Infected with W32/Bagle.dv.dr

Karol
2008-02-26, 00:45
Hi, I am new to this forum and I am looking for some help. Some time ago I was infected with W32/Bagle.dv.dr. I know this is the exact virus because it asked me to "select a file to crack" when I downloaded a game from eMule. I rebooted and saw wintems.exe running in Task Manager; I also saw hldrrr.exe, but only once. My AVG, Spybot S&D, and CCleaner don't work. Will removing this infection be difficult, since I am not a security expert?

I can't provide a HJT log since I get a message that it is not a valid Win32 application; probably the virus blocked it or deleted it. Thanks in advance.

PC SPECS:
AMD 3700
8800GTS 512
K8N4-E
2 GB RAM
111 GB HD
Windows Xp Home Edition

Here is the virus description by McAfee: http://vil.nai.com/vil/content/v_138585.htm



Here is my Kaspersky log:
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Monday, February 25, 2008 6:41:36 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 25/02/2008
Kaspersky Anti-Virus database records: 580494
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\

Scan Statistics:
Total number of scanned objects: 124009
Number of viruses found: 4
Number of infected objects: 9
Number of suspicious objects: 0
Duration of the scan process: 02:49:05

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\AOL\ACS\1.0\ph Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AOL\ACS\1.0\variable Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AOL\C_America Online 9.0\idb\kalendariusz\MyDB.idx Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AOL\C_America Online 9.0\idb\kalendariusz\toolbar.lst Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AOL\C_America Online 9.0\idb\SNMaster.idx Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AOL\C_America Online 9.0\organize\CACHE\kalendariu00 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AOL\C_America Online 9.0\organize\kalendariusz Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AOL\C_America Online 9.0\organize\kalendariusz.abi Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AOL\C_America Online 9.0\organize\kalendariusz.aby Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AOL\TopSpeed\2.0\aolstderr.txt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AOL\TopSpeed\2.0\aolstdout.txt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AOL\TopSpeed\2.0\aoltsmon.lock Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AOL\TopSpeed\2.0\cache.db Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AOL\TopSpeed\2.0\server.lock Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\user\Application Data\AOL\C_America Online 9.0\IDB\Apps.Lst Object is locked skipped
C:\Documents and Settings\user\Application Data\AOL\C_America Online 9.0\IDB\art.idx Object is locked skipped
C:\Documents and Settings\user\Application Data\AOL\C_America Online 9.0\IDB\sap.dat Object is locked skipped
C:\Documents and Settings\user\Application Data\AOL\C_America Online 9.0\IDB\spool.lst Object is locked skipped
C:\Documents and Settings\user\Application Data\AOL\C_America Online 9.0\IDB\sysnews.lst Object is locked skipped
C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\xm5y9kj0.Default User\cert8.db Object is locked skipped
C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\xm5y9kj0.Default User\formhistory.dat Object is locked skipped
C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\xm5y9kj0.Default User\history.dat Object is locked skipped
C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\xm5y9kj0.Default User\key3.db Object is locked skipped
C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\xm5y9kj0.Default User\parent.lock Object is locked skipped
C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\xm5y9kj0.Default User\search.sqlite Object is locked skipped
C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\xm5y9kj0.Default User\urlclassifier2.sqlite Object is locked skipped
C:\Documents and Settings\user\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\user\KHALMNPR.EXE Infected: Trojan-Downloader.Win32.Bagle.jv skipped
C:\Documents and Settings\user\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\user\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\user\Local Settings\Application Data\Mozilla\Firefox\Profiles\xm5y9kj0.Default User\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\user\Local Settings\Application Data\Mozilla\Firefox\Profiles\xm5y9kj0.Default User\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\user\Local Settings\Application Data\Mozilla\Firefox\Profiles\xm5y9kj0.Default User\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\user\Local Settings\Application Data\Mozilla\Firefox\Profiles\xm5y9kj0.Default User\Cache\_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\user\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\4TGS27IR\b64_1[1].jpg Infected: Trojan-PSW.Win32.Agent.xd skipped
C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\4TGS27IR\b64_1[2].jpg Infected: Trojan-PSW.Win32.Agent.xd skipped
C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\LC1VL64E\b64_1[1].jpg Infected: Trojan-PSW.Win32.Agent.xd skipped
C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\OTUQAG0Q\b64_31[1].jpg Infected: Email-Worm.Win32.Bagle.of skipped
C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\OTUQAG0Q\b64_31[2].jpg Infected: Email-Worm.Win32.Bagle.of skipped
C:\Documents and Settings\user\ntuser.dat Object is locked skipped
C:\Documents and Settings\user\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Logitech\Video\LogiTray.exe Infected: Trojan-Downloader.Win32.Bagle.jv skipped
C:\Program Files\Windows Media Player\projy.html Infected: Trojan-Clicker.HTML.IFrame.dn skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\WINDOWS\$hf_mig$\KB890859\SP2QFE\ntkrnlpa.exe Object is locked skipped
C:\WINDOWS\$hf_mig$\KB929338\SP2QFE\ntkrnlpa.exe Object is locked skipped
C:\WINDOWS\$hf_mig$\KB931784\SP2QFE\ntkrnlpa.exe Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Driver Cache\i386\ntkrnlpa.exe Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\ACEEvent.evt Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\mdelk.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped

Scan process completed.

Karol
2008-02-27, 01:33
OK, I looked over the results and the threats are:

1)C:\Documents and Settings\user\KHALMNPR.EXE
Infected: Trojan-Downloader.Win32.Bagle.jv

2)C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\4TGS27IR\b64_1[1].jpg
Infected: Trojan-PSW.Win32.Agent.xd

3)C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\4TGS27IR\b64_1[2].jpg
Infected: Trojan-PSW.Win32.Agent.xd

4)C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\LC1VL64E\b64_1[1].jpg
Infected: Trojan-PSW.Win32.Agent.xd

5)C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\OTUQAG0Q\b64_31[1].jpg
Infected: Email-Worm.Win32.Bagle.of

6)C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\OTUQAG0Q\b64_31[2].jpg
Infected: Email-Worm.Win32.Bagle.of

7)C:\Program Files\Logitech\Video\LogiTray.exe
Infected: Trojan-Downloader.Win32.Bagle.jv

8)C:\Program Files\Windows Media Player\projy.html
Infected: Trojan-Clicker.HTML.IFrame.dn

9)C:\WINDOWS\system32\mdelk.exe
Infected: Email-Worm.Win32.Bagle.of

I saw some infections in the Temporary Internet Files folder, so I got rid of everything in it. I also got rid of the infection in Windows Media Player, but I don't know if I should delete the rest; I need advice and guidance.

random/random
2008-02-29, 21:19
We should be able to remove the infection without too much trouble:

Download Combofix from any of the links below. You must rename it before saving it. Save it to your desktop.

Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)
Link 3 (http://subs.geekstogo.com/ComboFix.exe)

--------------------------------------------------------------------

Double click on Combo-Fix.exe & follow the prompts.
When finished, it will produce a report for you.
Please post the C:\ComboFix.txt so we can continue cleaning the system.

Note:
Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Karol
2008-03-01, 02:48
The problem is that ComboFix doesn't work: I get a blue window and a white pulsing line. I tried in safe mode, but I can't get into safe mode because it says that my PC stopped responding.

random/random
2008-03-01, 11:29
Unfortunately, this infection breaks safe mode. We'll fix it after we've removed the active infection.

Let's see if we can get a logfile from your PC:


Download Autoruns from here (http://download.sysinternals.com/Files/Autoruns.zip)
Unzip/extract it to a folder on your desktop
Double click on autoruns.exe to start Autoruns
Wait for it to finish scanning
Under Options make sure the following options are selected:

Verify Code Signatures
Hide Signed Microsoft Entries

Click File > Refresh
Click File > Save As
Save it to the desktop as autoruns.txt
Post the contents of autoruns.txt as a reply to this topic

Karol
2008-03-01, 20:19
Here it is.

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
+ AVG7_CC File not found: C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
+ LogitechGalleryRepair Logitech QuickCam Startup Application (Not verified) Labtec Inc. c:\program files\logitech\video\isstart.exe
+ LogitechVideoTray File not found: C:\Program Files\Logitech\Video\LogiTray.exe
+ nwiz NVIDIA nView Wizard, Version 111.32 (Not verified) NVIDIA Corporation c:\windows\system32\nwiz.exe
+ QuickTime Task QuickTime Task (Not verified) Apple Inc. c:\program files\quicktime\qttask.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
+ ReEXEc Utilidad AntiVirus (Not verified) Satinfo S.L. c:\documents and settings\user\desktop\elibagla.09032008.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup
+ Logitech SetPoint.lnk Logitech SetPoint Event Manager (UNICODE) (Verified) Logitech c:\program files\logitech\setpoint\setpoint.exe
C:\Documents and Settings\user\Start Menu\Programs\Startup
+ PowerReg SchedulerV2.exe PRegScheduler MFC Application c:\documents and settings\user\start menu\programs\startup\powerreg schedulerv2.exe
+ Webshots.lnk c:\program files\webshots\launcher.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
+ NBJ Nero BackItUp Scheduler Application (Not verified) Ahead Software AG c:\program files\ahead\nero backitup\nbj.exe
+ SpybotSD TeaTimer System settings protector (Verified) Safer Networking Ltd. c:\program files\spybot - search & destroy\teatimer.exe
HKLM\SOFTWARE\Classes\Protocols\Handler
+ skype4com Skype for COM API (Verified) Skype Technologies SA c:\program files\common files\skype\skype4com.dll
HKCU\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components
+ 0 File not found: About:Home
HKLM\Software\Classes\*\ShellEx\ContextMenuHandlers
+ AVG7 Shell Extension File not found: C:\Program Files\Grisoft\AVG7\avgse.dll
+ VIDEOTRANS AmvTransform Module c:\program files\mp3 player utilities 3.68\amvtools\amvtransform.dll
HKLM\Software\Classes\Folder\ShellEx\ContextMenuHandlers
+ AVG7 Shell Extension File not found: C:\Program Files\Grisoft\AVG7\avgse.dll
HKLM\Software\Classes\Directory\Background\ShellEx\ContextMenuHandlers
+ 00nView NVIDIA Desktop Explorer, Version 111.32 (Not verified) NVIDIA Corporation c:\windows\system32\nvshell.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
+ AVG7 Find Extension File not found: C:\Program Files\Grisoft\AVG7\avgse.dll
+ AVG7 Shell Extension File not found: C:\Program Files\Grisoft\AVG7\avgse.dll
+ Desktop Explorer NVIDIA Desktop Explorer, Version 111.32 (Not verified) NVIDIA Corporation c:\windows\system32\nvshell.dll
+ Desktop Explorer Menu NVIDIA Desktop Explorer, Version 111.32 (Not verified) NVIDIA Corporation c:\windows\system32\nvshell.dll
+ Display Panning CPL Extension File not found: deskpan.dll
+ Logitech Setpoint Extension Logitech SetPoint Event Manager (Verified) Logitech c:\program files\logitech\setpoint\kbcplext.dll
+ Logitech Setpoint Extension Logitech SetPoint Event Manager (Verified) Logitech c:\program files\logitech\setpoint\mcplext.dll
+ My Logitech Pictures Logitech Namespace2 (Not verified) Labtec Inc. c:\program files\logitech\video\namespc2.dll
+ nView Desktop Context Menu NVIDIA Desktop Explorer, Version 111.32 (Not verified) NVIDIA Corporation c:\windows\system32\nvshell.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
+ AcroIEHlprObj Class AcroIEHelper Module (Verified) Adobe Systems, Incorporated c:\program files\adobe\acrobat 5.0\reader\activex\acroiehelper.ocx
+ AOL Toolbar Launcher AOL IE Toolbar Dynamic Link Library (Not verified) America Online, Inc. c:\program files\aol\aol toolbar 3.0\aoltb.dll
+ Spybot-S&D IE Protection SBSD IE Protection (Verified) Safer Networking Ltd. c:\program files\spybot - search & destroy\sdhelper.dll
HKCU\Software\Microsoft\Internet Explorer\UrlSearchHooks
+ AOL Search AOL IE Toolbar Dynamic Link Library (Not verified) America Online, Inc. c:\program files\aol\aol toolbar 3.0\aoltb.dll
HKLM\Software\Microsoft\Internet Explorer\Toolbar
+ AOL Toolbar AOL IE Toolbar Dynamic Link Library (Not verified) America Online, Inc. c:\program files\aol\aol toolbar 3.0\aoltb.dll
Task Scheduler
+ SmartDefrag.job (Verified) IObit.com c:\program files\iobit\iobit smartdefrag\schedule.exe
HKLM\System\CurrentControlSet\Services
+ AOL ACS AOL Connectivity Service (Verified) AOL LLC c:\program files\common files\aol\acs\aolacsd.exe
+ AOL TopSpeedMonitor AOL TopSpeed(TM) Monitor (Verified) America Online, Inc. c:\program files\common files\aol\topspeed\2.0\aoltsmon.exe
+ AVGEMS File not found: C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
+ PnkBstrA PunkBuster Service Component [v1029] http://www.evenbalance.com (Verified) Even Balance, Inc. c:\windows\system32\pnkbstra.exe
HKLM\System\CurrentControlSet\Services
+ ASCTRM TR Manager (Not verified) Windows (R) 2000 DDK provider c:\windows\system32\drivers\asctrm.sys
+ ATI Remote Wonder II File not found: system32\drivers\ATIRWVD.SYS
+ AvgClean File not found: C:\WINDOWS\System32\Drivers\avgclean.sys
+ Changer File not found: C:\WINDOWS\System32\Drivers\Changer.sys
+ cusbohcn File not found: C:\DOCUME~1\user\LOCALS~1\Temp\cusbohcn.sys
+ CxLPT ECP Parallel Port DMA Driver (Not verified) Logitech Inc. c:\windows\system32\drivers\cxlpt.sys
+ CxUSB Video Camera Driver (Not verified) Logitech Inc. c:\windows\system32\drivers\cxusb.sys
+ ENTECH (Not verified) EnTech Taiwan c:\windows\system32\drivers\entech.sys
+ i2omgmt File not found: C:\WINDOWS\System32\Drivers\i2omgmt.sys
+ IKFileSec File Security Device Driver (Verified) PC Tools c:\windows\system32\drivers\ikfilesec.sys
+ IKSysFlt System Filter Device Driver (Verified) PC Tools c:\windows\system32\drivers\iksysflt.sys
+ IntelC51 Driver executs DSP proccessing (Not verified) Intel Corporation c:\windows\system32\drivers\intelc51.sys
+ IntelC52 Intel V.92 Modem (Not verified) Intel Corporation c:\windows\system32\drivers\intelc52.sys
+ IntelC53 Driver executs AFE proccessing (Not verified) Intel Corporation c:\windows\system32\drivers\intelc53.sys
+ IPFilter File not found: system32\DRIVERS\IPFilter.sys
+ lbrtfdc File not found: C:\WINDOWS\System32\Drivers\lbrtfdc.sys
+ MTsensor ATK0110 ACPI Utility c:\windows\system32\drivers\asacpi.sys
+ nvnetbus NVIDIA Networking Bus Driver. (Not verified) NVIDIA Corporation c:\windows\system32\drivers\nvnetbus.sys
+ PCIDump File not found: C:\WINDOWS\System32\Drivers\PCIDump.sys
+ PDCOMP File not found: C:\WINDOWS\System32\Drivers\PDCOMP.sys
+ PDFRAME File not found: C:\WINDOWS\System32\Drivers\PDFRAME.sys
+ PDRELI File not found: C:\WINDOWS\System32\Drivers\PDRELI.sys
+ PDRFRAME File not found: C:\WINDOWS\System32\Drivers\PDRFRAME.sys
+ prodrv06 StarForce Protection Environment Driver (Not verified) Protection Technology c:\windows\system32\drivers\prodrv06.sys
+ prohlp02 StarForce Protection Helper Driver (Not verified) Protection Technology c:\windows\system32\drivers\prohlp02.sys
+ prosync1 StarForce Protection Synchronization Driver (Not verified) Protection Technology c:\windows\system32\drivers\prosync1.sys
+ SANDRA File not found: C:\Program Files\SiSoftware\SiSoftware Sandra Lite XI\Sandra.sys
+ sfdrv01 StarForce Protection Environment Driver (Not verified) Protection Technology c:\windows\system32\drivers\sfdrv01.sys
+ sfhlp01 StarForce Protection Helper Driver (Not verified) Protection Technology c:\windows\system32\drivers\sfhlp01.sys
+ sfhlp02 StarForce Protection Helper Driver (Not verified) Protection Technology c:\windows\system32\drivers\sfhlp02.sys
+ sfvfs02 StarForce Protection VFS Driver (Not verified) Protection Technology c:\windows\system32\drivers\sfvfs02.sys
+ srosa c:\windows\system32\drivers\srosa.sys
+ STEAMDVR File not found: C:\Program Files\Valve\Steam\bin\x86\SteamDvr.sys
+ szkg File not found: system32\DRIVERS\szkg.sys
+ WDICA File not found: C:\WINDOWS\System32\Drivers\WDICA.sys
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
+ LBTWlgn Logitech Bluetooth Service (Verified) Logitech c:\program files\common files\logishrd\bluetooth\lbtwlgn.dll
HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors
+ Lexmark Print-2-Fax Port Print Monitor (Win2k/WinXP) c:\windows\system32\lxf3pmon.dll
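The Autoruns instructions above (Verify Code Signatures, Hide Signed Microsoft Entries) produce a long export like the one Karol posted, and most of it is noise: stale "File not found" entries from the uninstalled AVG, signed vendor components, and so on. The script below is an added example, not part of the thread or of Autoruns, that turns that export into a short triage list. The sample lines are a subset of the posted log, copied in the same collapsed one-line format; the status categories and the two heuristic rules (code loading with no publisher and no signature result, or from a user profile or temp path) are the example's own assumptions, and they only pick candidates for a manual check, not verdicts.

```python
import re
from collections import Counter

# Constructed sample: a subset of the Autoruns text export posted in this
# thread, in the same one-line-per-entry format (section header lines, then
# "+ " entries). A real export is tab-separated; this is the collapsed form.
SAMPLE_LOG = r"""
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
+ AVG7_CC File not found: C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
+ LogitechVideoTray File not found: C:\Program Files\Logitech\Video\LogiTray.exe
+ nwiz NVIDIA nView Wizard, Version 111.32 (Not verified) NVIDIA Corporation c:\windows\system32\nwiz.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup
+ Logitech SetPoint.lnk Logitech SetPoint Event Manager (UNICODE) (Verified) Logitech c:\program files\logitech\setpoint\setpoint.exe
HKCU\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components
+ 0 File not found: About:Home
HKLM\System\CurrentControlSet\Services
+ IKFileSec File Security Device Driver (Verified) PC Tools c:\windows\system32\drivers\ikfilesec.sys
+ ATI Remote Wonder II File not found: system32\drivers\ATIRWVD.SYS
+ cusbohcn File not found: C:\DOCUME~1\user\LOCALS~1\Temp\cusbohcn.sys
+ srosa c:\windows\system32\drivers\srosa.sys
"""

# The image path is the first drive-letter path on the line. Relative paths
# (system32\...) only occur after "File not found:" and are split off there.
PATH_RE = re.compile(r"[A-Za-z]:\\.*$")

# Assumed: the autostart locations whose entries run code at boot or logon.
LOADER_SECTIONS = ("\\Services", "\\Run", "\\RunOnce", "Startup", "\\Winlogon\\Notify")
# Assumed: path fragments that mark a user profile or temp directory on XP.
PROFILE_HINTS = ("\\docume~1\\", "\\documents and settings\\", "\\temp\\")


def parse_autoruns(text):
    """Parse the collapsed Autoruns export into a list of entry dicts.

    Each entry carries the section (autostart location) it was listed under,
    the label text before the path, the image path, and a status:
    "missing" (Autoruns could not find the file), "verified" / "not_verified"
    (the signature result Autoruns printed), or "no_publisher" (neither a
    signature result nor any publisher text at all)."""
    entries = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if not line.startswith("+ "):
            section = line  # a new autostart location
            continue
        body = line[2:]
        if " File not found: " in body:
            label, _, path = body.partition(" File not found: ")
            status = "missing"
        else:
            m = PATH_RE.search(body)
            path = m.group(0) if m else ""
            label = body[:m.start()].rstrip() if m else body
            if "(Verified)" in label:
                status = "verified"
            elif "(Not verified)" in label:
                status = "not_verified"
            else:
                status = "no_publisher"
        entries.append({"section": section or "", "label": label,
                        "path": path, "status": status})
    return entries


def summarize(entries):
    """Count entries by status, to see how much of the log is stale noise."""
    return Counter(e["status"] for e in entries)


def triage(entries):
    """Return (entry, reason) pairs worth checking first. A missing file is
    only a stale entry, so those are skipped; code that loads with no
    publisher and no signature result, or from a profile/temp directory,
    is where a manual check should start."""
    flagged = []
    for e in entries:
        if e["status"] == "missing":
            continue
        path = e["path"].lower()
        if e["status"] == "no_publisher" and e["section"].endswith(LOADER_SECTIONS):
            flagged.append((e, "no publisher and no signature result"))
        elif any(hint in path for hint in PROFILE_HINTS):
            flagged.append((e, "loads from a user profile or temp directory"))
    return flagged


if __name__ == "__main__":
    parsed = parse_autoruns(SAMPLE_LOG)
    print(dict(summarize(parsed)))
    for entry, reason in triage(parsed):
        print(f"{entry['section']}\n  {entry['path']}  <- {reason}")
```

On the full posted log the same rules leave a handful of lines to look at by hand, which is the point of enabling Verify Code Signatures in the first place: an unsigned driver with no publisher string in the Services key stands out once the signed vendor entries and the stale AVG leftovers are out of the way.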

random/random
2008-03-02, 14:10
I've edited the Autoruns log into your post. Please don't post logs as attachments unless requested to do so, as it makes it more difficult for me.

I shall be back with some instructions shortly.

random/random
2008-03-02, 14:12
Please follow these instructions to disable any security programs you have running that Bagle hasn't already killed, and then attempt to run ComboFix again:

http://www.bleepingcomputer.com/forums/topic114351.html

Karol
2008-03-02, 21:42
Followed the steps:

I get "Combofix.exe is not a valid Win32 application" message.

random/random
2008-03-02, 23:03
Please delete your current copy of combofix, and follow the instructions in this post:

http://forums.spybot.info/showpost.php?p=168980&postcount=3

to download a copy of combofix renamed to combo-fix.exe

Karol
2008-03-03, 00:18
I get "Combo-fix.exe is not a valid Win32 application".

random/random
2008-03-03, 20:06
Please follow the instructions again, but this time, instead of saving it as Combo-Fix.exe, save it as Karol.exe

Karol
2008-03-03, 21:25
Same thing as before.

random/random
2008-03-03, 22:39
Do you have access to another PC that you can transfer files from?

Karol
2008-03-05, 04:05
No, sorry.

random/random
2008-03-05, 22:05
Open a new notepad window (Start>All Programs>Accessories>Notepad)
Copy & paste the contents of the following codebox into the notepad window

findstr /i /m /s Themida "C:\*.exe" >> %systemdrive%\themida.txt
notepad %systemdrive%\themida.txt
Click File > Save as
In the box labelled File name copy and paste search.bat
Change Save as type to All Files
Save it to your desktop
Close the notepad window
Double click on search.bat
It should take a few minutes to run. Once it has finished, a notepad window shall open. Copy and paste the contents of that window as a reply to this topic.


Also, please tell me which browser you're using.
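The batch file above uses findstr to list every .exe on the system drive that contains the string "Themida" (Themida is a commercial executable protector, so the search picks out binaries packed with it). The script below does the same search in Python; it is an added example, not part of the thread, and it does not touch C:\. It builds its own constructed sample tree, reads each file in chunks with an overlap so a marker that straddles two reads is still found (an assumption added here; findstr's own handling is not described on the page), and returns a fresh result list each time instead of appending to themida.txt with ">>", which would make that file grow on every run.

```python
import os
import tempfile

MARKER = b"Themida"
CHUNK = 1 << 20  # 1 MiB reads keep memory flat on large binaries


def file_contains(path, marker=MARKER, chunk=CHUNK):
    """Case-insensitive search for `marker` anywhere in the file (findstr /i).

    The tail of each chunk (len(marker) - 1 bytes) is prepended to the next
    one so a hit split across a chunk boundary is not missed."""
    needle = marker.lower()
    keep = len(needle) - 1
    tail = b""
    with open(path, "rb") as fh:
        while True:
            block = fh.read(chunk)
            if not block:
                return False
            window = tail + block.lower()
            if needle in window:
                return True
            tail = window[-keep:] if keep else b""


def find_marked_executables(root, marker=MARKER, suffixes=(".exe",)):
    """Walk `root` recursively (findstr /s) and return (hits, unreadable):
    relative paths of files carrying the marker, and files that could not be
    opened. Paths use "/" so the result is the same on every platform."""
    hits, unreadable = [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(suffixes):
                continue
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            try:
                if file_contains(full, marker):
                    hits.append(rel)
            except OSError:
                # A file that cannot be read is worth listing on its own:
                # on the infected box a locked file is not necessarily clean.
                unreadable.append(rel)
    return sorted(hits), sorted(unreadable)


def build_sample_tree():
    """Constructed stand-in for C:\\ with four files: a packed-looking .exe
    carrying the marker in mixed case, an .exe where the marker straddles
    the 1 MiB chunk boundary, a clean .exe, and a .txt that carries the
    marker but is outside the .exe search scope."""
    root = tempfile.mkdtemp(prefix="themida_demo_")
    sub = os.path.join(root, "Program Files", "Demo")
    os.makedirs(sub)
    with open(os.path.join(sub, "packed.exe"), "wb") as fh:
        fh.write(b"MZ" + b"\x00" * 64 + b"..tHeMiDa.." + b"\x00" * 64)
    with open(os.path.join(sub, "straddle.exe"), "wb") as fh:
        fh.write(b"\x00" * (CHUNK - 3) + b"Themida" + b"\x00" * 16)
    with open(os.path.join(sub, "clean.exe"), "wb") as fh:
        fh.write(b"MZ" + b"\x00" * 128)
    with open(os.path.join(root, "notes.txt"), "wb") as fh:
        fh.write(b"Themida")
    return root


if __name__ == "__main__":
    hits, unreadable = find_marked_executables(build_sample_tree())
    print("\n".join(hits) or "no matches")
    if unreadable:
        print("unreadable:", unreadable)
```

On the machine in this thread the batch file is the practical choice, since findstr is built into XP and nothing else has to be downloaded onto a box that refuses to run new executables; the Python version is for the same check on a drive mounted from a clean system.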