Hi, there!
I was googling for a good free av program and went to a fake webpage that installed automatically this so-called "Total Security". Since this happened, the system started to behave erratically: sometimes no executable runs (not even the Notepad), sometimes they do; there are tons of pop-ups, balloons with security warnings, and "Total Security" opens time to time for "system scans". The desktop wallpaper was replaced by a charming text "warning" that i'm "in danger" because my "computer is infected with spyware!"...
I dowloaded HJT and created a log int the Safe Mode. Can you help me? Thanks in advance.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 00:07:00, on 27/8/2001
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Boot mode: Safe mode

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Arquivos de programas\Le Robert\Le Petit Robert\prhyper.exe
C:\Documents and Settings\WindowsXP\Desktop\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = &http://home.microsoft.com/intl/br/access/allinone.asp
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
O2 - BHO: &iG - {7EEF1E3D-FD97-4401-BCDB-5827F2D11709} - C:\ARQUIV~1\IG\igshop.dll (file missing)
O3 - Toolbar: &Rádio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &iG - {7EEF1E3D-FD97-4401-BCDB-5827F2D11709} - C:\ARQUIV~1\IG\igshop.dll (file missing)
O4 - HKLM\..\Run: [Eac_Download] C:\Arquivos de programas\Arquivos comuns\eAcceleration\download.exe -k
O4 - HKLM\..\Run: [Sysres] C:\ARQUIV~1\NORTON~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [regtmlp] C:\ARQUIV~1\NORTON~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Arquivos de programas\Winamp3\winampa.exe"
O4 - HKLM\..\Run: [KAZAA] C:\Arquivos de programas\Kazaa\kazaa.exe /SYSTRAY
O4 - HKLM\..\Run: [HotVideo_br] c:\program files\dialers\hotvideo_br\hotvideo_br.exe /noconnect
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [odby] C:\WINDOWS\odb.exe
O4 - HKLM\..\Run: [netc] C:\WINDOWS\svc.exe
O4 - HKLM\..\Run: [lsass] C:\WINDOWS\lsass.exe
O4 - HKLM\..\Run: [UpdateWin] C:\WINDOWS\System32\2052t.exe
O4 - HKLM\..\Run: [13843124] C:\Documents and Settings\All Users\Dados de aplicativos\13843124\13843124.exe
O4 - HKLM\..\RunServices: [UpdateWin] C:\WINDOWS\System32\2052t.exe
O4 - HKLM\..\RunOnce: [DELDIR0.EXE] "C:\DOCUME~1\WINDOW~1\CONFIG~1\Temp\DELDIR0.EXE" "C:\Arquivos de programas\McAfee\McAfee Shared Components\Guardian\"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [UltraDiscador iBest] "C:\Arquivos de programas\UltraDiscador iBest\autoupdate.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Arquivos de programas\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Le Petit Robert Hyperappel] C:\Arquivos de programas\Le Robert\Le Petit Robert\prhyper.exe
O4 - HKCU\..\Run: [UpdateWin] C:\WINDOWS\System32\2052t.exe
O4 - HKCU\..\RunServices: [UpdateWin] C:\WINDOWS\System32\2052t.exe
O4 - HKUS\S-1-5-21-1202660629-1708537768-2146889571-1003\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe (User '?')
O4 - HKUS\S-1-5-21-1202660629-1708537768-2146889571-1003\..\Run: [UltraDiscador iBest] "C:\Arquivos de programas\UltraDiscador iBest\autoupdate.exe" (User '?')
O4 - HKUS\S-1-5-21-1202660629-1708537768-2146889571-1003\..\Run: [MSMSGS] "C:\Arquivos de programas\Messenger\msmsgs.exe" /background (User '?')
O4 - HKUS\S-1-5-21-1202660629-1708537768-2146889571-1003\..\Run: [Le Petit Robert Hyperappel] C:\Arquivos de programas\Le Robert\Le Petit Robert\prhyper.exe (User '?')
O4 - HKUS\S-1-5-21-1202660629-1708537768-2146889571-1003\..\Run: [UpdateWin] C:\WINDOWS\System32\2052t.exe (User '?')
O4 - HKUS\S-1-5-21-1202660629-1708537768-2146889571-1003\..\RunServices: [UpdateWin] C:\WINDOWS\System32\2052t.exe (User '?')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User '?')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Arquivos de programas\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: EPSON Status Monitor 3 Environment Check.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV03.EXE
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\MSMSGS.EXE
O9 - Extra button: Barra do iG - {FD1672E0-AE0D-465B-B345-F7B0944A121D} - C:\ARQUIV~1\IG\igshop.dll (file missing)
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp

--
End of file - 4629 bytes

Please note that all instructions given are customised for this computer only,
the tools used may cause damage if used on a computer with different infections.

If you think you have similar problems, please post a log in the HJT forum and wait for help.

Hello and welcome to the forums

My name is Katana and I will be helping you to remove any infection(s) that you may have.

Please observe these rules while we work:
Please Read All Instructions Carefully
If you don't understand something, stop and ask! Don't keep going on.
Please do not run any other tools or scans whilst I am helping you
Failure to reply within 5 days will result in the topic being closed.
Please continue to respond until I give you the "All Clear"
(Just because you can't see a problem doesn't mean it isn't there)

If you can do those few things, everything should go smoothly http://www.countingcows.de/laechel.gif

Some of the logs I request will be quite large, You may need to split them over a couple of replies.

Please Note, your security programs may give warnings for some of the tools I will ask you to use.
Be assured, any links I give are safe
----------------------------------------------------------------------------------------

Your log shows quite a high level of infection, which Antivirus are you using ?



Platform: Windows XP (WinNT 5.01.2600)
Is there a reason that you have never updated XP ?


Please run the MGA Diagnostic Tool and post back the report it creates:
Download MGADiag (http://go.microsoft.com/fwlink/?linkid=56062) to your desktop.
Double-click on MGADiag.exe to launch the program
Click "Continue"
Ensure that the "Windows" tab is selected (it should be by default).
Click the "Copy" button to copy the MGA Diagnostic Report to the Windows clipboard.
Paste the MGA Diagnostic Report back here in your next reply.



Download and Run RSIT

Please download Random's System Information Tool by random/random from here (http://images.malwareremoval.com/random/RSIT.exe) and save it to your desktop.
Double click on RSIT.exe to run RSIT.
Click Continue at the disclaimer screen.
Once it has finished, two logs will open:

log.txt will be opened maximized.
info.txt will be opened minimized.

Please post the contents of both log.txt and info.txt.
( They can also be found in the C:\RSIT folder )

Due to inactivity, this thread will now be closed.

Note:If it has been four days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

If it has been less than four days since your last response and you need the thread re-opened, please send me or MOD a private message (pm). A valid, working link to the closed topic is required.