WiredWX Christian Hobby Weather Tools

Antivirus Software Alert infection! Not able to run any programs

My sister's computer has been infected with Antivirus Software alert virus/malware (Win32/Nugel.E). The system tray has about 50 Red X shields in it and I am not able to run ANY programs at all, the browser is even failing to go to the random disreputable sites that it tries to send it to, so getting on the internet to download programs may not be possible.

There are a total of 4 warnings on the screen, one bigger window with red title bar, one in the corner with red title bar, one classic window red x 'Security Warning' saying 'Application cannot be executed. The file wscntfy.exe is infected. Do you want to activate your antivirus software now?' And also a small blurb in the corner, 'Windows Security Alert'.

Re: Antivirus Software Alert infection! Not able to run any programs

Download OTL by OldTimer to your Desktop.

  • Close all windows and double click OTL.exe
  • Click Run Scan and let the program run uninterrupted
  • It will produce two logs for you, one will pop up - OTL.txt, the other will be saved on your Desktop - Extras.txt. Post both logs in this thread.
  • You may need to use two posts to get it all.

............................................................................................

Site Admin / Security Administrator

Virus Removal ~ OS Support ~ Have we helped you? Help us! ~ GeekChat
- Please PM me if I fail to respond within 24hrs.

Re: Antivirus Software Alert infection! Not able to run any programs

I copied the application over from a USB jump drive since the infected computer is not able to access the internet right now... Every time I try to start up the program, it shuts it down in less than 1 second and gives me the 'Security Warning' Application cannot be executed. The file otl.exe is infected. Do you want to activate your antivirus software now?

Re: Antivirus Software Alert infection! Not able to run any programs

Bleh, try this, I got a feeling the malware won't notice this.

Please download Ice Sword from HERE

  1. Download the zip to your desktop and extract it.
  2. Open the Ice Sword folder and then launch IceSword.exe.
  3. Will IceSword open?

Re: Antivirus Software Alert infection! Not able to run any programs

Yes luckily IceSword will open... will await further instructions, thank you.

Re: Antivirus Software Alert infection! Not able to run any programs

Hello.

  • Now, on the left hand side tool, hit the Process button at the top of the list.
  • Just above the list, there is a log button, press that and save the log to your Desktop.
  • Next, hit the Startup on the left side list.
  • Press the log button again.
  • Post the two logs in your next reply.

Re: Antivirus Software Alert infection! Not able to run any programs

Process:

System Idle Process
System
C:\WINDOWS\explorer.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\IDT\WDM\stacsv.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\alg.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\sttray.exe
C:\Program Files\IDT\WDM\sttray.exe
C:\WINDOWS\system32\AESTFltr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe
C:\Documents and Settings\HH\Local Settings\Application Data\dseiwy\hxxrsftav.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\HH\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Salaat Time\SalaatTime.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\Hewlett-Packard\Shared\hpqWmiEx.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Internet Explorer\iexplore.exe
E:\IceSword122en\IceSword122en\IceSword.exe


Startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
IgfxTray
C:\WINDOWS\system32\igfxtray.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HotKeysCmds
C:\WINDOWS\system32\hkcmd.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Persistence
C:\WINDOWS\system32\igfxpers.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
IDTSysTrayApp
sttray.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
SysTrayApp
%ProgramFiles%\IDT\WDM\sttray.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
AESTFltr
%SystemRoot%\system32\AESTFltr.exe /NoDlg

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
SynTPEnh
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HP Mobile Broadband
c:\SWsetup\HPQWWAN\HPMobileBroadband.exe /TrayMode

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
hpWirelessAssistant
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
QuickTime Task
"C:\Program Files\QuickTime\qttask.exe" -atboottime

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
GrooveMonitor
"C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
AVG9_TRAY
C:\PROGRA~1\AVG\AVG9\avgtray.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
rlbplfpt
C:\Documents and Settings\HH\Local Settings\Application Data\stbgge\hdylsftav.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
nmigurpi
C:\Documents and Settings\HH\Local Settings\Application Data\dseiwy\hxxrsftav.exe

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
ctfmon.exe
C:\WINDOWS\system32\ctfmon.exe

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Google Update
"C:\Documents and Settings\HH\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
swg
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Skype
"C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
SalaatTime
C:\Program Files\Salaat Time\SalaatTime.exe

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
rlbplfpt
C:\Documents and Settings\HH\Local Settings\Application Data\stbgge\hdylsftav.exe

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
nmigurpi
C:\Documents and Settings\HH\Local Settings\Application Data\dseiwy\hxxrsftav.exe

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
Bluetooth.lnk
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe (Remark：Bluetooth start-up shortcut)

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
desktop.ini


C:\Documents and Settings\HH\Start Menu\Programs\Startup
desktop.ini
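
Added example, not part of the original thread: Python that parses a startup log in the three-line layout posted above (location, entry name, command) and cross-checks it against the process list. The two scoring signals (binary in a user-writable profile directory, identical entry under both HKLM and HKCU Run keys) are assumptions chosen for illustration, not a method stated in the thread; the sample data is a constructed subset of the posted logs.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the startup log posted above, kept in the
# same layout (location line, entry name, command line, blank separator).
STARTUP_LOG = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
AVG9_TRAY
C:\PROGRA~1\AVG\AVG9\avgtray.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
rlbplfpt
C:\Documents and Settings\HH\Local Settings\Application Data\stbgge\hdylsftav.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
nmigurpi
C:\Documents and Settings\HH\Local Settings\Application Data\dseiwy\hxxrsftav.exe

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
ctfmon.exe
C:\WINDOWS\system32\ctfmon.exe

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Google Update
"C:\Documents and Settings\HH\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
rlbplfpt
C:\Documents and Settings\HH\Local Settings\Application Data\stbgge\hdylsftav.exe

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
nmigurpi
C:\Documents and Settings\HH\Local Settings\Application Data\dseiwy\hxxrsftav.exe

C:\Documents and Settings\HH\Start Menu\Programs\Startup
desktop.ini
"""

# Constructed sample: a few paths from the process list posted above.
RUNNING = [
    r"C:\WINDOWS\explorer.exe",
    r"C:\Documents and Settings\HH\Local Settings\Application Data\dseiwy\hxxrsftav.exe",
    r"C:\Documents and Settings\HH\Local Settings\Application Data\Google\Update\GoogleUpdate.exe",
    r"C:\Program Files\Skype\Phone\Skype.exe",
]

# Assumption: XP-style per-user data directories count as user-writable.
USER_WRITABLE = re.compile(
    r"\\documents and settings\\[^\\]+\\(?:local settings\\)?application data\\")


def parse_startup_log(text):
    """Split the log into records; the command line may be missing."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = [ln.strip() for ln in block.splitlines() if ln.strip()]
        if len(lines) >= 2:
            entries.append({"location": lines[0], "name": lines[1],
                            "command": lines[2] if len(lines) > 2 else ""})
    return entries


def exe_path(command):
    """Return the lower-cased executable path, without quotes or arguments."""
    m = re.match(r'\s*(?:"([^"]+)"|(.+?\.exe)\b)', command, re.IGNORECASE)
    return (m.group(1) or m.group(2)).lower() if m else ""


def hive_of(location):
    loc = location.upper()
    if loc.startswith("HKEY_LOCAL_MACHINE"):
        return "HKLM"
    if loc.startswith("HKEY_CURRENT_USER"):
        return "HKCU"
    return "folder"


def triage(entries, running_paths):
    """Score each unique (entry name, binary) pair on the two signals."""
    running = {p.lower() for p in running_paths}
    hives = defaultdict(set)
    for e in entries:
        exe = exe_path(e["command"])
        if exe:
            hives[(e["name"], exe)].add(hive_of(e["location"]))
    findings = []
    for (name, exe), seen in hives.items():
        reasons = []
        if USER_WRITABLE.search(exe):
            reasons.append("binary in user-writable profile directory")
        if {"HKLM", "HKCU"} <= seen:
            reasons.append("identical entry in both HKLM and HKCU Run keys")
        if reasons:
            findings.append({
                "name": name, "exe": exe, "reasons": reasons,
                # Both signals together: suspicious. One alone: manual review.
                "verdict": "suspicious" if len(reasons) == 2 else "review",
                "running": exe in running,
            })
    return sorted(findings, key=lambda f: (f["verdict"] != "suspicious", f["name"]))


if __name__ == "__main__":
    for f in triage(parse_startup_log(STARTUP_LOG), RUNNING):
        state = "running" if f["running"] else "not running"
        print(f'{f["verdict"]:10} {f["name"]:14} ({state}) {f["exe"]}')
        for reason in f["reasons"]:
            print(f"           - {reason}")
```

A per-user Google Update install trips the path signal alone and lands in "review" rather than "suspicious", which is why a single signal is not treated as a verdict.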

Re: Antivirus Software Alert infection! Not able to run any programs

Hello.

  • Open IceSword again.
  • Go into the Process list again, and right click on the following filename:

    hxxrsftav.exe

  • Select Terminate Process.
  • Close IceSword.

Please download and run this tool.

Download Malwarebytes' Anti-Malware from Here

Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.


Post the contents of the MBAM Log.

Re: Antivirus Software Alert infection! Not able to run any programs

Very odd... didn't seem to find anything (?).... perhaps I ran a slightly older version of the program (I had it on my jump drive since the last time I used it a few months ago to fix a malware-infested computer).


Malwarebytes' Anti-Malware 1.40
Database version: 2551
Windows 5.1.2600 Service Pack 3

3/2/2010 2:02:57 PM
mbam-log-2010-03-02 (14-02-57).txt

Scan type: Quick Scan
Objects scanned: 92417
Time elapsed: 12 minute(s), 50 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Re: Antivirus Software Alert infection! Not able to run any programs

Yep, an old version, in fact 4 versions behind, please update it.

Re: Antivirus Software Alert infection! Not able to run any programs

Updating with newer version and then will repost MBAM log...

Last edited by ssaifull on 2nd March 2010, 7:32 pm; edited 1 time in total (Reason for editing : misspoke)

Re: Antivirus Software Alert infection! Not able to run any programs

Ran the latest version but still didn't pick up anything... perhaps try a 'full scan'?


Malwarebytes' Anti-Malware 1.44
Database version: 3510
Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

3/2/2010 2:38:04 PM
mbam-log-2010-03-02 (14-38-04).txt

Scan type: Quick Scan
Objects scanned: 111341
Time elapsed: 12 minute(s), 32 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Re: Antivirus Software Alert infection! Not able to run any programs

Please update again, then run a new scan.

You have database 3510, and the latest database is 3815.

Re: Antivirus Software Alert infection! Not able to run any programs

Ok, this brings us to the next challenge: internet connectivity has been stifled by this malware. It won't let me find wireless networks, like the one in my home, so luckily, after much messing about, I was able to get my AT&T wireless data card set up. However, when trying to go online using Internet Explorer, it redirects the URL. But the datacard does show as being connected ....

When I click on check for updates on the Updates tab in MalwareBytes Anti-Malware, I get the error:

'An error occurred. Please report the following error code to the MBAM support team'

Error code: 732 (12029, 0)

Re: Antivirus Software Alert infection! Not able to run any programs

Uninstalling AVG (just in case, as that may be one cause of not being able to update... knowledge gleaned from googling the error) and restarting....

Re: Antivirus Software Alert infection! Not able to run any programs

Nope, still shot down when trying to 'Check for Updates' for MBAM. Same error...

Re: Antivirus Software Alert infection! Not able to run any programs

Tried these steps for the heck of it (found in the malwarebytes forum), but didn't get past step 3 (got a different error message there, talk about frustrating!)

Please try this on the computer that is having an issue.

1. Uninstall Malwarebytes' Anti-Malware using Add/Remove programs in the control panel.
2. Restart your computer (very important).
3. Download and run this utility. mbam-clean.exe
4. It will ask to restart your computer (please allow it to).
5. After the computer restarts, install the latest version from here. mbam-setup.exe

Re: Antivirus Software Alert infection! Not able to run any programs

Hello.

  • Download combofix from here
    Link 1
    Link 2

    1. If you are using Firefox, make sure that your download settings are as follows:

    * Tools->Options->Main tab
    * Set to "Always ask me where to Save the files".

    2. During the download, rename Combofix to Combo-Fix as follows:

    [Image: CF_download_FF]

    [Image: CF_download_rename]

    3. It is important you rename Combofix during the download, but not after.
    4. Please do not rename Combofix to other names, but only to the one indicated.
    5. Close any open browsers.
    6. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

  • We need to disable your local AV (Anti-virus) before running Combofix.
  • See HERE for how to disable your AV.
  • Double click on ComboFix.exe.
  • Follow the prompts. NOTE:
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    ***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.


  • The Recovery Console provides a recovery/repair mode should a problem occur during a Combofix run.

    [Image: Cf410]

  • Allow ComboFix to download the Recovery Console.
  • Accept the End-User License Agreement.
  • The Recovery Console will be installed.
  • You will then get this next prompt that asks if you want to continue the malware scan, select yes

    [Image: Cf510]

  • Allow combofix to run
  • Post C:\combofix.txt back here.

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

Re: Antivirus Software Alert infection! Not able to run any programs

Combofix log:


ComboFix 10-03-02.02 - HH 03/02/2010 18:03:46.1.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1015.607 [GMT -5:00]
Running from: e:\hajera netbook fix\Combo-Fix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Start Menu\Programs\Startup\Bluetooth.lnk
c:\documents and settings\HH\Local Settings\Application Data\dseiwy
c:\documents and settings\HH\Local Settings\Application Data\dseiwy\hxxrsftav.exe
c:\documents and settings\HH\Local Settings\Application Data\stbgge
c:\documents and settings\HH\Local Settings\Application Data\stbgge\hdylsftav.exe
c:\recycler\S-1-5-21-1770227689-2806628479-656278076-1003
c:\recycler\S-1-5-21-2429837910-1187963566-3045481847-1003
c:\recycler\S-1-5-21-931290050-3804774149-3105744162-1003
c:\windows\system32\oem1.inf
c:\windows\system32\stacsv.exe

.
((((((((((((((((((((((((( Files Created from 2010-02-02 to 2010-03-02 )))))))))))))))))))))))))))))))
.

2010-03-02 20:25 . 2010-03-02 20:27 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Temp
2010-03-02 20:24 . 2010-03-02 20:24 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Bytemobile
2010-03-02 20:22 . 2010-03-02 20:22 -------- d-----w- c:\documents and settings\HH\Application Data\Bytemobile
2010-03-02 20:22 . 2010-03-02 20:22 -------- d-----w- c:\documents and settings\HH\Application Data\DBUpdater
2010-03-02 20:22 . 2008-11-21 02:59 27072 ----a-w- c:\windows\system32\drivers\PCASp50.sys
2010-03-02 20:22 . 2010-03-02 20:22 -------- d-----w- c:\documents and settings\HH\Application Data\AT&T
2010-03-02 20:21 . 2008-08-22 17:05 26760 ----a-w- c:\windows\system32\drivers\swmsflt.sys
2010-03-02 20:16 . 2007-01-18 15:24 26496 ----a-r- c:\windows\system32\drivers\RimSerial.sys
2010-03-02 20:15 . 2010-03-02 20:15 -------- d-----w- c:\program files\Common Files\Motorola Shared
2010-03-02 20:15 . 2010-03-02 20:15 -------- d-----w- C:\Research in Motion
2010-03-02 20:15 . 2010-03-02 20:15 -------- d-----w- c:\program files\Common Files\Research in Motion
2010-03-02 20:15 . 2010-03-02 20:15 -------- d-----w- c:\program files\AT&T
2010-03-02 20:15 . 2010-03-02 20:15 -------- d-----w- c:\documents and settings\All Users\Application Data\AT&T
2010-03-02 20:14 . 2010-03-02 20:14 -------- d-----w- c:\program files\Option
2010-03-02 19:49 . 2010-03-02 19:49 -------- d-----w- c:\program files\Sierra Wireless Inc
2010-03-02 19:49 . 2010-03-02 19:49 -------- d-----w- c:\documents and settings\HH\Application Data\Sierra Wireless
2010-03-02 18:48 . 2010-03-02 22:18 -------- d-----w- c:\documents and settings\HH\Application Data\Malwarebytes
2010-03-02 18:48 . 2010-03-02 22:18 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-02-26 05:29 . 2010-02-26 05:29 -------- d-----w- c:\windows\Sun
2010-02-08 07:10 . 2010-02-08 07:10 -------- d-----w- c:\program files\AVG
2010-02-08 06:50 . 2010-02-08 06:50 -------- d-----w- c:\program files\IrfanView
2010-02-05 23:28 . 2010-02-05 23:36 -------- d-----w- c:\documents and settings\HH\Praat
2010-02-05 15:39 . 2010-02-05 15:39 251376 ----a-w- c:\documents and settings\HH\Application Data\Mozilla\plugins\npgoogletalk.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-02 23:01 . 2009-12-02 19:11 -------- d-----w- c:\documents and settings\HH\Application Data\U3
2010-03-02 19:53 . 2009-12-23 07:27 -------- d-----w- c:\documents and settings\HH\Application Data\skypePM
2010-02-10 14:41 . 2009-12-08 19:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-01-28 21:47 . 2009-11-16 23:17 -------- d-----w- c:\program files\Google
2010-01-19 19:00 . 2009-12-23 07:25 -------- d-----w- c:\documents and settings\HH\Application Data\Skype
2010-01-05 10:00 . 2007-08-14 09:54 832512 ----a-w- c:\windows\system32\wininet.dll
2010-01-05 10:00 . 2008-04-15 04:00 78336 ------w- c:\windows\system32\ieencode.dll
2010-01-05 10:00 . 2008-04-15 04:00 17408 ------w- c:\windows\system32\corpol.dll
2009-12-31 16:50 . 2008-04-15 04:00 353792 ------w- c:\windows\system32\drivers\srv.sys
2009-12-23 07:27 . 2009-12-23 07:27 56 ---ha-w- c:\windows\system32\ezsidmv.dat
2009-12-16 18:43 . 2008-04-15 04:00 343040 ------w- c:\windows\system32\mspaint.exe
2009-12-14 17:53 . 2009-11-15 23:01 85384 ----a-w- c:\documents and settings\HH\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-12-14 07:08 . 2008-04-15 04:00 33280 ------w- c:\windows\system32\csrsrv.dll
2009-12-09 03:07 . 2009-11-15 19:37 1626 ----a-w- c:\documents and settings\HH\Application Data\wklnhst.dat
2009-12-08 22:13 . 2009-12-08 22:13 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-12-08 19:26 . 2008-04-15 04:00 2145280 ------w- c:\windows\system32\ntoskrnl.exe
2009-12-08 18:43 . 2008-04-15 04:00 2023936 ------w- c:\windows\system32\ntkrnlpa.exe
2009-12-04 18:22 . 2008-04-15 04:00 455424 ------w- c:\windows\system32\drivers\mrxsmb.sys
2006-10-12 03:09 . 2009-12-26 10:18 94208 --sh--w- c:\windows\system32\SalaatTime.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="c:\documents and settings\HH\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-11-15 135664]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-11-16 39408]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2009-10-09 25623336]
"SalaatTime"="c:\program files\Salaat Time\SalaatTime.exe" [2008-05-16 13496320]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-15 135168]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-15 159744]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-15 131072]
"IDTSysTrayApp"="sttray.exe" [2008-08-30 442477]
"SysTrayApp"="c:\program files\IDT\WDM\sttray.exe" [2008-08-30 442477]
"AESTFltr"="c:\windows\system32\AESTFltr.exe" [2008-08-28 471040]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-07-31 1343488]
"HP Mobile Broadband"="c:\swsetup\HPQWWAN\HPMobileBroadband.exe" [2008-07-08 439600]
"hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2008-04-15 488752]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-11 417792]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"AT&T Communication Manager"="c:\program files\AT&T\Communication Manager\ATTCM.exe" [2008-12-01 33280]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Documents and Settings\\HH\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=
"c:\\Documents and Settings\\HH\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R3 AESTAud;AE Audio Service;c:\windows\system32\drivers\AESTAud.sys [10/5/2008 11:41 PM 112128]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/28/2010 4:47 PM 135664]
S3 ATTRcAppSvc;AT&T RcAppSvc;c:\program files\AT&T\Communication Manager\RcAppSvc.exe [11/20/2008 10:07 PM 113152]
S3 SWNC8U80;Sierra Wireless MUX NDIS Driver (UMTS80);c:\windows\system32\drivers\swnc8u80.sys [8/20/2008 1:35 PM 168192]
S3 SWUMX80;Sierra Wireless USB MUX Driver (UMTS80);c:\windows\system32\drivers\swumx80.sys [8/20/2008 1:36 PM 142976]
.
Contents of the 'Scheduled Tasks' folder

2009-11-23 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2010-03-02 c:\windows\Tasks\GoogleUpdateTaskMachineCore1caba46efd00086.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-28 21:47]

2010-02-25 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2853163502-4067377615-73162678-1006Core1cab6497254320e.job
- c:\documents and settings\HH\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-11-15 23:01]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.cnn.com/
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride =
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send To Bluetooth - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
LSP: bmnet.dll
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-rlbplfpt - c:\documents and settings\HH\Local Settings\Application Data\stbgge\hdylsftav.exe
HKCU-Run-nmigurpi - c:\documents and settings\HH\Local Settings\Application Data\dseiwy\hxxrsftav.exe
HKLM-Run-rlbplfpt - c:\documents and settings\HH\Local Settings\Application Data\stbgge\hdylsftav.exe
HKLM-Run-nmigurpi - c:\documents and settings\HH\Local Settings\Application Data\dseiwy\hxxrsftav.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-02 18:10
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(800)
c:\windows\system32\igfxdev.dll

- - - - - - - > 'lsass.exe'(856)
c:\windows\system32\bmnet.dll
.
Completion time: 2010-03-02 18:12:56
ComboFix-quarantined-files.txt 2010-03-02 23:12

Pre-Run: 46,061,301,760 bytes free
Post-Run: 46,608,277,504 bytes free

- - End Of File - - 8276C0B98ACA28F4EB7175C04A8C5A91

Re: Antivirus Software Alert infection! Not able to run any programs

Hello.

  1. Close any open browsers.
  2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  3. Open notepad and copy/paste the text in the quotebox below into it:

    DDS::
    uInternet Settings,ProxyServer = http=127.0.0.1:5555
    uInternet Settings,ProxyOverride =

  4. Save this as CFScript.txt, in the same location as ComboFix.exe

    [Image: Cfscriptb4i]

  5. Referring to the picture above, drag CFScript into ComboFix.exe
  6. When finished, it shall produce a log for you at C:\ComboFix.txt
  7. Please post the contents of the log in your next reply.

............................................................................................

Site Admin / Security Administrator

Virus Removal ~ OS Support ~ Have we helped you? Help us! ~ GeekChat
- Please PM me if I fail to respond within 24hrs.
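The CFScript in the post above lists an Internet Settings ProxyServer value of http=127.0.0.1:5555; a proxy that points at the local machine hands browser traffic to whatever process listens on that port. The following is an added example, not part of the thread or of ComboFix: it parses the ProxyServer string format (single `host:port` or per-protocol `scheme=host:port;...`) and reports loopback entries in log lines shaped like the one in the script. The function names and the extra sample lines are assumptions made for illustration.

```python
import ipaddress
import re

# Line shape taken from the CFScript in the thread.
PROXY_LINE = re.compile(r"Internet Settings,ProxyServer\s*=\s*(.*)$")

def parse_proxy_server(value):
    """Split a WinINET ProxyServer string into {scheme: (host, port)}.

    The value is either one "host:port" for all protocols or a list such as
    "http=127.0.0.1:5555;https=proxy.example:8080".
    """
    entries = {}
    for part in filter(None, (p.strip() for p in value.split(";"))):
        scheme, sep, target = part.partition("=")
        if not sep:                        # single-proxy form, no "scheme="
            scheme, target = "all", part
        target = target.strip().split("://", 1)[-1]
        host, sep, port = target.rpartition(":")
        if not sep or not port.isdigit():  # no port given
            host, port = target, ""
        entries[scheme.strip().lower()] = (host.strip("[]"), int(port) if port else None)
    return entries

def is_loopback(host):
    """True for "localhost" and for loopback IP literals (127.0.0.0/8, ::1)."""
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return host.lower() == "localhost"

def loopback_proxies(log_lines):
    """Return (scheme, host, port) for each proxy entry that points at this machine."""
    hits = []
    for line in log_lines:
        match = PROXY_LINE.search(line)
        if match:
            for scheme, (host, port) in parse_proxy_server(match.group(1)).items():
                if is_loopback(host):
                    hits.append((scheme, host, port))
    return hits

SAMPLE_LOG = [  # constructed, except the first line, which is the value in the thread
    "uInternet Settings,ProxyServer = http=127.0.0.1:5555",
    "uInternet Settings,ProxyServer = proxy.example:8080",
    "uInternet Settings,ProxyServer = http=localhost:8118;https=10.0.0.5:3128",
]

if __name__ == "__main__":
    for hit in loopback_proxies(SAMPLE_LOG):
        print("loopback proxy:", hit)
```

A hit is only a prompt to check which process owns that port; some legitimate local filters and accelerators also register a loopback proxy.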

Re: Antivirus Software Alert infection! Not able to run any programs

I did as instructed. Here is the log:


ComboFix 10-03-02.02 - HH 03/02/2010 22:49:25.2.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1015.552 [GMT -5:00]
Running from: c:\documents and settings\HH\Desktop\Hajera netbook fix\Combo-Fix.exe
Command switches used :: c:\documents and settings\HH\Desktop\Hajera netbook fix\CFScript.txt
.

((((((((((((((((((((((((( Files Created from 2010-02-03 to 2010-03-03 )))))))))))))))))))))))))))))))
.

2010-03-02 20:25 . 2010-03-02 20:27 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Temp
2010-03-02 20:24 . 2010-03-02 20:24 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Bytemobile
2010-03-02 20:22 . 2010-03-02 20:22 -------- d-----w- c:\documents and settings\HH\Application Data\Bytemobile
2010-03-02 20:22 . 2010-03-02 20:22 -------- d-----w- c:\documents and settings\HH\Application Data\DBUpdater
2010-03-02 20:22 . 2008-11-21 02:59 27072 ----a-w- c:\windows\system32\drivers\PCASp50.sys
2010-03-02 20:22 . 2010-03-02 20:22 -------- d-----w- c:\documents and settings\HH\Application Data\AT&T
2010-03-02 20:21 . 2008-08-22 17:05 26760 ----a-w- c:\windows\system32\drivers\swmsflt.sys
2010-03-02 20:16 . 2007-01-18 15:24 26496 ----a-r- c:\windows\system32\drivers\RimSerial.sys
2010-03-02 20:15 . 2010-03-02 20:15 -------- d-----w- c:\program files\Common Files\Motorola Shared
2010-03-02 20:15 . 2010-03-02 20:15 -------- d-----w- C:\Research in Motion
2010-03-02 20:15 . 2010-03-02 20:15 -------- d-----w- c:\program files\Common Files\Research in Motion
2010-03-02 20:15 . 2010-03-02 20:15 -------- d-----w- c:\program files\AT&T
2010-03-02 20:15 . 2010-03-02 20:15 -------- d-----w- c:\documents and settings\All Users\Application Data\AT&T
2010-03-02 20:14 . 2010-03-02 20:14 -------- d-----w- c:\program files\Option
2010-03-02 19:49 . 2010-03-02 19:49 -------- d-----w- c:\program files\Sierra Wireless Inc
2010-03-02 19:49 . 2010-03-02 19:49 -------- d-----w- c:\documents and settings\HH\Application Data\Sierra Wireless
2010-03-02 18:48 . 2010-03-02 22:18 -------- d-----w- c:\documents and settings\HH\Application Data\Malwarebytes
2010-03-02 18:48 . 2010-03-02 22:18 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-02-26 05:29 . 2010-02-26 05:29 -------- d-----w- c:\windows\Sun
2010-02-08 07:10 . 2010-02-08 07:10 -------- d-----w- c:\program files\AVG
2010-02-08 06:50 . 2010-02-08 06:50 -------- d-----w- c:\program files\IrfanView
2010-02-05 23:28 . 2010-02-05 23:36 -------- d-----w- c:\documents and settings\HH\Praat
2010-02-05 15:39 . 2010-02-05 15:39 251376 ----a-w- c:\documents and settings\HH\Application Data\Mozilla\plugins\npgoogletalk.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-02 23:01 . 2009-12-02 19:11 -------- d-----w- c:\documents and settings\HH\Application Data\U3
2010-03-02 19:53 . 2009-12-23 07:27 -------- d-----w- c:\documents and settings\HH\Application Data\skypePM
2010-02-10 14:41 . 2009-12-08 19:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-01-28 21:47 . 2009-11-16 23:17 -------- d-----w- c:\program files\Google
2010-01-19 19:00 . 2009-12-23 07:25 -------- d-----w- c:\documents and settings\HH\Application Data\Skype
2010-01-05 10:00 . 2007-08-14 09:54 832512 ------w- c:\windows\system32\wininet.dll
2010-01-05 10:00 . 2008-04-15 04:00 78336 ------w- c:\windows\system32\ieencode.dll
2010-01-05 10:00 . 2008-04-15 04:00 17408 ------w- c:\windows\system32\corpol.dll
2009-12-31 16:50 . 2008-04-15 04:00 353792 ------w- c:\windows\system32\drivers\srv.sys
2009-12-23 07:27 . 2009-12-23 07:27 56 ---ha-w- c:\windows\system32\ezsidmv.dat
2009-12-16 18:43 . 2008-04-15 04:00 343040 ------w- c:\windows\system32\mspaint.exe
2009-12-14 17:53 . 2009-11-15 23:01 85384 ----a-w- c:\documents and settings\HH\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-12-14 07:08 . 2008-04-15 04:00 33280 ------w- c:\windows\system32\csrsrv.dll
2009-12-09 03:07 . 2009-11-15 19:37 1626 ----a-w- c:\documents and settings\HH\Application Data\wklnhst.dat
2009-12-08 22:13 . 2009-12-08 22:13 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-12-08 19:26 . 2008-04-15 04:00 2145280 ------w- c:\windows\system32\ntoskrnl.exe
2009-12-08 18:43 . 2008-04-15 04:00 2023936 ------w- c:\windows\system32\ntkrnlpa.exe
2009-12-04 18:22 . 2008-04-15 04:00 455424 ------w- c:\windows\system32\drivers\mrxsmb.sys
2006-10-12 03:09 . 2009-12-26 10:18 94208 --sh--w- c:\windows\system32\SalaatTime.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="c:\documents and settings\HH\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-11-15 135664]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-11-16 39408]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2009-10-09 25623336]
"SalaatTime"="c:\program files\Salaat Time\SalaatTime.exe" [2008-05-16 13496320]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-15 135168]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-15 159744]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-15 131072]
"IDTSysTrayApp"="sttray.exe" [2008-08-30 442477]
"SysTrayApp"="c:\program files\IDT\WDM\sttray.exe" [2008-08-30 442477]
"AESTFltr"="c:\windows\system32\AESTFltr.exe" [2008-08-28 471040]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-07-31 1343488]
"HP Mobile Broadband"="c:\swsetup\HPQWWAN\HPMobileBroadband.exe" [2008-07-08 439600]
"hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2008-04-15 488752]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-11 417792]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"AT&T Communication Manager"="c:\program files\AT&T\Communication Manager\ATTCM.exe" [2008-12-01 33280]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Documents and Settings\\HH\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=
"c:\\Documents and Settings\\HH\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R3 AESTAud;AE Audio Service;c:\windows\system32\drivers\AESTAud.sys [10/5/2008 11:41 PM 112128]
R3 SWNC8U80;Sierra Wireless MUX NDIS Driver (UMTS80);c:\windows\system32\drivers\swnc8u80.sys [8/20/2008 1:35 PM 168192]
R3 SWUMX80;Sierra Wireless USB MUX Driver (UMTS80);c:\windows\system32\drivers\swumx80.sys [8/20/2008 1:36 PM 142976]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/28/2010 4:47 PM 135664]
S3 ATTRcAppSvc;AT&T RcAppSvc;c:\program files\AT&T\Communication Manager\RcAppSvc.exe [11/20/2008 10:07 PM 113152]
.
Contents of the 'Scheduled Tasks' folder

2009-11-23 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2010-03-02 c:\windows\Tasks\GoogleUpdateTaskMachineCore1caba46efd00086.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-28 21:47]

2010-02-25 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2853163502-4067377615-73162678-1006Core1cab6497254320e.job
- c:\documents and settings\HH\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-11-15 23:01]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.cnn.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send To Bluetooth - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
LSP: bmnet.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-02 22:53
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(800)
c:\windows\system32\igfxdev.dll

- - - - - - - > 'lsass.exe'(856)
c:\windows\system32\bmnet.dll

- - - - - - - > 'explorer.exe'(3772)
c:\windows\system32\WININET.dll
c:\windows\system32\btmmhook.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2010-03-02 22:55:10
ComboFix-quarantined-files.txt 2010-03-03 03:55
ComboFix2.txt 2010-03-02 23:12

Pre-Run: 46,593,519,616 bytes free
Post-Run: 46,576,713,728 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

- - End Of File - - D0DCE0E65A6429B27E4C6FD7BA5868FC

Re: Antivirus Software Alert infection! Not able to run any programs

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /uninstall

This will also reset your restore points.

How is the machine running now?

............................................................................................

Site Admin / Security Administrator

Virus Removal ~ OS Support ~ Have we helped you? Help us! ~ GeekChat
- Please PM me if I fail to respond within 24hrs.

Re: Antivirus Software Alert infection! Not able to run any programs

I did as instructed and Combo Fix ran one last time...

The machine seems to be running GREAT!! Thank you very much.

Re: Antivirus Software Alert infection! Not able to run any programs

Hello.

You aren't running antivirus software.

Please install Avira antivirus; otherwise you won't be protected.

1) Antivir PersonalEditionClassic
-Free anti-virus software for Windows.
-Detects and removes more than 50,000 viruses. Free support.

It is strongly recommended that you run only one antivirus program at a time. Having more than one antivirus program active in memory uses additional resources and can result in program conflicts and false virus alerts.

Run ESET Online Scan
Please do an online scan with ESET Online Scanner. Please use Internet Explorer as it uses ActiveX.

  • Check (tick) this box: YES, I accept the Terms of Use.
  • Click on the Start button next to it.
  • When prompted to run ActiveX, click Yes.
  • You will be asked to install an ActiveX. Click Install.
  • Once installed, the scanner will be initialized.
  • After the scanner is initialized, click Start.
  • Check (tick) Remove found threats box.
  • Check (tick) Scan unwanted applications.
  • Click on Scan.
  • It will start scanning. Please be patient.
  • Once the scan is done, the log will be saved here: C:\Program Files\esetonlinescanner\log.txt.

............................................................................................

Site Admin / Security Administrator

Virus Removal ~ OS Support ~ Have we helped you? Help us! ~ GeekChat
- Please PM me if I fail to respond within 24hrs.

Re: Antivirus Software Alert infection! Not able to run any programs

I'm running the ESET online scanner before downloading Antivir... I hope that's ok.

Re: Antivirus Software Alert infection! Not able to run any programs

Running ESET online scanner gave me some random error. Then I went ahead and downloaded Antivir before re-running ESET. Then it said there was already an antivirus program running (Antivir), so I am guessing I only had to do 1 of the 2, right?

So now that I have Antivir installed and the machine seems to be running fine, am I out of the woods yet?

Re: Antivirus Software Alert infection! Not able to run any programs

Yes. Smile...

This should be fine now.

............................................................................................

Site Admin / Security Administrator

Virus Removal ~ OS Support ~ Have we helped you? Help us! ~ GeekChat
- Please PM me if I fail to respond within 24hrs.

Re: Antivirus Software Alert infection! Not able to run any programs

Thanks a lot once again! A donation should be forthcoming :-)
