Hola gente!
Hace una semana más o menos se me infectó la máquina con lo que Spybot SD llama Virtumonde, un Vundo. Siguiendo los pasos en

Eliminar Vundo \ Winfixer \ Virtuamundo

corrí el Hijack This, y éste es el reporte que me ha dado:


--------------------------------------------------------------------------------------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:32:14 PM, on 7/8/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device

Support\bin\AppleMobileDeviceService.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\ISafe.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Creative\Shared Files\CTDevSrv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ

Antivirus\VetMsg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ

Antivirus\CAVRID.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\CA\eTrust Internet Security Suite\cctray\cctray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462

\GoogleToolbarNotifier.exe
C:\Program Files\CA\eTrust Internet Security Suite\ccprovsp.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32Info.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =

Main Page - Wikipedia, the free encyclopedia
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =

MSN.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =

Live Search
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =

Live Search
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =

MSN.com
O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} -

C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program

files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [VolPanel] "C:\Program Files\Creative\Sound Blaster X-

Fi\Volume Panel\VolPanlu.exe" /r
O4 - HKLM\..\Run: [P17Helper] Rundll32 SPIRun.dll,RunDLLEntry
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust Internet Security

Suite\eTrust EZ Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil

/RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE

/SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE

/IMEName
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05

\bin\jusched.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common

Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common

Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\eTrust Internet Security

Suite\cctray\cctray.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common

Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader

8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32

\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -

atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [bcbafd15] rundll32.exe "C:\WINDOWS\system32\qorqjibq.dll",b
O4 - HKLM\..\Run: [BMbf89ce89] Rundll32.exe "C:\WINDOWS\system32\mwrxotjo.dll",s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows

Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program

Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search &

Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [swg] C:\Program

Files\Google\GoogleToolbarNotifier\1.2.1128.5462\G oogleToolbarNotifier.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1

\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open with WordPerfect - C:\Program

Files\WordPerfect Office X3\Programs\WPLauncher.hta
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} -

C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-

00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} -

C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} -

C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration -

{DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} -

C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-

f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} -

C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-

00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: (no name) - SolidConverterPDF - (no file) (HKCU)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage

Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) -

http://www1.snapfish.com/SnapfishActivia.cab
O16 - DPF: {474F00F5-3853-492C-AC3A-476512BBC336} (UploadListView Class) -

http://picasaweb.google.com/s/v/30.66/uploader2.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) -

http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) -

http://tools.ebayimg.com/eps/wl/acti...ontrol_v1-0-3-

48.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) -

http://gfx2.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {8A0019EB-51FA-4AE5-A40B-C0496BBFC739} (Verizon Wireless Media

Upload) - Cell Phones, Cell Phone Plans, Cell Phone Accessories - Verizon Wireless
O16 - DPF: {D1548A26-B8F6-4E86-AE74-E7062CCC2E2A} (igLoader Content on Demand) -

http://www.miniclip.com/igloader/igloader.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) -

https://fpdownload.macromedia.com/pu...sh/swflash.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program

Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common

Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32

\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: CaCCProvSP - CA, Inc. - C:\Program Files\CA\eTrust Internet

Security Suite\ccprovsp.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program

Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\ISafe.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd -

C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: CT Device Query service (CTDevice_Srv) - Creative Technology Ltd

- C:\Program Files\Creative\Shared Files\CTDevSrv.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program

Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program

Files\iPod\bin\iPodService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero

BackItUp\NBService.exe
O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program

Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\VetMsg.exe

------------------------------------------------------------------------------------------------

Por favor avísenme cuales son los archvos para hacer el "Fix Checked", y seguir con el procedimiento en la guía. Muchísimas gracias.

Hola a11571 , te doy la bienvenida al Foro de InfoSpyware.

Paso 1- Descarga, Instala y/o actualiza estas herramientas: (pero no los ejecutes aun)

• ComboFix.exe
• Malwarebytes' Anti-Malware

Paso 2- Con todos los programas cerrados, ejecuta HijackThis y dale a las siguientes entradas:


O4 - HKLM\..\Run: [bcbafd15] rundll32.exe "C:\WINDOWS\system32\qorqjibq.dll",b
O4 - HKLM\..\Run: [BMbf89ce89] Rundll32.exe "C:\WINDOWS\system32\mwrxotjo.dll",s





Paso 3- Ejecuta estas herramientas, de a una:

• Malwarebytes' Anti-Malware
  *Nota* Es importante que envíes a "Cuarentena" todo lo que este detecte antes de copiar y pegarnos su reporte.

• Antes de usar ComboFix....
• Desactiva temporalmente el Antivirus y/o Antispyware.
• Cierra todas las ventanas abiertas.
• Hacele doble clic al archivo ComboFix.exe y seguí las instrucciones.
• Cuando termine, generara un registro en C:\ComboFix.txt.
  • *Nota* Mientras CF este trabajando no mover el mouse ya que pararía su proceso.
  • *Nota* ComboFix puede reiniciar automáticamente el PC para completar el proceso de eliminación.

Paso 4- Descarga CCleaner y ejecútalo usando primero su opción de "Limpiador" para borrar cookies, temporales de Internet y todos los archivos que este te muestre como obsoletos, y luego usa su opción de "Registro" para limpiar todo el registro de Windows (haciendo copia de seguridad).

Reinicia y nos contas los resultados. junto con el reporte de

Paso 5- Reinicia en modo normal y nos dejas los reportes de:

• Malwarebytes' Anti-Malware
• C:\ComboFix.txt en este mismo mensaje.

**Nota**
- Para mayor comodidad imprime los pasos.
- Recuerda regresar y contarnos los resultados.

Salu2

ElPiedra,
Vos sos todo un galán hollywoodense! Parece que con el procedimiento que me habés mandado pude eliminar la infección de Virtumonde. A continuación te pongo los reportes de Malwarebytes' Anti-Malware y Combofix:

---------------------------------------------------------
Malwarebytes' Anti-Malware 1.20
Database version: 930
Windows 5.1.2600 Service Pack 2

9:08:12 PM 7/9/2008
mbam-log-7-9-2008 (21-08-11).txt

Scan type: Full Scan (C:\|)
Objects scanned: 121011
Time elapsed: 56 minute(s), 49 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 2
Registry Keys Infected: 9
Registry Values Infected: 1
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 28

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\pmnli.dll (Trojan.Vundo) -> Unloaded module successfully.
C:\WINDOWS\system32\rqrqqrr.dll (Trojan.Vundo) -> Unloaded module successfully.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Explorer\Browser Helper Objects\{9a240591-902d-44ff-b64c-43baf39eb0ba} (Trojan.Vundo) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{9a240591-902d-44ff-b64c-43baf39eb0ba} (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{a1c77420-d2af-4a94-88da-77ce0c551bed} (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Explorer\Browser Helper Objects\{a1c77420-d2af-4a94-88da-77ce0c551bed} (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\rqrqqrr (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Explorer\ShellExecuteHooks\{a1c77420-d2af-4a94-88da-77ce0c551bed} (Trojan.Vundo) -> Delete on reboot.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Contro l\LSA\Notification Packages (Trojan.Vundo) -> Data: c:\windows\system32\pmnli -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Contro l\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\pmnli -> Delete on reboot.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\pmnli.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\ilnmp.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ilnmp.ini2 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\yltqlvco.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ocvlqtly.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Admin\Local Settings\Temporary Internet Files\Content.IE5\X1DPE4XB\kb767887[1] (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\VundoFix Backups\ajatvc.dll.bad (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\VundoFix Backups\bhpveg.dll.bad (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\VundoFix Backups\cptnhfcy.dll.bad (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\VundoFix Backups\evakfnoj.dll.bad (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\VundoFix Backups\fcnmda.dll.bad (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\VundoFix Backups\fetppyrp.dll.bad (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\VundoFix Backups\hepacgav.dll.bad (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\VundoFix Backups\hpgwunno.dll.bad (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\VundoFix Backups\ibbwnlra.dll.bad (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\VundoFix Backups\iireosjr.dll.bad (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\VundoFix Backups\iqtaml.dll.bad (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\VundoFix Backups\lizojy.dll.bad (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\VundoFix Backups\mmhzzc.dll.bad (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\VundoFix Backups\nobhkpjo.dll.bad (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\VundoFix Backups\qittsmin.dll.bad (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\VundoFix Backups\qmgkelxq.dll.bad (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\VundoFix Backups\rwsjaj.dll.bad (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\VundoFix Backups\ugdelwdr.dll.bad (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\VundoFix Backups\xhfwvb.dll.bad (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\cookies.ini (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\pac.txt (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\rqrqqrr.dll (Trojan.Vundo) -> Delete on reboot.
--------------------------------------------------------------

ComboFix 08-07-09.3 - allan 2008-07-09 21:17:46.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.643 [GMT -6:00]
Running from: C:\Documents and Settings\allan\My Documents\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\BMbf89ce89.txt
C:\WINDOWS\Downloaded Program Files\setup.inf
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\bkxyracc.dll
C:\WINDOWS\system32\bvoiytvw.ini
C:\WINDOWS\system32\cdeeg.ini
C:\WINDOWS\system32\cdeeg.ini2
C:\WINDOWS\system32\dmlmfahb.dll
C:\WINDOWS\system32\driver
C:\WINDOWS\system32\driver\bcm43xx.cat
C:\WINDOWS\system32\driver\RNDISMP.sys
C:\WINDOWS\system32\driver\RNDISMPK.sys
C:\WINDOWS\system32\driver\usb8023.sys
C:\WINDOWS\system32\driver\usb8023k.sys
C:\WINDOWS\system32\ehhkj.ini
C:\WINDOWS\system32\ehhkj.ini2
C:\WINDOWS\system32\falnop.dll
C:\WINDOWS\system32\fuswhv.dll
C:\WINDOWS\system32\gfhkj.ini
C:\WINDOWS\system32\gfhkj.ini2
C:\WINDOWS\system32\gwieallx.ini
C:\WINDOWS\system32\huoekumy.dll
C:\WINDOWS\system32\ilnmp.ini
C:\WINDOWS\system32\jlnmp.ini
C:\WINDOWS\system32\jlnmp.ini2
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\MSINET.oca
C:\WINDOWS\system32\mwrxotjo.dll
C:\WINDOWS\system32\onnmp.ini
C:\WINDOWS\system32\onnmp.ini2
C:\WINDOWS\system32\owxnelmu.ini
C:\WINDOWS\system32\pmnli.dll
C:\WINDOWS\system32\qbijqroq.ini
C:\WINDOWS\system32\qgjwkddu.ini
C:\WINDOWS\system32\rqrqqrr.dll
C:\WINDOWS\system32\utvwa.ini
C:\WINDOWS\system32\utvwa.ini2
C:\WINDOWS\system32\yybeg.ini
C:\WINDOWS\system32\yybeg.ini2

.
((((((((((((((((((((((((( Files Created from 2008-06-10 to 2008-07-10 )))))))))))))))))))))))))))))))
.

2008-07-09 17:05 . 2008-07-09 17:05 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-07-09 17:05 . 2008-07-09 17:05 <DIR> d-------- C:\Documents and Settings\allan\Application Data\Malwarebytes
2008-07-09 17:05 . 2008-07-09 17:05 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-07-09 17:05 . 2008-07-07 17:35 34,296 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-07-09 17:05 . 2008-07-07 17:35 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-07-08 13:31 . 2008-07-08 13:31 <DIR> d-------- C:\Program Files\Trend Micro
2008-07-07 13:53 . 2008-07-07 13:53 <DIR> d-------- C:\Program Files\Yahoo!
2008-07-07 13:52 . 2008-07-07 13:52 <DIR> d-------- C:\Program Files\CCleaner
2008-07-06 13:18 . 2008-07-06 13:18 294 --ahs---- C:\WINDOWS\system32\qxlekgmq.ini
2008-07-02 07:35 . 2008-07-07 18:23 <DIR> d-------- C:\VundoFix Backups
2008-07-01 21:22 . 2008-07-07 15:58 809 --a------ C:\WINDOWS\wininit.ini
2008-07-01 20:18 . 2008-07-01 20:18 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-07-01 20:18 . 2008-07-07 17:50 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-06-30 21:26 . 2008-07-09 09:15 110,428 --a------ C:\WINDOWS\BMbf89ce89.xml
2008-06-30 12:36 . 2008-07-01 13:00 <DIR> d-------- C:\WINDOWS\system32\lib
2008-06-30 12:36 . 2008-07-01 13:00 <DIR> d-------- C:\WINDOWS\system32\fonts
2008-06-30 12:36 . 2008-07-01 13:00 <DIR> d-------- C:\Program Files\psconvert
2008-06-30 09:18 . 2008-06-30 09:18 <DIR> d-------- C:\WINDOWS\system32\edcA16
2008-06-30 09:18 . 2008-06-30 09:18 <DIR> d-------- C:\Temp\Ryuan1
2008-06-30 09:18 . 2008-06-30 09:18 352,410 --a------ C:\WINDOWS\system32\ope20.exe
2008-06-30 09:18 . 2008-06-30 09:18 111,835 --a------ C:\WINDOWS\system32\ope29.exe
2008-06-30 09:18 . 2008-06-30 09:18 0 --a------ C:\WINDOWS\system32\ope29.tmp
2008-06-30 09:18 . 2008-06-30 09:18 0 --a------ C:\WINDOWS\system32\ope20.tmp
2008-06-30 09:18 . 2008-06-30 09:18 0 --a------ C:\WINDOWS\ope27.tmp
2008-06-11 03:44 . 2008-06-11 03:44 <DIR> d-------- C:\Program Files\Image-Line
2008-06-10 17:48 . 2008-06-13 07:10 272,128 --------- C:\WINDOWS\system32\drivers\bthport.sys
2008-06-10 17:48 . 2008-06-13 07:10 272,128 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))) ))
.
2008-07-09 19:10 --------- d-----w C:\Documents and Settings\allan\Application Data\Vso
2008-07-02 13:38 --------- d-----w C:\Program Files\Google
2008-06-30 14:03 --------- d-----w C:\Documents and Settings\allan\Application Data\LimeWire
2008-06-28 09:07 --------- d-----w C:\Program Files\BitTorrent
2008-06-28 09:07 --------- d-----w C:\Documents and Settings\allan\Application Data\BitTorrent
2008-06-27 01:04 --------- d-----w C:\Documents and Settings\allan\Application Data\MegauploadToolbar
2008-06-15 12:30 32,240 ----a-w C:\WINDOWS\system32\drivers\vetmonnt.sys
2008-06-15 12:30 26,352 ----a-w C:\WINDOWS\system32\drivers\vet-filt.sys
2008-06-15 12:30 21,488 ----a-w C:\WINDOWS\system32\drivers\vetfddnt.sys
2008-06-15 12:30 21,104 ----a-w C:\WINDOWS\system32\drivers\vet-rec.sys
2008-06-11 09:44 --------- d-----w C:\Program Files\VstPlugins
2008-06-10 16:41 --------- d-----w C:\Program Files\Quicken
2008-06-08 20:39 --------- d-----w C:\Documents and Settings\All Users\Application Data\Creative
2008-06-05 20:50 --------- d-----w C:\Program Files\7-Zip
2008-06-05 14:30 --------- d-----w C:\Program Files\TotalAudioConverter
2008-06-05 07:20 --------- d-----w C:\Program Files\Creative
2008-06-04 12:45 880,560 ----a-w C:\WINDOWS\system32\drivers\vetefile.sys
2008-06-04 12:45 108,368 ----a-w C:\WINDOWS\system32\drivers\veteboot.sys
2008-05-29 04:14 --------- d-----w C:\Documents and Settings\allan\Application Data\vlc
2008-05-23 01:01 --------- d-----w C:\Program Files\K-Lite Codec Pack
2008-05-22 05:40 --------- d-----w C:\Program Files\MSECache
2008-05-10 01:35 --------- d-----w C:\Program Files\Real Alternative
2008-05-10 01:35 --------- d-----w C:\Program Files\Nero
2008-05-10 01:35 --------- d-----w C:\Program Files\Common Files\Ahead
2008-05-10 01:35 --------- d-----w C:\Program Files\Avanquest update
2008-05-10 01:35 --------- d-----w C:\Documents and Settings\All Users\Application Data\Nero
2008-04-28 03:13 24,192 ----a-w C:\Documents and Settings\allan\usbsermptxp.sys
2008-04-28 03:13 22,768 ----a-w C:\Documents and Settings\allan\usbsermpt.sys
2008-03-27 05:09 227 ----a-w C:\Documents and Settings\Admin\Application Data\config.dat
2007-12-30 23:07 0 ----a-w C:\Documents and Settings\allan\OFXLOG.DAT
2007-07-04 20:55 87,608 ----a-w C:\Documents and Settings\allan\Application Data\inst.exe
2007-07-04 20:55 47,360 ----a-w C:\Documents and Settings\allan\Application Data\pcouffin.sys
2007-12-01 21:11 80 --sha-r C:\WINDOWS\system32\0BF13AC052.dll
2007-05-18 19:55 848 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Curre ntVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 06:00 15360]
"msnmsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 11:34 5724184]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 10:24 1694208]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-03-12 13:49 153136]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\G oogleToolbarNotifier.exe" [2008-07-02 07:38 171448]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Run]
"VolPanel"="C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanlu.exe" [2006-07-28 10:56 122880]
"CAVRID"="C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVRID.exe" [2008-06-15 06:30 234736]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.E XE" [2004-08-04 06:00 208952]
"MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScI nst.exe" [2004-08-04 06:00 59392]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT \TINTSETP.EXE" [2004-08-04 06:00 455168]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TIN TSETP.EXE" [2004-08-04 06:00 455168]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-08-11 16:30 249856]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 16:30 81920]
"cctray"="C:\Program Files\CA\eTrust Internet Security Suite\cctray\cctray.exe" [2008-05-22 07:18 181512]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-09 18:53 153136]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86 \3\hpztsb07.exe" [2002-11-05 12:34 188416]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-03-28 23:37 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]
"P17Helper"="SPIRun.dll" [2006-07-03 13:43 10752 C:\WINDOWS\system32\SPIRun.dll]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.iv41"= ir41_32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ComputerAssociatesAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpo licy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\BitTorrent\\bittorrent.exe"=
"D:\\Program Files\\Sonic\\RecordNow Deluxe\\Update Manager\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

S3 WLIU2KG125S;BUFFALO WLI-U2-KG125S Wireless LAN Adapter Driver;C:\WINDOWS\system32\DRIVERS\usb8023.sys [2004-08-04 06:00]

.
Contents of the 'Scheduled Tasks' folder
"2008-07-09 04:19:03 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
- - - - ORPHANS REMOVED - - - -

BHO-{1AEF1D3D-B328-498C-A097-48C5D1E2E908} - (no file)
BHO-{1C17761C-D10E-474C-859C-587B767F3EDF} - C:\WINDOWS\system32\sstqo.dll
BHO-{1DA47655-1917-405B-9F73-75BD1F5CB44E} - C:\WINDOWS\system32\jkhfg.dll
BHO-{31244B3A-0E9F-41B3-91A4-0B9D00013CAA} - (no file)
BHO-{431E0216-9553-4F52-A184-8DEB9D0A164B} - (no file)
BHO-{5B59CD37-CD40-4C7E-A558-B664F6341623} - (no file)
BHO-{5BDBAB12-5B04-4A01-BE95-E17C19B7F365} - (no file)
BHO-{7829B6AE-EF17-41D5-8D1A-DBAC838B0BF8} - C:\WINDOWS\system32\awvtu.dll
BHO-{864D0D17-3ED6-4C5E-AB3F-52F01BE8EBF9} - C:\WINDOWS\system32\geedc.dll
BHO-{8AECED63-21B9-4999-9433-50E6FF044E94} - C:\WINDOWS\system32\pmnno.dll
BHO-{9A240591-902D-44FF-B64C-43BAF39EB0BA} - (no file)
BHO-{A1C77420-D2AF-4A94-88DA-77CE0C551BED} - (no file)
BHO-{d21e8bab-8a16-411e-aaea-9528abae5e37} - (no file)
BHO-{D305842A-6DFA-450E-BE94-CD0F4E0CB51E} - C:\WINDOWS\system32\gebyy.dll
BHO-{DC950C22-B2B9-47CF-94CA-6BE62F624CCA} - C:\WINDOWS\system32\mljjg.dll
BHO-{F13D90B6-BFA6-4DF6-A10A-874D02FB3675} - C:\WINDOWS\system32\jkhhe.dll
Notify-rqrqqrr - (no file)


************************************************** ************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-09 21:28:05
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

************************************************** ************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\CTSVCCDA.EXE
C:\Program Files\Creative\Shared Files\CTDevSrv.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\vetmsg.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\CA\eTrust Internet Security Suite\ccprovsp.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\isafe.exe
.
************************************************** ************************
.
Completion time: 2008-07-09 21:38:25 - machine was rebooted
ComboFix-quarantined-files.txt 2008-07-10 03:37:53

Pre-Run: 146,491,592,704 bytes free
Post-Run: 147,407,101,952 bytes free

211 --- E O F --- 2008-06-24 17:30:29
-------------------------------------------------------------------

Revisálos y me contás si hay algo más que tenga que hacer. Te agradezco mil veces por la ayuda, y me tomo un trago a tu salud!

allan

Hola, ComboFix ya se encargo de eliminar los archivos de malwares encontrados en tu PC, por lo que si todo esta funcionado bien, damos por terminado el tema.

Para terminar solo te quedaría desinstalar CF de la siguiente manera:

• Ir a Inicio > Ejecutar
• Escribir lo siguiente: ComboFix /u como muestra la imagen debajo:
  
  
  • 
• Esto activara el desinstalador de ComboFix abriendo su pantalla principal y luego de unos segundos veras ("ComboFix is uninstalled")

Salu2