Computer Security & Viruses/Spyguard? / Trojan Zlob
Expert: Brian Benosky - 5/25/2008
QUESTION: Hello Brian,
Thanks for dedicating time to helping people.
My system ran well before May 24. I use original Nod 32 and have the Windows Security Center Fundamentals all activated (green). My system is Vista Starter. Before contacting AllExperts I scanned with free versions of Ad-Aware 2007, which supposedly found 22 infected files and deleted them, Spybot S&D found nothing and SpyWareBlaster, I did not know how to use. I am tired of trying to do what I don't know how to do, as you can tell. I remembered that in the past I had asked questions here about other topics. Would you please help me?
Symptoms: My initial Internet page is Yahoo but now when I click on the IExplorer Icon, most of the time I get the message Browsing cancelled, try writing the address again in Spanish and the address is automatically changed to res://ieframe.dll/navcancl.htm
If I go to favorites I can access Google or other pages but when I type in a search, this messages pops up:
Insecure Internet activity. Threat of virus attack
Due to insecure Internet browsing your PC can easily get infected with viruses, worms and trojans without your knowledge, and that can lead to system slowdown, freezes and crashes.
Also insecure Internet activity can result in revealing your personal information.
To get full advanced real-time protection for PC and Internet activity, install an antivirus and antispyware software.
We recommend you to protect your PC now and continue safe Internet browsing.
Click here to get full advanced real-time protection and continue browsing.
Continue to this website unprotected (not recommended).
I continue anyway and it lets me keep searching but the message appears when it wants.
Also I tried restoring to a previous date through Accessories - System Tools - Restore System, but from what I read in some forums, a calendar option or something like that should display and it does not, in my case. Have the Trojans or whatever they are cancelled this feature, or am I doing it wrongly?
Now I have deactivated restore protection.
The HiJackThis Logfile you require is below.
Also I ran DR.WEB and the results were:
Process.exe
C:\$Recycle.Bin\S-1-5-21-3049109399-2332595613-1713194849-1000\$RSD51QD
Tool.Prockill
restart.exe
C:\$Recycle.Bin\S-1-5-21-3049109399-2332595613-1713194849-1000\$RSD51QD
Tool.ShutDown.11
RJLQZECA.NQF
C:\Archivos de programa\ESET\infected
Trojan.Packed.140
Eliminado
winvnc.exe;C:\Archivos de programa\TELEFONICA\SCR\user\acr
Program.RemoteAdmin.origin
Inbox.dbx;C:\InfoCOMPAQ\WINDOWS\Application Data\Identities\{05182200-D690-11D5-9505-444553540001}\Microsoft\Outlook Express
probablemente BATCH.Virus
winvnc.exe;C:\Program Files\TELEFONICA\SCR\user\acr
Program.RemoteAdmin.origin
Process.exe
C:\Windows\System32
Tool.Prockill
Hope to hear from you. Thanks! (Easy instructions please... I am not a native speaker)
ROSSANA
LOGFILE OF Trend Micro HijackThis v2.0.2
Scan saved at 04:12:41 a.m., on 25/05/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal
Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Eset\nod32kui.exe
C:\Windows\System32\mobsync.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\Internet Explorer\ieuser.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Users\User\Downloads\launch.exe
C:\Users\User\AppData\Local\Temp\RarSFX0\_start.exe
C:\Users\User\AppData\Local\Temp\RarSFX0\setup.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page =
http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
http://www.olidata.cl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =
http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Barra Yahoo! con bloqueador de ventanas emergentes - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: (no name) - {259F616C-A300-44F5-B04A-ED001A26C85C} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {F3642B57-3EA8-4EEA-A643-9DE138381A57} - C:\Users\User\redir.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [SNM] C:\Program Files\SpyNoMore\SNM.exe /startup
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'SERVICIO LOCAL')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'SERVICIO LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'Servicio de red')
O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Referencia - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O13 - Gopher Prefix:
O16 - DPF: {0010ACD5-7EAC-4DD1-874B-5BAF556EE03C} (scrInstaller Class) -
http://www.speedy.com.pe/ras/ScrInstall.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) -
http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://signin3.valueactive.com/Register/Branding/olr3313/OCX/v1018/flashax.cab
O16 - DPF: {FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1} (Control de DownloadManager) -
http://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.1.6.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
--
End of file - 6344 bytes
ANSWER: Hello Rossana
Please download ComboFix to your desktop from here:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
Close all other programs, including any antivirus programs, then double click on the ComboFix icon to run the program. Please allow the program to run completely (it may take some time), and allow it to reboot your computer. After restarting, the program will finish up by creating a log report, which I will need you to copy into a follow-up here, along with a fresh HJT log.
Brian
---------- FOLLOW-UP ----------
QUESTION: Hello again Brian,
Thanks so much for the prompt message back. I followed your instructions but ran the Combofix twice because the first time all the antispywares would pop up change messages and I didn't know whether to accept them or not. I did accept one from Spybot and it seems it eliminated a Browser Helper Object, :(
Then I did not accept other changes and went and uninstalled these programs plus others I did not need. I did not uninstall my Nod32 and the next time I ran the Combofix and it popped up I just closed it. The Combofix did not reboot the second time; it displayed the logfile right after.
The HijackThis displayed a message like this: For some reason your system denied write access to the Hosts file. If any hijacked domains are in this file the HJT may not be able to fix this... and instructions to edit the file myself/exit/right click on HJT Icon and run as administrator.
When it finished, it seemed I didn't need to do any of that and it displayed the LogFile which I am copying below.
Note: My screen (desktop) stayed yellow after the first rebooting. What does that mean? I went into my Windows Problem Solving and it says the Nod32 created the problem and it is unable to fix it. Also I tried to open an urgent pdf file (with Adobe Reader 8) they sent me to my yahoo and I can't see the Open with option anymore. Would you advise me on that too please? Should I redownload the Adobe?
Many Thanks again, the 2 LogFiles you requested below...
Regards,
Rossana
ComboFix 08-05-24.1 - User 2008-05-25 14:47:47.3 - NTFSx86
Microsoft® Windows Vista™ Starter 6.0.6001.1.1252.1.3082.18.117 [GMT -5:00]
Se ejecuta desde: C:UsersUserDownloadsComboFix.exe
* Resident AV is active
.
(((((((((((((((((((((((((((((((((((( Otras eliminaciones )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
C:Windowssystem32azip32.dll
.
(((((((((((((((((( Archivos creados desde 2008-04-25 - 2008-05-25 )))))))))))))))))))))))))))))))))
.
Ningún archivo ha sido creado durante este intervalo de tiempo
.
(((((((((((((((((((((((((((((((((((((( Reporte Find3M )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-25 19:44 --------- d-----w C:UsersUserAppDataRoamingSkype
2008-05-25 19:13 --------- d-----w C:Program FilesInvestintech.com Inc
2008-05-25 19:11 --------- d-----w C:ProgramDataSpybot - Search & Destroy
2008-05-25 19:10 --------- d-----w C:Program FilesSpybot - Search & Destroy
2008-05-25 19:07 --------- d-----w C:Program FilesFree Internet Window Washer
2008-05-25 19:05 --------- d-----w C:Program FilesFree History Eraser
2008-05-25 18:30 --------- d-----w C:UsersUserAppDataRoamingskypePM
2008-05-25 09:11 --------- d-----w C:Program FilesTrend Micro
2008-05-25 03:45 --------- d-----w C:ProgramDataTEMP
2008-05-25 00:39 --------- d-----w C:ProgramDataLavasoft
2008-05-25 00:37 --------- d-----w C:Program FilesLavasoft
2008-05-25 00:35 --------- d-----w C:Program FilesCommon FilesWise Installation Wizard
2008-05-24 16:53 --------- d-----w C:Program Filesa-squared Free
2008-05-24 11:41 --------- d-----w C:ProgramDataGrisoft
2008-05-24 08:26 27,648 ----a-w C:UsersUser
edir.dll
2008-05-16 01:43 --------- d-----w C:Program FilesUlead iPhoto Express
2008-05-15 01:26 --------- d-----w C:Program FilesWindows Mail
2008-04-22 08:08 --------- d-----w C:Program FilesYahoo!
2008-04-22 08:02 --------- d-----w C:Program FilesGoogle
2008-04-19 22:28 --------- d-----w C:ProgramDataLightScribe
2008-01-25 04:38 32 ----a-w C:UsersAll Usersezsid.dat
2008-01-25 04:38 32 ----a-w C:ProgramDataezsid.dat
2007-07-25 05:10 174 --sha-w C:Program Filesdesktop.ini
.
------- Sigcheck -------
.
((((((((((((((((((((((((((((((((( Cargando Puntos Reg ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Nota* entradas vacías & entradas legítimas predeterminadas no son mostradas
[HKEY_LOCAL_MACHINE~Browser Helper Objects{F3642B57-3EA8-4EEA-A643-9DE138381A57}]
2008-05-24 03:26 27648 --a------ C:UsersUser
edir.dll
[HKEY_CURRENT_USERSOFTWAREMicrosoftWindowsCurrentVersionRun]
"Yahoo! Pager"="C:PROGRA~1Yahoo!MESSEN~1YAHOOM~1.exe" [2007-11-06 19:51 3810544]
"updateMgr"="C:Program FilesAdobeAcrobat 7.0ReaderAdobeUpdateManager.exe" [ ]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:Program FilesCommon FilesAheadLibNMBgMonitor.exe" [2006-12-23 18:05 143360]
"Skype"="C:Program FilesSkypePhoneSkype.exe" [2008-02-01 17:22 21898024]
"SpybotSD TeaTimer"="C:Program FilesSpybot - Search & DestroyTeaTimer.exe" [2008-01-28 11:43 2097488]
[HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionRun]
"nod32kui"="C:Program FilesEset
od32kui.exe" [2007-12-26 21:21 949376]
"NBKeyScan"="C:Program FilesNeroNero8Nero BackItUpNBKeyScan.exe" [ ]
"NeroFilterCheck"="C:Program FilesCommon FilesAheadLibNeroCheck.exe" [2006-01-12 15:40 155648]
"Adobe Reader Speed Launcher"="C:Program FilesAdobeReader 8.0ReaderReader_sl.exe" [2008-01-11 22:16 39792]
"RtHDVCpl"="RtHDVCpl.exe" [2007-03-01 14:38 4390912 C:WindowsRtHDVCpl.exe]
"SNM"="C:Program FilesSpyNoMoreSNM.exe" [ ]
[HKEY_LOCAL_MACHINEsoftwaremicrosoftwindowscurrentversionpoliciessystem]
"EnableUIADesktopToggle"= 0 (0x0)
[HKEY_CURRENT_USERsoftwaremicrosoftwindowscurrentversionpoliciesexplorer]
"NoDFSTab"= 1 (0x1)
[HKEY_USERS.defaultsoftwaremicrosoftwindowscurrentversionpoliciesexplorer]
"NoDFSTab"= 1 (0x1)
[HKLM~startupfolderC:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Inicio rápido de Adobe Reader.lnk]
path=C:ProgramDataMicrosoftWindowsStart MenuProgramsStartupInicio rápido de Adobe Reader.lnk
backup=C:WindowspssInicio rápido de Adobe Reader.lnk.CommonStartup
backupExtension=.CommonStartup
[HKEY_LOCAL_MACHINEsoftwaremicrosoftshared toolsmsconfigstartupregLanguageShortcut]
--a------ 2006-05-18 10:29 49152 C:Program FilesCyberLinkPowerDVDLanguageLanguage.exe
[HKEY_LOCAL_MACHINEsoftwaremicrosoftshared toolsmsconfigstartupregNeroFilterCheck]
--a------ 2006-01-12 15:40 155648 C:Program FilesCommon FilesAheadLibNeroCheck.exe
[HKEY_LOCAL_MACHINEsoftwaremicrosoftshared toolsmsconfigstartupregRemoteControl]
--a------ 2006-07-12 21:01 29696 C:Program FilesCyberLinkPowerDVDPDVDServ.exe
[HKEY_LOCAL_MACHINEsoftwaremicrosoftshared toolsmsconfigstartupregRtHDVCpl]
--a------ 2007-03-01 14:38 4390912 C:WindowsRtHDVCpl.exe
[HKEY_LOCAL_MACHINEsoftwaremicrosoftshared toolsmsconfigstartupregVTTimer]
--a------ 2006-09-21 15:36 53248 C:WindowsSystem32VTTimer.exe
[HKEY_LOCAL_MACHINEsoftwaremicrosoftshared toolsmsconfigstartupregVTTrayp]
--a------ 2007-02-06 06:30 176128 C:WindowsSystem32VTTrayp.exe
[HKEY_LOCAL_MACHINEsoftwaremicrosoftshared toolsmsconfigstartupregYahoo! Pager]
--a------ 2007-11-06 19:51 3810544 C:PROGRA~1Yahoo!MESSEN~1YAHOOM~1.exe
[HKEY_LOCAL_MACHINEsoftwaremicrosoftsecurity centerMonitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINEsoftwaremicrosoftsecurity centerMonitoringSymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINEsoftwaremicrosoftsecurity centerMonitoringSymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM~servicessharedaccessparametersirewallpolicyFirewallRules]
"{80F1DEE9-A5D9-4FD8-9269-845C30C5B5C8}"= UDP:C:Program FilesYahoo!MessengerYahooMessenger.exe:Yahoo! Messenger
"{AAE24A60-A495-4BBE-BF18-CFE1A06B8741}"= TCP:C:Program FilesYahoo!MessengerYahooMessenger.exe:Yahoo! Messenger
"{CFA3CA2E-C97E-4B3C-9222-C11C9C251113}"= UDP:C:Program FilesYahoo!MessengerYServer.exe:Yahoo! FT Server
"{21B4C05A-523E-4E27-BD78-4271AFC43E32}"= TCP:C:Program FilesYahoo!MessengerYServer.exe:Yahoo! FT Server
R1 BIOS;BIOS;C:Windowssystem32driversBIOS.sys [2005-03-16 01:23]
R3 FET5X86V;VIA Rhine-Family Fast-Ethernet Adapter Driver Service;C:Windowssystem32DRIVERSetnd5bv.sys [2007-02-27 03:14]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;C:Windowssystem32DRIVERS57nd60x.sys [2006-11-02 02:30]
[HKEY_LOCAL_MACHINEsoftwaremicrosoftwindows ntcurrentversionsvchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
[HKEY_CURRENT_USERsoftwaremicrosoftwindowscurrentversionexplorermountpoints2{178cc8c3-6aca-11dc-bbaa-806e6f6e6963}]
shellAutoRuncommand - E:Setup16.EXE
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
http://www.gmer.net
Rootkit scan 2008-05-25 14:54:03
Windows 6.0.6001 Service Pack 1 NTFS
escaneando procesos ocultos ...
escaneando entradas ocultas de autostart ...
escaneando archivos ocultos ...
el escaneo se completo con exito
archivos ocultos: 0
**************************************************************************
.
Tiempo completado: 2008-05-25 14:57:29
ComboFix-quarantined-files.txt 2008-05-25 19:57:17
El sistema no puede encontrar el texto del mensaje para el mensaje número 0x2379 en el archivo de mensajes para Application.
El sistema no puede encontrar el texto del mensaje para el mensaje número 0x2379 en el archivo de mensajes para Application.
122 --- E O F --- 2008-05-20 18:15:27
____________________________________________________________________________________________________________________________________________________________________________________
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 04:12:41 a.m., on 25/05/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal
Running processes:
C:Windowssystem32Dwm.exe
C:WindowsExplorer.EXE
C:Windowssystem32 askeng.exe
C:Program FilesWindows DefenderMSASCui.exe
C:WindowsRtHDVCpl.exe
C:Program FilesCommon FilesAheadLibNMBgMonitor.exe
C:Program FilesSkypePhoneSkype.exe
C:Program FilesSpybot - Search & DestroyTeaTimer.exe
C:Program FilesEset
od32kui.exe
C:WindowsSystem32mobsync.exe
C:Program FilesYahoo!Messengerymsgr_tray.exe
C:Program FilesSkypePlugin ManagerskypePM.exe
C:Program FilesInternet Explorerieuser.exe
C:Program FilesInternet Exploreriexplore.exe
C:UsersUserDownloadslaunch.exe
C:UsersUserAppDataLocalTempRarSFX0_start.exe
C:UsersUserAppDataLocalTempRarSFX0setup.exe
C:Windowssystem32 askeng.exe
C:Program FilesInternet Exploreriexplore.exe
C:Windowssystem32SearchFilterHost.exe
C:Program FilesTrend MicroHijackThisHijackThis.exe
R1 - HKCUSoftwareMicrosoftInternet ExplorerMain,Search Page =
http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCUSoftwareMicrosoftInternet ExplorerMain,Start Page =
http://www.yahoo.com/
R1 - HKLMSoftwareMicrosoftInternet ExplorerMain,Default_Page_URL =
http://www.olidata.cl
R1 - HKLMSoftwareMicrosoftInternet ExplorerMain,Default_Search_URL =
http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLMSoftwareMicrosoftInternet ExplorerMain,Search Page =
http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLMSoftwareMicrosoftInternet ExplorerMain,Start Page =
http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLMSoftwareMicrosoftInternet ExplorerSearch,SearchAssistant =
R0 - HKLMSoftwareMicrosoftInternet ExplorerSearch,CustomizeSearch =
R0 - HKCUSoftwareMicrosoftInternet ExplorerToolbar,LinksFolderName =
R3 - URLSearchHook: Barra Yahoo! con bloqueador de ventanas emergentes - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:Program FilesCommon FilesAdobeAcrobatActiveXAcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:Program FilesSkypeToolbarsInternet ExplorerSkypeIEPlugin.dll
O2 - BHO: (no name) - {259F616C-A300-44F5-B04A-ED001A26C85C} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:Program FilesSpybot - Search & DestroySDHelper.dll
O2 - BHO: (no name) - {F3642B57-3EA8-4EEA-A643-9DE138381A57} - C:UsersUser
edir.dll
O4 - HKLM..Run: [Windows Defender] %ProgramFiles%Windows DefenderMSASCui.exe -hide
O4 - HKLM..Run: [nod32kui] "C:Program FilesEset
od32kui.exe" /WAITSERVICE
O4 - HKLM..Run: [NBKeyScan] "C:Program FilesNeroNero8Nero BackItUpNBKeyScan.exe"
O4 - HKLM..Run: [NeroFilterCheck] C:Program FilesCommon FilesAheadLibNeroCheck.exe
O4 - HKLM..Run: [Adobe Reader Speed Launcher] "C:Program FilesAdobeReader 8.0ReaderReader_sl.exe"
O4 - HKLM..Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM..Run: [SNM] C:Program FilesSpyNoMoreSNM.exe /startup
O4 - HKCU..Run: [Yahoo! Pager] "C:PROGRA~1Yahoo!MESSEN~1YAHOOM~1.EXE" -quiet
O4 - HKCU..Run: [updateMgr] C:Program FilesAdobeAcrobat 7.0ReaderAdobeUpdateManager.exe AcRdB7_0_9
O4 - HKCU..Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:Program FilesCommon FilesAheadLibNMBgMonitor.exe"
O4 - HKCU..Run: [Skype] "C:Program FilesSkypePhoneSkype.exe" /nosplash /minimized
O4 - HKCU..Run: [SpybotSD TeaTimer] C:Program FilesSpybot - Search & DestroyTeaTimer.exe
O4 - HKUSS-1-5-19..Run: [Sidebar] %ProgramFiles%Windows SidebarSidebar.exe /detectMem (User 'SERVICIO LOCAL')
O4 - HKUSS-1-5-19..Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'SERVICIO LOCAL')
O4 - HKUSS-1-5-20..Run: [Sidebar] %ProgramFiles%Windows SidebarSidebar.exe /detectMem (User 'Servicio de red')
O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:PROGRA~1MICROS~2OFFICE11EXCEL.EXE/3000
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:Program FilesSkypeToolbarsInternet ExplorerSkypeIEPlugin.dll
O9 - Extra button: Referencia - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:PROGRA~1MICROS~2OFFICE11REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:Program FilesSpybot - Search & DestroySDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:Program FilesSpybot - Search & DestroySDHelper.dll
O13 - Gopher Prefix:
O16 - DPF: {0010ACD5-7EAC-4DD1-874B-5BAF556EE03C} (scrInstaller Class) -
http://www.speedy.com.pe/ras/ScrInstall.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:Program FilesYahoo!Commonyinsthelper.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) -
http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://signin3.valueactive.com/Register/Branding/olr3313/OCX/v1018/flashax.cab
O16 - DPF: {FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1} (Control de DownloadManager) -
http://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.1.6.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:PROGRA~1COMMON~1SkypeSKYPE4~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:Program FilesLavasoftAd-Aware 2007aawservice.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:Program FilesCommon FilesLightScribeLSSrvc.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:Program FilesEset
od32krn.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:Program FilesCyberLinkShared FilesRichVideo.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:Program FilesSpybot - Search & DestroySDWinSec.exe
--
End of file - 6344 bytes
ANSWER: Hi Rossana
It was my error not to tell you to exit all programs such as Spybot and ESET while running Combofix. Please run HJT once again, as the log you sent me is not formatted properly. Your entries look like this:
C:Windowssystem32Dwm.exe
Whereas they should look like this:
C:\Windows\system32\Dwm.exe
Such as the first log you sent. When HJT opens up notepad, go to the menu at the top under Format, uncheck "Word Wrap", then send me a copy of the log. Thanks!
Brian
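As an added example (not part of this AllExperts exchange), a small Python triage script that applies two checks from the thread to HijackThis log lines: Brian's test for a log whose backslashes were stripped by the web form, and a look at where each BHO and startup module lives, which is what makes the unnamed BHO loading C:\Users\User\redir.dll in the first log stand out. The sample lines are copied from the logs above; the category names and the list of "profile" folders are my own.

```python
import re

# Sample input copied from the two HijackThis logs in this thread: GOOD_LOG
# from the first, well-formed log; BAD_LOG from the second paste, in which
# the web form stripped the backslashes out of every path.
GOOD_LOG = r"""Running processes:
C:\Windows\system32\Dwm.exe
C:\Users\User\Downloads\launch.exe
C:\Users\User\AppData\Local\Temp\RarSFX0\setup.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {259F616C-A300-44F5-B04A-ED001A26C85C} - (no file)
O2 - BHO: (no name) - {F3642B57-3EA8-4EEA-A643-9DE138381A57} - C:\Users\User\redir.dll
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
"""
BAD_LOG = r"""Running processes:
C:Windowssystem32Dwm.exe
O2 - BHO: (no name) - {F3642B57-3EA8-4EEA-A643-9DE138381A57} - C:UsersUser
"""

# A drive letter followed directly by a name character ("C:Windows") means
# the backslash after "C:" is gone: Brian's sign of a mangled log.
STRIPPED_DRIVE = re.compile(r"\b[A-Za-z]:(?=[A-Za-z0-9_])")
# First Windows path ending in .exe/.dll on an entry line.
WIN_PATH = re.compile(r"[A-Za-z]:\\.*?\.(?:exe|dll)", re.I)
# Folders a vendor installer does not normally register a module from
# (my own list, chosen to match the entries in this thread).
PROFILE_DIRS = ("\\users\\", "\\temp\\", "\\downloads\\")


def module_location_suspicious(path: str) -> bool:
    """True when the module lives under a user profile, Temp or Downloads
    folder: worth a second look, not proof of infection by itself."""
    p = path.lower()
    return any(d in p for d in PROFILE_DIRS)


def triage(log: str) -> dict:
    """Group HijackThis lines into four categories (the names are mine):
    stripped_paths  - paths lost their backslashes; log must be re-sent
    unnamed_bho     - O2 entries HijackThis reports as "(no name)"
    profile_modules - O2/O4 modules loaded from a user profile or Temp
    profile_procs   - running processes started from Temp or Downloads"""
    out = {k: [] for k in ("stripped_paths", "unnamed_bho",
                           "profile_modules", "profile_procs")}
    in_procs = False
    for raw in log.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "Running processes:":
            in_procs = True
            continue
        if re.match(r"[A-Z]\d+ - ", line):  # "R0 - ", "O2 - ", "O23 - " ...
            in_procs = False
        if STRIPPED_DRIVE.search(line):
            out["stripped_paths"].append(line)
            continue  # nothing else on this line can be trusted
        if in_procs:
            if module_location_suspicious(line):
                out["profile_procs"].append(line)
            continue
        if line.startswith("O2 - BHO: (no name)"):
            out["unnamed_bho"].append(line)
        if line.startswith(("O2 - ", "O4 - ")):
            m = WIN_PATH.search(line)
            if m and module_location_suspicious(m.group(0)):
                out["profile_modules"].append(line)
    return out


def log_is_usable(log: str) -> bool:
    """Brian's test: a log whose paths lost their backslashes cannot be
    analysed and should be re-pasted from Notepad with Word Wrap off."""
    return not triage(log)["stripped_paths"]
```

Running `triage(GOOD_LOG)` flags the two unnamed BHOs, the redir.dll module under the user profile and the two processes started from Downloads and Temp, while `log_is_usable(BAD_LOG)` is False because every path in that paste has lost its backslashes.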