Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

Trojan Horse Back Door Generic 11.HXH Hi... I just used AVG

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

Trojan Horse Back Door Generic 11.HXH Hi... I just used AVG

Unread postby jsmac43 » May 8th, 2009, 10:46 am

Hi... I just used AVG to remove 41 virus' a few days ago. I am getting
pop-ups from AVG that I have a Trojan horse Back Door Generic 11.HXH
that it can't get rid of. A friend highly recommended I get you to
help me with the removal.

I downloaded HiJackThis and ran the scan. Results are below. I will
wait for your assistance. Thank you so much.

I'm very sorry I jumped in on another account. Believe me it was not intentional. I'm so new to this and thought I was getting directions for my issue. This is all so new and confusing to me. I'll try my best to do exactly what you suggest. I apologize to the person who's site I replied to... it was my mistake. Please don't give up on me. jsmac43



Logfile of HijackThis v1.99.1
Scan saved at 4:32:31 PM, on 5/6/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\RTHDCPL.EXE
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Compaq Connections\5577497\Program\Compaq Connections.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
c:\windows\system\hpsysdrv.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\DOCUME~1\COMPAQ~1.JSM\LOCALS~1\Temp\Temporary Directory 1 for hijackthis1991.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O1 - Hosts: ::1 localhost
O1 - Hosts: 91.212.65.122 browser-security.microsoft.com
O1 - Hosts: 91.212.65.122 antiwareprotect.com
O1 - Hosts: 91.212.65.122 www.antiwareprotect.com
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: (no name) - {8F09F081-3369-4250-B1A3-C6EF20A69798} - C:\WINDOWS\system32\avwa.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: hpWebHelper Class - {AAAE832A-5FFF-4661-9C8F-369692D1DCB9} - C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\WebHelper.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
O2 - BHO: Browser Helper Object - {AFD4AD01-58C1-47DB-A404-FBE00A6C5486} - C:\Program Files\Common\helper.dll (file missing)
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [ftutil2] rundll32.exe ftutil2.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ares ultra] "C:\Program Files\Ares Ultra\Ares Ultra.exe" -h
O4 - HKCU\..\RunOnce: [Shockwave Updater] C:\WINDOWS\system32\Adobe\SHOCKW~1\SWHELP~1.EXE -Update -1100465 -"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; GTB5; .NET CLR 1.0.3705; .NET CLR 1.1.4322; Media Center PC 4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)" -"http://www.shockwave.com/contentPlay/shockwave.jsp?dwin=1&id=jigsawpuzzles"
O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\5577497\Program\Compaq Connections.exe
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O9 - Extra button: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm (file missing)
O9 - Extra 'Tools' menuitem: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microso ... 3671754921
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 3671846640
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.shockwave.com/content/bookwo ... v10_en.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{09012135-7F3D-4AD2-B271-DA0BAF140ADD}: NameServer = 198.190.226.3,198.190.226.30
O17 - HKLM\System\CS1\Services\Tcpip\..\{09012135-7F3D-4AD2-B271-DA0BAF140ADD}: NameServer = 198.190.226.3,198.190.226.30
O17 - HKLM\System\CS2\Services\Tcpip\..\{09012135-7F3D-4AD2-B271-DA0BAF140ADD}: NameServer = 198.190.226.3,198.190.226.30
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Filter: text/html - {615cdc59-842b-499d-9c9f-133902e93601} - C:\WINDOWS\system32\dsound3dd.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O20 - Winlogon Notify: dimsntfy - %SystemRoot%\System32\dimsntfy.dll (file missing)
O20 - Winlogon Notify: __c001BD2C - C:\WINDOWS\system32\__c001BD2C.dat (file missing)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Unknown owner - C:\Program Files\Java\jre6\bin\jqs.exe" -service -config "C:\Program Files\Java\jre6\lib\deploy\jqs\jqs.conf (file missing)
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
jsmac43
Regular Member
 
Posts: 24
Joined: May 6th, 2009, 3:26 pm
Advertisement
Register to Remove

Re: Trojan Horse Back Door Generic 11.HXH Hi... I just used AVG

Unread postby MWR 3 day Mod » May 11th, 2009, 12:05 pm

Hi,

We are sorry to see your topic is over three days old and no one has yet been able to respond and offer help.

If you still require assistance, please post a link to your topic in our Waiting for help with malware removal? forum, and our staff will make an effort to assist you as promptly as possible. Only post a LINK to this topic, DO NOT post your DDS log!

Please do not reply to this topic.

If you haven't posted within two days in the "Waiting for help with malware removal?" forum, we will assume you have been able to get assistance in other ways and this topic will be closed.
MWR 3 day Mod
MRU Undergrad
MRU Undergrad
 
Posts: 2534
Joined: April 4th, 2008, 8:40 am

Re: Trojan Horse Back Door Generic 11.HXH Hi... I just used AVG

Unread postby jmw3 » May 11th, 2009, 1:23 pm

Hello & Welcome to Malware Removal

Please Subscribe to this Thread to get immediate notification of replies as soon as they are posted. To do this ensure Notify me when a reply is postedis ticked on the POST A REPLY page.

In the meantime please note the following:
  • Any recommendations made are for your computer problems only and should NOT be used on any other computer.
  • Please DO NOT run any scans/tools or other fixes unless I ask you to. This is very important for several reasons. Here are just two of them:
    1. The tools that we use are very powerful and can cause >>irreparable damage<< to your computer if not used correctly.
    2. Commercial scanners, for the most part can not completely remove some of the more "resistant" infections. This makes it much more difficult to get rid of completely.
  • If you get stuck or are unsure of something please ask for a further explanation, do not guess.
  • It will require more than one round to properly clean your system. Continue to respond to this thread until I give you the All Clean! even if symptoms seemingly abate.
Please note that the forum is very busy and if I don't hear from you within five days this thread will be closed.
If for any reason you cannot complete instructions within that time, that's fine, just put a post here so that I know you're still here. We get a lot of people who simply leave & if there is no contact for that amount of time I will have to assume you have abandoned your topic.

DDS
Download DDS.scr by sUBs from one of the following links & save it to your desktop.
http://download.bleepingcomputer.com/sUBs/dds.scr
http://www.forospyware.com/sUBs/dds
  • Double-Click on dds.scr and a command window will appear. This is normal
  • Shortly after two logs will appear, DDS.txt & Attach.txt
  • A window will open instructing you save & post the logs
  • Save the logs to a convenient place such as your desktop
  • Copy the contents of both logs & post in your next reply
Gmer
Download gmer.zip from Gmer here & save it to your desktop.
  • Right click on gmer.zip, select Extract All... & extract the contents to your desktop
  • Double click the Gmer.exe file. If asked to allow gmer.sys driver to load, please consent
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO

    Image
    Click the image to enlarge it
  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • Sections
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish
  • Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post
  • Save it where you can easily find it, such as your desktop, and post it in reply
**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOKIT" entries

Note: Do not run any programs while Gmer is running.

To post in next reply:
Contents of DDS log
Contents of Attach.txt
Contents of Gmer log
User avatar
jmw3
MRU Emeritus
MRU Emeritus
 
Posts: 4621
Joined: February 12th, 2008, 2:36 am
Location: Port Hedland, Western Australia

Re: Trojan Horse Back Door Generic 11.HXH Hi... I just used AVG

Unread postby jsmac43 » May 16th, 2009, 10:54 pm

I just found your directions, just in time. I posted the DDS log, Attach.txt and Gmer log. I hope I did them correctly and we can finally get rid of this Trojan Horse. The hardest part for me is navigating through the site and finding replies and where to go to post. jsmac43
jsmac43
Regular Member
 
Posts: 24
Joined: May 6th, 2009, 3:26 pm

Re: Trojan Horse Back Door Generic 11.HXH Hi... I just used AVG

Unread postby jmw3 » May 17th, 2009, 12:08 am

Hi

Where did you post the logs??
The hardest part for me is navigating through the site and finding replies and where to go to post.
You need to post any information I request to this topic. If you followed my instructions for subscribing to this thread you will receive an email when I reply. That way you will know where to post.
User avatar
jmw3
MRU Emeritus
MRU Emeritus
 
Posts: 4621
Joined: February 12th, 2008, 2:36 am
Location: Port Hedland, Western Australia

Re: Trojan Horse Back Door Generic 11.HXH Hi... I just used AVG

Unread postby jsmac43 » May 17th, 2009, 8:29 am

Hi OK, I don't understand what a thread is or how to subscribe to one. I do have the reports saved on my desk top so let's try it again. How do I subscribe to this thread again?
jsmac43
Regular Member
 
Posts: 24
Joined: May 6th, 2009, 3:26 pm

Re: Trojan Horse Back Door Generic 11.HXH Hi... I just used AVG

Unread postby jmw3 » May 17th, 2009, 10:02 am

Hi
I don't understand what a thread is or how to subscribe to one.
The thread is this topic you started... we'll call it a topic if that makes it easier.
When you click on Post a reply it will bring you to the page where you type your text. Just below the test box you will see a tab labeled Options. On that tab you will see a list of five options. Ensure the last one Notify me when a reply is posted has a tick in the box.

  • To copy the contents of you your logs open them by double clicking on them
  • Once opened click on Edit then click Select All. The text will turn blue
  • Next click Edit again, then click Copy
  • Come here to your topic & click Post a reply
  • When the text box appears, right-click anywhere inside it, then click Paste
  • The contents of your reports should now be in the text box
Sometimes the contents of the reports maybe to big for one reply. If that happens you will need to split the logs up into a couple of replies.
User avatar
jmw3
MRU Emeritus
MRU Emeritus
 
Posts: 4621
Joined: February 12th, 2008, 2:36 am
Location: Port Hedland, Western Australia

Re: Trojan Horse Back Door Generic 11.HXH Hi... I just used AVG

Unread postby jsmac43 » May 17th, 2009, 1:44 pm

DDS (Ver_09-05-14.01) - NTFSx86
Run by Compaq_Administrator at 19:25:56.06 on Sat 05/16/2009
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.446.77 [GMT -4:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: Norton AntiVirus *enabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\system32\nvsvc32.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Compaq Connections\5577497\Program\Compaq Connections.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\WINDOWS\system32\dllhost.exe
c:\windows\system\hpsysdrv.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Documents and Settings\Compaq_Administrator.JSM43PC\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearch Page = hxxp://www.google.com
uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
uSearch Bar = hxxp://www.google.com/ie
mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
mDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
mSearch Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
uInternet Connection Wizard,ShellNext = iexplore
mSearchAssistant = hxxp://www.google.com/ie
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: {8f09f081-3369-4250-b1a3-c6ef20a69798} - c:\windows\system32\avwa.dll
BHO: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: hpWebHelper Class: {aaae832a-5fff-4661-9c8f-369692d1dcb9} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\plugin\WebHelper.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.0.926.3450\swg.dll
BHO: Browser Helper Object: {afd4ad01-58c1-47db-a404-fbe00a6c5486} - c:\program files\common\helper.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_219B3E1547538286.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: &Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
TB: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [ares ultra] "c:\program files\ares ultra\Ares Ultra.exe" -h
uRunOnce: [Shockwave Updater] c:\windows\system32\adobe\shockw~1\SWHELP~1.EXE -Update -1100465 -"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; GTB5; .NET CLR 1.0.3705; .NET CLR 1.1.4322; Media Center PC 4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)" -"http://www.shockwave.com/contentPlay/shockwave.jsp?dwin=1&id=jigsawpuzzles"
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [ftutil2] rundll32.exe ftutil2.dll,SetWriteCacheMode
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [Recguard] c:\windows\sminst\RECGUARD.EXE
mRun: [PCDrProfiler]
mRun: [HPBootOp] "c:\program files\hewlett-packard\hp boot optimizer\HPBootOp.exe" /run
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [Share-to-Web Namespace Daemon] c:\program files\hewlett-packard\hp share-to-web\hpgs2wnd.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRunOnce: [IE 3.0 RegSvr schannel.dll] c:\windows\system32\regsvr32.exe /s c:\windows\system32\schannel.dll
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\compaq~1.lnk - c:\program files\compaq connections\5577497\program\Compaq Connections.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hppsc2~1.lnk - c:\program files\hewlett-packard\digital imaging\bin\hpobnz08.exe
IE: {E2D4D26B-0180-43a4-B05F-462D6D54C789} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\iebutton\support.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/get/sh ... tor/sw.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/microso ... 3671754921
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftup ... 3671846640
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://javadl.sun.com/webapps/download/ ... leId=29223
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shoc ... wflash.cab
DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - hxxp://www.shockwave.com/content/bookwo ... v10_en.cab
TCP: {09012135-7F3D-4AD2-B271-DA0BAF140ADD} = 198.190.226.3,198.190.226.30
Filter: text/html - {615cdc59-842b-499d-9c9f-133902e93601} -
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: __c001BD2C - c:\windows\system32\__c001BD2C.dat
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\compaq~1.jsm\applic~1\mozilla\firefox\profiles\6l3u3hie.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
FF - component: c:\program files\avg\avg8\toolbarff\components\vmAVGConnector.dll

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
============= SERVICES / DRIVERS ===============

R0 tqsgpsar;tqsgpsar;c:\windows\system32\drivers\tqsgpsar.sys [2006-10-27 23424]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-5-3 325896]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-5-3 27784]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-5-3 108552]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2009-5-3 908568]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-5-3 298776]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-6 99328]

=============== Created Last 30 ================

2009-05-16 15:22 40,960 -------- c:\windows\system32\Stlhook.dll
2009-05-16 15:22 13,545 -------- c:\windows\system32\drivers\STLTRK2K.sys
2009-05-16 15:20 <DIR> --d----- c:\program files\common files\SCM
2009-05-16 13:42 73,728 a------- c:\windows\system32\javacpl.cpl
2009-05-03 12:22 4,720 a------- c:\windows\system32\PerfStringBackup.TMP
2009-05-03 11:38 <DIR> --d-h--- C:\$AVG8.VAULT$
2009-05-03 11:31 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-05-03 11:31 325,896 a------- c:\windows\system32\drivers\avgldx86.sys
2009-05-03 11:31 108,552 a------- c:\windows\system32\drivers\avgtdix.sys
2009-05-03 11:31 <DIR> --d----- c:\windows\system32\drivers\Avg
2009-05-03 11:31 <DIR> --d----- c:\docume~1\compaq~1.jsm\applic~1\AVGTOOLBAR
2009-05-03 11:31 <DIR> --d----- c:\program files\AVG
2009-05-03 11:31 <DIR> --d----- c:\docume~1\alluse~1\applic~1\avg8
2009-05-03 10:39 473,600 -------- c:\windows\system32\dllcache\fastprox.dll
2009-05-03 10:39 401,408 -------- c:\windows\system32\dllcache\rpcss.dll
2009-05-03 10:39 284,160 -------- c:\windows\system32\dllcache\pdh.dll
2009-05-03 10:39 227,840 -------- c:\windows\system32\dllcache\wmiprvse.exe
2009-05-03 10:39 110,592 -------- c:\windows\system32\dllcache\services.exe
2009-05-03 10:39 729,088 -------- c:\windows\system32\dllcache\lsasrv.dll
2009-05-03 10:39 714,752 -------- c:\windows\system32\dllcache\ntdll.dll
2009-05-03 10:39 617,472 -------- c:\windows\system32\dllcache\advapi32.dll
2009-05-03 10:39 453,120 -------- c:\windows\system32\dllcache\wmiprvsd.dll
2009-05-03 10:36 1,203,922 -------- c:\windows\system32\dllcache\sysmain.sdb
2009-05-03 10:36 2,560 -------- c:\windows\system32\xpsp4res.dll
2009-05-03 10:36 215,552 -------- c:\windows\system32\dllcache\wordpad.exe
2009-05-03 10:26 <DIR> --d----- c:\program files\VirusRemover2009
2009-05-03 10:23 <DIR> --d----- c:\program files\Sun
2009-05-03 10:21 <DIR> --d----- c:\program files\Symantec
2009-05-03 10:21 <DIR> --d----- c:\windows\E80F62FF5D3C4A1984099721F2928206.TMP
2009-04-29 23:52 <DIR> --d----- c:\docume~1\compaq~1.jsm\applic~1\SpyProtector
2009-04-29 23:22 <DIR> --d----- c:\docume~1\compaq~1.jsm\applic~1\MSNInstaller
2009-04-21 08:56 49 a----r-- C:\xcrashdump.dat

==================== Find3M ====================

2009-05-16 13:41 410,984 a------- c:\windows\system32\deploytk.dll
2009-03-21 10:06 989,696 -------- c:\windows\system32\dllcache\kernel32.dll
2009-03-06 10:22 284,160 a------- c:\windows\system32\pdh.dll
2009-03-02 19:04 1,499,136 -------- c:\windows\system32\dllcache\shdocvw.dll
2009-02-20 04:11 3,068,416 -------- c:\windows\system32\dllcache\mshtml.dll
2009-02-20 04:10 666,112 a------- c:\windows\system32\wininet.dll
2009-02-20 04:10 666,112 -------- c:\windows\system32\dllcache\wininet.dll
2009-02-20 04:10 619,520 -------- c:\windows\system32\dllcache\urlmon.dll
2009-02-20 04:10 81,920 a------- c:\windows\system32\ieencode.dll
2009-02-20 04:10 81,920 -------- c:\windows\system32\dllcache\ieencode.dll
2008-11-14 22:00 521 a---h--- c:\program files\hpothb07.tif
2008-11-14 22:00 310 a---h--- c:\program files\hpothb07.dat
2007-01-21 19:04 40,798,696 a------- c:\program files\NAV071420.exe
2006-12-10 22:07 25,755,448 a------- c:\program files\wmp11-windowsxp-x86-enu.exe
2006-11-24 21:28 1,665 a------- c:\program files\WeatherBug.lnk

============= FINISH: 19:26:13.73 ===============

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-05-14.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 10/10/2008 2:49:53 PM
System Uptime: 5/16/2009 3:25:11 PM (4 hours ago)

Motherboard: ASUSTek Computer INC. | | NAOS
Processor: AMD Athlon(tm) 64 Processor 3500+ | Socket AM2 | 2204/199mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 106 GiB total, 87.332 GiB free.
D: is FIXED (FAT32) - 6 GiB total, 0.846 GiB free.
E: is CDROM ()
F: is Removable

==== Disabled Device Manager Items =============

Class GUID:
Description:
Device ID: ACPI\AWY0001\2&DABA3FF&0
Manufacturer:
Name:
PNP Device ID: ACPI\AWY0001\2&DABA3FF&0
Service:

==== System Restore Points ===================

RP1: 5/5/2009 10:29:36 PM - System Checkpoint
RP2: 5/7/2009 10:19:10 AM - Removed Java(TM) 6 Update 11
RP3: 5/7/2009 10:21:53 AM - Removed J2SE Runtime Environment 5.0 Update 6
RP4: 5/8/2009 11:26:30 AM - System Checkpoint
RP5: 5/9/2009 4:11:34 PM - System Checkpoint
RP6: 5/10/2009 4:18:54 PM - System Checkpoint
RP7: 5/11/2009 4:37:11 PM - System Checkpoint
RP8: 5/12/2009 5:03:58 PM - System Checkpoint
RP9: 5/13/2009 5:15:07 PM - System Checkpoint
RP10: 5/13/2009 11:54:06 PM - Software Distribution Service 3.0
RP11: 5/15/2009 11:03:11 AM - System Checkpoint
RP12: 5/16/2009 11:16:14 AM - System Checkpoint
RP13: 5/16/2009 1:41:37 PM - Installed Java(TM) 6 Update 13

==== Installed Programs ======================

Adobe Acrobat 4.0
Adobe Flash Player 10 ActiveX
Adobe Reader 7.0.5
Adobe Shockwave Player
Apple Software Update
AVG Free 8.5
BufferChm
Compaq Connections (remove only)
CP_AtenaShokunin1Config
CP_CalendarTemplates1
cp_LightScribeConfig
cp_OnlineProjectsConfig
CP_Package_Basic1
CP_Package_Variety1
CP_Package_Variety2
CP_Package_Variety3
CP_Panorama1Config
cp_PosterPrintConfig
cp_UpdateProjectsConfig
Critical Update for Windows Media Player 11 (KB959772)
CueTour
Customer Experience Enhancement
Data Fax SoftModem with SmartCP
Destinations
DeviceManagementQFolder
Driver Detective
Easy Internet Sign-up
FullDPAppQFolder
GemMaster Mystic
Google Toolbar for Internet Explorer
High Definition Audio Driver Package - KB888111
HijackThis 1.99.1
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 10 (KB903157)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
HP Boot Optimizer
HP Imaging Device Functions 7.0
HP Memories Disc
HP Photo and Imaging 1.0 - HP PSC - HP OfficeJet
HP Photo and Imaging 1.0 - HP PSC - HP OfficeJet Drivers
HP Photosmart Premier Software 6.5
hp psc 2200 series
HP Support Overview
HP Update
HP Web Helper
HPPhotoSmartExpress
HpSdpAppCoreApp
InstantShareDevices
Java(TM) 6 Update 13
LiveUpdate (Symantec Corporation)
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Mozilla Firefox (3.0.10)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
My HP Games
Netscape Browser (remove only)
NVIDIA Drivers
OnDVD
OptionalContentQFolder
Otto
PC-Doctor 5 for Windows
PhotoGallery
PictureMover
Python 2.2 pywin32 extensions (build 203)
Python 2.2.3
QuickTime
RandMap
Readiris 7.5
Realtek High Definition Audio Driver
RegCure 1.5.0.1
Rhapsody
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953838)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956390)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958215)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960714)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB963027)
SkinsHP1
SlideShow
SlideShowMusic
Sonic_PrimoSDK
Unload
Update for Windows Media Player 10 (KB913800)
Update for Windows Media Player 10 (KB926251)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB953356)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update Rollup 2 for Windows XP Media Center Edition 2005
USB CF
VirusRemover2009 1.0.9.0 (remove only)
WebFldrs XP
WildTangent Web Driver
Windows Genuine Advantage Validation Tool (KB892130)
Windows Media Format 11 runtime
Windows Media Player 11
Windows XP Media Center Edition 2005 KB908246
Windows XP Media Center Edition 2005 KB925766
Windows XP Service Pack 3
Yahoo! Toolbar
Yahoo! Toolbar for Internet Explorer

==== Event Viewer Messages From Past Week ========

5/16/2009 12:08:19 PM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the stisvc service.
5/15/2009 9:09:58 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD AmdK8 AvgLdx86 AvgMfx86 AvgTdiX Fips ftsata2 IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss Tcpip
5/15/2009 9:09:58 PM, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error: A device attached to the system is not functioning.
5/15/2009 9:09:58 PM, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
5/15/2009 9:09:58 PM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
5/15/2009 9:09:58 PM, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.
5/15/2009 9:09:13 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
5/15/2009 9:09:10 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
5/11/2009 3:45:59 PM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the Netman service.
5/11/2009 2:09:43 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: ftsata2
5/11/2009 2:09:43 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Automatic LiveUpdate Scheduler service to connect.
5/10/2009 10:59:58 PM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the WZCSVC service.

==== End Of File ===========================
GMER 1.0.15.14972 - http://www.gmer.net
Rootkit scan 2009-05-17 13:27:40
Windows 5.1.2600 Service Pack 3


---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----
jsmac43
Regular Member
 
Posts: 24
Joined: May 6th, 2009, 3:26 pm

Re: Trojan Horse Back Door Generic 11.HXH Hi... I just used AVG

Unread postby jmw3 » May 18th, 2009, 3:33 am

Hi

Upload Files for Scanning
Go to VirSCAN & upload the following File & Path for scanning.
  • Copy & paste the following File & Path in the text box next to the Browse button.
    Code: Select all
    c:\windows\system32\drivers\tqsgpsar.sys
  • Click Upload.
  • Wait for scans to finish then copy & paste the results into your next reply.
Remove Programs
Click Start > Control Panel > Add/Remove Programs
Remove these programs by clicking Remove

VirusRemover2009 1.0.9.0 (remove only)

If some programs listed are not present, please do not panic
A couple of optional uninstalls you may wish to consider while in Add or Remove Programs:
Easy Internet Sign-up
RegCure 1.5.0.1


Registry Cleaners

Re: RegCure 1.5.0.1

I don't personally recommend the use of ANY registry cleaners.
Here is an excerpt from a discussion on regcleaners:
Most reg cleaners aren't "bad" as such, but they aren't perfect and even the best have been known to cause problems.
The point we are trying to make is that the risk of using one far outweighs any benefit.
If it does work perfectly you will not see any difference
If it doesn't work properly you may end up with an expensive doorstop.

http://forums.whatthetech.com/Regcleaner_t42862.html

ATF Cleaner
Download ATF Cleaner here by Atribune.
    Double-click ATF-Cleaner.exe to run the program
    Under Main choose: Select All
    Click the Empty Selected button
If you use Firefox browser
    Click Firefox at the top and choose: Select All
    Click the Empty Selected button
    NOTE: If you would like to keep your saved passwords, please click No at the prompt
If you use Opera browser
    Click Opera at the top and choose: Select All
    Click the Empty Selected button
    NOTE: If you would like to keep your saved passwords, please click No at the prompt
Click Exit on the Main menu to close the program.

Combofix
Download ComboFix from one of these locations:
Link 1
Link 2
Link 3

**IMPORTANT !!! Save ComboFix.exe to your Desktop**

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
    A guide to do this can be found here
  • Double click on ComboFix.exe & follow the prompts
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.
Image

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
Image

  • Click on Yes, to continue scanning for malware.
  • When finished, it shall produce a log for you. Please include the contents of C:\ComboFix.txt in your next reply
A word of warning: Neither I nor sUBs are responsible for any damage you may cause to your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


To post in next reply:
Results of VirSCAN log
Combofix log
User avatar
jmw3
MRU Emeritus
MRU Emeritus
 
Posts: 4621
Joined: February 12th, 2008, 2:36 am
Location: Port Hedland, Western Australia

Re: Trojan Horse Back Door Generic 11.HXH Hi... I just used AVG

Unread postby jsmac43 » May 18th, 2009, 11:21 am

Encountered a problem immediately. I can open VirSCAN but when I try to copy and paste in the File & Path it won't highlight it to copy. It puts a block [blue line surrounding them] around all your directions. I tried typing it in but I get a folder from My Pictures popping up. I have a LOT of photo's in My Pictures. Should I save them to a CD and delete them?
I am more than willing to delete [add/remove] any program not necessary. Should I go and remove [1] Easy Internet Sign-up [2] RegCure 1.5.0.1 first... to lighten the load some???
jsmac43
Regular Member
 
Posts: 24
Joined: May 6th, 2009, 3:26 pm

Re: Trojan Horse Back Door Generic 11.HXH Hi... I just used AVG

Unread postby jmw3 » May 18th, 2009, 12:54 pm

Hi
Try uploading the file this way:
View Hidden Files & Folders Windows XP
To view Hidden Files & Folders do the following:
Click Start
Open My Computer
Select the Tools menu and click Folder Options
Select the View Tab
Under the Hidden files and folders heading select Show hidden files and folders
Uncheck the Hide protected operating system files (recommended) option
Click Yes to confirm
Click OK

Upload Files for Scanning
Go to VirSCAN
  • In the File Upload box that opens navigate to c:\windows\system32\drivers\tqsgpsar.sys
  • Click once on tqsgpsar.sys to highlight it then click Open. You should now see the file & path in the text box
  • Click Upload
    Wait for scans to finish then copy & paste the results into your next reply
I tried typing it in but I get a folder from My Pictures popping up. I have a LOT of photo's in My Pictures. Should I save them to a CD and delete them?
You should always have a back up of anything that is important to you whether it be photos, documents, music etc. We're dealing with malware here so things can easily go pear shaped. If the photos are important then make copies, but there is no need to delete them unless you want to free up some space.
I am more than willing to delete [add/remove] any program not necessary. Should I go and remove [1] Easy Internet Sign-up [2] RegCure 1.5.0.1 first... to lighten the load some???
As stated they are optional uninstalls. Remove them if you want too. :)
If you have any problems uploading that file just skip it & move on to the other instructions.
User avatar
jmw3
MRU Emeritus
MRU Emeritus
 
Posts: 4621
Joined: February 12th, 2008, 2:36 am
Location: Port Hedland, Western Australia

Re: Trojan Horse Back Door Generic 11.HXH Hi... I just used AVG

Unread postby jsmac43 » May 18th, 2009, 1:51 pm

tqsgpsar.sys
23424 byte
PE32 executable for MS Windows (native) Intel 80386 32-bit
b395b97de4047d70bc127bd371d5697d
825b0597d25d92b69b8bf4e08b4575351bb906ac

I ran the scan but it will not highlight so I saved it on my desktop. I tried to copy it and paste it here and this is what I got. If you need the whole report tell me how t email it to you or how to get it to you another way.

I copied 10 picture folders and deleted the folders in My Pictures to free things up a bit. And I removed Easy Internet Sign-up and RegCure 1.5.0.1 Moving onto the next step.
jsmac43
Regular Member
 
Posts: 24
Joined: May 6th, 2009, 3:26 pm

Re: Trojan Horse Back Door Generic 11.HXH Hi... I just used AVG

Unread postby jsmac43 » May 18th, 2009, 2:51 pm

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.446.130 [GMT -4:00]
Running from: c:\documents and settings\Compaq_Administrator.JSM43PC\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: Norton AntiVirus *enabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\COMPAQ~1.JSM\LOCALS~1\Temp\IadHide5.dll
c:\documents and settings\Compaq_Administrator.JSM43PC\Application Data\AntiSpywareDAT
c:\documents and settings\Compaq_Administrator.JSM43PC\Application Data\AntiSpywareDAT\Scan_Log.txt
c:\documents and settings\Compaq_Administrator.JSM43PC\Local Settings\Temp\IadHide5.dll
c:\program files\Common\helper.sig
c:\recycler\S-1-5-21-3927575683-2371404712-2248107785-1007\Dc15.JPG
c:\recycler\S-1-5-21-3927575683-2371404712-2248107785-1007\Dc16.JPG
c:\recycler\S-1-5-21-3927575683-2371404712-2248107785-1007\Dc17.JPG
c:\recycler\S-1-5-21-3927575683-2371404712-2248107785-1007\Dc18.JPG
c:\recycler\S-1-5-21-3927575683-2371404712-2248107785-1007\Dc19.JPG
c:\recycler\S-1-5-21-3927575683-2371404712-2248107785-1007\Dc20.JPG
c:\recycler\S-1-5-21-3927575683-2371404712-2248107785-1007\Dc21.JPG
c:\recycler\S-1-5-21-3927575683-2371404712-2248107785-1007\Dc22.JPG
c:\recycler\S-1-5-21-3927575683-2371404712-2248107785-1007\Dc23.JPG
c:\recycler\S-1-5-21-3927575683-2371404712-2248107785-1007\Dc24.JPG
c:\recycler\S-1-5-21-3927575683-2371404712-2248107785-1007\Dc25.JPG
c:\recycler\S-1-5-21-3927575683-2371404712-2248107785-1007\Dc26.JPG
c:\recycler\S-1-5-21-3927575683-2371404712-2248107785-1007\Dc27.JPG
c:\recycler\S-1-5-21-3927575683-2371404712-2248107785-1007\Dc28.JPG
c:\recycler\S-1-5-21-3927575683-2371404712-2248107785-1007\Dc29.JPG
c:\recycler\S-1-5-21-3927575683-2371404712-2248107785-1007\Dc30.JPG
c:\recycler\S-1-5-21-3927575683-2371404712-2248107785-1007\Dc31.JPG
c:\recycler\S-1-5-21-3927575683-2371404712-2248107785-1007\Dc32.JPG
c:\recycler\S-1-5-21-3927575683-2371404712-2248107785-1007\Dc33.tif
c:\recycler\S-1-5-21-3927575683-2371404712-2248107785-1007\Dc34.tif
c:\recycler\S-1-5-21-3927575683-2371404712-2248107785-1007\Dc35.eml
c:\recycler\S-1-5-21-3927575683-2371404712-2248107785-1007\Dc36.eml
c:\recycler\S-1-5-21-3927575683-2371404712-2248107785-1007\Dc37.eml
c:\recycler\S-1-5-21-3927575683-2371404712-2248107785-1007\Dc38.eml
c:\recycler\S-1-5-21-3927575683-2371404712-2248107785-1007\Dc39.eml
c:\recycler\S-1-5-21-3927575683-2371404712-2248107785-1007\Dc40.eml
c:\recycler\S-1-5-21-3927575683-2371404712-2248107785-1007\Dc41.eml
c:\recycler\S-1-5-21-3927575683-2371404712-2248107785-1007\Dc42.eml
c:\recycler\S-1-5-21-3927575683-2371404712-2248107785-1007\Dc43.eml
c:\recycler\S-1-5-21-3927575683-2371404712-2248107785-1007\Dc44.url
c:\recycler\S-1-5-21-3927575683-2371404712-2248107785-1007\Dc45.url
c:\recycler\S-1-5-21-3927575683-2371404712-2248107785-1007\Dc46.url
c:\recycler\S-1-5-21-3927575683-2371404712-2248107785-1007\Dc47.url
c:\recycler\S-1-5-21-3927575683-2371404712-2248107785-1007\INFO2
c:\windows\IE4 Error Log.txt
c:\windows\system32\avwa.dll
c:\windows\system32\drivers\alohbbyr.sys
c:\windows\system32\drivers\tqsgpsar.sys
c:\windows\system32\skinboxer43.dll
C:\xcrashdump.dat
D:\Autorun.inf
d:\recycled\Warning.bmp

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_TQSGPSAR
-------\Service_tqsgpsar


((((((((((((((((((((((((( Files Created from 2009-04-18 to 2009-05-18 )))))))))))))))))))))))))))))))
.

2009-05-16 19:22 . 2002-03-06 16:36 40960 ------w c:\windows\system32\Stlhook.dll
2009-05-16 19:22 . 2002-01-24 15:23 13545 ------w c:\windows\system32\drivers\STLTRK2K.sys
2009-05-16 19:20 . 2009-05-16 19:20 -------- d-----w c:\program files\Common Files\SCM
2009-05-05 23:49 . 2009-05-05 23:49 -------- d-----w c:\documents and settings\Administrator\Local Settings\Application Data\Identities
2009-05-03 15:38 . 2009-05-16 19:13 -------- d--h--w C:\$AVG8.VAULT$
2009-05-03 15:31 . 2009-05-03 15:31 11952 ----a-w c:\windows\system32\avgrsstx.dll
2009-05-03 15:31 . 2009-05-03 15:31 108552 ----a-w c:\windows\system32\drivers\avgtdix.sys
2009-05-03 15:31 . 2009-05-03 15:31 325896 ----a-w c:\windows\system32\drivers\avgldx86.sys
2009-05-03 15:31 . 2009-05-18 13:52 -------- d-----w c:\windows\system32\drivers\Avg
2009-05-03 15:31 . 2009-05-04 13:56 -------- d-----w c:\documents and settings\Compaq_Administrator.JSM43PC\Application Data\AVGTOOLBAR
2009-05-03 15:31 . 2009-05-03 15:31 -------- d-----w c:\program files\AVG
2009-05-03 15:31 . 2009-05-16 19:18 -------- d-----w c:\documents and settings\All Users\Application Data\avg8
2009-05-03 14:39 . 2009-03-06 14:22 284160 ------w c:\windows\system32\dllcache\pdh.dll
2009-05-03 14:39 . 2009-02-09 12:10 401408 ------w c:\windows\system32\dllcache\rpcss.dll
2009-05-03 14:39 . 2009-02-06 11:11 110592 ------w c:\windows\system32\dllcache\services.exe
2009-05-03 14:39 . 2009-02-09 12:10 473600 ------w c:\windows\system32\dllcache\fastprox.dll
2009-05-03 14:39 . 2009-02-06 10:10 227840 ------w c:\windows\system32\dllcache\wmiprvse.exe
2009-05-03 14:39 . 2009-02-09 12:10 453120 ------w c:\windows\system32\dllcache\wmiprvsd.dll
2009-05-03 14:39 . 2009-02-09 12:10 729088 ------w c:\windows\system32\dllcache\lsasrv.dll
2009-05-03 14:39 . 2009-02-09 12:10 617472 ------w c:\windows\system32\dllcache\advapi32.dll
2009-05-03 14:39 . 2009-02-09 12:10 714752 ------w c:\windows\system32\dllcache\ntdll.dll
2009-05-03 14:36 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll
2009-05-03 14:36 . 2008-04-21 12:08 215552 ------w c:\windows\system32\dllcache\wordpad.exe
2009-05-03 14:23 . 2009-05-03 14:23 -------- d-----w c:\program files\Sun
2009-05-03 14:22 . 2009-05-03 14:22 -------- d-----w c:\program files\Apple Software Update
2009-05-03 14:22 . 2009-05-03 14:22 -------- d-----w c:\documents and settings\All Users\Application Data\Apple
2009-05-03 14:21 . 2009-05-03 14:21 -------- d-----w c:\documents and settings\Compaq_Administrator.JSM43PC\Local Settings\Application Data\Google
2009-05-03 14:21 . 2009-05-03 14:21 -------- d-----w c:\documents and settings\All Users\Application Data\Yahoo! Companion
2009-05-03 14:21 . 2009-05-03 14:21 -------- d-----w c:\program files\Symantec
2009-05-03 14:21 . 2009-05-03 14:21 -------- d-----w c:\windows\E80F62FF5D3C4A1984099721F2928206.TMP
2009-04-30 03:52 . 2009-05-03 14:21 -------- d-----w c:\documents and settings\Compaq_Administrator.JSM43PC\Application Data\SpyProtector
2009-04-30 03:22 . 2009-05-03 14:21 -------- d-----w c:\documents and settings\Compaq_Administrator.JSM43PC\Application Data\MSNInstaller

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-18 18:21 . 2009-03-31 20:48 -------- d-----w c:\program files\Common
2009-05-16 19:29 . 2006-01-02 08:08 -------- d-----w c:\program files\Common Files\Adobe
2009-05-16 19:22 . 2006-01-02 08:17 -------- d--h--w c:\program files\InstallShield Installation Information
2009-05-16 17:41 . 2009-01-28 17:19 410984 ----a-w c:\windows\system32\deploytk.dll
2009-05-16 17:41 . 2006-01-02 07:32 -------- d-----w c:\program files\Java
2009-05-06 00:03 . 2008-06-22 02:43 -------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-05-03 16:22 . 2009-05-03 16:22 4720 ----a-w c:\windows\system32\PerfStringBackup.TMP
2009-05-03 14:24 . 2007-04-01 20:14 -------- d-----w c:\program files\Google
2009-04-29 16:34 . 2007-04-01 17:40 -------- d-----w c:\program files\Common Files\Symantec Shared
2009-04-01 00:51 . 2006-01-02 08:07 19368 ----a-w c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-01 00:35 . 2009-04-01 00:35 -------- d-----w c:\program files\MSBuild
2009-04-01 00:34 . 2009-04-01 00:34 -------- d-----w c:\program files\Reference Assemblies
2009-03-06 14:22 . 2006-10-27 18:02 284160 ----a-w c:\windows\system32\pdh.dll
2009-02-20 08:10 . 2006-10-28 01:04 666112 ----a-w c:\windows\system32\wininet.dll
2009-02-20 08:10 . 2006-10-27 18:01 81920 ----a-w c:\windows\system32\ieencode.dll
2008-11-15 02:00 . 2008-11-15 02:00 310 ---ha-w c:\program files\hpothb07.dat
2008-11-15 02:00 . 2008-11-15 02:00 521 ---ha-w c:\program files\hpothb07.tif
2007-01-21 23:04 . 2007-04-01 17:34 40798696 ----a-w c:\program files\NAV071420.exe
2006-12-11 02:07 . 2007-04-01 19:30 25755448 ----a-w c:\program files\wmp11-windowsxp-x86-enu.exe
2006-11-25 01:28 . 2007-04-01 19:31 1665 ----a-w c:\program files\WeatherBug.lnk
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-30 67584]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-05-10 7311360]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2005-07-23 237568]
"HPBootOp"="c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2006-02-16 249856]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"Share-to-Web Namespace Daemon"="c:\program files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2002-04-11 69632]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-05-03 1947928]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-05-16 148888]
"ftutil2"="ftutil2.dll" - c:\windows\system32\ftutil2.dll [2004-06-08 106496]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.EXE [2006-06-14 16239616]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2006-05-10 1519616]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Compaq Connections.lnk - c:\program files\Compaq Connections\5577497\Program\Compaq Connections.exe [2006-1-2 36903]
hp psc 2000 Series.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe [2002-6-27 323646]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-05-03 15:31 11952 ----a-w c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Compaq Connections\\5577497\\Program\\Compaq Connections.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\HP Games\\JEOPARDY\\JEOPARDY!.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [5/3/2009 11:31 AM 325896]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [5/3/2009 11:31 AM 108552]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [5/3/2009 11:31 AM 908568]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [5/3/2009 11:31 AM 298776]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - TQSGPSAR
*Deregistered* - tqsgpsar
.
Contents of the 'Scheduled Tasks' folder

2009-03-09 c:\windows\Tasks\FRU Task 2002-06-27 08:46ewlett-Packard2002-06-27 08:46p psc 2200 seriesF56855811176EC24C9B302F94878AD886AF77CFF228768365.job
- c:\program files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe [2002-06-27 06:46]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-ares ultra - c:\program files\Ares Ultra\Ares Ultra.exe
HKCU-RunOnce-Shockwave Updater - c:\windows\system32\Adobe\SHOCKW~1\SWHELP~1.EXE -Update -1100465 -Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; GTB5; .NET CLR 1.0.3705; .NET CLR 1.1.4322; Media Center PC 4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET
HKLM-Run-PCDrProfiler - (no file)
Notify-__c001BD2C - c:\windows\system32\__c001BD2C.dat


.
------- Supplementary Scan -------
.
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
uInternet Connection Wizard,ShellNext = iexplore
TCP: {09012135-7F3D-4AD2-B271-DA0BAF140ADD} = 198.190.226.3,198.190.226.30
FF - ProfilePath - c:\documents and settings\Compaq_Administrator.JSM43PC\Application Data\Mozilla\Firefox\Profiles\6l3u3hie.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - component: c:\program files\AVG\AVG8\ToolbarFF\components\vmAVGConnector.dll

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-18 14:30
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(736)
c:\windows\system32\msacm32.drv

- - - - - - - > 'explorer.exe'(4068)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\ehome\ehrecvr.exe
c:\windows\ehome\ehSched.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\HPZipm12.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\windows\ehome\mcrdsvc.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
c:\windows\ehome\ehmsas.exe
c:\windows\system32\wscntfy.exe
c:\program files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
c:\windows\system32\dllhost.exe
c:\program files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
c:\program files\Hewlett-Packard\Digital Imaging\bin\hposts08.exe
.
**************************************************************************
.
Completion time: 2009-05-18 14:37 - machine was rebooted
ComboFix-quarantined-files.txt 2009-05-18 18:37

Pre-Run: 93,866,651,648 bytes free
Post-Run: 95,881,854,976 bytes free

233 --- E O F --- 2009-05-14 03:57

I did not receive an notice RE: Windows Recovery Console when running the scan. I saved the site on my desktop and the scan log. P. S. I removed VirusRemover2009 1.0.9.0 before I ran the scan. forgot to mention that previously. Is everything complete that you requested me to do?
jsmac43
Regular Member
 
Posts: 24
Joined: May 6th, 2009, 3:26 pm

Re: Trojan Horse Back Door Generic 11.HXH Hi... I just used AVG

Unread postby jmw3 » May 18th, 2009, 10:54 pm

Hi
Is everything complete that you requested me to do?
Yes... that's fine. We'll move on to the next part. :)

CFScript
Close any open browsers.
Open notepad and copy/paste the text in the code box below into it:

Code: Select all
File::
c:\windows\E80F62FF5D3C4A1984099721F2928206.TMP
c:\program files\common\helper.dll
Folder::
c:\documents and settings\Compaq_Administrator.JSM43PC\Application Data\SpyProtector
c:\documents and settings\Compaq_Administrator.JSM43PC\Application Data\MSNInstaller
Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000000
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000000
DDS::
BHO: {8f09f081-3369-4250-b1a3-c6ef20a69798} - c:\windows\system32\avwa.dll
BHO: Browser Helper Object: {afd4ad01-58c1-47db-a404-fbe00a6c5486} - c:\program files\common\helper.dll
DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - hxxp://www.shockwave.com/content/bookwo ... v10_en.cab
Filter: text/html - {615cdc59-842b-499d-9c9f-133902e93601} -

Save this as CFScript.txt, in the same location as ComboFix.exe

Image

Refering to the picture above, drag CFScript into ComboFix.exe
When finished, it shall produce a log for you at "C:\ComboFix.txt"
Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall
A word of warning: Neither I nor sUBs are responsible for any damage you may cause to your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


Kaspersky Online Scan
Do an online scan with >Kaspersky Online Scanner<
  • Read through the requirements and privacy statement and click on Accept button
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run
  • When the downloads have finished, click on Settings
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
      Spyware, Adware, Dialers, and other potentially dangerous programs
      Archives
      Mail databases
  • Click on My Computer under Scan
  • Once the scan is complete, it will display the results. Click on View Scan Report
  • You will see a list of infected items there. Click on Save Report As...
  • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button
  • Please post this log in your next reply
Be patient with this scan. It can take quite a while sometimes.

To post in next reply:
Combofix log
Kaspersky Scan log
Update on how the computer is running
User avatar
jmw3
MRU Emeritus
MRU Emeritus
 
Posts: 4621
Joined: February 12th, 2008, 2:36 am
Location: Port Hedland, Western Australia

Re: Trojan Horse Back Door Generic 11.HXH Hi... I just used AVG

Unread postby jsmac43 » May 19th, 2009, 1:43 pm

I copied the info in Code box in Notepad and it's stored on my desktop. Now I'm confused... I dragged CFScript.txt from the black box in the instructions to ComboFix [red icon] on desktop. Is that the right place? And how will I know when it's done?

I went to C: programs and did not see "C:\ComboFix.txt" anywhere. There IS a ComboFix log on my desktop [tablet icon above] is that it? After finishing yesterday I checked Hide protected operating system again. Should I uncheck it before running the next scan?

You've been very patient with me and I'm so grateful. It's the silly easy stuff that throws me. Just checking to see if what I did is correct before going on. Pc is running better. Haven't seen the Trojan Horse warning since yesterday.
jsmac43
Regular Member
 
Posts: 24
Joined: May 6th, 2009, 3:26 pm
Advertisement
Register to Remove

Next

  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: pgmigg and 46 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware