban nada y al reiniciar en modo normal volvía a resurgir.

El programa VirtumundoBeGone va bien? Me reiniciaba el windows siempre, y en modo de prueba de fallos me salio una bonita pantalla azul :)

Luego he ido navegando un rato a ver si me salía algún ventana de anuncio WinAntivirus Pro 2006 o un tal Doctor, pero ninguno por ahora.

Lo unico que me pasa dos cosas:
1 - Al utilizar el CCleaner, chequeé las opciones avanzadas de la pestaña de Windows y ahora los iconos del escritorio no se mantienen en la posición que le indico al realizar un F5 (refresco) o un reinicio.
2 - He pasado el Kaspersky on-line y me detecta esto:

C:\WINDOWS\system32\rqrstrr.dll.vir Infectados: not-a-virus:AdWare.Win32.Virtumonde.ij saltado

He pasado el McAfee pero na! Tendré que pensar en cambiar de antivirus.

Muchas gracias por la gran ayuda.

Saludos.

hola dejanos los reportes de las diferentes herramientas que pasaste,,
# DelPSGuard
# VundoFix.exe
# VirtumundoBeGone
#el reporte de Panda

,,descarga "FileASSASSIN"(con la opción "Use la función de borrado normal") y elimina ese archivo.

Te pasteo todo los reports aquí? Viva mi ignorancia.

sip asi pueden pasar a revisarlos

1º Pase SuperAntiSpyware
----------------------------------------------------
SUPERAntiSpyware Scan Log
Generated 04/10/2007 at 02:33 AM

Application Version : 3.6.1000

Core Rules Database Version : 3215
Trace Rules Database Version: 1225

Scan type : Complete Scan
Total Scan Time : 00:46:37

Memory items scanned : 489
Memory threats detected : 1
Registry items scanned : 5134
Registry threats detected : 9
File items scanned : 37404
File threats detected : 17

Unclassified.Unknown Origin/System
C:\WINDOWS\SYSTEM32\GEEBX.DLL
C:\WINDOWS\SYSTEM32\GEEBX.DLL
Software\Microsoft\Windows NT\CurrentVersion\WinLogon\Notify\geebx

Unclassified.Unknown Origin
HKLM\Software\Classes\CLSID\{57E218E6-5A80-4f0c-AB25-83598F25D7E9}
HKLM\Software\Microsoft\Windows\CurrentVersion\Exp lorer\Browser Helper Objects\{57E218E6-5A80-4f0c-AB25-83598F25D7E9}
HKCR\CLSID\{57E218E6-5A80-4F0C-AB25-83598F25D7E9}

Adware.Vundo Variant
HKLM\Software\Classes\CLSID\{A43008A6-3E80-4D5F-BDDF-8766DCA144B9}
HKCR\CLSID\{A43008A6-3E80-4D5F-BDDF-8766DCA144B9}
HKCR\CLSID\{A43008A6-3E80-4D5F-BDDF-8766DCA144B9}\InprocServer32
HKCR\CLSID\{A43008A6-3E80-4D5F-BDDF-8766DCA144B9}\InprocServer32#ThreadingModel
HKLM\Software\Microsoft\Windows\CurrentVersion\Exp lorer\Browser Helper Objects\{A43008A6-3E80-4D5F-BDDF-8766DCA144B9}

Adware.Tracking Cookie
C:\Documents and Settings\DJLG\Cookies\diego_jesús@mediaplex[1].txt
C:\Documents and Settings\DJLG\Cookies\diego_jesús@tradedoubler[2].txt
C:\Documents and Settings\DJLG\Cookies\diego_jesús@stats1.reliables tats[1].txt
C:\Documents and Settings\DJLG\Cookies\diego_jesús@msnportal.112.2o 7[1].txt
C:\Documents and Settings\DJLG\Cookies\diego_jesús@indexstats[2].txt
C:\Documents and Settings\DJLG\Cookies\diego_jesús@es.drivecleaner[2].txt
C:\Documents and Settings\DJLG\Cookies\diego_jesús@www.winantivirus[1].txt
C:\Documents and Settings\DJLG\Cookies\diego_jesús@drivecleaner[2].txt
C:\Documents and Settings\DJLG\Cookies\diego_jesús@login.tracking10 1[2].txt
C:\Documents and Settings\DJLG\Cookies\diego_jesús@cpvfeed[2].txt
C:\Documents and Settings\DJLG\Cookies\diego_jesús@es.winantivirus[1].txt
C:\Documents and Settings\DJLG\Cookies\diego_jesús@www.amaena[1].txt
C:\Documents and Settings\DJLG\Cookies\diego_jesús@www.etracker[1].txt
C:\Documents and Settings\DJLG\Cookies\diego_jesús@www.drivecleaner[2].txt
C:\Documents and Settings\DJLG\Cookies\diego_jesús@adopt.euroclick[2].txt
C:\Documents and Settings\DJLG\Cookies\diego_jesús@winantivirus[1].txt



2º Pase SuperAntiSpyware
----------------------------------------------------
SUPERAntiSpyware Scan Log
Generated 04/10/2007 at 12:51 PM

Application Version : 3.6.1000

Core Rules Database Version : 3215
Trace Rules Database Version: 1225

Scan type : Complete Scan
Total Scan Time : 00:12:21

Memory items scanned : 472
Memory threats detected : 4
Registry items scanned : 5135
Registry threats detected : 12
File items scanned : 3532
File threats detected : 12

Unclassified.Unknown Origin/System
C:\WINDOWS\SYSTEM32\MLJGF.DLL
C:\WINDOWS\SYSTEM32\MLJGF.DLL

Adware.Vundo Variant
C:\WINDOWS\SYSTEM32\AWTSR.DLL
C:\WINDOWS\SYSTEM32\AWTSR.DLL
HKLM\Software\Classes\CLSID\{8D0C1539-CFFE-4E48-8994-6E022EBB1055}
HKCR\CLSID\{8D0C1539-CFFE-4E48-8994-6E022EBB1055}
HKCR\CLSID\{8D0C1539-CFFE-4E48-8994-6E022EBB1055}\InprocServer32
HKCR\CLSID\{8D0C1539-CFFE-4E48-8994-6E022EBB1055}\InprocServer32#ThreadingModel
HKLM\Software\Microsoft\Windows\CurrentVersion\Exp lorer\Browser Helper Objects\{8D0C1539-CFFE-4E48-8994-6E022EBB1055}
Software\Microsoft\Windows NT\CurrentVersion\WinLogon\Notify\awtsr

Trojan.WinFixer
C:\WINDOWS\SYSTEM32\PMNLL.DLL
C:\WINDOWS\SYSTEM32\PMNLL.DLL

Trojan.Virtumonde/Resident
C:\WINDOWS\SYSTEM32\WPRAADQB.DLL
C:\WINDOWS\SYSTEM32\WPRAADQB.DLL

Unclassified.Unknown Origin
HKLM\Software\Classes\CLSID\{57E218E6-5A80-4f0c-AB25-83598F25D7E9}
HKCR\CLSID\{57E218E6-5A80-4F0C-AB25-83598F25D7E9}
HKCR\CLSID\{57E218E6-5A80-4F0C-AB25-83598F25D7E9}\InprocServer32
HKCR\CLSID\{57E218E6-5A80-4F0C-AB25-83598F25D7E9}\InprocServer32#ThreadingModel
HKLM\Software\Microsoft\Windows\CurrentVersion\Exp lorer\Browser Helper Objects\{57E218E6-5A80-4f0c-AB25-83598F25D7E9}
HKCR\CLSID\{57E218E6-5A80-4F0C-AB25-83598F25D7E9}

Adware.Tracking Cookie
C:\Documents and Settings\DJLG\Cookies\diego_jesús@go.drivecleaner[1].txt
C:\Documents and Settings\DJLG\Cookies\diego_jesús@mediaplex[1].txt
C:\Documents and Settings\DJLG\Cookies\diego_jesús@es.drivecleaner[1].txt
C:\Documents and Settings\DJLG\Cookies\diego_jesús@go.drivecleaner[3].txt
C:\Documents and Settings\DJLG\Cookies\diego_jesús@drivecleaner[2].txt
C:\Documents and Settings\DJLG\Cookies\diego_jesús@klik.klikadverti sing[1].txt
C:\Documents and Settings\DJLG\Cookies\diego_jesús@www.amaena[1].txt
C:\Documents and Settings\DJLG\Cookies\diego_jesús@www.drivecleaner[2].txt


3º Pase SuperAntiSpyware
----------------------------------------------------
SUPERAntiSpyware Scan Log
Generated 04/10/2007 at 03:02 PM

Application Version : 3.6.1000

Core Rules Database Version : 3215
Trace Rules Database Version: 1225

Scan type : Complete Scan
Total Scan Time : 00:33:53

Memory items scanned : 217
Memory threats detected : 0
Registry items scanned : 5130
Registry threats detected : 4
File items scanned : 37434
File threats detected : 2

Adware.Vundo Variant
HKLM\Software\Classes\CLSID\{3F20797C-E32F-4FEB-82BF-7920A15B25A4}
HKCR\CLSID\{3F20797C-E32F-4FEB-82BF-7920A15B25A4}
HKCR\CLSID\{3F20797C-E32F-4FEB-82BF-7920A15B25A4}\InprocServer32
HKCR\CLSID\{3F20797C-E32F-4FEB-82BF-7920A15B25A4}\InprocServer32#ThreadingModel
C:\WINDOWS\SYSTEM32\DDABA.DLL

Trojan.Downloader-Gen/LIB
C:\WINDOWS\SYSTEM32\QYYFSCJV.DLL

----------------------------------------------------


1º Pase KasperSky on-line
----------------------------------------------------
Estadísticas
Número de objeros analizados 54351
Virus encontrados 1
Objetos infectados 1 / 0
Objetos sospechosos 0
Duración del análisis 01:13:53

Bombre del objeto infectado Nombre del virus Última acción
C:\Documents and Settings\All Users\Datos de programa\McAfee\SpamKiller\Logs\Filtering.log Object is locked saltado

C:\Documents and Settings\All Users\Datos de programa\McAfee.com\Agent\Logs\TaskScheduler\McTsk shd001.log Object is locked saltado

C:\Documents and Settings\All Users\Datos de programa\McAfee.com\VSO\OASLogs\OAS.log Object is locked saltado

C:\Documents and Settings\All Users\Datos de programa\Microsoft\Network\Downloader\qmgr0.dat Object is locked saltado

C:\Documents and Settings\All Users\Datos de programa\Microsoft\Network\Downloader\qmgr1.dat Object is locked saltado

C:\Documents and Settings\DJLG\Configuración local\Archivos temporales de Internet\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked saltado

C:\Documents and Settings\DJLG\Configuración local\Archivos temporales de Internet\Content.IE5\index.dat Object is locked saltado

C:\Documents and Settings\DJLG\Configuración local\Datos de programa\Microsoft\Feeds Cache\index.dat Object is locked saltado

C:\Documents and Settings\DJLG\Configuración local\Datos de programa\Microsoft\Windows\UsrClass.dat Object is locked saltado

C:\Documents and Settings\DJLG\Configuración local\Datos de programa\Microsoft\Windows\UsrClass.dat.LOG Object is locked saltado

C:\Documents and Settings\DJLG\Configuración local\Historial\History.IE5\index.dat Object is locked saltado

C:\Documents and Settings\DJLG\Configuración local\Historial\History.IE5\MSHist0120070410200704 11\index.dat Object is locked saltado

C:\Documents and Settings\DJLG\Configuración local\Temp\nsp5.tmp Object is locked saltado

C:\Documents and Settings\DJLG\Cookies\index.dat Object is locked saltado

C:\Documents and Settings\DJLG\NTUSER.DAT Object is locked saltado

C:\Documents and Settings\DJLG\ntuser.dat.LOG Object is locked saltado

C:\Documents and Settings\DJLG\UserData\index.dat Object is locked saltado

C:\Documents and Settings\LocalService\Configuración local\Archivos temporales de Internet\Content.IE5\index.dat Object is locked saltado

C:\Documents and Settings\LocalService\Configuración local\Datos de programa\Microsoft\Windows\UsrClass.dat Object is locked saltado

C:\Documents and Settings\LocalService\Configuración local\Datos de programa\Microsoft\Windows\UsrClass.dat.LOG Object is locked saltado

C:\Documents and Settings\LocalService\Configuración local\Historial\History.IE5\index.dat Object is locked saltado

C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked saltado

C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked saltado

C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked saltado

C:\Documents and Settings\NetworkService\Configuración local\Datos de programa\Microsoft\Windows\UsrClass.dat Object is locked saltado

C:\Documents and Settings\NetworkService\Configuración local\Datos de programa\Microsoft\Windows\UsrClass.dat.LOG Object is locked saltado

C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked saltado

C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked saltado

C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked saltado

C:\System Volume Information\_restore{46C4F50D-0ECB-4B33-AFA1-AE1A6069AFA1}\RP1\change.log Object is locked saltado

C:\WINDOWS\Debug\PASSWD.LOG Object is locked saltado

C:\WINDOWS\SchedLgU.Txt Object is locked saltado

C:\WINDOWS\SoftwareDistribution\EventCache\{0BB305 78-53E2-4F56-B3F3-6C2BDA8B8D64}.bin Object is locked saltado

C:\WINDOWS\SoftwareDistribution\ReportingEvents.lo g Object is locked saltado

C:\WINDOWS\Sti_Trace.log Object is locked saltado

C:\WINDOWS\system32\config\AppEvent.Evt Object is locked saltado

C:\WINDOWS\system32\config\default Object is locked saltado

C:\WINDOWS\system32\config\default.LOG Object is locked saltado

C:\WINDOWS\system32\config\Internet.evt Object is locked saltado

C:\WINDOWS\system32\config\SAM Object is locked saltado

C:\WINDOWS\system32\config\SAM.LOG Object is locked saltado

C:\WINDOWS\system32\config\SecEvent.Evt Object is locked saltado

C:\WINDOWS\system32\config\SECURITY Object is locked saltado

C:\WINDOWS\system32\config\SECURITY.LOG Object is locked saltado

C:\WINDOWS\system32\config\software Object is locked saltado

C:\WINDOWS\system32\config\software.LOG Object is locked saltado

C:\WINDOWS\system32\config\SysEvent.Evt Object is locked saltado

C:\WINDOWS\system32\config\system Object is locked saltado

C:\WINDOWS\system32\config\system.LOG Object is locked saltado

C:\WINDOWS\system32\h323log.txt Object is locked saltado

C:\WINDOWS\system32\rqrstrr.dll.vir Infectados: not-a-virus:AdWare.Win32.Virtumonde.ij saltado

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked saltado

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked saltado

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked saltado

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MA P Object is locked saltado

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MA P Object is locked saltado

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DAT A Object is locked saltado

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked saltado

C:\WINDOWS\wiadebug.log Object is locked saltado

C:\WINDOWS\wiaservc.log Object is locked saltado

C:\WINDOWS\WindowsUpdate.log Object is locked saltado

Análisis completado.



2º Pase KasperSky on-line
----------------------------------------------------
Estadísticas
Número de objeros analizados 5412
Virus encontrados 1
Objetos infectados 1 / 0
Objetos sospechosos 0
Duración del análisis 00:05:11

Bombre del objeto infectado Nombre del virus Última acción
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked saltado

C:\WINDOWS\system32\config\default Object is locked saltado

C:\WINDOWS\system32\config\default.LOG Object is locked saltado

C:\WINDOWS\system32\config\Internet.evt Object is locked saltado

C:\WINDOWS\system32\config\SAM Object is locked saltado

C:\WINDOWS\system32\config\SAM.LOG Object is locked saltado

C:\WINDOWS\system32\config\SecEvent.Evt Object is locked saltado

C:\WINDOWS\system32\config\SECURITY Object is locked saltado

C:\WINDOWS\system32\config\SECURITY.LOG Object is locked saltado

C:\WINDOWS\system32\config\software Object is locked saltado

C:\WINDOWS\system32\config\software.LOG Object is locked saltado

C:\WINDOWS\system32\config\SysEvent.Evt Object is locked saltado

C:\WINDOWS\system32\config\system Object is locked saltado

C:\WINDOWS\system32\config\system.LOG Object is locked saltado

C:\WINDOWS\system32\h323log.txt Object is locked saltado

C:\WINDOWS\system32\rqrstrr.dll.vir Infectados: not-a-virus:AdWare.Win32.Virtumonde.ij saltado

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked saltado

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked saltado

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked saltado

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MA P Object is locked saltado

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MA P Object is locked saltado

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DAT A Object is locked saltado

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked saltado

Análisis completado.




De los otros programas no ha habido logs que poner, ya que me indicaban que no habían encontrado ningún archivo o virus del Vundo.dll


Y sobre lo de los iconos del escritorio?

Muchas gracias ACSIS

como ves aun tienes ratros,,por lo que lo mejor seria que volvieses a realizar los pasos,,pero antes,elimina el archivo que te indique en el anterior post,,
y cuando hagas el scan usa
Panda ActiveScan + Manual de Panda ActiveScan Online y nos dejas ese reporte

Bueno, después de varios escaneos consecutivos a fondo incluyo los reports siguientes:

SuperAntiSpyware:
--------------------------
SUPERAntiSpyware Scan Log
Generated 04/11/2007 at 11:42 PM

Application Version : 3.6.1000

Core Rules Database Version : 3216
Trace Rules Database Version: 1226

Scan type : Complete Scan
Total Scan Time : 00:34:22

Memory items scanned : 218
Memory threats detected : 0
Registry items scanned : 5140
Registry threats detected : 1
File items scanned : 38022
File threats detected : 1

Adware.Vundo Variant
HKLM\Software\Microsoft\Windows\CurrentVersion\Exp lorer\ShellExecuteHooks#{483CC496-D041-4545-8D9E-2D64294F97B2}

Adware.Tracking Cookie
C:\Documents and Settings\DJLG\Cookies\d_j@msnportal.112.2o7[1].txt



VirtumundoBeGone (no ha encontrado nada, pero igualmente lo pongo)
---------------------------


[04/10/2007, 1:22:48] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\DJLG\Mis documentos\Programas\Programas para eliminar el virus Vundo\VirtumundoBeGone\VirtumundoBeGone.exe" )
[04/10/2007, 1:23:07] - User choose NOT to continue. Exiting...

[04/10/2007, 3:16:45] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\DJLG\Mis documentos\Programas\Programas para eliminar el virus Vundo\VirtumundoBeGone\VirtumundoBeGone.exe" )
[04/10/2007, 3:16:53] - Detected System Information:
[04/10/2007, 3:16:53] - Windows Version: 5.1.2600, Service Pack 2
[04/10/2007, 3:16:53] - Current Username: DJLG (Admin)
[04/10/2007, 3:16:53] - Windows is in NORMAL mode.
[04/10/2007, 3:16:53] - Searching for Browser Helper Objects:
[04/10/2007, 3:16:53] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
[04/10/2007, 3:16:53] - BHO 2: {227B8AA8-DAF2-4892-BD1D-73F568BCB24E} (McBrwHelper Class)
[04/10/2007, 3:16:53] - BHO 3: {3EC8255F-E043-4cae-8B3B-B191550C2A22} (McAfee Privacy Service Popup Blocker)
[04/10/2007, 3:16:53] - BHO 4: {41D68ED8-4CFF-4115-88A6-6EBB8AF19000} (McAfee AntiPhishing Filter)
[04/10/2007, 3:16:53] - BHO 5: {483CC496-D041-4545-8D9E-2D64294F97B2} ()
[04/10/2007, 3:16:53] - WARNING: BHO has no default name. Checking for Winlogon reference.
[04/10/2007, 3:16:53] - Checking for HKLM\...\Winlogon\Notify\rqrstrr
[04/10/2007, 3:16:53] - Found: HKLM\...\Winlogon\Notify\rqrstrr - This is probably Virtumundo.
[04/10/2007, 3:16:53] - Assigning {483CC496-D041-4545-8D9E-2D64294F97B2} MSEvents Object
[04/10/2007, 3:16:53] - BHO list has been changed! Starting over...
[04/10/2007, 3:16:53] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
[04/10/2007, 3:16:53] - BHO 2: {227B8AA8-DAF2-4892-BD1D-73F568BCB24E} (McBrwHelper Class)
[04/10/2007, 3:16:53] - BHO 3: {3EC8255F-E043-4cae-8B3B-B191550C2A22} (McAfee Privacy Service Popup Blocker)
[04/10/2007, 3:16:53] - BHO 4: {41D68ED8-4CFF-4115-88A6-6EBB8AF19000} (McAfee AntiPhishing Filter)
[04/10/2007, 3:16:53] - BHO 5: {483CC496-D041-4545-8D9E-2D64294F97B2} (MSEvents Object)
[04/10/2007, 3:16:53] - ALERT: Found MSEvents Object!
[04/10/2007, 3:16:53] - BHO 6: {5CA3D70E-1895-11CF-8E15-001234567890} (DriveLetterAccess)
[04/10/2007, 3:16:53] - BHO 7: {A43008A6-3E80-4D5F-BDDF-8766DCA144B9} ()
[04/10/2007, 3:16:53] - WARNING: BHO has no default name. Checking for Winlogon reference.
[04/10/2007, 3:16:53] - No filename found. Continuing.
[04/10/2007, 3:16:53] - Finished Searching Browser Helper Objects
[04/10/2007, 3:16:53] - *** Detected MSEvents Object
[04/10/2007, 3:16:53] - Trying to remove MSEvents Object...
[04/10/2007, 3:16:54] - Terminating Process: IEXPLORE.EXE
[04/10/2007, 3:16:54] - Terminating Process: RUNDLL32.EXE
[04/10/2007, 3:16:54] - Disabling Automatic Shell Restart
[04/10/2007, 3:16:54] - Terminating Process: EXPLORER.EXE
[04/10/2007, 3:16:54] - Suspending the NT Session Manager System Service
[04/10/2007, 3:16:54] - Terminating Windows NT Logon/Logoff Manager
[04/10/2007, 3:16:54] - Re-enabling Automatic Shell Restart
[04/10/2007, 3:16:55] - File to disable: C:\WINDOWS\system32\rqrstrr.dll
[04/10/2007, 3:16:55] - Renaming C:\WINDOWS\system32\rqrstrr.dll -> C:\WINDOWS\system32\rqrstrr.dll.vir
[04/10/2007, 3:16:55] - ! File rename was unsucessful.
[04/10/2007, 3:16:55] - Attempting to Deny Access to C:\WINDOWS\system32\rqrstrr.dll
[04/10/2007, 3:16:56] - *** IMPORTANT: Delete/Rename/Move on reboot (like Killbox) MAY NOT work.
[04/10/2007, 3:16:56] - ERROR: No se ha efectuado ninguna asignación entre los nombres de cuenta y los identificadores de seguridad.
[04/10/2007, 3:16:56] - *** IMPORTANT: The file is disabled and will need to be deleted by the user.
[04/10/2007, 3:16:56] - Removing HKLM\...\Browser Helper Objects\{483CC496-D041-4545-8D9E-2D64294F97B2}
[04/10/2007, 3:16:56] - Removing HKCR\CLSID\{483CC496-D041-4545-8D9E-2D64294F97B2}
[04/10/2007, 3:16:56] - Adding Kill Bit for ActiveX for GUID: {483CC496-D041-4545-8D9E-2D64294F97B2}
[04/10/2007, 3:16:56] - Deleting ATLEvents/MSEvents Registry entries
[04/10/2007, 3:16:56] - Removing HKLM\...\Winlogon\Notify\rqrstrr
[04/10/2007, 3:16:57] - Searching for Browser Helper Objects:
[04/10/2007, 3:16:57] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
[04/10/2007, 3:16:57] - BHO 2: {227B8AA8-DAF2-4892-BD1D-73F568BCB24E} (McBrwHelper Class)
[04/10/2007, 3:16:57] - BHO 3: {3EC8255F-E043-4cae-8B3B-B191550C2A22} (McAfee Privacy Service Popup Blocker)
[04/10/2007, 3:16:57] - BHO 4: {41D68ED8-4CFF-4115-88A6-6EBB8AF19000} (McAfee AntiPhishing Filter)
[04/10/2007, 3:16:57] - BHO 5: {483CC496-D041-4545-8D9E-2D64294F97B2} ()
[04/10/2007, 3:16:57] - WARNING: BHO has no default name. Checking for Winlogon reference.
[04/10/2007, 3:16:57] - No filename found. Continuing.
[04/10/2007, 3:16:57] - BHO 6: {5CA3D70E-1895-11CF-8E15-001234567890} (DriveLetterAccess)
[04/10/2007, 3:16:57] - BHO 7: {A43008A6-3E80-4D5F-BDDF-8766DCA144B9} ()
[04/10/2007, 3:16:57] - WARNING: BHO has no default name. Checking for Winlogon reference.
[04/10/2007, 3:16:57] - No filename found. Continuing.
[04/10/2007, 3:16:57] - Finished Searching Browser Helper Objects
[04/10/2007, 3:16:57] - Finishing up...
[04/10/2007, 3:16:57] - A restart is needed.
[04/10/2007, 3:17:20] - Attempting to Restart via STOP error (Blue Screen!)

[04/10/2007, 15:13:37] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\DJLG\Mis documentos\Programas\Programas para eliminar el virus Vundo\VirtumundoBeGone\VirtumundoBeGone.exe" )
[04/10/2007, 15:13:55] - Detected System Information:
[04/10/2007, 15:13:55] - Windows Version: 5.1.2600, Service Pack 2
[04/10/2007, 15:13:55] - Current Username: DJLG (Admin)
[04/10/2007, 15:13:55] - Windows is in SAFE mode.
[04/10/2007, 15:13:55] - Searching for Browser Helper Objects:
[04/10/2007, 15:13:55] - BHO 1: {483CC496-D041-4545-8D9E-2D64294F97B2} ()
[04/10/2007, 15:13:55] - WARNING: BHO has no default name. Checking for Winlogon reference.
[04/10/2007, 15:13:55] - Checking for HKLM\...\Winlogon\Notify\rqrstrr
[04/10/2007, 15:13:55] - Found: HKLM\...\Winlogon\Notify\rqrstrr - This is probably Virtumundo.
[04/10/2007, 15:13:55] - Assigning {483CC496-D041-4545-8D9E-2D64294F97B2} MSEvents Object
[04/10/2007, 15:13:55] - BHO list has been changed! Starting over...
[04/10/2007, 15:13:55] - BHO 1: {483CC496-D041-4545-8D9E-2D64294F97B2} (MSEvents Object)
[04/10/2007, 15:13:55] - ALERT: Found MSEvents Object!
[04/10/2007, 15:13:55] - Finished Searching Browser Helper Objects
[04/10/2007, 15:13:55] - *** Detected MSEvents Object
[04/10/2007, 15:13:55] - Trying to remove MSEvents Object...
[04/10/2007, 15:13:56] - Terminating Process: IEXPLORE.EXE
[04/10/2007, 15:13:56] - Terminating Process: RUNDLL32.EXE
[04/10/2007, 15:13:56] - Disabling Automatic Shell Restart
[04/10/2007, 15:13:56] - Terminating Process: EXPLORER.EXE
[04/10/2007, 15:13:56] - Suspending the NT Session Manager System Service
[04/10/2007, 15:13:56] - Terminating Windows NT Logon/Logoff Manager
[04/10/2007, 15:13:56] - Re-enabling Automatic Shell Restart
[04/10/2007, 15:13:56] - File to disable: C:\WINDOWS\system32\rqrstrr.dll
[04/10/2007, 15:13:56] - Renaming C:\WINDOWS\system32\rqrstrr.dll -> C:\WINDOWS\system32\rqrstrr.dll.vir
[04/10/2007, 15:13:56] - File successfully renamed!
[04/10/2007, 15:13:56] - Removing HKLM\...\Browser Helper Objects\{483CC496-D041-4545-8D9E-2D64294F97B2}
[04/10/2007, 15:13:56] - Removing HKCR\CLSID\{483CC496-D041-4545-8D9E-2D64294F97B2}
[04/10/2007, 15:13:56] - Adding Kill Bit for ActiveX for GUID: {483CC496-D041-4545-8D9E-2D64294F97B2}
[04/10/2007, 15:13:56] - Deleting ATLEvents/MSEvents Registry entries
[04/10/2007, 15:13:56] - Removing HKLM\...\Winlogon\Notify\rqrstrr
[04/10/2007, 15:13:56] - Searching for Browser Helper Objects:
[04/10/2007, 15:13:56] - Finished Searching Browser Helper Objects
[04/10/2007, 15:13:56] - Finishing up...
[04/10/2007, 15:13:56] - A restart is needed.
[04/10/2007, 15:14:25] - Attempting to Restart via STOP error (Blue Screen!)

[04/12/2007, 0:05:13] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\DJLG\Mis documentos\Programas\Programas para eliminar el virus Vundo\VirtumundoBeGone\VirtumundoBeGone.exe" )
[04/12/2007, 0:05:17] - Detected System Information:
[04/12/2007, 0:05:17] - Windows Version: 5.1.2600, Service Pack 2
[04/12/2007, 0:05:17] - Current Username: DJLG (Admin)
[04/12/2007, 0:05:17] - Windows is in SAFE mode.
[04/12/2007, 0:05:17] - Searching for Browser Helper Objects:
[04/12/2007, 0:05:17] - Finished Searching Browser Helper Objects
[04/12/2007, 0:05:17] - Finishing up...
[04/12/2007, 0:05:17] - Nothing found! Exiting...



Panda:
--------------------------------


Incidencia Estado Elemento

Herramienta potencialmente no deseada:Application/Processor No desinfectado C:\Documents and Settings\DJLG\Configuración local\Temp\nsq6.tmp
Spyware:Cookie/ademails No desinfectado C:\Documents and Settings\DJLG\Cookies\d_j@www.ademails[1].txt
Herramienta potencialmente no deseada:Application/Processor No desinfectado C:\Documents and Settings\DJLG\Mis documentos\Programas\Programas para eliminar el virus Vundo\VirtumundoBeGone\VirtumundoBeGone.exe[²ƒÇ]

Mientras estaba realizando el escaneo con el panda, el McAfee Virus Scan ha detectado un PUP llamado PrcViewer... es un proceso de Windows?


Saludos