[Greed]

Ok! I do see this post elsewhere in the forums and I thought it best to start my own topic simply because I think it to be a bit unique for each person. Or at least some aspects of it. Anyway, I am not able to access windows explorer or my C drive without using the RUN command. Not am I able to access task manager until I set the value in GPGedit. I have run adaware, spybot, avira and TrendMicro housecall. I just downloaded SDfix and HiJackThis. If anyone can help me that would be super awesome. I dont want to start over ;.;

Thanks!

[Advertisements]

Hi there

If possible just run the tools I ask you to for now as it can make this pretty confusing otherwise.

Please go here to install the recovery console and for a guide on using combofix.
Please note: Installing the Recovery Console plays a vital part in making this process of cleaning your computer safe, don't overlook this!

Now please download combofix from here or here. It is important that you save this file to your desktop.

Double click combofix.exe and follow the prompts. Please, never rename Combofix unless instructed.
When finished, it shall produce a log for you. Post that log and a Hijack This log in your next reply.

A quick heads up, if you click on combofix's window when it's running, you may cause it to stall.

[Mike]

Hi there

If possible just run the tools I ask you to for now as it can make this pretty confusing otherwise.

Please go here to install the recovery console and for a guide on using combofix.
Please note: Installing the Recovery Console plays a vital part in making this process of cleaning your computer safe, don't overlook this!

Now please download combofix from here or here. It is important that you save this file to your desktop.

Double click combofix.exe and follow the prompts. Please, never rename Combofix unless instructed.
When finished, it shall produce a log for you. Post that log and a Hijack This log in your next reply.

A quick heads up, if you click on combofix's window when it's running, you may cause it to stall.

[Greed]

I appriciate the help, the problem is that I do not have my windows XP CD at the moment. So it might have to wait until later tonight after work to either find/borrow an XP cd to get the console. Once that is done I will follow the rest of the steps so we can get this corrected.

[Mike]

Hi there, in the guide there is a way to install it through ComboFix,
Go to Microsoft's website => http://support.microsoft.com/kb/310994
Select the download that's appropriate for your Operating System




Download the file & save it as it's originally named, next to ComboFix.exe.






Now close all open windows and programs, including all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

• Drag the setup package onto ComboFix.exe and drop it.
  
  
• Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console.
  
  
• At the next prompt, click 'Yes' to run the full ComboFix scan.
  
  
  
  
• When the tool is finished, it will produce a report for you.

Please post the C:\ComboFix.txt along with a new HijackThis log for further review.

[Greed]

Hey! I got home and dug out my windows CD and it says that the version of windows on my PC is newer than my CD and will not let me install the recovery console. x.x What do I do?

[Greed]

Ok sorry, forgot to refresh! Got your instructions mike, installing the console and then running combofix and hijackthis. Logs pending.

[Greed]

Ok, here is the Combofix log


ComboFix 08-08-06.02 - Greed 2008-08-06 22:19:05.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.590 [GMT -6:00]
Running from: C:\Documents and Settings\Greed\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Greed\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\Documents and Settings\Greed\Application Data\macromedia\Flash Player\#SharedObjects\RA6FDPVW\interclick.com
C:\Documents and Settings\Greed\Application Data\macromedia\Flash Player\#SharedObjects\RA6FDPVW\interclick.com\ud.sol
C:\Documents and Settings\Greed\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com
C:\Documents and Settings\Greed\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com\settings.sol
C:\Documents and Settings\Greed\Desktop\Error Cleaner.url
C:\Documents and Settings\Greed\Desktop\Privacy Protector.url
C:\Documents and Settings\Greed\Desktop\Spyware&Malware Protection.url
C:\Documents and Settings\Greed\Favorites\Error Cleaner.url
C:\Documents and Settings\Greed\Favorites\Privacy Protector.url
C:\Documents and Settings\Greed\Favorites\Spyware&Malware Protection.url
C:\WINDOWS\bgrqfetx.dll
C:\WINDOWS\cookies.ini
C:\WINDOWS\eefq.exe
C:\WINDOWS\system32\cxumqcjp.dll
C:\WINDOWS\system32\cxwwfy.dll
C:\WINDOWS\system32\jkkhfCsT.dll
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\spphetvk.dll
C:\WINDOWS\system32\ugnzhx.dll
C:\WINDOWS\system32\UwGiRqss.ini
C:\WINDOWS\system32\UwGiRqss.ini2
C:\WINDOWS\system32\xaftmdjy.ini
C:\WINDOWS\tfnslopk.dll
C:\WINDOWS\wnlmdakqpmr.dll
C:\WINDOWS\xokvrpwg.dll

----- BITS: Possible infected sites -----

http://ccp.vo.llnwd.net
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_IPRIP
-------\Service_Iprip


((((((((((((((((((((((((( Files Created from 2008-07-07 to 2008-08-07 )))))))))))))))))))))))))))))))
.

2008-08-05 15:32 . 2008-08-05 15:32 <DIR> d-------- C:\Program Files\Lavasoft
2008-08-05 15:32 . 2008-08-05 15:35 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-08-05 15:14 . 2008-08-05 15:14 <DIR> d-------- C:\Program Files\Trend Micro
2008-08-05 15:00 . 2008-08-06 22:38 36 --a------ C:\WINDOWS\system32\drivers\Ids_cfg.dat
2008-08-05 12:24 . 2008-08-05 12:24 <DIR> d-------- C:\Documents and Settings\Administrator
2008-08-05 11:36 . 2008-08-05 11:36 <DIR> d--h----- C:\WINDOWS\system32\GroupPolicy
2008-08-05 00:55 . 2008-08-05 00:55 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AdobeUM
2008-08-04 22:29 . 2008-08-04 22:28 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-08-04 22:22 . 2008-08-04 22:22 99,200 --a------ C:\WINDOWS\system32\yjdmtfax.VIR000
2008-08-04 08:34 . 2008-08-04 08:34 323,328 --a------ C:\WINDOWS\system32\ssqRiGwU.VIR000
2008-08-04 08:28 . 2008-08-04 05:01 86,016 --a------ C:\WINDOWS\lnvegaow.exe
2008-08-04 08:28 . 2008-08-04 08:28 34,176 --a------ C:\WINDOWS\system32\khfGyVmN.VIR
2008-08-02 14:37 . 2008-08-02 14:37 <DIR> d-------- C:\Program Files\Sierra
2008-08-01 12:47 . 2008-08-01 12:47 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-08-01 12:47 . 2008-08-01 12:47 1,409 --a------ C:\WINDOWS\QTFont.for
2008-07-22 16:10 . 2008-07-22 16:10 <DIR> d-------- C:\WINDOWS\San Andreas Mod Installer
2008-07-21 22:37 . 2008-07-21 22:38 <DIR> d-------- C:\vcs5core
2008-07-21 22:37 . 2008-07-21 22:37 <DIR> d-------- C:\vcs5BGEffects
2008-07-21 22:37 . 2008-07-21 22:37 <DIR> d-------- C:\AV_LOGS
2008-07-21 17:12 . 2008-07-21 17:12 <DIR> d-------- C:\Program Files\Rockstar Games

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-07 04:36 214,208 ----a-w C:\WINDOWS\system32\drivers\kmxcfg.u2k
2008-08-07 00:21 --------- d-----w C:\Documents and Settings\All Users\Application Data\AntiVir PersonalEdition Classic
2008-08-06 14:25 --------- d-----w C:\Program Files\Steam
2008-08-06 02:12 1,004,032 ----a-w C:\WINDOWS\system32\AutoPartNt.exe
2008-08-05 21:31 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-08-05 21:13 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-08-02 20:45 108,144 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
2008-08-02 20:37 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-07-14 02:59 --------- d-----w C:\Program Files\EA GAMES
2008-06-21 06:08 --------- d-----w C:\Documents and Settings\Greed\Application Data\EVEMon
2008-06-21 04:50 --------- d-----w C:\Program Files\EVEMon
2008-06-17 18:07 --------- d-----w C:\Documents and Settings\All Users\Application Data\CCP
2008-06-17 17:51 --------- d-----w C:\Program Files\CCP
2008-05-16 17:58 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2007-11-04 01:54 354 -c--a-w C:\Program Files\INSTALL.LOG
2007-01-07 05:30 1 -c--a-w C:\Documents and Settings\Greed\SI.bin
2003-12-18 18:33 20,102 -c--a-w C:\Program Files\Readme.txt
2003-09-03 14:46 10,960 -c--a-w C:\Program Files\EULA.txt
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AMonitor"="C:\Program Files\Tiny Firewall Pro\amon.exe" [2005-08-11 12:12 561152]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:56 15360]
"Steam"="c:\program files\steam\steam.exe" [2008-04-02 21:07 1271032]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 14:39 1289000]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2007-09-18 08:16 171464]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LinksysDiag"="C:\Program Files\Linksys\LinksysDiag\LinksysDiag" [X]
"TrueImageMonitor.exe"="C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe" [2005-09-29 19:12 976085]
"Acronis Scheduler2 Service"="C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe" [2005-09-29 19:12 118784]
"avgnt"="C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" [2008-07-17 18:25 266497]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-08-11 14:43 7630848]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-08-11 14:43 86016]
"CTHelper"="CTHELPER.EXE" [2005-12-08 13:06 16384 C:\WINDOWS\CTHELPER.EXE]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2006-03-28 18:38 94208 C:\WINDOWS\KHALMNPR.Exe]
"nwiz"="nwiz.exe" [2006-08-11 14:43 1519616 C:\WINDOWS\system32\nwiz.exe]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe [2006-03-13 23:33:14 573440]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoFavoritesMenu"= 1 (0x1)
"NoRecentDocsNetHood"= 1 (0x1)
"NoSMHelp"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoFavoritesMenu"= 1 (0x1)
"NoRecentDocsNetHood"= 1 (0x1)
"NoSMHelp"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PFW]
2005-07-12 00:26 73728 C:\WINDOWS\system32\UmxWNP.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=UmxSbxExw.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 relog_ap

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
--a------ 2007-09-18 08:16 171464 C:\Program Files\DAEMON Tools\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
--a------ 2008-04-02 21:07 1271032 C:\Program Files\Steam\steam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TinyFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\BitLord\\BitLord.exe"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"C:\\Program Files\\Steam\\SteamApps\\demoniccalhoon\\counter-strike source\\hl2.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\Program Files\Microsoft ActiveSync\rapimgr.exe"= C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"C:\Program Files\Microsoft ActiveSync\wcescomm.exe"= C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"C:\Program Files\Microsoft ActiveSync\WCESMgr.exe"= C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"C:\\Program Files\\Sierra\\FEAR\\FEAR.exe"=
"C:\\Program Files\\Sierra\\FEAR\\FEARMP.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R0 KmxNdis;KmxNdis;C:\WINDOWS\system32\DRIVERS\kmxndis.sys [2005-08-16 12:42]
R1 KmxAgent;KmxAgent;C:\WINDOWS\system32\DRIVERS\kmxagent.sys [2005-07-11 19:39]
R1 KmxFile;KmxFile;C:\WINDOWS\system32\DRIVERS\KmxFile.sys [2005-07-12 00:20]
R1 KmxFw;KmxFw;C:\WINDOWS\system32\DRIVERS\kmxfw.sys [2005-08-16 12:42]
R1 KmxIds;KmxIds;C:\WINDOWS\system32\DRIVERS\kmxids.sys [2005-08-11 15:31]
R1 oreans32;oreans32;C:\WINDOWS\system32\drivers\oreans32.sys [2006-09-04 23:02]
R2 KmxBiG;KmxBiG;C:\WINDOWS\system32\DRIVERS\KmxBiG.sys [2005-07-12 00:21]
R2 KmxSbx;KmxSbx;C:\WINDOWS\system32\DRIVERS\KmxSbx.sys [2005-08-23 23:50]
R2 LANPkt;Linksys LANPkt Protocol Driver;C:\WINDOWS\system32\DRIVERS\LANPkt.sys [2004-03-09 17:50]
R2 UmxAgent;FW Event Manager;C:\Program Files\Tiny Firewall Pro\UmxAgent.exe [2005-08-22 10:51]
R2 UmxCfg;FW Configuration Interpreter;C:\Program Files\Common Files\PFShared\UmxCfg.exe [2005-07-12 17:57]
R2 UmxLU;FW Live Update;C:\Program Files\Common Files\PFShared\umxlu.exe [2005-03-09 18:02]
R2 UmxPol;FW Policy Manager;C:\Program Files\Common Files\PFShared\UmxPol.exe [2005-07-12 01:21]
R3 Diag69xp;Diag69xp;C:\WINDOWS\system32\Drivers\Diag69xp.sys [2004-05-24 18:16]
R3 KmxCfg;KmxCfg;C:\WINDOWS\system32\DRIVERS\kmxcfg.sys [2005-08-23 13:41]
S3 hamachi_oem;PlayLinc Adapter;C:\WINDOWS\system32\DRIVERS\gan_adapter.sys [2006-08-29 00:54]
S3 oflpydin;oflpydin;C:\DOCUME~1\Greed\LOCALS~1\Temp\oflpydin.sys []
S3 RTLVLANXP;Linksys VLAN Intermediate Driver;C:\WINDOWS\system32\DRIVERS\RTLVLANXP.SYS [2005-01-26 23:06]
.
- - - - ORPHANS REMOVED - - - -

BHO-{1A4BA860-573E-4059-8337-6A34AC65C535} - C:\WINDOWS\system32\khfGyVmN.dll
BHO-{656ED517-5D0F-42D1-87C0-4E750E96F364} - C:\WINDOWS\system32\ssqRiGwU.dll
HKCU-Run-BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA} - C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
HKLM-Run-9cbfc396 - C:\WINDOWS\system32\yjdmtfax.dll
ShellExecuteHooks-{1A4BA860-573E-4059-8337-6A34AC65C535} - C:\WINDOWS\system32\khfGyVmN.dll
Notify-khfGyVmN - khfGyVmN.dll


.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Greed\Application Data\Mozilla\Firefox\Profiles\87k7akdk.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - www.google.com


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-06 22:39:41
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Tiny Firewall Pro\UmxFwHlp.exe
C:\Program Files\Tiny Firewall Pro\UmxTray.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Linksys\LinksysDiag\LinksysDiag.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.exe
C:\Program Files\Java\jre1.6.0_05\bin\jucheck.exe
.
**************************************************************************
.
Completion time: 2008-08-06 22:47:32 - machine was rebooted
ComboFix-quarantined-files.txt 2008-08-07 04:47:28

Pre-Run: 16,820,396,032 bytes free
Post-Run: 16,816,984,064 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

221

[Greed]

And here is hijack this. Thanks for the help mike! What else do you need me to do?


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:49, on 8/6/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\PFShared\UmxCfg.exe
C:\Program Files\Tiny Firewall Pro\UmxFwHlp.exe
C:\Program Files\Common Files\PFShared\UmxPol.exe
C:\Program Files\Tiny Firewall Pro\UmxAgent.exe
C:\Program Files\Tiny Firewall Pro\UmxTray.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\Program Files\Common Files\PFShared\umxlu.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Program Files\Linksys\LinksysDiag\LinksysDiag.exe
C:\WINDOWS\CTHELPER.EXE
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\program files\steam\steam.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE
C:\Program Files\Java\jre1.6.0_05\bin\jucheck.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarerefer...=...6Ojg5&lid=2
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll (file missing)
O4 - HKLM\..\Run: [TrueImageMonitor.exe] C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [LinksysDiag] C:\Program Files\Linksys\LinksysDiag\LinksysDiag /hw
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [AMonitor] C:\Program Files\Tiny Firewall Pro\amon.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {483EB14D-AF1C-4951-81B0-4E2B41829FF6} (QOLCheck Control) - https://www.select2p...bs/QOLCheck.ocx
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1142307337655
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1142308179717
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: FW Event Manager (UmxAgent) - Computer Associates International, Inc. - C:\Program Files\Tiny Firewall Pro\UmxAgent.exe
O23 - Service: FW Configuration Interpreter (UmxCfg) - Computer Associates International, Inc. - C:\Program Files\Common Files\PFShared\UmxCfg.exe
O23 - Service: FW User-Mode Helper (UmxFwHlp) - Computer Associates International, Inc. - C:\Program Files\Tiny Firewall Pro\UmxFwHlp.exe
O23 - Service: FW Live Update (UmxLU) - Tiny Software, Inc. - C:\Program Files\Common Files\PFShared\umxlu.exe
O23 - Service: FW Policy Manager (UmxPol) - Computer Associates International, Inc. - C:\Program Files\Common Files\PFShared\UmxPol.exe

--
End of file - 7691 bytes

[Mike]

Hi there

Please open HijackThis again and choose "Do a system scan only". Please put a check next to each of the following entries (if still present):


R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarerefer...=...6Ojg5&lid=2
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll (file missing)
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)


Now please close all open windows except HJT and press "Fix checked".

Then,

Please click Start then Run, in the window appears type in Notepad.exe.
Highlight the entire content of the codebox below. Copy (Control + C) and Paste (Control + V) the content into the notepad window:

File::
C:\WINDOWS\system32\yjdmtfax.VIR000
C:\WINDOWS\system32\ssqRiGwU.VIR000
C:\WINDOWS\lnvegaow.exe
C:\WINDOWS\system32\khfGyVmN.VIR


Driver::
oflpydin

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoFavoritesMenu"=-
"NoRecentDocsNetHood"=-
"NoSMHelp"=-

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoFavoritesMenu"=-
"NoRecentDocsNetHood"=-
"NoSMHelp"=-

Now in Notepad, go to File and in the menu that drops down click on Save As...
Save the file as CFScript.txt

Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.


After that please reboot your computer if it asks you to and post ComboFix.txt (the report the ComboFix will generate) in your next reply.

And finally for now,

Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.

• Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
• If an update is found, it will download and install the latest version.
• Once the program has loaded, select "Perform Quick Scan", then click Scan.
• The scan may take some time to finish,so please be patient.
• When the scan is complete, click OK, then Show Results to view the results.
• Make sure that everything is checked, and click Remove Selected.
• When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
• The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
• Copy&Paste the entire report in your next reply.

Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly.

Post back with the logs please

[Greed]

Second combofix log!


ComboFix 08-08-07.05 - Greed 2008-08-07 22:09:32.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.656 [GMT -6:00]
Running from: C:\Documents and Settings\Greed\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Greed\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\WINDOWS\lnvegaow.exe
C:\WINDOWS\system32\khfGyVmN.VIR
C:\WINDOWS\system32\ssqRiGwU.VIR000
C:\WINDOWS\system32\yjdmtfax.VIR000
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\lnvegaow.exe
C:\WINDOWS\system32\khfGyVmN.VIR
C:\WINDOWS\system32\ssqRiGwU.VIR000

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_OFLPYDIN
-------\Service_oflpydin


((((((((((((((((((((((((( Files Created from 2008-07-08 to 2008-08-08 )))))))))))))))))))))))))))))))
.

2008-08-06 23:31 . 2008-08-06 23:31 <DIR> d-------- C:\Program Files\LucasArts
2008-08-05 15:32 . 2008-08-05 15:32 <DIR> d-------- C:\Program Files\Lavasoft
2008-08-05 15:32 . 2008-08-05 15:35 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-08-05 15:14 . 2008-08-05 15:14 <DIR> d-------- C:\Program Files\Trend Micro
2008-08-05 15:00 . 2008-08-07 22:15 36 --a------ C:\WINDOWS\system32\drivers\Ids_cfg.dat
2008-08-05 12:24 . 2008-08-05 12:24 <DIR> d-------- C:\Documents and Settings\Administrator
2008-08-05 11:36 . 2008-08-05 11:36 <DIR> d--h----- C:\WINDOWS\system32\GroupPolicy
2008-08-05 00:55 . 2008-08-05 00:55 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AdobeUM
2008-08-04 22:29 . 2008-08-04 22:28 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-08-02 14:37 . 2008-08-02 14:37 <DIR> d-------- C:\Program Files\Sierra
2008-08-01 12:47 . 2008-08-01 12:47 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-08-01 12:47 . 2008-08-01 12:47 1,409 --a------ C:\WINDOWS\QTFont.for
2008-07-22 16:10 . 2008-07-22 16:10 <DIR> d-------- C:\WINDOWS\San Andreas Mod Installer
2008-07-21 22:37 . 2008-07-21 22:38 <DIR> d-------- C:\vcs5core
2008-07-21 22:37 . 2008-07-21 22:37 <DIR> d-------- C:\vcs5BGEffects
2008-07-21 22:37 . 2008-07-21 22:37 <DIR> d-------- C:\AV_LOGS
2008-07-21 17:12 . 2008-07-21 17:12 <DIR> d-------- C:\Program Files\Rockstar Games

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-08 04:19 --------- d-----w C:\Program Files\Steam
2008-08-08 04:13 214,340 ----a-w C:\WINDOWS\system32\drivers\kmxcfg.u2k
2008-08-08 00:22 --------- d-----w C:\Documents and Settings\All Users\Application Data\AntiVir PersonalEdition Classic
2008-08-07 13:27 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-08-06 02:12 1,004,032 ----a-w C:\WINDOWS\system32\AutoPartNt.exe
2008-08-05 21:31 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-08-05 21:13 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-08-02 20:45 108,144 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
2008-07-14 02:59 --------- d-----w C:\Program Files\EA GAMES
2008-06-21 06:08 --------- d-----w C:\Documents and Settings\Greed\Application Data\EVEMon
2008-06-21 04:50 --------- d-----w C:\Program Files\EVEMon
2008-06-17 18:07 --------- d-----w C:\Documents and Settings\All Users\Application Data\CCP
2008-06-17 17:51 --------- d-----w C:\Program Files\CCP
2008-05-16 17:58 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2007-11-04 01:54 354 -c--a-w C:\Program Files\INSTALL.LOG
2007-01-07 05:30 1 -c--a-w C:\Documents and Settings\Greed\SI.bin
2003-12-18 18:33 20,102 -c--a-w C:\Program Files\Readme.txt
2003-09-03 14:46 10,960 -c--a-w C:\Program Files\EULA.txt
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AMonitor"="C:\Program Files\Tiny Firewall Pro\amon.exe" [2005-08-11 12:12 561152]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:56 15360]
"Steam"="c:\program files\steam\steam.exe" [2008-04-02 21:07 1271032]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 14:39 1289000]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2007-09-18 08:16 171464]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LinksysDiag"="C:\Program Files\Linksys\LinksysDiag\LinksysDiag" [X]
"avgnt"="C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" [2008-07-17 18:25 266497]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-08-11 14:43 7630848]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-08-11 14:43 86016]
"CTHelper"="CTHELPER.EXE" [2005-12-08 13:06 16384 C:\WINDOWS\CTHELPER.EXE]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2006-03-28 18:38 94208 C:\WINDOWS\KHALMNPR.Exe]
"nwiz"="nwiz.exe" [2006-08-11 14:43 1519616 C:\WINDOWS\system32\nwiz.exe]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe [2006-03-13 23:33:14 573440]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PFW]
2005-07-12 00:26 73728 C:\WINDOWS\system32\UmxWNP.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=UmxSbxExw.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
--a------ 2007-09-18 08:16 171464 C:\Program Files\DAEMON Tools\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
--a------ 2008-04-02 21:07 1271032 C:\Program Files\Steam\steam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TinyFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\BitLord\\BitLord.exe"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"C:\\Program Files\\Steam\\SteamApps\\demoniccalhoon\\counter-strike source\\hl2.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\Program Files\Microsoft ActiveSync\rapimgr.exe"= C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"C:\Program Files\Microsoft ActiveSync\wcescomm.exe"= C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"C:\Program Files\Microsoft ActiveSync\WCESMgr.exe"= C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"C:\\Program Files\\Sierra\\FEAR\\FEAR.exe"=
"C:\\Program Files\\Sierra\\FEAR\\FEARMP.exe"=
"C:\\Program Files\\Sierra\\FEAR\\FEARXP\\FEARXP.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R0 KmxNdis;KmxNdis;C:\WINDOWS\system32\DRIVERS\kmxndis.sys [2005-08-16 12:42]
R1 KmxAgent;KmxAgent;C:\WINDOWS\system32\DRIVERS\kmxagent.sys [2005-07-11 19:39]
R1 KmxFile;KmxFile;C:\WINDOWS\system32\DRIVERS\KmxFile.sys [2005-07-12 00:20]
R1 KmxFw;KmxFw;C:\WINDOWS\system32\DRIVERS\kmxfw.sys [2005-08-16 12:42]
R1 KmxIds;KmxIds;C:\WINDOWS\system32\DRIVERS\kmxids.sys [2005-08-11 15:31]
R1 oreans32;oreans32;C:\WINDOWS\system32\drivers\oreans32.sys [2006-09-04 23:02]
R2 KmxBiG;KmxBiG;C:\WINDOWS\system32\DRIVERS\KmxBiG.sys [2005-07-12 00:21]
R2 KmxSbx;KmxSbx;C:\WINDOWS\system32\DRIVERS\KmxSbx.sys [2005-08-23 23:50]
R2 LANPkt;Linksys LANPkt Protocol Driver;C:\WINDOWS\system32\DRIVERS\LANPkt.sys [2004-03-09 17:50]
R2 UmxAgent;FW Event Manager;C:\Program Files\Tiny Firewall Pro\UmxAgent.exe [2005-08-22 10:51]
R2 UmxCfg;FW Configuration Interpreter;C:\Program Files\Common Files\PFShared\UmxCfg.exe [2005-07-12 17:57]
R2 UmxLU;FW Live Update;C:\Program Files\Common Files\PFShared\umxlu.exe [2005-03-09 18:02]
R2 UmxPol;FW Policy Manager;C:\Program Files\Common Files\PFShared\UmxPol.exe [2005-07-12 01:21]
R3 Diag69xp;Diag69xp;C:\WINDOWS\system32\Drivers\Diag69xp.sys [2004-05-24 18:16]
R3 KmxCfg;KmxCfg;C:\WINDOWS\system32\DRIVERS\kmxcfg.sys [2005-08-23 13:41]
S3 hamachi_oem;PlayLinc Adapter;C:\WINDOWS\system32\DRIVERS\gan_adapter.sys [2006-08-29 00:54]
S3 RTLVLANXP;Linksys VLAN Intermediate Driver;C:\WINDOWS\system32\DRIVERS\RTLVLANXP.SYS [2005-01-26 23:06]
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-07 22:16:18
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Tiny Firewall Pro\UmxFwHlp.exe
C:\Program Files\Tiny Firewall Pro\UmxTray.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Linksys\LinksysDiag\LinksysDiag.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.exe
C:\Program Files\Java\jre1.6.0_05\bin\jucheck.exe
.
**************************************************************************
.
Completion time: 2008-08-07 22:24:33 - machine was rebooted
ComboFix-quarantined-files.txt 2008-08-08 04:24:30
ComboFix2.txt 2008-08-07 04:47:33

Pre-Run: 12,538,875,904 bytes free
Post-Run: 12,560,642,048 bytes free

166

[Greed]

And here is the anti malware programlog



Malwarebytes' Anti-Malware 1.24
Database version: 1032
Windows 5.1.2600 Service Pack 2

10:33:26 PM 8/7/2008
mbam-log-8-7-2008 (22-33-26).txt

Scan type: Quick Scan
Objects scanned: 42955
Time elapsed: 4 minute(s), 44 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 4
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\bgrqfetx.btrf (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\bgrqfetx.toolbar.1 (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Extensions\CmdMapping\{306bbb66-d9e4-4481-833e-c1d5fca06774} (Rogue.Foxie) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Extensions\CmdMapping\{546e08aa-809f-4f1a-be1a-6b122ebfcd5a} (Rogue.Foxie) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Extensions\CmdMapping\{61039b22-563d-4922-b844-b076c318a66a} (Rogue.Foxie) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Extensions\CmdMapping\{e4143585-2688-4ebc-b264-27c774f600d5} (Rogue.Foxie) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Program Files\Foxie Suite (Rogue.Foxie) -> Quarantined and deleted successfully.

Files Infected:
C:\Program Files\Foxie Suite\foxiecoreu.dll (Rogue.Foxie) -> Quarantined and deleted successfully.

[Mike]

Looks better

Download the latest version of Java Runtime Environment (JRE) 6 Update 7. Once done, uninstall any older versions of Java through add or remove programs.

Go to Kaspersky website and perform an online antivirus scan.

• Read through the requirements and privacy statement and click on Accept button.
• It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
• When the downloads have finished, click on Settings.
• Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
  • Spyware, Adware, Dialers, and other potentially dangerous programs
    Archives
    Mail databases
• Click on My Computer under Scan.
• Once the scan is complete, it will display the results. Click on View Scan Report.
• You will see a list of infected items there. Click on Save Report As....
• Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.

How is your PC running?

Edited by Mike, 08 August 2008 - 08:19 AM.

[Greed]

Yeah man, seems to be working great! This Kaspersky online scan seems to be taking fraggin forever. Will post log when it finishes! Got my clock and permissions and whatnot back. And that last scan you had me do with the malware hunter cleared out a trojan I was unaware of.

[Greed]

Ok, I finished that KAspersky scan, attaching the report!

Attached Files

•  Report.txt   2.57KB   272 downloads

[Mike]

Hi there

Empty out this folder(i.e delete everything in it): C:\Documents and Settings\Greed\.housecall\Quarantine

Please download ATF Cleaner by Atribune.Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browserClick Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browserClick Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

Your logs look clean

Click START then RUN
Now type Combofix /u in the runbox and click OK

Notice the space between the x and / -- That needs to be there.

&

Now please download OTCleanIt.

• Save it to your desktop.
• Double Click on OTCleanIt.exe, a window will appear.
• Please press the CleanUp! Button.

This will remove the tools we used during the process of cleaning your computer.

Now that your are clean, you'll want to stay that way.

Some important things that you should keep in mind in order to protect yourself:

• Use common sense. This is the big one! Don't download programs from suspicious sites and be careful where you browse.
  Things you can do to avoid downloading bad programs:
  • Google the program. Read reviews and opinions from other people on the internet, if you dont see any reports of foul play - then there more than likely is none.
  • Stay away from Cracks! However luring the thought of free software can be it's not worth the hassle and potential danger of getting infected.
  • Download the program directly from the website of the developer - then you can be certain you haven't downloaded a bogus copy.
  • Read the EULA (End User License Agreement) - Find out exactly what you are downloading. A good tool to aid you in this would be EULAyzer.
• Keep your programs updated! Software developers update their programs to patch possible security risks. Do a scan once in a while for outdated programs using Secunia's Software Inspector
• Keep your protection programs up to date! No matter how good your Antivirus or Antispyware program is, without an updated set of definitions it will do you no good against the new infections. If you run a free program make sure to update them at least once a week.
• Make sure that windows updates is enabled. Keeping your system up to date is a must - to turn on automatic updates take a look at this article by Microsoft.

I have listed two programs to boost your security while using no resources.

• SpywareBlaster Take a look at the tutorial here.
• ZonedOut Adds thousands of websites to your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.

Also consider using an alternative web browser. Two big named ones, both far superior to Internet Explorer in terms of security and performance, would be Firefox and Opera.

Make a habit of scanning your computer for viruses every week or so and backing up important files regularly.

Please also read Expert Tony Klein's excellent article: How I got Infected in the First Place

Please post back and tell me if everything is OK, so that I may mark this thread as Resolved.