Ipsec.sys detected as virus and now I don't have connection

I was planning to change my AV. I had one from another company but the license expired. Then today I’ve tried Avast! free on my computer with WinXP Home Edition with SP3. After the installation I’ve made a full scan in safe mode and Avast! detected 5 viruses, one of them being the file “\windows\system32\drivers\ipsec.sys” infected with WIN32/Alureon. I’ve sent them all to quarantine and restarted the computer in normal mode. But then I noticed that there was no connection to the internet.

Took a look at the “Device manager” with the option to show hidden devices enabled and I saw 2 alerts:

-Controlador de protocolo TCP/IP = Detenido. Archivo del controlador: tcpip.sys

-Traductor de direcciones de red ip =Detenido. Archivo del controlador: ipnat.sys

I’ve tried to start both manually but there were missing dependencies.

After 2 hours trying things in vain, I’ve decided to restore the file from the quarantine. When the file was again under “windows\system32\drivers” I’ve analyzed it with right click and it said it was clean >:(

I’ve restarted the computer again but still no connection.

I think I need to install ipsec.sys again and not just copy the file again to its original folder. But I don’t know how.

Restore the quarantined file and then run TDSSKiller; this is a specialist tool which will do a clean replacement.

Please read carefully and follow these steps.

- Download TDSSKiller and save it to your Desktop.
- Extract its contents to your desktop.
- Once extracted, open the TDSSKiller folder and double-click on TDSSKiller.exe to run the application, then on Start Scan.

http://i466.photobucket.com/albums/rr21/JSntgRvr/TDSSKillermain.png

- If an infected file is detected, the default action will be Cure, click on Continue.

http://i466.photobucket.com/albums/rr21/JSntgRvr/TDSSKillerMal-1.png

- If a suspicious file is detected, the default action will be Skip, click on Continue.

http://i466.photobucket.com/albums/rr21/JSntgRvr/TDSSKillerSuspicious.png

- It may ask you to reboot the computer to complete the process. Click on Reboot Now.

http://i466.photobucket.com/albums/rr21/JSntgRvr/TDSSKillerCompleted.png

- If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
- If a reboot is required, the report can also be found in your root directory (usually the C:\ folder) in the form of “TDSSKiller.[Version][Date][Time]_log.txt”. Please copy and paste the contents of that file here.

I can’t see ipsec.sys on this report, but it’s there in its “drivers” folder.

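The check the poster did by eye, looking for ipsec.sys in the TDSSKiller driver list, as an added Python example (not code from the thread or from TDSSKiller): it parses a constructed log in that layout, lists locked-file detections, reports which core TCP/IP stack services were not enumerated, and flags enumerated services whose dependency is absent. The dependency map (Tcpip on IPSec, IpNat on Tcpip) is an assumption about XP's service configuration, not something the thread states.

```python
"""Parse a TDSSKiller-style driver scan log and check the core TCP/IP stack.

Added example for this thread; not part of TDSSKiller or the forum's tools.
Assumptions: the log layout matches the lines pasted in the thread (timestamp,
service name, 32-hex MD5 in parentheses, driver path), and XP_DEPENDENCIES
below is an assumed model of Windows XP's DependOnService chain.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample log (made-up hashes, laid out like TDSSKiller's report).
# The IPSec entry is deliberately absent, mirroring the poster's observation
# that ipsec.sys does not appear in the scan.
SAMPLE_LOG = r"""
2010/10/06 10:26:40.0187    Scan started
2010/10/06 10:26:40.0187    Mode: Manual;
2010/10/06 10:26:40.0484    AFD             (00000000000000000000000000000001) C:\WINDOWS\System32\drivers\afd.sys
2010/10/06 10:26:41.0546    IpNat           (00000000000000000000000000000002) C:\WINDOWS\system32\DRIVERS\ipnat.sys
2010/10/06 10:26:41.0937    NDIS            (00000000000000000000000000000003) C:\WINDOWS\system32\drivers\NDIS.sys
2010/10/06 10:26:42.0687    sptd            (00000000000000000000000000000004) C:\WINDOWS\system32\Drivers\sptd.sys
2010/10/06 10:26:42.0703    Suspicious file (NoAccess): C:\WINDOWS\system32\Drivers\sptd.sys. md5: 00000000000000000000000000000004
2010/10/06 10:26:42.0703    sptd - detected Locked file (1)
2010/10/06 10:26:42.0859    Tcpip           (00000000000000000000000000000005) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2010/10/06 10:26:43.0375    Scan finished
2010/10/06 10:26:43.0390    Detected object count: 1
"""

TIMESTAMP = r"\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d{4}"
# "<ts>  <ServiceName>  (<md5>) <path>"
DRIVER_LINE = re.compile(rf"^({TIMESTAMP})\s+(\S+)\s+\(([0-9a-fA-F]{{32}})\)\s+(\S.*?)\s*$")
# "<ts>  <ServiceName> - detected <kind> (<n>)"
DETECTION_LINE = re.compile(rf"^{TIMESTAMP}\s+(\S+) - detected (.+?) \(\d+\)$")
COUNT_LINE = re.compile(rf"^{TIMESTAMP}\s+Detected object count: (\d+)$")

# Driver services the thread is concerned with, plus the stack they sit on.
CORE_NETWORK_SERVICES = ("NDIS", "Tcpip", "IPSec", "IpNat", "AFD")

# ASSUMPTION: XP service dependency chain as this example models it.
XP_DEPENDENCIES = {"Tcpip": ["IPSec"], "IpNat": ["Tcpip"]}


@dataclass
class DriverEntry:
    name: str
    md5: str
    path: str


@dataclass
class ScanReport:
    drivers: Dict[str, DriverEntry] = field(default_factory=dict)  # key: lowercase service name
    detections: List[str] = field(default_factory=list)
    detected_count: Optional[int] = None


def parse_tdsskiller_log(text: str) -> ScanReport:
    """Collect enumerated driver services, detections and the object count."""
    report = ScanReport()
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = DRIVER_LINE.match(line)
        if m:
            _, name, md5, path = m.groups()
            report.drivers[name.lower()] = DriverEntry(name, md5.lower(), path)
            continue
        m = DETECTION_LINE.match(line)
        if m:
            report.detections.append(f"{m.group(1)}: {m.group(2)}")
            continue
        m = COUNT_LINE.match(line)
        if m:
            report.detected_count = int(m.group(1))
    return report


def missing_core_drivers(report: ScanReport, expected=CORE_NETWORK_SERVICES) -> List[str]:
    """Names from `expected` that the scan did not enumerate at all."""
    return [name for name in expected if name.lower() not in report.drivers]


def unresolved_dependencies(report: ScanReport, deps=XP_DEPENDENCIES) -> Dict[str, List[str]]:
    """For each enumerated service, the dependencies the scan did not see.

    An enumerated service whose dependency is absent matches the
    "dependency service does not exist" error quoted later in the thread.
    """
    problems: Dict[str, List[str]] = {}
    for service, required in deps.items():
        if service.lower() not in report.drivers:
            continue
        missing = [r for r in required if r.lower() not in report.drivers]
        if missing:
            problems[service] = missing
    return problems


if __name__ == "__main__":
    rep = parse_tdsskiller_log(SAMPLE_LOG)
    print(f"enumerated {len(rep.drivers)} driver services; detections: {rep.detections}")
    print("missing core services:", missing_core_drivers(rep))
    print("unresolved dependencies:", unresolved_dependencies(rep))
```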

Could be a new variant.

Download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

- Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.

- Double click on ComboFix.exe & follow the prompts.

- As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it’s strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

- Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

http://img.photobucket.com/albums/v706/ried7/RcAuto1.gif

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

http://img.photobucket.com/albums/v706/ried7/whatnext.png

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.


I can’t answer “yes” when ComboFix asks me to install the Recovery Console because it says that it needs an internet connection.
After the scan, the only thing noticeable was that Daemon Tools didn’t load, because I assume ComboFix deleted the SPTD.
I’ll be waiting for your answer. Thanks for trying to help me.

Let’s get Windows to repair it.

-Controlador de protocolo TCP/IP = Detenido. Archivo del controlador: tcpip.sys

-Traductor de direcciones de red ip =Detenido. Archivo del controlador: ipnat.sys

To repair these, go to the MS page here http://support.microsoft.com/kb/811259. About halfway down the page is a Fix it button; press that and download the programme, transfer it to the affected system and run it.

Let me know if that clears it.

Nothing happened. Still no connection and in Device Manager, under “Dispositivos que no son Plug and Play” (Non-PnP devices) “TCP/IP protocol driver” and “IP Network translator” still appear with exclamation. No signs of “IPSEC driver”.

OK, could you first create a restore point and then go to Control Panel, right click the offending items, select Uninstall and then reboot. Windows should then replace the correct files.

Created restore point and after reboot:

TCP/IP reinstalled but stopped because of “missing dependencies”
IP Network translator not reinstalled
IPSEC driver not reinstalled

Restore from the restore point as Windows boots.

Alureon is a pretty hardy piece of s**t - I found the best solution was a format of my OS drive. My variant caused general slowdown of the system and lots of other crap I don’t really remember. If nothing works for you that essexboy suggests, I’d tell you to back up all of your data to a separate partition and format everything else, then reinstall. Another plus is that you’ll have a clean system.

It does look like it has deleted some files - does it state which dependencies are missing?

The message says (translated by me :D)

The system found an error while trying to start the service.

Dependency service does not exist or has been marked to be eliminated.

I think I’ll take cakedoer’s advice. But I really appreciate your help essexboy. :slight_smile:

I have no problem with that as you know best ;D

I do have a small tutorial on reformatting available here: http://www.geekstogo.com/forum/topic/173729-reformat-and-install-of-windows/ This may help you on your way.