Possibly still infected

Discussion in 'Malware Help (A Specialist Will Reply)' started by abz1nthe, Dec 29, 2009.

  1. abz1nthe

    abz1nthe Command Sergeant Major

    I want to make definite sure this computer is clean now as I believe it is the culprit in bringing a nasty mail spam bot onto our network which really wreaked some havoc for the School District I work for. It pretty much spammed emails out to the world until we were on virtually every major DNS blacklist. Still waiting to be de-listed on a couple -_-

    Thanks, much appreciated :)

    -A
     

  2. abz1nthe

    abz1nthe Command Sergeant Major

    attached additional log
     

  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Did you knowingly install WinPCAP on this PC? If so, you will have to reinstall it AFTER we finish all cleanup since ComboFix broke it. While WinPCAP is a legit application used to perform packet capturing, it can be used by malware too.

    Did you knowingly set up Microsoft Remote Desktop Connection to run at Startup? See below
    c:\documents and settings\Administrator\Start Menu\Programs\Startup\
    Remote Desktop Connection.lnk - c:\windows\system32\mstsc.exe [2004-8-4 677888]

    You need to delete MGtools from the below location as this is not where we asked you to download to or run it from:
    C:\Documents and Settings\User\Desktop\Allison's AV\MGtools.exe


    The below are out of date and security risks. You should uninstall and update as requested in the READ & RUN ME.
    Java(TM) 6 Update 5
    Mozilla Firefox (3.0)

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

    After clicking Fix, exit HJT.

    Run this Disable/Remove Windows Messenger to remove Windows Messenger. Do not confuse Windows Messenger with MSN Messenger because they are not the same. Windows Messenger is a frequent cause of popups.


    Now we need to use ComboFix
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    • If ComboFix tells you it has expired or needs to be updated to a new version, make sure you allow it to update.
    • Open Notepad and copy/paste the text in the below quote box into it:
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Now run Ccleaner. Only use the Run Cleaner button. Do not run anything else on any other forms.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).


    Then attach the below logs:
    • C:\ComboFix.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
  4. abz1nthe

    abz1nthe Command Sergeant Major

    Heya Chas thanks for the help.

    I honestly didn't notice any issues with the computer even before the cleanup but I knew it was infected based on the fact I saw it spamming SMTP traffic about 50 instances a second in the logs of my SonicWall. It has no popups or sluggish issues which I thought was weird.

    Attached are the logs

    Thanks again!

    -A
     

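The detection signal abz1nthe describes above (one workstation opening outbound SMTP connections at a high rate, visible in the firewall logs) as an added example that is not from this thread or from SonicWall: a small Python checker run over constructed connection-log lines. The log line format, the 10.x internal addressing and the hosts are assumptions made for the example; it ignores internal-to-internal SMTP so ordinary clients talking to the site's own mail server are not flagged.

```python
import re
from collections import defaultdict

# Constructed sample connection log; the format is an assumption for this example,
# not real SonicWall output. 10.1.5.23 is a hypothetical infected PC, 10.1.5.2 a hypothetical internal mail server.
SAMPLE_LOG = """\
2009-12-29T10:00:00 src=10.1.5.23:49152 dst=203.0.113.10:25 proto=tcp
2009-12-29T10:00:00 src=10.1.5.23:49153 dst=203.0.113.11:25 proto=tcp
2009-12-29T10:00:00 src=10.1.5.23:49154 dst=198.51.100.7:25 proto=tcp
2009-12-29T10:00:00 src=10.1.5.40:50001 dst=192.0.2.5:443 proto=tcp
2009-12-29T10:00:01 src=10.1.5.23:49155 dst=198.51.100.8:25 proto=tcp
2009-12-29T10:00:01 src=10.1.5.23:49156 dst=198.51.100.9:25 proto=tcp
2009-12-29T10:00:01 src=10.1.5.9:49000 dst=10.1.5.2:25 proto=tcp
2009-12-29T10:00:02 src=10.1.5.23:49157 dst=203.0.113.20:25 proto=tcp
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>[\d.]+):\d+ "
                     r"dst=(?P<dst>[\d.]+):(?P<dport>\d+) proto=(?P<proto>\w+)$")

def parse_line(line):
    """Return (ts, src, dst, dport, proto) or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return m["ts"], m["src"], m["dst"], int(m["dport"]), m["proto"].lower()

def smtp_spam_candidates(log_text, rate_threshold=3, internal_prefix="10."):
    """Flag internal hosts whose tcp/25 connections to EXTERNAL hosts reach
    rate_threshold within one timestamp second; internal->internal SMTP is ignored.
    Returns {src: {"peak_per_second": n, "distinct_destinations": m}}."""
    per_second = defaultdict(lambda: defaultdict(int))  # src -> ts -> count
    destinations = defaultdict(set)                      # src -> {dst}
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, src, dst, dport, proto = parsed
        if proto != "tcp" or dport != 25:
            continue
        if not src.startswith(internal_prefix) or dst.startswith(internal_prefix):
            continue
        per_second[src][ts] += 1
        destinations[src].add(dst)
    flagged = {}
    for src, counts in per_second.items():
        peak = max(counts.values())
        if peak >= rate_threshold:
            flagged[src] = {"peak_per_second": peak,
                            "distinct_destinations": len(destinations[src])}
    return flagged
```

A spam bot typically shows both signals at once: a high per-second rate and many distinct external mail hosts, whereas a legitimate client talks to one relay.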
  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You did not answer my questions about WinPCAP or the Remote Desktop Connection software.

    Also you did not tell me how things are working now.

    The below file failed to delete:
    c:\windows\SYSTEM32\DRIVERS\LTEPSGGR.SYS

    Can you see this file? If so right click on it and select Properties and look at the Version tab information to see if you can determine what it is and who it belongs too. If there is no version info and you can see the file, have it scanned at the below link and report what is found:

    http://www.virustotal.com/
     
  6. abz1nthe

    abz1nthe Command Sergeant Major

    Hi Chas sorry was kinda hectic at work that day so I skimmed it.

    1.) Yes I am aware RDC was set in startup as we run a terminal server/RDP environment.

    2.) No, WinPCAP was not used on this pc.

    As mentioned previously I never even noticed that it was infected as it showed no signs of sluggishness or popups and didn't affect access and configurations that I could notice.


    c:\windows\SYSTEM32\DRIVERS\LTEPSGGR.SYS isn't showing a version tab and when I try to move the file over to my flash drive and/or delete it says "Cannot delete Itepsggr: Cannot read from the source file or disk". I am still hesitant to put this computer back online until I know for sure it is clean. Last thing I need is to have our WAN IP blacklisted by the world again :(

    Thank ya much!!

    -A
     
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    NOTE: RE your PM. We respond to threads in queue order which you should know. Our procedures are mentioned in this sticky: Don't Bump! It Only Hurts You!!! Also as stated in other stickies, we rarely will respond to PMs. Most PMs that are related to normal operations or malware removal in the forum are just ignored since all threads are answered and they are answered in queue order.

    I did not ask you to move or to delete the file. Since ComboFix could not so easily delete it (it is in use) there is no way you could move or delete it manually. You could try putting a copy into a zip file and attaching it here. That is assuming that you can ZIP it. It could block you.

    Otherwise you will have to try doing the above in safe mode to see if it will work or you will have to boot to the Recovery Console and rename the file to something like LTEPSGGR.SYS.BAD and then reboot back normally and see if it causes any problems to normal operation. Then ZIP the renamed file and attach it here.
     
  8. abz1nthe

    abz1nthe Command Sergeant Major


    Hi Chas,

    The reason I was trying to move the file was because I didn't want to put this computer back onto my network and have it create more problems. However, I did as you requested and when I uploaded the file the page said:

    0 bytes size received / Se ha recibido un archivo vacio

    I am going to try your other suggestion later on today when I have time.

    Thanks!

    -Adam
     
  9. abz1nthe

    abz1nthe Command Sergeant Major

    So I was able to boot in through recovery console and rename the file. Everything loaded up fine and attached is that file.


    thanks again Chas you are a life saver!!
     

  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

  11. abz1nthe

    abz1nthe Command Sergeant Major

    I was able to delete the file and on a restart it did not respawn :)

    Thanks!
     
  12. abz1nthe

    abz1nthe Command Sergeant Major

    Bah just putting that pc online for that 2 minute period of uploading that file it spammed out to the world (unknowingly to me) and again our district is blacklisted from sending any emails to the outside world :(
     
  13. abz1nthe

    abz1nthe Command Sergeant Major

    I am just going to completely wipe this computer.

    Thanks for trying Chas.
     
  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. If you have not wiped it yet, you may want to just try installing the current version of ComboFix and running it and attaching a new log. You were out of date on the last run and it ran in reduced functionality mode. There could be a couple of leftovers that still needed removing.
     
  15. abz1nthe

    abz1nthe Command Sergeant Major

    I think just for sanity's sake I am going to wipe it lol. Unleashed demon spawn on my network got put on every major DNS blacklist, which is so hard to get off after the second time. Still battling those companies to take us off their list :p

    Thanks again though!

    -Adam
     
  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay! Sometimes this is the most secure way to know a PC is really 100% clean. ;)
     
