Cmd.exe and FTP.exe Difficulties (In Progress)

SilverBolt
Junior Member with 20 posts.
Join Date: Jul 2009
10-Sep-2009, 11:04 PM #31
Oops! I'm sorry, I deleted them. None had been accessed or modified since August at the latest, though. My computer seems okay for the most part now. I've been trying to keep things pretty well scanned and cleaned up. But I don't think Prevx actually offers "real-time" protection despite its claims, since I've never gotten any notification that anything was wrong. Anybody know a real-time antivirus with a low footprint that won't ravish my system resources shamelessly?

~*SilverBolt
Cookiegal
Administrator with 63,642 posts.
Join Date: Aug 2003
Location: Quebec, Canada
12-Sep-2009, 11:38 AM #32
Avast is a good one.

Please visit Combofix Guide & Instructions for instructions on installing the recovery console and on downloading and running ComboFix.

The only thing different from the instructions there is that when downloading and saving the ComboFix.exe I would like you to rename it to Combo-Fix.exe please.

Post the log from ComboFix when you've accomplished that along with a new HijackThis log.

Important notes regarding ComboFix:

ComboFix may reset a number of Internet Explorer's settings, including making it the default browser. This can easily be changed once we're finished.

ComboFix also prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you, please let me know. This can be undone manually when we're finished. Read HERE for an article written by dvk01 on why we disable autoruns.
__________________
Microsoft MVP - Consumer Security
SilverBolt
Junior Member with 20 posts.
Join Date: Jul 2009
17-Sep-2009, 06:40 AM #33
Disabling autoruns is going to be a little bit of a problem, but so long as it can be reset to do that manually with relatively little trouble, it shouldn't be too bad. I can imagine why they're disabled, since there's no telling what's on a peripheral you plug into your computer. Though, what we have is a window pops up that asks what we want to do with the CD we put in. I think it calls itself AutoPlay. That's all we need to preserve. How do we go about doing that?

~*SilverBolt
Cookiegal
Administrator with 63,642 posts.
Join Date: Aug 2003
Location: Quebec, Canada
17-Sep-2009, 07:33 PM #34
We cannot preserve Autoplay but we can reset it after we're finished. All you need to do is click on the media you insert to play it.
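The AutoRun change discussed in posts #32 and #34 lives in one registry value, NoDriveTypeAutoRun, and the script below decodes it and composes the reg.exe lines to inspect or restore it. This is an added example for this thread, not ComboFix's own code and not anything posted here. The page does not show ComboFix's actual registry edits, so the script assumes the commonly described behaviour, setting the value to 0xFF (AutoRun off for every drive type) under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer. The bit assignments and the Windows XP default of 0x91 are Microsoft's documented ones; the function names are this example's own.

```python
"""Decode and compose NoDriveTypeAutoRun, the policy behind AutoRun/AutoPlay.

Added example for this thread; not code from ComboFix or Tech Support Guy.
Assumed, because the page does not show it: ComboFix sets the value to 0xFF
(AutoRun off for every drive type).  The Windows XP default of 0x91 and the
bit assignments below are Microsoft's documented ones.
"""

# Each bit disables AutoRun for one GetDriveType() class.
DRIVE_TYPE_BITS = {
    0x01: "DRIVE_UNKNOWN",
    0x02: "DRIVE_NO_ROOT_DIR",
    0x04: "DRIVE_REMOVABLE",   # floppy, USB stick, card reader
    0x08: "DRIVE_FIXED",       # internal hard disk
    0x10: "DRIVE_REMOTE",      # network share
    0x20: "DRIVE_CDROM",       # CD/DVD: the AutoPlay prompt the poster wants back
    0x40: "DRIVE_RAMDISK",
    0x80: "RESERVED",          # unknown type; set in every Windows default
}
XP_DEFAULT = 0x91   # unknown, network and reserved blocked; CD/DVD and USB AutoRun on
ALL_OFF = 0xFF      # assumed ComboFix setting: every class blocked
POLICY_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer"


def disabled_types(value):
    """Names of the drive classes whose AutoRun is blocked by `value`, lowest bit first."""
    return [name for bit, name in sorted(DRIVE_TYPE_BITS.items()) if value & bit]


def allowing_only(type_names, base=ALL_OFF):
    """Start from `base` and clear the bits for the named classes, so only those get AutoRun back."""
    by_name = {name: bit for bit, name in DRIVE_TYPE_BITS.items()}
    value = base
    for name in type_names:
        value &= ~by_name[name] & 0xFF   # keep the result an 8-bit mask
    return value


def changes(before, after):
    """(re-enabled, newly blocked) drive classes when the policy moves from `before` to `after`."""
    reenabled = [n for b, n in sorted(DRIVE_TYPE_BITS.items()) if before & b and not after & b]
    blocked = [n for b, n in sorted(DRIVE_TYPE_BITS.items()) if after & b and not before & b]
    return reenabled, blocked


def reg_add_command(value, hive_key=POLICY_KEY):
    """reg.exe line (typed at an XP cmd prompt) that writes the policy; decimal /d is unambiguous to reg.exe."""
    return f'reg add "{hive_key}" /v NoDriveTypeAutoRun /t REG_DWORD /d {value} /f'


def reg_query_command(hive_key=POLICY_KEY):
    """reg.exe line that shows the current value, to check before and after."""
    return f'reg query "{hive_key}" /v NoDriveTypeAutoRun'


if __name__ == "__main__":
    cd_only = allowing_only(["DRIVE_CDROM"])   # the poster's case: keep the disc prompt, block the rest
    print(f"0x{ALL_OFF:02X} blocks: {disabled_types(ALL_OFF)}")
    print(f"XP default 0x{XP_DEFAULT:02X} blocks: {disabled_types(XP_DEFAULT)}")
    print(f"moving 0x{ALL_OFF:02X} -> 0x{cd_only:02X} re-enables: {changes(ALL_OFF, cd_only)[0]}")
    print("check:  ", reg_query_command())
    print("restore:", reg_add_command(cd_only))
```

Run as-is, it prints the reg add line for a CD-only policy (0xDF = 223), which brings back the AutoPlay prompt for discs while USB sticks and every other class stay blocked; swapping in XP_DEFAULT returns the machine to the stock setting. Explorer reads this policy at logon, so log off and back on after changing it, and the same value name under HKCU applies per user. One assumption worth checking: ComboFix is also commonly described as mapping Autorun.inf through the IniFileMapping key so that autorun.inf files are ignored regardless of this value; that is not shown on this page, so if the prompt does not return after restoring NoDriveTypeAutoRun, look there next.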
SilverBolt
Junior Member with 20 posts.
Join Date: Jul 2009
26-Sep-2009, 02:21 PM #35
I have a couple more questions. Firstly, how would I go about resetting the Autoplay, I'd like to go ahead and know how to do that before I start fiddling with anything.

Secondly...well, this one's a little odd. My spouse is asking why we're downloading all these programs onto our computer, and seems to be a little frustrated with the having to download a new program every time we check the boards.

I know he's concerned, and I am too, since this is our only computer, and getting another computer is not an option. At all. Ever in a million years. Not just "it would be hard". It will literally be impossible. There are a lot of people that I talk to that really, truly don't understand the concept of not being able to get something they want, so I've taken to trying to explain it. It's...not easy. XD

Anyway...my spouse wants to know why all these programs. I'm sorry, I don't mean to offend anybody, but he's concerned.

~*SilverBolt
Cookiegal
Administrator with 63,642 posts.
Join Date: Aug 2003
Location: Quebec, Canada
26-Sep-2009, 05:57 PM #36
You asked for help to remove this infection and that's what I was doing. These programs are needed for that. I'm surprised that you're so concerned about them but not so much about running a computer without any anti-virus program or MS updates, thus leaving it a sitting duck in the water.
__________________
Microsoft MVP - Consumer Security
SilverBolt
Junior Member with 20 posts.
Join Date: Jul 2009
18-Oct-2009, 02:52 AM #37
I'm sorry this took me forever and a day to get back to. But my online time has decreased drastically in the last couple of weeks, and I rarely have time to work anymore, especially during the week.

I actually pointed out that it was my spouse who was concerned about it, not me. And I do apologize once again if I offended you by asking the question.

We have not had any other trouble with the computer, yet I'm fairly certain there's still something lurking in there. But unfortunately, we cannot know there is a problem until there is a problem.

I do appreciate your efforts; thank you very much!

~*SilverBolt
Cookiegal
Administrator with 63,642 posts.
Join Date: Aug 2003
Location: Quebec, Canada
18-Oct-2009, 04:09 PM #38
You're welcome and I wish you the best of luck.
SilverBolt
Junior Member with 20 posts.
Join Date: Jul 2009
25-Oct-2009, 06:25 PM #39
Whew...looks like we ARE still having problems, though not with the same thing. IE is having problems with Hotmail now. Many times the bar with "Reply" and the like won't load, no matter how long I leave it. Also, when I tried to reply to a message that it claimed was too big to open (and it shouldn't have been), IE closed. However, it was not the typical window. It looked odd. If I could have gotten a screencap of it, I would have, but I didn't think about it till after I closed the window.

I'm going to run combofix now, and see what it tells me. Those I'll try to post, along with another HijackThis log. I'm sorry if I offended anyone; I do appreciate your help, and I know you're doing this out of the goodness of your heart. Thank you all so much! I'll hope to post something soon.

~*Silverbolt
SilverBolt
Junior Member with 20 posts.
Join Date: Jul 2009
25-Oct-2009, 07:33 PM #40
Here's the ComboFix log:
------------------------------------------------------

ComboFix 09-10-25.01 - Owner 10/25/2009 16:56.1.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.1.1252.1.1033.18.247.136 [GMT -6:00]
Running from: c:\documents and settings\Owner\Desktop\Combo-Fix.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\recycler\S-1-5-21-2700397627-2277956075-1170964477-1003
c:\recycler\S-1-5-21-450399507-511736373-3662135532-500
c:\recycler\S-1-5-21-716990362-2579666946-2042503000-1003
c:\windows\Downloaded Program Files\RdxIE.dll
c:\windows\hosts
c:\windows\system32\iAlmcoin.dll
c:\windows\system32\ps2.bat
c:\windows\viassary-hp.reg
Infected copy of c:\windows\system32\qmgr.dll was found and disinfected
Restored copy from - c:\windows\$NtUninstallKB842773$\qmgr.dll
.
((((((((((((((((((((((((( Files Created from 2009-09-25 to 2009-10-25 )))))))))))))))))))))))))))))))
.
2009-10-22 12:47 . 2009-10-22 12:47 -------- d-----w- c:\documents and settings\All Users\Application Data\NetZero
2009-10-18 06:17 . 2009-10-18 06:17 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\DNA
2009-10-18 06:17 . 2009-10-18 06:22 -------- d-----w- c:\program files\DNA
2009-10-18 06:17 . 2009-10-18 06:25 -------- d-----w- c:\documents and settings\Owner\Application Data\DNA
2009-10-17 03:21 . 2009-10-22 13:46 -------- d-----w- c:\program files\NetZero
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-24 16:47 . 2009-07-22 07:03 -------- d-----w- c:\documents and settings\All Users\Application Data\PrevxCSI
2009-10-22 23:34 . 2004-12-20 21:06 -------- d-----w- c:\program files\Dictionary
2009-10-21 04:19 . 2009-03-26 00:15 -------- d-----w- c:\documents and settings\Owner\Application Data\CoreFTP
2009-10-13 08:59 . 2004-11-11 17:04 -------- d-----w- c:\program files\MUSHclient
2009-10-04 20:11 . 2009-07-22 07:04 27656 ----a-w- c:\windows\system32\drivers\pxsec.sys
2009-10-04 20:11 . 2009-07-22 07:04 22024 ----a-w- c:\windows\system32\drivers\pxscan.sys
2009-09-14 05:38 . 2007-02-05 10:36 -------- d-----w- c:\documents and settings\Owner\Application Data\uTorrent
2009-09-06 08:38 . 2003-08-23 14:12 50088 ----a-w- c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-06 22:40 . 2009-01-13 01:38 522505 ----a-w- c:\documents and settings\All Users\Application Data\phn.dat
2007-06-05 05:56 . 2006-07-20 12:36 15872 --sha-w- c:\program files\Thumbs.db
2001-07-01 22:41 . 2001-07-01 22:41 311 ----a-w- c:\program files\LEGGIMI by RADOX.txt
2004-01-07 01:34 . 2004-02-19 22:02 0 -csha-w- c:\windows\SMINST\HPCD.SYS
.
------- Sigcheck -------

[-] 2002-11-27 09:03 . 36678803A8030EE9A771935CFC1848BD . 52224 . . [9.0.1.56] . . c:\windows\system32\mspmsnsv.dll
c:\windows\system32\wscntfy.exe ... is missing !!
c:\windows\system32\xmlprov.dll ... is missing !!
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpySweeper"="c:\program files\Webroot\Spy Sweeper\SpySweeper.exe" [2005-10-27 3296256]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-12-29 185872]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" - c:\windows\system32\narrator.exe [2002-08-29 51200]
c:\documents and settings\Default User\Start Menu\Programs\Startup\
mod_sm.lnk - c:\hp\bin\cloaker.exe [1999-11-7 27136]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\OPXPGina]
2003-02-21 10:50 40960 ----a-w- c:\program files\Softex\OmniPass\OPXPGina.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0SsiEfr.e\0SsiEfr.e
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\svcWRS SSDK]
@="Service"
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
R0 pxscan;pxscan;c:\windows\system32\drivers\pxscan.sys [7/22/2009 1:04 AM 22024]
R0 SSI;SSI;c:\windows\system32\drivers\ssi.sys [7/22/2009 11:41 AM 78336]
R1 ATMhelpr;ATMhelpr;c:\windows\system32\drivers\ATMHELPR.SYS [8/26/2008 10:13 AM 4064]
R2 PPCLASS;PPCLASS;c:\windows\system32\drivers\ppclass.sys [8/24/2008 8:24 PM 85868]
R2 PPSCAN;PPSCAN;c:\windows\system32\drivers\ppscan.sys [8/24/2008 8:24 PM 120544]
S0 pxsec;pxsec;c:\windows\system32\drivers\pxsec.sys [7/22/2009 1:04 AM 27656]
S2 CSIScanner;CSIScanner;c:\program files\Prevx\prevx.exe [7/22/2009 1:04 AM 4368952]
S2 mrtRate;mrtRate; [x]
S2 wwEngineSvc;Window Washer Engine;c:\program files\Webroot\Washer\WasherSvc.exe [8/24/2008 8:16 PM 598856]
--- Other Services/Drivers In Memory ---
*NewlyCreated* - ALG
*NewlyCreated* - IPNAT
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uDefault_Search_URL = hxxp://srch-us9.hpwis.com/
mStart Page = hxxp://us9.hpwis.com/
mSearch Bar = hxxp://srch-us9.hpwis.com/
uInternet Connection Wizard,ShellNext = hxxp://my.netzero.net/s/sp?r=al&cf=sp&mem=kumorikiki&login=cc563de9b9fa9632f563083857072e7d/kumorikiki:netzero.net/1219629547/30/sss.5.30383/&ts=48b211eb&A=0&B=1157698800000&C=1157698800000&D=1088406000000&I=8.NQ4&N= PL&O=A&UT=companion
uInternet Settings,ProxyOverride = localhost
uSearchURL,(Default) = hxxp://my.netzero.net/s/search?r=minisearch
IE: Display All Images with Full Quality - "c:\program files\NetZero\qsacc\appres.dll/228"
IE: Display Image with Full Quality - "c:\program files\NetZero\qsacc\appres.dll/227"
Name-Space Handler: ftp\GetRightIEClickCatcher - {73BA8F12-723E-11D1-A9E2-00403320FCF2} - c:\progra~1\GetRight\xx2gr.dll
Name-Space Handler: http\GetRightIEClickCatcher - {73BA8F12-723E-11D1-A9E2-00403320FCF2} - c:\progra~1\GetRight\xx2gr.dll
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.
- - - - ORPHANS REMOVED - - - -
AddRemove-HijackThis - c:\documents and settings\Owner\My Documents\HiJackThis\HijackThis.exe

**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-25 17:12
Windows 5.1.2600 Service Pack 1 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(464)
c:\windows\System32\ODBC32.dll
c:\program files\Softex\OmniPass\opxpgina.dll
c:\windows\system32\WRLogonNTF.dll
- - - - - - - > 'lsass.exe'(520)
c:\windows\System32\dssenh.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Webroot\Spy Sweeper\WRSSSDK.exe
c:\combo-fix\CF14025.exe
c:\combo-fix\PEV.cfxxe
.
**************************************************************************
.
Completion time: 2009-10-25 17:20 - machine was rebooted
ComboFix-quarantined-files.txt 2009-10-25 23:19
Pre-Run: 2,663,686,144 bytes free
Post-Run: 2,644,774,912 bytes free
- - End Of File - - A3B0D2CDAC0156B29CDD45678300DEBD

------------------------------------------------------
And here's the HijackThis Log:
------------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:23:04 PM, on 10/25/2009
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Prevx\prevx.exe
C:\Program Files\Prevx\prevx.exe
C:\Documents and Settings\Owner\My Documents\compstuff\HiJackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us9.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us9.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://us9.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://my.netzero.net/s/search?r=minisearch
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://my.netzero.net/s/sp?r=al&cf=s...A&UT=companion
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: URLSearchHook Class - {37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - C:\Program Files\NetZero\SearchEnh1.dll
O2 - BHO: Pop-up Blocker - {52706EF7-D7A2-49AD-A615-E903858CF284} - C:\Program Files\NetZero\qsacc\X1IEBHO.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: ZeroBar - {F0F8ECBE-D460-4B34-B007-56A92E8F84A7} - C:\Program Files\NetZero\Toolbar.dll
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - .DEFAULT User Startup: mod_sm.lnk = C:\hp\bin\cloaker.exe (User 'Default user')
O8 - Extra context menu item: Display All Images with Full Quality - "res://C:\Program Files\NetZero\qsacc\appres.dll/228"
O8 - Extra context menu item: Display Image with Full Quality - "res://C:\Program Files\NetZero\qsacc\appres.dll/227"
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O23 - Service: CSIScanner - Prevx - C:\Program Files\Prevx\prevx.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Softex OmniPass Service (omniserv) - Unknown owner - C:\Program Files\Softex\OmniPass\Omniserv.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Window Washer Engine (wwEngineSvc) - Webroot Software, Inc. - C:\Program Files\Webroot\Washer\WasherSvc.exe
--
End of file - 3827 bytes

------------------------------------------------------

See anything weird?

~*Silverbolt
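The ComboFix log in the post above carries most of the posture findings that drive the advice in the next reply, but they are spread across several sections: both Security Center overrides are set to 1, the Windows Firewall standard profile has EnableFirewall at 0, the catchme banner shows Service Pack 1, Sigcheck reports wscntfy.exe and xmlprov.dll missing, qmgr.dll was found infected and replaced, and BootExecute carries an entry beyond the stock "autocheck autochk *". The script below is an added example, not a ComboFix or Tech Support Guy tool and not from anyone in this thread; it parses those sections and returns the findings as (severity, tag, detail) tuples. SAMPLE_LOG is a constructed excerpt built from lines of the posted log, the section and value names are ComboFix's own as they appear there, and the severity labels are this example's judgement rather than anything ComboFix emits.

```python
"""Triage a ComboFix log for the posture findings a helper acts on first.

Added example for this thread, not a ComboFix or Tech Support Guy tool.  The
SAMPLE_LOG excerpt is constructed from lines of the log posted above; the
severity labels are this script's own judgement, not ComboFix output.
"""
import re

SAMPLE_LOG = r"""
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
c:\windows\hosts
c:\windows\system32\ps2.bat
Infected copy of c:\windows\system32\qmgr.dll was found and disinfected
((((((((((((((((((((((((( Files Created from 2009-09-25 to 2009-10-25 )))))))))))))))))))))))))))))))
------- Sigcheck -------
c:\windows\system32\wscntfy.exe ... is missing !!
c:\windows\system32\xmlprov.dll ... is missing !!
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpySweeper"="c:\program files\Webroot\Spy Sweeper\SpySweeper.exe" [2005-10-27 3296256]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0SsiEfr.e\0SsiEfr.e
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
Windows 5.1.2600 Service Pack 1 NTFS
"""

BANNER_RE = re.compile(r"^\(+\s*(.+?)\s*\)+$")                 # "((( Other Deletions )))"
SECTION_RE = re.compile(r"^\[(.+)\]$")                           # registry key header
NUMERIC_RE = re.compile(r'^"([^"]+)"\s*=\s*(?:dword:)?([0-9A-Fa-f]+)')  # dword:0000001 or "= 0 (0x0)"
MISSING_RE = re.compile(r"^(\S.*?) \.\.\. is missing !!$")
INFECTED_RE = re.compile(r"^Infected copy of (.+?) was found and disinfected$")
BOOTEXEC_RE = re.compile(r"^BootExecute REG_MULTI_SZ (.+)$")
SP_RE = re.compile(r"^Windows (\d+)\.(\d+)\.\d+ Service Pack (\d+)")
PATH_RE = re.compile(r"^[A-Za-z]:\\")
SECURITY_CENTER = r"hkey_local_machine\software\microsoft\security center"
FIREWALL_STD = r"hklm\~\services\sharedaccess\parameters\firewallpolicy\standardprofile"
DEFAULT_BOOTEXEC = "autocheck autochk *"


def triage(log_text):
    """Return (severity, tag, detail) findings extracted from ComboFix log text."""
    found, reg, section, banner = [], {}, None, None
    for line in (l.strip() for l in log_text.splitlines()):
        if not line or line == ".":
            continue
        if m := BANNER_RE.match(line):
            banner = m.group(1).lower()
        elif m := SECTION_RE.match(line):
            section = m.group(1).lower()
            reg.setdefault(section, {})
        elif (m := NUMERIC_RE.match(line)) and section:
            reg[section][m.group(1)] = int(m.group(2), 16)   # string values like the Run entry are skipped
        elif m := MISSING_RE.match(line):
            found.append(("high", "missing-system-file", f"{m.group(1)} is missing; restore a signed original"))
        elif m := INFECTED_RE.match(line):
            found.append(("high", "patched-system-file", f"{m.group(1)} was infected and replaced from a backup"))
        elif m := BOOTEXEC_RE.match(line):
            # ComboFix prints REG_MULTI_SZ entries separated by a literal \0; anything past autochk runs before logon
            for extra in sorted(set(m.group(1).split(r"\0")) - {DEFAULT_BOOTEXEC}):
                found.append(("medium", "bootexecute", f"non-default BootExecute entry {extra!r}; identify its owner"))
        elif m := SP_RE.match(line):
            major, minor, sp = map(int, m.groups())
            if (major, minor) == (5, 1) and sp < 3:
                found.append(("high", "patch-level", f"Windows XP at Service Pack {sp}; SP3 and later critical updates are missing"))
        elif banner == "other deletions" and PATH_RE.match(line):
            found.append(("info", "deleted", f"ComboFix removed {line}"))
    sc = reg.get(SECURITY_CENTER, {})
    for name in ("AntiVirusOverride", "FirewallOverride"):
        if sc.get(name) == 1:
            found.append(("high", "security-center", f"{name}=1 suppresses the Security Center warning for that component"))
    fw = reg.get(FIREWALL_STD, {})
    if fw.get("EnableFirewall") == 0:
        found.append(("high", "firewall", "Windows Firewall is off in the standard profile"))
    if fw.get("DisableNotifications") == 1:
        found.append(("medium", "firewall", "firewall block notifications are disabled"))
    return found


def summary(findings):
    """Count findings per severity, e.g. {'high': 7, 'medium': 2, 'info': 2} for SAMPLE_LOG."""
    counts = {}
    for sev, _, _ in findings:
        counts[sev] = counts.get(sev, 0) + 1
    return counts


if __name__ == "__main__":
    for sev, tag, detail in triage(SAMPLE_LOG):
        print(f"[{sev:6}] {tag:20} {detail}")
    print(summary(triage(SAMPLE_LOG)))
```

Run against the excerpt it reports seven high findings (two missing system files, the replaced qmgr.dll, the SP1 patch level, both Security Center overrides and the disabled firewall), two medium (the extra BootExecute entry and suppressed firewall notifications) and two informational deletions. The overrides and the firewall values are the ones worth reading first: with AntiVirusOverride and FirewallOverride set, Security Center stays silent about a machine that has neither, which matches the "sitting duck" remark earlier in the thread. The script deliberately does not call the BootExecute entry malicious; the same log shows an ssi.sys driver installed alongside the Prevx drivers, so the entry needs its owner identified rather than assumed.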
Cookiegal
Administrator with 63,642 posts.
Join Date: Aug 2003
Location: Quebec, Canada
26-Oct-2009, 07:24 PM #41
The best thing to do would be to reformat the machine and start fresh. Be sure to back up anything important first and then go directly to MS to get SP3 and then ALL critical updates immediately. Then install a good anti-virus and firewall program.

Be sure to change all of your passwords as well.
__________________
Microsoft MVP - Consumer Security
SilverBolt
Junior Member with 20 posts.
Join Date: Jul 2009
03-Nov-2009, 02:29 AM #42
Oh no...I was hoping it wouldn't come to that. Is the problem that bad? You can tell from the logs I posted that it's completely and totally beyond all hope? I can't really do that because 1) I don't know how, 2) I have no other way to access the Internet except this computer, and 3) if I screw it up, I am completely and utterly screwed, because I do not have another computer.

*sigh* Oh well...I guess I'll use this one till it explodes. Since Prevx caught all that weird stuff, I haven't really had any other extremely bad problems with the machine other than the problems I've had with every PC I've ever owned. Thanks so much for all your help!

~*SilverBolt
Cookiegal
Administrator with 63,642 posts.
Join Date: Aug 2003
Location: Quebec, Canada
04-Nov-2009, 07:45 PM #43
Yes, you really should reformat and start fresh.
Tags
cmd.exe, ftp.exe, lag, task manager

Copyright © 1996 - 2009 TechGuy, Inc. All rights reserved.