Need help removing CID pop-ups

What you are noting can be indicative of a LOP infection.
Notice some files are in Spanish, others are not. Any reason?
Please download Malwarebytes' Anti-Malware (MBA-M) to your Desktop.

* DoubleClick mbam-setup.exe and follow the prompts to install MBA-M.
* Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform full scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When MBA-M finishes, Notepad will open with the log. Please save it where you can find it easily. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt.

Also do the following;
The first thing you should do is print out this guide as we will close all the open windows and programs, including your web browser, before starting the ComboFix program.

Next you should download ComboFix
Click on the Save button and then when it asks you where to save it, make sure you save it directly to your Windows Desktop.

At this point you should do the following:

* Close all open Windows including this one.
* Close or disable all running Antivirus, Antispyware, and Firewall programs as they may interfere with the proper running of ComboFix.
double-click on the ComboFix icon found on your desktop. Please note, that once you start ComboFix you should not click anywhere on the ComboFix window as it can cause the program to stall. In fact, when ComboFix is running, do not touch your computer at all and just take a break as it may take a while for it to complete.
You may get a prompt because ComboFix does not have a digital signature. This is perfectly normal and safe and you can click on the Run button to continue.
ComboFix will prepare to run and when it has finished you will see the Disclaimer screen, just click the number 1 and then Enter.
It will then back up the registry.
Once the Windows Registry has finished being backed up, ComboFix will disconnect your computer from the Internet. Therefore, do not be surprised or concerned if you receive any warnings stating that you are no longer on the Internet as your connection will be completely restored at a later stage in the program.

ComboFix will now start scanning your computer for known infections. This procedure can take some time, so please be patient.
While the program is scanning your computer, it will change your clock format, so do not be concerned when you see this happen. When ComboFix is finished it will restore your clock settings to what they were previously. You will also see the text in the ComboFix window being updated as it goes through the various stages of its scan.
When ComboFix has finished running, you will see a screen stating that it is preparing the log report.
This can take a while, so please be patient. If you see your Windows desktop disappear, do not worry. This is normal and ComboFix will restore your desktop before it is finished. Eventually you will see a new screen that states the program is almost finished and telling you the programs log file, or report, will be located at C:\ComboFix.txt.
This can take a while, so please be patient. If you see your Windows desktop disappear, do not worry. This is normal and ComboFix will restore your desktop before it is finished. Eventually you will see a new screen that states the program is almost finished and telling you the programs log file, or report, will be located at C:\ComboFix.txt.
Come back here and post the Malwarebytes' log and the ComboFix log.

Thanks j, I'll move forward with your suggested actions and post logs. Regarding the Spanish files, they're there because my nephew is Spanish and has his computer configured likewise. I also thought it could be a Lop infection and tried running nolop.exe prior to reading your reply. Something to note, I was unable to successfully run the nolop.exe program. It would run for about 10 seconds and then just quit and close without any warning or error message. Not sure if that changes anything you suggested. Again, thanks for your help.

Run the MBA-M program first and let it fix what it finds. Then run combofix programand let's see what it shows.
Be sure to follow the instructions exactly and turn off all security programs while running it.
Post back here with both logs.
Judy

Run the MBA-M program first and let it fix what it finds. Then run combofix programand let's see what it shows.
Be sure to follow the instructions exactly and turn off all security programs while running it.
Post back here with both logs.
Judy

Hi Judy. I ran both MBA-M and Combofix. Logs are posted below. Not sure, but the programs have appeared to remedy the problem my nephew was having with CID popups and generally slow computer performance. With regards to Combofix, I was unable to completely disable Mcafee's antivirus program, even by turning off the applicable services using services.msc from Start/Run. If you feel that step was absolutely critical, I can uninstall Mcafee entirely and try running Combofix again.

Thanks for all your help!

Malwarebytes' Anti-Malware 1.28
Database version: 1180
Windows 5.1.2600 Service Pack 2

20/09/2008 15:31:46
mbam-log-2008-09-20 (15-31-46).txt

Scan type: Full Scan (H:\|)
Objects scanned: 187212
Time elapsed: 1 hour(s), 24 minute(s), 42 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 16
Registry Values Infected: 4
Registry Data Items Infected: 19
Folders Infected: 14
Files Infected: 39

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\sssinstaller.installer (Adware.Comet) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{74278296-0ec7-4f7a-ad55-eb7a2f35f311} (Adware.Comet) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{0fbc3efb-fc98-4b32-bf10-bde9aa4dea5a} (Adware.Comet) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{6a4b7d17-1de9-4c14-8adf-eb4c07060519} (Adware.Comet) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{abf441b2-9b57-4838-96a0-34b1cecd4aa5} (Adware.Comet) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{a84e835e-1b9c-4fc0-980f-4b2da3c6a2a7} (Adware.Comet) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{a84e835e-1b9c-4fc0-980f-4b2da3c6a2a7} (Adware.Comet) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{bf0a1ff4-bbaf-487f-bc85-a24ef8f443a8} (Adware.Comet) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{bf0a1ff4-bbaf-487f-bc85-a24ef8f443a8} (Adware.Comet) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\sssinstaller.installer.1 (Adware.Comet) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\sssinstaller.sinstaller (Adware.Comet) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\sssinstaller.sinstaller.1 (Adware.Comet) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{90b5a95a-afd5-4d11-b9bd-a69d53d22226} (Adware.Hotbar) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Screensavers.com (Adware.Comet) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SSSInstaller (Adware.Comet) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Ares Gold (Adware.WhenUSave) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\New Windows\Allow\host-domain-lookup.com (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\New Windows\Allow\mysearchnow.com (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\New Windows\Allow\www.host-domain-lookup.com (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\New Windows\Allow\www.mysearchnow.com (Malware.Trace) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\System (Rootkit.DNSChanger.H) -> Data: kdhvx.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.114.195 85.255.112.96 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{00a9e119-e86b-4062-95cf-c8227abf0d3c}\NameServer (Trojan.DNSChanger) -> Data: 85.255.114.195,85.255.112.96 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{0fbc26cf-7c73-43c7-b7b7-b126a15b5d13}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.114.195,85.255.112.96 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{717d3973-88b6-4782-9931-7708198751eb}\NameServer (Trojan.DNSChanger) -> Data: 85.255.114.195,85.255.112.96 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{f61f93f9-f7b8-4a87-8e31-56e6f9e83de6}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.114.195,85.255.112.96 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{f61f93f9-f7b8-4a87-8e31-56e6f9e83de6}\NameServer (Trojan.DNSChanger) -> Data: 85.255.114.195,85.255.112.96 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.114.195 85.255.112.96 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{00a9e119-e86b-4062-95cf-c8227abf0d3c}\NameServer (Trojan.DNSChanger) -> Data: 85.255.114.195,85.255.112.96 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{0fbc26cf-7c73-43c7-b7b7-b126a15b5d13}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.114.195,85.255.112.96 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{717d3973-88b6-4782-9931-7708198751eb}\NameServer (Trojan.DNSChanger) -> Data: 85.255.114.195,85.255.112.96 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{f61f93f9-f7b8-4a87-8e31-56e6f9e83de6}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.114.195,85.255.112.96 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{f61f93f9-f7b8-4a87-8e31-56e6f9e83de6}\NameServer (Trojan.DNSChanger) -> Data: 85.255.114.195,85.255.112.96 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.114.195 85.255.112.96 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Interfaces\{00a9e119-e86b-4062-95cf-c8227abf0d3c}\NameServer (Trojan.DNSChanger) -> Data: 85.255.114.195,85.255.112.96 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Interfaces\{0fbc26cf-7c73-43c7-b7b7-b126a15b5d13}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.114.195,85.255.112.96 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Interfaces\{717d3973-88b6-4782-9931-7708198751eb}\NameServer (Trojan.DNSChanger) -> Data: 85.255.114.195,85.255.112.96 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Interfaces\{f61f93f9-f7b8-4a87-8e31-56e6f9e83de6}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.114.195,85.255.112.96 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Interfaces\{f61f93f9-f7b8-4a87-8e31-56e6f9e83de6}\NameServer (Trojan.DNSChanger) -> Data: 85.255.114.195,85.255.112.96 -> Quarantined and deleted successfully.

Folders Infected:
H:\Documents and Settings\All Users\Datos de programa\Starware316 (Adware.Starware) -> Quarantined and deleted successfully.
H:\Documents and Settings\All Users\Datos de programa\Starware316\buttons (Adware.Starware) -> Quarantined and deleted successfully.
H:\Documents and Settings\All Users\Datos de programa\Starware316\contexts (Adware.Starware) -> Quarantined and deleted successfully.
H:\Archivos de programa\Screensavers.com (Adware.Comet) -> Quarantined and deleted successfully.
H:\Archivos de programa\Screensavers.com\ActiveDesktop (Adware.Comet) -> Quarantined and deleted successfully.
H:\Archivos de programa\Screensavers.com\ActiveDesktop\bin (Adware.Comet) -> Quarantined and deleted successfully.
H:\Archivos de programa\Screensavers.com\SSSInstaller (Adware.Comet) -> Quarantined and deleted successfully.
H:\Archivos de programa\Screensavers.com\SSSInstaller\bin (Adware.Comet) -> Quarantined and deleted successfully.
H:\Archivos de programa\Screensavers.com\SSSInstaller\Ready (Adware.Comet) -> Quarantined and deleted successfully.
H:\Archivos de programa\Screensavers.com\SSSInstaller\temp (Adware.Comet) -> Quarantined and deleted successfully.
H:\Archivos de programa\Screensavers.com\SSSInstaller\Upload (Adware.Comet) -> Quarantined and deleted successfully.
H:\Archivos de programa\Save (Adware.WhenUSave) -> Quarantined and deleted successfully.
H:\Archivos de programa\Ares Gold (Adware.WhenUSave) -> Quarantined and deleted successfully.
H:\Archivos de programa\Ares Gold\Data (Adware.WhenUSave) -> Quarantined and deleted successfully.

Files Infected:
H:\WINDOWS\system32\kdhvx.exe (Rootkit.DNSChanger.H) -> Delete on reboot.
H:\Archivos de programa\Screensavers.com\SSSInstaller\bin\SSSInstaller.dll (Adware.Comet) -> Quarantined and deleted successfully.
H:\Archivos de programa\Screensavers.com\ActiveDesktop\bin\ActiveDesktopExe.exe (Adware.Comet) -> Quarantined and deleted successfully.
H:\Archivos de programa\Screensavers.com\SSSInstaller\bin\sinstaller3.exe (Adware.Comet) -> Quarantined and deleted successfully.
H:\Documents and Settings\papote\Configuración local\Temp\tmp38.tmp (Trojan.Clicker) -> Quarantined and deleted successfully.
H:\Documents and Settings\user\Configuración local\Temp\bit2.exe (Adware.Agent) -> Quarantined and deleted successfully.
H:\Documents and Settings\user\Configuración local\Temp\bitcoll.dll (Adware.Agent) -> Quarantined and deleted successfully.
H:\System Volume Information\_restore{C9201CCA-C68F-4092-A78D-D026CCB7DACB}\RP385\A0037570.exe (Adware.Comet) -> Quarantined and deleted successfully.
H:\Documents and Settings\All Users\Datos de programa\Starware316\buttons\FindIt.bmp (Adware.Starware) -> Quarantined and deleted successfully.
H:\Documents and Settings\All Users\Datos de programa\Starware316\buttons\FindItHot.bmp (Adware.Starware) -> Quarantined and deleted successfully.
H:\Documents and Settings\All Users\Datos de programa\Starware316\buttons\findithotxp.png (Adware.Starware) -> Quarantined and deleted successfully.
H:\Documents and Settings\All Users\Datos de programa\Starware316\buttons\finditxp.png (Adware.Starware) -> Quarantined and deleted successfully.
H:\Documents and Settings\All Users\Datos de programa\Starware316\buttons\Highlight.bmp (Adware.Starware) -> Quarantined and deleted successfully.
H:\Documents and Settings\All Users\Datos de programa\Starware316\buttons\HighlightHot.bmp (Adware.Starware) -> Quarantined and deleted successfully.
H:\Documents and Settings\All Users\Datos de programa\Starware316\buttons\highlighthotxp.png (Adware.Starware) -> Quarantined and deleted successfully.
H:\Documents and Settings\All Users\Datos de programa\Starware316\buttons\highlightxp.png (Adware.Starware) -> Quarantined and deleted successfully.
H:\Documents and Settings\All Users\Datos de programa\Starware316\buttons\Reference.bmp (Adware.Starware) -> Quarantined and deleted successfully.
H:\Documents and Settings\All Users\Datos de programa\Starware316\buttons\ReferenceHot.bmp (Adware.Starware) -> Quarantined and deleted successfully.
H:\Documents and Settings\All Users\Datos de programa\Starware316\buttons\referencehotxp.png (Adware.Starware) -> Quarantined and deleted successfully.
H:\Documents and Settings\All Users\Datos de programa\Starware316\buttons\referencexp.png (Adware.Starware) -> Quarantined and deleted successfully.
H:\Documents and Settings\All Users\Datos de programa\Starware316\buttons\screensaver.bmp (Adware.Starware) -> Quarantined and deleted successfully.
H:\Documents and Settings\All Users\Datos de programa\Starware316\buttons\starware_toolbar_icon.bmp (Adware.Starware) -> Quarantined and deleted successfully.
H:\Documents and Settings\All Users\Datos de programa\Starware316\buttons\Weather.bmp (Adware.Starware) -> Quarantined and deleted successfully.
H:\Documents and Settings\All Users\Datos de programa\Starware316\buttons\weatherhotxp.png (Adware.Starware) -> Quarantined and deleted successfully.
H:\Documents and Settings\All Users\Datos de programa\Starware316\buttons\weatherxp.png (Adware.Starware) -> Quarantined and deleted successfully.
H:\Documents and Settings\All Users\Datos de programa\Starware316\contexts\error.xml (Adware.Starware) -> Quarantined and deleted successfully.
H:\Documents and Settings\All Users\Datos de programa\Starware316\contexts\related.xml (Adware.Starware) -> Quarantined and deleted successfully.
H:\Documents and Settings\All Users\Datos de programa\Starware316\contexts\travel.xml (Adware.Starware) -> Quarantined and deleted successfully.
H:\Archivos de programa\Screensavers.com\SSSUninst.exe (Adware.Comet) -> Quarantined and deleted successfully.
H:\Archivos de programa\Screensavers.com\SSSInstaller\temp\dm69.tmp (Adware.Comet) -> Quarantined and deleted successfully.
H:\Archivos de programa\Screensavers.com\SSSInstaller\temp\dm6B.tmp (Adware.Comet) -> Quarantined and deleted successfully.
H:\Archivos de programa\Screensavers.com\SSSInstaller\temp\dm6D.tmp (Adware.Comet) -> Quarantined and deleted successfully.
H:\Archivos de programa\Screensavers.com\SSSInstaller\temp\dm6D.tmp.di (Adware.Comet) -> Quarantined and deleted successfully.
H:\Archivos de programa\Ares Gold\Data\cache.net (Adware.WhenUSave) -> Quarantined and deleted successfully.
H:\Archivos de programa\Ares Gold\Data\MyMedia.edb (Adware.WhenUSave) -> Quarantined and deleted successfully.
H:\Archivos de programa\Ares Gold\Data\searchkeys.dat (Adware.WhenUSave) -> Quarantined and deleted successfully.
H:\Archivos de programa\Ares Gold\Data\ultracache.net (Adware.WhenUSave) -> Quarantined and deleted successfully.
H:\Archivos de programa\Ares Gold\Data\webcache.net (Adware.WhenUSave) -> Quarantined and deleted successfully.
H:\WINDOWS\system32\nvs2.inf (Adware.EGDAccess) -> Quarantined and deleted successfully.

ComboFix 08-09-19.09 - user 2008-09-20 16:08:19.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.3082.18.631 [GMT 2:00]
Se ejecuta desde: H:\Documents and Settings\user\Escritorio\ComboFix.exe
* Creado un nuevo punto de restauración
* Resident AV is active

ADVERTENCIA - ESTE EQUIPO NO TIENE INSTALADA LA CONSOLA DE RECUPERACION!
.

(((((((((((((((((((((((((((((((((((( Otras eliminaciones )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Autorun.inf
H:\Documents and Settings\papote\Cookies\papote@metacafe[2].txt
H:\Documents and Settings\user\Configuración local\Datos de programa\iqecsiw.dat
H:\Documents and Settings\user\Configuración local\Datos de programa\iqecsiw.exe
H:\Documents and Settings\user\Configuración local\Datos de programa\iqecsiw_nav.dat
H:\Documents and Settings\user\Configuración local\Datos de programa\iqecsiw_navps.dat
H:\Documents and Settings\user\Configuración local\Datos de programa\iqecsiw_navup.dat
H:\Documents and Settings\user\Cookies\user@ehg-dig.hitbox[2].txt
H:\Documents and Settings\user\Cookies\user@t.ifilm[1].txt
H:\Documents and Settings\user\Favoritos\Videos.url
H:\Documents and Settings\user\Menú Inicio\Programas\Videos.url
H:\WINDOWS\system32\uninstall.exe

.
(((((((((((((((((( Archivos creados desde 2008-08-20 - 2008-09-20 )))))))))))))))))))))))))))))))))
.

2008-09-20 12:53 . 2008-09-20 12:53 <DIR> d-------- H:\Archivos de programa\NETGEAR
2008-09-20 12:53 . 2004-04-18 16:43 651,264 --a------ H:\WINDOWS\system32\libeay32.dll
2008-09-20 12:53 . 2005-09-26 16:02 362,944 --a------ H:\WINDOWS\system32\drivers\WPN111.sys
2008-09-20 12:53 . 2005-07-27 21:15 149,392 --a------ H:\WINDOWS\system32\drivers\ar5523.bin
2008-09-20 12:53 . 2004-04-18 16:43 147,456 --a------ H:\WINDOWS\system32\ssleay32.dll
2008-09-20 12:53 . 2003-07-24 12:10 94,208 --a------ H:\WINDOWS\system32\DNIN50.dll
2008-09-20 12:53 . 2003-07-24 12:10 17,149 --a------ H:\WINDOWS\system32\DNINDIS5.sys
2008-09-20 12:53 . 2003-07-25 13:30 15,941 --a------ H:\WINDOWS\system32\DNINDIS3.VXD
2008-09-20 12:53 . 2005-10-06 11:28 15,819 --a------ H:\WINDOWS\system32\drivers\netwpn11.inf
2008-09-20 12:53 . 2005-10-19 05:03 8,263 --a------ H:\WINDOWS\system32\drivers\WPN111.cat
2008-09-20 12:37 . 2008-09-20 12:37 <DIR> d-------- H:\Documents and Settings\user\Datos de programa\Malwarebytes
2008-09-20 12:37 . 2008-09-10 00:03 17,200 --a------ H:\WINDOWS\system32\drivers\mbam.sys
2008-09-20 12:36 . 2008-09-20 12:36 <DIR> d-------- H:\Documents and Settings\All Users\Datos de programa\Malwarebytes
2008-09-20 12:36 . 2008-09-20 14:04 <DIR> d-------- H:\Archivos de programa\Malwarebytes' Anti-Malware
2008-09-20 12:36 . 2008-09-10 00:04 38,528 --a------ H:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-09-16 15:56 . 2008-09-16 15:56 <DIR> d-------- H:\Archivos de programa\grimfrag
2008-09-12 20:55 . 2008-09-12 20:55 <DIR> d-------- H:\Archivos de programa\VirtualDJ
2008-09-07 16:55 . 2008-09-07 16:55 <DIR> d-------- H:\Archivos de programa\Trend Micro
2008-09-07 16:28 . 2008-09-07 16:38 424 --a------ H:\delete.bat
2008-09-07 16:12 . 2008-09-07 16:12 0 --a------ H:\WINDOWS\nsreg.dat
2008-08-31 21:31 . 2008-08-31 21:31 <DIR> d-------- H:\Archivos de programa\Sun

.
(((((((((((((((((((((((((((((((((((((( Reporte Find3M )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-20 11:21 --------- d-----w H:\Documents and Settings\user\Datos de programa\SiteAdvisor
2008-09-20 10:53 --------- d--h--w H:\Archivos de programa\InstallShield Installation Information
2008-09-17 18:05 --------- d-----w H:\Documents and Settings\m.mar\Datos de programa\grimfrag
2008-09-16 13:56 --------- d-----w H:\Documents and Settings\user\Datos de programa\grimfrag
2008-09-16 13:56 --------- d-----w H:\Documents and Settings\All Users\Datos de programa\Tick Find Close Surf
2008-09-12 18:54 --------- d-----w H:\Archivos de programa\eMule
2008-09-08 11:45 --------- d-----w H:\Documents and Settings\papote\Datos de programa\grimfrag
2008-09-05 15:09 --------- d-----w H:\WINDOWS\system32\config\systemprofile\Datos de programa\SiteAdvisor
2008-08-31 19:56 --------- d-----w H:\Archivos de programa\beon Widgets
2008-08-31 19:31 --------- d-----w H:\Archivos de programa\Java
2008-08-29 13:00 --------- d-----w H:\Archivos de programa\Norton Security Scan
2008-08-29 10:29 --------- d-----w H:\Documents and Settings\LocalService\Datos de programa\SiteAdvisor
2007-08-10 19:33 2,201,356 ----a-w H:\Documents and Settings\user\medal of honor allied assault - mohaa nocd crack v1 11(2).exe
2006-07-18 12:41 1,019,094 --sha-r H:\Archivos de programa\serial.zip
2006-07-18 12:41 1,019,094 --sha-r H:\Archivos de programa\serial.tde
2006-05-28 15:46 397,306 --sha-r H:\Archivos de programa\wunauclt.zip
2006-05-28 15:46 397,306 --sha-r H:\Archivos de programa\wunauclt.tbe
2004-10-01 14:00 40,960 -c--a-w H:\Archivos de programa\Uninstall_CDS.exe
2003-05-10 02:16 1,438 ----a-w H:\Documents and Settings\user\_Unpak.bat
2001-12-27 22:00 100,864 ----a-w H:\Documents and Settings\user\Tecuha.exe
.

((((((((((((((((((((((((((((((((( Cargando Puntos Reg ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Nota* entradas vacías & entradas legítimas predeterminadas no son mostradas
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="H:\WINDOWS\system32\ctfmon.exe" [2004-08-19 15360]
"MsnMsgr"="H:\Archivos de programa\MSN Messenger\MsnMsgr.Exe" [2007-01-19 5674352]
"ares"="H:\Archivos de programa\ARES\Ares.exe" [2007-03-05 947712]
"swg"="H:\Archivos de programa\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-13 68856]
"MSMSGS"="H:\Archivos de programa\Messenger\msmsgs.exe" [2004-10-13 1694208]
"junk peak"="H:\DOCUME~1\user\DATOSD~1\grimfrag\TwoEach.exe" [2008-09-16 512512]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATICCC"="H:\Archivos de programa\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-05-10 90112]
"RemoteControl"="H:\Archivos de programa\CyberLink DVD Solution\PowerDVD\PDVDServ.exe" [2004-11-02 32768]
"NeroFilterCheck"="H:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 155648]
"SunJavaUpdateSched"="H:\Archivos de programa\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"PCSuiteTrayApplication"="H:\ARCHIV~1\Nokia\NOKIAP~1\LAUNCH~1.EXE" [2006-06-15 229376]
"SiteAdvisor"="H:\Archivos de programa\SiteAdvisor\6261\SiteAdv.exe" [2006-07-31 35416]
"Adobe Photo Downloader"="H:\Archivos de programa\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 63712]
"Adobe Reader Speed Launcher"="H:\Archivos de programa\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"close surf mail dupe"="H:\Documents and Settings\All Users\Datos de programa\Tick Find Close Surf\Play Send.exe" [2008-09-20 761344]
"SoundMan"="SOUNDMAN.EXE" [2005-04-15 H:\WINDOWS\SOUNDMAN.EXE]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="H:\WINDOWS\system32\CTFMON.EXE" [2004-08-19 15360]

H:\Documents and Settings\m.mar\Men£ Inicio\Programas\Inicio\
DesktopEarth AutoStart.lnk - H:\Documents and Settings\user\Datos de programa\Microsoft\Installer\{DBA5E973-660D-4CBE-A469-F5C37FBF0CE4}\_C1A9BF9D98647632ED5172.exe [2008-01-02 29926]

H:\Documents and Settings\All Users\Men£ Inicio\Programas\Inicio\
ECOM Turbo-G Wireless Utility.lnk - H:\Archivos de programa\ECOM\Common\TurboG-UI.exe [2006-12-28 614400]
EPSON Status Monitor 3 Environment Check 2.lnk - H:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE [2007-11-14 127488]
NETGEAR WPN111 Smart Wizard.lnk - H:\Archivos de programa\NETGEAR\WPN111\wpn111.exe [2008-09-20 884838]

[HKLM\~\startupfolder\H:^Documents and Settings^All Users^Menú Inicio^Programas^Inicio^VIA RAID TOOL.lnk]
path=H:\Documents and Settings\All Users\Menú Inicio\Programas\Inicio\VIA RAID TOOL.lnk
backup=H:\WINDOWS\pss\VIA RAID TOOL.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\I downloaded pirated Software from P2P ]
NBA Live 2007 [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mcagent_exe]
--a------ 2007-08-03 23:33 582992 H:\Archivos de programa\McAfee.com\Agent\mcagent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"H:\\Archivos de programa\\ARES\\Ares.exe"=
"H:\\Archivos de programa\\MotoGP2\\motogp2.exe"=
"H:\\WINDOWS\\system32\\rtcshare.exe"=
"H:\\Archivos de programa\\MSN Messenger\\msnmsgr.exe"=
"H:\\Archivos de programa\\MSN Messenger\\livecall.exe"=
"H:\\Archivos de programa\\Archivos comunes\\McAfee\\MNA\\McNASvc.exe"=

S3 DNINDIS5;DNINDIS5 NDIS Protocol Driver;H:\WINDOWS\system32\DNINDIS5.SYS [2003-07-24 17149]
S3 PAC207;VideoCAM GF112;H:\WINDOWS\system32\DRIVERS\pfc027.sys [2005-04-08 162176]
S3 WPN111;Wireless USB 2.0 Adapter with RangeMax Service;H:\WINDOWS\system32\DRIVERS\WPN111.sys [2005-09-26 362944]

*Newly Created Service* - PROCEXP90
.
Contenido de carpeta 'Tareas Programadas'
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-updateMgr - H:\Archivos de programa\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe
HKCU-Run-iqecsiw - h:\documents and settings\user\configuración local\datos de programa\iqecsiw.exe
HKLM-Run-H:\WINDOWS\system32\kdqnw.exe - H:\WINDOWS\system32\kdqnw.exe
HKLM-Run-H:\WINDOWS\system32\kdhvx.exe - H:\WINDOWS\system32\kdhvx.exe
Notify-WgaLogon - (no file)

.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = hxxp://www.google.es/
R0 -: HKCU-Main,Search Page = hxxp://www.google.com
R0 -: HKCU-Main,Search Bar = hxxp://www.google.com/ie
R1 -: HKCU-SearchURL,(Default) = hxxp://www.google.com/search?q=%s
O8 -: E&xportar a Microsoft Excel - H:\ARCHIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O16 -: Microsoft XML Parser for Java - file://H:\WINDOWS\Java\classes\xmldso.cab
H:\WINDOWS\Downloaded Program Files\Microsoft XML Parser for Java.osd
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-20 16:15:48
Windows 5.1.2600 Service Pack 2 NTFS

escaneando procesos ocultos ...

escaneando entradas ocultas de autostart ...

escaneando archivos ocultos ...

el escaneo se completo con exito
archivos ocultos: 0

**************************************************************************
.
Tiempo completado: 2008-09-20 16:16:59
ComboFix-quarantined-files.txt 2008-09-20 14:16:56

Pre-Run: 93.034.496.000 bytes libres
Post-Run: 96,248,139,776 bytes libres

163 --- E O F --- 2007-12-27 17:40:10

For now don't worry about the McAfee remainders with the combofix. Let me go through these logs and I will get back to you ASAP.
Can you also run a new HJT Full System scan, save the log and post it back here so we can get a "new" snapshot of what may be remaining.
Judy

Correction...still getting CID popups and webpage redirects. Bummer!

For now don't worry about the McAfee remainders with the combofix. Let me go through these logs and I will get back to you ASAP.
Can you also run a new HJT Full System scan, save the log and post it back here so we can get a "new" snapshot of what may be remaining.
Judy

Here's the latest HJT log...thanks!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:18:59, on 20/09/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
H:\WINDOWS\System32\smss.exe
H:\WINDOWS\system32\winlogon.exe
H:\WINDOWS\system32\services.exe
H:\WINDOWS\system32\lsass.exe
H:\WINDOWS\system32\Ati2evxx.exe
H:\WINDOWS\system32\svchost.exe
H:\WINDOWS\System32\svchost.exe
H:\WINDOWS\system32\spoolsv.exe
H:\Archivos de programa\Archivos comunes\EPSON\EBAPI\SAgent2.exe
H:\Archivos de programa\Archivos comunes\LightScribe\LSSrvc.exe
H:\ARCHIV~1\McAfee\MSC\mcmscsvc.exe
H:\WINDOWS\system32\Ati2evxx.exe
h:\archivos de programa\archivos comunes\mcafee\mna\mcnasvc.exe
h:\ARCHIV~1\ARCHIV~1\mcafee\mcproxy\mcproxy.exe
H:\Archivos de programa\McAfee\VirusScan\McShield.exe
H:\Archivos de programa\McAfee\MPF\MPFSrv.exe
H:\Archivos de programa\SiteAdvisor\6261\SAService.exe
H:\WINDOWS\System32\PAStiSvc.exe
H:\WINDOWS\system32\svchost.exe
H:\WINDOWS\System32\svchost.exe
H:\ARCHIV~1\McAfee\VIRUSS~1\mcsysmon.exe
H:\ARCHIV~1\McAfee.com\Agent\mcagent.exe
H:\WINDOWS\Explorer.EXE
H:\WINDOWS\SOUNDMAN.EXE
H:\Archivos de programa\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
H:\Archivos de programa\Java\jre1.6.0_07\bin\jusched.exe
H:\Archivos de programa\SiteAdvisor\6261\SiteAdv.exe
H:\Archivos de programa\ATI Technologies\ATI.ACE\CLI.EXE
H:\WINDOWS\system32\ctfmon.exe
H:\Archivos de programa\MSN Messenger\MsnMsgr.Exe
H:\Archivos de programa\Messenger\msmsgs.exe
H:\Archivos de programa\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
H:\Archivos de programa\Internet Explorer\iexplore.exe
H:\Archivos de programa\Internet Explorer\iexplore.exe
H:\Archivos de programa\Archivos comunes\PCSuite\Services\ServiceLayer.exe
H:\Archivos de programa\DesktopEarth\DesktopEarth.exe
H:\Archivos de programa\ATI Technologies\ATI.ACE\cli.exe
H:\Archivos de programa\Trend Micro\HijackThis\Greg.exe
h:\ARCHIV~1\mcafee\msc\mcuimgr.exe
H:\Archivos de programa\Archivos comunes\McAfee\HackerWatch\HWUpdChk.exe
h:\ARCHIV~1\mcafee\msc\mcupdui.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.es/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - H:\Archivos de programa\Archivos comunes\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - H:\Archivos de programa\SiteAdvisor\6261\SiteAdv.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - H:\Archivos de programa\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - H:\Archivos de programa\McAfee\VirusScan\scriptsn.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - H:\Archivos de programa\Archivos comunes\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - h:\archivos de programa\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - H:\Archivos de programa\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - h:\archivos de programa\google\googletoolbar3.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - H:\Archivos de programa\SiteAdvisor\6261\SiteAdv.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ATICCC] "H:\Archivos de programa\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [RemoteControl] "H:\Archivos de programa\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] H:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "H:\Archivos de programa\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [PCSuiteTrayApplication] H:\ARCHIV~1\Nokia\NOKIAP~1\LAUNCH~1.EXE -startup
O4 - HKLM\..\Run: [SiteAdvisor] "H:\Archivos de programa\SiteAdvisor\6261\SiteAdv.exe"
O4 - HKLM\..\Run: [close surf mail dupe] H:\Documents and Settings\All Users\Datos de programa\Tick Find Close Surf\Play Send.exe
O4 - HKLM\..\Run: [mcagent_exe] H:\Archivos de programa\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKCU\..\Run: [CTFMON.EXE] H:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "H:\Archivos de programa\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "H:\Archivos de programa\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [junk peak] H:\DOCUME~1\user\DATOSD~1\grimfrag\TwoEach.exe
O4 - HKCU\..\Run: [swg] H:\Archivos de programa\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] H:\WINDOWS\system32\CTFMON.EXE (User 'SERVICIO LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] H:\WINDOWS\system32\CTFMON.EXE (User 'Servicio de red')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] H:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] H:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Babelbox.lnk = H:\Archivos de programa\beon Widgets\Babelbox\LoaderBeon.exe
O4 - Startup: DesktopEarth AutoStart.lnk = ?
O8 - Extra context menu item: E&xportar a Microsoft Excel - res://H:\ARCHIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - H:\Archivos de programa\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Consola de Sun Java - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - H:\Archivos de programa\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Referencia - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - H:\ARCHIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - H:\Archivos de programa\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - H:\Archivos de programa\Messenger\msmsgs.exe
O12 - Plugin for .spop: H:\Archivos de programa\Internet Explorer\Plugins\NPDocBox.dll
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - H:\Archivos de programa\Ares\chatServer.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - H:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - H:\WINDOWS\system32\ati2sgag.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - H:\Archivos de programa\Archivos comunes\EPSON\EBAPI\SAgent2.exe
O23 - Service: Google Updater Service (gusvc) - Google - H:\Archivos de programa\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - H:\Archivos de programa\Archivos comunes\LightScribe\LSSrvc.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - H:\ARCHIV~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - h:\archivos de programa\archivos comunes\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - H:\ARCHIV~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - h:\ARCHIV~1\ARCHIV~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - H:\Archivos de programa\McAfee\VirusScan\McShield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - H:\ARCHIV~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - H:\Archivos de programa\McAfee\MPF\MPFSrv.exe
O23 - Service: ServiceLayer - Nokia. - H:\Archivos de programa\Archivos comunes\PCSuite\Services\ServiceLayer.exe
O23 - Service: Servicio SiteAdvisor (SiteAdvisor Service) - Unknown owner - H:\Archivos de programa\SiteAdvisor\6261\SAService.exe
O23 - Service: STI Simulator - Unknown owner - H:\WINDOWS\System32\PAStiSvc.exe
O24 - Desktop Component 0: (no name) - http://tbn0.google.com/images?q=tbn:w_Qins85EQg8WM:http://www.withfriendship.com/user/images/380/Undertaker2.jpg

--
End of file - 8499 bytes

I am still going through your combofix log, but let's try a fix using HJT and see how that goes.
First you should do the following;
You may want to print out these instructions and save them in notepad on the desktop because part of the time you are going to be in Safe mode and won't be able to access this site;

Boot into safe mode, under your normal user name(NOT THE ADMINISTRATOR ACCOUNT).
Using the F8 Method

1. Restart your computer.
2. When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point you should gently tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
3. Select the option for Safe Mode using the arrow keys.
4. Then press enter on your keyboard to boot into Safe Mode.
5. Do whatever tasks you require and when you are done reboot to boot back into normal mode.

Enable Viewing of Hidden Files and Folders
1. Click Start.
2. Open My Computer.
3. Select the Tools menu and click Folder Options.
4. Select the View Tab.
5. Under the Hidden files and folders heading select Show hidden files and folders.
6. Uncheck the Hide protected operating system files (recommended) option.
7. Click Yes to confirm.
8. Click OK.

Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

Click on the processes tab and end process for(if there).
iexplore.exe (if two show then end both)
Play Send.exe
TwoEach.exe

Close task manager.
Run HJT with no other programs open(except notepad). Click the scan button. Have HJT fix the following, by placing a check mark in the little box next to the following(if there);

O4 - HKLM\..\Run: [close surf mail dupe] H:\Documents and Settings\All Users\Datos de programa\Tick Find Close Surf\Play Send.exe
O4 - HKCU\..\Run: [junk peak] H:\DOCUME~1\user\DATOSD~1\grimfrag\TwoEach.exe

Click on the fix checked button.

Close HJT.

Now search for and delete the following bold files and/or directories(if there).

H:\Documents and Settings\All Users\Datos de programa\Tick Find Close Surf\<Delete the entire folder in bold.

H:\DOCUMENTS & SETTINGS\user\DATOSD~1\grimfrag\<Delete the entire folder in bold.
Reboot into normal mode and rehide your protected OS files.

Post a fresh HJT log
Meanwhile I am still going through that combofix log and will get back on that.
Judy

I also would like you to generate and Uninstall list using HJT and post it here. To do this do the following;
1. Start HijackThis
2. Click on the Config button
3. Click on the Misc Tools button
4. Click on the Open Uninstall Manager button.
Click on the Save list... button and specify where you would like to save this file. the desktop is the easiest place. When you press Save button a notepad will open with the contents of that file. Simply copy and paste the contents of that notepad back here.

I also would like you to generate and Uninstall list using HJT and post it here. To do this do the following;
1. Start HijackThis
2. Click on the Config button
3. Click on the Misc Tools button
4. Click on the Open Uninstall Manager button.
Click on the Save list... button and specify where you would like to save this file. the desktop is the easiest place. When you press Save button a notepad will open with the contents of that file. Simply copy and paste the contents of that notepad back here.

Ok, I used HJT to remove the two entries you identified and deleted the two directories stated in your previous instructions. Also, here's a fresh HJT log and the Uninstall List you requested. Thanks again for all your help!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:15:09, on 20/09/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
H:\WINDOWS\System32\smss.exe
H:\WINDOWS\system32\winlogon.exe
H:\WINDOWS\system32\services.exe
H:\WINDOWS\system32\lsass.exe
H:\WINDOWS\system32\Ati2evxx.exe
H:\WINDOWS\system32\svchost.exe
H:\WINDOWS\System32\svchost.exe
H:\WINDOWS\system32\spoolsv.exe
H:\Archivos de programa\Archivos comunes\EPSON\EBAPI\SAgent2.exe
H:\Archivos de programa\Archivos comunes\LightScribe\LSSrvc.exe
H:\ARCHIV~1\McAfee\MSC\mcmscsvc.exe
H:\WINDOWS\system32\Ati2evxx.exe
h:\archivos de programa\archivos comunes\mcafee\mna\mcnasvc.exe
h:\ARCHIV~1\ARCHIV~1\mcafee\mcproxy\mcproxy.exe
H:\Archivos de programa\McAfee\VirusScan\McShield.exe
H:\Archivos de programa\McAfee\MPF\MPFSrv.exe
H:\Archivos de programa\SiteAdvisor\6261\SAService.exe
H:\WINDOWS\System32\PAStiSvc.exe
H:\WINDOWS\system32\svchost.exe
H:\WINDOWS\Explorer.EXE
H:\ARCHIV~1\McAfee.com\Agent\mcagent.exe
H:\WINDOWS\SOUNDMAN.EXE
H:\Archivos de programa\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
H:\Archivos de programa\Java\jre1.6.0_07\bin\jusched.exe
H:\Archivos de programa\ATI Technologies\ATI.ACE\CLI.EXE
H:\Archivos de programa\SiteAdvisor\6261\SiteAdv.exe
H:\WINDOWS\system32\ctfmon.exe
H:\Archivos de programa\Messenger\msmsgs.exe
H:\Archivos de programa\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
H:\WINDOWS\System32\svchost.exe
H:\Archivos de programa\Archivos comunes\PCSuite\Services\ServiceLayer.exe
H:\Archivos de programa\DesktopEarth\DesktopEarth.exe
H:\Archivos de programa\ATI Technologies\ATI.ACE\cli.exe
H:\WINDOWS\system32\wuauclt.exe
H:\ARCHIV~1\McAfee\VIRUSS~1\mcsysmon.exe
H:\Archivos de programa\Trend Micro\HijackThis\Greg.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.es/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - H:\Archivos de programa\Archivos comunes\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - H:\Archivos de programa\SiteAdvisor\6261\SiteAdv.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - H:\Archivos de programa\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - H:\Archivos de programa\McAfee\VirusScan\scriptsn.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - H:\Archivos de programa\Archivos comunes\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - h:\archivos de programa\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - H:\Archivos de programa\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - h:\archivos de programa\google\googletoolbar3.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - H:\Archivos de programa\SiteAdvisor\6261\SiteAdv.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ATICCC] "H:\Archivos de programa\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [RemoteControl] "H:\Archivos de programa\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] H:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "H:\Archivos de programa\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [PCSuiteTrayApplication] H:\ARCHIV~1\Nokia\NOKIAP~1\LAUNCH~1.EXE -startup
O4 - HKLM\..\Run: [SiteAdvisor] "H:\Archivos de programa\SiteAdvisor\6261\SiteAdv.exe"
O4 - HKLM\..\Run: [mcagent_exe] H:\Archivos de programa\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKCU\..\Run: [CTFMON.EXE] H:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "H:\Archivos de programa\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "H:\Archivos de programa\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] H:\Archivos de programa\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] H:\WINDOWS\system32\CTFMON.EXE (User 'SERVICIO LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] H:\WINDOWS\system32\CTFMON.EXE (User 'Servicio de red')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] H:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] H:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Babelbox.lnk = H:\Archivos de programa\beon Widgets\Babelbox\LoaderBeon.exe
O4 - Startup: DesktopEarth AutoStart.lnk = ?
O8 - Extra context menu item: E&xportar a Microsoft Excel - res://H:\ARCHIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - H:\Archivos de programa\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Consola de Sun Java - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - H:\Archivos de programa\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Referencia - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - H:\ARCHIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - H:\Archivos de programa\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - H:\Archivos de programa\Messenger\msmsgs.exe
O12 - Plugin for .spop: H:\Archivos de programa\Internet Explorer\Plugins\NPDocBox.dll
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - H:\Archivos de programa\Ares\chatServer.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - H:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - H:\WINDOWS\system32\ati2sgag.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - H:\Archivos de programa\Archivos comunes\EPSON\EBAPI\SAgent2.exe
O23 - Service: Google Updater Service (gusvc) - Google - H:\Archivos de programa\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - H:\Archivos de programa\Archivos comunes\LightScribe\LSSrvc.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - H:\ARCHIV~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - h:\archivos de programa\archivos comunes\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - H:\ARCHIV~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - h:\ARCHIV~1\ARCHIV~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - H:\Archivos de programa\McAfee\VirusScan\McShield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - H:\ARCHIV~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - H:\Archivos de programa\McAfee\MPF\MPFSrv.exe
O23 - Service: ServiceLayer - Nokia. - H:\Archivos de programa\Archivos comunes\PCSuite\Services\ServiceLayer.exe
O23 - Service: Servicio SiteAdvisor (SiteAdvisor Service) - Unknown owner - H:\Archivos de programa\SiteAdvisor\6261\SAService.exe
O23 - Service: STI Simulator - Unknown owner - H:\WINDOWS\System32\PAStiSvc.exe
O24 - Desktop Component 0: (no name) - http://tbn0.google.com/images?q=tbn:w_Qins85EQg8WM:http://www.withfriendship.com/user/images/380/Undertaker2.jpg

--
End of file - 8014 bytes

UNINSTALL LIST
Actualización de seguridad para el Reproductor de Windows Media (KB911564)
Actualización de seguridad para el Reproductor de Windows Media 6.4 (KB925398)
Actualización de seguridad para el Reproductor de Windows Media 9 (KB917734)
Actualización de seguridad para el Reproductor de Windows Media 9 (KB936782)
Actualización de seguridad para Windows XP (KB893756)
Actualización de seguridad para Windows XP (KB896358)
Actualización de seguridad para Windows XP (KB896423)
Actualización de seguridad para Windows XP (KB896424)
Actualización de seguridad para Windows XP (KB896428)
Actualización de seguridad para Windows XP (KB899587)
Actualización de seguridad para Windows XP (KB899591)
Actualización de seguridad para Windows XP (KB900725)
Actualización de seguridad para Windows XP (KB901017)
Actualización de seguridad para Windows XP (KB901214)
Actualización de seguridad para Windows XP (KB902400)
Actualización de seguridad para Windows XP (KB904706)
Actualización de seguridad para Windows XP (KB905414)
Actualización de seguridad para Windows XP (KB905749)
Actualización de seguridad para Windows XP (KB908519)
Actualización de seguridad para Windows XP (KB911562)
Actualización de seguridad para Windows XP (KB911927)
Actualización de seguridad para Windows XP (KB912919)
Actualización de seguridad para Windows XP (KB913580)
Actualización de seguridad para Windows XP (KB914388)
Actualización de seguridad para Windows XP (KB914389)
Actualización de seguridad para Windows XP (KB917344)
Actualización de seguridad para Windows XP (KB917422)
Actualización de seguridad para Windows XP (KB917953)
Actualización de seguridad para Windows XP (KB918118)
Actualización de seguridad para Windows XP (KB918439)
Actualización de seguridad para Windows XP (KB919007)
Actualización de seguridad para Windows XP (KB920213)
Actualización de seguridad para Windows XP (KB920670)
Actualización de seguridad para Windows XP (KB920683)
Actualización de seguridad para Windows XP (KB920685)
Actualización de seguridad para Windows XP (KB921398)
Actualización de seguridad para Windows XP (KB921503)
Actualización de seguridad para Windows XP (KB922616)
Actualización de seguridad para Windows XP (KB922819)
Actualización de seguridad para Windows XP (KB923191)
Actualización de seguridad para Windows XP (KB923414)
Actualización de seguridad para Windows XP (KB923689)
Actualización de seguridad para Windows XP (KB923694)
Actualización de seguridad para Windows XP (KB923789)
Actualización de seguridad para Windows XP (KB923980)
Actualización de seguridad para Windows XP (KB924191)
Actualización de seguridad para Windows XP (KB924270)
Actualización de seguridad para Windows XP (KB924496)
Actualización de seguridad para Windows XP (KB924667)
Actualización de seguridad para Windows XP (KB925454)
Actualización de seguridad para Windows XP (KB925902)
Actualización de seguridad para Windows XP (KB926255)
Actualización de seguridad para Windows XP (KB926436)
Actualización de seguridad para Windows XP (KB927779)
Actualización de seguridad para Windows XP (KB927802)
Actualización de seguridad para Windows XP (KB928090)
Actualización de seguridad para Windows XP (KB928255)
Actualización de seguridad para Windows XP (KB928843)
Actualización de seguridad para Windows XP (KB929123)
Actualización de seguridad para Windows XP (KB929969)
Actualización de seguridad para Windows XP (KB930178)
Actualización de seguridad para Windows XP (KB931261)
Actualización de seguridad para Windows XP (KB931768)
Actualización de seguridad para Windows XP (KB931784)
Actualización de seguridad para Windows XP (KB932168)
Actualización de seguridad para Windows XP (KB933566)
Actualización de seguridad para Windows XP (KB933729)
Actualización de seguridad para Windows XP (KB935839)
Actualización de seguridad para Windows XP (KB935840)
Actualización de seguridad para Windows XP (KB936021)
Actualización de seguridad para Windows XP (KB937143)
Actualización de seguridad para Windows XP (KB937894)
Actualización de seguridad para Windows XP (KB938127)
Actualización de seguridad para Windows XP (KB938829)
Actualización de seguridad para Windows XP (KB939653)
Actualización de seguridad para Windows XP (KB941202)
Actualización de seguridad para Windows XP (KB941568)
Actualización de seguridad para Windows XP (KB941569)
Actualización de seguridad para Windows XP (KB942615)
Actualización de seguridad para Windows XP (KB943460)
Actualización de seguridad para Windows XP (KB944653)
Actualización para Windows XP (KB894391)
Actualización para Windows XP (KB898461)
Actualización para Windows XP (KB900485)
Actualización para Windows XP (KB908531)
Actualización para Windows XP (KB910437)
Actualización para Windows XP (KB911280)
Actualización para Windows XP (KB916595)
Actualización para Windows XP (KB920872)
Actualización para Windows XP (KB922582)
Actualización para Windows XP (KB927891)
Actualización para Windows XP (KB929338)
Actualización para Windows XP (KB930916)
Actualización para Windows XP (KB931836)
Actualización para Windows XP (KB933360)
Actualización para Windows XP (KB936357)
Actualización para Windows XP (KB938828)
Actualización para Windows XP (KB942763)
Actualización para Windows XP (KB942840)
Actualización para Windows XP (KB946627)
Adobe Acrobat 4.0
Adobe Acrobat 5.0
Adobe Acrobat and Reader 8.1.2 Security Update 1 (KB403742)
Adobe Flash Player 9 ActiveX
Adobe Flash Player ActiveX
Adobe Reader 8.1.2
Adobe Shockwave Player 11
Adobe® Photoshop® Album Starter Edition 3.2
ArcSoft PhotoStudio 2000
Ares 2.0.8
ATI - Utilidad de desinstalación de software
ATI Catalyst Control Center
ATI Display Driver
ATI Parental Control & Encoder
AVIVO Codecs
Canon CanoCraft CS-P 3.8
Canon ScanGear Toolbox CS 2.2
Compresor WinRAR
Crazy Taxi 3
Cross Racing Championship 2005
DesktopEarth
DVD Solution
EA SPORTS online 2007
ECOM Turbo-G Wireless
eMule
Enciclopedia Multimedia
FlightGear v0.9.10
FotoAlbum Digital
Frets On Fire
Google Earth
Google Toolbar for Internet Explorer
GT Interactive - Driver
GTA2
HijackThis 2.0.2
Imperivm - Las Grandes Batallas de Roma
Java(TM) 6 Update 3
Java(TM) 6 Update 5
Java(TM) 6 Update 7
LEGO TECHNIC Bionicle Nestlé
Línea Abierta Auxiliares
Malwarebytes' Anti-Malware
Marvell Miniport Driver
McAfee SecurityCenter
Messenger Plus! Live & Sponsor (CiD)
Microsoft .NET Framework 2.0
Microsoft Office Professional Edition 2003
Microsoft Word Viewer 97
MotoGP2
MSN
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
Multimedia Launcher
Need For Speed - Porsche 2000
Need For Speed III
Need for Speed™ Most Wanted
Nero OEM
Nokia Connectivity Cable Driver
Nokia PC Connectivity Solution
Nokia PC Suite
OmniPage Pro 9.0
OpenOffice.org Installer 1.0
PowerDVD
QuickTime
Realtek AC'97 Audio
Revisión de Windows XP - KB873339
Revisión de Windows XP - KB885835
Revisión de Windows XP - KB885836
Revisión de Windows XP - KB886185
Revisión de Windows XP - KB887472
Revisión de Windows XP - KB888302
Revisión de Windows XP - KB890859
Revisión de Windows XP - KB891781
Scan Manager 5.2
Security Update para Microsoft .NET Framework 2.0 (KB928365)
Software de impresora EPSON
Spider-Man (tm) Movie
Total Immersion Racing
Urban Chaos
VIA Administrador de dispositivos de plataforma
VideoCAM GF112
Virtual DJ - Atomix Productions
Windows Driver Package - Nokia Modem (06/12/2006 6.81.0.21)
Windows Installer 3.1 (KB893803)
Windows Live Messenger
Windows Live OneCare safety scanner
Windows Live Sign-in Assistant
WWII Battle of Britain

Ok, still going through these new submissions. Update MBA-M and run it again and have it fix whatever it finds.
Also please run ESET Online Scanner and have it fix what it finds.
You will need to use Internet Explorer to to complete this scan.
You will need to temporarily Disable your current Anti-virus program. If you cannot get this to turn off, see if you can use Task Manager to do so by ending the following processes;
mcproxy.exe
McShield.exe
MPFSrv.exe
SAService.exe
mcagent.exe
SiteAdv.exe
mcsysmon.exe

Be sure the option to Remove found threats is checked at this time and the option to Scan unwanted applications is Checked.
When you have completed that scan, a scanlog ought to have been created and located at C:\Program Files\EsetOnlineScanner\log.txt.
Reboot the computer, and be certain the McAfee is running properly.
Please post that log for us along with that new MBA-M log.
Judy

Ok Judy, logs from MBA-M and ESET are posted below. I was finally able to disable McAfee so results will hopefully be positive.

Malwarebytes' Anti-Malware 1.28
Database version: 1182
Windows 5.1.2600 Service Pack 2

20/09/2008 21:53:20
mbam-log-2008-09-20 (21-53-20).txt

Scan type: Full Scan (H:\|)
Objects scanned: 132775
Time elapsed: 48 minute(s), 18 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

ESET LOG:

# version=4
# OnlineScanner.ocx=1.0.0.635
# OnlineScannerDLLA.dll=1, 0, 0, 79
# OnlineScannerDLLW.dll=1, 0, 0, 78
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=3457 (20080919)
# vers_arch_module=1.064 (20080214)
# vers_adv_heur_module=1.066 (20070917)
# EOSSerial=a480d5ef5796314d963a2fbbf185ea6f
# end=finished
# remove_checked=true
# unwanted_checked=true
# utc_time=2008-09-20 09:10:37
# local_time=2008-09-20 11:10:37 (+0100, Hora estándar romance)
# country="Spain"
# osver=5.1.2600 NT Service Pack 2
# scanned=311825
# found=5
# scan_time=2520
H:\System Volume Information\_restore{C9201CCA-C68F-4092-A78D-D026CCB7DACB}\RP385\A0037568.dll Win32/Adware.HotBar application (unable to clean - deleted) 00000000000000000000000000000000
H:\System Volume Information\_restore{C9201CCA-C68F-4092-A78D-D026CCB7DACB}\RP385\A0037569.exe Win32/Adware.Comet application (deleted) 00000000000000000000000000000000
H:\System Volume Information\_restore{C9201CCA-C68F-4092-A78D-D026CCB7DACB}\RP385\A0037569.exe »NSIS »Minijuegos.dll Win32/Adware.Comet application (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
H:\System Volume Information\_restore{C9201CCA-C68F-4092-A78D-D026CCB7DACB}\RP385\A0037571.exe Win32/Adware.Comet application (deleted) 00000000000000000000000000000000
H:\System Volume Information\_restore{C9201CCA-C68F-4092-A78D-D026CCB7DACB}\RP385\A0037571.exe »NSIS »Minijuegos.dll Win32/Adware.Comet application (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000

Hi Jonnie, I believe things look much better, in both logs. Items found by the ESET scanner were only in system restore, which I will tell you how to reset in a moment.
You should uninstall combofix as you will not need it anymore. To do so follow these instructions;

Click START then RUN
Now type Combofix /u in the runbox and click OK. Note the space between the X and the U, it needs to be there.
When shown the disclaimer, Select "2"

You can also delete HiJackThis. If you need it again, hopefully you won't, you can download the newest version.

You can uninstall the older versions of Java, you only need the current one 6 update 7.
Java(TM) 6 Update 3
Java(TM) 6 Update 5

Two programs I feel should be removed, though your nephew may disagree, are
ARES
eMule

Why you may ask? These are P2P file sharing programs and very possibly the cause of the infections. I am not suggesting this without reason. P2P programs open a direct line onto your computer, security measures are easily avoided, and Malware writers use them to spread their nasty infections onto your computer. Add to that, if your P2P program is not configured correctly you may be sharing more files than you intended, passwords, address books, personal information like bank account info can be exposed by a badly configured program.
Many of the entries removed were the Trojan.DNSChanger that changes the DNS servers on your machine to point to their own server, where they can direct you to any site they want.

Many of the programs come bundled with other unwanted programs, but even the ones free of any bundled software are not safe to use.
A huge amount of the malware removed was located in the Ares Program folder.

When a person uses these he is downloading software from an unknown source and generally they bypass the anti-virus program and firewall. PLUS most often P2P file sharing is a way to obtain programs which normally are PAID programs for FREE...copyrighted material...this can be considered a crime. Take a look at one of the registry listings which showed in the combofix log;

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\I downloaded pirated Software from P2P ]
NBA Live 2007 [X]

What does that tell you?
I would strongly recommend that you UNINSTALL those two programs.
In the last two weeks I have worked on many threads here and at two other forums and I can honestly say that at least 3/4 of those infected computers had, at the very least, two P2P file sharing programs on them AND the two hardest ones to clean up I found out near the end of the clean up that the persons were actually using the programs to share files while attempting to run some of the clean up programs and couldn't understand why they didn't work! Enough said.

KEEP the Malwarebytes' Anti-Malware program. Use it weekly at least for scanning for malware. BE CERTAIN to UPDATE BEFORE each scan. Do as you have here, have it remove everything it finds.

I would also recommend that you also install the ATF-Cleaner by Atibune to help clean out temp files. It is fast and easy to use FREE too.
I would also recommend Spybot, which you say you have used. Keep it updated and run it at least weekly also, fixing whatever it finds. DON'T however use the TeaTimer portion of the program.
Another MUST HAVE is SpywareBlaster. It too is FREE and the great thing about it is that it does NOT run in the background. To quote from their website;

The most important step you can take is to secure your system. And SpywareBlaster is the most powerful protection program available.

* Prevent the installation of ActiveX-based spyware, adware, browser hijackers, dialers, and other potentially unwanted software.
* Block spyware/tracking cookies in Internet Explorer and Mozilla Firefox.
* Restrict the actions of potentially unwanted sites in Internet Explorer.

I can say from experience it really works.
Be sure to enable the Restricted Sites portion of the program too.

I would also recommend that you Defrag the computer, especially since so many nasty items were removed there may be a lot of fragmented sections on the drive.
You can use the built in Defragger or I like to use the FREE program

Auslogics Disk Defrag Very simple and easy to use. Be sure to clean out temp files before using this.

Keep the anti-virus program updated and scan at least weekly with it.

Finally, reset your System Restore. This will set a new, clean restore point on the computer.
Right Click My Computer. Choose Properties.
When System Properties opens click on the System Restore Tab.
Place a check mark in Turn Off System Restore. Click Ok. You will get a notification that System Restore is shutting down. Click Ok. It will then Shut Down. Wait a moment and then go back in there and Take Out the check mark. System Restore will then turn back on.
Hopefully the system is running smoother. Let us know.
Judy

Uninstall Messenger Plus as it comes bundled with LOP, the infection you currently enjoy :). You can reinstall Messenger Plus without the sponsor.

Thanks for everything, Judy! It appears my nephew's computer is finally free of the annoying CID popups. Will definitely talk to him about your recommendations and make sure he has the applicable protection installed and up to date.

Uninstall Messenger Plus as it comes bundled with LOP, the infection you currently enjoy :). You can reinstall Messenger Plus without the sponsor.

Heavens crunchie! I didn't even SEE that in there....:$ I am SOOOO glad you monitor these threads!
Thank You!!!!

No worries :). Hopefully the OP saw my post.

Uninstall Messenger Plus as it comes bundled with LOP, the infection you currently enjoy :). You can reinstall Messenger Plus without the sponsor.

I noticed this as well after the fact. Since it appears the malware that apparently came from Messenger Plus has already been removed, is it worth uninstalling and reinstalling the program at this point? I'd hate to go through the trouble of taking over my nephew's computer for an evening if it's not actually necessary. Thoughts?

If it has all ready been removed then no. Just forget about reinstall. If he asks, then either follow Crunchie's advice about installing without the sponsor, or just say it comes with infections and that is why it is gone and let it go at that.
Sorry I missed that one by the way.
Judy