
Problems removing Win32.TDSS.rtk and other malware



Latrodectus
2009-05-29, 21:40
Hi, I write to you because my MSN Messenger has been shutting down and compulsively sending some kind of malware to all my contacts. Plus, my Internet Explorer and Firefox have been working terribly, especially Internet Explorer. I have ESET's free trial, Lavasoft's Ad-Aware free edition and Spybot Search & Destroy; they have all found and cleaned different malware, but only Spybot recognizes "Win32.TDSS.rtk", detailed as

Win32.TDSS.rtk: [SBI $DB1744B9] File (Archivo, nothing done)
C:\WINDOWS\system32\drivers\ovfsthxtpkbmqrm.sys
Properties.size=0
Properties.md5=16E1C9E1417E38B4A6EC73C8C3C19240

Win32.TDSS.rtk: [SBI $531954CE] File (Archivo, nothing done)
C:\WINDOWS\system32\ovfsthxeroprvvp.dat
Properties.size=0
Properties.md5=DEBFCCA461C0A48D56C24902798A56DE


--- Spybot - Search & Destroy version: 1.6.2 (build: 20090126) ---

2007-05-25 unins000.exe (51.41.0.0)
2008-01-28 SDDelFile.exe (1.0.2.4)
2008-08-14 SDWinSec.exe (1.0.0.12)
2009-03-05 TeaTimer.exe (1.6.6.32)
2009-01-26 blindman.exe (1.0.0.8)
2009-01-26 SDMain.exe (1.0.0.6)
2009-01-26 Update.exe (1.6.0.7)
2009-01-26 SDShred.exe (1.0.2.5)
2009-01-26 SDFiles.exe (1.6.1.7)
2009-01-26 SDUpdate.exe (1.6.0.12)
2009-01-26 SpybotSD.exe (1.6.2.46)
2009-04-19 unins001.exe (51.49.0.0)
2005-05-31 borlndmm.dll (7.0.4.453)
2005-05-31 delphimm.dll (7.0.4.453)
2005-05-31 UnzDll.dll (1.73.1.1)
2005-05-31 ZipDll.dll (1.73.2.0)
2007-04-02 aports.dll (2.1.0.0)
2008-06-14 DelZip179.dll (1.79.11.1)
2008-06-19 sqlite3.dll
2009-01-26 advcheck.dll (1.6.2.15)
2009-01-16 UninsSrv.dll (1.0.0.0)
2009-01-26 SDHelper.dll (1.6.2.14)
2009-01-26 Tools.dll (2.1.6.10)
2004-11-29 Includes\LSP.sbi (*)
2009-03-25 Includes\PUPS.sbi (*)
2009-01-13 Includes\Security.sbi (*)
2009-05-06 Includes\Keyloggers.sbi (*)
2009-05-12 Includes\Malware.sbi (*)
2009-05-12 Includes\Trojans.sbi (*)
2009-05-19 Includes\Dialer.sbi (*)
2008-06-03 Includes\Spybots.sbi (*)
2009-04-07 Includes\Spyware.sbi (*)
2009-05-19 Includes\Adware.sbi (*)
2009-05-26 Includes\Hijackers.sbi (*)
2009-01-22 Includes\Cookies.sbi (*)
2009-01-22 Includes\Revision.sbi (*)
2009-04-07 Includes\Tracks.uti
2009-05-26 Includes\TrojansC.sbi (*)
2008-06-03 Includes\SpybotsC.sbi (*)
2009-05-26 Includes\SecurityC.sbi (*)
2009-05-26 Includes\PUPSC.sbi (*)
2009-05-26 Includes\MalwareC.sbi (*)
2009-05-26 Includes\KeyloggersC.sbi (*)
2009-05-26 Includes\HijackersC.sbi (*)
2009-05-26 Includes\DialerC.sbi (*)
2009-01-22 Includes\HeavyDuty.sbi (*)
2009-05-26 Includes\AdwareC.sbi (*)
2009-05-26 Includes\SpywareC.sbi (*)
2007-12-24 Plugins\TCPIPAddress.dll
2008-03-04 Plugins\Chai.dll
2008-03-05 Plugins\Fennel.dll
2008-02-26 Plugins\Mate.dll


Spybot supposedly eliminates it, but then I check the system again and the malware is still there (and my MSN keeps shutting down and sending the link to my contacts). It's also frequent that a malware called "Virtumonde.sci" appears in the list, despite my antivirus and antispyware! And I don't want to think how many unrecognized malware I have. I would very much appreciate it if you recommended a good combination of antivirus + firewall + antispyware, because I really don't know which are GOOD and work well together. Oh, and they must be freeware, because my financial situation is pretty delicate. Thank you very much for your time, and I'm looking forward to hearing from you. Ah! Just in case, I'm pasting the HijackThis result (I already saved the registry with ERUNT):

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 01:27:37 p.m., on 29/05/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Archivos de programa\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\crypserv.exe
C:\Archivos de programa\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Archivos de programa\Java\jre6\bin\jqs.exe
C:\Archivos de programa\Archivos comunes\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\system32\svchost.exe
C:\ARCHIV~1\LAVASOFT\AD-AWA~1\Ad-Watch.exe
C:\WINDOWS\system32\msg32.exe
C:\Archivos de programa\Java\jre6\bin\jusched.exe
C:\Archivos de programa\ESET\ESET NOD32 Antivirus\egui.exe
C:\Archivos de programa\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Archivos de programa\Lavasoft\Ad-Aware\AAWTray.exe
C:\Archivos de programa\Mozilla Firefox\firefox.exe
C:\Archivos de programa\Google\Gmail Notifier\gnotify.exe
C:\Archivos de programa\Opera\opera.exe
C:\Archivos de programa\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.pagina12.com.ar/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
O2 - BHO: (no name) - {00802B89-BE50-47A6-833D-ECD330BB73A7} - C:\WINDOWS\system32\nwapi16d.dll (file missing)
O2 - BHO: (no name) - {2CAD3E0B-045B-41C8-8C35-34298F279365} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\ARCHIV~1\SPYBOT~1\SDHelper.dll
O2 - BHO: LuckyTender - {5E2402A0-5F99-4188-B30D-D8743996B340} - C:\Archivos de programa\LuckyTender\1.3.1\LuckyTender.dll (file missing)
O2 - BHO: (no name) - {68866312-bd50-4056-b439-26a821a2b770} - C:\WINDOWS\system32\furihepi.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Archivos de programa\Java\jre6\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: precisead - {83267afa-c1c3-0ae2-5b51-ceab693a8517} - C:\WINDOWS\system32\nsnCC83.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\ARCHIV~1\AVG\AVG8\AVGTOO~1.DLL (file missing)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Archivos de programa\Norton SystemWorks\Norton Antivirus\NavShExt.dll (file missing)
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Archivos de programa\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Archivos de programa\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: (no name) - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Archivos de programa\Norton SystemWorks\Norton Antivirus\NavShExt.dll (file missing)
O4 - HKLM\..\Run: [AWMON] "C:\ARCHIV~1\LAVASOFT\AD-AWA~1\Ad-Watch.exe"
O4 - HKLM\..\Run: [EW Message Server] msg32.exe
O4 - HKLM\..\Run: [EPSON Stylus CX1500 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I4V1.EXE /P26 "EPSON Stylus CX1500 Series" /O5 "LPT1:" /M "Stylus CX1500"
O4 - HKLM\..\Run: [EPSON Stylus CX1500 Series (Copiar 1)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I4V1.EXE /P37 "EPSON Stylus CX1500 Series (Copiar 1)" /O6 "USB001" /M "Stylus CX1500"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\ARCHIV~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Archivos de programa\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Archivos de programa\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Windows Logon Applicationedc] C:\Documents and Settings\Usuario\winlogon.exe
O4 - HKLM\..\Run: [egui] "C:\Archivos de programa\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Archivos de programa\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [adware_free_soft] C:\WINDOWS\promofreesoft.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICIO LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Servicio de red')
O4 - HKUS\S-1-5-21-725345543-1979792683-2147208981-500\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'Administrador')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: ERUNT AutoBackup.lnk = C:\Archivos de programa\ERUNT\AUTOBACK.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk.disabled
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre6\bin\jp2iexp.dll
O9 - Extra 'Tools' menuitem: Consola de Sun Java - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre6\bin\jp2iexp.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\ARCHIV~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\ARCHIV~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O16 - DPF: {512FC5A1-7DE1-43F1-BC0C-371622FCB409} (TotalScan Installer Class) - http://www.nanoscan.com/as/v1/cabs/ascstubie.cab
O16 - DPF: {8436FE12-31DB-48BF-83BF-FE682F9160B4} -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Archivos de programa\AVG\AVG8\avgpp.dll (file missing)
O20 - AppInit_DLLs: C:\WINDOWS\system32\levunana.dll c:\windows\system32\,c:\progra~1\ThunMail\testabd.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - (no file)
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Archivos de programa\Ares\chatServer.exe
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing)
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - Unknown owner - C:\ARCHIV~1\AVG\AVG8\avgemc.exe (file missing)
O23 - Service: AVG Free8 WatchDog (avg8wd) - Unknown owner - C:\ARCHIV~1\AVG\AVG8\avgwdsvc.exe (file missing)
O23 - Service: Crypkey License - CrypKey (Canada) Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Archivos de programa\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Archivos de programa\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Archivos de programa\Archivos comunes\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Archivos de programa\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Archivos de programa\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: Servicio Auto-Protect de Norton AntiVirus (navapsvc) - Unknown owner - C:\Archivos de programa\Norton SystemWorks\Norton Antivirus\navapsvc.exe (file missing)
O23 - Service: SAVScan - Unknown owner - C:\Archivos de programa\Norton SystemWorks\Norton Antivirus\SAVScan.exe (file missing)
O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Unknown owner - C:\Archivos de programa\Archivos comunes\Symantec Shared\SNDSrvc.exe (file missing)
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe (file missing)

--
End of file - 9142 bytes
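As an added example (not code from this thread, from HijackThis or from Safer Networking), here is a Python triage pass that encodes the checks a helper applies by eye to a log like the one above; the sample log is a constructed subset of the entries quoted in this post, and the rules are heuristics, so an entry they do not flag is not thereby clean.

```python
"""Heuristic triage of a HijackThis log (added example, not HijackThis's or the thread's code).

The rules encode checks a helper applies by eye: core Windows names launched from outside
the system directory, bare filenames in Run keys, orphaned or unnamed BHOs, anything in
AppInit_DLLs, and services with no publisher. SAMPLE_LOG is a constructed subset of the post.
"""
import re
from dataclasses import dataclass

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\system\\")
# Core Windows processes: the OS starts these itself; a Run key never needs to.
CORE_NAMES = {"winlogon.exe", "lsass.exe", "services.exe", "smss.exe", "csrss.exe", "svchost.exe"}
MISSING = ("(file missing)", "(no file)")


@dataclass
class Finding:
    section: str  # HijackThis section, e.g. "O4"
    name: str     # entry name as HijackThis prints it
    reason: str


def first_path(command: str) -> str:
    """Executable of an O4 command: quoted path, else the text up to the first program
    extension (unquoted paths with spaces are common in these logs), else the first token."""
    m = (re.match(r'\s*"([^"]+)"', command)
         or re.match(r"\s*(\S.*?\.(?:exe|dll|bat|cmd|scr|com))(?=\s|$)", command, re.I)
         or re.match(r"\s*(\S+)", command))
    return m.group(1) if m else ""


def lookalike(basename: str):
    """Core process name that `basename` imitates (lsasss.exe -> lsass.exe), or None."""
    for core in CORE_NAMES:
        if basename != core and basename.endswith(".exe") and core[:-4] in basename[:-4]:
            return core
    return None


def check_o4(name: str, command: str) -> list:
    path = first_path(command)
    low = path.lower()
    base = low.rsplit("\\", 1)[-1]
    if "\\" not in low:
        return [Finding("O4", name, f"bare filename {path}: found via the PATH search order")]
    if base in CORE_NAMES and not low.startswith(SYSTEM_DIRS):
        return [Finding("O4", name, f"core Windows name {base} launched from {path}")]
    core = lookalike(base)
    if core is not None:
        return [Finding("O4", name, f"{base} imitates the core process {core}")]
    return []


def check_o2(name: str, target: str) -> list:
    if target.endswith(MISSING):
        return [Finding("O2", name, f"orphaned BHO registration: {target}")]
    if name == "(no name)":
        return [Finding("O2", name, f"unnamed BHO loading a present DLL: {target}")]
    return []


def check_o20(value: str) -> list:
    # AppInit_DLLs is loaded into every process that maps user32.dll, so each DLL gets its
    # own finding; the stray "c:\windows\system32\," fragment in the log is not a DLL.
    dlls = [t for t in re.split(r"[\s,]+", value) if t.lower().endswith(".dll")]
    return [Finding("O20", "AppInit_DLLs", f"DLL injected into every GUI process: {d}") for d in dlls]


def check_o23(name: str, owner: str, target: str) -> list:
    if target.endswith(MISSING):
        return [Finding("O23", name, f"service whose binary is gone: {target}")]
    if owner == "Unknown owner":
        return [Finding("O23", name, f"service with no publisher information: {target}")]
    return []


def triage(log_text: str) -> list:
    """Run every rule over a HijackThis log; findings come back in log order."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if m := re.match(r"O4 - .*?: \[([^\]]+)\] (.*)$", line):
            findings += check_o4(m.group(1), m.group(2))
        elif m := re.match(r"O2 - BHO: (.*?) - \{[^}]+\} - (.*)$", line):
            findings += check_o2(m.group(1), m.group(2))
        elif m := re.match(r"O20 - AppInit_DLLs: (.*)$", line):
            findings += check_o20(m.group(1))
        elif m := re.match(r"O23 - Service: (.*?) - (.*?) - (.*)$", line):
            findings += check_o23(m.group(1), m.group(2), m.group(3))
    return findings


# Constructed subset of the entries quoted in the post above.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {00802B89-BE50-47A6-833D-ECD330BB73A7} - C:\WINDOWS\system32\nwapi16d.dll (file missing)
O2 - BHO: (no name) - {2CAD3E0B-045B-41C8-8C35-34298F279365} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\ARCHIV~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [EW Message Server] msg32.exe
O4 - HKLM\..\Run: [Windows Logon Applicationedc] C:\Documents and Settings\Usuario\winlogon.exe
O4 - HKLM\..\Run: [egui] "C:\Archivos de programa\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O20 - AppInit_DLLs: C:\WINDOWS\system32\levunana.dll c:\windows\system32\,c:\progra~1\ThunMail\testabd.dll
O23 - Service: Eset Service (ekrn) - ESET - C:\Archivos de programa\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: SAVScan - Unknown owner - C:\Archivos de programa\Norton SystemWorks\Norton Antivirus\SAVScan.exe (file missing)
O23 - Service: avast!Antivirus - Unknown owner - C:\WINDOWS\System32\avast!Antivirus.exe
"""
```

Calling `triage(SAMPLE_LOG)` returns eight findings for this sample: the two dead BHO registrations, the bare `msg32.exe`, the `winlogon.exe` started from a user profile, both AppInit DLLs, the Norton service whose binary is gone, and the "avast!Antivirus" service with no publisher.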

ken545
2009-05-30, 03:58
Hello Latrodectus

Welcome to Safer Networking.

Please read Before You Post (http://forums.spybot.info/showthread.php?t=288)
That said, all advice given by anyone volunteering here is taken at your own risk.
While best efforts are made to assist in removing infections safely, unexpected stuff can happen.


You have a variety of malware on this system.



Do this first...Important

Disable the TeaTimer and leave it disabled; do not turn it back on until we're done, or it will prevent fixes from taking effect.

Run Spybot-S&D in Advanced Mode.
If it is not already set to do this, go to the Mode menu and select "Advanced Mode".
On the left-hand side, click on Tools.
Then click on the Resident icon in the list.
Uncheck "Resident TeaTimer" and OK any prompts.
Restart your computer. <-- You need to do this for it to take effect.

Please do not proceed until the TeaTimer is disabled.






This tool needs to be run from Safe Mode to be effective, so download it to your desktop, then boot to Safe Mode to run it.



To Enter Safe Mode

Go to Start > Shut off your Computer > Restart.
As the computer starts to boot up, tap the F8 key somewhat rapidly;
this will bring up a menu.
Use the up and down arrow keys to scroll up to Safe Mode,
then press the Enter key on your keyboard.

Tutorial if you need it: How to boot into Safe Mode (http://www.bleepingcomputer.com/tutorials/tutorial61.html)

Download SDFix (http://downloads.andymanchesta.com/RemovalTools/SDFix.exe) and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following:
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, the Advanced Options Menu should appear;
Select the first option, to run Windows in Safe Mode, then press Enter.
Choose your usual account.

Open the extracted SDFix folder and double click RunThis.bat to start the script.
Type Y to begin the cleanup process.
It will remove any Trojan services and registry entries that it finds, then prompt you to press any key to reboot.
Press any key and it will restart the PC.
When the PC restarts, the Fixtool will run again and complete the removal process, then display Finished; press any key to end the script and load your desktop icons.
Once the desktop icons load, the SDFix report will open on screen and also be saved in the SDFix folder as Report.txt
(Report.txt will also be copied to the Clipboard, ready for posting back on the forum).
Finally, paste the contents of Report.txt back on the forum with a new HijackThis log.

Latrodectus
2009-05-31, 13:37
It seems it couldn't clean the infected files! The lsasss.exe has been on my computer for years; I have already had problems with it. And the ovfsthxtpkbmqrm.sys family is still there too. =(

SDFix: Version 1.240
Run by Usuario on 31/05/2009 at 04:16 a.m.

Microsoft Windows XP [Versión 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Default Security Values
Restoring Default Hosts File

Rebooting


Checking Files :

Trojan Files Found:



Could Not Remove C:\WINDOWS\system32\lsasss.exe



Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-31 05:00:00
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden services ...

HKLM\SYSTEM\CurrentControlSet\Services\Parportnspoixdk

scanning hidden autostart entries ...

scanning hidden files ...

C:\WINDOWS\system32\drivers\ovfsthxtpkbmqrm.sys 98304 bytes
C:\WINDOWS\system32\ovfsthxftjcbfoo.dll 65536 bytes
C:\WINDOWS\system32\ovfsthxeroprvvp.dat 32768 bytes
C:\WINDOWS\system32\ovfsthxymdbnpil.dll 32768 bytes
C:\WINDOWS\system32\ovfsthxkogmedvg.dll 32768 bytes

scan completed successfully
hidden processes: 0
hidden services: 1
hidden files: 5


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\\Archivos de programa\\MSN Messenger\\msncall.exe"="C:\\Archivos de programa\\MSN Messenger\\msncall.exe:*:Enabled:Windows Live Messenger 8.0 (Phone)"
"C:\\Documents and Settings\\Usuario\\Escritorio\\utorrent.exe"="C:\\Documents and Settings\\Usuario\\Escritorio\\utorrent.exe:*:Disabled:µTorrent"
"C:\\Archivos de programa\\Ares\\Ares.exe"="C:\\Archivos de programa\\Ares\\Ares.exe:*:Disabled:Ares"
"C:\\Archivos de programa\\eMule\\emule.exe"="C:\\Archivos de programa\\eMule\\emule.exe:*:Disabled:eMule"
"C:\\WINDOWS\\system32\\sessmgr.exe"="C:\\WINDOWS\\system32\\sessmgr.exe:*:Disabled:@xpsp2res.dll,-22019"
"C:\\Archivos de programa\\NetMeeting\\conf.exe"="C:\\Archivos de programa\\NetMeeting\\conf.exe:*:Disabled:Windows© NetMeeting©"
"C:\\WINDOWS\\System32\\ZoneLabs\\vsmon.exe"="C:\\WINDOWS\\System32\\ZoneLabs\\vsmon.exe:*:Enabled:TrueVector Service"
"C:\\Archivos de programa\\Soulseek-Test\\slsk.exe"="C:\\Archivos de programa\\Soulseek-Test\\slsk.exe:*:Enabled:SoulSeek"
"C:\\WINDOWS\\PCHEALTH\\HELPCTR\\BINARIES\\HelpCtr.exe"="C:\\WINDOWS\\PCHEALTH\\HELPCTR\\BINARIES\\HelpCtr.exe:*:Enabled:Asistencia remota - Windows Messenger and Voice"
"C:\\Archivos de programa\\Messenger\\MSMSGS.EXE"="C:\\Archivos de programa\\Messenger\\MSMSGS.EXE:*:Enabled:Windows Messenger"
"C:\\Archivos de programa\\uTorrent\\uTorrent.exe"="C:\\Archivos de programa\\uTorrent\\uTorrent.exe:*:Enabled:µTorrent"
"C:\\Archivos de programa\\Grisoft\\AVG7\\avginet.exe"="C:\\Archivos de programa\\Grisoft\\AVG7\\avginet.exe:*:Enabled:avginet.exe"
"C:\\Archivos de programa\\Grisoft\\AVG7\\avgamsvr.exe"="C:\\Archivos de programa\\Grisoft\\AVG7\\avgamsvr.exe:*:Enabled:avgamsvr.exe"
"C:\\Archivos de programa\\Grisoft\\AVG7\\avgcc.exe"="C:\\Archivos de programa\\Grisoft\\AVG7\\avgcc.exe:*:Enabled:avgcc.exe"
"C:\\WINDOWS\\System32\\ftp.exe"="C:\\WINDOWS\\System32\\ftp.exe:*:Enabled:Programa de transferencia de archivos"
"C:\\mIRC\\mirc.exe"="C:\\mIRC\\mirc.exe:*:Enabled:mIRC"
"C:\\Archivos de programa\\AVG\\AVG8\\avgemc.exe"="C:\\Archivos de programa\\AVG\\AVG8\\avgemc.exe:*:Enabled:avgemc.exe"
"C:\\Archivos de programa\\AVG\\AVG8\\avgupd.exe"="C:\\Archivos de programa\\AVG\\AVG8\\avgupd.exe:*:Enabled:avgupd.exe"
"C:\\WINDOWS\\System32\\WINLOGON.EXE"="C:\\WINDOWS\\System32\\WINLOGON.EXE:*:Enabled:winlogon"
"C:\\Archivos de programa\\MSN Messenger\\msnmsgr.exe"="C:\\Archivos de programa\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Archivos de programa\\MSN Messenger\\livecall.exe"="C:\\Archivos de programa\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Archivos de programa\\MSN Messenger\\msncall.exe"="C:\\Archivos de programa\\MSN Messenger\\msncall.exe:*:Enabled:Windows Live Messenger 8.0 (Phone)"
"C:\\Archivos de programa\\MSN Messenger\\msnmsgr.exe"="C:\\Archivos de programa\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Archivos de programa\\MSN Messenger\\livecall.exe"="C:\\Archivos de programa\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"

Remaining Files :

C:\WINDOWS\system32\lsasss.exe Found

File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Mon 3 Mar 2008 5,702 A..H. --- "C:\WINDOWS\nod32restoretemdono.reg"
Mon 26 Jan 2009 1,740,632 A.SHR --- "C:\Archivos de programa\Spybot - Search & Destroy\is-23BT1.tmp"
Mon 26 Jan 2009 5,365,592 A.SHR --- "C:\Archivos de programa\Spybot - Search & Destroy\is-FA09I.tmp"
Mon 26 Jan 2009 1,740,632 A.SHR --- "C:\Archivos de programa\Spybot - Search & Destroy\SDUpdate.exe"
Mon 26 Jan 2009 5,365,592 A.SHR --- "C:\Archivos de programa\Spybot - Search & Destroy\SpybotSD.exe"
Fri 11 Aug 2006 4,348 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Fri 27 Feb 2004 233,472 A..H. --- "C:\Archivos de programa\Image-Line\FL Studio 7\REX Shared Library.dll"
Mon 3 Mar 2008 568 A..H. --- "C:\System Volume Information\_restore{5950D50D-200B-4DB6-B90D-3AD995F33F63}\RP901\A0126225.reg"
Mon 3 Mar 2008 5,702 A..H. --- "C:\System Volume Information\_restore{5950D50D-200B-4DB6-B90D-3AD995F33F63}\RP901\A0126226.reg"
Fri 31 Oct 2008 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
Wed 21 Feb 2007 444 ...HR --- "C:\Documents and Settings\Usuario\Datos de programa\SecuROM\UserData\securom_v7_01.bak"
Wed 3 Mar 2004 22,016 A..H. --- "C:\Documents and Settings\Usuario\Escritorio\Nino\Textos\Poesías\~WRL0001.tmp"
Sat 17 Apr 2004 23,552 A..H. --- "C:\Documents and Settings\Usuario\Escritorio\Nino\Textos\Poesías\~WRL0003.tmp"

Finished!

Latrodectus
2009-05-31, 14:16
Sorry, this is the HiJackThis:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 08:13:25 a.m., on 31/05/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Archivos de programa\COMODO\COMODO Internet Security\cmdagent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Archivos de programa\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Archivos de programa\Avira\AntiVir Desktop\sched.exe
C:\Archivos de programa\Avira\AntiVir Desktop\avguard.exe
C:\WINDOWS\system32\crypserv.exe
C:\Archivos de programa\Java\jre6\bin\jqs.exe
C:\Archivos de programa\Archivos comunes\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\msg32.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I4V1.EXE
C:\Archivos de programa\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\avast!Antivirus.exe
C:\Archivos de programa\Lavasoft\Ad-Aware\AAWTray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Archivos de programa\Spybot - Search & Destroy\SpybotSD.exe
C:\Archivos de programa\Spybot - Search & Destroy\TeaTimer.exe
C:\Archivos de programa\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Archivos de programa\Mozilla Firefox\firefox.exe
C:\Archivos de programa\Opera\opera.exe
C:\Archivos de programa\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.pagina12.com.ar/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
O2 - BHO: (no name) - {00802B89-BE50-47A6-833D-ECD330BB73A7} - C:\WINDOWS\system32\nwapi16d.dll (file missing)
O2 - BHO: (no name) - {2CAD3E0B-045B-41C8-8C35-34298F279365} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\ARCHIV~1\SPYBOT~1\SDHelper.dll
O2 - BHO: LuckyTender - {5E2402A0-5F99-4188-B30D-D8743996B340} - C:\Archivos de programa\LuckyTender\1.3.1\LuckyTender.dll (file missing)
O2 - BHO: (no name) - {68866312-bd50-4056-b439-26a821a2b770} - C:\WINDOWS\system32\furihepi.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Archivos de programa\Java\jre6\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: precisead - {83267afa-c1c3-0ae2-5b51-ceab693a8517} - C:\WINDOWS\system32\nsnCC83.dll (file missing)
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\ARCHIV~1\AVG\AVG8\AVGTOO~1.DLL (file missing)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Archivos de programa\Norton SystemWorks\Norton Antivirus\NavShExt.dll (file missing)
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Archivos de programa\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Archivos de programa\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: (no name) - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Archivos de programa\Norton SystemWorks\Norton Antivirus\NavShExt.dll (file missing)
O4 - HKLM\..\Run: [AWMON] "C:\ARCHIV~1\LAVASOFT\AD-AWA~1\Ad-Watch.exe"
O4 - HKLM\..\Run: [EW Message Server] msg32.exe
O4 - HKLM\..\Run: [EPSON Stylus CX1500 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I4V1.EXE /P26 "EPSON Stylus CX1500 Series" /O5 "LPT1:" /M "Stylus CX1500"
O4 - HKLM\..\Run: [EPSON Stylus CX1500 Series (Copiar 1)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I4V1.EXE /P37 "EPSON Stylus CX1500 Series (Copiar 1)" /O6 "USB001" /M "Stylus CX1500"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\ARCHIV~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Archivos de programa\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Archivos de programa\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [egui] "C:\Archivos de programa\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [adware_free_soft] C:\WINDOWS\promofreesoft.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Archivos de programa\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICIO LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Servicio de red')
O4 - HKUS\S-1-5-21-725345543-1979792683-2147208981-500\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'Administrador')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: ERUNT AutoBackup.lnk = C:\Archivos de programa\ERUNT\AUTOBACK.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk.disabled
O4 - Global Startup: Microsoft Office.lnk = C:\Archivos de programa\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre6\bin\jp2iexp.dll
O9 - Extra 'Tools' menuitem: Consola de Sun Java - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre6\bin\jp2iexp.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\ARCHIV~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\ARCHIV~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O16 - DPF: {512FC5A1-7DE1-43F1-BC0C-371622FCB409} (TotalScan Installer Class) - http://www.nanoscan.com/as/v1/cabs/ascstubie.cab
O16 - DPF: {8436FE12-31DB-48BF-83BF-FE682F9160B4} -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Archivos de programa\AVG\AVG8\avgpp.dll (file missing)
O20 - AppInit_DLLs: C:\WINDOWS\system32\levunana.dll c:\windows\system32\,c:\progra~1\ThunMail\testabd.dll C:\WINDOWS\system32\cssdll32.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - (no file)
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Archivos de programa\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Archivos de programa\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Archivos de programa\Ares\chatServer.exe
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing)
O23 - Service: avast!Antivirus - Unknown owner - C:\WINDOWS\System32\avast!Antivirus.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - Unknown owner - C:\ARCHIV~1\AVG\AVG8\avgemc.exe (file missing)
O23 - Service: AVG Free8 WatchDog (avg8wd) - Unknown owner - C:\ARCHIV~1\AVG\AVG8\avgwdsvc.exe (file missing)
O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - Unknown owner - C:\Archivos de programa\COMODO\COMODO Internet Security\cmdagent.exe
O23 - Service: Crypkey License - CrypKey (Canada) Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Archivos de programa\Archivos comunes\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Archivos de programa\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Archivos de programa\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: Servicio Auto-Protect de Norton AntiVirus (navapsvc) - Unknown owner - C:\Archivos de programa\Norton SystemWorks\Norton Antivirus\navapsvc.exe (file missing)
O23 - Service: SAVScan - Unknown owner - C:\Archivos de programa\Norton SystemWorks\Norton Antivirus\SAVScan.exe (file missing)
O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Unknown owner - C:\Archivos de programa\Archivos comunes\Symantec Shared\SNDSrvc.exe (file missing)
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe (file missing)

--
End of file - 9639 bytes

ken545
2009-05-31, 14:21
Hi,

This is some nasty stuff you have; it's going to take some work to remove it.


Download ComboFix from one of these locations:

Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)
Link 3 (http://subs.geekstogo.com/ComboFix.exe)

* IMPORTANT !!! Save ComboFix.exe to your Desktop


Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
See this Link (http://www.bleepingcomputer.com/forums/topic114351.html) for programs that need to be disabled and instructions on how to disable them.
Remember to re-enable them when we're done.


Double click on ComboFix.exe & follow the prompts.


As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.


Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

http://i24.photobucket.com/albums/c30/ken545/RcAuto1.gif


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

http://i24.photobucket.com/albums/c30/ken545/whatnext.jpg

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply along with a New Hijackthis log.

*If there is no internet connection when Combofix has completely finished then restart your computer to restore back the connections.

Latrodectus
2009-06-01, 00:24
I can't use ComboFix because there's an old AVG free scan running and I don't know how to stop it. I thought I had uninstalled it a long time ago, but ComboFix tells me this file still remains: avgrrstx.dll, and it's impossible to eliminate! I also have problems deactivating Ad-Aware; it doesn't exit even if I click the option!

Latrodectus
2009-06-01, 00:26
Sorry, the file is avgrsstx.dll.

ken545
2009-06-01, 00:32
Do this

Do this first...Important

Disable the TeaTimer, leave it disabled, and do not turn it back on until we're done or it will prevent fixes from taking.

Run Spybot-S&D in Advanced Mode.
If it is not already set to do this, go to the Mode menu and select "Advanced Mode".
On the left hand side, click on Tools.
Then click on the Resident icon in the list.
Uncheck "Resident TeaTimer" and OK any prompts.
Restart your computer. <-- You need to do this for it to take effect.

Please do not proceed until the TeaTimer is disabled



Run Combofix in Safemode

To Enter Safemode

Go to Start> Shut off your Computer> Restart
As the computer starts to boot-up, Tap the F8 KEY somewhat rapidly,
this will bring up a menu.
Use the Up and Down Arrow Keys to scroll up to Safemode
Then press the Enter Key on your Keyboard

Tutorial if you need it How to boot into Safemode (http://www.bleepingcomputer.com/tutorials/tutorial61.html)

Latrodectus
2009-06-01, 01:10
The teatimer is disabled, but even in Safemode ComboFix keeps saying that AVG FREE scan is on!

ken545
2009-06-01, 01:14
You can still run it

Latrodectus
2009-06-01, 02:43
Here are the results of the ComboFix:

ComboFix 09-05-31.02 - Usuario 31/05/2009 20:18.1 - FAT32x86 MINIMAL
Microsoft Windows XP Professional 5.1.2600.2.1252.34.3082.18.1535.1269 [GMT -3:00]
Running from: c:\documents and settings\Usuario\Escritorio\ComboFix.exe
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: COMODO Firewall *enabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\drivers\ovfsthxtpkbmqrm.sys
c:\windows\system32\ftp_non_crp.exe
c:\windows\system32\ovfsthxeroprvvp.dat
c:\windows\system32\ovfsthxftjcbfoo.dll
c:\windows\system32\ovfsthxkogmedvg.dll
c:\windows\system32\ovfsthxsxbuqynq.dat
c:\windows\system32\ovfsthxymdbnpil.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_AVAST!ANTIVIRUS
-------\Service_avast!Antivirus


((((((((((((((((((((((((( Files Created from 2009-04-28 to 2009-05-31 )))))))))))))))))))))))))))))))
.

2009-05-31 23:15 . 2009-05-31 23:15 -------- d-sh--w- C:\FOUND.019
2009-05-31 07:12 . 2009-05-31 07:12 -------- d-----w- c:\windows\ERUNT
2009-05-31 07:05 . 2008-11-06 05:03 -------- d-----w- C:\SDFix
2009-05-30 08:54 . 2009-05-30 08:54 -------- d--h--w- c:\windows\PIF
2009-05-30 06:45 . 2009-05-30 06:45 -------- d-----w- c:\documents and settings\NetworkService\Escritorio
2009-05-30 00:43 . 2009-05-30 00:43 -------- d-----r- c:\documents and settings\LocalService\Favoritos
2009-05-29 23:05 . 2009-05-29 23:05 253688 ----a-w- c:\windows\system32\cssdll32.dll
2009-05-29 22:57 . 2009-05-29 22:57 -------- d-----w- c:\documents and settings\All Users\Datos de programa\Comodo
2009-05-29 22:57 . 2009-05-29 22:57 82080 ----a-w- c:\windows\system32\drivers\inspect.sys
2009-05-29 22:57 . 2009-05-29 22:57 24096 ----a-w- c:\windows\system32\drivers\cmdhlp.sys
2009-05-29 22:57 . 2009-05-29 22:57 168208 ----a-w- c:\windows\system32\guard32.dll
2009-05-29 22:57 . 2009-05-29 22:57 132640 ----a-w- c:\windows\system32\drivers\cmdguard.sys
2009-05-29 22:57 . 2009-05-29 22:57 -------- d-----w- c:\archivos de programa\COMODO
2009-05-29 22:43 . 2009-05-29 22:43 -------- d-----w- c:\documents and settings\All Users\Datos de programa\TEMP
2009-05-29 22:43 . 2009-05-29 22:43 -------- d-----w- c:\archivos de programa\SpywareBlaster
2009-05-29 22:18 . 2009-03-30 13:33 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys
2009-05-29 22:18 . 2009-03-24 19:08 55640 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-05-29 22:18 . 2009-02-13 15:29 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2009-05-29 22:18 . 2009-02-13 15:17 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2009-05-29 22:17 . 2009-05-29 22:18 -------- d-----w- c:\documents and settings\All Users\Datos de programa\Avira
2009-05-29 22:17 . 2009-05-29 22:18 -------- d-----w- c:\archivos de programa\Avira
2009-05-29 16:10 . 2009-05-29 16:10 -------- d-----w- c:\archivos de programa\Trend Micro
2009-05-29 16:01 . 2009-05-29 16:01 -------- d-----w- c:\archivos de programa\ERUNT
2009-05-29 00:45 . 2009-05-29 00:45 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2009-05-28 03:52 . 2009-05-28 03:52 -------- d-----w- c:\archivos de programa\Opera
2009-05-27 22:09 . 2009-05-27 22:09 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2009-05-27 20:49 . 2009-05-27 20:05 15688 ----a-w- c:\windows\system32\lsdelete.exe
2009-05-27 20:17 . 2009-05-27 20:18 -------- d-----w- c:\documents and settings\LocalService\Escritorio
2009-05-27 20:05 . 2009-05-27 20:03 64160 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-05-27 20:05 . 2009-05-27 20:05 314200 ----a-w- c:\documents and settings\All Users\Datos de programa\Lavasoft\Ad-Aware\Update\threatwork.exe
2009-05-27 20:05 . 2009-05-27 20:05 25440 ----a-w- c:\documents and settings\All Users\Datos de programa\Lavasoft\Ad-Aware\Update\savapibridge.dll
2009-05-27 20:04 . 2009-05-27 20:05 169312 ----a-w- c:\documents and settings\All Users\Datos de programa\Lavasoft\Ad-Aware\Update\lavamessage.dll
2009-05-27 20:04 . 2009-05-27 20:05 15688 ----a-w- c:\documents and settings\All Users\Datos de programa\Lavasoft\Ad-Aware\Update\lsdelete.exe
2009-05-27 20:04 . 2009-05-27 20:04 348496 ----a-w- c:\documents and settings\All Users\Datos de programa\Lavasoft\Ad-Aware\Update\lavalicense.dll
2009-05-27 20:04 . 2009-05-27 20:04 294240 ----a-w- c:\documents and settings\All Users\Datos de programa\Lavasoft\Ad-Aware\Update\UpdateManager.dll
2009-05-27 20:04 . 2009-05-27 20:04 83808 ----a-w- c:\documents and settings\All Users\Datos de programa\Lavasoft\Ad-Aware\Update\ShellExt.dll
2009-05-27 20:04 . 2009-05-27 20:04 1630048 ----a-w- c:\documents and settings\All Users\Datos de programa\Lavasoft\Ad-Aware\Update\Resources.dll
2009-05-27 20:03 . 2009-05-27 20:03 212848 ----a-w- c:\documents and settings\All Users\Datos de programa\Lavasoft\Ad-Aware\Update\RPAPI.dll
2009-05-27 20:03 . 2009-05-27 20:03 40288 ----a-w- c:\documents and settings\All Users\Datos de programa\Lavasoft\Ad-Aware\Update\PrivacyClean.dll
2009-05-27 20:03 . 2009-05-27 20:03 64160 ----a-w- c:\documents and settings\All Users\Datos de programa\Lavasoft\Ad-Aware\Update\Drivers\32\lbd.sys
2009-05-27 20:03 . 2009-05-27 20:03 640360 ----a-w- c:\documents and settings\All Users\Datos de programa\Lavasoft\Ad-Aware\Update\CEAPI.dll
2009-05-27 20:03 . 2009-05-27 20:03 540536 ----a-w- c:\documents and settings\All Users\Datos de programa\Lavasoft\Ad-Aware\Update\Ad-AwareCommand.exe
2009-05-27 20:03 . 2009-05-27 20:03 559464 ----a-w- c:\documents and settings\All Users\Datos de programa\Lavasoft\Ad-Aware\Update\Ad-AwareAdmin.exe
2009-05-27 20:03 . 2009-05-27 20:03 2352456 ----a-w- c:\documents and settings\All Users\Datos de programa\Lavasoft\Ad-Aware\Update\Ad-Aware.exe
2009-05-27 20:03 . 2009-05-27 20:03 627536 ----a-w- c:\documents and settings\All Users\Datos de programa\Lavasoft\Ad-Aware\Update\AAWWSC.exe
2009-05-27 20:02 . 2009-05-27 20:03 518488 ----a-w- c:\documents and settings\All Users\Datos de programa\Lavasoft\Ad-Aware\Update\AAWTray.exe
2009-05-27 20:02 . 2009-05-27 20:02 1005904 ----a-w- c:\documents and settings\All Users\Datos de programa\Lavasoft\Ad-Aware\Update\AAWService.exe
2009-05-27 19:51 . 2009-05-27 19:51 -------- d--h--w- c:\documents and settings\All Users\Datos de programa\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-05-27 19:51 . 2009-03-12 08:17 2902048 ----a-w- c:\documents and settings\All Users\Datos de programa\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}\Ad-AwareAE.exe
2009-05-27 19:51 . 2009-05-27 19:51 -------- d-----w- c:\documents and settings\All Users\Datos de programa\Lavasoft
2009-05-27 18:46 . 2009-05-27 18:46 -------- d-----w- c:\documents and settings\Administrador\Datos de programa\Lavasoft
2009-05-27 18:45 . 2009-05-27 18:45 -------- d-sh--w- c:\documents and settings\Administrador\IETldCache
2009-05-26 09:44 . 2009-05-26 09:44 -------- d-sh--w- c:\windows\system32\config\systemprofile\PrivacIE
2009-05-25 01:19 . 2009-05-25 01:19 -------- d-----w- c:\documents and settings\Usuario\Datos de programa\Apple Computer
2009-05-20 17:11 . 2009-05-20 17:11 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-05-18 05:19 . 2009-05-18 05:19 -------- d-sh--w- c:\documents and settings\Usuario\PrivacIE
2009-05-18 05:17 . 2009-05-18 05:17 -------- d-sh--w- c:\documents and settings\Usuario\IETldCache
2009-05-18 05:00 . 2009-05-18 05:00 -------- d--h--w- c:\windows\ie8
2009-05-18 04:58 . 2009-05-18 04:58 -------- d--h--w- c:\windows\msdownld.tmp
2009-05-17 08:46 . 2009-05-17 08:46 -------- d-----w- C:\program Files
2009-05-16 22:31 . 2009-05-16 22:31 -------- d-----w- c:\documents and settings\Usuario\Tracing
2009-05-16 22:22 . 2009-05-16 22:22 -------- d-----w- c:\archivos de programa\Archivos comunes\Windows Live
2009-05-06 14:31 . 2009-05-06 14:31 -------- d-----w- c:\documents and settings\All Users\Datos de programa\Adobe Systems
2009-05-06 14:30 . 2009-05-07 12:50 85728 ----a-w- c:\windows\system32\2062c6b9-9015-34e4-2f08-63dae0dcf2d0.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-30 02:00 . 2001-08-24 15:00 66780 ----a-w- c:\windows\system32\perfc00A.dat
2009-05-30 02:00 . 2001-08-24 15:00 390786 ----a-w- c:\windows\system32\perfh00A.dat
2009-03-08 07:34 . 2004-08-19 21:42 914944 ----a-w- c:\windows\system32\wininet.dll
2009-03-08 07:34 . 2004-08-19 21:42 43008 ----a-w- c:\windows\system32\licmgr10.dll
2009-03-08 07:33 . 2004-08-19 21:41 18944 ----a-w- c:\windows\system32\corpol.dll
2009-03-08 07:33 . 2004-08-19 21:42 420352 ----a-w- c:\windows\system32\vbscript.dll
2009-03-08 07:32 . 2004-08-19 21:41 72704 ----a-w- c:\windows\system32\admparse.dll
2009-03-08 07:32 . 2004-08-19 21:42 71680 ----a-w- c:\windows\system32\iesetup.dll
2009-03-08 07:31 . 2004-08-19 21:42 34816 ----a-w- c:\windows\system32\imgutil.dll
2009-03-08 07:31 . 2004-08-19 21:39 48128 ----a-w- c:\windows\system32\mshtmler.dll
2009-03-08 07:31 . 2004-08-19 21:42 45568 ----a-w- c:\windows\system32\mshta.exe
2009-03-08 07:22 . 2001-08-24 15:00 156160 ----a-w- c:\windows\system32\msls31.dll
.

((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2006-08-20 17:12 . 2004-06-10 14:54 286720 c:\windows\bak\vsnpstd2.exe

2004-05-31 08:49 . 2004-05-31 08:49 99840 c:\windows\system32\spool\drivers\w32x86\3\bak\E_S4I4V1.EXE
2004-05-31 08:49 . 2004-03-22 15:00 99840 c:\windows\system32\spool\drivers\w32x86\3\E_S4I4V1.EXE

2006-09-02 04:25 . 2005-11-10 16:03 36975 c:\archivos de programa\Java\jre1.5.0_06\bin\bak\jusched.exe

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-19 15360]
"adware_free_soft"="c:\windows\promofreesoft.exe" [N/A]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AWMON"="c:\archiv~1\LAVASOFT\AD-AWA~1\Ad-Watch.exe" [N/A]
"EPSON Stylus CX1500 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_S4I4V1.EXE" [2004-03-22 99840]
"EPSON Stylus CX1500 Series (Copiar 1)"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_S4I4V1.EXE" [2004-03-22 99840]
"AVG8_TRAY"="c:\archiv~1\AVG\AVG8\avgtray.exe" [N/A]
"SunJavaUpdateSched"="c:\archivos de programa\Java\jre6\bin\jusched.exe" [2008-12-04 136600]
"QuickTime Task"="c:\archivos de programa\QuickTime\qttask.exe" [2009-01-05 413696]
"egui"="c:\archivos de programa\ESET\ESET NOD32 Antivirus\egui.exe" [N/A]
"MSConfig"="c:\windows\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2004-08-19 159744]
"EW Message Server"="msg32.exe" - c:\windows\system32\msg32.exe [2005-06-17 45056]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-19 15360]
"ALUAlert"="c:\archivos de programa\Symantec\LiveUpdate\ALUNotify.exe" [N/A]

c:\documents and settings\Usuario\Men£ Inicio\Programas\Inicio\
ERUNT AutoBackup.lnk - c:\archivos de programa\ERUNT\AUTOBACK.EXE [2005-10-20 38912]

c:\documents and settings\All Users\Men£ Inicio\Programas\Inicio\
Adobe Gamma Loader.lnk.disabled [2007-3-11 1921]
Microsoft Office.lnk - c:\archivos de programa\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-02-02 11:13 10520 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\cssdll32.dll

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32
"midi"= gmidi.dll
"wave1"= serwvdrv.dll
"wave3"= serwvdrv.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"MSMSGS"="c:\archivos de programa\Messenger\msmsgs.exe" /background
"CTFMON.EXE"=c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"ccApp"="c:\archivos de programa\Archivos comunes\Symantec Shared\ccApp.exe"
"EPSON Stylus CX1500 Series (Copiar 1)"=c:\windows\System32\spool\DRIVERS\W32X86\3\E_S4I4V1.EXE /P37 "EPSON Stylus CX1500 Series (Copiar 1)" /O6 "USB002" /M "Stylus CX1500"
"EPSON Stylus CX1500 Series"=c:\windows\System32\spool\DRIVERS\W32X86\3\E_S4I4V1.EXE /P26 "EPSON Stylus CX1500 Series" /O6 "USB001" /M "Stylus CX1500"
"GhostStartTrayApp"=c:\archivos de programa\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
"Zone Labs Client"="c:\archivos de programa\Zone Labs\ZoneAlarm\zlclient.exe"
"Symantec NetDriver Monitor"=c:\archiv~1\SYMNET~1\SNDMon.exe
"QuickTime Task"="c:\archivos de programa\QuickTime\qttask.exe" -atboottime
"SunJavaUpdateSched"="c:\archivos de programa\Java\jre1.6.0_02\bin\jusched.exe"
"SNPSTD2"=c:\windows\vsnpstd2.exe
"Lexmark_X79-55"=c:\windows\system32\lsasss.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Archivos de programa\\Ares\\Ares.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Archivos de programa\\NetMeeting\\conf.exe"=
"c:\\WINDOWS\\PCHEALTH\\HELPCTR\\BINARIES\\HelpCtr.exe"=
"c:\\Archivos de programa\\Messenger\\MSMSGS.EXE"=
"c:\\Archivos de programa\\uTorrent\\uTorrent.exe"=
"c:\\WINDOWS\\System32\\ftp.exe"=
"c:\\mIRC\\mirc.exe"=
"c:\\Archivos de programa\\MSN Messenger\\msnmsgr.exe"=
"c:\\Archivos de programa\\MSN Messenger\\livecall.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [27/05/2009 05:05 p.m. 64160]
S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\Drivers\avgldx86.sys --> c:\windows\system32\Drivers\avgldx86.sys [?]
S1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\Drivers\avgtdix.sys --> c:\windows\system32\Drivers\avgtdix.sys [?]
S1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdguard.sys [29/05/2009 07:57 p.m. 132640]
S1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [29/05/2009 07:57 p.m. 24096]
S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\archivos de programa\Avira\AntiVir Desktop\sched.exe [29/05/2009 07:18 p.m. 108289]
S2 avg8emc;AVG Free8 E-mail Scanner;c:\archiv~1\AVG\AVG8\avgemc.exe --> c:\archiv~1\AVG\AVG8\avgemc.exe [?]
S2 avg8wd;AVG Free8 WatchDog;c:\archiv~1\AVG\AVG8\avgwdsvc.exe --> c:\archiv~1\AVG\AVG8\avgwdsvc.exe [?]
S3 epflt15;epflt15;c:\windows\system32\DRIVERS\epflt15.SYS --> c:\windows\system32\DRIVERS\epflt15.SYS [?]
S3 EWAVE;EWAVE;c:\windows\system32\drivers\ew.sys [30/08/2007 08:54 p.m. 1706784]
S3 FILESPY;FILESPY;c:\windows\system32\drivers\FileSpy.sys [30/08/2007 08:54 p.m. 26992]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\archivos de programa\Lavasoft\Ad-Aware\AAWService.exe [09/03/2009 04:06 p.m. 1005904]
S3 NMUSB;NMUSB;c:\windows\system32\drivers\nmusb.sys [16/05/2006 08:22 p.m. 23520]
S3 NSTATION;NSTATION;c:\windows\system32\drivers\NSTATION.sys [30/08/2007 08:54 p.m. 18912]
.
Contents of the 'Scheduled Tasks' folder

2009-05-29 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\archivos de programa\Apple Software Update\SoftwareUpdate.exe [2008-07-30 15:34]

2009-05-16 c:\windows\Tasks\Spybot - Search & Destroy - Scheduled Task.job
- c:\archivos de programa\Spybot - Search & Destroy\SpybotSD.exe [2007-05-25 18:31]

2009-05-27 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\archivos de programa\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 20:03]
.
- - - - ORPHANS REMOVED - - - -

BHO-{00802B89-BE50-47A6-833D-ECD330BB73A7} - c:\windows\system32\nwapi16d.dll
BHO-{2CAD3E0B-045B-41C8-8C35-34298F279365} - (no file)
BHO-{68866312-bd50-4056-b439-26a821a2b770} - c:\windows\system32\furihepi.dll
BHO-{83267afa-c1c3-0ae2-5b51-ceab693a8517} - c:\windows\system32\nsnCC83.dll
Notify-WgaLogon - (no file)
SafeBoot-procexp90.Sys


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.pagina12.com.ar/
uInternet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch
FF - ProfilePath - c:\documents and settings\Usuario\Datos de programa\Mozilla\Firefox\Profiles\8wxzlq4z.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www7.yoog.com/search.php?q=
FF - prefs.js: browser.search.selectedEngine - Yoog Search
FF - prefs.js: browser.startup.homepage - hxxp://www.pagina12.com.ar/
FF - prefs.js: keyword.URL - hxxp://www7.yoog.com/search.php?q=
FF - plugin: c:\archivos de programa\QuickTime\Plugins\npqtplugin8.dll

---- FIREFOX POLICIES ----
FF - user.js: google.toolbar.linkdoctor.enabled - false
FF - user.js: browser.search.defaultenginename - Yoog Search
FF - user.js: browser.search.defaulturl - hxxp://www7.yoog.com/search.php?q=
FF - user.js: browser.search.selectedEngine - Yoog Search
FF - user.js: keyword.URL - hxxp://www7.yoog.com/search.php?q=
FF - user.js: keyword.enabled - true
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-31 20:24
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\Ø•€|ÿÿÿÿ•€|ù•9~*]
"5E7CEC10DF0760D4F8DAFB12FDC06CCD"="02:\\Software\\Adobe\\FeatureSubscriptions\\DVAAdobeDocMeta\\{01CEC7E5-70FD-4D06-8FAD-BF21DF0CC6DC}\\Registered"
"AB141C35E9F4BF344B9FC010BB17F68A"=""
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(272)
c:\windows\system32\l3codecx.acm
c:\windows\system32\vorbis.acm

- - - - - - - > 'explorer.exe'(1404)
c:\windows\system32\ieframe.dll
.
Completion time: 2009-05-31 20:27 - machine was rebooted
ComboFix-quarantined-files.txt 2009-05-31 23:27

Pre-Run: 40.602.501.120 bytes libres
Post-Run: 41.177.219.072 bytes libres

Current=2 Default=2 Failed=1 LastKnownGood=3 Sets=,1,2,3,4,5,6,7,8,9
251 --- E O F --- 2009-01-27 23:15

And here are the results of the HJT:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 08:41:09 p.m., on 31/05/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Archivos de programa\COMODO\COMODO Internet Security\cmdagent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Archivos de programa\Avira\AntiVir Desktop\sched.exe
C:\Archivos de programa\Avira\AntiVir Desktop\avguard.exe
C:\WINDOWS\system32\crypserv.exe
C:\WINDOWS\system32\msg32.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I4V1.EXE
C:\Archivos de programa\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Archivos de programa\Java\jre6\bin\jqs.exe
C:\Archivos de programa\Archivos comunes\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Archivos de programa\Spybot - Search & Destroy\TeaTimer.exe
C:\Archivos de programa\COMODO\COMODO Internet Security\cfp.exe
C:\Archivos de programa\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Archivos de programa\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.pagina12.com.ar/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
O2 - BHO: (no name) - {00802B89-BE50-47A6-833D-ECD330BB73A7} - (no file)
O2 - BHO: (no name) - {2CAD3E0B-045B-41C8-8C35-34298F279365} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\ARCHIV~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5E2402A0-5F99-4188-B30D-D8743996B340} - (no file)
O2 - BHO: (no name) - {68866312-bd50-4056-b439-26a821a2b770} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Archivos de programa\Java\jre6\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {83267afa-c1c3-0ae2-5b51-ceab693a8517} - (no file)
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\ARCHIV~1\AVG\AVG8\AVGTOO~1.DLL (file missing)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Archivos de programa\Norton SystemWorks\Norton Antivirus\NavShExt.dll (file missing)
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Archivos de programa\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Archivos de programa\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: (no name) - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Archivos de programa\Norton SystemWorks\Norton Antivirus\NavShExt.dll (file missing)
O4 - HKLM\..\Run: [AWMON] "C:\ARCHIV~1\LAVASOFT\AD-AWA~1\Ad-Watch.exe"
O4 - HKLM\..\Run: [EW Message Server] msg32.exe
O4 - HKLM\..\Run: [EPSON Stylus CX1500 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I4V1.EXE /P26 "EPSON Stylus CX1500 Series" /O5 "LPT1:" /M "Stylus CX1500"
O4 - HKLM\..\Run: [EPSON Stylus CX1500 Series (Copiar 1)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I4V1.EXE /P37 "EPSON Stylus CX1500 Series (Copiar 1)" /O6 "USB001" /M "Stylus CX1500"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\ARCHIV~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Archivos de programa\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Archivos de programa\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [egui] "C:\Archivos de programa\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [adware_free_soft] C:\WINDOWS\promofreesoft.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Archivos de programa\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICIO LOCAL')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: ERUNT AutoBackup.lnk = C:\Archivos de programa\ERUNT\AUTOBACK.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk.disabled
O4 - Global Startup: Microsoft Office.lnk = C:\Archivos de programa\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre6\bin\jp2iexp.dll
O9 - Extra 'Tools' menuitem: Consola de Sun Java - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre6\bin\jp2iexp.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\ARCHIV~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\ARCHIV~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O16 - DPF: {512FC5A1-7DE1-43F1-BC0C-371622FCB409} (TotalScan Installer Class) - http://www.nanoscan.com/as/v1/cabs/ascstubie.cab
O16 - DPF: {8436FE12-31DB-48BF-83BF-FE682F9160B4} -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Archivos de programa\AVG\AVG8\avgpp.dll (file missing)
O20 - AppInit_DLLs: C:\WINDOWS\system32\cssdll32.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Archivos de programa\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Archivos de programa\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Archivos de programa\Ares\chatServer.exe
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing)
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - Unknown owner - C:\ARCHIV~1\AVG\AVG8\avgemc.exe (file missing)
O23 - Service: AVG Free8 WatchDog (avg8wd) - Unknown owner - C:\ARCHIV~1\AVG\AVG8\avgwdsvc.exe (file missing)
O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - Unknown owner - C:\Archivos de programa\COMODO\COMODO Internet Security\cmdagent.exe
O23 - Service: Crypkey License - CrypKey (Canada) Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Archivos de programa\Archivos comunes\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Archivos de programa\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Archivos de programa\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: Servicio Auto-Protect de Norton AntiVirus (navapsvc) - Unknown owner - C:\Archivos de programa\Norton SystemWorks\Norton Antivirus\navapsvc.exe (file missing)
O23 - Service: SAVScan - Unknown owner - C:\Archivos de programa\Norton SystemWorks\Norton Antivirus\SAVScan.exe (file missing)
O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Unknown owner - C:\Archivos de programa\Archivos comunes\Symantec Shared\SNDSrvc.exe (file missing)
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe (file missing)

--
End of file - 8653 bytes
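The AWF section of the ComboFix log above lists files next to a copy that was moved into a `bak` folder. This added Python script (not from the thread, ComboFix or any tool named here) parses those lines, pairs each backed-up original with whatever now sits at its path, and summarises how the replacement differs so the analyst knows which originals are restore candidates; the meaning of the two timestamp columns is assumed, and the script treats them only as first and second.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# The three AWF entries below are copied from the ComboFix log in this thread
# (not constructed). Each line carries two timestamps, a size in bytes and a
# path; which timestamp is "modified" and which "created" is not stated in
# the log, so they are treated here only as "first" and "second".
AWF_SECTION = r"""
2006-08-20 17:12 . 2004-06-10 14:54 286720 c:\windows\bak\vsnpstd2.exe

2004-05-31 08:49 . 2004-05-31 08:49 99840 c:\windows\system32\spool\drivers\w32x86\3\bak\E_S4I4V1.EXE
2004-05-31 08:49 . 2004-03-22 15:00 99840 c:\windows\system32\spool\drivers\w32x86\3\E_S4I4V1.EXE

2006-09-02 04:25 . 2005-11-10 16:03 36975 c:\archivos de programa\Java\jre1.5.0_06\bin\bak\jusched.exe
"""

LINE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "  # first timestamp
    r"(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "      # second timestamp
    r"(\d+) "                                 # size in bytes
    r"(.+)$"                                  # full path
)

BAK_MARKER = "\\bak\\"  # the original is parked in a sibling "bak" folder


@dataclass
class AwfEntry:
    stamp1: str
    stamp2: str
    size: int
    path: str

    @property
    def is_backup(self) -> bool:
        return BAK_MARKER in self.path.lower()

    @property
    def live_path(self) -> str:
        """Path the original occupied before it was moved into the bak folder."""
        idx = self.path.lower().find(BAK_MARKER)
        if idx < 0:
            return self.path
        return self.path[:idx] + "\\" + self.path[idx + len(BAK_MARKER):]


@dataclass
class Finding:
    live_path: str
    backup: AwfEntry
    live: Optional[AwfEntry]
    verdict: str


def parse_awf(text: str) -> List[AwfEntry]:
    """Parse the lines of a ComboFix AWF section; blank or foreign lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append(AwfEntry(m.group(1), m.group(2), int(m.group(3)), m.group(4)))
    return entries


def triage_awf(entries: List[AwfEntry]) -> List[Finding]:
    """Pair every backed-up original with whatever now sits at its path.

    Every backup is a restore candidate regardless of verdict: the verdict only
    describes how the replacement looks in the log, so the analyst knows what
    to expect when examining the live file on disk.
    """
    by_path: Dict[str, AwfEntry] = {e.path.lower(): e for e in entries}
    findings = []
    for backup in entries:
        if not backup.is_backup:
            continue
        live = by_path.get(backup.live_path.lower())
        if live is None:
            verdict = "live copy not listed in AWF; check what is at that path before restoring"
        elif live.size != backup.size:
            verdict = "live copy differs in size from the original"
        elif (live.stamp1, live.stamp2) != (backup.stamp1, backup.stamp2):
            verdict = "live copy matches the original's size but its timestamps differ"
        else:
            verdict = "live copy has identical metadata; compare file hashes"
        findings.append(Finding(backup.live_path, backup, live, verdict))
    return findings


def report(findings: List[Finding]) -> List[str]:
    """One human-readable line per backed-up original."""
    lines = []
    for f in findings:
        live_desc = f"{f.live.size} bytes" if f.live else "not listed"
        lines.append(f"{f.live_path}: original {f.backup.size} bytes, live {live_desc} -> {f.verdict}")
    return lines


if __name__ == "__main__":
    for line in report(triage_awf(parse_awf(AWF_SECTION))):
        print(line)
```

For the E_S4I4V1.EXE pair in this log the sizes are identical, which is why the script falls back to comparing timestamps rather than trusting size alone.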

ken545
2009-06-01, 03:22
Hello,

I knew you could do it :bigthumb: Combofix removed the TDSS rootkit, but it also found other nasty programs that we need to remove.

uTorrent <-- If you're using programs like this you're going to keep getting infected; read this please.

We have noticed that many people seeking help from us are coming with infections contracted from the use of P2P programs.

Because of this, we changed our malware forum's policy on the use of P2P file sharing programs.


If your helper detects the presence of such programs on your computer he/she will ask you to remove them. Help will be withdrawn should you not agree to their removal.
If we clean your computer of infection, and you return to us a short time later with an infection contracted by the use of P2P programs, volunteer analysts will refuse their help.


We do not ask you to do this without reason.


P2P (File Sharing) programs form a direct conduit onto your computer, their security measures are easily circumvented, and Malware writers are increasingly exploiting them to spread their wares onto your computer. Further to that, if your P2P program is not configured correctly you may be sharing more files than you realize. There have been cases where people's Passwords, Address Books and other personal, private, and financial details have been exposed to the file sharing network by a badly configured program.

Many of the programs come bundled with other unwanted programs, but even the ones free of any bundled software are not safe to use.

This article from InfoWorld illustrates the dangers of a poorly configured P2P program.
http://www.infoworld.com/article/07/09/06/...ID-theft_1.html (http://www.infoworld.com/article/07/09/06/Seattle-man-arrested-for-p-to-p-ID-theft_1.html)

When you use them you are downloading software from an unknown source directly onto your computer, bypassing your Firewall and Anti-Virus software. Hardly surprising then that many of these Downloads are being targeted to carry infections.


You have THREE ANTI VIRUS PROGRAMS RUNNING. This is not recommended; it is overkill, they will use a large amount of system resources and slow your system down. You should only have one, keep it updated and run a scan about once a week. You have Avira, AVG Free and Symantec; your call, but you need to uninstall 2 of them via Add/Remove Programs in the Control Panel.


You still have the TeaTimer in Spybot enabled along with Ad Watch in Ad-Aware, disable them both.

Do this first...Important

Disable the TeaTimer and leave it disabled. Do not turn it back on until we're done, or it will prevent fixes from taking.

Run Spybot-S&D in Advanced Mode.
If it is not already set to do this, go to the Mode menu and select "Advanced Mode".
On the left hand side, Click on Tools
Then click on the Resident Icon in the List
Uncheck "Resident TeaTimer" and OK any prompts.
Restart your computer.<--You need to do this for it to take effect

Please do not proceed until the TeaTimer is disabled


You need to disable AdWatch in Ad-Aware SE Personal, as it can stop our fix.

To Disable AdWatch

Open Ad-Aware SE Personal
Go to the AdWatch User Interface.
Go to Tools and Preferences.
At the bottom of the screen you will see 2 options
Active: This will turn Ad-Watch On\Off without closing it.
Automatic: Suspicious activity will be blocked automatically
Uncheck both options.
You should enable these after resolving your problem.






Open HijackThis > Do a System Scan Only. Close your browser and all open windows, including this one; the only program or window you should have open is HijackThis. Check the following entries and click on Fix Checked.

O2 - BHO: (no name) - {00802B89-BE50-47A6-833D-ECD330BB73A7} - (no file)
O2 - BHO: (no name) - {2CAD3E0B-045B-41C8-8C35-34298F279365} - (no file)
O2 - BHO: (no name) - {5E2402A0-5F99-4188-B30D-D8743996B340} - (no file)
O2 - BHO: (no name) - {68866312-bd50-4056-b439-26a821a2b770} - (no file)
O2 - BHO: (no name) - {83267afa-c1c3-0ae2-5b51-ceab693a8517} - (no file)





You have a file infector virus that has infected the following files under AWF. What this trojan has done is move the clean file to a backup folder and install its own infected copy in its place.

Open Notepad: go to Start > All Programs > Accessories > Notepad (this will only work with Notepad) and copy all the text inside the Codebox by highlighting it all and pressing CTRL C on your keyboard, then paste it into Notepad. Make sure there is no space before and above AWF::




AWF::
c:\windows\bak\vsnpstd2.exe
c:\windows\system32\spool\drivers\w32x86\3\bak\E_S4I4V1.EXE
c:\archivos de programa\Java\jre1.5.0_06\bin\bak\jusched.exe

File::
c:\windows\promofreesoft.exe

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"adware_free_soft"=-


Save this as CFScript to your desktop.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

http://i24.photobucket.com/albums/c30/ken545/CFScriptB-4.gif


This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

Latrodectus
2009-06-01, 05:54
Here I am again. Thank you for your quick response, I appreciate your help very much. Three things:

1) I already deleted uTorrent, but I have a problem with those antivirus programs. I supposedly eliminated SYMANTEC long ago -almost two years!-, then I got AVG Free, and then I eliminated it when I got NOD32 -but I guess the problem is I didn't uninstall them, just removed the folders-. Finally, when I came to this forum and read some recommendations I downloaded Avira and got rid of NOD32. So... Windows doesn't recognize any of those antivirus programs as installed programs, and I have no way of uninstalling them; they are nowhere to be found! And, for example, the remaining AVG Free file is in use and it's impossible to remove it.

2) The ComboFix result:

ComboFix 09-05-31.02 - Usuario 31/05/2009 23:23.2 - FAT32x86 MINIMAL
Microsoft Windows XP Professional 5.1.2600.2.1252.34.3082.18.1535.1274 [GMT -3:00]
Running from: c:\documents and settings\Usuario\Escritorio\ComboFix.exe
Command switches used :: c:\documents and settings\Usuario\Escritorio\CFScript.txt
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: COMODO Firewall *enabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
"c:\windows\promofreesoft.exe"
.

((((((((((((((((((((((((( Files Created from 2009-05-01 to 2009-06-01 )))))))))))))))))))))))))))))))
.

2009-05-31 23:15 . 2009-05-31 23:15 -------- d-sh--w- C:\FOUND.019
2009-05-31 07:12 . 2009-05-31 07:12 -------- d-----w- c:\windows\ERUNT
2009-05-31 07:05 . 2008-11-06 05:03 -------- d-----w- C:\SDFix
2009-05-30 08:54 . 2009-05-30 08:54 -------- d--h--w- c:\windows\PIF
2009-05-30 06:45 . 2009-05-30 06:45 -------- d-----w- c:\documents and settings\NetworkService\Escritorio
2009-05-30 00:43 . 2009-05-30 00:43 -------- d-----r- c:\documents and settings\LocalService\Favoritos
2009-05-29 23:05 . 2009-05-29 23:05 253688 ----a-w- c:\windows\system32\cssdll32.dll
2009-05-29 22:57 . 2009-05-29 22:57 -------- d-----w- c:\documents and settings\All Users\Datos de programa\Comodo
2009-05-29 22:57 . 2009-05-29 22:57 82080 ----a-w- c:\windows\system32\drivers\inspect.sys
2009-05-29 22:57 . 2009-05-29 22:57 24096 ----a-w- c:\windows\system32\drivers\cmdhlp.sys
2009-05-29 22:57 . 2009-05-29 22:57 168208 ----a-w- c:\windows\system32\guard32.dll
2009-05-29 22:57 . 2009-05-29 22:57 132640 ----a-w- c:\windows\system32\drivers\cmdguard.sys
2009-05-29 22:57 . 2009-05-29 22:57 -------- d-----w- c:\archivos de programa\COMODO
2009-05-29 22:43 . 2009-05-29 22:43 -------- d-----w- c:\documents and settings\All Users\Datos de programa\TEMP
2009-05-29 22:43 . 2009-05-29 22:43 -------- d-----w- c:\archivos de programa\SpywareBlaster
2009-05-29 22:18 . 2009-03-30 13:33 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys
2009-05-29 22:18 . 2009-03-24 19:08 55640 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-05-29 22:18 . 2009-02-13 15:29 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2009-05-29 22:18 . 2009-02-13 15:17 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2009-05-29 22:17 . 2009-05-29 22:18 -------- d-----w- c:\documents and settings\All Users\Datos de programa\Avira
2009-05-29 22:17 . 2009-05-29 22:18 -------- d-----w- c:\archivos de programa\Avira
2009-05-29 16:10 . 2009-05-29 16:10 -------- d-----w- c:\archivos de programa\Trend Micro
2009-05-29 16:01 . 2009-05-29 16:01 -------- d-----w- c:\archivos de programa\ERUNT
2009-05-29 00:45 . 2009-05-29 00:45 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2009-05-28 03:52 . 2009-05-28 03:52 -------- d-----w- c:\archivos de programa\Opera
2009-05-27 22:09 . 2009-05-27 22:09 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2009-05-27 20:49 . 2009-05-27 20:05 15688 ----a-w- c:\windows\system32\lsdelete.exe
2009-05-27 20:17 . 2009-05-27 20:18 -------- d-----w- c:\documents and settings\LocalService\Escritorio
2009-05-27 20:05 . 2009-05-27 20:03 64160 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-05-27 20:05 . 2009-05-27 20:05 314200 ----a-w- c:\documents and settings\All Users\Datos de programa\Lavasoft\Ad-Aware\Update\threatwork.exe
2009-05-27 20:05 . 2009-05-27 20:05 25440 ----a-w- c:\documents and settings\All Users\Datos de programa\Lavasoft\Ad-Aware\Update\savapibridge.dll
2009-05-27 20:04 . 2009-05-27 20:05 169312 ----a-w- c:\documents and settings\All Users\Datos de programa\Lavasoft\Ad-Aware\Update\lavamessage.dll
2009-05-27 20:04 . 2009-05-27 20:05 15688 ----a-w- c:\documents and settings\All Users\Datos de programa\Lavasoft\Ad-Aware\Update\lsdelete.exe
2009-05-27 20:04 . 2009-05-27 20:04 348496 ----a-w- c:\documents and settings\All Users\Datos de programa\Lavasoft\Ad-Aware\Update\lavalicense.dll
2009-05-27 20:04 . 2009-05-27 20:04 294240 ----a-w- c:\documents and settings\All Users\Datos de programa\Lavasoft\Ad-Aware\Update\UpdateManager.dll
2009-05-27 20:04 . 2009-05-27 20:04 83808 ----a-w- c:\documents and settings\All Users\Datos de programa\Lavasoft\Ad-Aware\Update\ShellExt.dll
2009-05-27 20:04 . 2009-05-27 20:04 1630048 ----a-w- c:\documents and settings\All Users\Datos de programa\Lavasoft\Ad-Aware\Update\Resources.dll
2009-05-27 20:03 . 2009-05-27 20:03 212848 ----a-w- c:\documents and settings\All Users\Datos de programa\Lavasoft\Ad-Aware\Update\RPAPI.dll
2009-05-27 20:03 . 2009-05-27 20:03 40288 ----a-w- c:\documents and settings\All Users\Datos de programa\Lavasoft\Ad-Aware\Update\PrivacyClean.dll
2009-05-27 20:03 . 2009-05-27 20:03 64160 ----a-w- c:\documents and settings\All Users\Datos de programa\Lavasoft\Ad-Aware\Update\Drivers\32\lbd.sys
2009-05-27 20:03 . 2009-05-27 20:03 640360 ----a-w- c:\documents and settings\All Users\Datos de programa\Lavasoft\Ad-Aware\Update\CEAPI.dll
2009-05-27 20:03 . 2009-05-27 20:03 540536 ----a-w- c:\documents and settings\All Users\Datos de programa\Lavasoft\Ad-Aware\Update\Ad-AwareCommand.exe
2009-05-27 20:03 . 2009-05-27 20:03 559464 ----a-w- c:\documents and settings\All Users\Datos de programa\Lavasoft\Ad-Aware\Update\Ad-AwareAdmin.exe
2009-05-27 20:03 . 2009-05-27 20:03 2352456 ----a-w- c:\documents and settings\All Users\Datos de programa\Lavasoft\Ad-Aware\Update\Ad-Aware.exe
2009-05-27 20:03 . 2009-05-27 20:03 627536 ----a-w- c:\documents and settings\All Users\Datos de programa\Lavasoft\Ad-Aware\Update\AAWWSC.exe
2009-05-27 20:02 . 2009-05-27 20:03 518488 ----a-w- c:\documents and settings\All Users\Datos de programa\Lavasoft\Ad-Aware\Update\AAWTray.exe
2009-05-27 20:02 . 2009-05-27 20:02 1005904 ----a-w- c:\documents and settings\All Users\Datos de programa\Lavasoft\Ad-Aware\Update\AAWService.exe
2009-05-27 19:51 . 2009-05-27 19:51 -------- d--h--w- c:\documents and settings\All Users\Datos de programa\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-05-27 19:51 . 2009-03-12 08:17 2902048 ----a-w- c:\documents and settings\All Users\Datos de programa\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}\Ad-AwareAE.exe
2009-05-27 19:51 . 2009-05-27 19:51 -------- d-----w- c:\documents and settings\All Users\Datos de programa\Lavasoft
2009-05-27 18:46 . 2009-05-27 18:46 -------- d-----w- c:\documents and settings\Administrador\Datos de programa\Lavasoft
2009-05-27 18:45 . 2009-05-27 18:45 -------- d-sh--w- c:\documents and settings\Administrador\IETldCache
2009-05-26 09:44 . 2009-05-26 09:44 -------- d-sh--w- c:\windows\system32\config\systemprofile\PrivacIE
2009-05-25 01:19 . 2009-05-25 01:19 -------- d-----w- c:\documents and settings\Usuario\Datos de programa\Apple Computer
2009-05-20 17:11 . 2009-05-20 17:11 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-05-18 05:19 . 2009-05-18 05:19 -------- d-sh--w- c:\documents and settings\Usuario\PrivacIE
2009-05-18 05:17 . 2009-05-18 05:17 -------- d-sh--w- c:\documents and settings\Usuario\IETldCache
2009-05-18 05:00 . 2009-05-18 05:00 -------- d--h--w- c:\windows\ie8
2009-05-18 04:58 . 2009-05-18 04:58 -------- d--h--w- c:\windows\msdownld.tmp
2009-05-17 08:46 . 2009-05-17 08:46 -------- d-----w- C:\program Files
2009-05-16 22:31 . 2009-05-16 22:31 -------- d-----w- c:\documents and settings\Usuario\Tracing
2009-05-16 22:22 . 2009-05-16 22:22 -------- d-----w- c:\archivos de programa\Archivos comunes\Windows Live
2009-05-06 14:31 . 2009-05-06 14:31 -------- d-----w- c:\documents and settings\All Users\Datos de programa\Adobe Systems
2009-05-06 14:30 . 2009-05-07 12:50 85728 ----a-w- c:\windows\system32\2062c6b9-9015-34e4-2f08-63dae0dcf2d0.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-30 02:00 . 2001-08-24 15:00 66780 ----a-w- c:\windows\system32\perfc00A.dat
2009-05-30 02:00 . 2001-08-24 15:00 390786 ----a-w- c:\windows\system32\perfh00A.dat
2009-03-08 07:34 . 2004-08-19 21:42 914944 ----a-w- c:\windows\system32\wininet.dll
2009-03-08 07:34 . 2004-08-19 21:42 43008 ----a-w- c:\windows\system32\licmgr10.dll
2009-03-08 07:33 . 2004-08-19 21:41 18944 ----a-w- c:\windows\system32\corpol.dll
2009-03-08 07:33 . 2004-08-19 21:42 420352 ----a-w- c:\windows\system32\vbscript.dll
2009-03-08 07:32 . 2004-08-19 21:41 72704 ----a-w- c:\windows\system32\admparse.dll
2009-03-08 07:32 . 2004-08-19 21:42 71680 ----a-w- c:\windows\system32\iesetup.dll
2009-03-08 07:31 . 2004-08-19 21:42 34816 ----a-w- c:\windows\system32\imgutil.dll
2009-03-08 07:31 . 2004-08-19 21:39 48128 ----a-w- c:\windows\system32\mshtmler.dll
2009-03-08 07:31 . 2004-08-19 21:42 45568 ----a-w- c:\windows\system32\mshta.exe
2009-03-08 07:22 . 2001-08-24 15:00 156160 ----a-w- c:\windows\system32\msls31.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-05-31_23.24.38 )))))))))))))))))))))))))))))))))))))))))
.
+ 2004-05-31 08:49 . 2004-05-31 08:49 99840 c:\windows\system32\spool\drivers\w32x86\3\E_S4I4V1.EXE
- 2004-05-31 08:49 . 2004-03-22 15:00 99840 c:\windows\system32\spool\drivers\w32x86\3\E_S4I4V1.EXE
+ 2006-08-20 17:12 . 2004-06-10 14:54 286720 c:\windows\vsnpstd2.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-19 15360]
"SpybotSD TeaTimer"="c:\archivos de programa\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"EPSON Stylus CX1500 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_S4I4V1.EXE" [2004-05-31 99840]
"EPSON Stylus CX1500 Series (Copiar 1)"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_S4I4V1.EXE" [2004-05-31 99840]
"SunJavaUpdateSched"="c:\archivos de programa\Java\jre6\bin\jusched.exe" [2008-12-04 136600]
"QuickTime Task"="c:\archivos de programa\QuickTime\qttask.exe" [2009-01-05 413696]
"MSConfig"="c:\windows\pchealth\helpctr\Binaries\MSCONFIG.EXE" [2004-08-19 159744]
"EW Message Server"="msg32.exe" - c:\windows\system32\msg32.exe [2005-06-17 45056]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-19 15360]

c:\documents and settings\Usuario\Men£ Inicio\Programas\Inicio\
ERUNT AutoBackup.lnk - c:\archivos de programa\ERUNT\AUTOBACK.EXE [2005-10-20 38912]

c:\documents and settings\All Users\Men£ Inicio\Programas\Inicio\
Adobe Gamma Loader.lnk.disabled [2007-3-11 1921]
Microsoft Office.lnk - c:\archivos de programa\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-02-02 11:13 10520 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WgaLogon]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\cssdll32.dll

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32
"midi"= gmidi.dll
"wave1"= serwvdrv.dll
"wave3"= serwvdrv.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"MSMSGS"="c:\archivos de programa\Messenger\msmsgs.exe" /background
"CTFMON.EXE"=c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"ccApp"="c:\archivos de programa\Archivos comunes\Symantec Shared\ccApp.exe"
"EPSON Stylus CX1500 Series (Copiar 1)"=c:\windows\System32\spool\DRIVERS\W32X86\3\E_S4I4V1.EXE /P37 "EPSON Stylus CX1500 Series (Copiar 1)" /O6 "USB002" /M "Stylus CX1500"
"EPSON Stylus CX1500 Series"=c:\windows\System32\spool\DRIVERS\W32X86\3\E_S4I4V1.EXE /P26 "EPSON Stylus CX1500 Series" /O6 "USB001" /M "Stylus CX1500"
"GhostStartTrayApp"=c:\archivos de programa\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
"Zone Labs Client"="c:\archivos de programa\Zone Labs\ZoneAlarm\zlclient.exe"
"Symantec NetDriver Monitor"=c:\archiv~1\SYMNET~1\SNDMon.exe
"QuickTime Task"="c:\archivos de programa\QuickTime\qttask.exe" -atboottime
"SunJavaUpdateSched"="c:\archivos de programa\Java\jre1.6.0_02\bin\jusched.exe"
"SNPSTD2"=c:\windows\vsnpstd2.exe
"Lexmark_X79-55"=c:\windows\system32\lsasss.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Archivos de programa\\Ares\\Ares.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Archivos de programa\\NetMeeting\\conf.exe"=
"c:\\WINDOWS\\PCHEALTH\\HELPCTR\\BINARIES\\HelpCtr.exe"=
"c:\\Archivos de programa\\Messenger\\MSMSGS.EXE"=
"c:\\WINDOWS\\System32\\ftp.exe"=
"c:\\mIRC\\mirc.exe"=
"c:\\Archivos de programa\\MSN Messenger\\msnmsgr.exe"=
"c:\\Archivos de programa\\MSN Messenger\\livecall.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [27/05/2009 05:05 p.m. 64160]
S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\Drivers\avgldx86.sys --> c:\windows\system32\Drivers\avgldx86.sys [?]
S1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\Drivers\avgtdix.sys --> c:\windows\system32\Drivers\avgtdix.sys [?]
S1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdguard.sys [29/05/2009 07:57 p.m. 132640]
S1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [29/05/2009 07:57 p.m. 24096]
S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\archivos de programa\Avira\AntiVir Desktop\sched.exe [29/05/2009 07:18 p.m. 108289]
S2 avg8emc;AVG Free8 E-mail Scanner;c:\archiv~1\AVG\AVG8\avgemc.exe --> c:\archiv~1\AVG\AVG8\avgemc.exe [?]
S2 avg8wd;AVG Free8 WatchDog;c:\archiv~1\AVG\AVG8\avgwdsvc.exe --> c:\archiv~1\AVG\AVG8\avgwdsvc.exe [?]
S3 epflt15;epflt15;c:\windows\system32\DRIVERS\epflt15.SYS --> c:\windows\system32\DRIVERS\epflt15.SYS [?]
S3 EWAVE;EWAVE;c:\windows\system32\drivers\ew.sys [30/08/2007 08:54 p.m. 1706784]
S3 FILESPY;FILESPY;c:\windows\system32\drivers\FileSpy.sys [30/08/2007 08:54 p.m. 26992]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\archivos de programa\Lavasoft\Ad-Aware\AAWService.exe [09/03/2009 04:06 p.m. 1005904]
S3 NMUSB;NMUSB;c:\windows\system32\drivers\nmusb.sys [16/05/2006 08:22 p.m. 23520]
S3 NSTATION;NSTATION;c:\windows\system32\drivers\NSTATION.sys [30/08/2007 08:54 p.m. 18912]
.
Contents of the 'Scheduled Tasks' folder

2009-05-29 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\archivos de programa\Apple Software Update\SoftwareUpdate.exe [2008-07-30 15:34]

2009-05-16 c:\windows\Tasks\Spybot - Search & Destroy - Scheduled Task.job
- c:\archivos de programa\Spybot - Search & Destroy\SpybotSD.exe [2007-05-25 18:31]

2009-05-27 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\archivos de programa\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 20:03]
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-AWMON - c:\archiv~1\LAVASOFT\AD-AWA~1\Ad-Watch.exe
HKU-Default-Run-ALUAlert - c:\archivos de programa\Symantec\LiveUpdate\ALUNotify.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.pagina12.com.ar/
uInternet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch
FF - ProfilePath - c:\documents and settings\Usuario\Datos de programa\Mozilla\Firefox\Profiles\8wxzlq4z.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www7.yoog.com/search.php?q=
FF - prefs.js: browser.search.selectedEngine - Yoog Search
FF - prefs.js: browser.startup.homepage - hxxp://www.pagina12.com.ar/
FF - prefs.js: keyword.URL - hxxp://www7.yoog.com/search.php?q=
FF - plugin: c:\archivos de programa\QuickTime\Plugins\npqtplugin8.dll

---- FIREFOX POLICIES ----
FF - user.js: google.toolbar.linkdoctor.enabled - false
FF - user.js: browser.search.defaultenginename - Yoog Search
FF - user.js: browser.search.defaulturl - hxxp://www7.yoog.com/search.php?q=
FF - user.js: browser.search.selectedEngine - Yoog Search
FF - user.js: keyword.URL - hxxp://www7.yoog.com/search.php?q=
FF - user.js: keyword.enabled - true
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-31 23:26
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\Ø•€|ÿÿÿÿ•€|ù•9~*]
"5E7CEC10DF0760D4F8DAFB12FDC06CCD"="02:\\Software\\Adobe\\FeatureSubscriptions\\DVAAdobeDocMeta\\{01CEC7E5-70FD-4D06-8FAD-BF21DF0CC6DC}\\Registered"
"AB141C35E9F4BF344B9FC010BB17F68A"=""
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(272)
c:\windows\system32\l3codecx.acm
c:\windows\system32\vorbis.acm

- - - - - - - > 'explorer.exe'(1680)
c:\windows\system32\ieframe.dll
.
Completion time: 2009-06-01 23:28
ComboFix-quarantined-files.txt 2009-06-01 02:28
ComboFix2.txt 2009-05-31 23:27

Pre-Run: 41.171.124.224 bytes libres
Post-Run: 41.146.974.208 bytes libres

Current=2 Default=2 Failed=1 LastKnownGood=3 Sets=,1,2,3,4,5,6,7,8,9
233 --- E O F --- 2009-01-27 23:15





3) The HJT result:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:54:27 p.m., on 31/05/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Archivos de programa\COMODO\COMODO Internet Security\cmdagent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Archivos de programa\Avira\AntiVir Desktop\sched.exe
C:\Archivos de programa\Avira\AntiVir Desktop\avguard.exe
C:\WINDOWS\system32\msg32.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I4V1.EXE
C:\Archivos de programa\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Archivos de programa\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\crypserv.exe
C:\Archivos de programa\Java\jre6\bin\jqs.exe
C:\Archivos de programa\Archivos comunes\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Archivos de programa\Mozilla Firefox\firefox.exe
C:\Archivos de programa\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.pagina12.com.ar/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\ARCHIV~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Archivos de programa\Java\jre6\bin\ssv.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Archivos de programa\Norton SystemWorks\Norton Antivirus\NavShExt.dll (file missing)
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Archivos de programa\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Archivos de programa\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [EW Message Server] msg32.exe
O4 - HKLM\..\Run: [EPSON Stylus CX1500 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I4V1.EXE /P26 "EPSON Stylus CX1500 Series" /O5 "LPT1:" /M "Stylus CX1500"
O4 - HKLM\..\Run: [EPSON Stylus CX1500 Series (Copiar 1)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I4V1.EXE /P37 "EPSON Stylus CX1500 Series (Copiar 1)" /O6 "USB001" /M "Stylus CX1500"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Archivos de programa\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Archivos de programa\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Archivos de programa\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICIO LOCAL')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: ERUNT AutoBackup.lnk = C:\Archivos de programa\ERUNT\AUTOBACK.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk.disabled
O4 - Global Startup: Microsoft Office.lnk = C:\Archivos de programa\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre6\bin\jp2iexp.dll
O9 - Extra 'Tools' menuitem: Consola de Sun Java - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre6\bin\jp2iexp.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\ARCHIV~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\ARCHIV~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O16 - DPF: {8436FE12-31DB-48BF-83BF-FE682F9160B4} -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O20 - AppInit_DLLs: C:\WINDOWS\system32\cssdll32.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Archivos de programa\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Archivos de programa\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Archivos de programa\Ares\chatServer.exe
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing)
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - Unknown owner - C:\ARCHIV~1\AVG\AVG8\avgemc.exe (file missing)
O23 - Service: AVG Free8 WatchDog (avg8wd) - Unknown owner - C:\ARCHIV~1\AVG\AVG8\avgwdsvc.exe (file missing)
O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - Unknown owner - C:\Archivos de programa\COMODO\COMODO Internet Security\cmdagent.exe
O23 - Service: Crypkey License - CrypKey (Canada) Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Archivos de programa\Archivos comunes\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Archivos de programa\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Archivos de programa\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: Servicio Auto-Protect de Norton AntiVirus (navapsvc) - Unknown owner - C:\Archivos de programa\Norton SystemWorks\Norton Antivirus\navapsvc.exe (file missing)
O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Unknown owner - C:\Archivos de programa\Archivos comunes\Symantec Shared\SNDSrvc.exe (file missing)
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe (file missing)

--
End of file - 7052 bytes
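
A helper reads a HijackThis log like the one above by pattern: the O2 entries ken545 asked to fix end in "(no file)", the leftover AVG and Symantec O23 services end in "(file missing)", the O20 line names an AppInit_DLLs value, and one O4 Run value is a bare file name with no path. The Python script below is an added example, not HijackThis code and not anything posted by the thread's participants; it encodes those triage heuristics and runs them over sample lines copied from the logs in this thread (the flag texts are the example's own wording, and a flag means "review this", not "malicious").

```python
"""Triage heuristics for HijackThis (HJT) log lines.

Added example for this thread; it is not HijackThis code and not part of the
helper's instructions. It encodes the kind of reasoning a helper applies when
deciding which entries to "Fix Checked": orphaned O2 BHOs, O23 services whose
binary is missing, O20 AppInit_DLLs, O16 ActiveX entries with no source URL and
O4 Run values that name a bare executable without a path. A flag means "look
at this entry", not "this entry is malicious".
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: lines copied from the HJT logs quoted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {00802B89-BE50-47A6-833D-ECD330BB73A7} - (no file)
O2 - BHO: (no name) - {2CAD3E0B-045B-41C8-8C35-34298F279365} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\ARCHIV~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Archivos de programa\Norton SystemWorks\Norton Antivirus\NavShExt.dll (file missing)
O4 - HKLM\..\Run: [EW Message Server] msg32.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Archivos de programa\Java\jre6\bin\jusched.exe"
O16 - DPF: {8436FE12-31DB-48BF-83BF-FE682F9160B4} -
O20 - AppInit_DLLs: C:\WINDOWS\system32\cssdll32.dll
O23 - Service: AVG Free8 WatchDog (avg8wd) - Unknown owner - C:\ARCHIV~1\AVG\AVG8\avgwdsvc.exe (file missing)
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Archivos de programa\Avira\AntiVir Desktop\avguard.exe
"""

# "O4 - HKLM\..\Run: [name] command"  ->  section "O4", body = the rest.
ENTRY_RE = re.compile(r"^(O\d+|R\d)\s+-\s+(.*)$")
# Registry Run lines only; Startup-folder O4 lines do not match this.
RUN_RE = re.compile(r"^HK.*?\\Run[^:]*:\s*\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")


@dataclass
class Entry:
    section: str
    body: str
    flags: List[str] = field(default_factory=list)


def parse_entry(line: str) -> Optional[Entry]:
    """Split one HJT line into section and body; None for non-entry lines."""
    m = ENTRY_RE.match(line.strip())
    return Entry(m.group(1), m.group(2)) if m else None


def program_of(cmd: str) -> str:
    """Return the program part of a Run value, dropping its arguments."""
    cmd = cmd.strip()
    if cmd.startswith('"'):                      # quoted path, maybe followed by args
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    # Unquoted: in HJT logs the arguments begin with a switch such as " /P26"
    # or " -atboottime", so cut at the first whitespace-plus-switch boundary.
    return re.split(r"\s+[/-]", cmd, maxsplit=1)[0]


def review(entry: Entry) -> Entry:
    """Attach review flags to one entry using helper-style heuristics."""
    body = entry.body
    if entry.section == "O2":
        if body.endswith("(no file)"):
            entry.flags.append("BHO CLSID is registered but its DLL is gone (orphan)")
        elif body.endswith("(file missing)"):
            entry.flags.append("BHO points at a missing DLL (incomplete uninstall)")
        if body.startswith("BHO: (no name)"):
            entry.flags.append("BHO has no display name")
    elif entry.section == "O4":
        m = RUN_RE.match(body)
        if m and "\\" not in program_of(m.group("cmd")):
            entry.flags.append("Run value names a bare executable; which file runs depends on the search path")
    elif entry.section == "O16" and body.endswith(" -"):
        entry.flags.append("ActiveX (DPF) entry with no codebase URL")
    elif entry.section == "O20" and body.startswith("AppInit_DLLs:") and body.split(":", 1)[1].strip():
        entry.flags.append("AppInit_DLLs loads this DLL into every process that uses user32.dll; verify its publisher")
    elif entry.section == "O23" and "(file missing)" in body:
        entry.flags.append("Service is registered but its binary is missing (incomplete uninstall)")
    return entry


def review_log(text: str) -> List[Entry]:
    """Parse a whole HJT log and return only the entries that drew a flag."""
    flagged = []
    for line in text.splitlines():
        entry = parse_entry(line)
        if entry is not None and review(entry).flags:
            flagged.append(entry)
    return flagged


if __name__ == "__main__":
    for e in review_log(SAMPLE_LOG):
        print(f"{e.section} - {e.body}")
        for f in e.flags:
            print(f"    -> {f}")
```

Entries that draw no flag (the Spybot BHO, the quoted Java path, the Avira service) are exactly the ones a helper leaves alone; the script can be pointed at a full saved log by replacing `SAMPLE_LOG` with the file's contents.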

ken545
2009-06-01, 11:33
You never uninstall a program by just deleting the folder, you need to uninstall it via the Add Remove Programs in the Control Panel.

Symantec has a removal tool for uninstalling their product after a bad install or uninstall.
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2005033108162039




Open Hijackthis
Go to Misc Tools> Open Uninstall Manager.
Click on Save List.
The list will open in Notepad.
Copy and Paste the List into this thread

Latrodectus
2009-06-01, 22:52
Actualización de seguridad para el Reproductor de Windows Media (KB911564)
Actualización de seguridad para el Reproductor de Windows Media 11 (KB936782)
Actualización de seguridad para el Reproductor de Windows Media 11 (KB954154)
Actualización de seguridad para el Reproductor de Windows Media 6.4 (KB925398)
Actualización de seguridad para el Reproductor de Windows Media 9 (KB917734)
Actualización de seguridad para el Reproductor de Windows Media 9 (KB936782)
Actualización de seguridad para Windows Internet Explorer 7 (KB938127)
Actualización de seguridad para Windows Internet Explorer 7 (KB953838)
Actualización de seguridad para Windows Internet Explorer 7 (KB956390)
Actualización de seguridad para Windows XP (KB890046)
Actualización de seguridad para Windows XP (KB893756)
Actualización de seguridad para Windows XP (KB896358)
Actualización de seguridad para Windows XP (KB896423)
Actualización de seguridad para Windows XP (KB896428)
Actualización de seguridad para Windows XP (KB899587)
Actualización de seguridad para Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921503)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB929969)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931768)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933566)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB937894)
Security Update for Windows XP (KB938127)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB938829)
Security Update for Windows XP (KB939653)
Security Update for Windows XP (KB941202)
Security Update for Windows XP (KB941568)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB941644)
Security Update for Windows XP (KB941693)
Security Update for Windows XP (KB943055)
Security Update for Windows XP (KB943460)
Security Update for Windows XP (KB943485)
Security Update for Windows XP (KB944338)
Security Update for Windows XP (KB944653)
Security Update for Windows XP (KB945553)
Security Update for Windows XP (KB946026)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB947864)
Security Update for Windows XP (KB948590)
Security Update for Windows XP (KB948881)
Security Update for Windows XP (KB950749)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB958644)
Update for Windows XP (KB894391)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB927891)
Update for Windows XP (KB930916)
Update for Windows XP (KB931836)
Update for Windows XP (KB932823-v3)
Update for Windows XP (KB933360)
Update for Windows XP (KB938828)
Update for Windows XP (KB942763)
Update for Windows XP (KB942840)
Update for Windows XP (KB951072-v2)
Ad-Aware
Ad-Aware
Adobe Acrobat 4.0
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Photoshop CS
Apple Software Update
Ares 2.0.9
ASIO4ALL
Avira AntiVir Personal - Free Antivirus
BookDB2
Collab
COMODO Internet Security
COMODO SafeSurf
WinRAR archiver
Contextual Tool Precisead
Crystal Player Professional 1.98
CutePDF Writer 2.7
DivX Codec
DivX Plus DirectShow Filters
Easy CD & DVD Creator 6
English Pronouncing Dictionary
EPSON Printer Software
EPSON Scan Tool Light 1.0
ERUNT 1.1j
FL Studio 7
Google Gmail Notifier
Windows Live Upload Tool
HijackThis 2.0.2
Hotfix for Windows XP (KB915865)
Hotfix for Windows XP (KB926239)
IL Download Manager
Java(TM) 6 Update 10
Messenger Plus! Live
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office XP Professional with FrontPage
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Windows Journal Viewer
mIRC
Mozilla Firefox (3.0.10)
NetoDragon 56K Voice Modem
NVIDIA Drivers
Opera 9.62
QuickTime
Hotfix for Windows XP - KB873339
Hotfix for Windows XP - KB885835
Hotfix for Windows XP - KB885836
Hotfix for Windows XP - KB885884
Hotfix for Windows XP - KB886185
Hotfix for Windows XP - KB887472
Hotfix for Windows XP - KB888302
Hotfix for Windows XP - KB890859
Hotfix for Windows XP - KB891781
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
SoulSeek Client 156c
Spybot - Search & Destroy
SpywareBlaster 4.2
VC80CRTRedist - 8.0.50727.762
VideoCAM Look
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
Winamp (remove only)
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows Internet Explorer 8
Windows Live Messenger
WinZip

ken545
2009-06-01, 23:31
Hi,

Did you run the Norton Removal Tool?

Avira AntiVir Personal - Free Antivirus <-- You should be able to uninstall this one via the Add Remove Programs.

Do both things and then post a new HJT log

Latrodectus
2009-06-01, 23:43
Yes, I already ran the Norton application. But Avira is the antivirus I want to keep; the one I want to uninstall is AVG Free, but I stupidly deleted most of it without uninstalling it (a long time ago, when I was even more ignorant than I am now).

ken545
2009-06-02, 00:27
Post a new HJT log and let's see where we stand.

Latrodectus
2009-06-02, 01:52
I stand with you in the middle of the storm, don't leave me alone with these malware (?).
How do I uninstall AVG?
And what do we do next to eliminate the rest of the malware?
Avira ran an automatic analysis of the system and found and eliminated 8 pieces of malware!
What antivirus + firewall + antispyware do you recommend?

The HJT result:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 07:24:26 p.m., on 01/06/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Archivos de programa\COMODO\COMODO Internet Security\cmdagent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Archivos de programa\Avira\AntiVir Desktop\sched.exe
C:\Archivos de programa\Avira\AntiVir Desktop\avguard.exe
C:\WINDOWS\system32\crypserv.exe
C:\Archivos de programa\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\msg32.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I4V1.EXE
C:\Archivos de programa\Archivos comunes\Microsoft Shared\VS7Debug\mdm.exe
C:\Archivos de programa\Java\jre6\bin\jusched.exe
C:\Archivos de programa\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Archivos de programa\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\svchost.exe
C:\Archivos de programa\Opera\opera.exe
C:\WINDOWS\system32\SNDVOL32.EXE
C:\WINDOWS\system32\SNDVOL32.EXE
C:\WINDOWS\system32\SNDVOL32.EXE
C:\WINDOWS\system32\SNDVOL32.EXE
C:\WINDOWS\system32\SNDVOL32.EXE
C:\WINDOWS\system32\SNDVOL32.EXE
C:\WINDOWS\system32\SNDVOL32.EXE
C:\WINDOWS\system32\SNDVOL32.EXE
C:\WINDOWS\system32\SNDVOL32.EXE
C:\WINDOWS\system32\SNDVOL32.EXE
C:\WINDOWS\system32\SNDVOL32.EXE
C:\WINDOWS\system32\SNDVOL32.EXE
C:\WINDOWS\system32\SNDVOL32.EXE
C:\WINDOWS\system32\SNDVOL32.EXE
C:\WINDOWS\system32\SNDVOL32.EXE
C:\WINDOWS\system32\SNDVOL32.EXE
C:\WINDOWS\system32\SNDVOL32.EXE
C:\WINDOWS\system32\SNDVOL32.EXE
C:\WINDOWS\system32\SNDVOL32.EXE
C:\WINDOWS\system32\SNDVOL32.EXE
C:\WINDOWS\system32\SNDVOL32.EXE
C:\WINDOWS\system32\SNDVOL32.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Archivos de programa\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\notepad.exe
C:\Archivos de programa\COMODO\COMODO Internet Security\cfp.exe
C:\Archivos de programa\Lavasoft\Ad-Aware\AAWService.exe
C:\Archivos de programa\Lavasoft\Ad-Aware\AAWTray.exe
C:\WINDOWS\system32\SNDVOL32.EXE
C:\Archivos de programa\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.pagina12.com.ar/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\ARCHIV~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Archivos de programa\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Archivos de programa\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Archivos de programa\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [EW Message Server] msg32.exe
O4 - HKLM\..\Run: [EPSON Stylus CX1500 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I4V1.EXE /P26 "EPSON Stylus CX1500 Series" /O5 "LPT1:" /M "Stylus CX1500"
O4 - HKLM\..\Run: [EPSON Stylus CX1500 Series (Copiar 1)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I4V1.EXE /P37 "EPSON Stylus CX1500 Series (Copiar 1)" /O6 "USB001" /M "Stylus CX1500"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Archivos de programa\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Archivos de programa\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Archivos de programa\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICIO LOCAL')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: ERUNT AutoBackup.lnk = C:\Archivos de programa\ERUNT\AUTOBACK.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk.disabled
O4 - Global Startup: Microsoft Office.lnk = C:\Archivos de programa\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre6\bin\jp2iexp.dll
O9 - Extra 'Tools' menuitem: Consola de Sun Java - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre6\bin\jp2iexp.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\ARCHIV~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\ARCHIV~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O16 - DPF: {8436FE12-31DB-48BF-83BF-FE682F9160B4} -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O20 - AppInit_DLLs: C:\WINDOWS\system32\cssdll32.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Archivos de programa\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Archivos de programa\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Archivos de programa\Ares\chatServer.exe
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing)
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - Unknown owner - C:\ARCHIV~1\AVG\AVG8\avgemc.exe (file missing)
O23 - Service: AVG Free8 WatchDog (avg8wd) - Unknown owner - C:\ARCHIV~1\AVG\AVG8\avgwdsvc.exe (file missing)
O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - Unknown owner - C:\Archivos de programa\COMODO\COMODO Internet Security\cmdagent.exe
O23 - Service: Crypkey License - CrypKey (Canada) Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Archivos de programa\Archivos comunes\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Archivos de programa\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Archivos de programa\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe (file missing)

--
End of file - 7648 bytes

ken545
2009-06-02, 02:52
When you say Avira removed 8 pieces of malware, you're not telling me anything. What did it remove? Were they files, tracking cookies?

Your HJT log is clean, no malware on it.

Remove these with HJT
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - Unknown owner - C:\ARCHIV~1\AVG\AVG8\avgemc.exe (file missing)
O23 - Service: AVG Free8 WatchDog (avg8wd) - Unknown owner - C:\ARCHIV~1\AVG\AVG8\avgwdsvc.exe (file missing)



Please copy (Ctrl+C) and paste (Ctrl+V) the following text in the quote to Notepad.
Save it to your desktop, make sure the file type is All Files and name it FixServices.bat


@echo off
rem Stop, disable and unregister the two orphaned AVG services.
rem sc.exe requires the space after "start=", it is not a typo.
sc config avg8emc start= disabled
sc stop avg8emc
sc delete avg8emc
sc config avg8wd start= disabled
sc stop avg8wd
sc delete avg8wd

Double click FixServices.bat. A window will open and close. This is normal.


Delete this folder
C:\ARCHIV~1\AVG



Please download Malwarebytes' Anti-Malware from Here (http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html) or Here (http://www.besttechie.net/tools/mbam-setup.exe)

Double Click mbam-setup.exe to install the application.

Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select "Perform Quick Scan", then click Scan.
The scan may take some time to finish, so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.<-- Don't forget this
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Copy and Paste the entire report in your next reply along with a New Hijackthis log.
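
The triage above (spot the O23 services HijackThis marks "(file missing)", then stop, disable and delete them with sc.exe) can be scripted. The following Python is an added example written for this page, not code from the thread, from HijackThis or from the helper. It parses the O4, O20 and O23 lines of a HijackThis 2.0.2 log, lists the orphaned services, generates the same sc.exe sequence the helper gave for each of them, and separately lists entries a human should still look at (Run entries that name a bare executable with no path, and AppInit_DLLs). The sample log is a constructed subset of the lines posted above; the "review" items are prompts, not verdicts, since the helper judged this log clean.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample in HijackThis 2.0.2 format: a subset of the O4/O20/O23
# lines from the log posted in the thread, not the complete log.
SAMPLE_HJT_LOG = r'''
O4 - HKLM\..\Run: [EW Message Server] msg32.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Archivos de programa\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O20 - AppInit_DLLs: C:\WINDOWS\system32\cssdll32.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Archivos de programa\Avira\AntiVir Desktop\avguard.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - Unknown owner - C:\ARCHIV~1\AVG\AVG8\avgemc.exe (file missing)
O23 - Service: AVG Free8 WatchDog (avg8wd) - Unknown owner - C:\ARCHIV~1\AVG\AVG8\avgwdsvc.exe (file missing)
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe (file missing)
'''

# O23: "<display name> (<service name>) - <owner> - <binary>[ (file missing)]".
# The display name may itself contain parentheses (see SecuROM above), so the
# service name is the last parenthesised group before " - ".
O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.+) \((?P<name>[^()]+)\) - "
    r"(?P<owner>.+?) - (?P<path>.+?)(?P<missing> \(file missing\))?$"
)
# O4 Run-key entries: "O4 - <hive>\..\Run: [<value name>] <command line>"
O4_RE = re.compile(r"^O4 - (?P<hive>\S+)\\\.\.\\Run: \[(?P<label>[^\]]*)\] (?P<cmd>.+)$")
# O20 AppInit_DLLs: a DLL loaded into every process that links user32.dll
O20_RE = re.compile(r"^O20 - AppInit_DLLs: (?P<path>.+)$")


def first_token(cmd: str) -> str:
    """Executable part of a Run-key command line (quoted path or first token)."""
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    return cmd.split(None, 1)[0]


def parse_hjt(log_text: str) -> List[Dict[str, object]]:
    """Turn the O4/O20/O23 lines of a HijackThis log into structured findings."""
    findings: List[Dict[str, object]] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := O23_RE.match(line):
            findings.append({"kind": "service", "name": m["name"], "owner": m["owner"],
                             "path": m["path"], "file_missing": m["missing"] is not None})
        elif m := O4_RE.match(line):
            exe = first_token(m["cmd"])
            # A bare file name is resolved through the search path at logon.
            findings.append({"kind": "run", "label": m["label"], "command": m["cmd"],
                             "bare_name": "\\" not in exe})
        elif m := O20_RE.match(line):
            findings.append({"kind": "appinit", "path": m["path"]})
    return findings


def orphaned_services(findings: List[Dict[str, object]]) -> List[str]:
    """Services whose binary HJT reports as missing: dead registrations to delete."""
    return [str(f["name"]) for f in findings if f["kind"] == "service" and f["file_missing"]]


def sc_cleanup_commands(service_names: List[str]) -> List[str]:
    """The sc.exe sequence from the helper's FixServices.bat, one per service.
    sc.exe needs the space after 'start=', it is part of its syntax."""
    cmds: List[str] = []
    for name in service_names:
        cmds += [f"sc config {name} start= disabled", f"sc stop {name}", f"sc delete {name}"]
    return cmds


def review_items(findings: List[Dict[str, object]]) -> List[Tuple[str, str]]:
    """Entries worth a second look by a human; these are prompts, not verdicts."""
    items: List[Tuple[str, str]] = []
    for f in findings:
        if f["kind"] == "run" and f["bare_name"]:
            items.append(("Run entry without a full path (resolved via search path)", str(f["command"])))
        elif f["kind"] == "appinit":
            items.append(("AppInit_DLLs entry (loaded into every user32 process)", str(f["path"])))
    return items


if __name__ == "__main__":
    found = parse_hjt(SAMPLE_HJT_LOG)
    print("orphaned services:", orphaned_services(found))
    print("\n".join(sc_cleanup_commands(orphaned_services(found))))
    for reason, detail in review_items(found):
        print(f"review: {reason}: {detail}")
```

Feed it a full HijackThis log instead of the sample and the O23 pass gives you the FixServices.bat body directly; the review list is deliberately separate so that removing dead services never gets mixed up with deciding whether msg32.exe or cssdll32.dll are legitimate.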

Latrodectus
2009-06-02, 06:55
I eliminated those files and I did the FixServices.bat operation, and everything was OK, but I couldn't find this folder: C:\ARCHIV~1\AVG; it just isn't there.



Here is the report of the malware found by Avira:


Exported events:

01/06/2009 14:43 [Scanner] Malware found
The file
'C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\ovfsthxtpkbmqrm.sys.vir'
contained a virus or unwanted program 'TR/Dropper.Gen' [trojan]
Action(s) taken:
An error has occurred and the file was not deleted. ErrorID: 26004.
The source file could not be found.
Attempting to perform action using the ARK library.
Error in ARK library.
The file is scheduled for deleting after reboot.

01/06/2009 14:43 [Scanner] Scan
Scan ended [The scan has been done completely.].
Number of files: 283009
Number of folders: 6662
Number of malware: 8
Number of errors: 10

01/06/2009 14:43 [Scanner] Malware found
The file 'C:\Qoobox\Quarantine\C\WINDOWS\system32\ovfsthxymdbnpil.dll.vir'
contained a virus or unwanted program 'TR/Crypt.ZPACK.Gen' [trojan]
Action(s) taken:
An error has occurred and the file was not deleted. ErrorID: 26004.
The source file could not be found.
Attempting to perform action using the ARK library.
Error in ARK library.
The file is scheduled for deleting after reboot.

01/06/2009 14:42 [Scanner] Malware found
The file 'C:\Qoobox\Quarantine\C\WINDOWS\system32\ovfsthxkogmedvg.dll.vir'
contained a virus or unwanted program 'TR/Crypt.ZPACK.Gen' [trojan]
Action(s) taken:
An error has occurred and the file was not deleted. ErrorID: 26004.
The source file could not be found.
Attempting to perform action using the ARK library.
Error in ARK library.
The file is scheduled for deleting after reboot.

01/06/2009 14:42 [Scanner] Malware found
The file 'C:\Qoobox\Quarantine\C\WINDOWS\system32\ovfsthxftjcbfoo.dll.vir'
contained a virus or unwanted program 'TR/TDss.GG' [trojan]
Action(s) taken:
An error has occurred and the file was not deleted. ErrorID: 26004.
The source file could not be found.
Attempting to perform action using the ARK library.
Error in ARK library.
The file is scheduled for deleting after reboot.

01/06/2009 14:42 [Scanner] Malware found
The file 'C:\System Volume
Information\_restore{5950D50D-200B-4DB6-B90D-3AD995F33F63}\RP910\A0126332.dll'
contained a virus or unwanted program 'TR/Crypt.ZPACK.Gen' [trojan]
Action(s) taken:
An error has occurred and the file was not deleted. ErrorID: 26004.
The source file could not be found.
Attempting to perform action using the ARK library.
Error in ARK library.
The file is scheduled for deleting after reboot.

01/06/2009 14:41 [Scanner] Malware found
The file 'C:\System Volume
Information\_restore{5950D50D-200B-4DB6-B90D-3AD995F33F63}\RP910\A0126331.dll'
contained a virus or unwanted program 'TR/Crypt.ZPACK.Gen' [trojan]
Action(s) taken:
An error has occurred and the file was not deleted. ErrorID: 26004.
The source file could not be found.
Attempting to perform action using the ARK library.
Error in ARK library.
The file is scheduled for deleting after reboot.

01/06/2009 14:38 [Scanner] Malware found
The file 'C:\System Volume
Information\_restore{5950D50D-200B-4DB6-B90D-3AD995F33F63}\RP910\A0126330.dll'
contained a virus or unwanted program 'TR/TDss.GG' [trojan]
Action(s) taken:
An error has occurred and the file was not deleted. ErrorID: 26004.
The source file could not be found.
Attempting to perform action using the ARK library.
Error in ARK library.
The file is scheduled for deleting after reboot.

01/06/2009 14:38 [Scanner] Malware found
The file 'C:\System Volume
Information\_restore{5950D50D-200B-4DB6-B90D-3AD995F33F63}\RP910\A0126328.sys'
contained a virus or unwanted program 'TR/Dropper.Gen' [trojan]
Action(s) taken:
An error has occurred and the file was not deleted. ErrorID: 26004.
The source file could not be found.
Attempting to perform action using the ARK library.
Error in ARK library.
The file is scheduled for deleting after reboot.

01/06/2009 14:37 [Scanner] Malware found
The file 'C:\System Volume
Information\_restore{5950D50D-200B-4DB6-B90D-3AD995F33F63}\RP910\A0126331.dll'
contained a virus or unwanted program 'TR/Crypt.ZPACK.Gen' [trojan]
Action(s) taken:
The file was moved to '4bf48c57.qua'!

01/06/2009 14:37 [Scanner] Malware found
The file 'C:\System Volume
Information\_restore{5950D50D-200B-4DB6-B90D-3AD995F33F63}\RP910\A0126332.dll'
contained a virus or unwanted program 'TR/Crypt.ZPACK.Gen' [trojan]
Action(s) taken:
The file was moved to '4bc86d37.qua'!

01/06/2009 14:37 [Scanner] Malware found
The file 'C:\System Volume
Information\_restore{5950D50D-200B-4DB6-B90D-3AD995F33F63}\RP910\A0126328.sys'
contained a virus or unwanted program 'TR/Dropper.Gen' [trojan]
Action(s) taken:
The file was moved to '4a55120e.qua'!

01/06/2009 14:37 [Scanner] Malware found
The file 'C:\System Volume
Information\_restore{5950D50D-200B-4DB6-B90D-3AD995F33F63}\RP910\A0126330.dll'
contained a virus or unwanted program 'TR/TDss.GG' [trojan]
Action(s) taken:
The file was moved to '4bf5849f.qua'!

01/06/2009 14:37 [Scanner] Malware found
The file 'C:\Qoobox\Quarantine\C\WINDOWS\system32\ovfsthxftjcbfoo.dll.vir'
contained a virus or unwanted program 'TR/TDss.GG' [trojan]
Action(s) taken:
The file was moved to '4a8a1254.qua'!

01/06/2009 14:37 [Scanner] Malware found
The file
'C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\ovfsthxtpkbmqrm.sys.vir'
contained a virus or unwanted program 'TR/Dropper.Gen' [trojan]
Action(s) taken:
The file was moved to '494af0a5.qua'!

01/06/2009 14:37 [Scanner] Scan
Scan ended [The scan has been done completely.].
Number of files: 283211
Number of folders: 6663
Number of malware: 8
Number of errors: 2

01/06/2009 14:37 [Scanner] Malware found
The file 'C:\Qoobox\Quarantine\C\WINDOWS\system32\ovfsthxkogmedvg.dll.vir'
contained a virus or unwanted program 'TR/Crypt.ZPACK.Gen' [trojan]
Action(s) taken:
The file was moved to '4b1075b5.qua'!

01/06/2009 14:37 [Scanner] Malware found
The file 'C:\Qoobox\Quarantine\C\WINDOWS\system32\ovfsthxymdbnpil.dll.vir'
contained a virus or unwanted program 'TR/Crypt.ZPACK.Gen' [trojan]
Action(s) taken:
The file was moved to '4b166525.qua'!



Here is the report by Malwarebytes:


Malwarebytes' Anti-Malware 1.37
Database version: 2211
Windows 5.1.2600 Service Pack 2

02/06/2009 12:31:53 a.m.
mbam-log-2009-06-02 (00-31-53).txt

Scan type: Quick Scan
Objects scanned: 88921
Time elapsed: 5 minute(s), 53 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 4
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\slidershow.slidershowctrl (Adware.LuckyTender) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\slidershow.slidershowctrl.1 (Adware.LuckyTender) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{3794345d-c731-4fbb-8471-73ddc8dffdd2} (Adware.LuckyTender) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\2062c6b9-9015-34e4-2f08-63dae0dcf2d0 (Adware.Adrotator) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\WINDOWS\system32\2062c6b9-9015-34e4-2f08-63dae0dcf2d0.exe (Adware.Adrotator) -> Quarantined and deleted successfully.



And finally here is the HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:54:45 a.m., on 02/06/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Archivos de programa\COMODO\COMODO Internet Security\cmdagent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Archivos de programa\Avira\AntiVir Desktop\sched.exe
C:\Archivos de programa\Avira\AntiVir Desktop\avguard.exe
C:\WINDOWS\system32\msg32.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I4V1.EXE
C:\Archivos de programa\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Archivos de programa\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\crypserv.exe
C:\Archivos de programa\Java\jre6\bin\jqs.exe
C:\Archivos de programa\Archivos comunes\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Archivos de programa\Mozilla Firefox\firefox.exe
C:\Archivos de programa\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.pagina12.com.ar/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\ARCHIV~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Archivos de programa\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Archivos de programa\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Archivos de programa\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [EW Message Server] msg32.exe
O4 - HKLM\..\Run: [EPSON Stylus CX1500 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I4V1.EXE /P26 "EPSON Stylus CX1500 Series" /O5 "LPT1:" /M "Stylus CX1500"
O4 - HKLM\..\Run: [EPSON Stylus CX1500 Series (Copiar 1)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I4V1.EXE /P37 "EPSON Stylus CX1500 Series (Copiar 1)" /O6 "USB001" /M "Stylus CX1500"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Archivos de programa\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Archivos de programa\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Archivos de programa\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICIO LOCAL')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: ERUNT AutoBackup.lnk = C:\Archivos de programa\ERUNT\AUTOBACK.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk.disabled
O4 - Global Startup: Microsoft Office.lnk = C:\Archivos de programa\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre6\bin\jp2iexp.dll
O9 - Extra 'Tools' menuitem: Consola de Sun Java - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre6\bin\jp2iexp.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\ARCHIV~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\ARCHIV~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O16 - DPF: {8436FE12-31DB-48BF-83BF-FE682F9160B4} -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O20 - AppInit_DLLs: C:\WINDOWS\system32\cssdll32.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Archivos de programa\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Archivos de programa\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Archivos de programa\Ares\chatServer.exe
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing)
O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - Unknown owner - C:\Archivos de programa\COMODO\COMODO Internet Security\cmdagent.exe
O23 - Service: Crypkey License - CrypKey (Canada) Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Archivos de programa\Archivos comunes\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Archivos de programa\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Archivos de programa\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe (file missing)

--
End of file - 6369 bytes

ken545
2009-06-02, 11:18
Latrodectus,

That folder may be gone; you said that you deleted it in the past, and the rest of AVG is gone also, so you should be OK.

C:\Qoobox\Quarantine <--- What Avira found were the backups from running Combofix; these will be flushed out when we're done.

C:\System Volume Information\_restore{ <-- These are all entries in your Windows System Restore program; they're harmless unless you use the program to restore your system to an earlier date, but we're going to flush them all out now.

System Restore makes regular backups of all your settings; if you ever had to use this program to restore your system to a previous date, you will be infected all over again, so we need to clean out the previous Restore Points.

Turn off System Restore.


Right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore on all Drives.
Click Apply, and then click OK.


Reboot your computer

Turn ON System Restore.


Right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check Turn off System Restore on all Drives.
Click Apply, and then click OK.


Create a new Restore Point <-- Very Important


Go to Start > All Programs > Accessories > System Tools > System Restore and create a New Restore Point

System Restore Tutorial (http://www.bleepingcomputer.com/tutorials/tutorial56.html) <-- If you need it


Everything else looks fine, how are things running now??
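
The distinction the helper draws above (detections under C:\Qoobox\Quarantine are ComboFix backups, detections under System Volume Information\_restore are restore points, and only a hit at a live path needs action) is the first sorting step when reading an Avira event export. The Python below is an added example written for this page, not code from Avira or from the helper. It parses the multi-line "Exported events" format posted earlier (including the wrapped path lines), drops the "Scan ended" summaries, records whether each file was quarantined or only scheduled for deletion after reboot, and buckets unique paths by location. The sample is constructed from three events copied from the thread plus one invented event (a hypothetical live copy of the driver at its original system32 path, with a made-up .qua name) so that the live bucket is exercised.

```python
import re
from collections import Counter
from typing import Dict, List

# Constructed sample in the Avira "Exported events" format. Events 1-3 are
# copied from the thread; the 14:30 event is hypothetical and not in the log.
SAMPLE_AVIRA_EXPORT = r"""
Exported events:

01/06/2009 14:43 [Scanner] Malware found
The file
'C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\ovfsthxtpkbmqrm.sys.vir'
contained a virus or unwanted program 'TR/Dropper.Gen' [trojan]
Action(s) taken:
An error has occurred and the file was not deleted. ErrorID: 26004.
The source file could not be found.
Attempting to perform action using the ARK library.
Error in ARK library.
The file is scheduled for deleting after reboot.

01/06/2009 14:43 [Scanner] Scan
Scan ended [The scan has been done completely.].
Number of files: 283009
Number of folders: 6662
Number of malware: 8
Number of errors: 10

01/06/2009 14:37 [Scanner] Malware found
The file 'C:\System Volume
Information\_restore{5950D50D-200B-4DB6-B90D-3AD995F33F63}\RP910\A0126328.sys'
contained a virus or unwanted program 'TR/Dropper.Gen' [trojan]
Action(s) taken:
The file was moved to '4a55120e.qua'!

01/06/2009 14:37 [Scanner] Malware found
The file
'C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\ovfsthxtpkbmqrm.sys.vir'
contained a virus or unwanted program 'TR/Dropper.Gen' [trojan]
Action(s) taken:
The file was moved to '494af0a5.qua'!

01/06/2009 14:30 [Scanner] Malware found
The file 'C:\WINDOWS\system32\drivers\ovfsthxtpkbmqrm.sys'
contained a virus or unwanted program 'TR/Dropper.Gen' [trojan]
Action(s) taken:
The file was moved to '00000000.qua'!
"""

# Matched against one event flattened onto a single line (the export wraps
# long lines at a space, so rejoining with a space restores the path).
EVENT_RE = re.compile(
    r"^(?P<stamp>\d{2}/\d{2}/\d{4} \d{2}:\d{2}) \[Scanner\] Malware found "
    r"The file '(?P<path>[^']+)' contained a virus or unwanted program "
    r"'(?P<sig>[^']+)' \[(?P<kind>[^\]]+)\] Action\(s\) taken: (?P<action>.+)$"
)


def classify(path: str) -> str:
    """Where the detected file lives, which decides whether anything is needed."""
    p = path.lower()
    if "\\qoobox\\quarantine\\" in p:
        return "combofix-backup"   # inert; removed by "Combofix /u"
    if "\\system volume information\\_restore" in p:
        return "restore-point"     # inert until restored; flush System Restore
    return "live"                  # an active file: needs real attention


def action_status(action: str) -> str:
    """Whether Avira actually quarantined the file or only deferred it."""
    if "was moved to" in action:
        return "quarantined"
    if "scheduled for deleting after reboot" in action:
        return "deferred"
    return "other"


def parse_avira_export(text: str) -> List[Dict[str, str]]:
    """Split the export on blank lines and keep only 'Malware found' events."""
    events: List[Dict[str, str]] = []
    for block in re.split(r"\n\s*\n", text.strip()):
        flat = " ".join(ln.strip() for ln in block.splitlines() if ln.strip())
        m = EVENT_RE.match(flat)
        if not m:
            continue  # "Exported events:" header and "Scan ended" summaries
        events.append({"stamp": m["stamp"], "path": m["path"], "signature": m["sig"],
                       "status": action_status(m["action"]), "location": classify(m["path"])})
    return events


def triage(events: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Unique paths per location, so a file the scanner lists twice counts once."""
    buckets: Dict[str, List[str]] = {"live": [], "combofix-backup": [], "restore-point": []}
    for ev in events:
        if ev["path"] not in buckets[ev["location"]]:
            buckets[ev["location"]].append(ev["path"])
    return buckets


def signature_counts(events: List[Dict[str, str]]) -> Dict[str, int]:
    return dict(Counter(ev["signature"] for ev in events))


if __name__ == "__main__":
    evs = parse_avira_export(SAMPLE_AVIRA_EXPORT)
    for location, paths in triage(evs).items():
        print(f"{location}: {len(paths)} file(s)")
        for p in paths:
            print("   ", p)
    print("signatures:", signature_counts(evs))
```

On the real report above every path falls into the two inert buckets, which is exactly why the helper called the log clean: the 14:43 "could not be found" errors are the scanner re-reporting files it had already moved at 14:37, not new infections.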

Latrodectus
2009-06-02, 18:36
Everything looks just fine thanks to you. I want to have a baby with you, will you marry me? And by the way... Should I uninstall Ad-Aware too? Because I thought it was an antispyware program, but it is a whole antivirus. Tell me WHAT antivirus and antimalware I should have on my computer, please!

ken545
2009-06-02, 19:20
Hello,

Glad all is well :bigthumb: I appreciate your offer :laugh:

You should never have more than one antivirus program and one firewall installed; more would be overkill and can cause problems. You have Avira AntiVir and the Comodo firewall, so you're fine with those.

Ad-Aware is a fine program; it's not a virus, so you can keep it. You also have Spybot Search and Destroy installed, and that is another great program, so keep both of these.

Malwarebytes is another great program so I would keep it, run it every few weeks, check for updates and run the scan.

This will clean you up, it will remove Combofix and the Qoobox folder.


ATF Cleaner <-- Yours to keep, run it now and then to clean out the clutter.

Combofix <--- Is not a general cleaning tool. Just run it with supervision or you can bork your system.


Click START then RUN
Now type Combofix /u in the runbox and click OK. Note the space between the X and the U, it needs to be there.


http://i189.photobucket.com/albums/z176/EPL47/CF_Cleanup.png


When shown the disclaimer, Select "2"

The above procedure will:

Delete the following:
ComboFix and its associated files and folders.
VundoFix backups, if present
The C:\Deckard folder, if present
The C:\_OtMoveIt folder, if present
Reset the clock settings.
Hide file extensions, if required.
Hide System/Hidden files, if required.
Reset System Restore.



How did I get infected in the first place ?
Read these links and find out how to prevent getting infected again.
Tutorial for System Restore (http://www.bleepingcomputer.com/tutorials/tutorial56.html) <-- Do this first to prevent yourself from being reinfected.
WhatTheTech (http://forums.whatthetech.com/So_how_did_I_get_infected_in_the_first_place_t57817.html)
Grinler BleepingComputer (http://www.bleepingcomputer.com/forums/topic2520.html)
Geeks To Go (http://www.geekstogo.com/forum/index.php?autocom=custom&page=How_did_I)
Dslreports (http://www.dslreports.com/faq/10002)





Keep in mind, if you install some of these programs, that only ONE Anti Virus and only ONE Firewall is recommended; more is overkill and can cause you problems. You can install all the Spyware programs I have listed without any problems. If you install Spyware Blaster and Spyware Guard, they will conflict with the TeaTimer in Spybot; you can still install Spybot Search and Destroy but do not enable the TeaTimer.


Here are some free programs to install, all highly regarded by the fine people in the Malware Removal Community.

Spybot Search and Destroy 1.6 (http://www.safer-networking.org/en/download/)
Check for Updates/ Immunize and run a Full System Scan on a regular basis. If you install Spyware Blaster ( Recommended ) then do not enable the TeaTimer in Spybot Search and Destroy.

Spyware Blaster (http://www.javacoolsoftware.com/spywareblaster.html) It will prevent most spyware from ever being installed. No scan to run, just update about once a week and enable all protection.

Spyware Guard (http://www.javacoolsoftware.com/spywareguard.html) It offers realtime protection from spyware installation attempts, again, no scan to run, just install it and let it do its thing.

IE-Spyad (http://www.pcworld.com/downloads/file/fid,23332-order,1-page,1-c,antispywaretools/description.html)
IE-Spyad places over 6000 web sites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (cookies etc) from the sites listed, although you will still be able to connect to the sites.

Firefox 3 (http://www.mozilla.org/products/firefox/) It has more features and is a lot more secure than IE. It is a very easy and painless download and install; it will in no way interfere with IE, you can use them both.



Safe Surfn
Ken

Latrodectus
2009-06-03, 02:11
Little detail: and where do I get ATF Cleaner? Thank you for everything. :alien:

ken545
2009-06-03, 02:39
Sorry, with all the programs we ran I forgot to add this. This is a great free tool that cleans out your temp files and Temporary Internet Files that tend to clog up a system. You should run this tool every few weeks or so to keep your system running nice and smooth.


Please download ATF Cleaner (http://www.atribune.org/ccount/click.php?id=1) by Atribune to your desktop.

Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

Your system may start up slower after running ATF Cleaner; this is expected, but it will be back to normal after the first or second boot up.
Please note: If you use online banking or are registered online with any other organizations, ensure you have memorized your passwords and other personal information, as removing cookies will temporarily disable the auto-login facility.


Take care,

ken :)

ken545
2009-06-08, 03:29
Since this issue appears to be resolved ... this Topic has been closed. Glad I could help.