Full Version: I have a trojan called backdoor-bdd
Gladiator Security Forum > Malware Help Forum > HELP! Think you are Infected?
D4RKW4R
Hi, I have the trojan backdoor-bdd and McAfee Antivirus can't delete it. Here is my log.

Logfile of HijackThis v1.99.0
Scan saved at 11:27:11 a.m., on 08/01/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv
C:\Archivos de programa\McAfee\McAfee VirusScan\Avsynmgr.exe
C:\Archivos de programa\Archivos comunes\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\Archivos de programa\MSN Apps\Updater\01.02.3000.1001\es\msnappau.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Archivos de programa\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\System32\taskmgr.exe
C:\Archivos de programa\Yahoo!\Messenger\ypage
C:\WINDOWS\System32\wuauclt.exe
C:\Archivos de programa\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe
C:\Archivos de programa\Babylon\Babylon.exe
C:\WINDOWS\explorer.exe
C:\Archivos de programa\MYIE2\MyIE.exe
C:\ARCHIV~1\DAP\DAP.EXE
C:\PROGRAM FILES\mIRC\mirc.exe
C:\Archivos de programa\McAfee\McAfee VirusScan\VsStat.exe
C:\Archivos de programa\McAfee\McAfee VirusScan\Vshwin32.exe
C:\Archivos de programa\Archivos comunes\Network Associates\McShield\Mcshield.exe
C:\Archivos de programa\McAfee\McAfee VirusScan\Avconsol.exe
C:\WINDOWS\System32\taskmgr.exe
C:\ARCHIV~1\WINZIP\winzip32.exe
C:\ARCHIV~1\WINZIP\winzip32.exe
C:\Documents and Settings\Gabi\Configuracion local\Temp\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.popupsearches.com/s
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINDOWS\secure.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.popupsearches.com/sidesearch.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.popupsearches.com/sidesearch.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\wqytw.dll/sp.html#29126
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\wqytw.dll/sp.html#29126
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.popupsearches.com/sidesearch.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.popupsearches.com/sidesearch.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\secure.html
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.0.1:4480
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vinculos
O2 - BHO: BTGrabObj Class - {00000000-F09C-02B4-6EC2-AD0300000000} - C:\WINDOWS\BTGrab.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Archivos de programa\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Fizzlebar.clsFwBar - {9056A11F-5EA6-4A67-BDE9-8D3C7C453DAC} - c:\sysfwb\1278578313\iefwbar.dl
O2 - BHO: (no name) - {C0D6E167-F604-CDF7-7A32-C71266D013DD} - C:\WINDOWS\system32\atlhz32.dll (file missing)
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Archivos de programa\MSN Apps\MSN Toolbar\01.02.3000.1001\es\msntb.dll (file missing)
O3 - Toolbar: DAP Bar - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - C:\Archivos de programa\DAP\DAPIEBar.dll
O3 - Toolbar: McAfee VirusScan - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - C:\Archivos de programa\McAfee\McAfee VirusScan\VSCShellExtension.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [REGSHAVE] C:\Archivos de programa\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [msnappau] "C:\Archivos de programa\MSN Apps\Updater\01.02.3000.1001\es\msnappau.exe"
O4 - HKLM\..\Run: [SoundMan] soundman.exe
O4 - HKLM\..\Run: [hvspspcfx] C:\WINDOWS\System32\qaafxlug.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Archivos de programa\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Noat] C:\Documents and Settings\Gabi\Datos de programa\otcr.exe
O4 - HKCU\..\Run: [Vewvmj] C:\WINDOWS\System32\taskmgr.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Archivos de programa\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [McAfee.InstantUpdate.Monitor] "C:\Archivos de programa\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" /STARTMONITOR
O4 - HKCU\..\Run: [Babylon Translator] C:\Archivos de programa\Babylon\Babylon.exe
O8 - Extra context menu item: &Download with &DAP - C:\ARCHIV~1\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\ARCHIV~1\DAP\dapextie2.htm
O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\ARCHIV~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Run DAP - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - C:\ARCHIV~1\DAP\DAP.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\MSMSGS.EXE
O15 - Trusted Zone: *.skoobidoo.com
O15 - Trusted Zone: *.skoobidoo.com (HKLM)
O15 - Trusted IP range: (HKLM)
O16 - DPF: {22222222-2222-2222-2222-222222222222} - file://c:\x.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by15fd.bay15.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1104041447438
O16 - DPF: {9076A11F-5EA6-4A67-BDE9-8D3C7C453DAC} - http://www.thecoolbar.com/installfiles/coolbar.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmesse...pdownloader.cab
O21 - SSODL: System - {9EF347D7-4F30-4A3A-ADCD-A26725F17AD5} - C:\WINDOWS\system32\system32.dll (file missing)
O23 - Service: AVSync Manager - Network Associates, Inc. - C:\Archivos de programa\McAfee\McAfee VirusScan\Avsynmgr.exe
O23 - Service: Servicio del administrador de discos logicos - Unknown - C:\WINDOWS\System32\dmadmin.exe
O23 - Service: Registro de sucesos - Unknown - C:\WINDOWS\system32\services.exe
O23 - Service: Servicio COM de grabacion de CD de IMAPI - Unknown - C:\WINDOWS\System32\imapi.exe
O23 - Service: McAfee Firewall - Network Associates, Inc. - C:\Archivos de programa\McAfee\McAfee Firewall\CPD.EXE
O23 - Service: McShield - Unknown - C:\Archivos de programa\Archivos comunes\Network Associates\McShield\Mcshield.exe
O23 - Service: Escritorio remoto compartido de NetMeeting - Unknown - C:\WINDOWS\System32\mnmsrvc.exe
O23 - Service: DDE de red - Unknown - C:\WINDOWS\system32\netdde.exe
O23 - Service: DSDM de DDE de red - Unknown - C:\WINDOWS\system32\netdde.exe
O23 - Service: Plug and Play - Unknown - C:\WINDOWS\system32\services.exe
O23 - Service: Administrador de sesion de Ayuda de escritorio remoto - Unknown - C:\WINDOWS\system32\sessmgr.exe
O23 - Service: Tarjeta inteligente - Unknown - C:\WINDOWS\System32\SCardSvr.exe
O23 - Service: Registros y alertas de rendimiento - Unknown - C:\WINDOWS\system32\smlogsvc.exe
O23 - Service: Telnet - Unknown - C:\WINDOWS\System32\tlntsvr.exe
O23 - Service: Instantaneas de volumen - Unknown - C:\WINDOWS\System32\vssvc.exe
O23 - Service: Adaptador de rendimiento de WMI - Unknown - C:\WINDOWS\System32\wbem\wmiapsrv.exe
Bobbi Flekman
Hi D4RKW4R,

Please move HijackThis to another location, preferably c:\Program Files\HijackThis. Anywhere is fine, other than your Desktop or a Temp folder. If HijackThis is in a temporary folder you run the risk of accidentally deleting the backups or it clutters your desktop with all the backups.
If you use Windows XP it might be that you just double clicked on the file HijackThis.exe, but that only extracts the file to a temporary folder. Please select the file and Extract it to a folder.

How to make a permanent folder:

Click "My Computer", then "C:\" and then on "Program Files".
In the menu bar, "File"->"New"->"Folder".
That will create a folder named "New Folder", which you can rename to "HJT" or "HijackThis".
Now you have "C:\Program Files\HijackThis". Put your HijackThis.exe there.
  1. Download AboutBuster

    Unzip it to your desktop but don't run it yet; we'll do that later on, down in this list, in SAFE MODE.
  2. Print out these instructions so you have them handy as some of the steps need to be done in safe mode and you may not be able to go online. We need IE to remain closed throughout the process.
  3. Make sure your PC is configured to show hidden files. How do I show hidden files?
  4. Restart your computer in Safe Mode. How do I Safe Boot my computer?
  5. Scan with HijackThis and put a check on the following:

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.popupsearches.com/s
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINDOWS\secure.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.popupsearches.com/sidesearch.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.popupsearches.com/sidesearch.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\wqytw.dll/sp.html#29126
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\wqytw.dll/sp.html#29126
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.popupsearches.com/sidesearch.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.popupsearches.com/sidesearch.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\secure.html

    O2 - BHO: BTGrabObj Class - {00000000-F09C-02B4-6EC2-AD0300000000} - C:\WINDOWS\BTGrab.dll
    O2 - BHO: Fizzlebar.clsFwBar - {9056A11F-5EA6-4A67-BDE9-8D3C7C453DAC} - c:\sysfwb\1278578313\iefwbar.dl
    O2 - BHO: (no name) - {C0D6E167-F604-CDF7-7A32-C71266D013DD} - C:\WINDOWS\system32\atlhz32.dll (file missing)

    O4 - HKLM\..\Run: [hvspspcfx] C:\WINDOWS\System32\qaafxlug.exe
    O4 - HKCU\..\Run: [Noat] C:\Documents and Settings\Gabi\Datos de programa\otcr.exe

    O15 - Trusted Zone: *.skoobidoo.com
    O15 - Trusted Zone: *.skoobidoo.com (HKLM)
    O15 - Trusted IP range: (HKLM)

    O16 - DPF: {22222222-2222-2222-2222-222222222222} - file://c:\x.cab

    O21 - SSODL: System - {9EF347D7-4F30-4A3A-ADCD-A26725F17AD5} - C:\WINDOWS\system32\system32.dll (file missing)

    Then close all windows, and browsers, except HijackThis. Tell HijackThis to "Fix checked".

    Delete the following files in red (it could be that they are deleted already):

    C:\WINDOWS\secure.html
    C:\WINDOWS\system32\wqytw.dll
    C:\WINDOWS\BTGrab.dll
    C:\WINDOWS\system32\atlhz32.dll
    C:\WINDOWS\System32\qaafxlug.exe
    C:\Documents and Settings\Gabi\Datos de programa\otcr.exe
    c:\x.cab
    C:\WINDOWS\system32\system32.dll

    Delete the following folders in red (it could be that they are deleted already):

    c:\sysfwb
  6. Double click on the AboutBuster tool you downloaded earlier. Follow the instruction prompts to use the program and let it do two scans (it will ask). When finished, press the "Save log" button. I will want a copy of that log after all steps are completed here.
  7. Scan with Adaware and let it remove any bad files found.
  8. Clean out temporary and tif files. Go to "Start" -> "Run" and type in the box: "cleanmgr". Let it scan your system for files to remove. Make sure these 3 are checked and then press "Ok" to remove:

    Temporary Files
    Temporary Internet Files
    Recycle Bin
  9. Restart in normal mode.
  10. NOTE: Two, possibly three or four, files may have been deleted from your computer by the hijacker and may need to be replaced.

    Control.exe
    Shell.dll
    SDHelper.dll (if you are using Spybot Search & Destroy)
    Hosts file (no extension)

    If control.exe, shell.dll or SDHelper is missing
    Go here: http://spywareinfo.com/~merijn/winfiles.html and download the needed file.

    For a missing Hosts file:
    Download Hoster
    Press "Restore Original Hosts" and press "OK"
    Exit Program.
    Note: if you were using a custom Hosts file you will need to replace any of those entries yourself!

    If you have Spybot S&D installed and SDHelper.dll is missing, replace it here:
    http://www.spywareinfo.com/~merijn/winfiles.html#sdhelper and download SDHelper.dll. Copy the file to the folder containing your Spybot S&D program (normally C:\Program Files\Spybot - Search & Destroy)
  11. Additional: Check your ActiveX security settings. They may have been changed by this CWS variant to allow ALL ActiveX!! If they have been changed, reset your ActiveX security settings in Internet Explorer as recommended.

    ActiveX controls and plug-ins:
    • Download signed ActiveX controls (Prompt)
    • Download unsigned ActiveX controls (Disable)
    • Initialize and script ActiveX controls not marked as safe (Disable)
    • Run ActiveX controls and plug-ins (Enabled) (This actually refers to Java and Flash, not ActiveX)
    • Script ActiveX controls marked safe for scripting (Prompt)

    Do an online scan at the following site. Let it remove any infected files found.
    Trend Micro (PC-Cillin) - Free On-line Scan
When you are all done, post the new HijackThis log and the AboutBuster log here for review.

Open Windows Explorer, navigate to the folder "C:\WINDOWS\System32" and find the file "taskmgr.exe". Right click on the file and select "Properties" from the menu. Select the "Version" tab and copy the information it gives here.
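The entries Bobbi picked out of the log above follow a few recognisable patterns: start/search pages pointing at res:// resources inside a local DLL or at a local HTML file, a BHO with no name whose DLL is missing, Run entries with random-looking names or launched from the user profile, an added Trusted Zone, a DPF entry downloading from file://, and an SSODL entry whose DLL is gone. The script below is an added example (not from the thread or from HijackThis itself) that parses HijackThis-style lines and applies those heuristics; the sample lines are constructed from the log in this thread, and the host allowlist and the vowel-ratio "random name" test are assumptions chosen for the example, not a definitive rule set.

```python
import re

# Sample HijackThis log lines, constructed for this example from the entries
# discussed in the thread; not a complete log.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.popupsearches.com/sidesearch.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\wqytw.dll/sp.html#29126
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\secure.html
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Archivos de programa\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {C0D6E167-F604-CDF7-7A32-C71266D013DD} - C:\WINDOWS\system32\atlhz32.dll (file missing)
O4 - HKLM\..\Run: [hvspspcfx] C:\WINDOWS\System32\qaafxlug.exe
O4 - HKCU\..\Run: [Noat] C:\Documents and Settings\Gabi\Datos de programa\otcr.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O15 - Trusted Zone: *.skoobidoo.com
O16 - DPF: {22222222-2222-2222-2222-222222222222} - file://c:\x.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by15fd.bay15.hotmail.msn.com/resources/MsnPUpld.cab
O21 - SSODL: System - {9EF347D7-4F30-4A3A-ADCD-A26725F17AD5} - C:\WINDOWS\system32\system32.dll (file missing)
"""

# Example allowlist of hosts that legitimately appear in IE start/search pages
# and DPF downloads; an assumption for this example, extend it for your site.
KNOWN_GOOD_HOSTS = ("microsoft.com", "msn.com", "windowsupdate.com")


def _host_allowed(host):
    return any(host == d or host.endswith("." + d) for d in KNOWN_GOOD_HOSTS)


def _check_target(value):
    """Reason a start/search page or DPF download target looks hijacked, else None."""
    v = value.strip().lower()
    if v.startswith("res://"):
        return "res:// resource served out of a local DLL"
    if v.startswith("file://") or re.match(r"^[a-z]:\\", v):
        return "points at a local file instead of a web page"
    m = re.match(r"^https?://([^/]+)", v)
    if m and not _host_allowed(m.group(1)):
        return "host %s is not on the allowlist" % m.group(1)
    return None  # about:blank and allowlisted hosts fall through here


def _looks_random(name):
    """Crude heuristic: six or more letters with almost no vowels (e.g. hvspspcfx)."""
    letters = [c for c in name.lower() if c.isalpha()]
    if len(letters) < 6:
        return False
    vowels = sum(c in "aeiou" for c in letters)
    return vowels / len(letters) < 0.15


def triage(log_text):
    """Return (section, line, reason) for every log line that merits a closer look."""
    findings = []
    for line in log_text.splitlines():
        m = re.match(r"^([RO]\d+) - (.*)$", line.strip())
        if not m:
            continue
        section, rest = m.groups()
        reason = None
        if section in ("R0", "R1") and " = " in rest:
            reason = _check_target(rest.split(" = ", 1)[1])
        elif section == "O2":
            if "(file missing)" in rest or "(no name)" in rest:
                reason = "unnamed BHO or BHO whose DLL is missing"
        elif section == "O4":
            run = re.match(r"^HK\w+\\\.\.\\Run: \[([^\]]+)\] (.*)$", rest)
            if run:
                name, command = run.groups()
                exe = re.search(r'"?([a-z]:\\[^"]*?\.exe)"?', command, re.I)
                path = exe.group(1).lower() if exe else ""
                stem = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
                if _looks_random(name.split(".")[0]) or _looks_random(stem):
                    reason = "random-looking autorun name"
                elif "\\documents and settings\\" in path or "\\temp\\" in path:
                    reason = "autorun launched from a user profile or temp folder"
        elif section == "O15":
            reason = "domain added to the IE Trusted Zone (relaxed security settings)"
        elif section == "O16":
            reason = _check_target(rest.rsplit(" - ", 1)[-1])
        elif section == "O21":
            if "(file missing)" in rest:
                reason = "ShellServiceObjectDelayLoad entry whose DLL is missing"
        if reason:
            findings.append((section, line.strip(), reason))
    return findings


if __name__ == "__main__":
    for section, line, reason in triage(SAMPLE_LOG):
        print("%-4s %s\n     %s" % (section, reason, line))
```

Run it as-is to see the nine lines from the sample that the heuristics pick out; the Adobe BHO, the ctfmon.exe autorun and the MSN photo-upload DPF entry pass through untouched. Heuristics like these are a first pass for a reviewer, not a substitute for checking each file: the second taskmgr.exe started by the [Vewvmj] Run entry, for instance, would only be caught by comparing the file's version information, which is exactly what the post asks for.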
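Step 11 asks the poster to compare the Internet zone's ActiveX settings against the recommended values. The following added example (not part of the thread) checks that offline: it parses a .reg file exported from regedit for the Internet zone key (HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3) and reports each of the five settings from the post that differs from the recommendation. The mapping of setting names to registry value IDs (1001, 1004, 1200, 1201, 1405) and the encoding 0 = Enable, 1 = Prompt, 3 = Disable follow Microsoft's documentation for these keys; the sample export is constructed to show a zone where everything has been switched to Enable, as the post warns this CWS variant does.

```python
import re

# Recommended Internet-zone settings from the post, keyed by the registry value
# that stores each one. Encoding: 0 = Enable, 1 = Prompt, 3 = Disable.
RECOMMENDED = {
    "1001": ("Download signed ActiveX controls", 1),
    "1004": ("Download unsigned ActiveX controls", 3),
    "1200": ("Run ActiveX controls and plug-ins", 0),
    "1201": ("Initialize and script ActiveX controls not marked as safe", 3),
    "1405": ("Script ActiveX controls marked safe for scripting", 1),
}
LEVEL = {0: "Enable", 1: "Prompt", 3: "Disable"}

# Constructed sample .reg export (regedit, File > Export on the zone 3 key)
# from a machine where every ActiveX setting has been set to Enable.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"DisplayName"="Internet"
"1001"=dword:00000000
"1004"=dword:00000000
"1200"=dword:00000000
"1201"=dword:00000000
"1405"=dword:00000000
"""


def parse_zone_export(reg_text):
    """Map value name -> int for the dword values under the Internet zone (zone 3) key."""
    values = {}
    in_zone3 = False
    for line in reg_text.splitlines():
        if line.startswith("["):  # a new key section starts
            in_zone3 = line.rstrip("]").lower().endswith(r"\internet settings\zones\3")
            continue
        m = re.match(r'^"(\w+)"=dword:([0-9a-fA-F]{8})$', line.strip())
        if in_zone3 and m:
            values[m.group(1)] = int(m.group(2), 16)
    return values


def deviations(values):
    """(setting, current level, recommended level) for each setting that differs."""
    out = []
    for vid, (label, want) in RECOMMENDED.items():
        have = values.get(vid)
        if have != want:
            out.append((label, LEVEL.get(have, "missing"), LEVEL[want]))
    return out


if __name__ == "__main__":
    for label, have, want in deviations(parse_zone_export(SAMPLE_REG)):
        print("%s: currently %s, recommended %s" % (label, have, want))
```

A value that is absent from the export is reported as "missing" rather than assumed safe, because a missing value means Internet Explorer falls back to the zone's template default, which you should confirm in the Security tab rather than guess from the file.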