Author Topic: Problems with TROJANS that are hard to get rid of...  (Read 21842 times)


mauserme

  • Guest
Re: Problems with TROJANS that are hard to get rid of...
« Reply #15 on: June 30, 2007, 06:44:37 AM »
I think it would be good if you run ComboFix which you should download from Here or Here to your Desktop.
 
Double click combofix.exe and follow the prompts.
 
When finished, it will produce a log for you. Post that log and a new HijackThis log in your next reply.
 
Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Also note that I would like you to run ComboFix first. Then, before you run HijackThis, rename the program file from hijackthis.exe to hijackKLM.exe and run it from that.

Offline FreewheelinFrank

  • Avast Evangelist
  • Ultra Poster
  • ***
  • Posts: 4871
  • I'm a GNU
    • Don't Surf in the Nude!
Re: Problems with TROJANS that are hard to get rid of...
« Reply #16 on: June 30, 2007, 09:31:40 AM »
Virtumonde can be difficult to remove. There is a specialist tool you can use here:

http://www.atribune.org/content/view/24/2/

If you have run the scanners I mentioned, you need to run HijackThis! again and check that the following entries have gone:

Quote
C:\WINDOWS\system32\uaknyolm.exe
O4 - HKLM\..\Run: [GPLv3] rundll32.exe "C:\WINDOWS\system32\kxvouybm.dll",realset
O23 - Service: DomainService - - C:\WINDOWS\system32\uaknyolm.exe

If they are still there, you will need to remove them manually.

Run HijackThis! again, tick the box next to these entries, click 'fix' and reboot into safe mode.

Delete the file C:\WINDOWS\system32\kxvouybm.dll

Remove the service DomainService as described here:

http://www.bleepingcomputer.com/tutorials/tutorial42.html#O23Diag

If the malware resists removal, come back and tell us: there are more powerful methods of removal.
« Last Edit: June 30, 2007, 04:48:28 PM by FreewheelinFrank »
     Bambleweeny 57 sub-meson brain     Don't Surf in the Nude Blog

Offline FreewheelinFrank

  • Avast Evangelist
  • Ultra Poster
  • ***
  • Posts: 4871
  • I'm a GNU
    • Don't Surf in the Nude!
Re: Problems with TROJANS that are hard to get rid of...
« Reply #17 on: June 30, 2007, 09:44:55 AM »
When you have cleaned up your computer, check for out-of-date, unpatched and insecure versions of software which can allow infections such as Vundo. In particular, look for older versions of Sun Java lurking on your computer.

http://secunia.com/software_inspector/

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89678
  • No support PMs thanks
Re: Problems with TROJANS that are hard to get rid of...
« Reply #18 on: June 30, 2007, 03:14:53 PM »
Quote
And, DavidR. You said that after "cleaning" my system I should create a clean system restore point. By cleaning you mean eliminate all the infected files and folders that are in quarantine in the AVG anti-spyware?, and I was unable to access the folder C:\system volume information\ It said that the access was restricted....


That is what I mean, there is little point in creating a restore point if there are any infections on the loose. So at the end of this process.

There are some who say that whilst you are trying to cure/remove infected files you should have System Restore disabled (and reboot, which clears ALL restore points), as any infected file that happens to be in a system folder, or in one protected by System Restore, would cause a restore point to be created with a copy of that file. This may be why these infected files are in the System Volume Information folder.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD - 27" external monitor 1440p 2560x1440 resolution - avast! free  24.9.6130 (build 24.9.9452.762) UI 1.0.818/ Firefox, uBlock Origin Lite, uMatrix/ MailWasher Pro/ Avast! Mobile Security

KLM

  • Guest
Re: Problems with TROJANS that are hard to get rid of...
« Reply #19 on: June 30, 2007, 04:23:17 PM »
Good Mauserme here it is (PART 1):

ComboFix 07-06-18.2 - C:\Documents and Settings\Horacio Morales\Escritorio\ComboFix.exe
"Horacio Morales" - 2007-06-30  8:41:03 - Service Pack 2  NTFS  
(((((((((((   V Log   )))))))))))))


C:\WINDOWS\system32\ijrryuwj.dll
C:\WINDOWS\system32\liadtnjc.dll
C:\WINDOWS\system32\vpknvwqt.dll
C:\WINDOWS\system32\jwuyrrji.ini
C:\WINDOWS\system32\ijjlm.bak1
C:\WINDOWS\system32\ijjlm.bak2
C:\WINDOWS\system32\ijjlm.ini
C:\WINDOWS\system32\ijjlm.bak1
C:\WINDOWS\system32\ijjlm.bak2
C:\WINDOWS\system32\ijjlm.ini
C:\WINDOWS\system32\mljji.dll
C:\WINDOWS\system32\byxyyyy.dll


* * *  POST RUN FILES/FOLDERS  * * * * * *

((((((((((   Files Created from 2007-05-28 to 2007-06-30  ))))))))))))))))))))


2007-06-30 08:40   49,152   --a------   C:\WINDOWS\nircmd.exe
2007-06-29 18:51   <DIR>   d--------   C:\DOCUME~1\ALLUSE~1\DATOSD~1\WinZip
2007-06-29 16:44   10,872   --a------   C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-06-29 10:42   <DIR>   d--------   C:\Archivos de programa\Activision
2007-06-24 09:37   <DIR>   d--------   C:\DOCUME~1\HORACI~1\DATOSD~1\AdobeUM
2007-06-24 09:27   <DIR>   d--------   C:\DOCUME~1\ALLUSE~1\DATOSD~1\Adobe Systems
2007-06-24 09:27   <DIR>   d--------   C:\Archivos de programa\Archivos comunes\Adobe Systems Shared
2007-06-23 23:43   4,628   --a------   C:\WINDOWS\system32\wncrcfvn.exe
2007-06-21 23:49   306,688   --a------   C:\WINDOWS\IsUninst.exe
2007-06-21 12:28   20,352   --a------   C:\DOCUME~1\HORACI~1\DATOSD~1\GDIPFONTCACHEV1.DAT
2007-06-20 19:37   <DIR>   d--------   C:\Archivos de programa\MSXML 4.0
2007-06-20 19:33   20,016   ---------   C:\WINDOWS\system32\drivers\pxhelp20.sys
2007-06-20 19:33   <DIR>   d--------   C:\Archivos de programa\Winamp
2007-06-20 19:32   90,112   --a------   C:\WINDOWS\unvise32.exe
2007-06-20 19:30   <DIR>   d--------   C:\Archivos de programa\DivX
2007-06-20 19:05   <DIR>   d--------   C:\DOCUME~1\HORACI~1\DATOSD~1\Ahead
2007-06-20 19:03   <DIR>   d--------   C:\Archivos de programa\Nero
2007-06-20 19:03   <DIR>   d--------   C:\Archivos de programa\Archivos comunes\Ahead
2007-06-20 09:15   25,856   --a------   C:\WINDOWS\system32\drivers\usbprint.sys
2007-06-19 23:46   <DIR>   d--------   C:\DOCUME~1\HORACI~1\DATOSD~1\Microsoft Games
2007-06-19 23:29   <DIR>   d--------   C:\Archivos de programa\Microsoft Games
2007-06-19 22:00   <DIR>   d--------   C:\Archivos de programa\LimeWire
2007-06-19 21:56   <DIR>   d--------   C:\DOCUME~1\HORACI~1\DATOSD~1\Google
2007-06-19 21:56   <DIR>   d--------   C:\Archivos de programa\Google
2007-06-19 11:09   <DIR>   d--------   C:\DOCUME~1\HORACI~1\DATOSD~1\fltk.org
2007-06-19 07:45   271,224   --a------   C:\WINDOWS\system32\mucltui.dll
2007-06-18 22:26   <DIR>   d--------   C:\Archivos de programa\Liquid Entertainment
2007-06-18 21:59   82,944   --a------   C:\WINDOWS\system32\drivers\wdmaud.sys
2007-06-18 21:59   7,552   --a------   C:\WINDOWS\system32\drivers\MSKSSRV.sys
2007-06-18 21:59   60,800   --a------   C:\WINDOWS\system32\drivers\sysaudio.sys
2007-06-18 21:59   6,400   --a------   C:\WINDOWS\system32\drivers\splitter.sys
2007-06-18 21:59   54,272   --a------   C:\WINDOWS\system32\drivers\swmidi.sys
2007-06-18 21:59   52,864   --a------   C:\WINDOWS\system32\drivers\DMusic.sys
2007-06-18 21:59   5,376   --a------   C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2007-06-18 21:59   4,992   --a------   C:\WINDOWS\system32\drivers\MSPQM.sys
2007-06-18 21:59   2,944   --a------   C:\WINDOWS\system32\drivers\drmkaud.sys
2007-06-18 21:59   172,416   --a------   C:\WINDOWS\system32\drivers\kmixer.sys
2007-06-18 21:59   142,464   --a------   C:\WINDOWS\system32\drivers\aec.sys
2007-06-18 21:57   60,288   --a------   C:\WINDOWS\system32\drivers\drmk.sys
2007-06-18 21:57   4,096   --a------   C:\WINDOWS\system32\ksuser.dll
2007-06-18 21:57   <DIR>   d--------   C:\Archivos de programa\CONEXANT
2007-06-18 21:37   0   --a------   C:\WINDOWS\PowerReg.dat
2007-06-18 20:54   <DIR>   dr-------   C:\DOCUME~1\LOCALS~1\Favoritos
2007-06-18 20:09   95,872   --a------   C:\WINDOWS\system32\AvastSS.scr
2007-06-18 20:09   94,552   --a------   C:\WINDOWS\system32\drivers\aswmon2.sys
2007-06-18 20:09   85,952   --a------   C:\WINDOWS\system32\drivers\aswmon.sys
2007-06-18 20:09   745,600   --a------   C:\WINDOWS\system32\aswBoot.exe
2007-06-18 20:09   499,712   --a------   C:\WINDOWS\system32\MSVCP71.dll
2007-06-18 20:09   43,176   --a------   C:\WINDOWS\system32\drivers\aswTdi.sys
2007-06-18 20:09   348,160   --a------   C:\WINDOWS\system32\MSVCR71.dll
2007-06-18 20:09   26,888   --a------   C:\WINDOWS\system32\drivers\aavmker4.sys
2007-06-18 20:09   23,416   --a------   C:\WINDOWS\system32\drivers\aswRdr.sys
2007-06-18 20:09   1,060,864   --a------   C:\WINDOWS\system32\MFC71.dll
2007-06-18 20:09   <DIR>   d--------   C:\Archivos de programa\Alwil Software
2007-06-18 13:20   <DIR>   d--------   C:\WINDOWS\system32\es-es
2007-06-18 13:18   <DIR>   d--------   C:\WINDOWS\network diagnostic
2007-06-18 12:37   <DIR>   d--h-----   C:\WINDOWS\$hf_mig$
2007-06-18 12:37   <DIR>   d--------   C:\WINDOWS\system32\PreInstall
2007-06-18 12:28   <DIR>   d--------   C:\DOCUME~1\LOCALS~1\Men£ Inicio
2007-06-18 12:27   <DIR>   d--------   C:\WINDOWS\Prefetch
2007-06-18 12:09   <DIR>   d--------   C:\WINDOWS\provisioning
2007-06-18 12:09   <DIR>   d--------   C:\WINDOWS\peernet
2007-06-18 12:07   <DIR>   d--------   C:\WINDOWS\ServicePackFiles
2007-06-18 12:04   22,752   --a------   C:\WINDOWS\system32\spupdsvc.exe
2007-06-18 12:03   <DIR>   d--------   C:\WINDOWS\EHome
2007-06-18 10:56   4,569   ---------   C:\WINDOWS\system32\secupd.dat
2007-06-18 10:56   11,776   ---------   C:\WINDOWS\system32\spnpinst.exe
2007-06-18 10:26   <DIR>   d--------   C:\WINDOWS\system32\SoftwareDistribution
2007-06-17 22:56   956,416   --a------   C:\WINDOWS\system32\msdtctm.dll
2007-06-17 22:56   91,136   --a------   C:\WINDOWS\system32\mtxoci.dll
2007-06-17 22:56   77,312   --a------   C:\WINDOWS\system32\browser.dll
2007-06-17 22:56   66,560   --a------   C:\WINDOWS\system32\mtxclu.dll
2007-06-17 22:56   625,152   --a------   C:\WINDOWS\system32\catsrvut.dll
2007-06-17 22:56   614,912   --a------   C:\WINDOWS\system32\h323msp.dll
2007-06-17 22:56   60,416   --a------   C:\WINDOWS\system32\colbact.dll
2007-06-17 22:56   581,120   --a------   C:\WINDOWS\system32\rpcrt4.dll
2007-06-17 22:56   540,160   --a------   C:\WINDOWS\system32\comuid.dll
2007-06-17 22:56   426,496   --a------   C:\WINDOWS\system32\msdtcprx.dll
2007-06-17 22:56   40,960   --a------   C:\WINDOWS\system32\mf3216.dll
2007-06-17 22:56   397,824   --a------   C:\WINDOWS\system32\rpcss.dll
2007-06-17 22:56   332,288   --a------   C:\WINDOWS\system32\ipnathlp.dll
2007-06-17 22:56   243,200   --a------   C:\WINDOWS\system32\es.dll
2007-06-17 22:56   225,792   --a------   C:\WINDOWS\system32\catsrv.dll
2007-06-17 22:56   161,280   --a------   C:\WINDOWS\system32\msdtcuiu.dll
2007-06-17 22:56   110,080   --a------   C:\WINDOWS\system32\clbcatex.dll
2007-06-17 22:56   101,376   --a------   C:\WINDOWS\system32\txflog.dll
2007-06-17 22:56   1,284,608   --a------   C:\WINDOWS\system32\ole32.dll
2007-06-17 22:56   1,267,200   --a------   C:\WINDOWS\system32\comsvcs.dll
2007-06-17 22:55   241,152   --a------   C:\WINDOWS\system32\srrstr.dll
2007-06-17 22:53   26,112   --a------   C:\WINDOWS\system32\xpsp1hfm.exe
2007-06-17 22:53   <DIR>   d--h-c---   C:\WINDOWS\$xpsp1hfm$
2007-06-17 22:47   <DIR>   d--------   C:\DOCUME~1\ALLUSE~1\DATOSD~1\Windows Genuine Advantage
2007-06-17 22:36   8,192   ---------   C:\WINDOWS\system32\bitsprx2.dll
2007-06-17 22:36   7,168   ---------   C:\WINDOWS\system32\bitsprx3.dll
2007-06-17 22:36   351,232   --a------   C:\WINDOWS\system32\winhttp.dll
2007-06-17 22:36   18,944   --a------   C:\WINDOWS\system32\qmgrprxy.dll
2007-06-17 22:36   <DIR>   d--------   C:\WINDOWS\system32\bits
2007-06-17 22:34   549,720   --a------   C:\WINDOWS\system32\wuapi.dll
2007-06-17 22:34   43,352   --a------   C:\WINDOWS\system32\wups2.dll
2007-06-17 22:34   33,624   --a------   C:\WINDOWS\system32\wups.dll


KLM

  • Guest
Re: Problems with TROJANS that are hard to get rid of...
« Reply #20 on: June 30, 2007, 04:24:08 PM »
(PART 2)



(((((((((   Find3M Report   )))))))))))

2007-06-22 15:26:28   2,864   ----a-w   C:\WINDOWS\system32\winsock.dll
2007-06-19 03:00:01   51,266   ----a-w   C:\WINDOWS\system32\perfc00A.dat
2007-06-19 03:00:01   362,442   ----a-w   C:\WINDOWS\system32\perfh00A.dat
2007-06-14 22:30:08   --------   d-----w   C:\Archivos de programa\Servicios en línea
2007-04-25 14:22:37   144,896   ----a-w   C:\WINDOWS\system32\schannel.dll
2007-04-18 16:14:22   2,854,400   ----a-w   C:\WINDOWS\system32\msi.dll
2007-04-17 03:45:36   203,096   ----a-w   C:\WINDOWS\system32\wuweb.dll
2007-04-17 03:45:28   92,504   ----a-w   C:\WINDOWS\system32\cdm.dll
2007-04-17 03:43:40   208,248   ----a-w   C:\WINDOWS\system32\muweb.dll


(((((((((((((((   Reg Loading Points   ))))))))))))
 
 
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=C:\Archivos de programa\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll [2004-12-14 01:56]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Archivos de programa\Java\jre1.6.0_01\bin\ssv.dll [2007-03-14 03:43]
{AE7CD045-E861-484f-8273-0445EE161910}=C:\Archivos de programa\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll [2004-12-14 02:13]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nTrayFw"="C:\Archivos de programa\NVIDIA Corporation\NetworkAccessManager\bin\nTrayFw.exe" [2006-03-03 14:43]
"hpWirelessAssistant"="%ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" []
"SynTPEnh"="C:\Archivos de programa\Synaptics\SynTP\SynTPEnh.exe" [2007-01-12 14:36]
"avast!"="C:\ARCHIV~1\ALWILS~1\Avast4\ashDisp.exe" [2007-04-30 09:42]
"SunJavaUpdateSched"="C:\Archivos de programa\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43]
"NeroFilterCheck"="C:\Archivos de programa\Archivos comunes\Ahead\Lib\NeroCheck.exe" [2006-01-12 16:40]
"WinampAgent"="C:\Archivos de programa\Winamp\winampa.exe" [2003-12-12 19:50]
"Acrobat Assistant 7.0"="C:\Archivos de programa\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2004-12-14 02:12]
"@"="" []
"!AVG Anti-Spyware"="C:\Archivos de programa\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 04:25]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-06-14 19:02]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-19 17:42]
"MSMSGS"="C:\Archivos de programa\Messenger\msmsgs.exe" [2004-10-13 11:24]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Archivos de programa\Archivos comunes\Ahead\Lib\NMBgMonitor.exe" [2006-06-01 13:32]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="C:\Archivos de programa\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" [2007-05-30 07:29]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winpsa32]
winpsa32.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AVG Anti-Spyware Driver]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AVG Anti-Spyware Guard]


Contents of the 'Scheduled Tasks' folder
2007-06-30 13:45:50  C:\WINDOWS\tasks\LEEME.job

***********************************************************

catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-30 08:45:57
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

******************************************************

Completion time: 2007-06-30  8:48:59 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-06-30 08:48

   --- E O F ---

KLM

  • Guest
Re: Problems with TROJANS that are hard to get rid of...
« Reply #21 on: June 30, 2007, 04:25:45 PM »
(PART 3)

And the results of HijackThis (I changed the name to HijackKLM, but as you see, it didn't affect the name in the log):

Logfile of HijackThis v1.99.1
Scan saved at 08:57:34 a.m., on 30/06/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Archivos de programa\Alwil Software\Avast4\aswUpdSv.exe
C:\Archivos de programa\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Archivos de programa\NVIDIA Corporation\NetworkAccessManager\bin\nTrayFw.exe
C:\Archivos de programa\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Archivos de programa\Synaptics\SynTP\SynTPEnh.exe
C:\ARCHIV~1\ALWILS~1\Avast4\ashDisp.exe
C:\Archivos de programa\Java\jre1.6.0_01\bin\jusched.exe
C:\Archivos de programa\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Archivos de programa\Winamp\winampa.exe
C:\Archivos de programa\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Archivos de programa\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Archivos de programa\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Archivos de programa\Messenger\msmsgs.exe
C:\Archivos de programa\Archivos comunes\Ahead\Lib\NMBgMonitor.exe
C:\Archivos de programa\Archivos comunes\Microsoft Shared\VS7Debug\mdm.exe
C:\Archivos de programa\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\Archivos de programa\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Archivos de programa\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
C:\Archivos de programa\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Archivos de programa\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Archivos de programa\Alwil Software\Avast4\ashMaiSv.exe
C:\Archivos de programa\Alwil Software\Avast4\ashWebSv.exe
C:\ARCHIV~1\HEWLET~1\Shared\HPQTOA~1.EXE
C:\WINDOWS\system32\notepad.exe
C:\Archivos de programa\Internet Explorer\iexplore.exe
C:\Archivos de programa\Hijackthis\HijackKLM.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Archivos de programa\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Archivos de programa\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Archivos de programa\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: PDF de Adobe - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Archivos de programa\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [nTrayFw] C:\Archivos de programa\NVIDIA Corporation\NetworkAccessManager\bin\nTrayFw.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Archivos de programa\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [avast!] C:\ARCHIV~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Archivos de programa\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Archivos de programa\Archivos comunes\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Archivos de programa\Winamp\winampa.exe
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Archivos de programa\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Archivos de programa\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Archivos de programa\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Archivos de programa\Archivos comunes\Ahead\Lib\NMBgMonitor.exe"
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: Inicio rápido de Adobe Acrobat.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Archivos de programa\Microsoft Office\Office10\OSA.EXE

KLM

  • Guest
Re: Problems with TROJANS that are hard to get rid of...
« Reply #22 on: June 30, 2007, 04:26:10 PM »
(PART 4)

O8 - Extra context menu item: Convertir a PDF de Adobe - res://C:\Archivos de programa\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convertir a PDF existente - res://C:\Archivos de programa\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convertir destino de vínculo a PDF existente - res://C:\Archivos de programa\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convertir destino de vínculo en archivo PDF de Adobe - res://C:\Archivos de programa\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convertir selección a archivo PDF existente - res://C:\Archivos de programa\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convertir selección a PDF de Adobe - res://C:\Archivos de programa\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convertir vínculos seleccionados a PDF de Adobe - res://C:\Archivos de programa\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convertir vínculos seleccionados a PDF existente - res://C:\Archivos de programa\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\ARCHIV~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Consola de Sun Java - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1182137518248
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1182192437437
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winpsa32 - winpsa32.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Archivos de programa\Archivos comunes\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Archivos de programa\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Archivos de programa\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Archivos de programa\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Archivos de programa\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Archivos de programa\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: DomainService - Unknown owner - C:\WINDOWS\system32\uaknyolm.exe (file missing)
O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - C:\Archivos de programa\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Unknown owner - C:\Archivos de programa\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe" -k runservice (file missing)
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Archivos de programa\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: NBService - Nero AG - C:\Archivos de programa\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA Corporation - C:\Archivos de programa\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: ForceWare user log service (nSvcLog) - NVIDIA - C:\Archivos de programa\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe



Well, now I have some questions, I hope not to be annoying...(...)

What is combomix?
Why can combomix detect infected elements and avast can't (because C:\WINDOWS\system32\byxyyyy.dll is an infected one)?
If it can detect them, can it erase them and function as an antivirus?
I also noted that hijackthis has tools that I suppose are to deal with the processes produced by the infected file (you know, obviously I am just making suppositions about this, but it is because I want to learn, at least a little). I haven't used them 'cause you are the ones that give the advice (and because I don't understand at all the consequences, jeje), but can those tools solve the problem in the system?

Good, that is it... thanks for helping me and solving my doubts.


« Last Edit: June 30, 2007, 04:29:34 PM by KLM »

KLM

  • Guest
Re: Problems with TROJANS that are hard to get rid of...
« Reply #23 on: June 30, 2007, 04:32:22 PM »
Oh, I think that you already answered one of my questions... FreeWheelingFrank. Thanks, I'm going to try it.

Offline FreewheelinFrank

  • Avast Evangelist
  • Ultra Poster
  • ***
  • Posts: 4871
  • I'm a GNU
    • Don't Surf in the Nude!
Re: Problems with TROJANS that are hard to get rid of...
« Reply #24 on: June 30, 2007, 04:47:21 PM »
Certain spyware infections require specialist tools to remove: Vundo/Virtumonde is one.

AV's are good at detecting files, but sometimes a special tool is required using specific techniques and procedures to remove the infection.

ComboFix removes a number of spyware infections, as well as checking for hidden malware and producing a log of system information which can be used to identify infections.

http://www.windowsbbs.com/showthread.php?t=57442

It looks like ComboFix removed the Virtumonde infection identified but not removed by AVG Anti-Spyware.

It also appears that one of the scanners you ran has removed the malware file for the following entry:

O23 - Service: DomainService - Unknown owner - C:\WINDOWS\system32\uaknyolm.exe (file missing)

You can follow the procedure I mentioned above to remove the entry.

« Last Edit: June 30, 2007, 04:49:44 PM by FreewheelinFrank »

KLM

  • Guest
Re: Problems with TROJANS that are hard to get rid of...
« Reply #25 on: June 30, 2007, 05:01:38 PM »
Well, I downloaded VundoFix but it didn't find any infected element... maybe Combomix erased it, because I can't find it in C:\windows\system32 anymore.

Another question:

You guys tell me to post the logs generated by "Hijackthis" and "Combomix". I understand that the logs are reports of the processes in the system, but how do you identify a suspicious element?, because for me they are just directions.
« Last Edit: June 30, 2007, 05:06:11 PM by KLM »

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Problems with TROJANS that are hard to get rid of...
« Reply #26 on: June 30, 2007, 05:06:55 PM »
It is a mixture of knowledge, Google and specialist malware sites for research. It can be learnt but may take a while. This area comes under the heading of "a little knowledge is dangerous". Delete the wrong file and no system

Offline FreewheelinFrank

  • Avast Evangelist
  • Ultra Poster
  • ***
  • Posts: 4871
  • I'm a GNU
    • Don't Surf in the Nude!
Re: Problems with TROJANS that are hard to get rid of...
« Reply #27 on: June 30, 2007, 05:16:28 PM »
Quote
Well, I downloaded VundoFix but it didn't find any infected element... maybe Combomix erased it, because I can't find it in C:\windows\system32 anymore.

Yes, ComboFix targets Virtumonde infections among others, so there wouldn't be anything left for VundoFix to find.

Quote
You guys tell me to post the logs generated by "Hijackthis" and "Combomix". I understand that the logs are reports of the processes in the system, but how do you identify a suspicious element?, because for me they are just directions.

mauserme will look at the log when he comes back, and analyse it for you. I'm sure he'll give you some information about how malicious entries can be identified too.

People who help out on certain forums have access to databases of file names and registry entries for newly emerging malware, no doubt. For the rest of us, a Google search often reveals if the file is legitimate or malware. A randomly named file which brings up nothing on Google is most often a malware file.
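The clues Frank lists (an entry whose file has gone missing, a randomly named file in system32, a service with no publisher, an unfamiliar Winlogon Notify handler) are exactly what a helper scans a HijackThis log for. The script below is an added example written for this page, not a tool from the thread, from HijackThis or from ComboFix. It parses O4/O20/O23 lines and returns the reasons each entry deserves a closer look. The sample lines are copies of entries quoted earlier in this thread, the allowlist KNOWN_WINLOGON and the "random-looking name" pattern are illustrative assumptions, and a hit means "research this entry", not "delete it".

```python
import re

# Constructed sample input: copies of HijackThis entries quoted earlier in this
# thread (two known-good avast! entries are included so the triage has negatives).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [GPLv3] rundll32.exe "C:\WINDOWS\system32\kxvouybm.dll",realset
O4 - HKLM\..\Run: [avast!] C:\ARCHIV~1\ALWILS~1\Avast4\ashDisp.exe
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winpsa32 - winpsa32.dll (file missing)
O23 - Service: avast! Antivirus - ALWIL Software - C:\Archivos de programa\Alwil Software\Avast4\ashServ.exe
O23 - Service: DomainService - Unknown owner - C:\WINDOWS\system32\uaknyolm.exe (file missing)
""".strip().splitlines()

ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")
# A full drive path ending in an executable-ish extension, tried first so that
# "rundll32.exe <quoted dll path>" resolves to the DLL, not to rundll32.
DRIVE_PATH_RE = re.compile(r'[A-Za-z]:\\[^"\n]*?\.(?:exe|dll|sys|scr|ocx)', re.IGNORECASE)
# Fallback for bare module names such as "winpsa32.dll".
BARE_MODULE_RE = re.compile(r"\b[\w~]+\.(?:exe|dll)\b", re.IGNORECASE)
# Heuristic (assumption): 7-9 lowercase letters with no digits or capitals,
# the shape of names like kxvouybm or uaknyolm. Legitimate files can match too.
RANDOM_STEM_RE = re.compile(r"^[a-z]{7,9}$")
# Illustrative allowlist of Winlogon Notify handlers treated as expected (assumption).
KNOWN_WINLOGON = {"wgalogon"}


def parse_entry(line):
    """Split one HijackThis line into section, referenced file and (for O23) owner."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    section, rest = m.groups()
    path_m = DRIVE_PATH_RE.search(rest) or BARE_MODULE_RE.search(rest)
    path = path_m.group(0) if path_m else ""
    owner = None
    if section == "O23" and rest.startswith("Service: "):
        # Format: "Service: <display name> - <owner> - <path>"
        parts = rest[len("Service: "):].split(" - ", 2)
        if len(parts) == 3:
            owner = parts[1]
    return {
        "section": section,
        "line": line.strip(),
        "path": path,
        "basename": path.rsplit("\\", 1)[-1],
        "owner": owner,
        "file_missing": "(file missing)" in rest,
    }


def suspicion_reasons(entry):
    """Return the triage reasons for one parsed entry (empty list = nothing odd)."""
    reasons = []
    stem = entry["basename"].rsplit(".", 1)[0]
    if entry["file_missing"]:
        reasons.append("orphaned entry: referenced file no longer exists")
    if entry["section"] == "O23" and entry["owner"] == "Unknown owner":
        reasons.append("service has no publisher")
    if RANDOM_STEM_RE.match(stem) and "system32" in entry["path"].lower():
        reasons.append("random-looking name in system32")
    if entry["section"] == "O20" and stem.lower() not in KNOWN_WINLOGON:
        reasons.append("unfamiliar Winlogon Notify handler")
    return reasons


def triage(lines):
    """Parse every line; return [(basename, reasons)] for entries worth researching."""
    flagged = []
    for line in lines:
        entry = parse_entry(line)
        if entry is None:
            continue
        reasons = suspicion_reasons(entry)
        if reasons:
            flagged.append((entry["basename"], reasons))
    return flagged


if __name__ == "__main__":
    for name, reasons in triage(SAMPLE_LOG):
        print(f"{name}: {'; '.join(reasons)}")
```

Run against the sample, the two avast! entries and WgaLogon.dll come out clean, kxvouybm.dll is flagged once, winpsa32.dll twice and uaknyolm.exe three times, which matches the order in which the helpers in this thread singled those entries out. The score is only a reading aid for the search-engine and database lookups Frank describes; the flagged names still have to be researched before anything is fixed or deleted.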

KLM

  • Guest
Re: Problems with TROJANS that are hard to get rid of...
« Reply #28 on: June 30, 2007, 05:19:39 PM »
Ohh, thank you. Interesting...

Well, another question:

Why can't avast solve these problems with the trojans?
Why can't it detect them as other antiviruses do?
In my opinion it is a good antivirus (I have no basis to state that, it's just a feeling) but I don't understand why, if the team that developed it should be updating it for new kinds of trojans, worms, etc... I even sent them one of these infected executables (bxyxyyyy, or something like that) so that they could analyse it and develop a defence...
Maybe I am being impatient but I would like you to explain to me a little about this dynamic.
« Last Edit: June 30, 2007, 05:22:24 PM by KLM »

mauserme

  • Guest
Re: Problems with TROJANS that are hard to get rid of...
« Reply #29 on: June 30, 2007, 05:35:15 PM »
First let's address the malware:

Open HJT again and click to Run a System Scan Only.  When finished, place a check mark next to this line

O20 - Winlogon Notify: winpsa32 - winpsa32.dll (file missing)

Now close all other windows, including your browser, and click the button labelled Fix Checked.


Next, please upload these files to Virus Total for analysis and post the results in your next response

C:\WINDOWS\system32\wncrcfvn.exe

C:\WINDOWS\unvise32.exe

C:\WINDOWS\system32\mucltui.dll

C:\WINDOWS\system32\winsock.dll


Now a little explanation:

The line I asked you to fix in HJT is the registry entry that loaded a file named winpsa32.dll at start up. We are removing it because it is related to a trojan that has already been removed from your computer.

ComboFix has already removed many other malicious files from your computer (those in the V-Log) but the area below that in the log shows that some suspicious files were recently created on your computer.  Those are the files I asked you to scan at Virus Total because, although I feel confident about a couple of them being malware, I still like to double check before deleting anything.

ComboFix is able to identify some of these that regular antivirus programs do not because it has very specifically written signatures for a small number of infections. The number of malware it detects is not enough to make it useful as a regular antivirus program, just a specialty tool for certain types of infection. It would be impractical for a regular antivirus program to use such specificity.