Old 06-24-2008, 03:32 PM   #1 (permalink)
Registered User
 
Join Date: Jun 2008
Posts: 12
OS: XP


Constant pop ups alerts

I have Windows XP with Explorer and Mozilla. I use AVG 7.5 and update it often. I use the Windows firewall (now I know that is not good enough). I try to stick to clean websites, but I was surfing and suddenly all my programs went off and the computer went off. When I turned it on again it showed an alert (on the right side of the taskbar) that Windows had detected spyware on my computer. I imagined that it was a virus and unplugged the modem, but accidentally clicked on the alert. Right now I'm connected, hoping to solve the problem with you. The alert spelled the word 'prevent' wrongly (it said 'pervent'); maybe that helps.

Here is the main log:

Deckard's System Scanner v20071014.68
Run by Principal on 2008-06-25 00:41:15
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
35: 2008-06-25 03:41:41 UTC - RP303 - Deckard's System Scanner Restore Point
34: 2008-06-25 03:08:29 UTC - RP302 - Software Distribution Service 3.0
33: 2008-06-24 22:24:16 UTC - RP301 - Removed MSN Messenger 7.5
32: 2008-06-23 23:00:46 UTC - RP300 - System Checkpoint
31: 2008-06-22 03:31:50 UTC - RP299 - System Checkpoint


-- First Restore Point --
1: 2008-03-28 15:08:52 UTC - RP269 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.

System Drive C: has 0.89 GiB (less than 15%) free.


-- HijackThis Clone ------------------------------------------------------------


Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-06-25 00:44:49
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\explorer.exe
C:\Archivos de programa\Grisoft\AVG Free\avgupsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Archivos de programa\Archivos comunes\LightScribe\LSSrvc.exe
C:\Archivos de programa\Archivos comunes\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\Archivos de programa\Java\jre1.6.0_01\bin\jusched.exe
C:\Archivos de programa\Winamp\winampa.exe
C:\Archivos de programa\QuickTime\qttask.exe
C:\Archivos de programa\iTunes\iTunesHelper.exe
C:\Archivos de programa\HP\HP Software Update\hpwuSchd2.exe
C:\WINDOWS\system32\braviax.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Archivos de programa\Skype\Phone\Skype.exe
C:\Archivos de programa\VoipDiscount.com\VoipDiscount\VoipDiscount.exe
C:\Archivos de programa\HP\Digital Imaging\bin\hpqtra08.exe
C:\Archivos de programa\palmOne\HOTSYNC.EXE
C:\Archivos de programa\iPod\bin\iPodService.exe
C:\Archivos de programa\HP\Digital Imaging\bin\hpqste08.exe
C:\Archivos de programa\Skype\Plugin Manager\skypePM.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\Archivos de programa\Grisoft\AVG Free\avgamsvr.exe
C:\Archivos de programa\Grisoft\AVG Free\avgemc.exe
C:\Archivos de programa\Grisoft\AVG Free\avgcc.exe
C:\Documents and Settings\Principal\Mis documentos\Lionel\Software\dss.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = iexplore
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com/ie
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/...ch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O4 - HKLM\..\Run: [AVG7_CC] C:\ARCHIV~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Archivos de programa\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [WinampAgent] C:\Archivos de programa\Winamp\winampa.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Archivos de programa\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Archivos de programa\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [CorelDRAW Graphics Suite 11b] C:\Archivos de programa\Corel\Corel Graphics 12\Languages\ES\Programs\Registration.exe /title="CorelDRAW Graphics Suite 12" /date=071908 serial=DR12WEX-1504397-KTY lang=ES
O4 - HKLM\..\Run: [HP Software Update] C:\Archivos de programa\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [braviax] C:\WINDOWS\system32\braviax.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Archivos de programa\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ares] "C:\Archivos de programa\Ares\Ares.exe" -h
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [amva] C:\WINDOWS\system32\amvo.exe
O4 - HKCU\..\Run: [Skype] "C:\Archivos de programa\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [VoipDiscount] "C:\Archivos de programa\VoipDiscount.com\VoipDiscount\VoipDiscount.exe" -nosplash -minimized
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\ARCHIV~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\ARCHIV~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\ARCHIV~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [braviax] C:\WINDOWS\system32\braviax.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\ARCHIV~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [braviax] C:\WINDOWS\system32\braviax.exe (User 'Default user')
O4 - Startup: HotSync Manager.lnk = ?
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Archivos de programa\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Archivos de programa\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\ARCHIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Consola de Sun Java - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Portafolios de HP - {58ECB495-38F0-49cb-A538-10282ABF65E7} - C:\Archivos de programa\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: Selección inteligente de HP - {700259D7-1666-479a-93B1-3250410481E8} - C:\Archivos de programa\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/actives.../as2stubie.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Archivos de programa\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1214362933277
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/get...nt/swflash.cab
O17 - HKLM\SYSTEM\CCS\Services\Tcpip\..\{84D2332D-C12F-422F-B367-DE36AD5D6DC3}: NameServer = 212.143.212.143 194.90.1.5
O18 - Protocol: ms-help - {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Archivos de programa\Archivos comunes\Microsoft Shared\Help\hxds.dll
O18 - Protocol: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Archivos de programa\Archivos comunes\Microsoft Shared\Information Retrieval\msitss.dll
O18 - Protocol: mso-offdap - {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Archivos de programa\Archivos comunes\Microsoft Shared\Web Components\10\OWC10.DLL
O18 - Protocol: mso-offdap11 - {32505114-5902-49B2-880A-1F7738E5A384} - C:\Archivos de programa\Archivos comunes\Microsoft Shared\Web Components\11\OWC11.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Archivos de programa\Archivos comunes\Skype\Skype4COM.dll
O18 - Filter: text/xml - {807553E5-5146-11D5-A672-00B0D022E945} - C:\Archivos de programa\Archivos comunes\Microsoft Shared\OFFICE11\MSOXMLMF.DLL
O23 - Service: Microsoft ASPI Manager (aspimgr) - Unknown owner - C:\WINDOWS\system32\aspimgr.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\Archivos de programa\Grisoft\AVG Free\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\Archivos de programa\Grisoft\AVG Free\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\Archivos de programa\Grisoft\AVG Free\avgemc.exe
O23 - Service: Servicio del iPod (iPod Service) - Apple Inc. - C:\Archivos de programa\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Archivos de programa\Archivos comunes\LightScribe\LSSrvc.exe
O23 - Service: Visual Studio Analyzer RPC bridge - Unknown owner - C:\Archivos de programa\Microsoft Visual Studio


--
End of file - 9548 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

S3 EverestDriver (Lavalys EVEREST Kernel Driver) - d:\everest\kerneld.wnt (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

S2 aspimgr (Microsoft ASPI Manager) - c:\windows\system32\aspimgr.exe (file missing)


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Files created between 2008-05-25 and 2008-06-25 -----------------------------

2008-07-03 12:26:46 0 d-------- C:\Archivos de programa\palmOne
2008-07-02 23:03:07 8704 --a------ C:\WINDOWS\pretbias64.bin <Not Verified; Waitech; Cracker>
2008-06-25 00:09:10 0 d-------- C:\WINDOWS\system32\PreInstall
2008-06-25 00:09:07 0 d--h----- C:\WINDOWS\$hf_mig$
2008-06-25 00:03:24 0 d-------- C:\WINDOWS\system32\SoftwareDistribution
2008-06-24 23:44:47 0 d-------- C:\agnis-sites
2008-06-24 23:37:15 0 d-------- C:\Archivos de programa\SpywareBlaster
2008-06-24 19:59:27 0 d-------- C:\Archivos de programa\Panda Security
2008-06-24 19:59:25 0 d-------- C:\WINDOWS\LastGood
2008-06-22 23:04:48 114 --a------ C:\WINDOWS\system32\delself.bat
2008-06-22 23:04:47 6656 --a------ C:\WINDOWS\system32\braviax.exe
2008-06-18 22:45:42 0 d-------- C:\Archivos de programa\Mission Research
2008-06-18 22:44:06 0 d-------- C:\WINDOWS\Downloaded Installations
2008-06-04 22:30:37 0 d-------- C:\Archivos de programa\Audacity
2008-06-03 23:05:27 0 d-------- C:\Archivos de programa\NCH Software
2008-06-03 23:04:06 0 d-------- C:\Archivos de programa\NCH Swift Sound
2008-06-01 22:13:01 0 d-------- C:\Archivos de programa\VoipDiscount.com
2008-05-31 23:52:14 1188 --a------ C:\WINDOWS\mozver.dat
2008-05-31 23:40:03 56 --ah----- C:\WINDOWS\system32\ezsidmv.dat
2008-05-31 23:37:01 0 d-------- C:\Archivos de programa\Skype
2008-05-31 23:37:00 0 d-------- C:\Archivos de programa\Archivos comunes\Skype
2008-05-31 23:35:30 0 --a------ C:\WINDOWS\nsreg.dat
2008-05-28 22:17:36 98892 --a------ C:\WINDOWS\system32\drivers\PPPoEWin.sys
2008-05-28 22:17:35 98892 --a------ C:\WINDOWS\system32\PPPoEWin.sys
2008-05-28 22:17:35 11456 -r------- C:\WINDOWS\system32\PPPoENdi.dll <Not Verified; Microsoft Corporation; Microsoft® Windows(TM) Operating System>
2008-05-28 22:17:35 11456 -r------- C:\WINDOWS\system32\drivers\PPPoENdi.dll <Not Verified; Microsoft Corporation; Microsoft® Windows(TM) Operating System>
2008-05-28 22:17:28 0 d-------- C:\Archivos de programa\wow250
2008-05-25 23:59:00 16384 --a------ C:\WINDOWS\system32\Server.exe <Not Verified; Pppp; Server>


-- Find3M Report ---------------------------------------------------------------

2008-07-03 13:55:02 0 d-------- C:\Documents and Settings\Principal\Datos de programa\Arcsoft
2008-07-03 12:42:05 0 d-------- C:\Documents and Settings\Principal\Datos de programa\Leadertech
2008-06-25 00:31:54 0 d-------- C:\Documents and Settings\Principal\Datos de programa\Skype
2008-06-24 19:36:10 0 d--h----- C:\Archivos de programa\InstallShield Installation Information
2008-06-24 19:36:10 0 d-------- C:\Archivos de programa\CyberLink
2008-06-24 19:22:31 0 dr-h----- C:\Documents and Settings\Principal\Datos de programa\yahoo!
2008-06-24 19:22:04 0 d-------- C:\Archivos de programa\Yahoo!
2008-06-24 19:17:38 0 d-------- C:\Documents and Settings\Principal\Datos de programa\skypePM
2008-06-23 00:38:15 0 d-------- C:\Documents and Settings\Principal\Datos de programa\AVG7
2008-06-20 13:43:31 0 d-------- C:\Documents and Settings\Principal\Datos de programa\U3
2008-06-18 23:14:11 0 d-------- C:\Documents and Settings\Principal\Datos de programa\MissionResearch.GiftWorks.3
2008-06-12 20:48:27 0 d-------- C:\Documents and Settings\Principal\Datos de programa\AdobeUM
2008-06-11 12:57:13 0 d-------- C:\Documents and Settings\Principal\Datos de programa\Adobe
2008-06-03 23:21:25 0 d-------- C:\Documents and Settings\Principal\Datos de programa\NCH Swift Sound
2008-06-01 22:18:17 0 d-------- C:\Documents and Settings\Principal\Datos de programa\VoipDiscount
2008-05-31 23:37:00 0 d-------- C:\Archivos de programa\Archivos comunes
2008-05-31 23:35:22 0 d-------- C:\Documents and Settings\Principal\Datos de programa\Mozilla
2008-05-28 15:33:22 0 d-------- C:\Archivos de programa\Java
2008-05-28 13:38:10 0 d-------- C:\Archivos de programa\Incomplete
2008-05-28 13:36:49 0 d-------- C:\Archivos de programa\LimeWire
2008-05-22 22:28:41 0 d-------- C:\Documents and Settings\Principal\Datos de programa\HPAppData
2008-05-18 17:14:52 1536 --a------ C:\WINDOWS\system32\TrueSoft.dat


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_CC"="C:\ARCHIV~1\Grisoft\AVGFRE~1\avgcc.exe" [24/06/2008 11:11 p.m.]
"SunJavaUpdateSched"="C:\Archivos de programa\Java\jre1.6.0_01\bin\jusched.exe" [14/03/2007 03:43 a.m.]
"WinampAgent"="C:\Archivos de programa\Winamp\winampa.exe" [25/10/2006 02:37 a.m.]
"QuickTime Task"="C:\Archivos de programa\QuickTime\qttask.exe" [16/02/2007 10:54 a.m.]
"iTunesHelper"="C:\Archivos de programa\iTunes\iTunesHelper.exe" [14/03/2007 07:05 p.m.]
"CorelDRAW Graphics Suite 11b"="C:\Archivos de programa\Corel\Corel Graphics 12\Languages\ES\Programs\Registration.exe" [28/11/2003 01:52 a.m.]
"HP Software Update"="C:\Archivos de programa\HP\HP Software Update\HPWuSchd2.exe" [11/03/2007 09:34 p.m.]
"braviax"="C:\WINDOWS\system32\braviax.exe" [22/06/2008 11:04 p.m.]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="C:\Archivos de programa\MSN Messenger\MsnMsgr.exe" []
"ares"="C:\Archivos de programa\Ares\Ares.exe" []
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [19/08/2004 03:42 p.m.]
"amva"="C:\WINDOWS\system32\amvo.exe" []
"Skype"="C:\Archivos de programa\Skype\Phone\Skype.exe" [23/04/2008 05:45 p.m.]
"VoipDiscount"="C:\Archivos de programa\VoipDiscount.com\VoipDiscount\VoipDiscount.exe" [31/05/2007 04:22 p.m.]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"braviax"=C:\WINDOWS\system32\braviax.exe

C:\Documents and Settings\Principal\Menú Inicio\Programas\Inicio\
HotSync Manager.lnk - C:\Archivos de programa\palmOne\HOTSYNC.EXE [04/03/2004 05:25:28 p.m.]
PowerReg Scheduler.exe [03/07/2008 12:42:36 p.m.]

C:\Documents and Settings\All Users\Menú Inicio\Programas\Inicio\
Adobe Reader Speed Launch.lnk - C:\Archivos de programa\Adobe\Acrobat 7.0\Reader\reader_sl.exe [23/09/2005 10:05:26 p.m.]
HP Digital Imaging Monitor.lnk - C:\Archivos de programa\HP\Digital Imaging\bin\hpqtra08.exe [11/03/2007 09:26:24 p.m.]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIModeChange]
Ati2mdxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
C:\Archivos de programa\ATI Technologies\ATI Control Panel\atiptaxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCTVOICE]
pctspk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
"C:\Archivos de programa\CyberLink\PowerDVD\PDVDServ.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
hpdevmgmt hpqcxs08 hpqddsvc


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
AutoRun\command- D:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0791f144-8357-11dc-89df-00022d7cb7a4}]
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL copy.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{40d34df0-fb5a-11dc-8ab1-00022d7cb7a4}]
AutoRun\command- 3wcxx91.cmd
explore\Command- 3wcxx91.cmd
open\Command- 3wcxx91.cmd

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{95e04880-6c53-11dc-89b4-00022d7cb7a4}]
AutoRun\command- D:\3wcxx91.cmd
explore\Command- D:\3wcxx91.cmd
open\Command- D:\3wcxx91.cmd

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{99de17b0-8353-11dc-89de-00022d7cb7a4}]
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL copy.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9f6e8900-f1e5-11dc-8aa5-00022d7cb7a4}]
AutoRun\command- D:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9f6e8901-f1e5-11dc-8aa5-00022d7cb7a4}]
AutoRun\command- 3wcxx91.cmd
explore\Command- 3wcxx91.cmd
open\Command- 3wcxx91.cmd

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c1250f50-ae5f-11dc-8a33-00022d7cb7a4}]
AutoRun\command- F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d41fefd8-57dc-11dc-899b-00022d7cb7a4}]
AutoRun\command- 3wcxx91.cmd
explore\Command- 3wcxx91.cmd
open\Command- 3wcxx91.cmd

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d64ba050-a910-11dc-8a28-00022d7cb7a4}]
AutoRun\command- D:\3wcxx91.cmd
explore\Command- D:\3wcxx91.cmd
open\Command- D:\3wcxx91.cmd

*Newly Created Service* - RKPAVPROC



-- End of Deckard's System Scanner: finished at 2008-06-25 00:45:44 ------------
Attached file: extra.txt (14.3 KB)
lwajsberg is offline  
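A first triage pass over a log like the one above, as an added example that is not part of the original post or of the HijackThis/DSS tools: it pulls out the autostart entries, services, removable-drive AutoRun handlers and registry switches an analyst checks first. The sample lines are copied from this DSS log and from the ComboFix log later in the thread; the `KNOWN_SYSTEM32` allow-list, the severity labels and the rule thresholds are assumptions made for the demo, not facts the log states.

```python
"""Triage pass over a HijackThis / Deckard's System Scanner style log.

Added example for this thread, not code from the forum or from the tools it
names. The sample lines are copied from the logs posted in the thread; the
small system32 allow-list is an assumption made for the demo.
"""
import re

# Assumption: system32 programs that are expected to autostart on this XP box.
KNOWN_SYSTEM32 = {"ctfmon.exe", "ati2evxx.exe"}

# Constructed sample: lines taken from the DSS log and the later ComboFix log.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [AVG7_CC] C:\ARCHIV~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [braviax] C:\WINDOWS\system32\braviax.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [amva] C:\WINDOWS\system32\amvo.exe
O4 - HKUS\S-1-5-18\..\Run: [braviax] C:\WINDOWS\system32\braviax.exe (User 'SYSTEM')
O23 - Service: Microsoft ASPI Manager (aspimgr) - Unknown owner - C:\WINDOWS\system32\aspimgr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\Archivos de programa\Grisoft\AVG Free\avgupsvc.exe
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [19/08/2004 03:42 p.m.]
"amva"="C:\WINDOWS\system32\amvo.exe" []
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
AutoRun\command- D:\LaunchU3.exe -a
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{40d34df0-fb5a-11dc-8ab1-00022d7cb7a4}]
AutoRun\command- 3wcxx91.cmd
open\Command- 3wcxx91.cmd
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0791f144-8357-11dc-89df-00022d7cb7a4}]
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL copy.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"""

O4_RE = re.compile(r"^O4 - (?P<hive>\S+?)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
O23_RE = re.compile(r"^O23 - Service: (?P<svc>.+?) - (?P<owner>.+?) - (?P<cmd>.+)$")
MOUNT_RE = re.compile(r"^(?:AutoRun|open|explore)\\[Cc]ommand- (?P<cmd>.+)$")
RUN_DUMP_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]+)" \[\s*\]$')
REG_VAL_RE = re.compile(r'^"(?P<key>[^"]+)"=\s*(?:dword:)?(?P<val>[0-9a-fA-F]+)')
EXE_RE = re.compile(r'"?(?P<path>[A-Za-z]:\\[^"]*?\.exe)"?', re.IGNORECASE)


def _in_system32(path):
    return "\\windows\\system32\\" in path.lower()


def triage(log_text):
    """Return (severity, line, reason) tuples for the entries worth a closer look."""
    findings = []
    section = ""  # registry key the current dump line belongs to
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[HK"):
            section = line.lower()
            continue

        m = O4_RE.match(line)
        if m:  # autostart entry: unfamiliar binaries living in system32
            path = EXE_RE.search(m.group("cmd"))
            if path and _in_system32(path.group("path")):
                base = path.group("path").lower().rsplit("\\", 1)[-1]
                if base not in KNOWN_SYSTEM32:
                    findings.append(("high", line, "autostart of unrecognised system32 binary " + base))
            continue

        m = O23_RE.match(line)
        if m:  # service with no publisher string: worth a look, not proof of anything
            if m.group("owner") == "Unknown owner":
                findings.append(("review", line, "service without a company name"))
            continue

        if "mountpoints2" in section:
            m = MOUNT_RE.match(line)
            if m:  # AutoRun handlers recorded for removable drives
                cmd = m.group("cmd")
                target = cmd.split()[0].lower()
                if (not re.match(r"^[a-z]:\\", target)
                        or target.endswith((".cmd", ".bat"))
                        or "shellexec_rundll" in cmd.lower()):
                    findings.append(("high", line, "autorun handler typical of an autorun.inf worm"))
            continue

        if "currentversion\\run" in section:
            m = RUN_DUMP_RE.match(line)
            if m:  # DSS prints [] when the Run target is not on disk
                findings.append(("review", line, "Run value points at a file that is not on disk"))
            continue

        m = REG_VAL_RE.match(line)
        if m:  # protection switched off through the registry
            key, val = m.group("key"), int(m.group("val"), 16)
            if "security center" in section and key.endswith("DisableNotify") and val:
                findings.append(("high", line, "Security Center warning suppressed"))
            elif "firewallpolicy" in section and key == "EnableFirewall" and val == 0:
                findings.append(("high", line, "Windows Firewall disabled"))

    return findings


if __name__ == "__main__":
    for severity, line, reason in triage(SAMPLE_LOG):
        print(f"[{severity:6}] {reason}\n         {line}")
```

Run as a script it prints the flagged lines; `triage()` takes any log text, so it can be pointed at a whole main.txt. The rules are deliberately narrow: a service with "Unknown owner" only earns a "review" tag, while an entry under `mountpoints2` whose command is a bare `.cmd` file or goes through `ShellExec_RunDLL` is the trace an autorun.inf worm leaves on every drive letter it has touched, which is why ComboFix later removes `C:\Autorun.inf` along with braviax.exe.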
Old 06-24-2008, 04:11 PM   #2 (permalink)
Registered User
 
Join Date: Jun 2008
Posts: 12
OS: XP


Re: Constant pop ups alerts

Hi, there is more info that could help. Panda told me that I had some viruses that it could not remove because I didn't pay (I registered for free). And I have one more question: should I stop using my PC? Or can I use it just enough to access this forum? Should I access this forum from another PC?

Thanks
lwajsberg is offline  
Old 06-24-2008, 06:03 PM   #3 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
 
Join Date: Jan 2005
Location: Ohio
Posts: 19,091
OS: WinXP and Vista


Re: Constant pop ups alerts

Hello lwajsberg and welcome,

Yes, keep this system disconnected from the internet except to carry out these instructions and to post the information, and check for replies from me.

Please copy this page to Notepad and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.

It's IMPORTANT to carry out the instructions in the sequence listed below.

***************************************************

Download ComboFix from any of the links below. You must rename it before saving it. Save it to your desktop.

Link 1
Link 2
Link 3





--------------------------------------------------------------------

Do not run it yet.....


Go to Microsoft's website => http://support.microsoft.com/kb/310994

Select the download that's appropriate for your Operating System




Download the file & save it as it's originally named, next to ComboFix.exe.






Now close all open windows and programs, including all antivirus and anti-malware programs, so they do not interfere with the running of ComboFix.


**Insert your removable drive that is typically your D: drive. Most likely a flash drive.

  • Drag the setup package onto ComboFix.exe and drop it.
  • Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console.


  • At the next prompt, click 'Yes' to run the full ComboFix scan.
  • When the tool is finished, it will produce a report for you.
Please post the C:\ComboFix.txt along with a new HijackThis log for further review.
__________________
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006
Ried is offline  
Old 06-28-2008, 01:50 PM   #4 (permalink)
Registered User
 
Join Date: Jun 2008
Posts: 12
OS: XP


Re: Constant pop ups alerts

Hi Ried, thanks for answering. I checked for 3 days but I just didn't know how to check for replies properly. Now I know, and I see you replied almost immediately; really, thanks.

OK. I ran everything that you told me and the popup stopped. Now I have an apparently legit popup from Windows that tells me that my system is not secure, maybe because I deactivated the AV and SpywareBlaster. Do I click on the alert? I'm just afraid.

Another thing is that I realized that for 3 weeks there has been a program that tries to install but fails; it's called "SolutionCenter" and I think it is from the HP printer, but...

OK, here is the ComboFix log:

ComboFix 08-06-20.4 - Principal 2008-06-28 23:09:00.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.3082.18.243 [GMT -3:00]
Running from: C:\Documents and Settings\Principal\Escritorio\Combo-Fix.exe
Command switches used :: C:\Documents and Settings\Principal\Escritorio\WindowsXP-KB310994-SP2-Home-BootDisk-ESN.exe
* Created a new restore point
.

(((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Autorun.inf
C:\WINDOWS\s32.txt
C:\WINDOWS\system32\AutoRun.inf
C:\WINDOWS\system32\braviax.exe
C:\WINDOWS\system32\DelSelf.bat
C:\WINDOWS\system32\mdm.exe
C:\WINDOWS\system32\server.exe
C:\WINDOWS\ws386.ini

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_ASPIMGR
-------\Service_aspimgr


(((((((((((((((((( Files Created from 2008-05-28 to 2008-06-29 )))))))))))))))))))))))))))))))))
.

2008-07-03 13:55 . 2008-07-03 13:55 <DIR> d-------- C:\Documents and Settings\Principal\Datos de programa\Arcsoft
2008-07-03 12:42 . 2008-07-03 12:42 <DIR> d-------- C:\Documents and Settings\Principal\Datos de programa\Leadertech
2008-07-03 12:26 . 2008-06-05 21:22 <DIR> d-------- C:\Archivos de programa\palmOne
2008-07-02 23:03 . 2005-06-18 23:35 8,704 --a------ C:\WINDOWS\pretbias64.bin
2008-06-29 09:00 . 2007-08-31 13:39 145 --a------ C:\WINDOWS\SPDCLICK.INI
2008-06-25 00:40 . 2008-06-25 00:40 <DIR> d-------- C:\Deckard
2008-06-25 00:09 . 2008-06-25 00:09 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2008-06-25 00:09 . 2005-02-25 00:35 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe
2008-06-25 00:03 . 2007-07-30 19:19 43,352 --a------ C:\WINDOWS\system32\wups2.dll
2008-06-25 00:03 . 2007-07-30 19:19 38,232 --a------ C:\WINDOWS\system32\wucltui.dll.mui
2008-06-25 00:03 . 2007-07-30 19:18 30,040 --a------ C:\WINDOWS\system32\wuaucpl.cpl.mui
2008-06-25 00:03 . 2007-07-30 19:20 30,040 --a------ C:\WINDOWS\system32\wuapi.dll.mui
2008-06-25 00:03 . 2007-07-30 19:18 20,824 --a------ C:\WINDOWS\system32\wuaueng.dll.mui
2008-06-24 23:44 . 2008-06-28 23:00 <DIR> d-------- C:\agnis-sites
2008-06-24 23:37 . 2008-06-28 23:04 <DIR> d-a------ C:\Documents and Settings\All Users\Datos de programa\TEMP
2008-06-24 23:37 . 2008-06-24 23:40 <DIR> d-------- C:\Archivos de programa\SpywareBlaster
2008-06-24 19:59 . 2008-06-24 19:59 <DIR> d-------- C:\Archivos de programa\Panda Security
2008-06-18 23:14 . 2008-06-18 23:14 <DIR> d-------- C:\Documents and Settings\Principal\Datos de programa\MissionResearch.GiftWorks.3
2008-06-18 22:45 . 2008-06-18 23:14 <DIR> d-------- C:\Documents and Settings\All Users\Datos de programa\MissionResearch.GiftWorks.3
2008-06-18 22:45 . 2008-06-18 22:45 <DIR> d-------- C:\Archivos de programa\Mission Research
2008-06-18 22:44 . 2008-06-18 22:44 <DIR> d-------- C:\WINDOWS\Downloaded Installations
2008-06-15 00:58 . 2008-06-20 13:32 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-06-15 00:58 . 2008-06-15 00:58 1,409 --a------ C:\WINDOWS\QTFont.for
2008-06-04 22:30 . 2008-06-04 22:30 <DIR> d-------- C:\Archivos de programa\Audacity
2008-06-04 21:25 . 2008-06-23 17:11 7,168 --ahs---- C:\WINDOWS\Thumbs.db
2008-06-03 23:05 . 2008-06-10 21:38 <DIR> d-------- C:\Documents and Settings\All Users\Datos de programa\NCH Swift Sound
2008-06-03 23:05 . 2008-06-03 23:05 <DIR> d-------- C:\Documents and Settings\All Users\Datos de programa\NCH Software
2008-06-03 23:05 . 2008-06-03 23:05 <DIR> d-------- C:\Archivos de programa\NCH Software
2008-06-03 23:04 . 2008-06-03 23:21 <DIR> d-------- C:\Documents and Settings\Principal\Datos de programa\NCH Swift Sound
2008-06-03 23:04 . 2008-06-10 21:38 <DIR> d-------- C:\Archivos de programa\NCH Swift Sound
2008-06-01 22:16 . 2008-06-01 22:18 <DIR> d-------- C:\Documents and Settings\Principal\Datos de programa\VoipDiscount
2008-06-01 22:13 . 2008-06-01 22:13 <DIR> d-------- C:\Archivos de programa\VoipDiscount.com
2008-05-31 23:52 . 2008-05-31 23:52 1,188 --a------ C:\WINDOWS\mozver.dat
2008-05-31 23:40 . 2008-06-28 22:05 <DIR> d-------- C:\Documents and Settings\Principal\Datos de programa\skypePM
2008-05-31 23:40 . 2008-05-31 23:40 56 --ah----- C:\WINDOWS\system32\ezsidmv.dat
2008-05-31 23:37 . 2008-06-27 17:09 <DIR> d-------- C:\Documents and Settings\Principal\Datos de programa\Skype
2008-05-31 23:37 . 2008-05-31 23:37 <DIR> d-------- C:\Archivos de programa\Skype
2008-05-31 23:37 . 2008-05-31 23:37 <DIR> d-------- C:\Archivos de programa\Archivos comunes\Skype
2008-05-31 23:36 . 2008-05-31 23:37 <DIR> d-------- C:\Documents and Settings\All Users\Datos de programa\Skype
2008-05-31 23:35 . 2008-05-31 23:35 0 --a------ C:\WINDOWS\nsreg.dat

.
(((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-25 23:34 --------- d-----w C:\Documents and Settings\Principal\Datos de programa\AVG7
2008-06-24 22:36 --------- d--h--w C:\Archivos de programa\InstallShield Installation Information
2008-06-24 22:36 --------- d-----w C:\Archivos de programa\CyberLink
2008-06-24 22:22 --------- d--h--r C:\Documents and Settings\Principal\Datos de programa\yahoo!
2008-06-24 22:22 --------- d-----w C:\Documents and Settings\All Users\Datos de programa\Yahoo!
2008-06-24 22:22 --------- d-----w C:\Archivos de programa\Yahoo!
2008-06-20 16:43 --------- d-----w C:\Documents and Settings\Principal\Datos de programa\U3
2008-06-12 23:48 --------- d-----w C:\Documents and Settings\Principal\Datos de programa\AdobeUM
2008-06-11 01:43 --------- d-----w C:\Documents and Settings\All Users\Datos de programa\avg7
2008-05-29 01:17 --------- d-----w C:\Archivos de programa\wow250
2008-05-28 18:33 --------- d-----w C:\Archivos de programa\Java
2008-05-28 16:38 --------- d-----w C:\Archivos de programa\Incomplete
2008-05-28 16:36 --------- d-----w C:\Archivos de programa\LimeWire
2008-05-28 10:23 --------- d-----w C:\Documents and Settings\1\Application Data\U3
2008-05-23 01:28 --------- d-----w C:\Documents and Settings\Principal\Datos de programa\HPAppData
.

((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="C:\Archivos de programa\MSN Messenger\MsnMsgr.Exe" [ ]
"ares"="C:\Archivos de programa\Ares\Ares.exe" [ ]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-19 15:42 15360]
"Skype"="C:\Archivos de programa\Skype\Phone\Skype.exe" [2008-04-23 17:45 22058792]
"VoipDiscount"="C:\Archivos de programa\VoipDiscount.com\VoipDiscount\VoipDiscount.exe" [2007-05-31 16:22 7419456]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_CC"="C:\ARCHIV~1\Grisoft\AVGFRE~1\avgcc.exe" [2008-06-24 23:11 579584]
"SunJavaUpdateSched"="C:\Archivos de programa\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43 83608]
"WinampAgent"="C:\Archivos de programa\Winamp\winampa.exe" [2006-10-25 02:37 35328]
"QuickTime Task"="C:\Archivos de programa\QuickTime\qttask.exe" [2007-02-16 10:54 282624]
"iTunesHelper"="C:\Archivos de programa\iTunes\iTunesHelper.exe" [2007-03-14 19:05 257088]
"CorelDRAW Graphics Suite 11b"="C:\Archivos de programa\Corel\Corel Graphics 12\Languages\ES\Programs\Registration.exe" [2003-11-28 01:52 733184]
"HP Software Update"="C:\Archivos de programa\HP\HP Software Update\HPWuSchd2.exe" [2007-03-11 21:34 49152]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-19 15:42 15360]
"AVG7_Run"="C:\ARCHIV~1\Grisoft\AVGFRE~1\avgw.exe" [2008-05-28 22:50 219136]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIModeChange]
--a------ 2001-09-04 16:24 28672 C:\WINDOWS\system32\Ati2mdxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
--a------ 2003-08-12 21:10 335872 C:\Archivos de programa\ATI Technologies\ATI Control Panel\atiptaxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 11:50 155648 C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCTVOICE]
--a------ 2002-07-18 16:58 163840 C:\WINDOWS\system32\pctspk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
C:\Archivos de programa\CyberLink\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Archivos de programa\\Grisoft\\AVG Free\\avginet.exe"=
"C:\\Archivos de programa\\Grisoft\\AVG Free\\avgamsvr.exe"=
"C:\\Archivos de programa\\Grisoft\\AVG Free\\avgcc.exe"=
"C:\\Archivos de programa\\Grisoft\\AVG Free\\avgemc.exe"=
"C:\\StubInstaller.exe"=
"C:\\Archivos de programa\\LimeWire\\LimeWire.exe"=
"C:\\Archivos de programa\\iTunes\\iTunes.exe"=
"C:\\Archivos de programa\\VoipDiscount.com\\VoipDiscount\\VoipDiscount.exe"=
"C:\\Archivos de programa\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8000:UDP"= 8000:UDP:Express Talk RTP Incoming Audio (UDP)

S3 EverestDriver;Lavalys EVEREST Kernel Driver;D:\EVEREST\kerneld.wnt []

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - D:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{95e04880-6c53-11dc-89b4-00022d7cb7a4}]
\Shell\AutoRun\command - D:\3wcxx91.cmd
\Shell\explore\Command - D:\3wcxx91.cmd
\Shell\open\Command - D:\3wcxx91.cmd

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9f6e8900-f1e5-11dc-8aa5-00022d7cb7a4}]
\Shell\AutoRun\command - D:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9f6e8901-f1e5-11dc-8aa5-00022d7cb7a4}]
\Shell\AutoRun\command - 3wcxx91.cmd
\Shell\explore\Command - 3wcxx91.cmd
\Shell\open\Command - 3wcxx91.cmd

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c1250f50-ae5f-11dc-8a33-00022d7cb7a4}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d41fefd8-57dc-11dc-899b-00022d7cb7a4}]
\Shell\AutoRun\command - 3wcxx91.cmd
\Shell\explore\Command - 3wcxx91.cmd
\Shell\open\Command - 3wcxx91.cmd

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d64ba050-a910-11dc-8a28-00022d7cb7a4}]
\Shell\AutoRun\command - D:\3wcxx91.cmd
\Shell\explore\Command - D:\3wcxx91.cmd
\Shell\open\Command - D:\3wcxx91.cmd

.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-28 23:17:39
Windows 5.1.2600 Service Pack 2 NTFS

escaneando procesos ocultos ...

escaneando entradas ocultas de autostart ...

escaneando archivos ocultos ...

el escaneo se completo con exito
archivos ocultos: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\EverestDriver]
"ImagePath"="\??\D:\EVEREST\kerneld.wnt"
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ati2evxx.exe
C:\ARCHIV~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\ARCHIV~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\ARCHIV~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Archivos de programa\Archivos comunes\LightScribe\LSSrvc.exe
C:\Archivos de programa\Archivos comunes\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\wdfmgr.exe
C:\Archivos de programa\HP\Digital Imaging\bin\hpqtra08.exe
C:\Archivos de programa\palmOne\HOTSYNC.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Archivos de programa\iPod\bin\iPodService.exe
C:\Archivos de programa\HP\Digital Imaging\bin\hpqste08.exe
C:\WINDOWS\system32\msiexec.exe
C:\Archivos de programa\Skype\Plugin Manager\skypePM.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\system32\msiexec.exe
.
**************************************************************************
.
Tiempo completado: 2008-06-28 23:27:12 - machine was rebooted
ComboFix-quarantined-files.txt 2008-06-29 02:27:06

14 dirs 875,147,264 bytes libres
20 dirs 851,795,968 bytes libres

WindowsXP-KB310994-SP2-Home-BootDisk-ESN.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS2
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS2="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

205



And here is the new deckard log

Deckard's System Scanner v20071014.68
Run by Principal on 2008-06-28 23:35:40
Computer is in Normal Mode.
--------------------------------------------------------------------------------

System Drive C: has 0.92 GiB (less than 15%) free.


-- HijackThis Clone ------------------------------------------------------------


Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-06-28 23:36:10
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Archivos de programa\Grisoft\AVG Free\avgamsvr.exe
C:\Archivos de programa\Grisoft\AVG Free\avgupsvc.exe
C:\Archivos de programa\Grisoft\AVG Free\avgemc.exe
C:\WINDOWS\system32\svchost.exe
C:\Archivos de programa\Archivos comunes\LightScribe\LSSrvc.exe
C:\Archivos de programa\Archivos comunes\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\Archivos de programa\Grisoft\AVG Free\avgcc.exe
C:\Archivos de programa\Java\jre1.6.0_01\bin\jusched.exe
C:\Archivos de programa\Winamp\winampa.exe
C:\Archivos de programa\QuickTime\qttask.exe
C:\Archivos de programa\iTunes\iTunesHelper.exe
C:\Archivos de programa\HP\HP Software Update\hpwuSchd2.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Archivos de programa\Skype\Phone\Skype.exe
C:\Archivos de programa\VoipDiscount.com\VoipDiscount\VoipDiscount.exe
C:\Archivos de programa\HP\Digital Imaging\bin\hpqtra08.exe
C:\Archivos de programa\palmOne\HOTSYNC.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Archivos de programa\iPod\bin\iPodService.exe
C:\Archivos de programa\HP\Digital Imaging\bin\hpqste08.exe
C:\WINDOWS\system32\msiexec.exe
C:\Archivos de programa\Skype\Plugin Manager\skypePM.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Principal\Mis documentos\Lionel\Software\dss.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = iexplore
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/...ch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O4 - HKLM\..\Run: [AVG7_CC] C:\ARCHIV~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Archivos de programa\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [WinampAgent] C:\Archivos de programa\Winamp\winampa.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Archivos de programa\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Archivos de programa\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [CorelDRAW Graphics Suite 11b] C:\Archivos de programa\Corel\Corel Graphics 12\Languages\ES\Programs\Registration.exe /title="CorelDRAW Graphics Suite 12" /date=071908 serial=DR12WEX-1504397-KTY lang=ES
O4 - HKLM\..\Run: [HP Software Update] C:\Archivos de programa\HP\HP Software Update\HPWuSchd2.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Archivos de programa\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ares] "C:\Archivos de programa\Ares\Ares.exe" -h
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Skype] "C:\Archivos de programa\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [VoipDiscount] "C:\Archivos de programa\VoipDiscount.com\VoipDiscount\VoipDiscount.exe" -nosplash -minimized
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\ARCHIV~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\ARCHIV~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\ARCHIV~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\ARCHIV~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: HotSync Manager.lnk = ?
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Archivos de programa\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Archivos de programa\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\ARCHIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Consola de Sun Java - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Portafolios de HP - {58ECB495-38F0-49cb-A538-10282ABF65E7} - C:\Archivos de programa\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: Selección inteligente de HP - {700259D7-1666-479a-93B1-3250410481E8} - C:\Archivos de programa\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/actives.../as2stubie.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Archivos de programa\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1214362933277
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/get...nt/swflash.cab
O18 - Protocol: ms-help - {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Archivos de programa\Archivos comunes\Microsoft Shared\Help\hxds.dll
O18 - Protocol: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Archivos de programa\Archivos comunes\Microsoft Shared\Information Retrieval\msitss.dll
O18 - Protocol: mso-offdap - {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Archivos de programa\Archivos comunes\Microsoft Shared\Web Components\10\OWC10.DLL
O18 - Protocol: mso-offdap11 - {32505114-5902-49B2-880A-1F7738E5A384} - C:\Archivos de programa\Archivos comunes\Microsoft Shared\Web Components\11\OWC11.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Archivos de programa\Archivos comunes\Skype\Skype4COM.dll
O18 - Filter: text/xml - {807553E5-5146-11D5-A672-00B0D022E945} - C:\Archivos de programa\Archivos comunes\Microsoft Shared\OFFICE11\MSOXMLMF.DLL
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\Archivos de programa\Grisoft\AVG Free\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\Archivos de programa\Grisoft\AVG Free\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\Archivos de programa\Grisoft\AVG Free\avgemc.exe
O23 - Service: Servicio del iPod (iPod Service) - Apple Inc. - C:\Archivos de programa\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Archivos de programa\Archivos comunes\LightScribe\LSSrvc.exe
O23 - Service: Visual Studio Analyzer RPC bridge - Unknown owner - C:\Archivos de programa\Microsoft Visual Studio


--
End of file - 8828 bytes

-- Files created between 2008-05-28 and 2008-06-28 -----------------------------

2008-07-03 12:26:46 0 d-------- C:\Archivos de programa\palmOne
2008-07-02 23:03:07 8704 --a------ C:\WINDOWS\pretbias64.bin <Not Verified; Waitech; Cracker>
2008-06-28 23:27:23 0 d-------- C:\Documents and Settings\Principal\Configuración local
2008-06-28 23:08:22 0 d-------- C:\cmdcons
2008-06-28 23:04:59 68096 --a------ C:\WINDOWS\zip.exe
2008-06-28 23:04:59 49152 --a------ C:\WINDOWS\VFind.exe
2008-06-28 23:04:59 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-06-28 23:04:59 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-06-28 23:04:59 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-06-28 23:04:59 98816 --a------ C:\WINDOWS\sed.exe
2008-06-28 23:04:59 80412 --a------ C:\WINDOWS\grep.exe
2008-06-28 23:04:59 89504 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-06-25 00:09:10 0 d-------- C:\WINDOWS\system32\PreInstall
2008-06-25 00:09:07 0 d--h----- C:\WINDOWS\$hf_mig$
2008-06-25 00:03:24 0 d-------- C:\WINDOWS\system32\SoftwareDistribution
2008-06-24 23:44:47 0 d-------- C:\agnis-sites
2008-06-24 23:37:15 0 d-------- C:\Archivos de programa\SpywareBlaster
2008-06-24 19:59:27 0 d-------- C:\Archivos de programa\Panda Security
2008-06-18 22:45:42 0 d-------- C:\Archivos de programa\Mission Research
2008-06-18 22:44:06 0 d-------- C:\WINDOWS\Downloaded Installations
2008-06-04 22:30:37 0 d-------- C:\Archivos de programa\Audacity
2008-06-03 23:05:27 0 d-------- C:\Archivos de programa\NCH Software
2008-06-03 23:04:06 0 d-------- C:\Archivos de programa\NCH Swift Sound
2008-06-01 22:13:01 0 d-------- C:\Archivos de programa\VoipDiscount.com
2008-05-31 23:52:14 1188 --a------ C:\WINDOWS\mozver.dat
2008-05-31 23:40:03 56 --ah----- C:\WINDOWS\system32\ezsidmv.dat
2008-05-31 23:37:01 0 d-------- C:\Archivos de programa\Skype
2008-05-31 23:37:00 0 d-------- C:\Archivos de programa\Archivos comunes\Skype
2008-05-31 23:35:30 0 --a------ C:\WINDOWS\nsreg.dat
2008-05-28 22:17:36 98892 --a------ C:\WINDOWS\system32\drivers\PPPoEWin.sys
2008-05-28 22:17:35 98892 --a------ C:\WINDOWS\system32\PPPoEWin.sys
2008-05-28 22:17:35 11456 -r------- C:\WINDOWS\system32\PPPoENdi.dll <Not Verified; Microsoft Corporation; Microsoft® Windows(TM) Operating System>
2008-05-28 22:17:35 11456 -r------- C:\WINDOWS\system32\drivers\PPPoENdi.dll <Not Verified; Microsoft Corporation; Microsoft® Windows(TM) Operating System>
2008-05-28 22:17:28 0 d-------- C:\Archivos de programa\wow250


-- Find3M Report ---------------------------------------------------------------

2008-07-03 13:55:02 0 d-------- C:\Documents and Settings\Principal\Datos de programa\Arcsoft
2008-07-03 12:42:05 0 d-------- C:\Documents and Settings\Principal\Datos de programa\Leadertech
2008-06-28 22:05:34 0 d-------- C:\Documents and Settings\Principal\Datos de programa\skypePM
2008-06-27 17:09:15 0 d-------- C:\Documents and Settings\Principal\Datos de programa\Skype
2008-06-25 20:34:53 0 d-------- C:\Documents and Settings\Principal\Datos de programa\AVG7
2008-06-24 19:36:10 0 d--h----- C:\Archivos de programa\InstallShield Installation Information
2008-06-24 19:36:10 0 d-------- C:\Archivos de programa\CyberLink
2008-06-24 19:22:31 0 dr-h----- C:\Documents and Settings\Principal\Datos de programa\yahoo!
2008-06-24 19:22:04 0 d-------- C:\Archivos de programa\Yahoo!
2008-06-20 13:43:31 0 d-------- C:\Documents and Settings\Principal\Datos de programa\U3
2008-06-18 23:14:11 0 d-------- C:\Documents and Settings\Principal\Datos de programa\MissionResearch.GiftWorks.3
2008-06-12 20:48:27 0 d-------- C:\Documents and Settings\Principal\Datos de programa\AdobeUM
2008-06-11 12:57:13 0 d-------- C:\Documents and Settings\Principal\Datos de programa\Adobe
2008-06-03 23:21:25 0 d-------- C:\Documents and Settings\Principal\Datos de programa\NCH Swift Sound
2008-06-01 22:18:17 0 d-------- C:\Documents and Settings\Principal\Datos de programa\VoipDiscount
2008-05-31 23:37:00 0 d-------- C:\Archivos de programa\Archivos comunes
2008-05-31 23:35:22 0 d-------- C:\Documents and Settings\Principal\Datos de programa\Mozilla
2008-05-28 15:33:22 0 d-------- C:\Archivos de programa\Java
2008-05-28 13:38:10 0 d-------- C:\Archivos de programa\Incomplete
2008-05-28 13:36:49 0 d-------- C:\Archivos de programa\LimeWire
2008-05-22 22:28:41 0 d-------- C:\Documents and Settings\Principal\Datos de programa\HPAppData
2008-05-18 17:14:52 1536 --a------ C:\WINDOWS\system32\TrueSoft.dat


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_CC"="C:\ARCHIV~1\Grisoft\AVGFRE~1\avgcc.exe" [24/06/2008 11:11 p.m.]
"SunJavaUpdateSched"="C:\Archivos de programa\Java\jre1.6.0_01\bin\jusched.exe" [14/03/2007 03:43 a.m.]
"WinampAgent"="C:\Archivos de programa\Winamp\winampa.exe" [25/10/2006 02:37 a.m.]
"QuickTime Task"="C:\Archivos de programa\QuickTime\qttask.exe" [16/02/2007 10:54 a.m.]
"iTunesHelper"="C:\Archivos de programa\iTunes\iTunesHelper.exe" [14/03/2007 07:05 p.m.]
"CorelDRAW Graphics Suite 11b"="C:\Archivos de programa\Corel\Corel Graphics 12\Languages\ES\Programs\Registration.exe" [28/11/2003 01:52 a.m.]
"HP Software Update"="C:\Archivos de programa\HP\HP Software Update\HPWuSchd2.exe" [11/03/2007 09:34 p.m.]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="C:\Archivos de programa\MSN Messenger\MsnMsgr.exe" []
"ares"="C:\Archivos de programa\Ares\Ares.exe" []
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [19/08/2004 03:42 p.m.]
"Skype"="C:\Archivos de programa\Skype\Phone\Skype.exe" [23/04/2008 05:45 p.m.]
"VoipDiscount"="C:\Archivos de programa\VoipDiscount.com\VoipDiscount\VoipDiscount.exe" [31/05/2007 04:22 p.m.]

C:\Documents and Settings\Principal\Menú Inicio\Programas\Inicio\
HotSync Manager.lnk - C:\Archivos de programa\palmOne\HOTSYNC.EXE [04/03/2004 05:25:28 p.m.]
PowerReg Scheduler.exe [03/07/2008 12:42:36 p.m.]

C:\Documents and Settings\All Users\Menú Inicio\Programas\Inicio\
Adobe Reader Speed Launch.lnk - C:\Archivos de programa\Adobe\Acrobat 7.0\Reader\reader_sl.exe [23/09/2005 10:05:26 p.m.]
HP Digital Imaging Monitor.lnk - C:\Archivos de programa\HP\Digital Imaging\bin\hpqtra08.exe [11/03/2007 09:26:24 p.m.]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIModeChange]
Ati2mdxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
C:\Archivos de programa\ATI Technologies\ATI Control Panel\atiptaxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCTVOICE]
pctspk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
"C:\Archivos de programa\CyberLink\PowerDVD\PDVDServ.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
hpdevmgmt hpqcxs08 hpqddsvc


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
AutoRun\command- D:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{95e04880-6c53-11dc-89b4-00022d7cb7a4}]
AutoRun\command- D:\3wcxx91.cmd
explore\Command- D:\3wcxx91.cmd
open\Command- D:\3wcxx91.cmd

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9f6e8900-f1e5-11dc-8aa5-00022d7cb7a4}]
AutoRun\command- D:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9f6e8901-f1e5-11dc-8aa5-00022d7cb7a4}]
AutoRun\command- 3wcxx91.cmd
explore\Command- 3wcxx91.cmd
open\Command- 3wcxx91.cmd

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c1250f50-ae5f-11dc-8a33-00022d7cb7a4}]
AutoRun\command- F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d41fefd8-57dc-11dc-899b-00022d7cb7a4}]
AutoRun\command- 3wcxx91.cmd
explore\Command- 3wcxx91.cmd
open\Command- 3wcxx91.cmd

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d64ba050-a910-11dc-8a28-00022d7cb7a4}]
AutoRun\command- D:\3wcxx91.cmd
explore\Command- D:\3wcxx91.cmd
open\Command- D:\3wcxx91.cmd




-- End of Deckard's System Scanner: finished at 2008-06-28 23:36:59 ------------

I wait here for orders. And thank you again.
lwajsberg is offline  
Old 06-28-2008, 08:27 PM   #5 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
Ried's Avatar
 
Join Date: Jan 2005
Location: Ohio
Posts: 19,091
OS: WinXP and Vista


Re: Constant pop ups alerts

Hi lwajsberg. Nice work in that first round.

Quote:
I checked for 3 days but I just didn't know how to check for replies well. Now I know, and I see you replied almost immediately, really thanks.
You can subscribe to this thread and you'll get immediate notification of replies as soon as they are posted. To do this, go to the top of this thread and a bit to the right you'll see Thread Tools. Click on that, then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Subscribe.

Quote:
Ok. I ran everything that you told me and the popup stopped. Now I had an apparently legit popup from Windows that tells me that my system is not secure, maybe because I deactivated the AV and SpyBluster. Do I click on the alert? I'm just afraid.
Did that pop up go away once you re-activated AVG Anti Virus? If so, then yes, that was a legit Windows notice.

Quote:
Another thing is that I realize that for 3 weeks there is a program that tries to install but fails; it's called "SolutionCenter" and I think it is from the HP printer but ...
Remind me about that when we're through removing the malware.

--------------------------------------------------------------

Please copy this page to Notepad and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.

Also be sure to carry out the instructions in the sequence listed below.

***************************************************

Close any open browsers.

--------------------------------------------------------------------


Open notepad and copy/paste the entire text in the quote box below:

(don't forget to copy and paste that very first line, REGEDIT4)


Quote:
REGEDIT4

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{95e04880-6c53-11dc-89b4-00022d7cb7a4}]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9f6e8901-f1e5-11dc-8aa5-00022d7cb7a4}]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d41fefd8-57dc-11dc-899b-00022d7cb7a4}]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d64ba050-a910-11dc-8a28-00022d7cb7a4}]


Save the file as "delete.reg". Make sure to save it with the quotes. Choose to "Save type as - All Files"
It should look like this:

Double click on the delete.reg file and choose Yes to merge/add it to the registry. You may delete the file afterwards.

--------------------------------------------------------------------

It's important to run this online scan to search for any remnants. It can take some time, so please be patient and allow it to run its full course:

Perform an online scan with Panda ActiveScan
  • Click on Scan Your PC Now
  • A "pop up" window will appear, or a new tab will open.
  • Click on Register
  • Choose the option you like most, but we recommend the Free Registration.
  • Click on Register
  • Enter your e-mail address, and create a password.
  • Select "I do not want to receive any type of information". (unless you want to receive such information)
  • Click on Send
  • Confirm registration, and continue by entering your user name and password, then click on Enter
  • Select Full Scan, then Click on Scan Now
  • Wait for the components to be loaded and installed. Don't close this window or go to another page while it is downloading. You can continue using the Internet by opening another window in your browser.
  • If it finds any malware it can disinfect, the Disinfect button will be enabled. Click on Disinfect
  • Please ignore the offer to buy the program. Click on Export To
  • Export the log and save it to your desktop.
  • Please attach the contents of that log in your next reply.

* Turn off the real time scanner of any existing antivirus program while performing the online scan

------------------------------------------------------------

Run a new scan with dss.exe.

------------------------------------------------------------

Please include the following in your next reply:

Panda results
new main.txt
Update on system behavior
__________________

Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Keep this site free for all. Please consider donating.

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Ried is offline  
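Ried's REGEDIT4 file above deletes the four MountPoints2 keys by hand after reading them out of the scanner dump. As an added example (not code from this thread, nor from DSS, ComboFix or HijackThis), the Python script below automates that reading step: it parses the mountpoints2 section of such a dump, flags keys whose handlers launch a script from removable media, and prints the same kind of `[-KEY]` deletion file for review. The sample dump is constructed to mirror the layout of the log above (the key names and the file name 3wcxx91.cmd are taken from the thread; nothing else is real), the flagging heuristic is my own, and the script only prints the .reg text rather than merging it.

```python
"""Flag MountPoints2 AutoRun handlers and build a REGEDIT4 removal file.

Added example for this thread; not part of the original post or of any
scanner it mentions. SAMPLE_DUMP is a constructed sample that copies the
layout of the Deckard's System Scanner registry dump shown in the thread.
"""
import re

# Constructed sample in the DSS "mountpoints2" layout (key names and
# 3wcxx91.cmd come from the thread's log; U3 launcher entries are benign).
SAMPLE_DUMP = r"""
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
AutoRun\command- D:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{95e04880-6c53-11dc-89b4-00022d7cb7a4}]
AutoRun\command- D:\3wcxx91.cmd
explore\Command- D:\3wcxx91.cmd
open\Command- D:\3wcxx91.cmd

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9f6e8900-f1e5-11dc-8aa5-00022d7cb7a4}]
AutoRun\command- D:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d41fefd8-57dc-11dc-899b-00022d7cb7a4}]
AutoRun\command- 3wcxx91.cmd
explore\Command- 3wcxx91.cmd
open\Command- 3wcxx91.cmd
"""

HEADER_RE = re.compile(r"^\[(.+)\]$")
# Accepts both layouts seen in such dumps:
#   "AutoRun\command- D:\foo.cmd"          (DSS registry dump)
#   "\Shell\AutoRun\command - D:\foo.cmd"  (ComboFix dump)
HANDLER_RE = re.compile(r"^\\?(?:Shell\\)?(\w+)\\command\s*-\s*(.+?)\s*$", re.IGNORECASE)

# Extensions that should never be the AutoRun target of a removable drive.
SCRIPT_EXTS = (".cmd", ".bat", ".vbs", ".js", ".pif", ".scr")


def parse_mountpoints(dump):
    """Return {key_path: [(verb, command), ...]} for every key in the dump."""
    entries = {}
    current = None
    for raw in dump.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = HEADER_RE.match(line)
        if header:
            current = header.group(1)
            entries.setdefault(current, [])
            continue
        handler = HANDLER_RE.match(line)
        if handler and current is not None:
            entries[current].append((handler.group(1).lower(), handler.group(2)))
    return entries


def executable_name(command):
    """File name of the program a handler command line launches (lower-cased)."""
    parts = command.split()
    if not parts:
        return ""
    return parts[0].rsplit("\\", 1)[-1].lower()


def is_suspicious(handlers):
    """Heuristic (mine, not the thread's): a script as the AutoRun target, or
    AutoRun, open and explore all redirected to one and the same file."""
    verbs = {verb: cmd for verb, cmd in handlers}
    if "autorun" in verbs and executable_name(verbs["autorun"]).endswith(SCRIPT_EXTS):
        return True
    targets = {executable_name(cmd) for cmd in verbs.values()}
    return {"autorun", "open", "explore"} <= set(verbs) and len(targets) == 1


def find_suspicious(dump):
    """Sorted list of MountPoints2 keys whose handlers look hijacked."""
    return sorted(key for key, handlers in parse_mountpoints(dump).items()
                  if is_suspicious(handlers))


def build_delete_reg(keys):
    """REGEDIT4 text that deletes each key, in the '[-KEY]' form used in the post."""
    lines = ["REGEDIT4", ""]
    for key in keys:
        lines.extend([f"[-{key}]", ""])
    return "\n".join(lines)


if __name__ == "__main__":
    flagged = find_suspicious(SAMPLE_DUMP)
    for key in flagged:
        print("suspicious:", key)
    print(build_delete_reg(flagged))
```

Run against the constructed dump, the script flags the two GUID keys pointing at 3wcxx91.cmd and leaves the LaunchU3.exe entries alone; the printed file is meant to be read by a person before it is ever merged, exactly as the helper's instructions have the user do.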
Old 06-29-2008, 02:09 PM   #6 (permalink)
Registered User
 
Join Date: Jun 2008
Posts: 12
OS: XP


Re: Constant pop ups alerts

Hi Ried! About that security alert, it doesn't pop up but the shield (icon) is there in the bar. The system is running a little bit slower than normal but it seems OK. I attach the Panda results but it said that it couldn't remove everything because I didn't pay. Should I consider paying?

Ok. Here is the dss log

Deckard's System Scanner v20071014.68
Run by Principal on 2008-06-29 23:52:27
Computer is in Normal Mode.
--------------------------------------------------------------------------------

System Drive C: has 0.85 GiB (less than 15%) free.


-- HijackThis Clone ------------------------------------------------------------


Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-06-29 23:54:09
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\explorer.exe
C:\Archivos de programa\Grisoft\AVG Free\avgamsvr.exe
C:\Archivos de programa\Grisoft\AVG Free\avgupsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Archivos de programa\Archivos comunes\LightScribe\LSSrvc.exe
C:\Archivos de programa\Archivos comunes\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\Archivos de programa\Grisoft\AVG Free\avgcc.exe
C:\Archivos de programa\Java\jre1.6.0_01\bin\jusched.exe
C:\Archivos de programa\Winamp\winampa.exe
C:\Archivos de programa\QuickTime\qttask.exe
C:\Archivos de programa\iTunes\iTunesHelper.exe
C:\Archivos de programa\HP\HP Software Update\hpwuSchd2.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Archivos de programa\Skype\Phone\Skype.exe
C:\Archivos de programa\VoipDiscount.com\VoipDiscount\VoipDiscount.exe
C:\Archivos de programa\HP\Digital Imaging\bin\hpqtra08.exe
C:\Archivos de programa\palmOne\HOTSYNC.EXE
C:\Archivos de programa\iPod\bin\iPodService.exe
C:\Archivos de programa\HP\Digital Imaging\bin\hpqste08.exe
C:\Archivos de programa\Skype\Plugin Manager\skypePM.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\Documents and Settings\Principal\Mis documentos\Lionel\Software\dss.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = iexplore
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/...ch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O4 - HKLM\..\Run: [AVG7_CC] C:\ARCHIV~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Archivos de programa\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [WinampAgent] C:\Archivos de programa\Winamp\winampa.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Archivos de programa\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Archivos de programa\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [CorelDRAW Graphics Suite 11b] C:\Archivos de programa\Corel\Corel Graphics 12\Languages\ES\Programs\Registration.exe /title="CorelDRAW Graphics Suite 12" /date=071908 serial=DR12WEX-1504397-KTY lang=ES
O4 - HKLM\..\Run: [HP Software Update] C:\Archivos de programa\HP\HP Software Update\HPWuSchd2.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Archivos de programa\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ares] "C:\Archivos de programa\Ares\Ares.exe" -h
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Skype] "C:\Archivos de programa\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [VoipDiscount] "C:\Archivos de programa\VoipDiscount.com\VoipDiscount\VoipDiscount.exe" -nosplash -minimized
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\ARCHIV~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\ARCHIV~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\ARCHIV~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\ARCHIV~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: HotSync Manager.lnk = ?
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Archivos de programa\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Archivos de programa\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\ARCHIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Consola de Sun Java - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Portafolios de HP - {58ECB495-38F0-49cb-A538-10282ABF65E7} - C:\Archivos de programa\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: Selección inteligente de HP - {700259D7-1666-479a-93B1-3250410481E8} - C:\Archivos de programa\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/actives.../as2stubie.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Archivos de programa\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) -