Free Malware Removal Forum

[jsmac43]

Disregard previous reply. I have the CFScript & ComboFix log saved on my desktop. Will tackle Kaspersky scan later today or tomorrow. Sorry about my confusion.

[jmw3]

OK... no worries

[jsmac43]

ComboFix 09-05-17.08 - Compaq_Administrator 05/18/2009 14:21.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.446.130 [GMT -4:00]
Running from: c:\documents and settings\Compaq_Administrator.JSM43PC\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: Norton AntiVirus *enabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\COMPAQ~1.JSM\LOCALS~1\Temp\IadHide5.dll
c:\documents and settings\Compaq_Administrator.JSM43PC\Application Data\AntiSpywareDAT
c:\documents and settings\Compaq_Administrator.JSM43PC\Application Data\AntiSpywareDAT\Scan_Log.txt
c:\documents and settings\Compaq_Administrator.JSM43PC\Local Settings\Temp\IadHide5.dll
c:\program files\Common\helper.sig
c:\recycler\S-1-5-21-3927575683-2371404712-2248107785-1007\Dc15.JPG
c:\recycler\S-1-5-21-3927575683-2371404712-2248107785-1007\Dc16.JPG
c:\recycler\S-1-5-21-3927575683-2371404712-2248107785-1007\Dc17.JPG
c:\recycler\S-1-5-21-3927575683-2371404712-2248107785-1007\Dc18.JPG
c:\recycler\S-1-5-21-3927575683-2371404712-2248107785-1007\Dc19.JPG
c:\recycler\S-1-5-21-3927575683-2371404712-2248107785-1007\Dc20.JPG
c:\recycler\S-1-5-21-3927575683-2371404712-2248107785-1007\Dc21.JPG
c:\recycler\S-1-5-21-3927575683-2371404712-2248107785-1007\Dc22.JPG
c:\recycler\S-1-5-21-3927575683-2371404712-2248107785-1007\Dc23.JPG
c:\recycler\S-1-5-21-3927575683-2371404712-2248107785-1007\Dc24.JPG
c:\recycler\S-1-5-21-3927575683-2371404712-2248107785-1007\Dc25.JPG
c:\recycler\S-1-5-21-3927575683-2371404712-2248107785-1007\Dc26.JPG
c:\recycler\S-1-5-21-3927575683-2371404712-2248107785-1007\Dc27.JPG
c:\recycler\S-1-5-21-3927575683-2371404712-2248107785-1007\Dc28.JPG
c:\recycler\S-1-5-21-3927575683-2371404712-2248107785-1007\Dc29.JPG
c:\recycler\S-1-5-21-3927575683-2371404712-2248107785-1007\Dc30.JPG
c:\recycler\S-1-5-21-3927575683-2371404712-2248107785-1007\Dc31.JPG
c:\recycler\S-1-5-21-3927575683-2371404712-2248107785-1007\Dc32.JPG
c:\recycler\S-1-5-21-3927575683-2371404712-2248107785-1007\Dc33.tif
c:\recycler\S-1-5-21-3927575683-2371404712-2248107785-1007\Dc34.tif
c:\recycler\S-1-5-21-3927575683-2371404712-2248107785-1007\Dc35.eml
c:\recycler\S-1-5-21-3927575683-2371404712-2248107785-1007\Dc36.eml
c:\recycler\S-1-5-21-3927575683-2371404712-2248107785-1007\Dc37.eml
c:\recycler\S-1-5-21-3927575683-2371404712-2248107785-1007\Dc38.eml
c:\recycler\S-1-5-21-3927575683-2371404712-2248107785-1007\Dc39.eml
c:\recycler\S-1-5-21-3927575683-2371404712-2248107785-1007\Dc40.eml
c:\recycler\S-1-5-21-3927575683-2371404712-2248107785-1007\Dc41.eml
c:\recycler\S-1-5-21-3927575683-2371404712-2248107785-1007\Dc42.eml
c:\recycler\S-1-5-21-3927575683-2371404712-2248107785-1007\Dc43.eml
c:\recycler\S-1-5-21-3927575683-2371404712-2248107785-1007\Dc44.url
c:\recycler\S-1-5-21-3927575683-2371404712-2248107785-1007\Dc45.url
c:\recycler\S-1-5-21-3927575683-2371404712-2248107785-1007\Dc46.url
c:\recycler\S-1-5-21-3927575683-2371404712-2248107785-1007\Dc47.url
c:\recycler\S-1-5-21-3927575683-2371404712-2248107785-1007\INFO2
c:\windows\IE4 Error Log.txt
c:\windows\system32\avwa.dll
c:\windows\system32\drivers\alohbbyr.sys
c:\windows\system32\drivers\tqsgpsar.sys
c:\windows\system32\skinboxer43.dll
C:\xcrashdump.dat
D:\Autorun.inf
d:\recycled\Warning.bmp

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_TQSGPSAR
-------\Service_tqsgpsar


((((((((((((((((((((((((( Files Created from 2009-04-18 to 2009-05-18 )))))))))))))))))))))))))))))))
.

2009-05-16 19:22 . 2002-03-06 16:36 40960 ------w c:\windows\system32\Stlhook.dll
2009-05-16 19:22 . 2002-01-24 15:23 13545 ------w c:\windows\system32\drivers\STLTRK2K.sys
2009-05-16 19:20 . 2009-05-16 19:20 -------- d-----w c:\program files\Common Files\SCM
2009-05-05 23:49 . 2009-05-05 23:49 -------- d-----w c:\documents and settings\Administrator\Local Settings\Application Data\Identities
2009-05-03 15:38 . 2009-05-16 19:13 -------- d--h--w C:\$AVG8.VAULT$
2009-05-03 15:31 . 2009-05-03 15:31 11952 ----a-w c:\windows\system32\avgrsstx.dll
2009-05-03 15:31 . 2009-05-03 15:31 108552 ----a-w c:\windows\system32\drivers\avgtdix.sys
2009-05-03 15:31 . 2009-05-03 15:31 325896 ----a-w c:\windows\system32\drivers\avgldx86.sys
2009-05-03 15:31 . 2009-05-18 13:52 -------- d-----w c:\windows\system32\drivers\Avg
2009-05-03 15:31 . 2009-05-04 13:56 -------- d-----w c:\documents and settings\Compaq_Administrator.JSM43PC\Application Data\AVGTOOLBAR
2009-05-03 15:31 . 2009-05-03 15:31 -------- d-----w c:\program files\AVG
2009-05-03 15:31 . 2009-05-16 19:18 -------- d-----w c:\documents and settings\All Users\Application Data\avg8
2009-05-03 14:39 . 2009-03-06 14:22 284160 ------w c:\windows\system32\dllcache\pdh.dll
2009-05-03 14:39 . 2009-02-09 12:10 401408 ------w c:\windows\system32\dllcache\rpcss.dll
2009-05-03 14:39 . 2009-02-06 11:11 110592 ------w c:\windows\system32\dllcache\services.exe
2009-05-03 14:39 . 2009-02-09 12:10 473600 ------w c:\windows\system32\dllcache\fastprox.dll
2009-05-03 14:39 . 2009-02-06 10:10 227840 ------w c:\windows\system32\dllcache\wmiprvse.exe
2009-05-03 14:39 . 2009-02-09 12:10 453120 ------w c:\windows\system32\dllcache\wmiprvsd.dll
2009-05-03 14:39 . 2009-02-09 12:10 729088 ------w c:\windows\system32\dllcache\lsasrv.dll
2009-05-03 14:39 . 2009-02-09 12:10 617472 ------w c:\windows\system32\dllcache\advapi32.dll
2009-05-03 14:39 . 2009-02-09 12:10 714752 ------w c:\windows\system32\dllcache\ntdll.dll
2009-05-03 14:36 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll
2009-05-03 14:36 . 2008-04-21 12:08 215552 ------w c:\windows\system32\dllcache\wordpad.exe
2009-05-03 14:23 . 2009-05-03 14:23 -------- d-----w c:\program files\Sun
2009-05-03 14:22 . 2009-05-03 14:22 -------- d-----w c:\program files\Apple Software Update
2009-05-03 14:22 . 2009-05-03 14:22 -------- d-----w c:\documents and settings\All Users\Application Data\Apple
2009-05-03 14:21 . 2009-05-03 14:21 -------- d-----w c:\documents and settings\Compaq_Administrator.JSM43PC\Local Settings\Application Data\Google
2009-05-03 14:21 . 2009-05-03 14:21 -------- d-----w c:\documents and settings\All Users\Application Data\Yahoo! Companion
2009-05-03 14:21 . 2009-05-03 14:21 -------- d-----w c:\program files\Symantec
2009-05-03 14:21 . 2009-05-03 14:21 -------- d-----w c:\windows\E80F62FF5D3C4A1984099721F2928206.TMP
2009-04-30 03:52 . 2009-05-03 14:21 -------- d-----w c:\documents and settings\Compaq_Administrator.JSM43PC\Application Data\SpyProtector
2009-04-30 03:22 . 2009-05-03 14:21 -------- d-----w c:\documents and settings\Compaq_Administrator.JSM43PC\Application Data\MSNInstaller

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-18 18:21 . 2009-03-31 20:48 -------- d-----w c:\program files\Common
2009-05-16 19:29 . 2006-01-02 08:08 -------- d-----w c:\program files\Common Files\Adobe
2009-05-16 19:22 . 2006-01-02 08:17 -------- d--h--w c:\program files\InstallShield Installation Information
2009-05-16 17:41 . 2009-01-28 17:19 410984 ----a-w c:\windows\system32\deploytk.dll
2009-05-16 17:41 . 2006-01-02 07:32 -------- d-----w c:\program files\Java
2009-05-06 00:03 . 2008-06-22 02:43 -------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-05-03 16:22 . 2009-05-03 16:22 4720 ----a-w c:\windows\system32\PerfStringBackup.TMP
2009-05-03 14:24 . 2007-04-01 20:14 -------- d-----w c:\program files\Google
2009-04-29 16:34 . 2007-04-01 17:40 -------- d-----w c:\program files\Common Files\Symantec Shared
2009-04-01 00:51 . 2006-01-02 08:07 19368 ----a-w c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-01 00:35 . 2009-04-01 00:35 -------- d-----w c:\program files\MSBuild
2009-04-01 00:34 . 2009-04-01 00:34 -------- d-----w c:\program files\Reference Assemblies
2009-03-06 14:22 . 2006-10-27 18:02 284160 ----a-w c:\windows\system32\pdh.dll
2009-02-20 08:10 . 2006-10-28 01:04 666112 ----a-w c:\windows\system32\wininet.dll
2009-02-20 08:10 . 2006-10-27 18:01 81920 ----a-w c:\windows\system32\ieencode.dll
2008-11-15 02:00 . 2008-11-15 02:00 310 ---ha-w c:\program files\hpothb07.dat
2008-11-15 02:00 . 2008-11-15 02:00 521 ---ha-w c:\program files\hpothb07.tif
2007-01-21 23:04 . 2007-04-01 17:34 40798696 ----a-w c:\program files\NAV071420.exe
2006-12-11 02:07 . 2007-04-01 19:30 25755448 ----a-w c:\program files\wmp11-windowsxp-x86-enu.exe
2006-11-25 01:28 . 2007-04-01 19:31 1665 ----a-w c:\program files\WeatherBug.lnk
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-30 67584]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-05-10 7311360]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2005-07-23 237568]
"HPBootOp"="c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2006-02-16 249856]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"Share-to-Web Namespace Daemon"="c:\program files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2002-04-11 69632]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-05-03 1947928]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-05-16 148888]
"ftutil2"="ftutil2.dll" - c:\windows\system32\ftutil2.dll [2004-06-08 106496]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.EXE [2006-06-14 16239616]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2006-05-10 1519616]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Compaq Connections.lnk - c:\program files\Compaq Connections\5577497\Program\Compaq Connections.exe [2006-1-2 36903]
hp psc 2000 Series.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe [2002-6-27 323646]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-05-03 15:31 11952 ----a-w c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Compaq Connections\\5577497\\Program\\Compaq Connections.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\HP Games\\JEOPARDY\\JEOPARDY!.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [5/3/2009 11:31 AM 325896]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [5/3/2009 11:31 AM 108552]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [5/3/2009 11:31 AM 908568]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [5/3/2009 11:31 AM 298776]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - TQSGPSAR
*Deregistered* - tqsgpsar
.
Contents of the 'Scheduled Tasks' folder

2009-03-09 c:\windows\Tasks\FRU Task 2002-06-27 08:46ewlett-Packard2002-06-27 08:46p psc 2200 seriesF56855811176EC24C9B302F94878AD886AF77CFF228768365.job
- c:\program files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe [2002-06-27 06:46]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-ares ultra - c:\program files\Ares Ultra\Ares Ultra.exe
HKCU-RunOnce-Shockwave Updater - c:\windows\system32\Adobe\SHOCKW~1\SWHELP~1.EXE -Update -1100465 -Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; GTB5; .NET CLR 1.0.3705; .NET CLR 1.1.4322; Media Center PC 4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET
HKLM-Run-PCDrProfiler - (no file)
Notify-__c001BD2C - c:\windows\system32\__c001BD2C.dat


.
------- Supplementary Scan -------
.
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
uInternet Connection Wizard,ShellNext = iexplore
TCP: {09012135-7F3D-4AD2-B271-DA0BAF140ADD} = 198.190.226.3,198.190.226.30
FF - ProfilePath - c:\documents and settings\Compaq_Administrator.JSM43PC\Application Data\Mozilla\Firefox\Profiles\6l3u3hie.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - component: c:\program files\AVG\AVG8\ToolbarFF\components\vmAVGConnector.dll

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-18 14:30
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(736)
c:\windows\system32\msacm32.drv

- - - - - - - > 'explorer.exe'(4068)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\ehome\ehrecvr.exe
c:\windows\ehome\ehSched.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\HPZipm12.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\windows\ehome\mcrdsvc.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
c:\windows\ehome\ehmsas.exe
c:\windows\system32\wscntfy.exe
c:\program files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
c:\windows\system32\dllhost.exe
c:\program files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
c:\program files\Hewlett-Packard\Digital Imaging\bin\hposts08.exe
.
**************************************************************************
.
Completion time: 2009-05-18 14:37 - machine was rebooted
ComboFix-quarantined-files.txt 2009-05-18 18:37

Pre-Run: 93,866,651,648 bytes free
Post-Run: 95,881,854,976 bytes free

233 --- E O F --- 2009-05-14 03:57
--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0 REPORT
Wednesday, May 20, 2009
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Wednesday, May 20, 2009 14:40:19
Records in database: 2204527
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\

Scan statistics:
Files scanned: 110113
Threat name: 3
Infected objects: 6
Suspicious objects: 0
Duration of the scan: 02:35:40


File name / Threat name / Threats count
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\_tqsgpsar_.sys.zip Infected: Trojan.Win32.BHO.ext 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\_avwa_.dll.zip Infected: Rootkit.Win32.Podnuha.cbs 1
D:\I386\APPS\APP08793\src\CompaqPresario_Spring06.exe Infected: not-a-virus:AdWare.Win32.WeatherBug.a 2
D:\I386\APPS\APP08793\src\HPPavillion_Spring06.exe Infected: not-a-virus:AdWare.Win32.WeatherBug.a 2

The selected area was scanned.

[jsmac43]

Just posted ComboFix and Kaspersky scan logs. I'm noticing I have to open your messages to view the lastest posts several times before it will open. I have to go back to previous saved messages and have beter luck opening your site from them. Computer is definitely running better but I'm sure there is a lot to clean up yet. I noticed Symantec in my programs. Is that conflicting with AVG or compatable?

[jmw3]

Hi

Hate to tell you this but the Combofix log you posted is from the first run of Combofix. I need to see the log after the CFScript. The latest log should be saved at C:\ComboFix.txt. I would also like to to see the contents of the following log: C:\Qoobox\ComboFix-quarantined-files.txt

I noticed Symantec in my programs. Is that conflicting with AVG or compatable?

If you no longer use the Symantec products, get rid of them as they will conflict. Go to this site & select the appropriate download: http://service1.symantec.com/Support/ts ... 3108162039

Update Adobe Reader
Recently there have been vunerabilities detected in older versions of Adobe Reader. It is strongly suggested that you update to the current version: Adobe Reader 9.1
You can download it from http://www.adobe.com/products/acrobat/readstep2.html
If you already have Adobe Photoshop® Album Starter Edition installed or do not wish to have it installed Uncheck the box which says Also Download Adobe Photoshop® Album Starter Edition.

Adobe 9 is a large program and if you prefer a smaller program you can get Foxit 3 instead from http://www.foxitsoftware.com/pdf/rd_intro.php

So if I could see the contents of that second Combofix log & the ComboFix-quarantined-files log please.

[jsmac43]

I have NO C:\ComboFix.txt in my computer. I check through C programs and did a "Search" and it is not in here. I must have done something wrong. Should I DELETE the icons on my desktop and start over and do a new scan?

[jmw3]

I have NO C:\ComboFix.txt in my computer. I check through C programs and did a "Search" and it is not in here. I must have done something wrong. Should I DELETE the icons on my desktop and start over and do a new scan?

Yes. Delete any logs you have saved on your desktop & delete Combofix.exe (just the desktop icon) then download it again:
Link 1
Link 2
Link 3
When the scan finishes DON'T save the log it will automatically save itself to C:\Combofix.txt

Post the contents of the log when done

[jsmac43]

I deleted ComboFix icons, log and script from my desktop. Went back and disabled my AVG antivirus and after I download ComboFix from Link 1 [I saed it to desktop but when I click on RUN I get an error notice.
Error: You cannot rename ComboFix as ComboFix [1]. Please use another name, preferably made up of alpha numeric characters. I never renamed anything, don't know how this is happening and what to do to run the download. HELP PLEASE!

[jmw3]

OK... do this:
Click Start > Run & copy/paste the following bolded text into the Run box and click OK:
ComboFix /u
This will completely remove Combofix. Then if you still have DDS on desktop do another scan with that & post the log.

[jsmac43]

I opened ComboFix from the desktop icon and it ran the scan. I got a log report but can only find it in Notepad. I'm sending it HOPING it's the right scan. If not I'll try again.
ComboFix 09-05-20.A1 - Compaq_Administrator 05/21/2009 14:15.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.446.130 [GMT -4:00]
Running from: c:\documents and settings\Compaq_Administrator.JSM43PC\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: Norton AntiVirus *enabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\COMPAQ~1.JSM\LOCALS~1\Temp\IadHide5.dll
c:\documents and settings\Compaq_Administrator.JSM43PC\Local Settings\Temp\IadHide5.dll
D:\Desktop.ini

.
((((((((((((((((((((((((( Files Created from 2009-04-21 to 2009-05-21 )))))))))))))))))))))))))))))))
.

2009-05-19 03:29 . 2002-03-06 16:36 40960 ------w c:\windows\system32\Stlhook.dll
2009-05-19 03:29 . 2002-01-24 15:23 13545 ------w c:\windows\system32\drivers\STLTRK2K.sys
2009-05-19 03:28 . 2009-05-19 03:28 -------- d-----w c:\program files\Common Files\SCM
2009-05-05 23:49 . 2009-05-05 23:49 -------- d-----w c:\documents and settings\Administrator\Local Settings\Application Data\Identities
2009-05-03 15:38 . 2009-05-16 19:13 -------- d--h--w C:\$AVG8.VAULT$
2009-05-03 15:31 . 2009-05-03 15:31 11952 ----a-w c:\windows\system32\avgrsstx.dll
2009-05-03 15:31 . 2009-05-03 15:31 108552 ----a-w c:\windows\system32\drivers\avgtdix.sys
2009-05-03 15:31 . 2009-05-03 15:31 325896 ----a-w c:\windows\system32\drivers\avgldx86.sys
2009-05-03 15:31 . 2009-05-21 12:43 -------- d-----w c:\windows\system32\drivers\Avg
2009-05-03 15:31 . 2009-05-04 13:56 -------- d-----w c:\documents and settings\Compaq_Administrator.JSM43PC\Application Data\AVGTOOLBAR
2009-05-03 15:31 . 2009-05-03 15:31 -------- d-----w c:\program files\AVG
2009-05-03 15:31 . 2009-05-16 19:18 -------- d-----w c:\documents and settings\All Users\Application Data\avg8
2009-05-03 14:39 . 2009-03-06 14:22 284160 ------w c:\windows\system32\dllcache\pdh.dll
2009-05-03 14:39 . 2009-02-09 12:10 401408 ------w c:\windows\system32\dllcache\rpcss.dll
2009-05-03 14:39 . 2009-02-06 11:11 110592 ------w c:\windows\system32\dllcache\services.exe
2009-05-03 14:39 . 2009-02-09 12:10 473600 ------w c:\windows\system32\dllcache\fastprox.dll
2009-05-03 14:39 . 2009-02-06 10:10 227840 ------w c:\windows\system32\dllcache\wmiprvse.exe
2009-05-03 14:39 . 2009-02-09 12:10 453120 ------w c:\windows\system32\dllcache\wmiprvsd.dll
2009-05-03 14:39 . 2009-02-09 12:10 729088 ------w c:\windows\system32\dllcache\lsasrv.dll
2009-05-03 14:39 . 2009-02-09 12:10 617472 ------w c:\windows\system32\dllcache\advapi32.dll
2009-05-03 14:39 . 2009-02-09 12:10 714752 ------w c:\windows\system32\dllcache\ntdll.dll
2009-05-03 14:36 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll
2009-05-03 14:36 . 2008-04-21 12:08 215552 ------w c:\windows\system32\dllcache\wordpad.exe
2009-05-03 14:23 . 2009-05-03 14:23 -------- d-----w c:\program files\Sun
2009-05-03 14:22 . 2009-05-03 14:22 -------- d-----w c:\program files\Apple Software Update
2009-05-03 14:22 . 2009-05-03 14:22 -------- d-----w c:\documents and settings\All Users\Application Data\Apple
2009-05-03 14:21 . 2009-05-03 14:21 -------- d-----w c:\documents and settings\Compaq_Administrator.JSM43PC\Local Settings\Application Data\Google
2009-05-03 14:21 . 2009-05-03 14:21 -------- d-----w c:\documents and settings\All Users\Application Data\Yahoo! Companion
2009-05-03 14:21 . 2009-05-03 14:21 -------- d-----w c:\program files\Symantec
2009-05-03 14:21 . 2009-05-03 14:21 -------- d-----w c:\windows\E80F62FF5D3C4A1984099721F2928206.TMP
2009-04-30 03:52 . 2009-05-03 14:21 -------- d-----w c:\documents and settings\Compaq_Administrator.JSM43PC\Application Data\SpyProtector
2009-04-30 03:22 . 2009-05-03 14:21 -------- d-----w c:\documents and settings\Compaq_Administrator.JSM43PC\Application Data\MSNInstaller

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-19 03:29 . 2006-01-02 08:17 -------- d--h--w c:\program files\InstallShield Installation Information
2009-05-18 18:21 . 2009-03-31 20:48 -------- d-----w c:\program files\Common
2009-05-16 19:29 . 2006-01-02 08:08 -------- d-----w c:\program files\Common Files\Adobe
2009-05-16 17:41 . 2009-01-28 17:19 410984 ----a-w c:\windows\system32\deploytk.dll
2009-05-16 17:41 . 2006-01-02 07:32 -------- d-----w c:\program files\Java
2009-05-06 00:03 . 2008-06-22 02:43 -------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-05-03 16:22 . 2009-05-03 16:22 4720 ----a-w c:\windows\system32\PerfStringBackup.TMP
2009-05-03 14:24 . 2007-04-01 20:14 -------- d-----w c:\program files\Google
2009-04-29 16:34 . 2007-04-01 17:40 -------- d-----w c:\program files\Common Files\Symantec Shared
2009-04-01 00:51 . 2006-01-02 08:07 19368 ----a-w c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-01 00:35 . 2009-04-01 00:35 -------- d-----w c:\program files\MSBuild
2009-04-01 00:34 . 2009-04-01 00:34 -------- d-----w c:\program files\Reference Assemblies
2009-03-06 14:22 . 2006-10-27 18:02 284160 ----a-w c:\windows\system32\pdh.dll
2008-11-15 02:00 . 2008-11-15 02:00 310 ---ha-w c:\program files\hpothb07.dat
2008-11-15 02:00 . 2008-11-15 02:00 521 ---ha-w c:\program files\hpothb07.tif
2007-01-21 23:04 . 2007-04-01 17:34 40798696 ----a-w c:\program files\NAV071420.exe
2006-12-11 02:07 . 2007-04-01 19:30 25755448 ----a-w c:\program files\wmp11-windowsxp-x86-enu.exe
2006-11-25 01:28 . 2007-04-01 19:31 1665 ----a-w c:\program files\WeatherBug.lnk
.

((((((((((((((((((((((((((((( SnapShot@2009-05-18_18.31.04 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-05-21 18:19 . 2009-05-21 18:19 16384 c:\windows\Temp\Perflib_Perfdata_2b0.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-30 67584]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-05-10 7311360]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2005-07-23 237568]
"HPBootOp"="c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2006-02-16 249856]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"Share-to-Web Namespace Daemon"="c:\program files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2002-04-11 69632]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-05-03 1947928]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-05-16 148888]
"ftutil2"="ftutil2.dll" - c:\windows\system32\ftutil2.dll [2004-06-08 106496]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.EXE [2006-06-14 16239616]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2006-05-10 1519616]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Compaq Connections.lnk - c:\program files\Compaq Connections\5577497\Program\Compaq Connections.exe [2006-1-2 36903]
hp psc 2000 Series.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe [2002-6-27 323646]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-05-03 15:31 11952 ----a-w c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Compaq Connections\\5577497\\Program\\Compaq Connections.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\HP Games\\JEOPARDY\\JEOPARDY!.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [5/3/2009 11:31 AM 325896]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [5/3/2009 11:31 AM 108552]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [5/3/2009 11:31 AM 908568]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [5/3/2009 11:31 AM 298776]
.
Contents of the 'Scheduled Tasks' folder

2009-03-09 c:\windows\Tasks\FRU Task 2002-06-27 08:46ewlett-Packard2002-06-27 08:46p psc 2200 seriesF56855811176EC24C9B302F94878AD886AF77CFF228768365.job
- c:\program files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe [2002-06-27 06:46]
.
.
------- Supplementary Scan -------
.
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
uInternet Connection Wizard,ShellNext = iexplore
TCP: {09012135-7F3D-4AD2-B271-DA0BAF140ADD} = 198.190.226.3,198.190.226.30
FF - ProfilePath - c:\documents and settings\Compaq_Administrator.JSM43PC\Application Data\Mozilla\Firefox\Profiles\6l3u3hie.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - component: c:\program files\AVG\AVG8\ToolbarFF\components\vmAVGConnector.dll

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-21 14:20
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3852)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\ehome\ehrecvr.exe
c:\windows\ehome\ehSched.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\nvsvc32.exe
c:\windows\ehome\mcrdsvc.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
c:\program files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
c:\windows\system32\wscntfy.exe
c:\windows\ehome\ehmsas.exe
c:\windows\system32\dllhost.exe
c:\program files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
c:\program files\Hewlett-Packard\Digital Imaging\bin\hposts08.exe
.
**************************************************************************
.
Completion time: 2009-05-21 14:27 - machine was rebooted
ComboFix-quarantined-files.txt 2009-05-21 18:27
ComboFix2.txt 2009-05-18 18:37

Pre-Run: 95,567,888,384 bytes free
Post-Run: 95,695,757,312 bytes free

177 --- E O F --- 2009-05-14 03:57

[jmw3]

Hi
Still a couple of things there I'm not happy with.

OTM
Download OTM by OldTimer Here & save it to your desktop.

• Double click on OTM.exe to run it
• Copy & paste the contents of the Code box below into Paste Instructions for Items to be Moved

Note: Do not type it out to minimize the risk of typo error

Code: Select all

:Files
c:\documents and settings\Compaq_Administrator.JSM43PC\Application Data\SpyProtector
c:\documents and settings\Compaq_Administrator.JSM43PC\Application Data\MSNInstaller
:Reg
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000000
:Commands
[Purity]
[EmptyTemp]
[Reboot]

• Click on MoveIt!
• When done, click on Exit

Note: If a file or folder can't be moved immediately, you may be asked to restart your computer. Choose Yes.
A log will be produced at C:\_OTM\MovedFiles\date_time.log, where date_time are numbers. Post this log in your next reply.

Malwarebytes' Anti-Malware
Download Malwarebytes' Anti-Malware here & save to your desktop.

• Double-click mbam-setup.exe & follow the prompts to install the program
• At the end, be sure a checkmark is placed next to:
  Update Malwarebytes' Anti-Malware
  Launch Malwarebytes' Anti-Malware
• Then click Finish
• If an update is found, it will download and install the latest version
• Once the program has loaded, select Perform full scan, then click Scan
• When the scan is complete, click OK, then Show Results to view the results
• Be sure that everything is checked, and click Remove Selected
• When completed, a log will open in Notepad. Please copy & paste the log back into your next reply
  Note:
• The log is automatically saved by Malwarebytes' Anti-Malware & can be viewed by clicking the Logs tab

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either & let Malwarebytes' Anti-Malware proceed with the disinfection process.
If asked to restart the computer, please do so. Failure to reboot will prevent MBAM from removing all the malware.
If you receive an (Error Loading) error on reboot please reboot a second time . It is normal for this error to occur once & does not need to be reported unless it returns on future reboots.

To post in next reply:
OTM log
Malwarebytes log
Update on how the computer is running

[jsmac43]

========== FILES ==========
c:\documents and settings\Compaq_Administrator.JSM43PC\Application Data\SpyProtector moved successfully.
c:\documents and settings\Compaq_Administrator.JSM43PC\Application Data\MSNInstaller moved successfully.
========== REGISTRY ==========
HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\\"DisableMonitoring"|dword:00000000 /E : value set successfully!
========== COMMANDS ==========
User's Temp folder emptied.
User's Internet Explorer cache folder emptied.
File delete failed. C:\Documents and Settings\Compaq_Administrator.JSM43PC\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
User's Temporary Internet Files folder emptied.
Local Service Temp folder emptied.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
Local Service Temporary Internet Files folder emptied.
Network Service Temp folder emptied.
Network Service Temporary Internet Files folder emptied.
File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_2b0.dat scheduled to be deleted on reboot.
Windows Temp folder emptied.
Java cache emptied.
FireFox cache emptied.
Temp folders emptied.

OTM by OldTimer - Version 2.1.0.0 log created on 05212009_161853

Files moved on Reboot...
File C:\WINDOWS\temp\Perflib_Perfdata_2b0.dat not found!

Registry entries deleted on Reboot...
Malwarebytes' Anti-Malware 1.36
Database version: 2164
Windows 5.1.2600 Service Pack 3

5/21/2009 7:45:36 PM
mbam-log-2009-05-21 (19-45-36).txt

Scan type: Full Scan (C:\|D:\|E:\|)
Objects scanned: 200353
Time elapsed: 1 hour(s), 48 minute(s), 55 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\main.bho.1 (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2 (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2.1 (Adware.PopCap) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Documents and Settings\Compaq_Administrator.JSM43PC\Start Menu\Programs\System Protector (Rogue.SystemProtector) -> Quarantined and deleted successfully.

Files Infected:
C:\Program Files\Online Services\PeoplePC\ISP5900\Utilities\AtlBrowser.exe (Dialer) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP16\A0002423.exe (Rogue.VirusRemover) -> Quarantined and deleted successfully.
C:\Documents and Settings\Compaq_Administrator.JSM43PC\Start Menu\Programs\System Protector\Purchase License.url (Rogue.SystemProtector) -> Quarantined and deleted successfully.
C:\Documents and Settings\Compaq_Administrator.JSM43PC\Start Menu\Programs\System Protector\Support Page.url (Rogue.SystemProtector) -> Quarantined and deleted successfully.

That last scan removed a lot of infections. Haven't used the computer enought to tell you any changes. yet. Will do so later. Will you let me know when I can/should delete all the icons for the 7 scans we ran. All the reports were posted to Malware Removal. Are you happy with these 2 new scans?

[jmw3]

Hi

That last scan removed a lot of infections.

Appear to be just left overs. Nothing to serious. Other than that logs look good.

Clean Up
Now we need to clear out the programs we've been using to clean up your computer, they are not suitable for general malware removal and could cause damage if used inappropriately.
Remove Combofix
The following will implement some cleanup procedures as well as reset System Restore points:
Click Start > Run then copy/paste the following bolded text into the Run box and click OK:
ComboFix /u

• Double-click OTM
• Click the CleanUp! button
• Select Yes when the Begin cleanup Process? prompt appears
• If you are prompted to Reboot during the cleanup, select Yes
• The tool will delete itself once it finishes, if not delete it yourself

You can delete the following from your desktop:
DDS.scr
Any logs that may have been saved to your desktop
You should also remove HijackThis. You can do this by clicking Start>Control Panel>Add or Remove Programs, highlight HijackThis 2.0.2 then click Remove
Open Malwarebytes Anti-Malware, click the Quarantine tab then Delete All. Exit the program.

Let me know if your having any problems.

[jsmac43]

This is not going well at all. I deleted ComboFix as you described. Double clicked on OTM and nothing happens. Went to my C drive and it searches for a long long time before it finally shows up. The Combo Fix icon on my desktop is gone but there is still a file folder in my C drive.

I deleted DDS.scr and saved logs on my desktop. I deleted HijackThis from add/remove And I opened Malware Anti Malware clicked Quarantine and Delete All and Exit. It's still on my desktop and in C: programs- file folder.

Should I delete the scan reports saved in Notepad? And what about Kaspersky and Virascan and GMER? The computer is running extremely slow now.

[jsmac43]

I decided to reboot. When I did OTC would not end it's program. THAT is what was causing the pc to run so slow. Odd thing though, there was nothing showing on the task bar that it was running. It finally closed when I hit End Program. I rebooted and it's running better.

I'm working a 10 hour job tomorrow. I need the mental break I think. I will check for messages in the morning. I forgot about updating Adobe Reader. Will do that soon.