Problems removing Win32.TDSS.rtk and other malware

Status
Not open for further replies.
L

Latrodectus

New member
Hi, I write to you because my MSN Messenger has been shutting down and sending compulsivelly some kind of malware to all my contacts. Plus my Internet Explorer and Firefox have been working terribly, especially Internet Explorer. I have ESET's free trial, Lavasoft's Ad-Aware free edition and Spybot Search & Destroy, they all have found and cleaned different malware, but only Spybot recognizes "Win32.TDSS.rtk", detailed as

Win32.TDSS.rtk: [SBI $DB1744B9] File (Archivo, nothing done)
C:\WINDOWS\system32\drivers\ovfsthxtpkbmqrm.sys
Properties.size=0
Properties.md5=16E1C9E1417E38B4A6EC73C8C3C19240

Win32.TDSS.rtk: [SBI $531954CE] File (Archivo, nothing done)
C:\WINDOWS\system32\ovfsthxeroprvvp.dat
Properties.size=0
Properties.md5=DEBFCCA461C0A48D56C24902798A56DE


--- Spybot - Search & Destroy version: 1.6.2 (build: 20090126) ---

2007-05-25 unins000.exe (51.41.0.0)
2008-01-28 SDDelFile.exe (1.0.2.4)
2008-08-14 SDWinSec.exe (1.0.0.12)
2009-03-05 TeaTimer.exe (1.6.6.32)
2009-01-26 blindman.exe (1.0.0.8)
2009-01-26 SDMain.exe (1.0.0.6)
2009-01-26 Update.exe (1.6.0.7)
2009-01-26 SDShred.exe (1.0.2.5)
2009-01-26 SDFiles.exe (1.6.1.7)
2009-01-26 SDUpdate.exe (1.6.0.12)
2009-01-26 SpybotSD.exe (1.6.2.46)
2009-04-19 unins001.exe (51.49.0.0)
2005-05-31 borlndmm.dll (7.0.4.453)
2005-05-31 delphimm.dll (7.0.4.453)
2005-05-31 UnzDll.dll (1.73.1.1)
2005-05-31 ZipDll.dll (1.73.2.0)
2007-04-02 aports.dll (2.1.0.0)
2008-06-14 DelZip179.dll (1.79.11.1)
2008-06-19 sqlite3.dll
2009-01-26 advcheck.dll (1.6.2.15)
2009-01-16 UninsSrv.dll (1.0.0.0)
2009-01-26 SDHelper.dll (1.6.2.14)
2009-01-26 Tools.dll (2.1.6.10)
2004-11-29 Includes\LSP.sbi (*)
2009-03-25 Includes\PUPS.sbi (*)
2009-01-13 Includes\Security.sbi (*)
2009-05-06 Includes\Keyloggers.sbi (*)
2009-05-12 Includes\Malware.sbi (*)
2009-05-12 Includes\Trojans.sbi (*)
2009-05-19 Includes\Dialer.sbi (*)
2008-06-03 Includes\Spybots.sbi (*)
2009-04-07 Includes\Spyware.sbi (*)
2009-05-19 Includes\Adware.sbi (*)
2009-05-26 Includes\Hijackers.sbi (*)
2009-01-22 Includes\Cookies.sbi (*)
2009-01-22 Includes\Revision.sbi (*)
2009-04-07 Includes\Tracks.uti
2009-05-26 Includes\TrojansC.sbi (*)
2008-06-03 Includes\SpybotsC.sbi (*)
2009-05-26 Includes\SecurityC.sbi (*)
2009-05-26 Includes\PUPSC.sbi (*)
2009-05-26 Includes\MalwareC.sbi (*)
2009-05-26 Includes\KeyloggersC.sbi (*)
2009-05-26 Includes\HijackersC.sbi (*)
2009-05-26 Includes\DialerC.sbi (*)
2009-01-22 Includes\HeavyDuty.sbi (*)
2009-05-26 Includes\AdwareC.sbi (*)
2009-05-26 Includes\SpywareC.sbi (*)
2007-12-24 Plugins\TCPIPAddress.dll
2008-03-04 Plugins\Chai.dll
2008-03-05 Plugins\Fennel.dll
2008-02-26 Plugins\Mate.dll


Spybot supposedly eliminates it, but then I check the system again and the malware is still there -and my MSN keeps shutting down and sending the link to my contacts-. It's also frequent that a malware called "Virtumonde.sci" appear in the list, despite my antivirus and antispyware! And I don't want to think how many unrecognized malware I have. I would appreciate very much if you recommended a good combination of antivirus + firewall + antispyware, because I really don't know which are GOOD and work well together. Oh, and they must be freeware, due to my financial situation is pretty delicate. Thank you very much for your time, and I'm looking forward to hearing from you. Ah! Just in case I paste you the result of HiJackThis -I already saved the registry with ERUNT-:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 01:27:37 p.m., on 29/05/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Archivos de programa\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\crypserv.exe
C:\Archivos de programa\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Archivos de programa\Java\jre6\bin\jqs.exe
C:\Archivos de programa\Archivos comunes\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\system32\svchost.exe
C:\ARCHIV~1\LAVASOFT\AD-AWA~1\Ad-Watch.exe
C:\WINDOWS\system32\msg32.exe
C:\Archivos de programa\Java\jre6\bin\jusched.exe
C:\Archivos de programa\ESET\ESET NOD32 Antivirus\egui.exe
C:\Archivos de programa\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Archivos de programa\Lavasoft\Ad-Aware\AAWTray.exe
C:\Archivos de programa\Mozilla Firefox\firefox.exe
C:\Archivos de programa\Google\Gmail Notifier\gnotify.exe
C:\Archivos de programa\Opera\opera.exe
C:\Archivos de programa\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.pagina12.com.ar/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
O2 - BHO: (no name) - {00802B89-BE50-47A6-833D-ECD330BB73A7} - C:\WINDOWS\system32\nwapi16d.dll (file missing)
O2 - BHO: (no name) - {2CAD3E0B-045B-41C8-8C35-34298F279365} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\ARCHIV~1\SPYBOT~1\SDHelper.dll
O2 - BHO: LuckyTender - {5E2402A0-5F99-4188-B30D-D8743996B340} - C:\Archivos de programa\LuckyTender\1.3.1\LuckyTender.dll (file missing)
O2 - BHO: (no name) - {68866312-bd50-4056-b439-26a821a2b770} - C:\WINDOWS\system32\furihepi.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Archivos de programa\Java\jre6\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: precisead - {83267afa-c1c3-0ae2-5b51-ceab693a8517} - C:\WINDOWS\system32\nsnCC83.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\ARCHIV~1\AVG\AVG8\AVGTOO~1.DLL (file missing)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Archivos de programa\Norton SystemWorks\Norton Antivirus\NavShExt.dll (file missing)
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Archivos de programa\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Archivos de programa\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: (no name) - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Archivos de programa\Norton SystemWorks\Norton Antivirus\NavShExt.dll (file missing)
O4 - HKLM\..\Run: [AWMON] "C:\ARCHIV~1\LAVASOFT\AD-AWA~1\Ad-Watch.exe"
O4 - HKLM\..\Run: [EW Message Server] msg32.exe
O4 - HKLM\..\Run: [EPSON Stylus CX1500 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I4V1.EXE /P26 "EPSON Stylus CX1500 Series" /O5 "LPT1:" /M "Stylus CX1500"
O4 - HKLM\..\Run: [EPSON Stylus CX1500 Series (Copiar 1)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I4V1.EXE /P37 "EPSON Stylus CX1500 Series (Copiar 1)" /O6 "USB001" /M "Stylus CX1500"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\ARCHIV~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Archivos de programa\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Archivos de programa\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Windows Logon Applicationedc] C:\Documents and Settings\Usuario\winlogon.exe
O4 - HKLM\..\Run: [egui] "C:\Archivos de programa\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Archivos de programa\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [adware_free_soft] C:\WINDOWS\promofreesoft.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICIO LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Servicio de red')
O4 - HKUS\S-1-5-21-725345543-1979792683-2147208981-500\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'Administrador')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: ERUNT AutoBackup.lnk = C:\Archivos de programa\ERUNT\AUTOBACK.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk.disabled
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre6\bin\jp2iexp.dll
O9 - Extra 'Tools' menuitem: Consola de Sun Java - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre6\bin\jp2iexp.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\ARCHIV~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\ARCHIV~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O16 - DPF: {512FC5A1-7DE1-43F1-BC0C-371622FCB409} (TotalScan Installer Class) - http://www.nanoscan.com/as/v1/cabs/ascstubie.cab
O16 - DPF: {8436FE12-31DB-48BF-83BF-FE682F9160B4} -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Archivos de programa\AVG\AVG8\avgpp.dll (file missing)
O20 - AppInit_DLLs: C:\WINDOWS\system32\levunana.dll c:\windows\system32\,c:\progra~1\ThunMail\testabd.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - (no file)
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Archivos de programa\Ares\chatServer.exe
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing)
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - Unknown owner - C:\ARCHIV~1\AVG\AVG8\avgemc.exe (file missing)
O23 - Service: AVG Free8 WatchDog (avg8wd) - Unknown owner - C:\ARCHIV~1\AVG\AVG8\avgwdsvc.exe (file missing)
O23 - Service: Crypkey License - CrypKey (Canada) Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Archivos de programa\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Archivos de programa\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Archivos de programa\Archivos comunes\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Archivos de programa\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Archivos de programa\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: Servicio Auto-Protect de Norton AntiVirus (navapsvc) - Unknown owner - C:\Archivos de programa\Norton SystemWorks\Norton Antivirus\navapsvc.exe (file missing)
O23 - Service: SAVScan - Unknown owner - C:\Archivos de programa\Norton SystemWorks\Norton Antivirus\SAVScan.exe (file missing)
O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Unknown owner - C:\Archivos de programa\Archivos comunes\Symantec Shared\SNDSrvc.exe (file missing)
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe (file missing)

--
End of file - 9142 bytes
 
Hello Latrodectus

Welcome to Safer Networking.

Please read Before You Post
That said, All advice given by anyone volunteering here, is taken at your own risk.
While best efforts are made to assist in removing infections safely, unexpected stuff can happen.


You have a variety of malware on this system. :red:



Do this first...Important

Disable the TeaTimer, leave it disabled, do not turn it back on until we're done or it will prevent fixes from taking
  • Run Spybot-S&D in Advanced Mode.
  • If it is not already set to do this Go to the Mode menu select "Advanced Mode"
  • On the left hand side, Click on Tools
  • Then click on the Resident Icon in the List
  • Uncheck "Resident TeaTimer" and OK any prompts.
  • Restart your computer.<--You need to do this for it to take effect
Please do not proceed until the TeaTimer is disabled






This tool needs to be run from Safemode to be effective so download it to your desktop then boot to Safemode to run it

To Enter Safemode
  • Go to Start> Shut off your Computer> Restart
  • As the computer starts to boot-up, Tap the F8 KEY somewhat rapidly,
    this will bring up a menu.
  • Use the Up and Down Arrow Keys to scroll up to Safemode
  • Then press the Enter Key on your Keyboard
Tutorial if you need it How to boot into Safemode
Click to expand...

Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally paste the contents of the Report.txt back on the forum with a new HijackThis log
 
It seems it couldn't clean the infected files! The lsasss.exe has been on my computer for years, I have already had problems with it. And the ovfsthxtpkbmqrm.sys family is still there too. =(

SDFix: Version 1.240
Run by Usuario on 31/05/2009 at 04:16 a.m.

Microsoft Windows XP [Versi¢n 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Default Security Values
Restoring Default Hosts File

Rebooting


Checking Files :

Trojan Files Found:



Could Not Remove C:\WINDOWS\system32\lsasss.exe



Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-31 05:00:00
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden services ...

HKLM\SYSTEM\CurrentControlSet\Services\Parportnspoixdk

scanning hidden autostart entries ...

scanning hidden files ...

C:\WINDOWS\system32\drivers\ovfsthxtpkbmqrm.sys 98304 bytes
C:\WINDOWS\system32\ovfsthxftjcbfoo.dll 65536 bytes
C:\WINDOWS\system32\ovfsthxeroprvvp.dat 32768 bytes
C:\WINDOWS\system32\ovfsthxymdbnpil.dll 32768 bytes
C:\WINDOWS\system32\ovfsthxkogmedvg.dll 32768 bytes

scan completed successfully
hidden processes: 0
hidden services: 1
hidden files: 5


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\\Archivos de programa\\MSN Messenger\\msncall.exe"="C:\\Archivos de programa\\MSN Messenger\\msncall.exe:*:Enabled:Windows Live Messenger 8.0 (Phone)"
"C:\\Documents and Settings\\Usuario\\Escritorio\\utorrent.exe"="C:\\Documents and Settings\\Usuario\\Escritorio\\utorrent.exe:*:Disabled:æTorrent"
"C:\\Archivos de programa\\Ares\\Ares.exe"="C:\\Archivos de programa\\Ares\\Ares.exe:*:Disabled:Ares"
"C:\\Archivos de programa\\eMule\\emule.exe"="C:\\Archivos de programa\\eMule\\emule.exe:*:Disabled:eMule"
"C:\\WINDOWS\\system32\\sessmgr.exe"="C:\\WINDOWS\\system32\\sessmgr.exe:*:Disabled:@xpsp2res.dll,-22019"
"C:\\Archivos de programa\\NetMeeting\\conf.exe"="C:\\Archivos de programa\\NetMeeting\\conf.exe:*:Disabled:Windows© NetMeeting©"
"C:\\WINDOWS\\System32\\ZoneLabs\\vsmon.exe"="C:\\WINDOWS\\System32\\ZoneLabs\\vsmon.exe:*:Enabled:TrueVector Service"
"C:\\Archivos de programa\\Soulseek-Test\\slsk.exe"="C:\\Archivos de programa\\Soulseek-Test\\slsk.exe:*:Enabled:SoulSeek"
"C:\\WINDOWS\\PCHEALTH\\HELPCTR\\BINARIES\\HelpCtr.exe"="C:\\WINDOWS\\PCHEALTH\\HELPCTR\\BINARIES\\HelpCtr.exe:*:Enabled:Asistencia remota - Windows Messenger and Voice"
"C:\\Archivos de programa\\Messenger\\MSMSGS.EXE"="C:\\Archivos de programa\\Messenger\\MSMSGS.EXE:*:Enabled:Windows Messenger"
"C:\\Archivos de programa\\uTorrent\\uTorrent.exe"="C:\\Archivos de programa\\uTorrent\\uTorrent.exe:*:Enabled:æTorrent"
"C:\\Archivos de programa\\Grisoft\\AVG7\\avginet.exe"="C:\\Archivos de programa\\Grisoft\\AVG7\\avginet.exe:*:Enabled:avginet.exe"
"C:\\Archivos de programa\\Grisoft\\AVG7\\avgamsvr.exe"="C:\\Archivos de programa\\Grisoft\\AVG7\\avgamsvr.exe:*:Enabled:avgamsvr.exe"
"C:\\Archivos de programa\\Grisoft\\AVG7\\avgcc.exe"="C:\\Archivos de programa\\Grisoft\\AVG7\\avgcc.exe:*:Enabled:avgcc.exe"
"C:\\WINDOWS\\System32\\ftp.exe"="C:\\WINDOWS\\System32\\ftp.exe:*:Enabled:Programa de transferencia de archivos"
"C:\\mIRC\\mirc.exe"="C:\\mIRC\\mirc.exe:*:Enabled:mIRC"
"C:\\Archivos de programa\\AVG\\AVG8\\avgemc.exe"="C:\\Archivos de programa\\AVG\\AVG8\\avgemc.exe:*:Enabled:avgemc.exe"
"C:\\Archivos de programa\\AVG\\AVG8\\avgupd.exe"="C:\\Archivos de programa\\AVG\\AVG8\\avgupd.exe:*:Enabled:avgupd.exe"
"C:\\WINDOWS\\System32\\WINLOGON.EXE"="C:\\WINDOWS\\System32\\WINLOGON.EXE:*:Enabled:winlogon"
"C:\\Archivos de programa\\MSN Messenger\\msnmsgr.exe"="C:\\Archivos de programa\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Archivos de programa\\MSN Messenger\\livecall.exe"="C:\\Archivos de programa\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Archivos de programa\\MSN Messenger\\msncall.exe"="C:\\Archivos de programa\\MSN Messenger\\msncall.exe:*:Enabled:Windows Live Messenger 8.0 (Phone)"
"C:\\Archivos de programa\\MSN Messenger\\msnmsgr.exe"="C:\\Archivos de programa\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Archivos de programa\\MSN Messenger\\livecall.exe"="C:\\Archivos de programa\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"

Remaining Files :

C:\WINDOWS\system32\lsasss.exe Found

File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Mon 3 Mar 2008 5,702 A..H. --- "C:\WINDOWS\nod32restoretemdono.reg"
Mon 26 Jan 2009 1,740,632 A.SHR --- "C:\Archivos de programa\Spybot - Search & Destroy\is-23BT1.tmp"
Mon 26 Jan 2009 5,365,592 A.SHR --- "C:\Archivos de programa\Spybot - Search & Destroy\is-FA09I.tmp"
Mon 26 Jan 2009 1,740,632 A.SHR --- "C:\Archivos de programa\Spybot - Search & Destroy\SDUpdate.exe"
Mon 26 Jan 2009 5,365,592 A.SHR --- "C:\Archivos de programa\Spybot - Search & Destroy\SpybotSD.exe"
Fri 11 Aug 2006 4,348 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Fri 27 Feb 2004 233,472 A..H. --- "C:\Archivos de programa\Image-Line\FL Studio 7\REX Shared Library.dll"
Mon 3 Mar 2008 568 A..H. --- "C:\System Volume Information\_restore{5950D50D-200B-4DB6-B90D-3AD995F33F63}\RP901\A0126225.reg"
Mon 3 Mar 2008 5,702 A..H. --- "C:\System Volume Information\_restore{5950D50D-200B-4DB6-B90D-3AD995F33F63}\RP901\A0126226.reg"
Fri 31 Oct 2008 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
Wed 21 Feb 2007 444 ...HR --- "C:\Documents and Settings\Usuario\Datos de programa\SecuROM\UserData\securom_v7_01.bak"
Wed 3 Mar 2004 22,016 A..H. --- "C:\Documents and Settings\Usuario\Escritorio\Nino\Textos\Poes¡as\~WRL0001.tmp"
Sat 17 Apr 2004 23,552 A..H. --- "C:\Documents and Settings\Usuario\Escritorio\Nino\Textos\Poes¡as\~WRL0003.tmp"

Finished!
 
Sorry, this is the HiJackThis:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 08:13:25 a.m., on 31/05/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Archivos de programa\COMODO\COMODO Internet Security\cmdagent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Archivos de programa\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Archivos de programa\Avira\AntiVir Desktop\sched.exe
C:\Archivos de programa\Avira\AntiVir Desktop\avguard.exe
C:\WINDOWS\system32\crypserv.exe
C:\Archivos de programa\Java\jre6\bin\jqs.exe
C:\Archivos de programa\Archivos comunes\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\msg32.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I4V1.EXE
C:\Archivos de programa\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\avast!Antivirus.exe
C:\Archivos de programa\Lavasoft\Ad-Aware\AAWTray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Archivos de programa\Spybot - Search & Destroy\SpybotSD.exe
C:\Archivos de programa\Spybot - Search & Destroy\TeaTimer.exe
C:\Archivos de programa\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Archivos de programa\Mozilla Firefox\firefox.exe
C:\Archivos de programa\Opera\opera.exe
C:\Archivos de programa\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.pagina12.com.ar/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
O2 - BHO: (no name) - {00802B89-BE50-47A6-833D-ECD330BB73A7} - C:\WINDOWS\system32\nwapi16d.dll (file missing)
O2 - BHO: (no name) - {2CAD3E0B-045B-41C8-8C35-34298F279365} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\ARCHIV~1\SPYBOT~1\SDHelper.dll
O2 - BHO: LuckyTender - {5E2402A0-5F99-4188-B30D-D8743996B340} - C:\Archivos de programa\LuckyTender\1.3.1\LuckyTender.dll (file missing)
O2 - BHO: (no name) - {68866312-bd50-4056-b439-26a821a2b770} - C:\WINDOWS\system32\furihepi.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Archivos de programa\Java\jre6\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: precisead - {83267afa-c1c3-0ae2-5b51-ceab693a8517} - C:\WINDOWS\system32\nsnCC83.dll (file missing)
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\ARCHIV~1\AVG\AVG8\AVGTOO~1.DLL (file missing)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Archivos de programa\Norton SystemWorks\Norton Antivirus\NavShExt.dll (file missing)
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Archivos de programa\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Archivos de programa\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: (no name) - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Archivos de programa\Norton SystemWorks\Norton Antivirus\NavShExt.dll (file missing)
O4 - HKLM\..\Run: [AWMON] "C:\ARCHIV~1\LAVASOFT\AD-AWA~1\Ad-Watch.exe"
O4 - HKLM\..\Run: [EW Message Server] msg32.exe
O4 - HKLM\..\Run: [EPSON Stylus CX1500 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I4V1.EXE /P26 "EPSON Stylus CX1500 Series" /O5 "LPT1:" /M "Stylus CX1500"
O4 - HKLM\..\Run: [EPSON Stylus CX1500 Series (Copiar 1)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I4V1.EXE /P37 "EPSON Stylus CX1500 Series (Copiar 1)" /O6 "USB001" /M "Stylus CX1500"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\ARCHIV~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Archivos de programa\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Archivos de programa\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [egui] "C:\Archivos de programa\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [adware_free_soft] C:\WINDOWS\promofreesoft.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Archivos de programa\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICIO LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Servicio de red')
O4 - HKUS\S-1-5-21-725345543-1979792683-2147208981-500\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'Administrador')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: ERUNT AutoBackup.lnk = C:\Archivos de programa\ERUNT\AUTOBACK.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk.disabled
O4 - Global Startup: Microsoft Office.lnk = C:\Archivos de programa\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre6\bin\jp2iexp.dll
O9 - Extra 'Tools' menuitem: Consola de Sun Java - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre6\bin\jp2iexp.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\ARCHIV~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\ARCHIV~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O16 - DPF: {512FC5A1-7DE1-43F1-BC0C-371622FCB409} (TotalScan Installer Class) - http://www.nanoscan.com/as/v1/cabs/ascstubie.cab
O16 - DPF: {8436FE12-31DB-48BF-83BF-FE682F9160B4} -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Archivos de programa\AVG\AVG8\avgpp.dll (file missing)
O20 - AppInit_DLLs: C:\WINDOWS\system32\levunana.dll c:\windows\system32\,c:\progra~1\ThunMail\testabd.dll C:\WINDOWS\system32\cssdll32.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - (no file)
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Archivos de programa\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Archivos de programa\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Archivos de programa\Ares\chatServer.exe
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing)
O23 - Service: avast!Antivirus - Unknown owner - C:\WINDOWS\System32\avast!Antivirus.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - Unknown owner - C:\ARCHIV~1\AVG\AVG8\avgemc.exe (file missing)
O23 - Service: AVG Free8 WatchDog (avg8wd) - Unknown owner - C:\ARCHIV~1\AVG\AVG8\avgwdsvc.exe (file missing)
O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - Unknown owner - C:\Archivos de programa\COMODO\COMODO Internet Security\cmdagent.exe
O23 - Service: Crypkey License - CrypKey (Canada) Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Archivos de programa\Archivos comunes\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Archivos de programa\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Archivos de programa\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: Servicio Auto-Protect de Norton AntiVirus (navapsvc) - Unknown owner - C:\Archivos de programa\Norton SystemWorks\Norton Antivirus\navapsvc.exe (file missing)
O23 - Service: SAVScan - Unknown owner - C:\Archivos de programa\Norton SystemWorks\Norton Antivirus\SAVScan.exe (file missing)
O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Unknown owner - C:\Archivos de programa\Archivos comunes\Symantec Shared\SNDSrvc.exe (file missing)
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe (file missing)

--
End of file - 9639 bytes
 
Hi,

This is some nasty stuff you have, its going to take a some work to remove it.


Download ComboFix from one of these locations:

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop


  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  • See this Link for programs that need to be disabled and instruction on how to disable them.
  • Remember to re-enable them when we're done.

  • Double click on ComboFix.exe & follow the prompts.

  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.


RcAuto1.gif


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
whatnext.jpg

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply along with a New Hijackthis log.

*If there is no internet connection when Combofix has completely finished then restart your computer to restore back the connections.
 
I can't use ComboFix because there's an old AVG free scan running and I don't know how to stop it. I thought I had uninstalled it long time ago, but ComboFix tells me this file still remains: avgrrstx.dll and it's impossible to eliminate! I also have problems deactivating Ad-Aware, it doesn't exit even if I click the option!
 
Do this

Do this first...Important

Disable the TeaTimer, leave it disabled, do not turn it back on until we're done or it will prevent fixes from taking
  • Run Spybot-S&D in Advanced Mode.
  • If it is not already set to do this Go to the Mode menu select "Advanced Mode"
  • On the left hand side, Click on Tools
  • Then click on the Resident Icon in the List
  • Uncheck "Resident TeaTimer" and OK any prompts.
  • Restart your computer.<--You need to do this for it to take effect
Please do not proceed until the TeaTimer is disabled



Run Combofix in Safemode

To Enter Safemode
  • Go to Start> Shut off your Computer> Restart
  • As the computer starts to boot-up, Tap the F8 KEY somewhat rapidly,
    this will bring up a menu.
  • Use the Up and Down Arrow Keys to scroll up to Safemode
  • Then press the Enter Key on your Keyboard
Tutorial if you need it How to boot into Safemode
 
Here are the results of the ComboFix:

ComboFix 09-05-31.02 - Usuario 31/05/2009 20:18.1 - FAT32x86 MINIMAL
Microsoft Windows XP Professional 5.1.2600.2.1252.34.3082.18.1535.1269 [GMT -3:00]
Running from: c:\documents and settings\Usuario\Escritorio\ComboFix.exe
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: COMODO Firewall *enabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\drivers\ovfsthxtpkbmqrm.sys
c:\windows\system32\ftp_non_crp.exe
c:\windows\system32\ovfsthxeroprvvp.dat
c:\windows\system32\ovfsthxftjcbfoo.dll
c:\windows\system32\ovfsthxkogmedvg.dll
c:\windows\system32\ovfsthxsxbuqynq.dat
c:\windows\system32\ovfsthxymdbnpil.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_AVAST!ANTIVIRUS
-------\Service_avast!Antivirus


((((((((((((((((((((((((( Files Created from 2009-04-28 to 2009-05-31 )))))))))))))))))))))))))))))))
.

2009-05-31 23:15 . 2009-05-31 23:15 -------- d-sh--w- C:\FOUND.019
2009-05-31 07:12 . 2009-05-31 07:12 -------- d-----w- c:\windows\ERUNT
2009-05-31 07:05 . 2008-11-06 05:03 -------- d-----w- C:\SDFix
2009-05-30 08:54 . 2009-05-30 08:54 -------- d--h--w- c:\windows\PIF
2009-05-30 06:45 . 2009-05-30 06:45 -------- d-----w- c:\documents and settings\NetworkService\Escritorio
2009-05-30 00:43 . 2009-05-30 00:43 -------- d-----r- c:\documents and settings\LocalService\Favoritos
2009-05-29 23:05 . 2009-05-29 23:05 253688 ----a-w- c:\windows\system32\cssdll32.dll
2009-05-29 22:57 . 2009-05-29 22:57 -------- d-----w- c:\documents and settings\All Users\Datos de programa\Comodo
2009-05-29 22:57 . 2009-05-29 22:57 82080 ----a-w- c:\windows\system32\drivers\inspect.sys
2009-05-29 22:57 . 2009-05-29 22:57 24096 ----a-w- c:\windows\system32\drivers\cmdhlp.sys
2009-05-29 22:57 . 2009-05-29 22:57 168208 ----a-w- c:\windows\system32\guard32.dll
2009-05-29 22:57 . 2009-05-29 22:57 132640 ----a-w- c:\windows\system32\drivers\cmdguard.sys
2009-05-29 22:57 . 2009-05-29 22:57 -------- d-----w- c:\archivos de programa\COMODO
2009-05-29 22:43 . 2009-05-29 22:43 -------- d-----w- c:\documents and settings\All Users\Datos de programa\TEMP
2009-05-29 22:43 . 2009-05-29 22:43 -------- d-----w- c:\archivos de programa\SpywareBlaster
2009-05-29 22:18 . 2009-03-30 13:33 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys
2009-05-29 22:18 . 2009-03-24 19:08 55640 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-05-29 22:18 . 2009-02-13 15:29 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2009-05-29 22:18 . 2009-02-13 15:17 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2009-05-29 22:17 . 2009-05-29 22:18 -------- d-----w- c:\documents and settings\All Users\Datos de programa\Avira
2009-05-29 22:17 . 2009-05-29 22:18 -------- d-----w- c:\archivos de programa\Avira
2009-05-29 16:10 . 2009-05-29 16:10 -------- d-----w- c:\archivos de programa\Trend Micro
2009-05-29 16:01 . 2009-05-29 16:01 -------- d-----w- c:\archivos de programa\ERUNT
2009-05-29 00:45 . 2009-05-29 00:45 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2009-05-28 03:52 . 2009-05-28 03:52 -------- d-----w- c:\archivos de programa\Opera
2009-05-27 22:09 . 2009-05-27 22:09 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2009-05-27 20:49 . 2009-05-27 20:05 15688 ----a-w- c:\windows\system32\lsdelete.exe
2009-05-27 20:17 . 2009-05-27 20:18 -------- d-----w- c:\documents and settings\LocalService\Escritorio
2009-05-27 20:05 . 2009-05-27 20:03 64160 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-05-27 20:05 . 2009-05-27 20:05 314200 ----a-w- c:\documents and settings\All Users\Datos de programa\Lavasoft\Ad-Aware\Update\threatwork.exe
2009-05-27 20:05 . 2009-05-27 20:05 25440 ----a-w- c:\documents and settings\All Users\Datos de programa\Lavasoft\Ad-Aware\Update\savapibridge.dll
2009-05-27 20:04 . 2009-05-27 20:05 169312 ----a-w- c:\documents and settings\All Users\Datos de programa\Lavasoft\Ad-Aware\Update\lavamessage.dll
2009-05-27 20:04 . 2009-05-27 20:05 15688 ----a-w- c:\documents and settings\All Users\Datos de programa\Lavasoft\Ad-Aware\Update\lsdelete.exe
2009-05-27 20:04 . 2009-05-27 20:04 348496 ----a-w- c:\documents and settings\All Users\Datos de programa\Lavasoft\Ad-Aware\Update\lavalicense.dll
2009-05-27 20:04 . 2009-05-27 20:04 294240 ----a-w- c:\documents and settings\All Users\Datos de programa\Lavasoft\Ad-Aware\Update\UpdateManager.dll
2009-05-27 20:04 . 2009-05-27 20:04 83808 ----a-w- c:\documents and settings\All Users\Datos de programa\Lavasoft\Ad-Aware\Update\ShellExt.dll
2009-05-27 20:04 . 2009-05-27 20:04 1630048 ----a-w- c:\documents and settings\All Users\Datos de programa\Lavasoft\Ad-Aware\Update\Resources.dll
2009-05-27 20:03 . 2009-05-27 20:03 212848 ----a-w- c:\documents and settings\All Users\Datos de programa\Lavasoft\Ad-Aware\Update\RPAPI.dll
2009-05-27 20:03 . 2009-05-27 20:03 40288 ----a-w- c:\documents and settings\All Users\Datos de programa\Lavasoft\Ad-Aware\Update\PrivacyClean.dll
2009-05-27 20:03 . 2009-05-27 20:03 64160 ----a-w- c:\documents and settings\All Users\Datos de programa\Lavasoft\Ad-Aware\Update\Drivers\32\lbd.sys
2009-05-27 20:03 . 2009-05-27 20:03 640360 ----a-w- c:\documents and settings\All Users\Datos de programa\Lavasoft\Ad-Aware\Update\CEAPI.dll
2009-05-27 20:03 . 2009-05-27 20:03 540536 ----a-w- c:\documents and settings\All Users\Datos de programa\Lavasoft\Ad-Aware\Update\Ad-AwareCommand.exe
2009-05-27 20:03 . 2009-05-27 20:03 559464 ----a-w- c:\documents and settings\All Users\Datos de programa\Lavasoft\Ad-Aware\Update\Ad-AwareAdmin.exe
2009-05-27 20:03 . 2009-05-27 20:03 2352456 ----a-w- c:\documents and settings\All Users\Datos de programa\Lavasoft\Ad-Aware\Update\Ad-Aware.exe
2009-05-27 20:03 . 2009-05-27 20:03 627536 ----a-w- c:\documents and settings\All Users\Datos de programa\Lavasoft\Ad-Aware\Update\AAWWSC.exe
2009-05-27 20:02 . 2009-05-27 20:03 518488 ----a-w- c:\documents and settings\All Users\Datos de programa\Lavasoft\Ad-Aware\Update\AAWTray.exe
2009-05-27 20:02 . 2009-05-27 20:02 1005904 ----a-w- c:\documents and settings\All Users\Datos de programa\Lavasoft\Ad-Aware\Update\AAWService.exe
2009-05-27 19:51 . 2009-05-27 19:51 -------- d--h--w- c:\documents and settings\All Users\Datos de programa\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-05-27 19:51 . 2009-03-12 08:17 2902048 ----a-w- c:\documents and settings\All Users\Datos de programa\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}\Ad-AwareAE.exe
2009-05-27 19:51 . 2009-05-27 19:51 -------- d-----w- c:\documents and settings\All Users\Datos de programa\Lavasoft
2009-05-27 18:46 . 2009-05-27 18:46 -------- d-----w- c:\documents and settings\Administrador\Datos de programa\Lavasoft
2009-05-27 18:45 . 2009-05-27 18:45 -------- d-sh--w- c:\documents and settings\Administrador\IETldCache
2009-05-26 09:44 . 2009-05-26 09:44 -------- d-sh--w- c:\windows\system32\config\systemprofile\PrivacIE
2009-05-25 01:19 . 2009-05-25 01:19 -------- d-----w- c:\documents and settings\Usuario\Datos de programa\Apple Computer
2009-05-20 17:11 . 2009-05-20 17:11 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-05-18 05:19 . 2009-05-18 05:19 -------- d-sh--w- c:\documents and settings\Usuario\PrivacIE
2009-05-18 05:17 . 2009-05-18 05:17 -------- d-sh--w- c:\documents and settings\Usuario\IETldCache
2009-05-18 05:00 . 2009-05-18 05:00 -------- d--h--w- c:\windows\ie8
2009-05-18 04:58 . 2009-05-18 04:58 -------- d--h--w- c:\windows\msdownld.tmp
2009-05-17 08:46 . 2009-05-17 08:46 -------- d-----w- C:\program Files
2009-05-16 22:31 . 2009-05-16 22:31 -------- d-----w- c:\documents and settings\Usuario\Tracing
2009-05-16 22:22 . 2009-05-16 22:22 -------- d-----w- c:\archivos de programa\Archivos comunes\Windows Live
2009-05-06 14:31 . 2009-05-06 14:31 -------- d-----w- c:\documents and settings\All Users\Datos de programa\Adobe Systems
2009-05-06 14:30 . 2009-05-07 12:50 85728 ----a-w- c:\windows\system32\2062c6b9-9015-34e4-2f08-63dae0dcf2d0.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-30 02:00 . 2001-08-24 15:00 66780 ----a-w- c:\windows\system32\perfc00A.dat
2009-05-30 02:00 . 2001-08-24 15:00 390786 ----a-w- c:\windows\system32\perfh00A.dat
2009-03-08 07:34 . 2004-08-19 21:42 914944 ----a-w- c:\windows\system32\wininet.dll
2009-03-08 07:34 . 2004-08-19 21:42 43008 ----a-w- c:\windows\system32\licmgr10.dll
2009-03-08 07:33 . 2004-08-19 21:41 18944 ----a-w- c:\windows\system32\corpol.dll
2009-03-08 07:33 . 2004-08-19 21:42 420352 ----a-w- c:\windows\system32\vbscript.dll
2009-03-08 07:32 . 2004-08-19 21:41 72704 ----a-w- c:\windows\system32\admparse.dll
2009-03-08 07:32 . 2004-08-19 21:42 71680 ----a-w- c:\windows\system32\iesetup.dll
2009-03-08 07:31 . 2004-08-19 21:42 34816 ----a-w- c:\windows\system32\imgutil.dll
2009-03-08 07:31 . 2004-08-19 21:39 48128 ----a-w- c:\windows\system32\mshtmler.dll
2009-03-08 07:31 . 2004-08-19 21:42 45568 ----a-w- c:\windows\system32\mshta.exe
2009-03-08 07:22 . 2001-08-24 15:00 156160 ----a-w- c:\windows\system32\msls31.dll
.

((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2006-08-20 17:12 . 2004-06-10 14:54 286720 c:\windows\bak\vsnpstd2.exe

2004-05-31 08:49 . 2004-05-31 08:49 99840 c:\windows\system32\spool\drivers\w32x86\3\bak\E_S4I4V1.EXE
2004-05-31 08:49 . 2004-03-22 15:00 99840 c:\windows\system32\spool\drivers\w32x86\3\E_S4I4V1.EXE

2006-09-02 04:25 . 2005-11-10 16:03 36975 c:\archivos de programa\Java\jre1.5.0_06\bin\bak\jusched.exe

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-19 15360]
"adware_free_soft"="c:\windows\promofreesoft.exe" [N/A]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AWMON"="c:\archiv~1\LAVASOFT\AD-AWA~1\Ad-Watch.exe" [N/A]
"EPSON Stylus CX1500 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_S4I4V1.EXE" [2004-03-22 99840]
"EPSON Stylus CX1500 Series (Copiar 1)"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_S4I4V1.EXE" [2004-03-22 99840]
"AVG8_TRAY"="c:\archiv~1\AVG\AVG8\avgtray.exe" [N/A]
"SunJavaUpdateSched"="c:\archivos de programa\Java\jre6\bin\jusched.exe" [2008-12-04 136600]
"QuickTime Task"="c:\archivos de programa\QuickTime\qttask.exe" [2009-01-05 413696]
"egui"="c:\archivos de programa\ESET\ESET NOD32 Antivirus\egui.exe" [N/A]
"MSConfig"="c:\windows\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2004-08-19 159744]
"EW Message Server"="msg32.exe" - c:\windows\system32\msg32.exe [2005-06-17 45056]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-19 15360]
"ALUAlert"="c:\archivos de programa\Symantec\LiveUpdate\ALUNotify.exe" [N/A]

c:\documents and settings\Usuario\Men£ Inicio\Programas\Inicio\
ERUNT AutoBackup.lnk - c:\archivos de programa\ERUNT\AUTOBACK.EXE [2005-10-20 38912]

c:\documents and settings\All Users\Men£ Inicio\Programas\Inicio\
Adobe Gamma Loader.lnk.disabled [2007-3-11 1921]
Microsoft Office.lnk - c:\archivos de programa\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-02-02 11:13 10520 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\cssdll32.dll

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32
"midi"= gmidi.dll
"wave1"= serwvdrv.dll
"wave3"= serwvdrv.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"MSMSGS"="c:\archivos de programa\Messenger\msmsgs.exe" /background
"CTFMON.EXE"=c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"ccApp"="c:\archivos de programa\Archivos comunes\Symantec Shared\ccApp.exe"
"EPSON Stylus CX1500 Series (Copiar 1)"=c:\windows\System32\spool\DRIVERS\W32X86\3\E_S4I4V1.EXE /P37 "EPSON Stylus CX1500 Series (Copiar 1)" /O6 "USB002" /M "Stylus CX1500"
"EPSON Stylus CX1500 Series"=c:\windows\System32\spool\DRIVERS\W32X86\3\E_S4I4V1.EXE /P26 "EPSON Stylus CX1500 Series" /O6 "USB001" /M "Stylus CX1500"
"GhostStartTrayApp"=c:\archivos de programa\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
"Zone Labs Client"="c:\archivos de programa\Zone Labs\ZoneAlarm\zlclient.exe"
"Symantec NetDriver Monitor"=c:\archiv~1\SYMNET~1\SNDMon.exe
"QuickTime Task"="c:\archivos de programa\QuickTime\qttask.exe" -atboottime
"SunJavaUpdateSched"="c:\archivos de programa\Java\jre1.6.0_02\bin\jusched.exe"
"SNPSTD2"=c:\windows\vsnpstd2.exe
"Lexmark_X79-55"=c:\windows\system32\lsasss.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Archivos de programa\\Ares\\Ares.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Archivos de programa\\NetMeeting\\conf.exe"=
"c:\\WINDOWS\\PCHEALTH\\HELPCTR\\BINARIES\\HelpCtr.exe"=
"c:\\Archivos de programa\\Messenger\\MSMSGS.EXE"=
"c:\\Archivos de programa\\uTorrent\\uTorrent.exe"=
"c:\\WINDOWS\\System32\\ftp.exe"=
"c:\\mIRC\\mirc.exe"=
"c:\\Archivos de programa\\MSN Messenger\\msnmsgr.exe"=
"c:\\Archivos de programa\\MSN Messenger\\livecall.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [27/05/2009 05:05 p.m. 64160]
S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\Drivers\avgldx86.sys --> c:\windows\system32\Drivers\avgldx86.sys [?]
S1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\Drivers\avgtdix.sys --> c:\windows\system32\Drivers\avgtdix.sys [?]
S1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdguard.sys [29/05/2009 07:57 p.m. 132640]
S1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [29/05/2009 07:57 p.m. 24096]
S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\archivos de programa\Avira\AntiVir Desktop\sched.exe [29/05/2009 07:18 p.m. 108289]
S2 avg8emc;AVG Free8 E-mail Scanner;c:\archiv~1\AVG\AVG8\avgemc.exe --> c:\archiv~1\AVG\AVG8\avgemc.exe [?]
S2 avg8wd;AVG Free8 WatchDog;c:\archiv~1\AVG\AVG8\avgwdsvc.exe --> c:\archiv~1\AVG\AVG8\avgwdsvc.exe [?]
S3 epflt15;epflt15;c:\windows\system32\DRIVERS\epflt15.SYS --> c:\windows\system32\DRIVERS\epflt15.SYS [?]
S3 EWAVE;EWAVE;c:\windows\system32\drivers\ew.sys [30/08/2007 08:54 p.m. 1706784]
S3 FILESPY;FILESPY;c:\windows\system32\drivers\FileSpy.sys [30/08/2007 08:54 p.m. 26992]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\archivos de programa\Lavasoft\Ad-Aware\AAWService.exe [09/03/2009 04:06 p.m. 1005904]
S3 NMUSB;NMUSB;c:\windows\system32\drivers\nmusb.sys [16/05/2006 08:22 p.m. 23520]
S3 NSTATION;NSTATION;c:\windows\system32\drivers\NSTATION.sys [30/08/2007 08:54 p.m. 18912]
.
Contents of the 'Scheduled Tasks' folder

2009-05-29 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\archivos de programa\Apple Software Update\SoftwareUpdate.exe [2008-07-30 15:34]

2009-05-16 c:\windows\Tasks\Spybot - Search & Destroy - Scheduled Task.job
- c:\archivos de programa\Spybot - Search & Destroy\SpybotSD.exe [2007-05-25 18:31]

2009-05-27 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\archivos de programa\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 20:03]
.
- - - - ORPHANS REMOVED - - - -

BHO-{00802B89-BE50-47A6-833D-ECD330BB73A7} - c:\windows\system32\nwapi16d.dll
BHO-{2CAD3E0B-045B-41C8-8C35-34298F279365} - (no file)
BHO-{68866312-bd50-4056-b439-26a821a2b770} - c:\windows\system32\furihepi.dll
BHO-{83267afa-c1c3-0ae2-5b51-ceab693a8517} - c:\windows\system32\nsnCC83.dll
Notify-WgaLogon - (no file)
SafeBoot-procexp90.Sys


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.pagina12.com.ar/
uInternet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch
FF - ProfilePath - c:\documents and settings\Usuario\Datos de programa\Mozilla\Firefox\Profiles\8wxzlq4z.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www7.yoog.com/search.php?q=
FF - prefs.js: browser.search.selectedEngine - Yoog Search
FF - prefs.js: browser.startup.homepage - hxxp://www.pagina12.com.ar/
FF - prefs.js: keyword.URL - hxxp://www7.yoog.com/search.php?q=
FF - plugin: c:\archivos de programa\QuickTime\Plugins\npqtplugin8.dll

---- FIREFOX POLICIES ----
FF - user.js: google.toolbar.linkdoctor.enabled - false
FF - user.js: browser.search.defaultenginename - Yoog Search
FF - user.js: browser.search.defaulturl - hxxp://www7.yoog.com/search.php?q=
FF - user.js: browser.search.selectedEngine - Yoog Search
FF - user.js: keyword.URL - hxxp://www7.yoog.com/search.php?q=
FF - user.js: keyword.enabled - true
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-31 20:24
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\Ø•€|ÿÿÿÿ•€|ù•9~*]
"5E7CEC10DF0760D4F8DAFB12FDC06CCD"="02:\\Software\\Adobe\\FeatureSubscriptions\\DVAAdobeDocMeta\\{01CEC7E5-70FD-4D06-8FAD-BF21DF0CC6DC}\\Registered"
"AB141C35E9F4BF344B9FC010BB17F68A"=""
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(272)
c:\windows\system32\l3codecx.acm
c:\windows\system32\vorbis.acm

- - - - - - - > 'explorer.exe'(1404)
c:\windows\system32\ieframe.dll
.
Completion time: 2009-05-31 20:27 - machine was rebooted
ComboFix-quarantined-files.txt 2009-05-31 23:27

Pre-Run: 40.602.501.120 bytes libres
Post-Run: 41.177.219.072 bytes libres

Current=2 Default=2 Failed=1 LastKnownGood=3 Sets=,1,2,3,4,5,6,7,8,9
251 --- E O F --- 2009-01-27 23:15





And here are the results of the HJT:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 08:41:09 p.m., on 31/05/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Archivos de programa\COMODO\COMODO Internet Security\cmdagent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Archivos de programa\Avira\AntiVir Desktop\sched.exe
C:\Archivos de programa\Avira\AntiVir Desktop\avguard.exe
C:\WINDOWS\system32\crypserv.exe
C:\WINDOWS\system32\msg32.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I4V1.EXE
C:\Archivos de programa\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Archivos de programa\Java\jre6\bin\jqs.exe
C:\Archivos de programa\Archivos comunes\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Archivos de programa\Spybot - Search & Destroy\TeaTimer.exe
C:\Archivos de programa\COMODO\COMODO Internet Security\cfp.exe
C:\Archivos de programa\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Archivos de programa\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.pagina12.com.ar/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
O2 - BHO: (no name) - {00802B89-BE50-47A6-833D-ECD330BB73A7} - (no file)
O2 - BHO: (no name) - {2CAD3E0B-045B-41C8-8C35-34298F279365} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\ARCHIV~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5E2402A0-5F99-4188-B30D-D8743996B340} - (no file)
O2 - BHO: (no name) - {68866312-bd50-4056-b439-26a821a2b770} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Archivos de programa\Java\jre6\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {83267afa-c1c3-0ae2-5b51-ceab693a8517} - (no file)
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\ARCHIV~1\AVG\AVG8\AVGTOO~1.DLL (file missing)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Archivos de programa\Norton SystemWorks\Norton Antivirus\NavShExt.dll (file missing)
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Archivos de programa\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Archivos de programa\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: (no name) - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Archivos de programa\Norton SystemWorks\Norton Antivirus\NavShExt.dll (file missing)
O4 - HKLM\..\Run: [AWMON] "C:\ARCHIV~1\LAVASOFT\AD-AWA~1\Ad-Watch.exe"
O4 - HKLM\..\Run: [EW Message Server] msg32.exe
O4 - HKLM\..\Run: [EPSON Stylus CX1500 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I4V1.EXE /P26 "EPSON Stylus CX1500 Series" /O5 "LPT1:" /M "Stylus CX1500"
O4 - HKLM\..\Run: [EPSON Stylus CX1500 Series (Copiar 1)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I4V1.EXE /P37 "EPSON Stylus CX1500 Series (Copiar 1)" /O6 "USB001" /M "Stylus CX1500"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\ARCHIV~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Archivos de programa\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Archivos de programa\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [egui] "C:\Archivos de programa\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [adware_free_soft] C:\WINDOWS\promofreesoft.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Archivos de programa\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICIO LOCAL')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: ERUNT AutoBackup.lnk = C:\Archivos de programa\ERUNT\AUTOBACK.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk.disabled
O4 - Global Startup: Microsoft Office.lnk = C:\Archivos de programa\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre6\bin\jp2iexp.dll
O9 - Extra 'Tools' menuitem: Consola de Sun Java - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre6\bin\jp2iexp.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\ARCHIV~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\ARCHIV~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O16 - DPF: {512FC5A1-7DE1-43F1-BC0C-371622FCB409} (TotalScan Installer Class) - http://www.nanoscan.com/as/v1/cabs/ascstubie.cab
O16 - DPF: {8436FE12-31DB-48BF-83BF-FE682F9160B4} -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Archivos de programa\AVG\AVG8\avgpp.dll (file missing)
O20 - AppInit_DLLs: C:\WINDOWS\system32\cssdll32.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Archivos de programa\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Archivos de programa\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Archivos de programa\Ares\chatServer.exe
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing)
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - Unknown owner - C:\ARCHIV~1\AVG\AVG8\avgemc.exe (file missing)
O23 - Service: AVG Free8 WatchDog (avg8wd) - Unknown owner - C:\ARCHIV~1\AVG\AVG8\avgwdsvc.exe (file missing)
O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - Unknown owner - C:\Archivos de programa\COMODO\COMODO Internet Security\cmdagent.exe
O23 - Service: Crypkey License - CrypKey (Canada) Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Archivos de programa\Archivos comunes\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Archivos de programa\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Archivos de programa\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: Servicio Auto-Protect de Norton AntiVirus (navapsvc) - Unknown owner - C:\Archivos de programa\Norton SystemWorks\Norton Antivirus\navapsvc.exe (file missing)
O23 - Service: SAVScan - Unknown owner - C:\Archivos de programa\Norton SystemWorks\Norton Antivirus\SAVScan.exe (file missing)
O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Unknown owner - C:\Archivos de programa\Archivos comunes\Symantec Shared\SNDSrvc.exe (file missing)
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe (file missing)

--
End of file - 8653 bytes
 
Hello,

I knew you could do it :bigthumb: Combofix removed the TDSS rootkit, but it also found other nasty programs that we need to remove.

uTorrent <-- If your using programs like this your going to keep getting infected, read this please.

We have noticed that many people seeking help from us are coming with infections contracted from the use of P2P programs.

Because of this, we changed our malware forum's policy on the use of P2P file sharing programs.

  • If your helper detects the presence of such programs on your computer he/she will ask you to remove them. Help will be withdrawn should you not agree to their removal.
  • If we clean your computer of infection, and you return to us a short time later with an infection contracted by the use of P2P programs, volunteer analysts will refuse their help.

We do not ask you to do this without reason.


P2P (File Sharing ) programs form a direct conduit onto your computer, their security measures are easily circumvented, and Malware writers are increasingly exploiting them to spread their wares onto your computer. Further to that, if your P2P program is not configured correctly you may be sharing more files than you realize. There have been cases where people's Passwords, Address Books and other personal, private, and financial details have been exposed to the file sharing network by a badly configured program.

Many of the programs come bundled with other unwanted programs, but even the ones free of any bundled software are not safe to use.

This article from InfoWorld illustrates the dangers of a poorly configured P2P program.
http://www.infoworld.com/article/07/09/06/...ID-theft_1.html

When you use them you are downloading software from an unknown source directly onto your computer, bypassing your Firewall and Anti-Virus software. Hardly surprising then that many of these Downloads are being targeted to carry infections.
Click to expand...


You have THREE ANTI VIRUS PROGRAMS RUNNING, not recommended, this is overkill, they will use a large amount of system resources and slow your system down, you should only have one, keep it updated and run a scan about once a week. You have Avira, AVG Free and Symantec, your call but you need to uninstall 2 of them via the Add Remove programs in the Control Panel


You still have the TeaTimer in Spybot enabled along with Ad Watch in Ad-Aware, disable them both.

Do this first...Important

Disable the TeaTimer, leave it disabled, do not turn it back on until we're done or it will prevent fixes from taking
  • Run Spybot-S&D in Advanced Mode.
  • If it is not already set to do this Go to the Mode menu select "Advanced Mode"
  • On the left hand side, Click on Tools
  • Then click on the Resident Icon in the List
  • Uncheck "Resident TeaTimer" and OK any prompts.
  • Restart your computer.<--You need to do this for it to take effect
Please do not proceed until the TeaTimer is disabled


You need to Disable AdWatch in Ad-Aware Se Personal as it can stop our fix.

To Disable AdWatch
  • Open Ad-Aware SE Personal
  • Go to the AdWatch User Interface.
  • Go to Tools and Preferences.
  • At the bottom of the screen you will see 2 options
  • Active: This will turn Ad-Watch On\Off without closing it.
  • Automatic: Suspicious activity will be blocked automatically
  • Uncheck both options.
You should enable these after resolving your problem.






Open HijackThis > Do a System Scan Only, close your browser and all open windows including this one, the only program or window you should have open is HijackThis, check the following entries and click on Fix Checked.

O2 - BHO: (no name) - {00802B89-BE50-47A6-833D-ECD330BB73A7} - (no file)
O2 - BHO: (no name) - {2CAD3E0B-045B-41C8-8C35-34298F279365} - (no file)
O2 - BHO: (no name) - {5E2402A0-5F99-4188-B30D-D8743996B340} - (no file)
O2 - BHO: (no name) - {68866312-bd50-4056-b439-26a821a2b770} - (no file)
O2 - BHO: (no name) - {83267afa-c1c3-0ae2-5b51-ceab693a8517} - (no file)





You have a file infecter virus that has infected the following files under AWF, what this trojan has done is removed the clean file to a backup folder and installed its own infected copy.

Open Notepad Go to Start> All Programs> Assessories> Notepad ( this will only work with Notepad )and copy all the text inside the Codebox by highlighting it all and pressing CTRL C on your keyboard, then paste it into Notepad, make sure there is no space before and above AWF::


Code: 
AWF::
c:\windows\bak\vsnpstd2.exe
c:\windows\system32\spool\drivers\w32x86\3\bak\E_S4I4V1.EXE
c:\archivos de programa\Java\jre1.5.0_06\bin\bak\jusched.exe

File::
c:\windows\promofreesoft.exe

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"adware_free_soft"=-

Save this as CFScript to your desktop.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

CFScriptB-4.gif



This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.
 
Last edited:
Here I am again. Thank you for your quick response, I appreciate your help very much. Three things:

1) I already deleted uTorrent, but I have a problem with those antivirus. I supposedly eliminated SYMANTEC long ago -almost two years!-, then I got AVG Free, and then I eliminated it when I got NOD32 -but I guess the problem is I didn't uninstall them, just removed the folders-. Finally, when I came to this forum and read some recommendations I downloaded Avira and got rid of NOD32. So... Windows doesn't recognize any of those antivirus as installed programs, and I have no way of uninstalling them, they' are nowhere to be found! And, for example, the remaining AVG Free file is in use and it's impossible to tremove it.

2) The ComboFix result:

ComboFix 09-05-31.02 - Usuario 31/05/2009 23:23.2 - FAT32x86 MINIMAL
Microsoft Windows XP Professional 5.1.2600.2.1252.34.3082.18.1535.1274 [GMT -3:00]
Running from: c:\documents and settings\Usuario\Escritorio\ComboFix.exe
Command switches used :: c:\documents and settings\Usuario\Escritorio\CFScript.txt
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: COMODO Firewall *enabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
"c:\windows\promofreesoft.exe"
.

((((((((((((((((((((((((( Files Created from 2009-05-01 to 2009-06-01 )))))))))))))))))))))))))))))))
.

2009-05-31 23:15 . 2009-05-31 23:15 -------- d-sh--w- C:\FOUND.019
2009-05-31 07:12 . 2009-05-31 07:12 -------- d-----w- c:\windows\ERUNT
2009-05-31 07:05 . 2008-11-06 05:03 -------- d-----w- C:\SDFix
2009-05-30 08:54 . 2009-05-30 08:54 -------- d--h--w- c:\windows\PIF
2009-05-30 06:45 . 2009-05-30 06:45 -------- d-----w- c:\documents and settings\NetworkService\Escritorio
2009-05-30 00:43 . 2009-05-30 00:43 -------- d-----r- c:\documents and settings\LocalService\Favoritos
2009-05-29 23:05 . 2009-05-29 23:05 253688 ----a-w- c:\windows\system32\cssdll32.dll
2009-05-29 22:57 . 2009-05-29 22:57 -------- d-----w- c:\documents and settings\All Users\Datos de programa\Comodo
2009-05-29 22:57 . 2009-05-29 22:57 82080 ----a-w- c:\windows\system32\drivers\inspect.sys
2009-05-29 22:57 . 2009-05-29 22:57 24096 ----a-w- c:\windows\system32\drivers\cmdhlp.sys
2009-05-29 22:57 . 2009-05-29 22:57 168208 ----a-w- c:\windows\system32\guard32.dll
2009-05-29 22:57 . 2009-05-29 22:57 132640 ----a-w- c:\windows\system32\drivers\cmdguard.sys
2009-05-29 22:57 . 2009-05-29 22:57 -------- d-----w- c:\archivos de programa\COMODO
2009-05-29 22:43 . 2009-05-29 22:43 -------- d-----w- c:\documents and settings\All Users\Datos de programa\TEMP
2009-05-29 22:43 . 2009-05-29 22:43 -------- d-----w- c:\archivos de programa\SpywareBlaster
2009-05-29 22:18 . 2009-03-30 13:33 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys
2009-05-29 22:18 . 2009-03-24 19:08 55640 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-05-29 22:18 . 2009-02-13 15:29 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2009-05-29 22:18 . 2009-02-13 15:17 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2009-05-29 22:17 . 2009-05-29 22:18 -------- d-----w- c:\documents and settings\All Users\Datos de programa\Avira
2009-05-29 22:17 . 2009-05-29 22:18 -------- d-----w- c:\archivos de programa\Avira
2009-05-29 16:10 . 2009-05-29 16:10 -------- d-----w- c:\archivos de programa\Trend Micro
2009-05-29 16:01 . 2009-05-29 16:01 -------- d-----w- c:\archivos de programa\ERUNT
2009-05-29 00:45 . 2009-05-29 00:45 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2009-05-28 03:52 . 2009-05-28 03:52 -------- d-----w- c:\archivos de programa\Opera
2009-05-27 22:09 . 2009-05-27 22:09 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2009-05-27 20:49 . 2009-05-27 20:05 15688 ----a-w- c:\windows\system32\lsdelete.exe
2009-05-27 20:17 . 2009-05-27 20:18 -------- d-----w- c:\documents and settings\LocalService\Escritorio
2009-05-27 20:05 . 2009-05-27 20:03 64160 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-05-27 20:05 . 2009-05-27 20:05 314200 ----a-w- c:\documents and settings\All Users\Datos de programa\Lavasoft\Ad-Aware\Update\threatwork.exe
2009-05-27 20:05 . 2009-05-27 20:05 25440 ----a-w- c:\documents and settings\All Users\Datos de programa\Lavasoft\Ad-Aware\Update\savapibridge.dll
2009-05-27 20:04 . 2009-05-27 20:05 169312 ----a-w- c:\documents and settings\All Users\Datos de programa\Lavasoft\Ad-Aware\Update\lavamessage.dll
2009-05-27 20:04 . 2009-05-27 20:05 15688 ----a-w- c:\documents and settings\All Users\Datos de programa\Lavasoft\Ad-Aware\Update\lsdelete.exe
2009-05-27 20:04 . 2009-05-27 20:04 348496 ----a-w- c:\documents and settings\All Users\Datos de programa\Lavasoft\Ad-Aware\Update\lavalicense.dll
2009-05-27 20:04 . 2009-05-27 20:04 294240 ----a-w- c:\documents and settings\All Users\Datos de programa\Lavasoft\Ad-Aware\Update\UpdateManager.dll
2009-05-27 20:04 . 2009-05-27 20:04 83808 ----a-w- c:\documents and settings\All Users\Datos de programa\Lavasoft\Ad-Aware\Update\ShellExt.dll
2009-05-27 20:04 . 2009-05-27 20:04 1630048 ----a-w- c:\documents and settings\All Users\Datos de programa\Lavasoft\Ad-Aware\Update\Resources.dll
2009-05-27 20:03 . 2009-05-27 20:03 212848 ----a-w- c:\documents and settings\All Users\Datos de programa\Lavasoft\Ad-Aware\Update\RPAPI.dll
2009-05-27 20:03 . 2009-05-27 20:03 40288 ----a-w- c:\documents and settings\All Users\Datos de programa\Lavasoft\Ad-Aware\Update\PrivacyClean.dll
2009-05-27 20:03 . 2009-05-27 20:03 64160 ----a-w- c:\documents and settings\All Users\Datos de programa\Lavasoft\Ad-Aware\Update\Drivers\32\lbd.sys
2009-05-27 20:03 . 2009-05-27 20:03 640360 ----a-w- c:\documents and settings\All Users\Datos de programa\Lavasoft\Ad-Aware\Update\CEAPI.dll
2009-05-27 20:03 . 2009-05-27 20:03 540536 ----a-w- c:\documents and settings\All Users\Datos de programa\Lavasoft\Ad-Aware\Update\Ad-AwareCommand.exe
2009-05-27 20:03 . 2009-05-27 20:03 559464 ----a-w- c:\documents and settings\All Users\Datos de programa\Lavasoft\Ad-Aware\Update\Ad-AwareAdmin.exe
2009-05-27 20:03 . 2009-05-27 20:03 2352456 ----a-w- c:\documents and settings\All Users\Datos de programa\Lavasoft\Ad-Aware\Update\Ad-Aware.exe
2009-05-27 20:03 . 2009-05-27 20:03 627536 ----a-w- c:\documents and settings\All Users\Datos de programa\Lavasoft\Ad-Aware\Update\AAWWSC.exe
2009-05-27 20:02 . 2009-05-27 20:03 518488 ----a-w- c:\documents and settings\All Users\Datos de programa\Lavasoft\Ad-Aware\Update\AAWTray.exe
2009-05-27 20:02 . 2009-05-27 20:02 1005904 ----a-w- c:\documents and settings\All Users\Datos de programa\Lavasoft\Ad-Aware\Update\AAWService.exe
2009-05-27 19:51 . 2009-05-27 19:51 -------- d--h--w- c:\documents and settings\All Users\Datos de programa\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-05-27 19:51 . 2009-03-12 08:17 2902048 ----a-w- c:\documents and settings\All Users\Datos de programa\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}\Ad-AwareAE.exe
2009-05-27 19:51 . 2009-05-27 19:51 -------- d-----w- c:\documents and settings\All Users\Datos de programa\Lavasoft
2009-05-27 18:46 . 2009-05-27 18:46 -------- d-----w- c:\documents and settings\Administrador\Datos de programa\Lavasoft
2009-05-27 18:45 . 2009-05-27 18:45 -------- d-sh--w- c:\documents and settings\Administrador\IETldCache
2009-05-26 09:44 . 2009-05-26 09:44 -------- d-sh--w- c:\windows\system32\config\systemprofile\PrivacIE
2009-05-25 01:19 . 2009-05-25 01:19 -------- d-----w- c:\documents and settings\Usuario\Datos de programa\Apple Computer
2009-05-20 17:11 . 2009-05-20 17:11 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-05-18 05:19 . 2009-05-18 05:19 -------- d-sh--w- c:\documents and settings\Usuario\PrivacIE
2009-05-18 05:17 . 2009-05-18 05:17 -------- d-sh--w- c:\documents and settings\Usuario\IETldCache
2009-05-18 05:00 . 2009-05-18 05:00 -------- d--h--w- c:\windows\ie8
2009-05-18 04:58 . 2009-05-18 04:58 -------- d--h--w- c:\windows\msdownld.tmp
2009-05-17 08:46 . 2009-05-17 08:46 -------- d-----w- C:\program Files
2009-05-16 22:31 . 2009-05-16 22:31 -------- d-----w- c:\documents and settings\Usuario\Tracing
2009-05-16 22:22 . 2009-05-16 22:22 -------- d-----w- c:\archivos de programa\Archivos comunes\Windows Live
2009-05-06 14:31 . 2009-05-06 14:31 -------- d-----w- c:\documents and settings\All Users\Datos de programa\Adobe Systems
2009-05-06 14:30 . 2009-05-07 12:50 85728 ----a-w- c:\windows\system32\2062c6b9-9015-34e4-2f08-63dae0dcf2d0.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-30 02:00 . 2001-08-24 15:00 66780 ----a-w- c:\windows\system32\perfc00A.dat
2009-05-30 02:00 . 2001-08-24 15:00 390786 ----a-w- c:\windows\system32\perfh00A.dat
2009-03-08 07:34 . 2004-08-19 21:42 914944 ----a-w- c:\windows\system32\wininet.dll
2009-03-08 07:34 . 2004-08-19 21:42 43008 ----a-w- c:\windows\system32\licmgr10.dll
2009-03-08 07:33 . 2004-08-19 21:41 18944 ----a-w- c:\windows\system32\corpol.dll
2009-03-08 07:33 . 2004-08-19 21:42 420352 ----a-w- c:\windows\system32\vbscript.dll
2009-03-08 07:32 . 2004-08-19 21:41 72704 ----a-w- c:\windows\system32\admparse.dll
2009-03-08 07:32 . 2004-08-19 21:42 71680 ----a-w- c:\windows\system32\iesetup.dll
2009-03-08 07:31 . 2004-08-19 21:42 34816 ----a-w- c:\windows\system32\imgutil.dll
2009-03-08 07:31 . 2004-08-19 21:39 48128 ----a-w- c:\windows\system32\mshtmler.dll
2009-03-08 07:31 . 2004-08-19 21:42 45568 ----a-w- c:\windows\system32\mshta.exe
2009-03-08 07:22 . 2001-08-24 15:00 156160 ----a-w- c:\windows\system32\msls31.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-05-31_23.24.38 )))))))))))))))))))))))))))))))))))))))))
.
+ 2004-05-31 08:49 . 2004-05-31 08:49 99840 c:\windows\system32\spool\drivers\w32x86\3\E_S4I4V1.EXE
- 2004-05-31 08:49 . 2004-03-22 15:00 99840 c:\windows\system32\spool\drivers\w32x86\3\E_S4I4V1.EXE
+ 2006-08-20 17:12 . 2004-06-10 14:54 286720 c:\windows\vsnpstd2.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-19 15360]
"SpybotSD TeaTimer"="c:\archivos de programa\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"EPSON Stylus CX1500 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_S4I4V1.EXE" [2004-05-31 99840]
"EPSON Stylus CX1500 Series (Copiar 1)"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_S4I4V1.EXE" [2004-05-31 99840]
"SunJavaUpdateSched"="c:\archivos de programa\Java\jre6\bin\jusched.exe" [2008-12-04 136600]
"QuickTime Task"="c:\archivos de programa\QuickTime\qttask.exe" [2009-01-05 413696]
"MSConfig"="c:\windows\pchealth\helpctr\Binaries\MSCONFIG.EXE" [2004-08-19 159744]
"EW Message Server"="msg32.exe" - c:\windows\system32\msg32.exe [2005-06-17 45056]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-19 15360]

c:\documents and settings\Usuario\Men£ Inicio\Programas\Inicio\
ERUNT AutoBackup.lnk - c:\archivos de programa\ERUNT\AUTOBACK.EXE [2005-10-20 38912]

c:\documents and settings\All Users\Men£ Inicio\Programas\Inicio\
Adobe Gamma Loader.lnk.disabled [2007-3-11 1921]
Microsoft Office.lnk - c:\archivos de programa\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-02-02 11:13 10520 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WgaLogon]
[BU]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\cssdll32.dll

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32
"midi"= gmidi.dll
"wave1"= serwvdrv.dll
"wave3"= serwvdrv.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"MSMSGS"="c:\archivos de programa\Messenger\msmsgs.exe" /background
"CTFMON.EXE"=c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"ccApp"="c:\archivos de programa\Archivos comunes\Symantec Shared\ccApp.exe"
"EPSON Stylus CX1500 Series (Copiar 1)"=c:\windows\System32\spool\DRIVERS\W32X86\3\E_S4I4V1.EXE /P37 "EPSON Stylus CX1500 Series (Copiar 1)" /O6 "USB002" /M "Stylus CX1500"
"EPSON Stylus CX1500 Series"=c:\windows\System32\spool\DRIVERS\W32X86\3\E_S4I4V1.EXE /P26 "EPSON Stylus CX1500 Series" /O6 "USB001" /M "Stylus CX1500"
"GhostStartTrayApp"=c:\archivos de programa\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
"Zone Labs Client"="c:\archivos de programa\Zone Labs\ZoneAlarm\zlclient.exe"
"Symantec NetDriver Monitor"=c:\archiv~1\SYMNET~1\SNDMon.exe
"QuickTime Task"="c:\archivos de programa\QuickTime\qttask.exe" -atboottime
"SunJavaUpdateSched"="c:\archivos de programa\Java\jre1.6.0_02\bin\jusched.exe"
"SNPSTD2"=c:\windows\vsnpstd2.exe
"Lexmark_X79-55"=c:\windows\system32\lsasss.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Archivos de programa\\Ares\\Ares.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Archivos de programa\\NetMeeting\\conf.exe"=
"c:\\WINDOWS\\PCHEALTH\\HELPCTR\\BINARIES\\HelpCtr.exe"=
"c:\\Archivos de programa\\Messenger\\MSMSGS.EXE"=
"c:\\WINDOWS\\System32\\ftp.exe"=
"c:\\mIRC\\mirc.exe"=
"c:\\Archivos de programa\\MSN Messenger\\msnmsgr.exe"=
"c:\\Archivos de programa\\MSN Messenger\\livecall.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [27/05/2009 05:05 p.m. 64160]
S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\Drivers\avgldx86.sys --> c:\windows\system32\Drivers\avgldx86.sys [?]
S1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\Drivers\avgtdix.sys --> c:\windows\system32\Drivers\avgtdix.sys [?]
S1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdguard.sys [29/05/2009 07:57 p.m. 132640]
S1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [29/05/2009 07:57 p.m. 24096]
S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\archivos de programa\Avira\AntiVir Desktop\sched.exe [29/05/2009 07:18 p.m. 108289]
S2 avg8emc;AVG Free8 E-mail Scanner;c:\archiv~1\AVG\AVG8\avgemc.exe --> c:\archiv~1\AVG\AVG8\avgemc.exe [?]
S2 avg8wd;AVG Free8 WatchDog;c:\archiv~1\AVG\AVG8\avgwdsvc.exe --> c:\archiv~1\AVG\AVG8\avgwdsvc.exe [?]
S3 epflt15;epflt15;c:\windows\system32\DRIVERS\epflt15.SYS --> c:\windows\system32\DRIVERS\epflt15.SYS [?]
S3 EWAVE;EWAVE;c:\windows\system32\drivers\ew.sys [30/08/2007 08:54 p.m. 1706784]
S3 FILESPY;FILESPY;c:\windows\system32\drivers\FileSpy.sys [30/08/2007 08:54 p.m. 26992]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\archivos de programa\Lavasoft\Ad-Aware\AAWService.exe [09/03/2009 04:06 p.m. 1005904]
S3 NMUSB;NMUSB;c:\windows\system32\drivers\nmusb.sys [16/05/2006 08:22 p.m. 23520]
S3 NSTATION;NSTATION;c:\windows\system32\drivers\NSTATION.sys [30/08/2007 08:54 p.m. 18912]
.
Contents of the 'Scheduled Tasks' folder

2009-05-29 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\archivos de programa\Apple Software Update\SoftwareUpdate.exe [2008-07-30 15:34]

2009-05-16 c:\windows\Tasks\Spybot - Search & Destroy - Scheduled Task.job
- c:\archivos de programa\Spybot - Search & Destroy\SpybotSD.exe [2007-05-25 18:31]

2009-05-27 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\archivos de programa\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 20:03]
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-AWMON - c:\archiv~1\LAVASOFT\AD-AWA~1\Ad-Watch.exe
HKU-Default-Run-ALUAlert - c:\archivos de programa\Symantec\LiveUpdate\ALUNotify.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.pagina12.com.ar/
uInternet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch
FF - ProfilePath - c:\documents and settings\Usuario\Datos de programa\Mozilla\Firefox\Profiles\8wxzlq4z.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www7.yoog.com/search.php?q=
FF - prefs.js: browser.search.selectedEngine - Yoog Search
FF - prefs.js: browser.startup.homepage - hxxp://www.pagina12.com.ar/
FF - prefs.js: keyword.URL - hxxp://www7.yoog.com/search.php?q=
FF - plugin: c:\archivos de programa\QuickTime\Plugins\npqtplugin8.dll

---- FIREFOX POLICIES ----
FF - user.js: google.toolbar.linkdoctor.enabled - false
FF - user.js: browser.search.defaultenginename - Yoog Search
FF - user.js: browser.search.defaulturl - hxxp://www7.yoog.com/search.php?q=
FF - user.js: browser.search.selectedEngine - Yoog Search
FF - user.js: keyword.URL - hxxp://www7.yoog.com/search.php?q=
FF - user.js: keyword.enabled - true
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-31 23:26
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\Ø•€|ÿÿÿÿ•€|ù•9~*]
"5E7CEC10DF0760D4F8DAFB12FDC06CCD"="02:\\Software\\Adobe\\FeatureSubscriptions\\DVAAdobeDocMeta\\{01CEC7E5-70FD-4D06-8FAD-BF21DF0CC6DC}\\Registered"
"AB141C35E9F4BF344B9FC010BB17F68A"=""
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(272)
c:\windows\system32\l3codecx.acm
c:\windows\system32\vorbis.acm

- - - - - - - > 'explorer.exe'(1680)
c:\windows\system32\ieframe.dll
.
Completion time: 2009-06-01 23:28
ComboFix-quarantined-files.txt 2009-06-01 02:28
ComboFix2.txt 2009-05-31 23:27

Pre-Run: 41.171.124.224 bytes libres
Post-Run: 41.146.974.208 bytes libres

Current=2 Default=2 Failed=1 LastKnownGood=3 Sets=,1,2,3,4,5,6,7,8,9
233 --- E O F --- 2009-01-27 23:15





3) The HJT result:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:54:27 p.m., on 31/05/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Archivos de programa\COMODO\COMODO Internet Security\cmdagent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Archivos de programa\Avira\AntiVir Desktop\sched.exe
C:\Archivos de programa\Avira\AntiVir Desktop\avguard.exe
C:\WINDOWS\system32\msg32.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I4V1.EXE
C:\Archivos de programa\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Archivos de programa\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\crypserv.exe
C:\Archivos de programa\Java\jre6\bin\jqs.exe
C:\Archivos de programa\Archivos comunes\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Archivos de programa\Mozilla Firefox\firefox.exe
C:\Archivos de programa\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.pagina12.com.ar/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\ARCHIV~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Archivos de programa\Java\jre6\bin\ssv.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Archivos de programa\Norton SystemWorks\Norton Antivirus\NavShExt.dll (file missing)
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Archivos de programa\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Archivos de programa\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [EW Message Server] msg32.exe
O4 - HKLM\..\Run: [EPSON Stylus CX1500 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I4V1.EXE /P26 "EPSON Stylus CX1500 Series" /O5 "LPT1:" /M "Stylus CX1500"
O4 - HKLM\..\Run: [EPSON Stylus CX1500 Series (Copiar 1)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I4V1.EXE /P37 "EPSON Stylus CX1500 Series (Copiar 1)" /O6 "USB001" /M "Stylus CX1500"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Archivos de programa\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Archivos de programa\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Archivos de programa\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICIO LOCAL')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: ERUNT AutoBackup.lnk = C:\Archivos de programa\ERUNT\AUTOBACK.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk.disabled
O4 - Global Startup: Microsoft Office.lnk = C:\Archivos de programa\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre6\bin\jp2iexp.dll
O9 - Extra 'Tools' menuitem: Consola de Sun Java - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre6\bin\jp2iexp.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\ARCHIV~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\ARCHIV~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O16 - DPF: {8436FE12-31DB-48BF-83BF-FE682F9160B4} -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O20 - AppInit_DLLs: C:\WINDOWS\system32\cssdll32.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Archivos de programa\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Archivos de programa\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Archivos de programa\Ares\chatServer.exe
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing)
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - Unknown owner - C:\ARCHIV~1\AVG\AVG8\avgemc.exe (file missing)
O23 - Service: AVG Free8 WatchDog (avg8wd) - Unknown owner - C:\ARCHIV~1\AVG\AVG8\avgwdsvc.exe (file missing)
O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - Unknown owner - C:\Archivos de programa\COMODO\COMODO Internet Security\cmdagent.exe
O23 - Service: Crypkey License - CrypKey (Canada) Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Archivos de programa\Archivos comunes\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Archivos de programa\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Archivos de programa\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: Servicio Auto-Protect de Norton AntiVirus (navapsvc) - Unknown owner - C:\Archivos de programa\Norton SystemWorks\Norton Antivirus\navapsvc.exe (file missing)
O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Unknown owner - C:\Archivos de programa\Archivos comunes\Symantec Shared\SNDSrvc.exe (file missing)
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe (file missing)

--
End of file - 7052 bytes
 
You never uninstall a program by just deleting the folder, you need to uninstall it via the Add Remove Programs in the Control Panel.

Symantec has a removal tool for uninstalling there product due to a bad install or uninstall.
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2005033108162039




Open Hijackthis
  • Go to Misc Tools> Open Uninstall Manager.
  • Click on Save List.
  • The list will open in Notepad.
  • Copy and Paste the List into this thread
 
Actualización de seguridad para el Reproductor de Windows Media (KB911564)
Actualización de seguridad para el Reproductor de Windows Media 11 (KB936782)
Actualización de seguridad para el Reproductor de Windows Media 11 (KB954154)
Actualización de seguridad para el Reproductor de Windows Media 6.4 (KB925398)
Actualización de seguridad para el Reproductor de Windows Media 9 (KB917734)
Actualización de seguridad para el Reproductor de Windows Media 9 (KB936782)
Actualización de seguridad para Windows Internet Explorer 7 (KB938127)
Actualización de seguridad para Windows Internet Explorer 7 (KB953838)
Actualización de seguridad para Windows Internet Explorer 7 (KB956390)
Actualización de seguridad para Windows XP (KB890046)
Actualización de seguridad para Windows XP (KB893756)
Actualización de seguridad para Windows XP (KB896358)
Actualización de seguridad para Windows XP (KB896423)
Actualización de seguridad para Windows XP (KB896428)
Actualización de seguridad para Windows XP (KB899587)
Actualización de seguridad para Windows XP (KB899591)
Actualización de seguridad para Windows XP (KB900725)
Actualización de seguridad para Windows XP (KB901017)
Actualización de seguridad para Windows XP (KB901214)
Actualización de seguridad para Windows XP (KB902400)
Actualización de seguridad para Windows XP (KB904706)
Actualización de seguridad para Windows XP (KB905414)
Actualización de seguridad para Windows XP (KB905749)
Actualización de seguridad para Windows XP (KB908519)
Actualización de seguridad para Windows XP (KB911562)
Actualización de seguridad para Windows XP (KB911927)
Actualización de seguridad para Windows XP (KB913580)
Actualización de seguridad para Windows XP (KB914388)
Actualización de seguridad para Windows XP (KB914389)
Actualización de seguridad para Windows XP (KB917344)
Actualización de seguridad para Windows XP (KB917422)
Actualización de seguridad para Windows XP (KB917953)
Actualización de seguridad para Windows XP (KB918118)
Actualización de seguridad para Windows XP (KB918439)
Actualización de seguridad para Windows XP (KB919007)
Actualización de seguridad para Windows XP (KB920213)
Actualización de seguridad para Windows XP (KB920670)
Actualización de seguridad para Windows XP (KB920683)
Actualización de seguridad para Windows XP (KB920685)
Actualización de seguridad para Windows XP (KB921503)
Actualización de seguridad para Windows XP (KB922819)
Actualización de seguridad para Windows XP (KB923191)
Actualización de seguridad para Windows XP (KB923414)
Actualización de seguridad para Windows XP (KB923689)
Actualización de seguridad para Windows XP (KB923694)
Actualización de seguridad para Windows XP (KB923980)
Actualización de seguridad para Windows XP (KB924191)
Actualización de seguridad para Windows XP (KB924270)
Actualización de seguridad para Windows XP (KB924667)
Actualización de seguridad para Windows XP (KB925902)
Actualización de seguridad para Windows XP (KB926255)
Actualización de seguridad para Windows XP (KB926436)
Actualización de seguridad para Windows XP (KB927779)
Actualización de seguridad para Windows XP (KB927802)
Actualización de seguridad para Windows XP (KB928255)
Actualización de seguridad para Windows XP (KB928843)
Actualización de seguridad para Windows XP (KB929123)
Actualización de seguridad para Windows XP (KB929969)
Actualización de seguridad para Windows XP (KB930178)
Actualización de seguridad para Windows XP (KB931261)
Actualización de seguridad para Windows XP (KB931768)
Actualización de seguridad para Windows XP (KB931784)
Actualización de seguridad para Windows XP (KB932168)
Actualización de seguridad para Windows XP (KB933566)
Actualización de seguridad para Windows XP (KB933729)
Actualización de seguridad para Windows XP (KB935839)
Actualización de seguridad para Windows XP (KB935840)
Actualización de seguridad para Windows XP (KB936021)
Actualización de seguridad para Windows XP (KB937894)
Actualización de seguridad para Windows XP (KB938127)
Actualización de seguridad para Windows XP (KB938464)
Actualización de seguridad para Windows XP (KB938829)
Actualización de seguridad para Windows XP (KB939653)
Actualización de seguridad para Windows XP (KB941202)
Actualización de seguridad para Windows XP (KB941568)
Actualización de seguridad para Windows XP (KB941569)
Actualización de seguridad para Windows XP (KB941644)
Actualización de seguridad para Windows XP (KB941693)
Actualización de seguridad para Windows XP (KB943055)
Actualización de seguridad para Windows XP (KB943460)
Actualización de seguridad para Windows XP (KB943485)
Actualización de seguridad para Windows XP (KB944338)
Actualización de seguridad para Windows XP (KB944653)
Actualización de seguridad para Windows XP (KB945553)
Actualización de seguridad para Windows XP (KB946026)
Actualización de seguridad para Windows XP (KB946648)
Actualización de seguridad para Windows XP (KB947864)
Actualización de seguridad para Windows XP (KB948590)
Actualización de seguridad para Windows XP (KB948881)
Actualización de seguridad para Windows XP (KB950749)
Actualización de seguridad para Windows XP (KB950762)
Actualización de seguridad para Windows XP (KB950974)
Actualización de seguridad para Windows XP (KB951066)
Actualización de seguridad para Windows XP (KB951376-v2)
Actualización de seguridad para Windows XP (KB951698)
Actualización de seguridad para Windows XP (KB951748)
Actualización de seguridad para Windows XP (KB952954)
Actualización de seguridad para Windows XP (KB953839)
Actualización de seguridad para Windows XP (KB954211)
Actualización de seguridad para Windows XP (KB956391)
Actualización de seguridad para Windows XP (KB956803)
Actualización de seguridad para Windows XP (KB956841)
Actualización de seguridad para Windows XP (KB957095)
Actualización de seguridad para Windows XP (KB958644)
Actualización para Windows XP (KB894391)
Actualización para Windows XP (KB898461)
Actualización para Windows XP (KB900485)
Actualización para Windows XP (KB908531)
Actualización para Windows XP (KB910437)
Actualización para Windows XP (KB911280)
Actualización para Windows XP (KB916595)
Actualización para Windows XP (KB920872)
Actualización para Windows XP (KB922582)
Actualización para Windows XP (KB927891)
Actualización para Windows XP (KB930916)
Actualización para Windows XP (KB931836)
Actualización para Windows XP (KB932823-v3)
Actualización para Windows XP (KB933360)
Actualización para Windows XP (KB938828)
Actualización para Windows XP (KB942763)
Actualización para Windows XP (KB942840)
Actualización para Windows XP (KB951072-v2)
Ad-Aware
Ad-Aware
Adobe Acrobat 4.0
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Photoshop CS
Apple Software Update
Ares 2.0.9
ASIO4ALL
Avira AntiVir Personal - Free Antivirus
BookDB2
Collab
COMODO Internet Security
COMODO SafeSurf
Compresor WinRAR
Contextual Tool Precisead
Crystal Player Professional 1.98
CutePDF Writer 2.7
DivX Codec
DivX Plus DirectShow Filters
Easy CD & DVD Creator 6
English Pronouncing Dictionary
EPSON Printer Software
EPSON Scan Tool Light 1.0
ERUNT 1.1j
FL Studio 7
Google Gmail Notifier
Herramienta de carga de Windows Live
HijackThis 2.0.2
Hotfix for Windows XP (KB915865)
Hotfix for Windows XP (KB926239)
IL Download Manager
Java(TM) 6 Update 10
Messenger Plus! Live
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office XP Professional con FrontPage
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Windows Journal Viewer
mIRC
Mozilla Firefox (3.0.10)
NetoDragon 56K Voice Modem
NVIDIA Drivers
Opera 9.62
QuickTime
Revisión de Windows XP - KB873339
Revisión de Windows XP - KB885835
Revisión de Windows XP - KB885836
Revisión de Windows XP - KB885884
Revisión de Windows XP - KB886185
Revisión de Windows XP - KB887472
Revisión de Windows XP - KB888302
Revisión de Windows XP - KB890859
Revisión de Windows XP - KB891781
Revisión para el Reproductor de Windows Media 11 (KB939683)
Revisión para Windows XP (KB952287)
SoulSeek Client 156c
Spybot - Search & Destroy
SpywareBlaster 4.2
VC80CRTRedist - 8.0.50727.762
VideoCAM Look
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
Winamp (remove only)
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows Internet Explorer 8
Windows Live Messenger
WinZip
 
Hi,

Did you run the Norton Removal Tool ?

Avira AntiVir Personal - Free Antivirus <-- You should be able to uninstall this one via the Add Remove Programs.

Do both things and then post a new HJT log
 
Yes, I already run the Norton application. But Avira is the antivirus I want to keep, the one I want to uninstall is AVG Free, but I eliminated most part of it stupidly without uninstalling it -long time ago, I was even more ignorant than now-
 
I stand with you in the middle of the storm, don't leave me alone with these malware (?).
How do I uninstall AVG?
And what do we do next to eliminate the rest of the malware?
Avira made an automatic analysis of the system and found and eliminated 8 malware!
What antivirus + firewall + antispyware do you recommend?

The HJT result:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 07:24:26 p.m., on 01/06/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Archivos de programa\COMODO\COMODO Internet Security\cmdagent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Archivos de programa\Avira\AntiVir Desktop\sched.exe
C:\Archivos de programa\Avira\AntiVir Desktop\avguard.exe
C:\WINDOWS\system32\crypserv.exe
C:\Archivos de programa\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\msg32.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I4V1.EXE
C:\Archivos de programa\Archivos comunes\Microsoft Shared\VS7Debug\mdm.exe
C:\Archivos de programa\Java\jre6\bin\jusched.exe
C:\Archivos de programa\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Archivos de programa\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\svchost.exe
C:\Archivos de programa\Opera\opera.exe
C:\WINDOWS\system32\SNDVOL32.EXE
C:\WINDOWS\system32\SNDVOL32.EXE
C:\WINDOWS\system32\SNDVOL32.EXE
C:\WINDOWS\system32\SNDVOL32.EXE
C:\WINDOWS\system32\SNDVOL32.EXE
C:\WINDOWS\system32\SNDVOL32.EXE
C:\WINDOWS\system32\SNDVOL32.EXE
C:\WINDOWS\system32\SNDVOL32.EXE
C:\WINDOWS\system32\SNDVOL32.EXE
C:\WINDOWS\system32\SNDVOL32.EXE
C:\WINDOWS\system32\SNDVOL32.EXE
C:\WINDOWS\system32\SNDVOL32.EXE
C:\WINDOWS\system32\SNDVOL32.EXE
C:\WINDOWS\system32\SNDVOL32.EXE
C:\WINDOWS\system32\SNDVOL32.EXE
C:\WINDOWS\system32\SNDVOL32.EXE
C:\WINDOWS\system32\SNDVOL32.EXE
C:\WINDOWS\system32\SNDVOL32.EXE
C:\WINDOWS\system32\SNDVOL32.EXE
C:\WINDOWS\system32\SNDVOL32.EXE
C:\WINDOWS\system32\SNDVOL32.EXE
C:\WINDOWS\system32\SNDVOL32.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Archivos de programa\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\notepad.exe
C:\Archivos de programa\COMODO\COMODO Internet Security\cfp.exe
C:\Archivos de programa\Lavasoft\Ad-Aware\AAWService.exe
C:\Archivos de programa\Lavasoft\Ad-Aware\AAWTray.exe
C:\WINDOWS\system32\SNDVOL32.EXE
C:\Archivos de programa\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.pagina12.com.ar/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\ARCHIV~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Archivos de programa\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Archivos de programa\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Archivos de programa\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [EW Message Server] msg32.exe
O4 - HKLM\..\Run: [EPSON Stylus CX1500 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I4V1.EXE /P26 "EPSON Stylus CX1500 Series" /O5 "LPT1:" /M "Stylus CX1500"
O4 - HKLM\..\Run: [EPSON Stylus CX1500 Series (Copiar 1)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I4V1.EXE /P37 "EPSON Stylus CX1500 Series (Copiar 1)" /O6 "USB001" /M "Stylus CX1500"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Archivos de programa\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Archivos de programa\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Archivos de programa\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICIO LOCAL')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: ERUNT AutoBackup.lnk = C:\Archivos de programa\ERUNT\AUTOBACK.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk.disabled
O4 - Global Startup: Microsoft Office.lnk = C:\Archivos de programa\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre6\bin\jp2iexp.dll
O9 - Extra 'Tools' menuitem: Consola de Sun Java - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre6\bin\jp2iexp.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\ARCHIV~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\ARCHIV~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O16 - DPF: {8436FE12-31DB-48BF-83BF-FE682F9160B4} -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O20 - AppInit_DLLs: C:\WINDOWS\system32\cssdll32.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Archivos de programa\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Archivos de programa\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Archivos de programa\Ares\chatServer.exe
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing)
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - Unknown owner - C:\ARCHIV~1\AVG\AVG8\avgemc.exe (file missing)
O23 - Service: AVG Free8 WatchDog (avg8wd) - Unknown owner - C:\ARCHIV~1\AVG\AVG8\avgwdsvc.exe (file missing)
O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - Unknown owner - C:\Archivos de programa\COMODO\COMODO Internet Security\cmdagent.exe
O23 - Service: Crypkey License - CrypKey (Canada) Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Archivos de programa\Archivos comunes\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Archivos de programa\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Archivos de programa\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe (file missing)

--
End of file - 7648 bytes
 
When you say Avira removed 8 malware, your not telling me anything, what did it remove, where they files, tracking cookies ????

Your HJT log is clean, no malware on it.

Remove these with HJT
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - Unknown owner - C:\ARCHIV~1\AVG\AVG8\avgemc.exe (file missing)
O23 - Service: AVG Free8 WatchDog (avg8wd) - Unknown owner - C:\ARCHIV~1\AVG\AVG8\avgwdsvc.exe (file missing)



Please copy (Ctrl+C) and paste (Ctrl+V) the following text in the quote to Notepad.
Save it to your desktop, make sure the file type is All Files and name it FixServices.bat

sc config avg8emc start= disabled
sc stop avg8emc
sc delete avg8emc
sc config avg8wd start= disabled
sc stop avg8wd
sc delete avg8wd
Click to expand...

Double click FixServices.bat. A window will open and close. This is normal.


Delete this folder
C:\ARCHIV~1\AVG



Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.<-- Don't forget this
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and Paste the entire report in your next reply along with a New Hijackthis log.
 
Status
Not open for further replies.
Back
Top