I have a big suspicion of a virus on my PC
Thank you for your help. I tried to view and access my PC on our network and I can't. Thank you very much for your time.
Here is my HijackThis log file; I ran Spybot Search & Destroy and Ad-Aware first of all:
Logfile of HijackThis v1.99.1
Scan saved at 11:34:59 a.m., on 26/02/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\msdtc.exe
C:\ARCHIV~1\Grisoft\AVG6\avgserv.exe
C:\WINNT\system32\dxdllsvc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\ciclient.exe
C:\WINNT\System32\llssrv.exe
C:\WINNT\system32\wsdde32.exe
C:\WINNT\a65d.exe
C:\WINNT\system32\msgfix32.exe
C:\WINNT\tmgyap.exe
C:\WINNT\nvsvca32.exe
C:\WINNT\winagent.exe
C:\WINNT\system32\internat.exe
C:\WINNT\system32\msgfix32.exe
C:\WINNT\system32\soundblaster.exe
C:\WINNT\system32\soundblaster.exe
C:\Archivos de programa\WinZip\WZQKPICK.EXE
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\r_server.exe
C:\WINNT\system32\MSTask.exe
C:\Archivos de programa\Sophos SWEEP for NT\SWNETSUP.EXE
C:\Archivos de programa\Sophos SWEEP for NT\SWEEPSRV.SYS
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\Dfssvc.exe
C:\WINNT\System32\inetsrv\inetinfo.exe
C:\Archivos de programa\Archivos comunes\System\MSSearch\Bin\mssearch.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\dllhost.exe
C:\WINNT\system32\dllhost.exe
C:\WINNT\system32\mdm.exe
C:\winnt\system32\cgzmlorj.exe
C:\winnt\system32\calc.exe
C:\WINNT\explorer.exe
C:\Archivos de programa\ISTsvc\istsvc.exe
C:\hijackthis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ger.com.pe/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.0.0.2:80
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
O2 - BHO: CeresObj Class - {00000049-8F91-4D9C-9573-F016E7626484} - C:\WINNT\Ceres.dll
O2 - BHO: (no name) - {ED103D9F-3070-4580-AB1E-E5C179C1AE41} - (no file)
O4 - HKLM\..\Run: [Micr Update] soundblaster.exe
O4 - HKLM\..\Run: [antiware] C:\winnt\system32\elitezzl32.exe
O4 - HKLM\..\Run: [popuppers65] C:\WINNT\a65d.exe
O4 - HKLM\..\Run: [WinDDE] wsdde32.exe
O4 - HKLM\..\Run: [WylJ8] C:\WINNT\tmgyap.exe
O4 - HKLM\..\Run: [IST Service] C:\Archivos de programa\ISTsvc\istsvc.exe
O4 - HKLM\..\RunServices: [Micr Update] soundblaster.exe
O4 - HKLM\..\RunServices: [Configuration Firewall Loader] msgfix32.exe
O4 - HKLM\..\RunServices: [WinDDE] wsdde32.exe
O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Archivos de programa\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKLM\..\RunOnce: [AAW] "C:\ARCHIV~1\Lavasoft\AD-AWA~1\Ad-Aware.exe" "+b1"
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [Configuration Firewall Loader] msgfix32.exe
O4 - HKCU\..\Run: [WinDDE] wsdde32.exe
O4 - HKCU\..\Run: [Micr Update] soundblaster.exe
O4 - HKCU\..\RunServices: [WinDDE] wsdde32.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Archivos de programa\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Archivos de programa\WinZip\WZQKPICK.EXE
O12 - Plugin for .spop: C:\Archivos de programa\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.media-motor.net
O15 - Trusted Zone: *.popuppers.com
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ger.com.pe
O17 - HKLM\System\CCS\Services\Tcpip\..\{13A63227-D1E2-423A-A7E1-5F5755E7A278}: NameServer = 200.48.0.37,200.48.0.38
O17 - HKLM\System\CCS\Services\Tcpip\..\{692C746D-026B-404F-B475-79F0203CA39A}: NameServer = 10.0.0.253
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ger.com.pe
O17 - HKLM\System\CS1\Services\Tcpip\..\{13A63227-D1E2-423A-A7E1-5F5755E7A278}: NameServer = 200.48.0.37,200.48.0.38
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = ger.com.pe
O17 - HKLM\System\CS2\Services\Tcpip\..\{13A63227-D1E2-423A-A7E1-5F5755E7A278}: NameServer = 200.48.0.37,200.48.0.38
O23 - Service: AVG6 Service (AvgServ) - GRISOFT s.r.o - C:\ARCHIV~1\Grisoft\AVG6\avgserv.exe
O23 - Service: DirectX DLL Register Support Service (DirectX DLL) - Unknown owner - C:\WINNT\system32\dxdllsvc.exe
O23 - Service: Servicio del administrador de discos lógicos (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Indexing The System Files (Indexing Service) - Unknown owner - C:\WINNT\system32\ciclient.exe
O23 - Service: PER Antivirus (pav_service) - PER Systems S.A. - C:\Archivos de programa\Persystems\Perav\PERVAC.EXE
O23 - Service: Remote Administrator Service (r_server) - Unknown owner - C:\WINNT\system32\r_server.exe" /service (file missing)
O23 - Service: Sophos Anti-Virus Network (SweepNet) - Sophos Plc - C:\Archivos de programa\Sophos SWEEP for NT\SWNETSUP.EXE
O23 - Service: Sophos Anti-Virus (SWEEPSRV.SYS) - Sophos Plc - C:\Archivos de programa\Sophos SWEEP for NT\SWEEPSRV.SYS
This discussion has been closed.
Comments
Make sure they are set to clean automatically:
http://www.bitdefender.com/scan/licence.php
http://www.pandasoftware.com/activescan/com/activescan_principal.htm
If there are files that cannot be removed by the scans, please include that information in your next post.
Reboot and post a new HijackThis log.