Infected... Please help

[LloydP]

i may have done something wrong...or it may not be nothing::; Avg popped up with something that said combofix\handler.3xe and i moved to vault in hast to copy the log... woops... anyways here is the report:

ComboFix 12-02-27.02 - Owner 02/28/2012 14:59:37.4.2 - x86

Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.1918.1075 [GMT -5:00]

Running from: c:\users\Owner\Desktop\ComboFix.exe

Command switches used :: c:\users\Owner\Desktop\CFScript.txt

AV: AVG Anti-Virus Free Edition 2012 *Disabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}

SP: AVG Anti-Virus Free Edition 2012 *Disabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}

SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

.

FILE ::

"c:\windows\system32\vCB68H0K.com"

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

C:\TDSSKiller_Quarantine

c:\tdsskiller_quarantine\28.02.2012_08.58.38\mbr0000\mbr0000\object.ini

c:\tdsskiller_quarantine\28.02.2012_08.58.38\mbr0000\mbr0000\tsk0000.dta

c:\tdsskiller_quarantine\28.02.2012_08.58.38\mbr0000\mbr0000\tsk0000.ini

c:\tdsskiller_quarantine\28.02.2012_08.58.38\mbr0000\mbr0000\tsk0001.dta

c:\tdsskiller_quarantine\28.02.2012_08.58.38\mbr0000\mbr0000\tsk0001.ini

c:\tdsskiller_quarantine\28.02.2012_08.58.38\mbr0000\object.ini

c:\tdsskiller_quarantine\28.02.2012_08.58.38\mbr0000\tdlfs0000\object.ini

c:\tdsskiller_quarantine\28.02.2012_08.58.38\mbr0000\tdlfs0000\tsk0000.dta

c:\tdsskiller_quarantine\28.02.2012_08.58.38\mbr0000\tdlfs0000\tsk0000.ini

c:\tdsskiller_quarantine\28.02.2012_08.58.38\mbr0000\tdlfs0000\tsk0001.dta

c:\tdsskiller_quarantine\28.02.2012_08.58.38\mbr0000\tdlfs0000\tsk0001.ini

c:\tdsskiller_quarantine\28.02.2012_08.58.38\mbr0000\tdlfs0000\tsk0002.dta

c:\tdsskiller_quarantine\28.02.2012_08.58.38\mbr0000\tdlfs0000\tsk0002.ini

c:\tdsskiller_quarantine\28.02.2012_08.58.38\mbr0000\tdlfs0000\tsk0003.dta

c:\tdsskiller_quarantine\28.02.2012_08.58.38\mbr0000\tdlfs0000\tsk0003.ini

c:\tdsskiller_quarantine\28.02.2012_08.58.38\mbr0000\tdlfs0000\tsk0004.dta

c:\tdsskiller_quarantine\28.02.2012_08.58.38\mbr0000\tdlfs0000\tsk0004.ini

c:\tdsskiller_quarantine\28.02.2012_08.58.38\mbr0000\tdlfs0000\tsk0005.dta

c:\tdsskiller_quarantine\28.02.2012_08.58.38\mbr0000\tdlfs0000\tsk0005.ini

c:\tdsskiller_quarantine\28.02.2012_08.58.38\mbr0000\tdlfs0000\tsk0006.dta

c:\tdsskiller_quarantine\28.02.2012_08.58.38\mbr0000\tdlfs0000\tsk0006.ini

c:\tdsskiller_quarantine\28.02.2012_08.58.38\mbr0000\tdlfs0000\tsk0007.dta

c:\tdsskiller_quarantine\28.02.2012_08.58.38\mbr0000\tdlfs0000\tsk0007.ini

c:\tdsskiller_quarantine\28.02.2012_08.58.38\mbr0000\tdlfs0000\tsk0008.dta

c:\tdsskiller_quarantine\28.02.2012_08.58.38\mbr0000\tdlfs0000\tsk0008.ini

c:\tdsskiller_quarantine\28.02.2012_08.58.38\mbr0000\tdlfs0000\tsk0009.dta

c:\tdsskiller_quarantine\28.02.2012_08.58.38\mbr0000\tdlfs0000\tsk0009.ini

c:\users\Owner\AppData\Local\Temp\nsiA170.tmp\System.dll

c:\windows\system32\vCB68H0K.com

c:\windows\Tasks\At1.job

c:\windows\Tasks\At11.job

c:\windows\Tasks\At13.job

c:\windows\Tasks\At15.job

c:\windows\Tasks\At17.job

c:\windows\Tasks\At19.job

c:\windows\Tasks\At21.job

c:\windows\Tasks\At23.job

c:\windows\Tasks\At25.job

c:\windows\Tasks\At27.job

c:\windows\Tasks\At3.job

c:\windows\Tasks\At5.job

c:\windows\Tasks\At7.job

c:\windows\Tasks\At9.job

.

.

((((((((((((((((((((((((( Files Created from 2012-01-28 to 2012-02-28 )))))))))))))))))))))))))))))))

.

.

2012-02-28 20:15 . 2012-02-28 20:15 -------- d-----w- c:\users\Public\AppData\Local\temp

2012-02-28 20:15 . 2012-02-28 20:15 -------- d-----w- c:\users\Default\AppData\Local\temp

2012-02-28 18:41 . 2009-04-11 04:45 185856 ----a-w- c:\windows\system32\drivers\netbt.sys

2012-02-28 14:26 . 2012-02-28 14:26 -------- d-----w- C:\$AVG

2012-02-26 01:48 . 2012-02-28 13:14 0 --sha-w- c:\windows\system32\dds_trash_log.cmd

2012-02-26 01:40 . 2012-02-26 01:40 -------- d-----w- c:\programdata\Faronics

2012-02-01 13:37 . 2012-02-01 13:37 -------- d-----w- c:\users\Owner\AppData\Roaming\AVG2012

2012-02-01 13:28 . 2012-02-01 13:53 -------- d-----w- c:\programdata\AVG2012

2012-02-01 13:09 . 2010-12-20 23:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2012-02-01 13:09 . 2012-02-01 13:09 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2012-02-01 13:09 . 2010-12-20 23:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2012-01-24 16:04 . 2012-01-24 16:04 388096 ----a-r- c:\users\Owner\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe

2011-12-09 01:41 . 2011-06-10 01:28 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2011-03-18 17:53 . 2011-03-31 15:13 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2007-07-09 159744]

"OnScreenDisplay"="c:\program files\Hewlett-Packard\HP QuickTouch\HPKBDAPP.exe" [2007-09-04 554320]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-06-24 13601312]

"HP CP1020 System Tray"="c:\program files\HP\HP LaserJet Professional CP1020 Series\HPCP1020STRAY.EXE" [2011-03-31 2620416]

"InCD"="c:\program files\Nero 7\InCD\InCD.exe" [2007-06-25 1057064]

"AVG_TRAY"="c:\program files\AVG\AVG2012\avgtray.exe" [2012-01-24 2416480]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"EnableLUA"= 0 (0x0)

"EnableUIADesktopToggle"= 0 (0x0)

.

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]

"HideSCAHealth"= 1 (0x1)

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"aux"=wdmaud.drv

.

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]

BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~1\AVG\AVG2012\avgrsx.exe /sync /restart

.

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Canon iC D800 Status Window.LNK]

path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Canon iC D800 Status Window.LNK

backup=c:\windows\pss\Canon iC D800 Status Window.LNK.CommonStartup

backupExtension=.CommonStartup

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]

2011-06-06 16:55 937920 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]

2011-06-06 16:55 35736 ----a-w- c:\program files\Adobe\Reader 10.0\Reader\reader_sl.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]

2007-06-27 23:03 152872 ----a-w- c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BrMfcWnd]

2008-04-11 19:13 1085440 ------r- c:\program files\Brother\Brmfcmon\BrMfcWnd.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ControlCenter3]

2007-12-21 22:57 86016 ------w- c:\program files\Brother\ControlCenter3\BrCtrCen.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DivXUpdate]

2010-09-16 20:04 1164584 ----a-w- c:\program files\DivX\DivX Update\DivXUpdate.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]

2011-05-24 13:13 136176 ----atw- c:\users\Owner\AppData\Local\Google\Update\GoogleUpdate.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]

2007-10-15 01:17 49152 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPADVISOR]

2007-10-01 23:10 1783136 ----a-w- c:\program files\Hewlett-Packard\HP Advisor\HPAdvisor.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpWirelessAssistant]

2007-09-13 15:47 480560 ----a-w- c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]

2011-04-14 15:32 421160 ----a-w- c:\program files\iTunes\iTunesHelper.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]

2007-03-01 19:57 153136 ----a-w- c:\program files\Common Files\Ahead\Lib\NeroCheck.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]

2009-06-24 15:38 92704 ----a-w- c:\windows\System32\nvmctray.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QPService]

2007-12-20 00:27 468264 ----a-w- c:\program files\HP\QuickPlay\QPService.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

2010-11-29 22:38 421888 ----a-w- c:\program files\QuickTime\QTTask.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SecurDisc]

2007-06-25 12:47 1629480 ----a-w- c:\program files\Nero 7\InCD\NBHGui.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]

2010-10-29 18:49 249064 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UCam_Menu]

2008-06-13 22:11 210216 ------w- c:\program files\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WAWifiMessage]

2007-01-08 22:53 311296 ----a-w- c:\program files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]

2008-01-19 07:38 1008184 ----a-w- c:\program files\Windows Defender\MSASCui.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Mobile Device Center]

2007-05-31 13:21 648072 ----a-w- c:\windows\WindowsMobile\wmdc.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Mobile-based device management]

2006-11-02 09:45 215552 ----a-w- c:\windows\WindowsMobile\wmdSync.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]

2008-01-19 07:33 202240 ----a-w- c:\program files\Windows Media Player\wmpnscfg.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]

"AntiVirusOverride"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-2594951614-2104154672-3464771787-1004]

"EnableNotificationsRef"=dword:00000001

.

S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\Common Files\Adobe\ARM\1.0\armsvc.exe [2011-06-06 64952]

.

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

WindowsMobile REG_MULTI_SZ wcescomm rapimgr

LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr

LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache

HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs

WSIMD

pageserver

.

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]

2007-10-18 20:25 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe

.

Contents of the 'Scheduled Tasks' folder

.

2012-02-28 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2011-08-15 01:15]

.

2011-11-08 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2011-08-15 01:15]

.

2011-05-24 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2594951614-2104154672-3464771787-1004Core.job

- c:\users\Owner\AppData\Local\Google\Update\GoogleUpdate.exe [2011-05-24 13:13]

.

2011-05-24 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2594951614-2104154672-3464771787-1004UA.job

- c:\users\Owner\AppData\Local\Google\Update\GoogleUpdate.exe [2011-05-24 13:13]

.

2011-03-30 c:\windows\Tasks\User_Feed_Synchronization-{2B218748-593F-4BDD-B64A-F5C65DE210E2}.job

- c:\windows\system32\msfeedssync.exe [2011-10-29 23:20]

.

2011-03-30 c:\windows\Tasks\User_Feed_Synchronization-{E5B0DB57-5983-461A-AB59-62B6F077BFCE}.job

- c:\windows\system32\msfeedssync.exe [2011-10-29 23:20]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com/

mStart Page = hxxp://www.google.com

uInternet Settings,ProxyOverride = *.local

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000

TCP: DhcpNameServer = 192.168.1.1

FF - ProfilePath - c:\users\Owner\AppData\Roaming\Mozilla\Firefox\Profiles\cb370nv0.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/

FF - prefs.js: keyword.URL - hxxp://www.bing.com/search?pc=Z016&form=ZGAADF&q=

FF - prefs.js: network.proxy.type - 0

.

- - - - ORPHANS REMOVED - - - -

.

SafeBoot-Wdf01000.sys

.

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,

http://www.gmer.net

Rootkit scan 2012-02-28 15:49

Windows 6.0.6002 Service Pack 2 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0004\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0005\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0008\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

.

------------------------ Other Running Processes ------------------------

.

c:\progra~1\AVG\AVG2012\avgrsx.exe

c:\program files\AVG\AVG2012\avgcsrvx.exe

c:\windows\system32\nvvsvc.exe

c:\windows\system32\rundll32.exe

c:\windows\system32\WLANExt.exe

c:\windows\system32\CAPM5RSK.EXE

c:\windows\system32\spool\DRIVERS\W32X86\3\HP1006MC.EXE

c:\windows\system32\spool\drivers\w32x86\3\CAPM5SWK.EXE

c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

c:\program files\AVG\AVG2012\avgwdsvc.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\windows\system32\HPSIsvc.exe

c:\program files\Nero 7\InCD\InCDsrv.exe

c:\program files\Common Files\LightScribe\LSSrvc.exe

c:\program files\AVG\AVG2012\avgnsx.exe

c:\program files\HP\QuickPlay\Kernel\TV\QPCapSvc.exe

c:\program files\Apoint2K\ApMsgFwd.exe

c:\program files\Apoint2K\Apntex.exe

c:\windows\ehome\ehmsas.exe

c:\program files\CyberLink\Shared Files\RichVideo.exe

c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe

c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE

c:\windows\system32\DRIVERS\xaudio.exe

c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe

c:\program files\Hewlett-Packard\Shared\hpqwmiex.exe

c:\program files\HP\QuickPlay\Kernel\TV\QPSched.exe

c:\program files\AVG\AVG2012\AVGIDSAgent.exe

.

**************************************************************************

.

Completion time: 2012-02-28 15:56:04 - machine was rebooted

ComboFix-quarantined-files.txt 2012-02-28 20:56

ComboFix2.txt 2012-02-28 18:50

.

Pre-Run: 21,315,563,520 bytes free

Post-Run: 21,267,562,496 bytes free

.

- - End Of File - - D19501C1B80B8571C8672523BEA2CB01

Let me know if the file i moved with avg should be restored or left or what have you.., Thanx once again for speedily responding to all my ailments, Thank You

[LDTate]

No, don't restore that file.

How's it running now?

[LloydP]

Sorry, thought you had gone for the day yesterday so i had shutdown the laptop n didn't check til now, but it seems to be running pretty smooth; the command prompt and regedit are running, the msconfig comes up; it seems great! :-) ..The only concern, or thoughts i have are of the CD drive and if its going to mess up again or stay visible. And any thoughts of yours that i could apply to my laptop, like with the start up services or any programs to disable or keep running, to keep the laptop running safe and up to par would be excellent..other than that, Everything seems EXCELLENT!!... Thank you very much!?, I truly appreciate the work you do here!

[LDTate]

Good job

The following will implement some cleanup procedures as well as reset System Restore points:

For XP:

• Click START run
  
• Now type ComboFix /Uninstall in the runbox and click OK. Note the space between the X and the /, it needs to be there.
  

For Vista / Windows 7

• Click START Search
  
• Now type ComboFix /Uninstall in the runbox and click OK. Note the space between the X and the /, it needs to be there.
  

Here's my usual all clean post

To be on the safe side, I would also change all my passwords.

This infection appears to have been cleaned, but as the malware could be configured to run any program a remote attacker requires, it's impossible to be 100% sure that any machine is clean.

Log looks good

• Update your AntiVirus Software - It is imperative that you update your Antivirus software at least once a week
  (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.
  
• Use a Firewall - I can not stress how important it is that you use a Firewall on your computer.
  Without a firewall your computer is succeptible to being hacked and taken over.
  I am very serious about this and see it happen almost every day with my clients.
  Simply using a Firewall in its default configuration can lower your risk greatly.
  
• Using a secure browser plugin M86 SecureBrowsing makes it safe to search, surf and socialize online. This free browser plug-in displays security icons next to links on search engines and social networking sites like Facebook, Twitter and LinkedIn, so you'll know which pages are safe and which ones to avoid.
  •Free browser plug-in for Internet Explorer and Firefox
  •Real-time safety ratings
  •Ideal for Facebook, Twitter and LinkedIn
  
• JAVA Click this link and click on the Free JAVA Download
  
• Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly.
  This will ensure your computer has always the latest security updates available installed on your computer.
  If there are new updates to install, install them immediately, reboot your computer, and revisit the site
  until there are no more critical updates.
  

Only run one Anti-Virus and Firewall program.

I would suggest you read:

PC Safety and Security--What Do I Need?.

How to Prevent Malware:

The full version of Malwarebytes' Anti-Malware could have helped protect your computer against this threat.

We use different ways of protecting your computer(s):

• Dynamically Blocks Malware Sites & Servers
  
• Malware Execution Prevention
  

Save yourself the hassle and get protected.

[LloydP]

Hello,

Thank You again, n you've sold me! i am definitely buying the full version.. I have uninstalled the combofix and ran one scan of AVG on the laptop,(which is why the long time in between response) when the computer rebooted the laptop came on with a couple alerts, one "C:\32788R22FWJW\HANDLE.3XE",which seems to be the one that i moved to vault earlier?? and another, after i deleted the combofix, "C:COMBOFIX\NIRCMDB.EXE".... when i looked at the handle one it said its information was "file name:HANDLE.3XE, threat name: TR/Crypt.XPACK.Gen, processes terminated: HANDLE.3XE, files deleted:Procexp113.sys & Handle.3xe".... ..hope these are nothing too serious(any hidden/undetected remains of malware or virus?).... I've installed theM86 to all my browsers i use and downloaded the Java afterwards...turned on my windows firewall all the way and also turned on the UAC.. i will try n keep up with the frequency of the windows update, but i always feel like they sneaking in those 'big brother' products that watch us in with the updates..., and i will check on burning a music cd when i get off work(which is actually what made me realize i even had a virus in the first place!)...

..

.

Thank You Again! Very much Appreciative!!!!

[LloydP]

quick side note; when i try to use the laptops mouse pads scroll area; it does not work... and i just tried to install the java update and it said failed and gave an error message of: "Internal Error 2753 RegUtils.dll"

[LloydP]

I've tried to update the "windows update" and i"m getting an error message as well... didn't get a chance to write it down yet(the error message) but when i do i will post if needed.., also when i'm looking at the update screen it says i have not updated since 05/2011(not surprising), but when i click on view previous updates it has the last known successful update as 1/25/2012... Is this any residuals of the infection? .. PS still can't scroll with the mouse pad.

[LloydP]

Also,

and i hope i'm not being a pester and posting too much, but i just tried to activate the windows defender(i dont know if i should be trying to since i have AVG running already), and it came with an error message stating "Application failed to initialize: 0x800106ba. A problem caused this program's service to stop. To start the service, restart your computer or search Help and Supprort for how to start a service manually."

[LDTate]

Files like this, C:\32788R22FWJW\HANDLE.3XE are from Combofix.

Your AV flagged it and that's why we tell you to disable your AV until CF is finished

You can delete that whole folder C:\32788R22FWJW

Java issues

Firstly in "Task Manager" > Processes Tab. Kill any/all running Java processes eg. java, jqs, javaws etc

Then just download this Java Fix tool > JavaMSIFix.exe and run it. ("Download File" near middle of that page)

http://forums.whatthetech.com/index.php?autocom=downloads&req=download&code=confirm_download&id=41

Sounds like you need to re-install the driver for the built-in mouse pad.

There should be a driver download for it at the manufactor's website

[LloydP]

I took a "freeze frame" picture of the laptop and i don't know how to insert into here, it wont copy paste into here; can only attach itpict1.doc.. hope this works.... oh and the scroll just came back and the mouse pad seems to be fully operational.. Thanx again for your time, consideration, and input into helping me rid this laptop of its horrriibble infection :-))

[LloydP]

That worked great for the Java... the windows defender and update are not up to par yet tho...

[LloydP]

Spoke too soon windows updates are ready now :-0

[LDTate]

1. Click start

2. Type Run MsConfig

3. On the System Config Window Click on the Services Tag

4. Click on the "hide all Microsoft Services" option.

5. Click on the Start Up Tab at the top.

6. Scroll down to the Windows Defender box and Uncheck it.

7. Go back to the Services Tab and Uncheck "hide all Microsoft Services".

8. Click on Apply, and OK.

9. Restart Computer

[LloydP]

wow! i have 93 important and 11 optional... a lot are 'security update for windows vista (KB...) should i download all? or just the most recent?

[LDTate]

all important

[LloydP]

Thank you am now.... error at 55% or so, code 80096001

[LloydP]

....with the windows update that is..

[LDTate]

This is for Windows Defender

1. Click start

2. Type Run MsConfig

3. On the System Config Window Click on the Services Tag

4. Click on the "hide all Microsoft Services" option.

5. Click on the Start Up Tab at the top.

6. Scroll down to the Windows Defender box and Uncheck it.

7. Go back to the Services Tab and Uncheck "hide all Microsoft Services".

8. Click on Apply, and OK.

9. Restart Computer

[LloydP]

Sorry yeah, no, i did the windows defender thing and was awaiting a restart to apply and see if it works now, but while i was doing that i was trying to start the windows updates as well

[LDTate]

I suggest you contact MS about the update issues.

http://support.microsoft.com/ph/11732

Ask Microsoft Technical Support

[LloydP]

Ok will do.., i just got done restarting and trying to turn on the windows defender and it did the same error message.. i looked in the msconfig and it seems they are checked but the service is stopped for some reason or another

[LDTate]

MS should be able to help you with that as well.

[LloydP]

okie dokie... Sorry to have disturbed you with the little stuff, just was trying to keep you informed as to the behavior of the computer... Thank You once again for all your assistance, and i will now be leaving to go home and try to burn a cd to the drive n see if it stays n burns or just disappears....

[LDTate]

You're more than welcome.

Glad we were able to help

Peace be with you

[LloydP]

And also with you