Files removed in registry except Default. Mbam will not run. It will open but when run is selected the program closes. Internet access is still blocked and redirected. The fake antivirus loads and runs displaying its false results. "warnings" still appearing in task bar. Document folder still "empty".

Next idea?

Reg

P.S. Malwarebytes is now running. Had to do an end run. Updated as well.

Malwarebytes found 25 infections and clean. On restart I can make it to the Internet but am still being redirect most of the time. It took three tries to make it here with redirect through pebble.com.

Explorer favorites is still empty and so is the document folder. I saw pictures and documents being scanned yesterday so where are they?

I have uploaded the GMER and two Mbam files. Somehow I created two.

Let me know what is next since the reply to my question stated to upload or the virus would return. Also to the admin person this thread has not been resolved. I'll post when it is. Thanks,

Reg

For some reason the GMER didn't will not upload. The error message say invalid file. So here is a copy and paste:

GMER 1.0.15.15530 - http://www.gmer.net
Rootkit scan 2011-05-14 07:39:21
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 WDC_WD1600JB-00REA0 rev.20.00K20
Running: 48k7ihsc.exe; Driver: C:\DOCUME~1\Owner\LOCALS~1\Temp\pwxdyaob.sys

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 snapman.sys (Acronis Snapshot API/Acronis)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 timntr.sys (Acronis True Image Backup Archive Explorer/Acronis)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 snapman.sys (Acronis Snapshot API/Acronis)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 timntr.sys (Acronis True Image Backup Archive Explorer/Acronis)

---- Threads - GMER 1.0.15 ----

Thread System [4:196] 8A320E7A
Thread System [4:200] 8A323008

---- Files - GMER 1.0.15 ----

File C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\RG94XERR\red_shield[1] 3508 bytes
File C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\VEHU5ADQ\background_gradient_red[1] 868 bytes
File C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\VEHU5ADQ\green_shield[1] 3501 bytes
File C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\VEHU5ADQ\red_shield_48[1] 7005 bytes

---- EOF - GMER 1.0.15 ----

One of the infections was a Spyware.Password.Xgen. Should I be concerned about changing my various passwords?

The completed DDS (unzipped) is attached. Hijackthis would upload so I copied and pasted. sorry for the mess.

I have not accessed any password protected site once the issue began. Should I still change all passwords?And how do I make the documents and IE favorites reappear without loading externally?

Thanks for all of your help.

Reg

Hijackthis:

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 7:42:18 PM, on 5/15/2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Common Files\Apple\Mobile Device

Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\NCH Software\BroadCam\broadcam.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\lxcjcoms.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Softex\OmniPass\Omniserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\Wacom_Tablet.exe
C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\System32\WTablet\Wacom_TabletUser.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\WINDOWS\System32\Wacom_Tablet.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\System32\spool\drivers\w32x86\3\WrtMon.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Lexmark 8300 Series\lxcjmon.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\WrtProc.exe
C:\Program Files\Lexmark 8300 Series\ezprint.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\interMute\SpamSubtract\SpamSubtract.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe
C:\Program Files\Java\jre6\bin\jucheck.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet

Settings,ProxyOverride = localhost;*.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-

0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2

\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-

7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn2

\yt.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-

FA578C2EBDC3} - C:\Program Files\Common

Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-

D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-

8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft

Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-

BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-

86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn2

\YTSingleInstance.dll
O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-

05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-

0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2

\yt.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [WrtMon.exe] C:\WINDOWS\System32

\spool\drivers\w32x86\3\WrtMon.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE

C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1

\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32

\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [LXCJCATS] rundll32 C:\WINDOWS\System32

\spool\DRIVERS\W32X86\3\LXCJtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [lxcjmon.exe] "C:\Program Files\Lexmark 8300

Series\lxcjmon.exe"
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 8300

Series\ezprint.exe"
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common

Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common

Files\Apple\Mobile Device Support\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program

Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common

Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program

Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program

Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32

\dumprep 0 -k
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program

Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: spamsubtract.lnk = C:\Program

Files\interMute\SpamSubtract\SpamSubtract.exe
O8 - Extra context menu item: &ieSpell Options -

res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: Check &Spelling - res://C:\Program

Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: E&xport to Microsoft Excel -

res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Lookup on Merriam Webster -

file://C:\Program Files\ieSpell\Merriam Webster.HTM
O8 - Extra context menu item: Lookup on Wikipedia -

file://C:\Program Files\ieSpell\wikipedia.HTM
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-

00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-

11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6

\bin\jp2iexp.dll
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-

CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6

-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-

ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-

4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-

5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-

4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12

\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-

3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-

f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-

d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network

Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-

00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110

-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows

Genuine Advantage Validation Tool) -

http://go.microsoft.com/fwlink/?linkid=39204
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis

- C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program

Files\Common Files\Apple\Mobile Device

Support\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program

Files\Bonjour\mDNSResponder.exe
O23 - Service: BroadCam Video Streaming Server (BroadCamService)

- Unknown owner - C:\Program Files\NCH

Software\BroadCam\broadcam.exe
O23 - Service: InstallDriver Table Manager (IDriverT) -

Macrovision Corporation - C:\Program Files\Common

Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program

Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service

(LightScribeService) - Hewlett-Packard Company - C:\Program

Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: lxcj_device - - C:\WINDOWS\system32

\lxcjcoms.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA

Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Softex OmniPass Service (omniserv) - Unknown

owner - C:\Program Files\Softex\OmniPass\Omniserv.exe
O23 - Service: TabletServiceWacom - Wacom Technology, Corp. -

C:\WINDOWS\System32\Wacom_Tablet.exe
O23 - Service: TomTomHOMEService - TomTom - C:\Program

Files\TomTom HOME 2\TomTomHOMEService.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation

- C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. -

C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

--
End of file - 9049 bytes

HJT log? Isn't that what I pasted? Also re passwords I could never go anywhere but the fake Microsoft 2011 site. Their doing.

You must have added the HJT log after I made my previous post. The HJT log is a real mess, quite a few incomplete registry entries.
[/url]

That is why I apologized for the mess. Again thanks.

Do you think I can get the documents to reappear or should I just reload? I know they are there I watched them being scanned.

Seems to me hiding them was part of the virus's scare tactics to get one to buy.

I'll setting up and scanning with AVG. The BitDefender is out of date.

Reg

I downloaded the AVG and did full scan. Eleven items found. Four removed 7 not. I clicked on removed unhealed items. Screen just blinks so I don't know if they were removed without doing another scan. On a positive note the never ending talk show is gone.

Changing passwords but like I said I never could go anywhere but the virus's site once infected.

Explorer favorites still empty as well as document folder. Fortunately documents and pictures are on a thumb drive.

Would restoring computer to an earlier now date help? I restored while infected but things were still missing.

Reg

Taking short cut to bleepingcomputers I received:

404 ERROR: Page Not Found!

The requested page http://www.bleepingcomputer.comwww.bleepingcomputer.com/down...virus/combofix could not be found on this server.

Trying to find it by various searchs kept getting redirected. With no protection I didn't want to continue wandering about the Internet, especially to unrequested sites.

I downloaded the TDSS killer. It downloaded but will not run. When I clicked on RUN the program closes. I had a similar issue with Mbam.

I guess we are done. If there is nothing else I will be reinstalling AVG.

Reg

Found, installed and ran Combofix. Will attach results. Got TDSS killer to run. 212 files scanned nothing found.

Where are the documents and pictures???

Thanks for all of the help. I do appreciate it.

Reg

It was mentioned that the restore drive may be affected. Have I lost the ability to safely restore the computer?