ComboFix 09-05-17.08 - Compaq_Administrator 05/18/2009 14:21.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.446.130 [GMT -4:00]
Running from: c:\documents and settings\Compaq_Administrator.JSM43PC\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: Norton AntiVirus *enabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\docume~1\COMPAQ~1.JSM\LOCALS~1\Temp\IadHide5.dll
c:\documents and settings\Compaq_Administrator.JSM43PC\Application Data\AntiSpywareDAT
c:\documents and settings\Compaq_Administrator.JSM43PC\Application Data\AntiSpywareDAT\Scan_Log.txt
c:\documents and settings\Compaq_Administrator.JSM43PC\Local Settings\Temp\IadHide5.dll
c:\program files\Common\helper.sig
c:\recycler\S-1-5-21-3927575683-2371404712-2248107785-1007\Dc15.JPG
c:\recycler\S-1-5-21-3927575683-2371404712-2248107785-1007\Dc16.JPG
c:\recycler\S-1-5-21-3927575683-2371404712-2248107785-1007\Dc17.JPG
c:\recycler\S-1-5-21-3927575683-2371404712-2248107785-1007\Dc18.JPG
c:\recycler\S-1-5-21-3927575683-2371404712-2248107785-1007\Dc19.JPG
c:\recycler\S-1-5-21-3927575683-2371404712-2248107785-1007\Dc20.JPG
c:\recycler\S-1-5-21-3927575683-2371404712-2248107785-1007\Dc21.JPG
c:\recycler\S-1-5-21-3927575683-2371404712-2248107785-1007\Dc22.JPG
c:\recycler\S-1-5-21-3927575683-2371404712-2248107785-1007\Dc23.JPG
c:\recycler\S-1-5-21-3927575683-2371404712-2248107785-1007\Dc24.JPG
c:\recycler\S-1-5-21-3927575683-2371404712-2248107785-1007\Dc25.JPG
c:\recycler\S-1-5-21-3927575683-2371404712-2248107785-1007\Dc26.JPG
c:\recycler\S-1-5-21-3927575683-2371404712-2248107785-1007\Dc27.JPG
c:\recycler\S-1-5-21-3927575683-2371404712-2248107785-1007\Dc28.JPG
c:\recycler\S-1-5-21-3927575683-2371404712-2248107785-1007\Dc29.JPG
c:\recycler\S-1-5-21-3927575683-2371404712-2248107785-1007\Dc30.JPG
c:\recycler\S-1-5-21-3927575683-2371404712-2248107785-1007\Dc31.JPG
c:\recycler\S-1-5-21-3927575683-2371404712-2248107785-1007\Dc32.JPG
c:\recycler\S-1-5-21-3927575683-2371404712-2248107785-1007\Dc33.tif
c:\recycler\S-1-5-21-3927575683-2371404712-2248107785-1007\Dc34.tif
c:\recycler\S-1-5-21-3927575683-2371404712-2248107785-1007\Dc35.eml
c:\recycler\S-1-5-21-3927575683-2371404712-2248107785-1007\Dc36.eml
c:\recycler\S-1-5-21-3927575683-2371404712-2248107785-1007\Dc37.eml
c:\recycler\S-1-5-21-3927575683-2371404712-2248107785-1007\Dc38.eml
c:\recycler\S-1-5-21-3927575683-2371404712-2248107785-1007\Dc39.eml
c:\recycler\S-1-5-21-3927575683-2371404712-2248107785-1007\Dc40.eml
c:\recycler\S-1-5-21-3927575683-2371404712-2248107785-1007\Dc41.eml
c:\recycler\S-1-5-21-3927575683-2371404712-2248107785-1007\Dc42.eml
c:\recycler\S-1-5-21-3927575683-2371404712-2248107785-1007\Dc43.eml
c:\recycler\S-1-5-21-3927575683-2371404712-2248107785-1007\Dc44.url
c:\recycler\S-1-5-21-3927575683-2371404712-2248107785-1007\Dc45.url
c:\recycler\S-1-5-21-3927575683-2371404712-2248107785-1007\Dc46.url
c:\recycler\S-1-5-21-3927575683-2371404712-2248107785-1007\Dc47.url
c:\recycler\S-1-5-21-3927575683-2371404712-2248107785-1007\INFO2
c:\windows\IE4 Error Log.txt
c:\windows\system32\avwa.dll
c:\windows\system32\drivers\alohbbyr.sys
c:\windows\system32\drivers\tqsgpsar.sys
c:\windows\system32\skinboxer43.dll
C:\xcrashdump.dat
D:\Autorun.inf
d:\recycled\Warning.bmp
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_TQSGPSAR
-------\Service_tqsgpsar
((((((((((((((((((((((((( Files Created from 2009-04-18 to 2009-05-18 )))))))))))))))))))))))))))))))
.
2009-05-16 19:22 . 2002-03-06 16:36 40960 ------w c:\windows\system32\Stlhook.dll
2009-05-16 19:22 . 2002-01-24 15:23 13545 ------w c:\windows\system32\drivers\STLTRK2K.sys
2009-05-16 19:20 . 2009-05-16 19:20 -------- d-----w c:\program files\Common Files\SCM
2009-05-05 23:49 . 2009-05-05 23:49 -------- d-----w c:\documents and settings\Administrator\Local Settings\Application Data\Identities
2009-05-03 15:38 . 2009-05-16 19:13 -------- d--h--w C:\$AVG8.VAULT$
2009-05-03 15:31 . 2009-05-03 15:31 11952 ----a-w c:\windows\system32\avgrsstx.dll
2009-05-03 15:31 . 2009-05-03 15:31 108552 ----a-w c:\windows\system32\drivers\avgtdix.sys
2009-05-03 15:31 . 2009-05-03 15:31 325896 ----a-w c:\windows\system32\drivers\avgldx86.sys
2009-05-03 15:31 . 2009-05-18 13:52 -------- d-----w c:\windows\system32\drivers\Avg
2009-05-03 15:31 . 2009-05-04 13:56 -------- d-----w c:\documents and settings\Compaq_Administrator.JSM43PC\Application Data\AVGTOOLBAR
2009-05-03 15:31 . 2009-05-03 15:31 -------- d-----w c:\program files\AVG
2009-05-03 15:31 . 2009-05-16 19:18 -------- d-----w c:\documents and settings\All Users\Application Data\avg8
2009-05-03 14:39 . 2009-03-06 14:22 284160 ------w c:\windows\system32\dllcache\pdh.dll
2009-05-03 14:39 . 2009-02-09 12:10 401408 ------w c:\windows\system32\dllcache\rpcss.dll
2009-05-03 14:39 . 2009-02-06 11:11 110592 ------w c:\windows\system32\dllcache\services.exe
2009-05-03 14:39 . 2009-02-09 12:10 473600 ------w c:\windows\system32\dllcache\fastprox.dll
2009-05-03 14:39 . 2009-02-06 10:10 227840 ------w c:\windows\system32\dllcache\wmiprvse.exe
2009-05-03 14:39 . 2009-02-09 12:10 453120 ------w c:\windows\system32\dllcache\wmiprvsd.dll
2009-05-03 14:39 . 2009-02-09 12:10 729088 ------w c:\windows\system32\dllcache\lsasrv.dll
2009-05-03 14:39 . 2009-02-09 12:10 617472 ------w c:\windows\system32\dllcache\advapi32.dll
2009-05-03 14:39 . 2009-02-09 12:10 714752 ------w c:\windows\system32\dllcache\ntdll.dll
2009-05-03 14:36 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll
2009-05-03 14:36 . 2008-04-21 12:08 215552 ------w c:\windows\system32\dllcache\wordpad.exe
2009-05-03 14:23 . 2009-05-03 14:23 -------- d-----w c:\program files\Sun
2009-05-03 14:22 . 2009-05-03 14:22 -------- d-----w c:\program files\Apple Software Update
2009-05-03 14:22 . 2009-05-03 14:22 -------- d-----w c:\documents and settings\All Users\Application Data\Apple
2009-05-03 14:21 . 2009-05-03 14:21 -------- d-----w c:\documents and settings\Compaq_Administrator.JSM43PC\Local Settings\Application Data\Google
2009-05-03 14:21 . 2009-05-03 14:21 -------- d-----w c:\documents and settings\All Users\Application Data\Yahoo! Companion
2009-05-03 14:21 . 2009-05-03 14:21 -------- d-----w c:\program files\Symantec
2009-05-03 14:21 . 2009-05-03 14:21 -------- d-----w c:\windows\E80F62FF5D3C4A1984099721F2928206.TMP
2009-04-30 03:52 . 2009-05-03 14:21 -------- d-----w c:\documents and settings\Compaq_Administrator.JSM43PC\Application Data\SpyProtector
2009-04-30 03:22 . 2009-05-03 14:21 -------- d-----w c:\documents and settings\Compaq_Administrator.JSM43PC\Application Data\MSNInstaller
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-18 18:21 . 2009-03-31 20:48 -------- d-----w c:\program files\Common
2009-05-16 19:29 . 2006-01-02 08:08 -------- d-----w c:\program files\Common Files\Adobe
2009-05-16 19:22 . 2006-01-02 08:17 -------- d--h--w c:\program files\InstallShield Installation Information
2009-05-16 17:41 . 2009-01-28 17:19 410984 ----a-w c:\windows\system32\deploytk.dll
2009-05-16 17:41 . 2006-01-02 07:32 -------- d-----w c:\program files\Java
2009-05-06 00:03 . 2008-06-22 02:43 -------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-05-03 16:22 . 2009-05-03 16:22 4720 ----a-w c:\windows\system32\PerfStringBackup.TMP
2009-05-03 14:24 . 2007-04-01 20:14 -------- d-----w c:\program files\Google
2009-04-29 16:34 . 2007-04-01 17:40 -------- d-----w c:\program files\Common Files\Symantec Shared
2009-04-01 00:51 . 2006-01-02 08:07 19368 ----a-w c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-01 00:35 . 2009-04-01 00:35 -------- d-----w c:\program files\MSBuild
2009-04-01 00:34 . 2009-04-01 00:34 -------- d-----w c:\program files\Reference Assemblies
2009-03-06 14:22 . 2006-10-27 18:02 284160 ----a-w c:\windows\system32\pdh.dll
2009-02-20 08:10 . 2006-10-28 01:04 666112 ----a-w c:\windows\system32\wininet.dll
2009-02-20 08:10 . 2006-10-27 18:01 81920 ----a-w c:\windows\system32\ieencode.dll
2008-11-15 02:00 . 2008-11-15 02:00 310 ---ha-w c:\program files\hpothb07.dat
2008-11-15 02:00 . 2008-11-15 02:00 521 ---ha-w c:\program files\hpothb07.tif
2007-01-21 23:04 . 2007-04-01 17:34 40798696 ----a-w c:\program files\NAV071420.exe
2006-12-11 02:07 . 2007-04-01 19:30 25755448 ----a-w c:\program files\wmp11-windowsxp-x86-enu.exe
2006-11-25 01:28 . 2007-04-01 19:31 1665 ----a-w c:\program files\WeatherBug.lnk
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-30 67584]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-05-10 7311360]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2005-07-23 237568]
"HPBootOp"="c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2006-02-16 249856]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"Share-to-Web Namespace Daemon"="c:\program files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2002-04-11 69632]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-05-03 1947928]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-05-16 148888]
"ftutil2"="ftutil2.dll" - c:\windows\system32\ftutil2.dll [2004-06-08 106496]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.EXE [2006-06-14 16239616]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2006-05-10 1519616]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Compaq Connections.lnk - c:\program files\Compaq Connections\5577497\Program\Compaq Connections.exe [2006-1-2 36903]
hp psc 2000 Series.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe [2002-6-27 323646]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-05-03 15:31 11952 ----a-w c:\windows\system32\avgrsstx.dll
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Compaq Connections\\5577497\\Program\\Compaq Connections.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\HP Games\\JEOPARDY\\JEOPARDY!.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [5/3/2009 11:31 AM 325896]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [5/3/2009 11:31 AM 108552]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [5/3/2009 11:31 AM 908568]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [5/3/2009 11:31 AM 298776]
--- Other Services/Drivers In Memory ---
*NewlyCreated* - TQSGPSAR
*Deregistered* - tqsgpsar
.
Contents of the 'Scheduled Tasks' folder
2009-03-09 c:\windows\Tasks\FRU Task 2002-06-27 08:46ewlett-Packard2002-06-27 08:46p psc 2200 seriesF56855811176EC24C9B302F94878AD886AF77CFF228768365.job
- c:\program files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe [2002-06-27 06:46]
.
- - - - ORPHANS REMOVED - - - -
HKCU-Run-ares ultra - c:\program files\Ares Ultra\Ares Ultra.exe
HKCU-RunOnce-Shockwave Updater - c:\windows\system32\Adobe\SHOCKW~1\SWHELP~1.EXE -Update -1100465 -Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; GTB5; .NET CLR 1.0.3705; .NET CLR 1.1.4322; Media Center PC 4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET
HKLM-Run-PCDrProfiler - (no file)
Notify-__c001BD2C - c:\windows\system32\__c001BD2C.dat
.
------- Supplementary Scan -------
.
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
uInternet Connection Wizard,ShellNext = iexplore
TCP: {09012135-7F3D-4AD2-B271-DA0BAF140ADD} = 198.190.226.3,198.190.226.30
FF - ProfilePath - c:\documents and settings\Compaq_Administrator.JSM43PC\Application Data\Mozilla\Firefox\Profiles\6l3u3hie.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - component: c:\program files\AVG\AVG8\ToolbarFF\components\vmAVGConnector.dll
---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
http://www.gmer.net
Rootkit scan 2009-05-18 14:30
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(736)
c:\windows\system32\msacm32.drv
- - - - - - - > 'explorer.exe'(4068)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\ehome\ehrecvr.exe
c:\windows\ehome\ehSched.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\HPZipm12.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\windows\ehome\mcrdsvc.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
c:\windows\ehome\ehmsas.exe
c:\windows\system32\wscntfy.exe
c:\program files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
c:\windows\system32\dllhost.exe
c:\program files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
c:\program files\Hewlett-Packard\Digital Imaging\bin\hposts08.exe
.
**************************************************************************
.
Completion time: 2009-05-18 14:37 - machine was rebooted
ComboFix-quarantined-files.txt 2009-05-18 18:37
Pre-Run: 93,866,651,648 bytes free
Post-Run: 95,881,854,976 bytes free
233 --- E O F --- 2009-05-14 03:57
--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0 REPORT
Wednesday, May 20, 2009
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Wednesday, May 20, 2009 14:40:19
Records in database: 2204527
--------------------------------------------------------------------------------
Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes
Scan area - My Computer:
C:\
D:\
E:\
Scan statistics:
Files scanned: 110113
Threat name: 3
Infected objects: 6
Suspicious objects: 0
Duration of the scan: 02:35:40
File name / Threat name / Threats count
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\_tqsgpsar_.sys.zip Infected: Trojan.Win32.BHO.ext 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\_avwa_.dll.zip Infected: Rootkit.Win32.Podnuha.cbs 1
D:\I386\APPS\APP08793\src\CompaqPresario_Spring06.exe Infected: not-a-virus:AdWare.Win32.WeatherBug.a 2
D:\I386\APPS\APP08793\src\HPPavillion_Spring06.exe Infected: not-a-virus:AdWare.Win32.WeatherBug.a 2
The selected area was scanned.