Red circle white x Delself.bat

I got the red circle with the white x in the taskbar the other day. Also noticed a Delself.bat file on the desktop. Unable to restore to an earlier point. Also unable to create a restore point. I'm getting popups saying I'm infected with a virus. I can't navigate to a web page after I search for one (I'm redirected). The virus won't allow me to get to sites like McAfee; I get the message "unable to connect to site". I don't have antivirus protection. My ISP provides one for free from McAfee. So I called them and they wanted me to download and install Windows OneCare. Now I can't uninstall it. I also downloaded/installed something called Uniblue Registry Booster. Big mistake. Got rid of that by deleting anything I saw with Uniblue in it with regedit. Probably should have waited for help from you. I downloaded/installed/ran Ad-Aware; after that I could not log into my computer, had to use safe mode. I was able to download/install/run Malwarebytes by renaming it from safe mode. That got rid of the red circle and Delself.bat, and now I can log into the computer. Still have browser hijacking problems, and sometimes I can't log into the computer. I keep running Malware to "stay alive". Keep getting the same two files with trojans found. Have not tried to create a restore point yet, although I have disabled restore figuring all past points are infected. I downloaded/installed/ran SUPERAntiSpyware. Also I have downloaded HijackThis and am posting the log here now, as per your request. Wish I would have found you guys earlier as it seems you guys know what to do. At least more than I. So as of now I just have the hijacks and the popups, and maybe the restore problem, plus I want to get rid of Live OneCare. Please help.

Tictocdoc

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:58:26 AM, on 11/20/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft Windows OneCare Live\OcHealthMon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Microsoft Windows OneCare Live\Firewall\msfwsvc.exe
C:\Program Files\Microsoft Windows OneCare Live\winss.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\HP\KBD\KBD.EXE
C:\windows\system\hpsysdrv.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Ahead\NEROPH~1\data\Xtras\mssysmgr.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\FirstStart.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [mmtask] "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe"
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [OneCareUI] "C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Ahead\NEROPH~1\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe -NoStart
O4 - S-1-5-18 Startup: mod_sm.lnk = C:\hp\bin\cloaker.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: mod_sm.lnk = C:\hp\bin\cloaker.exe (User 'Default user')
O4 - .DEFAULT User Startup: mod_sm.lnk = C:\hp\bin\cloaker.exe (User 'Default user')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: PalTalk - {4EAFEF58-EEFA-4116-983D-03B49BCBFFFE} - C:\Program Files\Paltalk Messenger\Paltalk.exe (file missing)
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PartyCasino.com - {B4B52284-A248-4c51-9F7C-F0A0C67FCC9D} - C:\Program Files\PartyGaming\PartyCasino\RunCasino.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyCasino.com - {B4B52284-A248-4c51-9F7C-F0A0C67FCC9D} - C:\Program Files\PartyGaming\PartyCasino\RunCasino.exe (file missing)
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Program Files\Bodog Poker\GameClient.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {2357B3CF-7F8D-4451-8D81-FD6097610AEE} (CamfrogWEB Advanced Unicode Control) - http://activex.camfrogweb.com/advanced/2.0.2.3/cfweb_activex.camfrogweb.com-advanced-2.0.2.3_instmodule.exe
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: {2E28242B-A689-11D4-80F2-0040266CBB8D} (KXHCM10 Control) - http://collegio-cam.pittstate.edu/kxhcm10.ocx
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {54BE6B6F-3056-470B-97E1-BB92E051B6C4} (DeviceEnum Class) - http://h20264.www2.hp.com/ediags/dd/install/HPDriverDiagnosticsxp2k.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1127230483562
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} - http://launch.gamespyarcade.com/software/launch/alaunch.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} (F-Secure Online Scanner 3.0) - http://runvirusscan.com/ols3/fscax.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/mcfscan/2,2,0,5246/mcfscan.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su2/CTL_V02002/ocx/15034/CTPID.cab
O20 - AppInit_DLLs: karna.dat
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBPRO.EXE
O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBOID.EXE
O23 - Service: InCD Helper (read only) (InCDsrvR) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
--
End of file - 10487 bytes
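An added example, not from the thread or from the HijackThis tool: a small Python triage pass that applies the checks a responder makes when reading a log like the one above (a non-empty O20 AppInit_DLLs, an O4 autorun named like a core Windows process but not in its real directory, autoruns from user-writable folders, O6 IE policy restrictions, O16 download points that serve a bare .exe, and orphaned "(file missing)" entries). The sample lines are copied from the log above except the HKCU Run svchost.exe line, which is constructed from the Malwarebytes detection reported later in the thread.

```python
import ntpath
import re
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Finding:
    severity: str  # "HIGH", "MEDIUM" or "INFO"
    section: str   # HijackThis section code, e.g. "O4" or "O20"
    reason: str
    line: str


# Core Windows processes that malware likes to name itself after, with the
# single directory each one legitimately runs from on Windows XP.
CORE_PROCESSES = {
    "svchost.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
    "winlogon.exe": r"c:\windows\system32",
    "services.exe": r"c:\windows\system32",
    "csrss.exe": r"c:\windows\system32",
    "smss.exe": r"c:\windows\system32",
}

# Path fragments that mean "writable by the logged-on user".
USER_WRITABLE = ("\\documents and settings\\", "\\temp\\", "\\application data\\")

LINE_RE = re.compile(r"^(R[0-3]|O\d+|F\d) - (.*)$")
# First Windows path on the line, quoted or not, ending in a binary extension.
PATH_RE = re.compile(r'"?([A-Za-z]:\\[^"\r\n]*?\.(?:exe|dll|sys|scr))"?', re.IGNORECASE)

# Constructed sample: lines from the posted log plus one reconstructed
# HKCU Run entry for the svchost.exe copy Malwarebytes later removed.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [svchost.exe] C:\WINDOWS\system32\drivers\svchost.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O9 - Extra button: PalTalk - {4EAFEF58-EEFA-4116-983D-03B49BCBFFFE} - C:\Program Files\Paltalk Messenger\Paltalk.exe (file missing)
O16 - DPF: {2357B3CF-7F8D-4451-8D81-FD6097610AEE} (CamfrogWEB Advanced Unicode Control) - http://activex.camfrogweb.com/advanced/2.0.2.3/cfweb_activex.camfrogweb.com-advanced-2.0.2.3_instmodule.exe
O20 - AppInit_DLLs: karna.dat
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
"""


def triage(log_text: str) -> List[Finding]:
    """Walk a HijackThis log and return the entries a responder should look at first."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if not m:
            continue  # header, process list, "End of file" and blank lines
        section, body = m.group(1), m.group(2)
        pm = PATH_RE.search(body)
        path = pm.group(1).lower() if pm else ""

        if section == "O20" and body.lower().startswith("appinit_dlls:"):
            if body.split(":", 1)[1].strip():
                findings.append(Finding("HIGH", section,
                    "AppInit_DLLs is set: this DLL is loaded into every process that loads user32.dll", line))
        elif section == "O4" and path:
            base, folder = ntpath.basename(path), ntpath.dirname(path)
            if base in CORE_PROCESSES and folder != CORE_PROCESSES[base]:
                findings.append(Finding("HIGH", section,
                    f"{base} autostarted from {folder}, not {CORE_PROCESSES[base]}", line))
            elif any(frag in path for frag in USER_WRITABLE):
                findings.append(Finding("MEDIUM", section,
                    "autostart binary lives in a user-writable location", line))
        elif section == "O6" and body.lower().endswith(" present"):
            findings.append(Finding("MEDIUM", section,
                "Internet Explorer policy restrictions are set; rogue AV commonly locks IE this way", line))
        elif section == "O16" and body.lower().endswith(".exe"):
            findings.append(Finding("MEDIUM", section,
                "ActiveX download point serves a bare .exe rather than a .cab", line))

        if "(file missing)" in body:
            findings.append(Finding("INFO", section,
                "orphaned entry, the target no longer exists; safe to remove", line))
    return findings


def severity_counts(findings: List[Finding]) -> Dict[str, int]:
    counts = {"HIGH": 0, "MEDIUM": 0, "INFO": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for f in results:
        print(f"[{f.severity}] {f.section}: {f.reason}\n    {f.line}")
    print(severity_counts(results))
```

The rules are deliberately narrow: a Winlogon Notify or O23 service entry still needs a human (or a vendor allowlist) to judge, which is why the SASWinLogon and Kodak lines above produce no finding.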

Comments

  • TroganTrogan London, UK
    edited November 2008
    Hi, welcome to Icrontic!

    We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

    http://www.bleepingcomputer.com/combofix/how-to-use-combofix

    Please ensure you read this guide carefully and install the Recovery Console first.

    The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

    Once installed, you should see a blue screen prompt that says:

    The Recovery Console was successfully installed.

    Please continue as follows:
    1. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.
    2. Click Yes to allow ComboFix to continue scanning for malware.
    When the tool is finished, it will produce a report for you.

    Please include the following reports for further review, and so we may continue cleansing the system:

    C:\ComboFix.txt
    New HijackThis log.
  • edited November 2008
    I am unable to open the ComboFix link you provided. I have done a web search for other ComboFix download sites and can't open any of them, as I am unable to open web pages from a web search. I have been copying and pasting the web address into my address bar, which only works on some sites. This is how I was able to get to this site.
    I am able to click and open the cache of some web results from web searches. Navigation is limited, however. This is how I became confused about the PM thingy. I apologize; I was trying to be short. Here is a sample link to the cache I was able to view that you requested. The bottom of the thread is where I was.

    icrontic.com/forum/showthread.php?t=46699

    Should I keep running Malware and SUPERAntiSpyware? I have run Malware several times since my first post, but not SUPERAntiSpyware. Will I be able to download ComboFix from another computer to a CD? I only ask because I heard ComboFix can mess up one's computer if the user does not have the experience needed. I don't want to mess up someone's computer. It's only an .exe file, right?
    Tictocdoc
  • TroganTrogan London, UK
    edited November 2008
    Hi,

    Please avoid running any scans until instructed to do so, otherwise it can make things more complicated, especially since we are dealing with a possible tricky infection.

    Please do the following...
    1. If you have access to another computer, you can download ComboFix and transfer it to your PC via CD or USB.
    2. Delete ComboFix from the second computer after transferring it.
    3. In case you cannot visit the original link on your PC for running ComboFix; make notes or print out the instructions for ComboFix from the second computer.
    4. Follow the instructions on your PC.
    5. Let me know if you have any problems running ComboFix!
    Next, I need to see the log/report from Malwarebytes.
    • The log file is saved here and will be named like this:
    • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
    If you have run Malwarebytes more than once, post the logs from previous scans also.
  • edited November 2008
    HI
    I was able to download ComboFix to a CD from another computer, and also printed the instructions. Went to the Microsoft link and downloaded that file to CD also. Was able to transfer both files to my desktop. However, when trying to drag the WindowsXP-KB file to the ComboFix icon as the instructions said, nothing happened. The file is still on my desktop. FYI, I do have my recovery disks (6 disks) that I made when I first bought the computer. Did not want to use them unless necessary for fear of losing pictures and such. I do have the Windows recovery option on boot up. Windows Restore is not working. In either case I went ahead and tried to run ComboFix in normal mode. Nothing happened. Should I try in Safe Mode?
    There have been 11 scans with Malware. All logs are the same (+/- 500 files scanned) except the first one, which I am posting below with the last scan done.
    Tictocdoc.......BTW thank you for helping
    .............................................................................

    FIRST SCAN

    11/18/2008 6:37:20 AM
    mbam-log-2008-11-18 (06-37-20).txt
    Scan type: Quick Scan
    Objects scanned: 77536
    Time elapsed: 14 minute(s), 27 second(s)
    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 7
    Registry Values Infected: 2
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 19
    Memory Processes Infected:
    (No malicious items detected)
    Memory Modules Infected:
    (No malicious items detected)
    Registry Keys Infected:
    HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx (Adware.Minibug) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{2b96d5cc-c5b5-49a5-a69d-cc0a30f9028c} (Adware.Minibug) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\TypeLib\{3c2d2a1e-031f-4397-9614-87c932a848e0} (Adware.Minibug) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Interface\{04a38f6b-006f-4247-ba4c-02a139d5531c} (Adware.Minibug) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx.1 (Adware.Minibug) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata (Trojan.Agent) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\tdss (Trojan.Agent) -> Quarantined and deleted successfully.
    Registry Values Infected:
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost.exe (Trojan.FakeAlert.H) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\brastk (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    Registry Data Items Infected:
    (No malicious items detected)
    Folders Infected:
    (No malicious items detected)
    Files Infected:
    C:\WINDOWS\system32\drivers\svchost.exe (Trojan.FakeAlert.H) -> Quarantined and deleted successfully.
    C:\Program Files\AWS\WeatherBug\MiniBugTransporter.dll (Adware.Minibug) -> Quarantined and deleted successfully.
    C:\WINDOWS\karna.dat (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\karna.dat (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\drivers\beep.sys (Fake.Beep.Sys) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\dllcache\beep.sys (Fake.Beep.Sys) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32:rpaa.dll (Rootkit.ADS) -> Quarantined and deleted successfully.
    C:\WINDOWS\brastk.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\wini10894.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\brastk.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Owner\~.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Owner\My Documents\My Music\My Music.url (Trojan.Zlob) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Owner\My Documents\My Pictures\My Pictures.url (Trojan.Zlob) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Owner\My Documents\My Videos\My Video.url (Trojan.Zlob) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Owner\My Documents\My Documents.url (Trojan.Zlob) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Owner\Local Settings\Temp\pey1F14.tmp (Backdoor.ProRat) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Owner\Local Settings\Temp\xrg2.exe (Trojan.Zlob) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Owner\Favorites\Antivirus Scan.url (Rogue.Link) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\winlogon.old (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.

    ........................................................................
    LAST SCAN

    Malwarebytes' Anti-Malware 1.30
    Database version: 1378
    Windows 5.1.2600 Service Pack 3
    11/21/2008 2:43:17 AM
    mbam-log-2008-11-21 (02-43-17).txt
    Scan type: Quick Scan
    Objects scanned: 79102
    Time elapsed: 34 minute(s), 10 second(s)
    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 2
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0
    Memory Processes Infected:
    (No malicious items detected)
    Memory Modules Infected:
    (No malicious items detected)
    Registry Keys Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata (Trojan.Agent) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\tdss (Trojan.Agent) -> Quarantined and deleted successfully.
    Registry Values Infected:
    (No malicious items detected)
    Registry Data Items Infected:
    (No malicious items detected)
    Folders Infected:
    (No malicious items detected)
    Files Infected:
    (No malicious items detected)
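An added example, not from the thread or from Malwarebytes: a Python comparison of consecutive Malwarebytes logs that separates detections which stayed gone from those reported "deleted successfully" in every scan; the latter is the pattern in the two logs above (the tdss registry keys) and is what points to a hidden component re-creating them between scans. The sample logs are constructed from a subset of the detection lines posted above.

```python
import re
from typing import Dict, List

# One Malwarebytes detection line: "<item> (<threat name>) -> <action>"
DETECTION_RE = re.compile(r"^(?P<item>.+?) \((?P<threat>[\w.\-]+)\) -> (?P<action>.+)$")

# Constructed samples: a subset of the detection lines from the first and the
# last scan posted above (section headers kept, summary counters omitted).
FIRST_SCAN = r"""
Registry Keys Infected:
HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\tdss (Trojan.Agent) -> Quarantined and deleted successfully.
Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost.exe (Trojan.FakeAlert.H) -> Quarantined and deleted successfully.
Files Infected:
C:\WINDOWS\system32\drivers\svchost.exe (Trojan.FakeAlert.H) -> Quarantined and deleted successfully.
C:\WINDOWS\karna.dat (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32:rpaa.dll (Rootkit.ADS) -> Quarantined and deleted successfully.
"""

LAST_SCAN = r"""
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\tdss (Trojan.Agent) -> Quarantined and deleted successfully.
Registry Values Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
"""


def parse_detections(log: str) -> Dict[str, str]:
    """Map each detected item to its threat name; headers and placeholders are skipped."""
    found: Dict[str, str] = {}
    for line in log.splitlines():
        m = DETECTION_RE.match(line.strip())
        if m:
            found[m.group("item")] = m.group("threat")
    return found


def recurring_items(logs: List[str]) -> Dict[str, str]:
    """Items every scan reports as deleted: something re-creates them between scans."""
    if not logs:
        return {}
    per_scan = [parse_detections(log) for log in logs]
    common = set(per_scan[0]).intersection(*(set(d) for d in per_scan[1:]))
    return {item: per_scan[-1][item] for item in sorted(common)}


def cleared_items(logs: List[str]) -> Dict[str, str]:
    """Items seen in an earlier scan and absent from the last one: removals that stuck."""
    if len(logs) < 2:
        return {}
    earlier: Dict[str, str] = {}
    for log in logs[:-1]:
        earlier.update(parse_detections(log))
    last = parse_detections(logs[-1])
    return {item: threat for item, threat in sorted(earlier.items()) if item not in last}


if __name__ == "__main__":
    scans = [FIRST_SCAN, LAST_SCAN]
    print("Cleared for good:")
    for item, threat in cleared_items(scans).items():
        print(f"  {threat:<20} {item}")
    print("Back after every removal (look for what restores them):")
    for item, threat in recurring_items(scans).items():
        print(f"  {threat:<20} {item}")
```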
  • TroganTrogan London, UK
    edited November 2008
    I have sent you a PM, please check it.

    Also, could you confirm if you tried running ComboFix without dragging the Microsoft file for Windows Recovery?
  • edited November 2008
    OK, this is what has happened since yesterday. As I told you, I was having problems running ComboFix. What I did was change the name of the file. This is something that skipped my mind. I did the same thing with Malware, if you remember. When it ran it did everything it was supposed to do. It told me it found a rootkit. Then it rebooted my computer. This is where I think I ran into a problem. When it got to the "preparing log file" screen it took forever. After six hours I decided to try and shut it down. I couldn't. However, I was able to navigate to my MSconfig folder, which was good cause I noticed on reboot some startup programs such as my HP software were running in the taskbar. So I went to MSCONFIG and disabled all startup programs. Then I went to the taskbar and hit restart. When I got back to the desktop I ran ComboFix again. This time it produced the log file I am posting below. After I post this I am going to change my startup settings again and reboot. If it works I will look to see if by chance I have a log file from the first try with ComboFix. I will then post results. Right now, before I reboot, I am able to navigate the internet with no hijacks and everything seems OK. But who knows. I will wait for your OK. Then I will get me a good antivirus program that my ISP provides. It's called Cox Security Suite by McAfee. I took it off because it slows down my computer. But I think I can live with that instead of the headache of this last week.
    Tictocdoc

    ComboFix 08-11-23.01 - Owner 2008-11-23 23:21:49.2 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.932 [GMT -8:00]
    Running from: c:\documents and settings\Owner\Desktop\DRwine.exe
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    ---- Previous Run
    .
    c:\documents and settings\Owner\Application Data\install.dat
    c:\program files\INSTALL.LOG
    c:\windows\IE4 Error Log.txt
    c:\windows\system32\iAlmcoin.dll
    D:\Autorun.inf
    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    \Service_TDSSSERV.SYS
    \Legacy_TDSSSERV.SYS

    ((((((((((((((((((((((((( Files Created from 2008-10-24 to 2008-11-24 )))))))))))))))))))))))))))))))
    .
    2008-11-21 19:06 . 2008-11-21 19:06 <DIR> d-------- C:\WINSSLog
    2008-11-19 13:32 . 2008-11-19 13:32 526,111 --a------ C:\OneCareSupportData.zip
    2008-11-19 12:56 . 2008-11-19 12:56 <DIR> d-------- c:\program files\Trend Micro
    2008-11-19 10:44 . 2008-11-22 11:56 <DIR> d-------- c:\program files\SUPERAntiSpyware
    2008-11-19 10:44 . 2008-11-19 10:44 <DIR> d-------- c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com
    2008-11-19 10:44 . 2008-11-19 10:44 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
    2008-11-19 04:41 . 2008-11-19 04:41 3,676 --a------ c:\windows\system32\OEMINFO.PNF
    2008-11-18 06:20 . 2008-11-18 06:20 <DIR> d-------- c:\documents and settings\Owner\Application Data\Malwarebytes
    2008-11-18 04:57 . 2008-11-18 06:47 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
    2008-11-18 04:57 . 2008-11-18 04:57 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
    2008-11-18 04:57 . 2008-10-22 16:10 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
    2008-11-18 04:57 . 2008-10-22 16:10 15,504 --a------ c:\windows\system32\drivers\mbam.sys
    2008-11-17 22:51 . 2003-07-24 01:56 <DIR> d-------- c:\documents and settings\Administrator\WINDOWS
    2008-11-17 22:51 . 2003-07-26 00:54 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Symantec
    2008-11-17 22:51 . 2003-07-24 01:35 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Sonic
    2008-11-17 22:51 . 2003-07-24 02:02 <DIR> d-------- c:\documents and settings\Administrator\Application Data\SampleView
    2008-11-17 22:51 . 2003-07-26 00:57 <DIR> d-------- c:\documents and settings\Administrator\Application Data\interMute
    2008-11-17 22:51 . 2008-11-17 22:51 <DIR> d-------- c:\documents and settings\Administrator
    2008-11-16 22:34 . 2008-11-17 07:04 1,627 --a------ c:\documents and settings\Owner\nah_log.dat
    2008-11-16 22:19 . 2008-11-16 22:19 79,872 --a------ c:\documents and settings\Owner\nah_eamq.exe
    2008-11-16 22:19 . 2008-11-21 08:13 73,728 --a------ c:\windows\system32\TDSSacun.dll
    2008-11-16 22:19 . 2008-11-21 08:13 60,416 --a------ c:\windows\system32\drivers\TDSSxxou.sys
    2008-11-16 22:19 . 2008-11-21 08:13 35,840 --a------ c:\windows\system32\TDSSktpa.dll
    2008-11-16 22:19 . 2008-11-21 08:13 31,232 --a------ c:\windows\system32\TDSSyavu.dll
    2008-11-16 22:19 . 2008-11-21 08:13 29,696 --a------ c:\windows\system32\TDSSirxy.dll
    2008-11-16 22:19 . 2008-11-23 17:44 2,351 --a------ c:\windows\system32\TDSSqqcn.dll
    2008-11-16 22:19 . 2008-11-21 08:13 527 --a------ c:\windows\system32\TDSSwupe.dat
    2008-11-12 16:33 . 2008-10-24 03:21 455,296 c--- c:\windows\system32\dllcache\mrxsmb.sys
    2008-11-12 16:32 . 2008-09-04 09:15 1,106,944 c--- c:\windows\system32\dllcache\msxml3.dll
    2008-11-06 02:37 . 2008-11-06 02:37 1,409 --a------ c:\windows\system32\tmpD362E.FOT
    2008-11-06 02:37 . 2008-11-06 02:37 1,409 --a------ c:\windows\system32\tmpBA62E.FOT
    2008-11-06 02:37 . 2008-11-06 02:37 1,409 --a------ c:\windows\system32\tmp8172E.FOT
    2008-11-06 02:37 . 2008-11-06 02:37 1,409 --a------ c:\windows\system32\tmp0C52E.FOT
    2008-11-03 13:43 . 2008-11-06 23:30 <DIR> d-------- c:\program files\ClubWPT
    2008-11-01 11:05 . 2008-11-16 07:16 54,156 --ah----- c:\windows\QTFont.qfn
    2008-11-01 11:05 . 2008-11-01 11:05 1,409 --a------ c:\windows\QTFont.for
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-11-23 21:18 d--h--w c:\documents and settings\All Users\Application Data\yahoo!
    2008-11-23 21:18 d-----w c:\program files\Yahoo!
    2008-11-23 00:13 d-----w c:\program files\Full Tilt Poker
    2008-11-22 03:22 d-----w c:\program files\ICQ
    2008-11-19 21:26 d-----w c:\program files\PCPitstop
    2008-11-17 18:20 d--h--w c:\program files\Common Files\Authentium Shared
    2008-11-17 06:19 295,424 ----a-w c:\windows\system32\termsrv.dll
    2008-11-16 09:12 d-----w c:\program files\PokerStars
    2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
    2008-10-23 23:40 d-----w c:\documents and settings\Visitor\Application Data\Yahoo!
    2008-10-17 05:29 d--h--w c:\documents and settings\Owner\Application Data\yahoo!
    2008-10-16 22:13 202,776 ----a-w c:\windows\system32\wuweb.dll
    2008-10-16 22:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
    2008-10-16 22:12 561,688 ----a-w c:\windows\system32\wuapi.dll
    2008-10-16 22:12 323,608 ----a-w c:\windows\system32\wucltui.dll
    2008-10-16 22:09 92,696 ----a-w c:\windows\system32\cdm.dll
    2008-10-16 22:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
    2008-10-16 22:09 43,544 ----a-w c:\windows\system32\wups2.dll
    2008-10-16 22:08 34,328 ----a-w c:\windows\system32\wups.dll
    2008-10-16 22:06 268,648 ----a-w c:\windows\system32\mucltui.dll
    2008-10-16 22:06 208,744 ----a-w c:\windows\system32\muweb.dll
    2008-10-12 04:33 d-----w c:\program files\Accent WORD Password Recovery
    2008-10-01 00:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll
    2008-09-15 12:12 1,846,400 ----a-w c:\windows\system32\win32k.sys
    2008-09-13 18:52 77,824 ----a-w c:\windows\PCHealth\HelpCtr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Presario\XPHNARS3EN\plugin\bin\WinVerifyTrust.dll
    2008-09-13 18:52 49,152 ----a-w c:\windows\PCHealth\HelpCtr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Presario\XPHNARS3EN\plugin\bin\PCHI18N.dll
    2008-09-13 18:52 422,802 ----a-w c:\windows\PCHealth\HelpCtr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Presario\XPHNARS3EN\plugin\bin\pchplugin.zip
    2008-09-13 18:52 28,672 ----a-w c:\windows\PCHealth\HelpCtr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Presario\XPHNARS3EN\plugin\bin\InetWrap.dll
    2008-09-13 18:52 118,784 ----a-w c:\windows\PCHealth\HelpCtr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Presario\XPHNARS3EN\plugin\bin\SearchCtrl.dll
    2008-09-13 18:52 106,496 ----a-w c:\windows\PCHealth\HelpCtr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Presario\XPHNARS3EN\plugin\bin\PluginCtrl.dll
    2008-09-13 18:51 159,744 ----a-w c:\windows\PCHealth\HelpCtr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Presario\XPHNARS3EN\plugin\bin\PCHButton.exe
    2008-09-13 18:51 126,976 ----a-w c:\windows\PCHealth\HelpCtr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Presario\XPHNARS3EN\plugin\bin\ContentUpdater.exe
    2008-09-13 18:51 1,306,152 ----a-w c:\windows\PCHealth\HelpCtr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Presario\XPHNARS3EN\plugin\bin\motdeusr.zip
    2008-09-10 01:14 1,307,648 ------w c:\windows\system32\msxml6.dll
    2008-09-04 17:15 1,106,944 ----a-w c:\windows\system32\msxml3.dll
    2008-08-26 07:24 826,368 ----a-w c:\windows\system32\wininet.dll
    2008-03-07 13:35 3,856 ----a-w c:\documents and settings\Owner\Application Data\mindhabits.dat
    2005-01-28 13:07 0 ---ha-w c:\program files\Common Files\MSN
    2004-01-11 07:36 0 --sha-w c:\windows\SMINST\HPCD.sys
    2006-01-22 20:45 220 --sha-w c:\windows\system32\ss.drv
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "nah_Shell"="c:\documents and settings\Owner\nah_eamq.exe" [2008-11-16 79872]
    c:\documents and settings\Default User\Start Menu\Programs\Startup\
    mod_sm.lnk - c:\hp\bin\cloaker.exe [1999-11-07 27136]
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "VIDC.MJPG"= pvmjpg21.dll
    "Midi1"= ma_cmidn.dll
    "msacm.divxa32"= msaud32_divx.acm
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
    backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Photosmart Premier Fast Start.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Photosmart Premier Fast Start.lnk
    backup=c:\windows\pss\HP Photosmart Premier Fast Start.lnkCommon Startup
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
    --a------ 2008-01-11 21:16 39792 c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
    --a------ 2008-04-13 16:12 15360 c:\windows\system32\ctfmon.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
    --a------ 2004-11-02 07:59 126976 c:\windows\system32\hkcmd.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
    --a------ 2007-05-08 15:24 54840 c:\program files\HP\HP Software Update\hpwuSchd2.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpsysdrv]
    --a------ 1998-05-07 15:04 52736 c:\windows\system\hpsysdrv.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
    --a------ 2004-11-02 08:03 155648 c:\windows\system32\igfxtray.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KBD]
    --a------ 2005-02-02 16:44 61440 c:\hp\KBD\kbd.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]
    --a------ 2005-05-09 15:32 53248 c:\program files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MoneyAgent]
    --a------ 2002-07-17 17:00 200767 c:\program files\Microsoft Money\System\mnyexpr.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBJ]
    2004-12-07 16:44 1884160 c:\program files\Ahead\Nero BackItUp\NBJ.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
    --a------ 2001-07-09 10:50 155648 c:\windows\system32\NeroCheck.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
    --a------ 2003-05-02 22:19 4640768 c:\windows\system32\nvcpl.dll
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OM_Monitor]
    --a------ 2005-11-29 19:19 40960 c:\program files\OLYMPUS\OLYMPUS Master\FirstStart.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PhotoShow Deluxe Media Manager]
    --a------ 2004-11-11 17:50 212992 c:\progra~1\Ahead\NEROPH~1\data\Xtras\mssysmgr.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    --a------ 2008-04-19 10:59 98304 c:\program files\QuickTime\qttask.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
    --a------ 2002-09-13 20:42 212992 c:\windows\SMINST\Recguard.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    --a------ 2008-06-10 03:27 144784 c:\program files\Java\jre1.6.0_07\bin\jusched.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
    --a------ 2008-04-01 20:04 185896 c:\program files\Common Files\Real\Update_OB\realsched.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcxMonitor]
    --a------ 2004-09-07 13:47 57344 c:\windows\ALCXMNTR.EXE
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NVIEW]
    --a------ 2003-05-02 22:19 835654 c:\windows\system32\nview.dll
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
    --a------ 2003-05-02 22:19 323584 c:\windows\system32\nwiz.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusDisableNotify"=dword:00000001
    "UpdatesDisableNotify"=dword:00000001
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "c:\\Program Files\\Messenger\\msmsgs.exe"=
    "c:\\WINDOWS\\system32\\mmc.exe"=
    "c:\\Program Files\\Windows Media Player\\wmplayer.exe"=
    "c:\\Program Files\\GameSpy Arcade\\Aphex.exe"=
    "c:\\WINDOWS\\system32\\fxsclnt.exe"=
    "c:\\WINDOWS\\system32\\sessmgr.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\StubInstaller.exe"=
    "c:\\Program Files\\LimeWire\\LimeWire.exe"=
    "c:\\WINDOWS\\system32\\dpvsetup.exe"=
    "c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
    "%windir%\\system32\\sessmgr.exe"=
    S0 xnupo;xnupo;c:\windows\system32\drivers\lygnnm.sys []
    S2 OcHealthMon;Windows Live OneCare Health Monitor;"c:\program files\Microsoft Windows OneCare Live\OcHealthMon.exe" []
    S3 MA_CMIDI;M-Audio USB Driver;c:\windows\system32\drivers\ma_cmidi.sys []
    S3 RLDesignVirtualAudioCableWdm;Live! Cam Virtual;c:\windows\system32\DRIVERS\livecamv.sys [2008-01-31 31616]
    .
    Contents of the 'Scheduled Tasks' folder
    2008-11-23 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe []
    .
    - - - - ORPHANS REMOVED - - - -
    SafeBoot-OneCareMP
    MSConfigStartUp-OneCareUI - c:\program files\Microsoft Windows OneCare Live\winssnotify.exe

    .
    Supplementary Scan
    .
    FireFox -: Profile - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\afrk05m5.default\
    FireFox -: prefs.js - STARTUP.HOMEPAGE - www.yahoo.com
    FF -: plugin - c:\progra~1\Yahoo!\Common\npyaxmpb.dll
    FF -: plugin - c:\program files\Yahoo!\Shared\npYState.dll
    .
    **************************************************************************
    catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-11-23 23:27:17
    Windows 5.1.2600 Service Pack 3 NTFS
    scanning hidden processes ...
    scanning hidden autostart entries ...
    scanning hidden files ...

    **************************************************************************
    .
    DLLs Loaded Under Running Processes
    - - - - - - - > 'winlogon.exe'(496)
    c:\windows\System32\dimsntfy.dll
    c:\windows\system32\WgaLogon.dll
    .
    Completion time: 2008-11-23 23:29:37
    ComboFix-quarantined-files.txt 2008-11-24 07:28:14
    Pre-Run: 25,704,964,096 bytes free
    Post-Run: 25,682,464,768 bytes free
    232 --- E O F --- 2008-11-13 09:28:12
  • edited November 2008
    Hi
    In case you don't catch it, please read the post before this one. Rebooted, everything is still fine. Did not find any other ComboFix logs. Turned back on all startup programs and turned on my firewall. Waiting on further instructions.

    Tictocdoc
  • TroganTrogan London, UK
    edited November 2008
    Hi,

    Good job on getting ComboFix to run. Also, there is plenty of excellent free anti-virus software available. I will suggest some after we are done here, but try and keep off the net until then.

    Please do the following...

    1. Flash Disinfector
    • Please download Flash_Disinfector and save it to your desktop.
    • Double click to run it.
    • You will be prompted to plug in your flash drive. Plug it in.
    • Flash_Disinfector will start disinfecting your flash and hard drives. This takes a few seconds. Your desktop will disappear in the meantime.
    • When done, a message box will appear. Click OK. Your desktop should now appear. If it doesn't, press Ctrl + Shift + Esc to open Task Manager.
    • Click on File > New Task (Run...). Type in explorer.exe and press Enter. Your desktop should now appear.

    2. Open Notepad and copy/paste the text in the Quote Box below into it:
    File::
    c:\windows\system32\TDSSacun.dll
    c:\windows\system32\drivers\TDSSxxou.sys
    c:\windows\system32\TDSSktpa.dll
    c:\windows\system32\TDSSyavu.dll
    c:\windows\system32\TDSSirxy.dll
    c:\windows\system32\TDSSqqcn.dll
    c:\windows\system32\TDSSwupe.dat
    c:\windows\system32\tmpD362E.FOT
    c:\windows\system32\tmpBA62E.FOT
    c:\windows\system32\tmp8172E.FOT
    c:\windows\system32\tmp0C52E.FOT

    Save this as CFScript.txt to your Desktop

    CFScript.gif

    Referring to the picture above, drag CFScript.txt into ComboFix.exe

    This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

    3. I'd like some files scanned...
    • Go to VirusTotal
    • Copy and paste the following file path into the Search Box in the middle of the page:
      c:\windows\system32\drivers\lygnnm.sys
    • Now click on the Send File button
      NOTE: If you come to the "File has already been analysed:" page, select "Reanalyse file now" to get a fresh scan.
    • Save a copy of the Anti-Virus results only. Post the results in your next reply.

    Do the same for the following file:
    c:\documents and settings\Owner\nah_eamq.exe

    4. Please post the following...
    • VirusTotal results
    • ComboFix log
    • New HijackThis log
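As an added example (not from the thread, ComboFix or HijackThis), here is a small Python triage pass over the kinds of lines the helper is reading in these logs: the HKCU/HKLM Run entries, the Security Center and firewall policy values, and the service/driver lines. The sample log is constructed from entries in the posted logs; the trusted-prefix list and the severity labels are my assumptions, not anything the tools define.

```python
import re
from typing import Dict, List

# Constructed sample in the format of the ComboFix "Reg Loading Points" section and the
# service lines from the logs posted in this thread, including the entries the helper acted on.
SAMPLE_LOG = r"""REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nah_Shell"="c:\documents and settings\Owner\nah_eamq.exe" [2008-11-16 79872]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"PhotoShow Deluxe Media Manager"="c:\progra~1\Ahead\NEROPH~1\data\Xtras\mssysmgr.exe" [2004-11-11 212992]
"nwiz"="nwiz.exe" [2003-05-02 c:\windows\system32\nwiz.exe]
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
S0 xnupo;xnupo;c:\windows\system32\drivers\lygnnm.sys []
S3 MA_CMIDI;M-Audio USB Driver;c:\windows\system32\drivers\ma_cmidi.sys []
S3 RLDesignVirtualAudioCableWdm;Live! Cam Virtual;c:\windows\system32\DRIVERS\livecamv.sys [2008-01-31 31616]
"""

# Assumption: locations from which autostart entries are ordinarily expected on this XP box.
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\progra~1\\", "c:\\hp\\")

RUN_ENTRY = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]+)"\s*\[(?P<info>[^\]]*)\]$')
DWORD_ENTRY = re.compile(r'^"(?P<name>[^"]+)"=dword:(?P<value>[0-9a-fA-F]{8})$')
FIREWALL_ENTRY = re.compile(r'^"EnableFirewall"=\s*(?P<value>\d+)')
SERVICE_ENTRY = re.compile(r'^(?P<start>S[0-4]) (?P<svc>[^;]+);(?P<display>[^;]*);(?P<image>.+?) \[(?P<info>[^\]]*)\]$')
NOTIFY_KEYS = {"antivirusdisablenotify", "updatesdisablenotify", "firewalldisablenotify"}


def triage(log: str) -> List[Dict[str, str]]:
    """Walk the log line by line and return findings as {severity, line, reason} dicts."""
    findings: List[Dict[str, str]] = []
    section = ""
    for raw in log.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line.lower()          # remember which registry key we are under
            continue
        m = RUN_ENTRY.match(line)
        if m and section.endswith("\\run]"):
            path = m.group("path").lower()
            if "\\" not in path:
                # Bare file name: resolved through the search path, worth a look but common for vendors.
                findings.append({"severity": "low", "line": line,
                                 "reason": "Run entry given as a bare file name, resolved via search path"})
            elif not path.startswith(TRUSTED_PREFIXES):
                findings.append({"severity": "high", "line": line,
                                 "reason": "Run entry launches from a user-writable, non-standard location"})
            continue
        m = DWORD_ENTRY.match(line)
        if (m and "security center" in section and m.group("name").lower() in NOTIFY_KEYS
                and int(m.group("value"), 16) == 1):
            findings.append({"severity": "medium", "line": line,
                             "reason": "Security Center notification suppressed"})
            continue
        m = FIREWALL_ENTRY.match(line)
        if m and "firewallpolicy" in section and m.group("value") == "0":
            findings.append({"severity": "medium", "line": line, "reason": "Windows Firewall disabled"})
            continue
        m = SERVICE_ENTRY.match(line)
        if m and m.group("info") == "":
            # ComboFix prints "[]" when it could not record a file date/size for the image.
            sev = "high" if m.group("start") in ("S0", "S1") else "low"
            findings.append({"severity": sev, "line": line,
                             "reason": f"{m.group('start')} service/driver with no file date or size recorded"})
    return findings


def summarize(findings: List[Dict[str, str]]) -> Dict[str, int]:
    """Count findings per severity label."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f["severity"]] = counts.get(f["severity"], 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f['severity']:6}] {f['reason']}\n         {f['line']}")
```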
    • edited November 2008
      Could not get c:\windows\system32\drivers\lygnnm.sys to work in the virus scan. A window opened up and said "0 bytes received". Here are the other logs.
      ___________________________________________________________________________________________________
      VIRUS SCAN

      File nah_eamq.exe received on 11.25.2008 01:55:14 (CET)

      Antivirus Version Last Update Result
      AhnLab-V3 2008.11.24.3 2008.11.24 -
      AntiVir 7.9.0.35 2008.11.24 -
      Authentium 5.1.0.4 2008.11.24 -
      Avast 4.8.1281.0 2008.11.24 -
      AVG 8.0.0.199 2008.11.24 SHeur2.CJJ
      BitDefender 7.2 2008.11.25 -
      CAT-QuickHeal 10.00 2008.11.24 -
      ClamAV 0.94.1 2008.11.24 -
      DrWeb 4.44.0.09170 2008.11.24 -
      eSafe 7.0.17.0 2008.11.24 Suspicious File
      eTrust-Vet 31.6.6226 2008.11.25 -
      Ewido 4.0 2008.11.24 -
      F-Prot 4.4.4.56 2008.11.24 -
      F-Secure 8.0.14332.0 2008.11.25 -
      Fortinet 3.117.0.0 2008.11.24 -
      GData 19 2008.11.25 -
      Ikarus T3.1.1.45.0 2008.11.24 -
      K7AntiVirus 7.10.532 2008.11.24 -
      Kaspersky 7.0.0.125 2008.11.25 -
      McAfee 5444 2008.11.24 -
      McAfee+Artemis 5444 2008.11.24 -
      Microsoft 1.4104 2008.11.25 -
      NOD32 3637 2008.11.24 -
      Norman 5.80.02 2008.11.24 -
      Panda 9.0.0.4 2008.11.24 -
      PCTools 4.4.2.0 2008.11.24 -
      Prevx1 V2 2008.11.25 -
      Rising 21.05.02.00 2008.11.24 -
      SecureWeb-Gateway 6.7.6 2008.11.24 Trojan.LooksLike.Fakealert
      Sophos 4.35.0 2008.11.24 -
      Sunbelt 3.1.1823.2 2008.11.22 -
      Symantec 10 2008.11.25 -
      TheHacker 6.3.1.1.161 2008.11.24 -
      TrendMicro 8.700.0.1004 2008.11.24 -
      VBA32 None 2008.11.24 -
      ViRobot 2008.11.24.1483 2008.11.24 -
      VirusBuster 4.5.11.0 2008.11.24 -
      ___________________________________________________________________________________________________
      ComboFix 08-11-23.02 - Owner 2008-11-24 16:36:53.3 - NTFSx86
      Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.881 [GMT -8:00]
      Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
      Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt
      * Created a new restore point
      FILE ::
      c:\windows\system32\drivers\TDSSxxou.sys
      c:\windows\system32\TDSSacun.dll
      c:\windows\system32\TDSSirxy.dll
      c:\windows\system32\TDSSktpa.dll
      c:\windows\system32\TDSSqqcn.dll
      c:\windows\system32\TDSSwupe.dat
      c:\windows\system32\TDSSyavu.dll
      c:\windows\system32\tmp0C52E.FOT
      c:\windows\system32\tmp8172E.FOT
      c:\windows\system32\tmpBA62E.FOT
      c:\windows\system32\tmpD362E.FOT
      .
      ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
      .
      c:\windows\system32\drivers\TDSSxxou.sys
      c:\windows\system32\TDSSacun.dll
      c:\windows\system32\TDSSirxy.dll
      c:\windows\system32\TDSSktpa.dll
      c:\windows\system32\TDSSqqcn.dll
      c:\windows\system32\TDSSwupe.dat
      c:\windows\system32\TDSSyavu.dll
      c:\windows\system32\tmp0C52E.FOT
      c:\windows\system32\tmp8172E.FOT
      c:\windows\system32\tmpBA62E.FOT
      c:\windows\system32\tmpD362E.FOT
      .
      ((((((((((((((((((((((((( Files Created from 2008-10-25 to 2008-11-25 )))))))))))))))))))))))))))))))
      .
      2008-11-23 23:21 . 2008-11-23 23:29 <DIR> d-------- C:\DRwine
      2008-11-21 19:06 . 2008-11-21 19:06 <DIR> d-------- C:\WINSSLog
      2008-11-19 13:32 . 2008-11-19 13:32 526,111 --a------ C:\OneCareSupportData.zip
      2008-11-19 12:56 . 2008-11-19 12:56 <DIR> d-------- c:\program files\Trend Micro
      2008-11-19 10:44 . 2008-11-22 11:56 <DIR> d-------- c:\program files\SUPERAntiSpyware
      2008-11-19 10:44 . 2008-11-19 10:44 <DIR> d-------- c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com
      2008-11-19 10:44 . 2008-11-19 10:44 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
      2008-11-19 04:41 . 2008-11-19 04:41 3,676 --a------ c:\windows\system32\OEMINFO.PNF
      2008-11-18 06:20 . 2008-11-18 06:20 <DIR> d-------- c:\documents and settings\Owner\Application Data\Malwarebytes
      2008-11-18 04:57 . 2008-11-18 06:47 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
      2008-11-18 04:57 . 2008-11-18 04:57 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
      2008-11-18 04:57 . 2008-10-22 16:10 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
      2008-11-18 04:57 . 2008-10-22 16:10 15,504 --a------ c:\windows\system32\drivers\mbam.sys
      2008-11-17 22:51 . 2003-07-24 01:56 <DIR> d-------- c:\documents and settings\Administrator\WINDOWS
      2008-11-17 22:51 . 2003-07-26 00:54 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Symantec
      2008-11-17 22:51 . 2003-07-24 01:35 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Sonic
      2008-11-17 22:51 . 2003-07-24 02:02 <DIR> d-------- c:\documents and settings\Administrator\Application Data\SampleView
      2008-11-17 22:51 . 2003-07-26 00:57 <DIR> d-------- c:\documents and settings\Administrator\Application Data\interMute
      2008-11-17 22:51 . 2008-11-17 22:51 <DIR> d-------- c:\documents and settings\Administrator
      2008-11-16 22:34 . 2008-11-17 07:04 1,627 --a------ c:\documents and settings\Owner\nah_log.dat
      2008-11-16 22:19 . 2008-11-16 22:19 79,872 --a------ c:\documents and settings\Owner\nah_eamq.exe
      2008-11-12 16:33 . 2008-10-24 03:21 455,296 -----c--- c:\windows\system32\dllcache\mrxsmb.sys
      2008-11-12 16:32 . 2008-09-04 09:15 1,106,944 -----c--- c:\windows\system32\dllcache\msxml3.dll
      2008-11-03 13:43 . 2008-11-06 23:30 <DIR> d-------- c:\program files\ClubWPT
      2008-11-01 11:05 . 2008-11-16 07:16 54,156 --ah----- c:\windows\QTFont.qfn
      2008-11-01 11:05 . 2008-11-01 11:05 1,409 --a------ c:\windows\QTFont.for
      .
      (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
      .
      2008-11-23 21:18 --------- d--h--w c:\documents and settings\All Users\Application Data\yahoo!
      2008-11-23 21:18 --------- d-----w c:\program files\Yahoo!
      2008-11-23 00:13 --------- d-----w c:\program files\Full Tilt Poker
      2008-11-22 03:22 --------- d-----w c:\program files\ICQ
      2008-11-19 21:26 --------- d-----w c:\program files\PCPitstop
      2008-11-17 18:20 --------- d--h--w c:\program files\Common Files\Authentium Shared
      2008-11-17 06:19 295,424 ----a-w c:\windows\system32\termsrv.dll
      2008-11-16 09:12 --------- d-----w c:\program files\PokerStars
      2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
      2008-10-23 23:40 --------- d-----w c:\documents and settings\Visitor\Application Data\Yahoo!
      2008-10-17 05:29 --------- d--h--w c:\documents and settings\Owner\Application Data\yahoo!
      2008-10-16 22:13 202,776 ----a-w c:\windows\system32\wuweb.dll
      2008-10-16 22:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
      2008-10-16 22:12 561,688 ----a-w c:\windows\system32\wuapi.dll
      2008-10-16 22:12 323,608 ----a-w c:\windows\system32\wucltui.dll
      2008-10-16 22:09 92,696 ----a-w c:\windows\system32\cdm.dll
      2008-10-16 22:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
      2008-10-16 22:09 43,544 ----a-w c:\windows\system32\wups2.dll
      2008-10-16 22:08 34,328 ----a-w c:\windows\system32\wups.dll
      2008-10-16 22:06 268,648 ----a-w c:\windows\system32\mucltui.dll
      2008-10-16 22:06 208,744 ----a-w c:\windows\system32\muweb.dll
      2008-10-12 04:33 --------- d-----w c:\program files\Accent WORD Password Recovery
      2008-10-01 00:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll
      2008-09-15 12:12 1,846,400 ----a-w c:\windows\system32\win32k.sys
      2008-09-13 18:52 77,824 ----a-w c:\windows\PCHealth\HelpCtr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Presario\XPHNARS3EN\plugin\bin\WinVerifyTrust.dll
      2008-09-13 18:52 49,152 ----a-w c:\windows\PCHealth\HelpCtr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Presario\XPHNARS3EN\plugin\bin\PCHI18N.dll
      2008-09-13 18:52 422,802 ----a-w c:\windows\PCHealth\HelpCtr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Presario\XPHNARS3EN\plugin\bin\pchplugin.zip
      2008-09-13 18:52 28,672 ----a-w c:\windows\PCHealth\HelpCtr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Presario\XPHNARS3EN\plugin\bin\InetWrap.dll
      2008-09-13 18:52 118,784 ----a-w c:\windows\PCHealth\HelpCtr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Presario\XPHNARS3EN\plugin\bin\SearchCtrl.dll
      2008-09-13 18:52 106,496 ----a-w c:\windows\PCHealth\HelpCtr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Presario\XPHNARS3EN\plugin\bin\PluginCtrl.dll
      2008-09-13 18:51 159,744 ----a-w c:\windows\PCHealth\HelpCtr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Presario\XPHNARS3EN\plugin\bin\PCHButton.exe
      2008-09-13 18:51 126,976 ----a-w c:\windows\PCHealth\HelpCtr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Presario\XPHNARS3EN\plugin\bin\ContentUpdater.exe
      2008-09-13 18:51 1,306,152 ----a-w c:\windows\PCHealth\HelpCtr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Presario\XPHNARS3EN\plugin\bin\motdeusr.zip
      2008-09-10 01:14 1,307,648 ------w c:\windows\system32\msxml6.dll
      2008-09-04 17:15 1,106,944 ----a-w c:\windows\system32\msxml3.dll
      2008-08-26 07:24 826,368 ----a-w c:\windows\system32\wininet.dll
      2008-03-07 13:35 3,856 ----a-w c:\documents and settings\Owner\Application Data\mindhabits.dat
      2005-01-28 13:07 0 ---ha-w c:\program files\Common Files\MSN
      2004-01-11 07:36 0 --sha-w c:\windows\SMINST\HPCD.sys
      2006-01-22 20:45 220 --sha-w c:\windows\system32\ss.drv
      .
      ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
      .
      .
      *Note* empty entries & legit default entries are not shown
      REGEDIT4
      [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
      "nah_Shell"="c:\documents and settings\Owner\nah_eamq.exe" [2008-11-16 79872]
      "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
      "PhotoShow Deluxe Media Manager"="c:\progra~1\Ahead\NEROPH~1\data\Xtras\mssysmgr.exe" [2004-11-11 212992]
      "NBJ"="c:\program files\Ahead\Nero BackItUp\NBJ.exe" [2004-12-07 1884160]
      "MoneyAgent"="c:\program files\Microsoft Money\System\mnyexpr.exe" [2002-07-17 200767]
      "OM_Monitor"="c:\program files\OLYMPUS\OLYMPUS Master\Monitor.exe" [2005-11-29 57344]
      "NVIEW"="nview.dll" [2003-05-02 c:\windows\system32\nview.dll]
      [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
      "TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-04-01 185896]
      "SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
      "Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-13 212992]
      "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-04-19 98304]
      "OM_Monitor"="c:\program files\OLYMPUS\OLYMPUS Master\FirstStart.exe" [2005-11-29 40960]
      "NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2003-05-02 4640768]
      "NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
      "mmtask"="c:\program files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe" [2005-05-09 53248]
      "KBD"="c:\hp\KBD\KBD.EXE" [2005-02-02 61440]
      "IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-11-02 155648]
      "hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736]
      "HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
      "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-11-02 126976]
      "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
      "nwiz"="nwiz.exe" [2003-05-02 c:\windows\system32\nwiz.exe]
      "AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 c:\windows\ALCXMNTR.EXE]
      c:\documents and settings\Default User\Start Menu\Programs\Startup\
      mod_sm.lnk - c:\hp\bin\cloaker.exe [1999-11-07 27136]
      c:\documents and settings\All Users\Start Menu\Programs\Startup\
      HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-02-19 288472]
      HP Photosmart Premier Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2006-02-10 73728]
      [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
      "VIDC.MJPG"= pvmjpg21.dll
      "Midi1"= ma_cmidn.dll
      "msacm.divxa32"= msaud32_divx.acm
      [HKEY_LOCAL_MACHINE\software\microsoft\security center]
      "AntiVirusDisableNotify"=dword:00000001
      "UpdatesDisableNotify"=dword:00000001
      [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
      "c:\\Program Files\\Messenger\\msmsgs.exe"=
      "c:\\WINDOWS\\system32\\mmc.exe"=
      "c:\\Program Files\\Windows Media Player\\wmplayer.exe"=
      "c:\\Program Files\\GameSpy Arcade\\Aphex.exe"=
      "c:\\WINDOWS\\system32\\fxsclnt.exe"=
      "c:\\WINDOWS\\system32\\sessmgr.exe"=
      "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
      "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
      "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
      "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
      "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
      "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
      "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
      "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
      "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
      "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
      "c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
      "c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
      "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
      "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
      "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
      "c:\\StubInstaller.exe"=
      "c:\\Program Files\\LimeWire\\LimeWire.exe"=
      "c:\\WINDOWS\\system32\\dpvsetup.exe"=
      "c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
      "%windir%\\system32\\sessmgr.exe"=
      S0 xnupo;xnupo;c:\windows\system32\drivers\lygnnm.sys []
      S2 OcHealthMon;Windows Live OneCare Health Monitor;"c:\program files\Microsoft Windows OneCare Live\OcHealthMon.exe" []
      S3 MA_CMIDI;M-Audio USB Driver;c:\windows\system32\drivers\ma_cmidi.sys []
      S3 RLDesignVirtualAudioCableWdm;Live! Cam Virtual;c:\windows\system32\DRIVERS\livecamv.sys [2008-01-31 31616]
      .
      Contents of the 'Scheduled Tasks' folder
      2008-11-23 c:\windows\Tasks\AppleSoftwareUpdate.job
      - c:\program files\Apple Software Update\SoftwareUpdate.exe []
      .
      **************************************************************************
      catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
      Rootkit scan 2008-11-24 16:41:58
      Windows 5.1.2600 Service Pack 3 NTFS
      scanning hidden processes ...
      scanning hidden autostart entries ...
      scanning hidden files ...
      scan completed successfully
      hidden files: 0
      **************************************************************************
      .
      DLLs Loaded Under Running Processes
      - - - - - - - > 'winlogon.exe'(496)
      c:\windows\system32\WgaLogon.dll
      .
      Completion time: 2008-11-24 16:44:39
      ComboFix-quarantined-files.txt 2008-11-25 00:42:56
      ComboFix2.txt 2008-11-24 07:29:38
      Pre-Run: 25,631,334,400 bytes free
      Post-Run: 25,609,760,768 bytes free
      202 --- E O F --- 2008-11-13 09:28:12
      ___________________________________________________________________

      Logfile of Trend Micro HijackThis v2.0.2
      Scan saved at 5:06:32 PM, on 11/24/2008
      Platform: Windows XP SP3 (WinNT 5.01.2600)
      MSIE: Internet Explorer v7.00 (7.00.6000.16735)
      Boot mode: Normal
      Running processes:
      C:\WINDOWS\System32\smss.exe
      C:\WINDOWS\system32\winlogon.exe
      C:\WINDOWS\system32\services.exe
      C:\WINDOWS\system32\lsass.exe
      C:\WINDOWS\system32\svchost.exe
      C:\WINDOWS\System32\svchost.exe
      C:\Program Files\Ahead\InCD\InCDsrv.exe
      C:\WINDOWS\system32\svchost.exe
      C:\WINDOWS\system32\spoolsv.exe
      C:\Program Files\Common Files\Real\Update_OB\realsched.exe
      C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
      C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
      C:\HP\KBD\KBD.EXE
      C:\windows\system\hpsysdrv.exe
      C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
      C:\WINDOWS\system32\hkcmd.exe
      C:\WINDOWS\ALCXMNTR.EXE
      C:\WINDOWS\system32\ctfmon.exe
      C:\PROGRA~1\Ahead\NEROPH~1\data\Xtras\mssysmgr.exe
      C:\WINDOWS\system32\drivers\KodakCCS.exe
      C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
      C:\WINDOWS\System32\svchost.exe
      C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
      C:\WINDOWS\explorer.exe
      C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
      R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
      R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
      R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
      R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
      R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
      R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
      O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
      O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
      O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
      O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
      O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
      O4 - HKLM\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\FirstStart.exe
      O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
      O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
      O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
      O4 - HKLM\..\Run: [mmtask] "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe"
      O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
      O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
      O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
      O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
      O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
      O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
      O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
      O4 - HKCU\..\Run: [nah_Shell] C:\Documents and Settings\Owner\nah_eamq.exe
      O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
      O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Ahead\NEROPH~1\data\Xtras\mssysmgr.exe
      O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
      O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
      O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
      O4 - HKCU\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe -NoStart
      O4 - S-1-5-18 Startup: mod_sm.lnk = C:\hp\bin\cloaker.exe (User 'SYSTEM')
      O4 - .DEFAULT Startup: mod_sm.lnk = C:\hp\bin\cloaker.exe (User 'Default user')
      O4 - .DEFAULT User Startup: mod_sm.lnk = C:\hp\bin\cloaker.exe (User 'Default user')
      O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
      O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
      O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
      O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
      O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
      O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
      O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll (file missing)
      O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll (file missing)
      O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
      O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
      O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
      O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
      O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Program Files\Bodog Poker\GameClient.exe (file missing)
      O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
      O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
      O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
      O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
      O16 - DPF: {2357B3CF-7F8D-4451-8D81-FD6097610AEE} (CamfrogWEB Advanced Unicode Control) - http://activex.camfrogweb.com/advanced/2.0.2.3/cfweb_activex.camfrogweb.com-advanced-2.0.2.3_instmodule.exe
      O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
      O16 - DPF: {2E28242B-A689-11D4-80F2-0040266CBB8D} (KXHCM10 Control) - http://collegio-cam.pittstate.edu/kxhcm10.ocx
      O16 - DPF: {54BE6B6F-3056-470B-97E1-BB92E051B6C4} (DeviceEnum Class) - http://h20264.www2.hp.com/ediags/dd/install/HPDriverDiagnosticsxp2k.cab
      O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1127230483562
      O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} - http://launch.gamespyarcade.com/software/launch/alaunch.cab
      O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} - http://chat.yahoo.com/cab/yacsui.cab
      O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} (F-Secure Online Scanner 3.0) - http://runvirusscan.com/ols3/fscax.cab
      O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
      O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
      O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
      O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/mcfscan/2,2,0,5246/mcfscan.cab
      O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su2/CTL_V02002/ocx/15034/CTPID.cab
      O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBPRO.EXE
      O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBOID.EXE
      O23 - Service: InCD Helper (read only) (InCDsrvR) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
      O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
      O23 - Service: Windows Live OneCare Health Monitor (OcHealthMon) - Unknown owner - C:\Program Files\Microsoft Windows OneCare Live\OcHealthMon.exe (file missing)
      --
      End of file - 8502 bytes
    • TroganTrogan London, UK
      edited November 2008
      Hi,

      Please do the following...

      1. Open Notepad and copy/paste the text in the Quote Box below into it:
      File::
      c:\documents and settings\Owner\nah_log.dat
      c:\documents and settings\Owner\nah_eamq.exe
      c:\windows\system32\drivers\lygnnm.sys

      Driver::
      xnupo

      Save this as CFScript.txt to your Desktop

      [Image: CFScript.gif, showing CFScript.txt being dragged onto ComboFix.exe]

      Referring to the picture above, drag CFScript.txt into ComboFix.exe

      This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.

      2. Open HijackThis
      - Click the Do a system scan only button
      - Check the following entries (below)

      O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)

      O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

      ...(Unless you set this with an anti-spyware program like SpyBot's Immunize feature, or a System Administrator set them, have HijackThis fix this.)

      - Close ALL open windows (especially Internet Explorer!)
      - Click Fix Checked
      - Close HijackThis

      3. Download ATF (Atribune Temp File) Cleaner© by Atribune to your desktop.
      This program is for XP and Windows 2000 only!
      • Double-click ATF Cleaner.exe to open it.
      • Under Main select the following:
        • Windows Temp
        • Current User Temp
        • All Users Temp
        • Temporary Internet Files
        • Java Cache
      *The other boxes are optional*
      Then click the Empty Selected button.

      Click Exit on the Main menu to close the program.

      4. Please do an online scan with Kaspersky WebScanner

      Click on Kaspersky Online Scanner

      You will be prompted to install an ActiveX component from Kaspersky. Click Yes.

      Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the licence, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset it to 100%.
      • The program will launch and then begin downloading the latest definition files:
      • Once the files have been downloaded click on NEXT
      • Now click on Scan Settings
        • In the scan settings make sure that the following are selected:
        • Scan using the following Anti-Virus database:
          Extended (if available otherwise Standard)
        • Scan Options:
          Scan Archives
          Scan Mail Bases

      • Click OK
      • Now under select a target to scan:
        Select My Computer
      • The program will start and scan your system.
      • The scan will take a while so be patient and let it run.
      • Once the scan is complete it will display if your system has been infected.
      • Now click on the Save Report As button:
      • Change Save as type: to Text file
      • Save this as Kaspersky scan to your Desktop

          5. Please post the following...

          Kaspersky report
          ComboFix log
          New HijackThis log
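As an added example, not from this thread and not part of HijackThis or ComboFix: a small Python triage script that flags, in a HijackThis log, the entry types the instructions above single out (an O2 BHO with no file, an O6 IE policy, stale "(file missing)" entries, O4 autoruns launched from a user profile root, and O16 ActiveX downloads from hosts outside an assumed allowlist). The sample log lines are constructed from entries quoted in this thread; the host allowlist and the severity labels are assumptions.

```python
"""Triage helper for HijackThis v2 logs (added example, not a HijackThis feature).

Flags the entry types a malware-removal helper typically acts on; it reports
items for review rather than declaring anything malicious.
"""
import re
from dataclasses import dataclass
from typing import List
from urllib.parse import urlparse

# Assumed allowlist of hosts from which O16 (ActiveX) downloads are expected.
TRUSTED_DPF_HOSTS = ("microsoft.com", "trendmicro.com", "mcafee.com", "hp.com")

O4_RE = re.compile(r"^O4 - (?P<hive>.+?): \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
O16_RE = re.compile(r"^O16 - DPF: \{[0-9A-Fa-f-]+\}(?: \([^)]*\))? - (?P<url>\S+)$")
# First executable-looking token of an autorun command, quoted or not.
EXE_RE = re.compile(r'^"?(?P<exe>.+?\.(?:exe|dll|scr|bat|cmd|vbs))', re.IGNORECASE)

# Constructed sample, modelled on lines posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [nah_Shell] C:\Documents and Settings\Owner\nah_eamq.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Program Files\Bodog Poker\GameClient.exe (file missing)
O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} (F-Secure Online Scanner 3.0) - http://runvirusscan.com/ols3/fscax.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1127230483562
O23 - Service: Windows Live OneCare Health Monitor (OcHealthMon) - Unknown owner - C:\Program Files\Microsoft Windows OneCare Live\OcHealthMon.exe (file missing)
"""


@dataclass
class Finding:
    section: str   # HijackThis section code, e.g. "O2"
    severity: str  # "fix", "review" or "info"
    reason: str
    line: str


def _host_trusted(url: str) -> bool:
    host = (urlparse(url).hostname or "").lower()
    return any(host == h or host.endswith("." + h) for h in TRUSTED_DPF_HOSTS)


def _autorun_in_profile_root(cmd: str) -> bool:
    """True when the autorun target sits directly in a user's profile folder
    (c:\\documents and settings\\<user>\\x.exe) instead of a program folder."""
    m = EXE_RE.match(cmd.strip())
    if not m:
        return False
    exe = m.group("exe").lower()
    prefix = "c:\\documents and settings\\"
    if not exe.startswith(prefix):
        return False
    return exe[len(prefix):].count("\\") == 1  # exactly <user>\<file>


def triage(log_text: str) -> List[Finding]:
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line or " - " not in line:
            continue
        section = line.split(" - ", 1)[0]
        if section == "O2" and line.endswith("(no file)"):
            findings.append(Finding("O2", "fix",
                "BHO registered but its DLL is gone; orphan entry", line))
        elif section == "O6":
            findings.append(Finding("O6", "review",
                "IE policy restriction present; fix unless set deliberately", line))
        elif section == "O4":
            m = O4_RE.match(line)
            if m and _autorun_in_profile_root(m.group("cmd")):
                findings.append(Finding("O4", "review",
                    f"autorun '{m.group('name')}' runs from a profile root", line))
        elif section == "O16":
            m = O16_RE.match(line)
            if m and not _host_trusted(m.group("url")):
                findings.append(Finding("O16", "review",
                    "ActiveX download from a host outside the allowlist", line))
        # Stale O9/O23 entries: the file is gone, so fixing them is harmless.
        if line.endswith("(file missing)"):
            findings.append(Finding(section, "info",
                "entry points to a file that no longer exists", line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.section}: {f.reason}")
```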
        • edited November 2008

          KASPERSKY ONLINE SCANNER 7 REPORT
          Wednesday, November 26, 2008
          Operating System: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
          Kaspersky Online Scanner 7 version: 7.0.25.0
          Program database last update: Tuesday, November 25, 2008 20:48:45
          Records in database: 1416649
          Scan settings:
          Scan using the following database: extended
          Scan archives: yes
          Scan mail databases: yes
          Scan area - My Computer:
          A:\
          C:\
          D:\
          E:\
          F:\
          Scan statistics:
          Files scanned: 130583
          Threat name: 16
          Infected objects: 27
          Suspicious objects: 0
          Duration of the scan: 02:54:30

          File name / Threat name / Threats count
          C:\Documents and Settings\Owner\.jpi_cache\jar\1.0\eRT.jar-2efd3f5-36c2114a.zip Infected: Trojan-Downloader.Java.OpenConnection.ap 1
          C:\Documents and Settings\Owner\.jpi_cache\jar\1.0\eRT.jar-35d0c87c-7ea77083.zip Infected: Trojan-Downloader.Java.OpenConnection.ap 1
          C:\Documents and Settings\Owner\.jpi_cache\jar\1.0\nRT.jar-2b4f45c-49aeb54c.zip Infected: Trojan-Downloader.Java.OpenConnection.ap 1
          C:\Documents and Settings\Owner\.jpi_cache\jar\1.0\nRT.jar-7f8c459b-1743b8e0.zip Infected: Trojan-Downloader.Java.OpenConnection.ap 1
          C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\6.0\0\5e461a00-5306de46 Infected: Exploit.Java.ByteVerify 2
          C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\6.0\0\5e461a00-5306de46 Infected: Trojan-Downloader.Java.OpenConnection.aa 1
          C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\6.0\19\6415b513-2bcbfd5c Infected: Trojan-Downloader.Java.OpenStream.c 1
          C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\6.0\19\6415b513-2bcbfd5c Infected: Trojan.Java.ClassLoader.h 1
          C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\6.0\19\6415b513-2bcbfd5c Infected: Trojan.Java.ClassLoader.d 1
          C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\6.0\24\3e021ed8-74d7633d Infected: Trojan.Java.ClassLoader.i 1
          C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\6.0\24\3e021ed8-74d7633d Infected: Trojan.Java.ClassLoader.k 2
          C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\6.0\29\53507edd-4e510dd0 Infected: Exploit.Java.ByteVerify 2
          C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\6.0\29\53507edd-4e510dd0 Infected: Trojan-Downloader.Java.OpenConnection.aa 1
          C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\6.0\37\60b721a5-66b0916b Infected: Trojan-Downloader.Java.OpenConnection.aj 2
          C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\6.0\37\60b721a5-66b0916b Infected: Exploit.Java.ByteVerify 2
          C:\hp\secret\ITK.exe Infected: not-a-virus:Monitor.Win32.Hooker.i 1
          C:\Program Files\downloads\mirc612.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.612 1
          C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\TDSSxxou.sys.vir Infected: Backdoor.Win32.TDSS.bkw 1
          C:\Qoobox\Quarantine\C\WINDOWS\system32\TDSSacun.dll.vir Infected: Rootkit.Win32.Clbd.lc 1
          C:\Qoobox\Quarantine\C\WINDOWS\system32\TDSSirxy.dll.vir Infected: Backdoor.Win32.TDSS.asz 1
          C:\Qoobox\Quarantine\C\WINDOWS\system32\TDSSktpa.dll.vir Infected: Backdoor.Win32.TDSS.blh 1
          C:\Qoobox\Quarantine\C\WINDOWS\system32\TDSSyavu.dll.vir Infected: Backdoor.Win32.TDSS.atb 1
          The selected area was scanned.

          __________________________________________________________________________________________-

          ComboFix 08-11-26.01 - Owner 2008-11-25 14:14:08.4 - NTFSx86
          Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.879 [GMT -8:00]
          Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
          Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt
          * Created a new restore point
          FILE ::
          c:\documents and settings\Owner\nah_eamq.exe
          c:\documents and settings\Owner\nah_log.dat
          c:\windows\system32\drivers\lygnnm.sys
          .
          ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
          .
          c:\documents and settings\Owner\nah_eamq.exe
          c:\documents and settings\Owner\nah_log.dat
          .
          ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
          .
          \Service_xnupo

          ((((((((((((((((((((((((( Files Created from 2008-10-26 to 2008-11-26 )))))))))))))))))))))))))))))))
          .
          2008-11-23 23:21 . 2008-11-23 23:29 <DIR> d C:\DRwine
          2008-11-21 19:06 . 2008-11-21 19:06 <DIR> d C:\WINSSLog
          2008-11-19 13:32 . 2008-11-19 13:32 526,111 --a C:\OneCareSupportData.zip
          2008-11-19 12:56 . 2008-11-19 12:56 <DIR> d c:\program files\Trend Micro
          2008-11-19 10:44 . 2008-11-22 11:56 <DIR> d c:\program files\SUPERAntiSpyware
          2008-11-19 10:44 . 2008-11-19 10:44 <DIR> d c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com
          2008-11-19 10:44 . 2008-11-19 10:44 <DIR> d c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
          2008-11-19 04:41 . 2008-11-19 04:41 3,676 --a c:\windows\system32\OEMINFO.PNF
          2008-11-18 06:20 . 2008-11-18 06:20 <DIR> d c:\documents and settings\Owner\Application Data\Malwarebytes
          2008-11-18 04:57 . 2008-11-18 06:47 <DIR> d c:\program files\Malwarebytes' Anti-Malware
          2008-11-18 04:57 . 2008-11-18 04:57 <DIR> d c:\documents and settings\All Users\Application Data\Malwarebytes
          2008-11-18 04:57 . 2008-10-22 16:10 38,496 --a c:\windows\system32\drivers\mbamswissarmy.sys
          2008-11-18 04:57 . 2008-10-22 16:10 15,504 --a c:\windows\system32\drivers\mbam.sys
          2008-11-17 22:51 . 2003-07-24 01:56 <DIR> d c:\documents and settings\Administrator\WINDOWS
          2008-11-17 22:51 . 2003-07-26 00:54 <DIR> d c:\documents and settings\Administrator\Application Data\Symantec
          2008-11-17 22:51 . 2003-07-24 01:35 <DIR> d c:\documents and settings\Administrator\Application Data\Sonic
          2008-11-17 22:51 . 2003-07-24 02:02 <DIR> d c:\documents and settings\Administrator\Application Data\SampleView
          2008-11-17 22:51 . 2003-07-26 00:57 <DIR> d c:\documents and settings\Administrator\Application Data\interMute
          2008-11-17 22:51 . 2008-11-17 22:51 <DIR> d c:\documents and settings\Administrator
          2008-11-12 16:33 . 2008-10-24 03:21 455,296 c--- c:\windows\system32\dllcache\mrxsmb.sys
          2008-11-12 16:32 . 2008-09-04 09:15 1,106,944 c--- c:\windows\system32\dllcache\msxml3.dll
          2008-11-03 13:43 . 2008-11-06 23:30 <DIR> d c:\program files\ClubWPT
          2008-11-01 11:05 . 2008-11-16 07:16 54,156 --ah c:\windows\QTFont.qfn
          2008-11-01 11:05 . 2008-11-01 11:05 1,409 --a c:\windows\QTFont.for
          .
          (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
          .
          2008-11-25 13:00 d-----w c:\program files\Full Tilt Poker
          2008-11-23 21:18 d--h--w c:\documents and settings\All Users\Application Data\yahoo!
          2008-11-23 21:18 d-----w c:\program files\Yahoo!
          2008-11-22 03:22 d-----w c:\program files\ICQ
          2008-11-19 21:26 d-----w c:\program files\PCPitstop
          2008-11-17 18:20 d--h--w c:\program files\Common Files\Authentium Shared
          2008-11-16 09:12 d-----w c:\program files\PokerStars
          2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
          2008-10-23 23:40 d-----w c:\documents and settings\Visitor\Application Data\Yahoo!
          2008-10-17 05:29 d--h--w c:\documents and settings\Owner\Application Data\yahoo!
          2008-10-12 04:33 d-----w c:\program files\Accent WORD Password Recovery
          2008-03-07 13:35 3,856 ----a-w c:\documents and settings\Owner\Application Data\mindhabits.dat
          2005-01-28 13:07 0 ---ha-w c:\program files\Common Files\MSN
          2004-01-11 07:36 0 --sha-w c:\windows\SMINST\HPCD.sys
          2006-01-22 20:45 220 --sha-w c:\windows\system32\ss.drv
          .
          ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
          .
          .
          *Note* empty entries & legit default entries are not shown
          REGEDIT4
          [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
          "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
          "PhotoShow Deluxe Media Manager"="c:\progra~1\Ahead\NEROPH~1\data\Xtras\mssysmgr.exe" [2004-11-11 212992]
          "NBJ"="c:\program files\Ahead\Nero BackItUp\NBJ.exe" [2004-12-07 1884160]
          "MoneyAgent"="c:\program files\Microsoft Money\System\mnyexpr.exe" [2002-07-17 200767]
          "OM_Monitor"="c:\program files\OLYMPUS\OLYMPUS Master\Monitor.exe" [2005-11-29 57344]
          "NVIEW"="nview.dll" [2003-05-02 c:\windows\system32\nview.dll]
          [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
          "TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-04-01 185896]
          "SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
          "Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-13 212992]
          "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-04-19 98304]
          "OM_Monitor"="c:\program files\OLYMPUS\OLYMPUS Master\FirstStart.exe" [2005-11-29 40960]
          "NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2003-05-02 4640768]
          "NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
          "mmtask"="c:\program files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe" [2005-05-09 53248]
          "KBD"="c:\hp\KBD\KBD.EXE" [2005-02-02 61440]
          "IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-11-02 155648]
          "hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736]
          "HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
          "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-11-02 126976]
          "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
          "nwiz"="nwiz.exe" [2003-05-02 c:\windows\system32\nwiz.exe]
          "AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 c:\windows\ALCXMNTR.EXE]
          c:\documents and settings\Default User\Start Menu\Programs\Startup\
          mod_sm.lnk - c:\hp\bin\cloaker.exe [1999-11-07 27136]
          c:\documents and settings\All Users\Start Menu\Programs\Startup\
          HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-02-19 288472]
          HP Photosmart Premier Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2006-02-10 73728]
          [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
          "VIDC.MJPG"= pvmjpg21.dll
          "Midi1"= ma_cmidn.dll
          "msacm.divxa32"= msaud32_divx.acm
          [HKEY_LOCAL_MACHINE\software\microsoft\security center]
          "AntiVirusDisableNotify"=dword:00000001
          "UpdatesDisableNotify"=dword:00000001
          [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
          "c:\\Program Files\\Messenger\\msmsgs.exe"=
          "c:\\WINDOWS\\system32\\mmc.exe"=
          "c:\\Program Files\\Windows Media Player\\wmplayer.exe"=
          "c:\\Program Files\\GameSpy Arcade\\Aphex.exe"=
          "c:\\WINDOWS\\system32\\fxsclnt.exe"=
          "c:\\WINDOWS\\system32\\sessmgr.exe"=
          "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
          "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
          "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
          "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
          "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
          "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
          "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
          "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
          "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
          "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
          "c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
          "c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
          "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
          "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
          "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
          "c:\\StubInstaller.exe"=
          "c:\\Program Files\\LimeWire\\LimeWire.exe"=
          "c:\\WINDOWS\\system32\\dpvsetup.exe"=
          "c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
          "%windir%\\system32\\sessmgr.exe"=
          S2 OcHealthMon;Windows Live OneCare Health Monitor;"c:\program files\Microsoft Windows OneCare Live\OcHealthMon.exe" []
          S3 MA_CMIDI;M-Audio USB Driver;c:\windows\system32\drivers\ma_cmidi.sys []
          S3 RLDesignVirtualAudioCableWdm;Live! Cam Virtual;c:\windows\system32\DRIVERS\livecamv.sys [2008-01-31 31616]
          .
          Contents of the 'Scheduled Tasks' folder
          2008-11-23 c:\windows\Tasks\AppleSoftwareUpdate.job
          - c:\program files\Apple Software Update\SoftwareUpdate.exe []
          .
          - - - - ORPHANS REMOVED - - - -
          HKCU-Run-nah_Shell - c:\documents and settings\Owner\nah_eamq.exe

          **************************************************************************
          catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
          Rootkit scan 2008-11-26 14:22:09
          Windows 5.1.2600 Service Pack 3 NTFS
          scanning hidden processes ...
          scanning hidden autostart entries ...
          scanning hidden files ...

          **************************************************************************
          .
          Other Running Processes
          .
          c:\program files\Ahead\InCD\InCDsrv.exe
          c:\windows\system32\drivers\KodakCCS.exe
          c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
          c:\program files\Real\RealPlayer\realplay.exe
          c:\program files\Real\RealPlayer\realplay.exe
          c:\program files\HP\Digital Imaging\bin\hpqimzone.exe
          c:\program files\HP\Digital Imaging\bin\hpqste08.exe
          c:\program files\HP\HP Software Update\HPWUCli.exe
          .
          **************************************************************************
          .
          Completion time: 2008-11-26 14:36:12 - machine was rebooted
          ComboFix-quarantined-files.txt 2008-11-26 22:34:53
          ComboFix2.txt 2008-11-25 00:44:40
          ComboFix3.txt 2008-11-24 07:29:38
          Pre-Run: 25,589,719,040 bytes free
          Post-Run: 25,566,158,848 bytes free
          169 --- E O F --- 2008-11-13 09:28:12

          _______________________________________________________________________________________

          Logfile of Trend Micro HijackThis v2.0.2
          Scan saved at 7:20:27 PM, on 11/26/2008
          Platform: Windows XP SP3 (WinNT 5.01.2600)
          MSIE: Internet Explorer v7.00 (7.00.6000.16735)
          Boot mode: Normal
          Running processes:
          C:\WINDOWS\System32\smss.exe
          C:\WINDOWS\system32\winlogon.exe
          C:\WINDOWS\system32\services.exe
          C:\WINDOWS\system32\lsass.exe
          C:\WINDOWS\system32\svchost.exe
          C:\WINDOWS\System32\svchost.exe
          C:\Program Files\Ahead\InCD\InCDsrv.exe
          C:\WINDOWS\system32\svchost.exe
          C:\WINDOWS\system32\spoolsv.exe
          C:\WINDOWS\system32\drivers\KodakCCS.exe
          C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
          C:\WINDOWS\System32\svchost.exe
          C:\WINDOWS\Explorer.EXE
          C:\Program Files\Common Files\Real\Update_OB\realsched.exe
          C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
          C:\Program Files\QuickTime\qttask.exe
          C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
          C:\HP\KBD\KBD.EXE
          C:\windows\system\hpsysdrv.exe
          C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
          C:\WINDOWS\system32\hkcmd.exe
          C:\WINDOWS\ALCXMNTR.EXE
          C:\WINDOWS\system32\ctfmon.exe
          C:\PROGRA~1\Ahead\NEROPH~1\data\Xtras\mssysmgr.exe
          C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
          C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
          R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
          R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
          R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
          R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
          R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
          R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
          O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
          O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
          O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
          O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
          O4 - HKLM\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\FirstStart.exe
          O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
          O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
          O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
          O4 - HKLM\..\Run: [mmtask] "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe"
          O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
          O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
          O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
          O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
          O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
          O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
          O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
          O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
          O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Ahead\NEROPH~1\data\Xtras\mssysmgr.exe
          O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
          O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
          O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
          O4 - HKCU\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe -NoStart
          O4 - S-1-5-18 Startup: mod_sm.lnk = C:\hp\bin\cloaker.exe (User 'SYSTEM')
          O4 - .DEFAULT Startup: mod_sm.lnk = C:\hp\bin\cloaker.exe (User 'Default user')
          O4 - .DEFAULT User Startup: mod_sm.lnk = C:\hp\bin\cloaker.exe (User 'Default user')
          O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
          O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
          O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
          O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
          O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
          O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll (file missing)
          O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll (file missing)
          O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
          O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
          O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
          O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
          O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Program Files\Bodog Poker\GameClient.exe (file missing)
          O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
          O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
          O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
          O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
          O16 - DPF: {2357B3CF-7F8D-4451-8D81-FD6097610AEE} (CamfrogWEB Advanced Unicode Control) - http://activex.camfrogweb.com/advanced/2.0.2.3/cfweb_activex.camfrogweb.com-advanced-2.0.2.3_instmodule.exe
          O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
          O16 - DPF: {2E28242B-A689-11D4-80F2-0040266CBB8D} (KXHCM10 Control) - http://collegio-cam.pittstate.edu/kxhcm10.ocx
          O16 - DPF: {54BE6B6F-3056-470B-97E1-BB92E051B6C4} (DeviceEnum Class) - http://h20264.www2.hp.com/ediags/dd/install/HPDriverDiagnosticsxp2k.cab
          O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1127230483562
          O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} - http://launch.gamespyarcade.com/software/launch/alaunch.cab
          O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} - http://chat.yahoo.com/cab/yacsui.cab
          O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} (F-Secure Online Scanner 3.0) - http://runvirusscan.com/ols3/fscax.cab
          O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
          O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
          O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
          O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/mcfscan/2,2,0,5246/mcfscan.cab
          O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su2/CTL_V02002/ocx/15034/CTPID.cab
          O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBPRO.EXE
          O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBOID.EXE
          O23 - Service: InCD Helper (read only) (InCDsrvR) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
          O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
          O23 - Service: Windows Live OneCare Health Monitor (OcHealthMon) - Unknown owner - C:\Program Files\Microsoft Windows OneCare Live\OcHealthMon.exe (file missing)
          --
          End of file - 8312 bytes



          I noticed on the HijackThis log my "date" was wrong. When I checked my clock, sure enough, it says the 26th; it should be the 25th. Don't know why that happened. I did the scans in the order you requested.
        • TroganTrogan London, UK
          edited November 2008
          Before we continue, I need to see another log from HijackThis.
          • Run Hijackthis.
          • Click on Open the Misc Tools section.
          • Next click on Open uninstall manager.
          • Press the Save list button.
          • Save the file to your desktop, with the default name of uninstall_list
          • Copy & Paste the entire contents of that file in your next post.
        • edited November 2008
          Hi
          Here is the list you requested, followed by another HijackThis scan. You should know that last night I uninstalled all Java programs, except Java Web Start. I then downloaded and reinstalled the latest Java Runtime Environment. This was done after I posted logs.

          3DFiBs Backgammon 3.0.72
          Accent WORD Password Recovery 2.60
          Adobe Acrobat and Reader 8.1.2 Security Update 1 (KB403742)
          Adobe Atmosphere Player for Acrobat and Adobe Reader
          Adobe Flash Player 10 ActiveX
          Adobe Photoshop Album 2.0 Starter Edition
          Adobe Photoshop Album Starter Edition
          Adobe Reader 8.1.2
          Advanced Audio FX Engine
          Advanced Video FX Engine
          ArcSoft ShowBiz 2
          Atari: The 80 Classic Games
          Audacity 1.2.6
          CamfrogWEB Advanced ActiveX Plugin (remove only)
          CardRd81
          CCHelp
          CCScore
          ClubWPT
          Compaq Organize
          CR2
          Easy MP3 Cutter 2.9
          Enhanced Multimedia Keyboard Solution
          ESSAdpt
          ESSANUP
          ESSBrwr
          ESSCAM
          ESSCDBK
          ESScore
          ESSCT
          ESSgui
          ESShelp
          ESSini
          ESSPCD
          ESSPDock
          ESSSONIC
          ESSTUTOR
          ESSvpaht
          ESSvpot
          Finding Notes Easy 1.5
          Free WMA to MP3 Converter 1.08
          Free Word Excel Password Wizard
          Full Tilt Poker
          GameSpy Arcade
          GOM Player
          Google Video Player
          HijackThis 2.0.2
          HLPCCTR
          HLPIndex
          HLPPDOCK
          HLPRFO
          Hotfix for Windows Internet Explorer 7 (KB947864)
          Hotfix for Windows Media Format 11 SDK (KB929399)
          Hotfix for Windows Media Player 11 (KB939683)
          Hotfix for Windows XP (KB952287)
          HP Deskjet Preloaded Printer Drivers
          HP Document Viewer 7.0
          HP Driver Diagnostics
          HP Imaging Device Functions 7.0
          HP Photosmart Premier Software 6.5
          HP Photosmart, Officejet and Deskjet 7.0.A
          HP Solution Center 7.0
          HP Update
          ImageMixer VCD/DVD2 for OLYMPUS
          Instant Support
          Intel(R) Extreme Graphics 2 Driver
          IntelliMover Data Transfer Demo
          InterVideo WinDVD Player
          Java Web Start
          Java(TM) 6 Update 10
          Kodak EasyShare software
          KSU
          LimeWire 4.16.6
          Macromedia Shockwave Player
          Malwarebytes' Anti-Malware
          Microsoft .NET Framework 1.1
          Microsoft .NET Framework 1.1
          Microsoft .NET Framework 1.1 Hotfix (KB928366)
          Microsoft .NET Framework 2.0
          Microsoft Compression Client Pack 1.0 for Windows XP
          Microsoft Data Access Components KB870669
          Microsoft Internationalized Domain Names Mitigation APIs
          Microsoft Money 2003
          Microsoft Money 2003 System Pack
          Microsoft National Language Support Downlevel APIs
          Microsoft Office Professional Edition 2003
          Microsoft Return of Arcade
          Microsoft User-Mode Driver Framework Feature Pack 1.0
          Microsoft Visual C++ 2005 Redistributable
          Microsoft Visual J# .NET Redistributable Package 1.1
          Microsoft Works 7.0
          MSN Music Assistant
          MSXML 4.0 SP2 (KB925672)
          MSXML 4.0 SP2 (KB927978)
          MSXML 4.0 SP2 (KB936181)
          MSXML 4.0 SP2 (KB954430)
          Musicmatch® Jukebox
          Nero PhotoShow Elite
          Nero Suite
          Netflix Movie Viewer
          Notifier
          NVIDIA Gart Driver
          NVIDIA Windows 2000/XP Display Drivers
          OCR Software by I.R.I.S 7.0
          OLYMPUS Master
          OTtBP
          OTtBPSDK
          PCDLNCH
          PC-Doctor for Windows
          Photo Story 3 for Windows
          PokerStars
          PS2
          Python 2.2 combined Win32 extensions
          Python 2.2.1
          Quicken 2003 New User Edition
          QuickTime
          RealPlayer
          S3Display
          S3Gamma2
          S3Info2
          S3Overlay
          Security Update for CAPICOM (KB931906)
          Security Update for CAPICOM (KB931906)
          Security Update for Step By Step Interactive Training (KB898458)
          Security Update for Step By Step Interactive Training (KB923723)
          Security Update for Windows Internet Explorer 7 (KB933566)
          Security Update for Windows Internet Explorer 7 (KB937143)
          Security Update for Windows Internet Explorer 7 (KB938127)
          Security Update for Windows Internet Explorer 7 (KB939653)
          Security Update for Windows Internet Explorer 7 (KB942615)
          Security Update for Windows Internet Explorer 7 (KB944533)
          Security Update for Windows Internet Explorer 7 (KB953838)
          Security Update for Windows Internet Explorer 7 (KB956390)
          Security Update for Windows Media Player 10 (KB911565)
          Security Update for Windows Media Player 10 (KB917734)
          Security Update for Windows Media Player 11 (KB936782)
          Security Update for Windows Media Player 11 (KB954154)
          Security Update for Windows XP (KB938464)
          Security Update for Windows XP (KB941569)
          Security Update for Windows XP (KB946648)
          Security Update for Windows XP (KB950762)
          Security Update for Windows XP (KB950974)
          Security Update for Windows XP (KB951066)
          Security Update for Windows XP (KB951376-v2)
          Security Update for Windows XP (KB951698)
          Security Update for Windows XP (KB951748)
          Security Update for Windows XP (KB952954)
          Security Update for Windows XP (KB953839)
          Security Update for Windows XP (KB954211)
          Security Update for Windows XP (KB954459)
          Security Update for Windows XP (KB955069)
          Security Update for Windows XP (KB956391)
          Security Update for Windows XP (KB956803)
          Security Update for Windows XP (KB956841)
          Security Update for Windows XP (KB957095)
          Security Update for Windows XP (KB957097)
          Security Update for Windows XP (KB958644)
          SFR
          SFR2
          SpadeClub Poker
          Update for Windows XP (KB951072-v2)
          Update for Windows XP (KB951978)
          VCAMCEN
          Viewpoint Media Player
          VPRINTOL
          Windows Genuine Advantage v1.3.0254.0
          Windows Media Format 11 runtime
          Windows Media Format 11 runtime
          Windows Media Player 11
          Windows Media Player 11
          Windows Rights Management client
          Windows XP Service Pack 3
          WinZip Self-Extractor
          Writer's Blocks
          XaviersMOD
          Yahoo! Messenger Explorer Bar
          Yahoo! Photos Easy Upload Tool 1v6
          _________________________________________________________________________________________________

          Logfile of Trend Micro HijackThis v2.0.2
          Scan saved at 11:57:54 AM, on 11/26/2008
          Platform: Windows XP SP3 (WinNT 5.01.2600)
          MSIE: Internet Explorer v7.00 (7.00.6000.16735)
          Boot mode: Normal
          Running processes:
          C:\WINDOWS\System32\smss.exe
          C:\WINDOWS\system32\winlogon.exe
          C:\WINDOWS\system32\services.exe
          C:\WINDOWS\system32\lsass.exe
          C:\WINDOWS\system32\svchost.exe
          C:\WINDOWS\System32\svchost.exe
          C:\Program Files\Ahead\InCD\InCDsrv.exe
          C:\WINDOWS\system32\svchost.exe
          C:\WINDOWS\system32\spoolsv.exe
          C:\WINDOWS\system32\drivers\KodakCCS.exe
          C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
          C:\WINDOWS\System32\svchost.exe
          C:\Program Files\Java\jre6\bin\jqs.exe
          C:\WINDOWS\Explorer.EXE
          C:\Program Files\Common Files\Real\Update_OB\realsched.exe
          C:\Program Files\QuickTime\qttask.exe
          C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
          C:\HP\KBD\KBD.EXE
          C:\windows\system\hpsysdrv.exe
          C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
          C:\WINDOWS\system32\hkcmd.exe
          C:\WINDOWS\ALCXMNTR.EXE
          C:\Program Files\Java\jre6\bin\jusched.exe
          C:\WINDOWS\system32\ctfmon.exe
          C:\PROGRA~1\Ahead\NEROPH~1\data\Xtras\mssysmgr.exe
          C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
          C:\WINDOWS\system32\wuauclt.exe
          C:\Program Files\internet explorer\iexplore.exe
          C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
          R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
          R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
          R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
          R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
          R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
          R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
          O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
          O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
          O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
          O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
          O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
          O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
          O4 - HKLM\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\FirstStart.exe
          O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
          O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
          O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
          O4 - HKLM\..\Run: [mmtask] "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe"
          O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
          O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
          O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
          O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
          O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
          O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
          O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
          O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
          O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
          O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Ahead\NEROPH~1\data\Xtras\mssysmgr.exe
          O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
          O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
          O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
          O4 - HKCU\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe -NoStart
          O4 - S-1-5-18 Startup: mod_sm.lnk = C:\hp\bin\cloaker.exe (User 'SYSTEM')
          O4 - .DEFAULT Startup: mod_sm.lnk = C:\hp\bin\cloaker.exe (User 'Default user')
          O4 - .DEFAULT User Startup: mod_sm.lnk = C:\hp\bin\cloaker.exe (User 'Default user')
          O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
          O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
          O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
          O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll (file missing)
          O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll (file missing)
          O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
          O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
          O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
          O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
          O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Program Files\Bodog Poker\GameClient.exe (file missing)
          O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
          O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
          O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
          O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
          O16 - DPF: {2357B3CF-7F8D-4451-8D81-FD6097610AEE} (CamfrogWEB Advanced Unicode Control) - http://activex.camfrogweb.com/advanced/2.0.2.3/cfweb_activex.camfrogweb.com-advanced-2.0.2.3_instmodule.exe
          O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
          O16 - DPF: {2E28242B-A689-11D4-80F2-0040266CBB8D} (KXHCM10 Control) - http://collegio-cam.pittstate.edu/kxhcm10.ocx
          O16 - DPF: {54BE6B6F-3056-470B-97E1-BB92E051B6C4} (DeviceEnum Class) - http://h20264.www2.hp.com/ediags/dd/install/HPDriverDiagnosticsxp2k.cab
          O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1127230483562
          O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} - http://launch.gamespyarcade.com/software/launch/alaunch.cab
          O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} - http://chat.yahoo.com/cab/yacsui.cab
          O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://dl8-cdn-03.sun.com/s/ESD5/JSCDL/jre/6u10-b92-b/jinstall-6u10-windows-i586-jc.cab?e=1227685145279&h=ffd20faf7fa8f536d32f651c11f856d0/&filename=jinstall-6u10-windows-i586-jc.cab
          O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} (F-Secure Online Scanner 3.0) - http://runvirusscan.com/ols3/fscax.cab
          O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
          O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
          O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
          O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/mcfscan/2,2,0,5246/mcfscan.cab
          O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su2/CTL_V02002/ocx/15034/CTPID.cab
          O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBPRO.EXE
          O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBOID.EXE
          O23 - Service: InCD Helper (read only) (InCDsrvR) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
          O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
          O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
          O23 - Service: Windows Live OneCare Health Monitor (OcHealthMon) - Unknown owner - C:\Program Files\Microsoft Windows OneCare Live\OcHealthMon.exe (file missing)
          --
          End of file - 8946 bytes
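          The helper compares the two logs in this thread by eye. As an added example (not part of the thread or of HijackThis itself), here is a small Python parser for HijackThis 2.0.x output that pulls out the findings, lists entries whose target binary is missing (like the OneCare service above), and diffs two scans. The sample scans are abbreviated from lines quoted earlier in the thread.

```python
"""Parse HijackThis 2.0.x logs, list entries that point at missing
files, and diff two scans (added example, not from the thread)."""
import re
from dataclasses import dataclass

# Every HijackThis finding starts with a section code (R0, O2, O4, O16, O23 ...)
# followed by " - " and the entry body; header and process-list lines do not.
ENTRY_RE = re.compile(r"^(?P<section>[RFNOS]\d{1,2}) - (?P<body>.+)$")


@dataclass(frozen=True)
class Entry:
    section: str
    body: str

    @property
    def file_missing(self) -> bool:
        # HijackThis appends "(file missing)" when the referenced binary is gone.
        return self.body.rstrip().endswith("(file missing)")


def parse_log(text: str) -> list[Entry]:
    """Return the findings in a log, skipping header and process-list lines."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            entries.append(Entry(m["section"], m["body"]))
    return entries


def orphaned(entries: list[Entry]) -> list[Entry]:
    """Entries whose target file no longer exists (leftovers of a removed install)."""
    return [e for e in entries if e.file_missing]


def diff_logs(old: list[Entry], new: list[Entry]) -> tuple[list[Entry], list[Entry]]:
    """Entries that appeared in (added) or vanished from (removed) the newer scan."""
    old_set, new_set = set(old), set(new)
    added = [e for e in new if e not in old_set]
    removed = [e for e in old if e not in new_set]
    return added, removed


# Two abbreviated scans built from lines quoted in the thread above.
SCAN_BEFORE = """\
Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\\WINDOWS\\System32\\smss.exe
O4 - HKLM\\..\\Run: [hpsysdrv] c:\\windows\\system\\hpsysdrv.exe
O23 - Service: InCD Helper (read only) (InCDsrvR) - Ahead Software AG - C:\\Program Files\\Ahead\\InCD\\InCDsrv.exe
O23 - Service: Windows Live OneCare Health Monitor (OcHealthMon) - Unknown owner - C:\\Program Files\\Microsoft Windows OneCare Live\\OcHealthMon.exe (file missing)
"""
SCAN_AFTER = SCAN_BEFORE + """\
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\\Program Files\\Java\\jre6\\bin\\ssv.dll
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\\Program Files\\Java\\jre6\\bin\\jqs.exe
"""

if __name__ == "__main__":
    before, after = parse_log(SCAN_BEFORE), parse_log(SCAN_AFTER)
    for e in orphaned(after):
        print("orphaned:", e.section, e.body)
    added, removed = diff_logs(before, after)
    print(f"{len(added)} added, {len(removed)} removed since previous scan")
```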
        • TroganTrogan London, UK
          edited November 2008
          The logs appear clean. Let me know how the computer is running?
        • edited November 2008
          It is running GREAT! Seems faster too. Like when I first bought it.
        • TroganTrogan London, UK
          edited November 2008
          That's great to hear! :thumbsup:

          We need to uninstall ComboFix.

          Click Start > Run > type: combofix /u > click OK. This will uninstall ComboFix.
          ___________________________

          Delete the two files I PM'ed you and Flash_Disinfector. You can keep ATF Cleaner, if you wish. I suggest keeping Malwarebytes and scanning with it regularly - update it first.

          Here are some Free anti-virus programs. Download one to your Desktop, but do not install it yet until Windows OneCare Live has been removed.

          AntiVir <-- This is what I use
          AVG Free Edition
          avast! 4 Home Edition

          As for removing Windows OneCare Live, give this tool a go. If it is successful, you can install the anti-virus you downloaded previously.

          Also, I assume you don't have a Firewall?
        • edited November 2008
          Yes, I do have a firewall. It's Windows Firewall. Should I have a different one? Don't know how to thank you. Typing the words just doesn't seem enough. Do I have the "all clear and clean" from you?

          Tictocdoc
        • TroganTrogan London, UK
          edited November 2008
          Yes you do!

          This topic is now closed. If you wish it reopened, please send a Private Message to Trogan with a link to your thread.

          If you are not the user who started this thread, you must start your own Thread instead (grin)