Tech Support Forum: Resolved HJT Threads (resolved spyware and popup issues)
10-25-2009, 01:48 PM   #1
Registered User
Join Date: Oct 2009
Posts: 8
OS: Win XP Media Center Edition


Trojans, Malware & Rootkits!! Oh my!! Please help.

Hello,

This PC was infected over a month ago and has been festering ever since. Norton Anti-Virus 2007 was installed on the system, but the subscription had expired several months ago. I performed a Trend-Micro Housecall scan, but it crashed after completing the scan and did not save any kind of log file. I removed Norton System Works, WeatherBug, Zwinky, Mywebsearch along with a few other programs I cannot recall and installed AVG 8.0 with the current definitions. I have scanned in Safe Mode twice, but the system has crashed & restarted each time. I'm unaware of any removal or quarantine that has been performed. Whenever a scan is initiated after booting normally, the avgscan process is immediately terminated. A new user was created called "Compaq_Administrator". It is the only user I am able to boot with. There are redirects to webpages that I assume are associated with the malware when browsing the web. There seems to be some kind of fake antispyware malware, which used to pop up and state that the system is infected and you need to click here to fix it. The link was most likely clicked by the owner (a cousin of mine) but the problem persisted until after one of the safe mode scans. I apologize for the lack of detailed virus names; hopefully with your help I can resolve this. Thank you in advance for any help!!

As requested in the sticky, I have attached the .zip & here's the DDS log file:


DDS (Ver_09-10-24.04) - NTFSx86
Run by Compaq_Administrator at 14:49:16.21 on Sun 10/25/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.958.515 [GMT -4:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Outdated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\arservice.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\ARPWRMSG.EXE
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
C:\WINDOWS\system32\hphmon03.exe
C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\DISC\DISCover.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Compaq Connections\5577497\Program\Compaq Connections.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
C:\Program Files\DISC\DiscStreamHub.exe
C:\HP\KBD\KBD.EXE
c:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\wuauclt.exe
E:\dds.scr
C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com
uSearch Page = hxxp://www.google.com
uDefault_Search_URL = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mDefault_Page_URL = hxxp://www.google.com
mDefault_Search_URL = hxxp://www.google.com
mSearch Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
mSearch Bar = hxxp://www.google.com
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
mSearchAssistant = hxxp://www.google.com/ie
uURLSearchHooks: AIM Toolbar Search Class: {03402f96-3dc7-4285-bc50-9e81fefafe43} - c:\program files\aim toolbar\aimtb.dll
uURLSearchHooks: SweetIM For Internet Explorer: {bc4ffe41-de9f-46fa-b455-aad49b9f9938} - c:\program files\macrogaming\sweetimbarforie\toolbar.dll
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
uURLSearchHooks: ToolbarURLSearchHook Class: {ca3eb689-8f09-4026-aa10-b9534c691ce0} - c:\program files\fast browser search\ie\tbhelper.dll
mURLSearchHooks: AIM Toolbar Search Class: {03402f96-3dc7-4285-bc50-9e81fefafe43} - c:\program files\aim toolbar\aimtb.dll
mURLSearchHooks: SweetIM For Internet Explorer: {bc4ffe41-de9f-46fa-b455-aad49b9f9938} - c:\program files\macrogaming\sweetimbarforie\toolbar.dll
mURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\windows\system32\twext.exe,
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
{0ed403e8-470a-4a8a-85a4-d7688cfe39a3}
BHO: SWEETIE Class: {1a0aadcd-3a72-4b5f-900f-e3bb5a838e2a} - c:\progra~1\macrog~1\sweeti~1\toolbar.dll
BHO: AskBar BHO: {201f27d4-3704-41d6-89c1-aa35e39143ed} - c:\program files\askbardis\bar\bin\askBar.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: QWProtectBHO Class: {44b2c9f5-608d-46de-82e1-26c5bcb85193} - c:\documents and settings\all users\application data\ab\QWProtect.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
BHO: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: hpWebHelper Class: {aaae832a-5fff-4661-9c8f-369692d1dcb9} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\plugin\WebHelper.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\3.1.807.1746\swg.dll
BHO: Browser Helper Object: {afd4ad01-58c1-47db-a404-fbe00a6c5486} - c:\program files\shared\_lib.dll
BHO: AIM Toolbar Loader: {b0cda128-b425-4eef-a174-61a11ac5dbf8} - c:\program files\aim toolbar\aimtb.dll
BHO: Search Assistant: {f0626a63-410b-45e2-99a1-3f2475b2d695} - c:\program files\sgpsa\BHO.dll
TB: SweetIM For Internet Explorer: {bc4ffe41-de9f-46fa-b455-aad49b9f9938} - c:\program files\macrogaming\sweetimbarforie\toolbar.dll
TB: Veoh Browser Plug-in: {d0943516-5076-4020-a3b5-aefaf26ab263} - c:\program files\veoh networks\veoh\plugins\reg\VeohToolbar.dll
TB: Veoh Web Player Video Finder: {0fbb9689-d3d7-4f7a-a2e2-585b10099bfc} - c:\program files\veoh networks\veohwebplayer\VeohIEToolbar.dll
TB: AIM Toolbar: {61539ecd-cc67-4437-a03c-9aaccbd14326} - c:\program files\aim toolbar\aimtb.dll
TB: Ask Toolbar: {3041d03e-fd4b-44e0-b742-2d9b88305f98} - c:\program files\askbardis\bar\bin\askBar.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
EB: {9A7D6AD2-0881-451F-BB27-F5E2EE2C5B14} - No File
uRun: [<NO NAME>]
uRun: [AdobeUpdater] c:\program files\common files\adobe\updater5\AdobeUpdater.exe
uRun: [Steam] "c:\program files\steam\Steam.exe" -silent
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [ftutil2] rundll32.exe ftutil2.dll,SetWriteCacheMode
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [AlwaysReady Power Message APP] ARPWRMSG.EXE
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [Recguard] c:\windows\sminst\RECGUARD.EXE
mRun: [<NO NAME>]
mRun: [PCDrProfiler]
mRun: [HPBootOp] "c:\program files\hewlett-packard\hp boot optimizer\HPBootOp.exe" /run
mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb04.exe
mRun: [HPHmon03] c:\windows\system32\hphmon03.exe
mRun: [CXMon] "c:\program files\hewlett-packard\photosmart\photo imaging\Hpi_Monitor.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_07\bin\jusched.exe"
mRun: [DISCover] c:\program files\disc\DISCover.exe nogui
mRun: [Picasa Media Detector] c:\program files\picasa2\PicasaMediaDetector.exe
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mRun: [SGPUpdater] c:\program files\search guard plusu\sgpUpdaters.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [net] "c:\windows\system32\net.net"
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
dRun: [MySpaceIM] c:\program files\myspace\im\MySpaceIM.exe
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
mExplorerRun: [Lsass Service] c:\documents and settings\compaq_administrator\application data\microsoft\windows\lsass.exe
StartupFolder: c:\docume~1\compaq~1\startm~1\programs\startup\limewi~1.lnk - c:\program files\limewire\LimeWire.exe
StartupFolder: c:\docume~1\compaq~1\startm~1\programs\startup\pictur~1.lnk - c:\program files\sony\sony picture utility\volumewatcher\SPUVolumeWatcher.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\compaq~1.lnk - c:\program files\compaq connections\5577497\program\Compaq Connections.exe
uPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
uPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
dPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
dPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
IE: &AIM Toolbar Search - c:\documents and settings\all users\application data\aim toolbar\ietoolbar\resources\en-us\local\search.html
IE: {d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\compaq_administrator\start menu\programs\games\imvu\Run IMVU.lnk
IE: {E2D4D26B-0180-43a4-B05F-462D6D54C789} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\iebutton\support.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
IE: {0b83c99c-1efa-4259-858f-bcb33e007a5b} - {61539ecd-cc67-4437-a03c-9aaccbd14326} - c:\program files\aim toolbar\aimtb.dll
Trusted Zone: trymedia.com
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - hxxp://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei/CursorManiaFWBInitialSetup1.0.0.15-3.cab
DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} - hxxp://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
DPF: {3DCEC959-378A-4922-AD7E-FD5C925D927F} - hxxp://disney.go.com/pirates/online/testActiveX/built/signed/DisneyOnlineGames.cab
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase4009.cab
DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://download.divx.com/player/DivXBrowserPlugin.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} - hxxp://game10.zylom.com/activex/zylomgamesplayer.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {D0C0F75C-683A-4390-A791-1ACFD5599AB8} - hxxp://games.myspace.com/Gameshell/GameHost/1.0/OberonGameHost.cab
DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - hxxp://www.popcap.com/webgames/popcaploader_v10.cab
Filter: text/html - {77000984-8c0e-46a0-bbf7-c51910b26745} - c:\windows\system32\dsound3dd.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: LMIinit - LMIinit.dll
AppInit_DLLs: c:\progra~1\google\google~2\goec62~1.dll,c:\windows\temp\342119kou.dll,avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll
mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "c:\program files\common files\lightscribe\LSRunOnce.exe"

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\compaq~1\applic~1\mozilla\firefox\profiles\47nyzlzo.default\
FF - component: c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-10-24 96520]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2009-10-24 873752]
R2 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-10-24 76040]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2009-8-14 47640]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2007-10-16 24652]
S2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-10-24 231192]
S2 LMIInfo;LogMeIn Kernel Information Provider;\??\c:\program files\logmein\x86\rainfo.sys --> c:\program files\logmein\x86\RaInfo.sys [?]
S3 Dot4Usb HPH09;Dot4Usb HPH09;c:\windows\system32\drivers\hphius09.sys [2007-2-18 18864]
S3 GoogleDesktopManager-061008-081103;Google Desktop Manager 5.7.806.10245;c:\program files\google\google desktop search\GoogleDesktop.exe [2008-4-28 29744]
S3 mfsdisk;mfsdisk;c:\windows\system32\mfsdisk.sys [2004-8-9 2304]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]

=============== Created Last 30 ================

2009-10-25 04:04:01 64184576 ----a-w- C:\10-24-2009 w9all697mr.bin
2009-10-25 00:26:53 10520 ----a-w- c:\windows\system32\avgrsstx.dll
2009-10-25 00:26:52 76040 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-10-25 00:26:49 96520 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-10-25 00:26:45 0 d-----w- c:\windows\system32\drivers\Avg
2009-10-04 21:53:11 0 d-----w- C:\VDefs
2009-10-04 19:59:08 195440 ------w- c:\windows\system32\MpSigStub.exe
2009-10-04 19:59:08 0 d-----w- C:\7a72b623c0b2153e588506
2009-10-04 19:55:15 12160 ----a-w- c:\windows\system32\drivers\mouhid.sys
2009-10-04 19:55:15 12160 ----a-w- c:\windows\system32\dllcache\mouhid.sys
2009-10-04 19:38:27 21504 ----a-w- c:\windows\system32\hidserv.dll
2009-10-04 19:38:27 21504 ----a-w- c:\windows\system32\dllcache\hidserv.dll
2009-10-04 19:38:24 14592 ----a-w- c:\windows\system32\drivers\kbdhid.sys
2009-10-04 19:38:24 14592 ----a-w- c:\windows\system32\dllcache\kbdhid.sys
2009-10-04 19:38:19 32128 ----a-w- c:\windows\system32\drivers\usbccgp.sys
2009-10-04 19:38:19 32128 ----a-w- c:\windows\system32\dllcache\usbccgp.sys
2009-09-26 13:22:52 0 ----a-w- c:\windows\system32\11942.exe
2009-09-26 12:22:51 0 ----a-w- c:\windows\system32\2995.exe
2009-09-26 02:22:41 0 ----a-w- c:\windows\system32\11478.exe
2009-09-26 01:22:41 0 ----a-w- c:\windows\system32\15724.exe
2009-09-26 01:03:17 102664 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2009-09-25 20:37:57 0 d-----w- c:\documents and settings\compaq_administrator\.housecall6.6
2009-09-25 20:24:32 0 d-----w- C:\9fe6a8749b12fab98ae88a9f856825ee

==================== Find3M ====================

2009-09-27 15:57:44 134144 ----a-w- c:\windows\system32\18467.exe
2009-09-26 08:22:45 134144 ----a-w- c:\windows\system32\23281.exe
2009-09-16 00:41:04 11394 ----a-w- c:\docume~1\compaq~1\applic~1\wklnhst.dat
2009-09-14 19:36:45 50176 ----a-w- c:\windows\system32\drivers\UACd.sys
2009-09-10 14:18:41 54784 ------w- c:\windows\system32\drivers\UACcukaocrjns.sys
2009-09-10 14:18:41 50176 ------w- c:\windows\system32\drivers\UACmxjyaxuoxg.sys
2009-09-10 1457 6567 ----a-w- c:\windows\system32\uacinit.dll
2009-09-10 1456 74240 ------w- c:\windows\system32\UACaytnskexem.dll
2009-09-07 14:41:54 19968 ------w- c:\windows\system32\UACejlitpgbit.dll
2009-09-07 14:41:31 1010176 ----a-w- c:\windows\system32\wscsvc32.exe
2009-09-07 14:41:30 1245184 ----a-w- c:\windows\system32\UACojrpwrcnrm.dll
2009-09-07 14:41:19 24064 ----a-w- c:\windows\system32\UACwqgdkmloxl.dll
2009-08-05 09:01:48 204800 ----a-w- c:\windows\system32\dllcache\mswebdvd.dll
2009-08-05 09:01:48 204800 ------w- c:\windows\system32\mswebdvd.dll
2007-06-26 14:28:40 774144 ----a-w- c:\program files\RngInterstitial.dll
2007-01-02 13:13:58 251 ----a-w- c:\program files\wt3d.ini
2004-08-09 21:00:00 94784 --sh--w- c:\windows\twain.dll
2008-04-14 00:12:07 50688 --sh--w- c:\windows\twain_32.dll
2008-04-14 00:12:01 57344 --sha-w- c:\windows\system32\msvcirt.dll
2008-04-14 00:12:01 413696 --sha-w- c:\windows\system32\msvcp60.dll
2008-04-14 00:12:01 343040 --sha-w- c:\windows\system32\msvcrt.dll
2008-04-14 00:12:02 551936 --sh--w- c:\windows\system32\oleaut32.dll
2008-04-14 00:12:02 84992 --sh--w- c:\windows\system32\olepro32.dll
2008-04-14 00:12:32 11776 --sh--w- c:\windows\system32\regsvr32.exe

============= FINISH: 14:52:32.92 ===============
Attached Files: Attach.zip (5.6 KB)
Edward1
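The DDS log above is the kind of listing a helper reads by eye, looking for a handful of well-known hijack points. As an added example (this editor's own, not a DDS, HijackThis or forum tool), here is a small Python triage script that applies a few defender-side heuristics to lines like the ones in Edward1's log: an extra Winlogon Userinit entry, an AppInit_DLLs entry under a temp directory, a MIME filter on text/html, an autorun whose executable carries a Windows system process name but lives outside system32 or has an odd extension, and system32 files with purely numeric or "UAC"-plus-random-letters names. The rule names, the process-name and extension lists, and the thresholds are my own assumptions; the sample lines are copied from the posted log.

```python
import re
from typing import List, Tuple

# Sample lines copied from the DDS log posted in this thread (a constructed
# subset, not the whole log). The heuristics below are this editor's own
# triage rules, not part of DDS, HijackThis or the forum's procedure.
SAMPLE_DDS_LINES = [
    r"mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\windows\system32\twext.exe,",
    r"mRun: [ehTray] c:\windows\ehome\ehtray.exe",
    r'mRun: [net] "c:\windows\system32\net.net"',
    r"mExplorerRun: [Lsass Service] c:\documents and settings\compaq_administrator\application data\microsoft\windows\lsass.exe",
    r"Filter: text/html - {77000984-8c0e-46a0-bbf7-c51910b26745} - c:\windows\system32\dsound3dd.dll",
    r"AppInit_DLLs: c:\progra~1\google\google~2\goec62~1.dll,c:\windows\temp\342119kou.dll,avgrsstx.dll",
    r"2009-09-26 13:22:52 0 ----a-w- c:\windows\system32\11942.exe",
    r"2009-09-10 14:18:41 54784 ------w- c:\windows\system32\drivers\UACcukaocrjns.sys",
    r"2009-08-05 09:01:48 204800 ------w- c:\windows\system32\mswebdvd.dll",
]

# Process names Windows only ever starts from %SystemRoot%\system32; a copy
# anywhere else is masquerading (assumed list, extend as needed).
SYSTEM_PROCESS_NAMES = {"lsass.exe", "svchost.exe", "csrss.exe", "winlogon.exe", "services.exe"}
SYSTEM32 = "c:\\windows\\system32\\"
STANDARD_USERINIT = SYSTEM32 + "userinit.exe"
# Extensions an autorun entry is expected to point at (assumed list).
EXPECTED_EXTS = {"exe", "dll", "lnk", "com", "bat", "cmd", "scr"}

AUTORUN_RE = re.compile(r"^[umd](run|explorerrun):")
# Path after the "[Name]" label, optionally quoted, up to its extension.
PATH_RE = re.compile(r'\]\s*"?([a-z]:\\[^"]*?\.[a-z0-9]{2,4})')
DATED_FILE_RE = re.compile(r"^\d{4}-\d{2}-\d{2}\s")


def find_flags(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (rule, original line) for each DDS line a reviewer should look at."""
    flags: List[Tuple[str, str]] = []
    for raw in lines:
        line = raw.strip()
        low = line.lower()

        if low.startswith("mwinlogon: userinit="):
            # Winlogon runs every comma-separated entry at logon; only
            # userinit.exe belongs here.
            entries = [e.strip() for e in low.split("=", 1)[1].split(",") if e.strip()]
            if any(e != STANDARD_USERINIT for e in entries):
                flags.append(("userinit-extra-entry", line))

        elif low.startswith("appinit_dlls:"):
            # AppInit_DLLs are injected into every user-mode process; nothing
            # legitimate lives in a temp directory.
            dlls = [d.strip() for d in low.split(":", 1)[1].split(",")]
            if any("\\temp\\" in d for d in dlls):
                flags.append(("appinit-dll-in-temp", line))

        elif low.startswith("filter: text/html"):
            # A MIME filter on text/html sees (and can rewrite) every page IE
            # renders; always worth a look.
            flags.append(("html-mime-filter", line))

        elif AUTORUN_RE.match(low):
            m = PATH_RE.search(low)
            if not m:
                continue  # e.g. "uRun: [<NO NAME>]" carries no path
            path = m.group(1)
            name = path.rsplit("\\", 1)[-1]
            ext = name.rsplit(".", 1)[-1]
            if name in SYSTEM_PROCESS_NAMES and not path.startswith(SYSTEM32):
                flags.append(("system-name-outside-system32", line))
            elif ext not in EXPECTED_EXTS:
                flags.append(("unusual-extension", line))

        elif DATED_FILE_RE.match(low):
            # "Created Last 30" / "Find3M" lines: date, time, size, attrs, path.
            name = low.rsplit("\\", 1)[-1]
            if re.fullmatch(r"\d+\.exe", name):
                flags.append(("numeric-exe-name", line))
            elif re.fullmatch(r"uac[a-z]{8,}\.(sys|dll|dat)", name):
                flags.append(("uac-random-name", line))
    return flags


if __name__ == "__main__":
    for rule, line in find_flags(SAMPLE_DDS_LINES):
        print(f"{rule:30} {line}")
```

Run as-is it prints the seven sample lines that trip a rule (ehtray.exe and mswebdvd.dll pass); to triage a full log, call `find_flags()` on the file's lines. The rules are deliberately narrow so that a hit means "look at this", not "this is malware": a legitimate product can register a text/html filter, and the name heuristics only catch the naming patterns seen in this particular log.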
10-26-2009, 10:09 AM   #2
Ried
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 27,030
OS: WinXP and Vista


Re: Trojans, Malware & Rootkits!! Oh my!! Please help.

Hello Edward1 and welcome,

I appreciate the detail you did provide, thank you. :)

It will require more than 1 round to clean the system. Please stay with me until given the 'all clear' even if symptoms seem to abate.

Download ComboFix from one of these locations:

Link 1
Link 2


* IMPORTANT- Save ComboFix.exe to your Desktop

====================================================


Disable your AntiVirus and AntiSpyware applications as they will interfere with our tools and the removal.


====================================================


Double click on combofix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply for further review.
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Ried
10-26-2009, 12:58 PM   #3
Registered User
Join Date: Oct 2009
Posts: 8
OS: Win XP Media Center Edition


Re: Trojans, Malware & Rootkits!! Oh my!! Please help.

Thanks for the reply Ried!

Did as you instructed. I thought I closed AVG and ended all the processes associated with it, but ComboFix came back and said that it was still enabled. I clicked the X to close ComboFix so I could just uninstall AVG, but it kept running so I let it run its course. After about 10 seconds the Microsoft Update restart countdown began at 5 minutes. I hit "restart later" before it ended. While scanning, a Windows error window appeared stating that PEV.cfxxe had encountered an error and needed to close. After that ComboFix instructed me to jot down some files that may need to be replaced later.

Here is what it listed:

C:\Windows\System32\twext.exe
C:\Windows\System32\drivers\UACmxjyauoxg.sys
C:\Windows\System32\UACwqgdkmloxl.dll
C:\Windows\System32\UACCaytnskexem.dll
C:\Windows\System32\UACwbyvovgpvv.dll
C:\Windows\System32\UACojrpwrcnrm.dll
C:\Windows\System32\UACejlitpgbit.dll

The system then restarted. After reboot it began scanning again and this time CF11090.exe, 17111.exe and swxcacls.exe kept popping up as corrupt. This happened about 8 or 9 times, then ComboFix rebooted the system. Upon restart, Chkdsk ran and deleted these corrupted records. This took about 40 minutes alone. Rebooted one more time and completed about an hour and 20 min later! Judging by the note that the scan should take about 10 minutes to complete, but heavily infected machines can easily double that, I'd say this was one hell of an infection.

As requested here is the log:

ComboFix 09-10-24.06 - Compaq_Administrator 10/26/2009 13:58.1.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.958.596 [GMT -4:00]
Running from: c:\documents and settings\Compaq_Administrator\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning enabled* (Outdated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Starware316
c:\documents and settings\All Users\Application Data\Starware316\buttons\FindIt.bmp
c:\documents and settings\All Users\Application Data\Starware316\buttons\FindItHot.bmp
c:\documents and settings\All Users\Application Data\Starware316\buttons\findithotxp.png
c:\documents and settings\All Users\Application Data\Starware316\buttons\finditxp.png
c:\documents and settings\All Users\Application Data\Starware316\buttons\Highlight.bmp
c:\documents and settings\All Users\Application Data\Starware316\buttons\HighlightHot.bmp
c:\documents and settings\All Users\Application Data\Starware316\buttons\highlighthotxp.png
c:\documents and settings\All Users\Application Data\Starware316\buttons\highlightxp.png
c:\documents and settings\All Users\Application Data\Starware316\buttons\Reference.bmp
c:\documents and settings\All Users\Application Data\Starware316\buttons\ReferenceHot.bmp
c:\documents and settings\All Users\Application Data\Starware316\buttons\referencehotxp.png
c:\documents and settings\All Users\Application Data\Starware316\buttons\referencexp.png
c:\documents and settings\All Users\Application Data\Starware316\buttons\screensaver.bmp
c:\documents and settings\All Users\Application Data\Starware316\buttons\Screensavers0.bmp
c:\documents and settings\All Users\Application Data\Starware316\buttons\starware_toolbar_icon.bmp
c:\documents and settings\All Users\Application Data\Starware316\buttons\Weather.bmp
c:\documents and settings\All Users\Application Data\Starware316\buttons\weatherhotxp.png
c:\documents and settings\All Users\Application Data\Starware316\buttons\weatherxp.png
c:\documents and settings\All Users\Application Data\Starware316\contexts\error.xml
c:\documents and settings\All Users\Application Data\Starware316\contexts\Related.xml
c:\documents and settings\All Users\Application Data\Starware316\contexts\Travel.xml
c:\documents and settings\All Users\Application Data\Starware316\images\walertXP.bmp
c:\documents and settings\All Users\Application Data\Starware316\SimpleUpdate\ProductMessagingConfig.xml
c:\documents and settings\All Users\Application Data\Starware316\SimpleUpdate\ProductMessagingConfig.xml.backup
c:\documents and settings\All Users\Application Data\Starware316\SimpleUpdate\SimpleUpdateConfig.xml
c:\documents and settings\All Users\Application Data\Starware316\SimpleUpdate\SimpleUpdateConfig.xml.backup
c:\documents and settings\All Users\Application Data\Starware316\SimpleUpdate\TimerManagerConfig.xml
c:\documents and settings\All Users\Application Data\Starware316\SimpleUpdate\TimerManagerConfig.xml.backup
c:\documents and settings\Compaq_Administrator\Application Data\PrivacyProtector Free
c:\documents and settings\Compaq_Administrator\Application Data\PrivacyProtector Free\Logs\update.log
c:\documents and settings\Compaq_Administrator\err.log
c:\documents and settings\LocalService\Application Data\twain_32
c:\documents and settings\LocalService\Application Data\twain_32\user.ds
c:\documents and settings\NetworkService\Application Data\twain_32
c:\documents and settings\NetworkService\Application Data\twain_32\user.ds
c:\program files\Common\_helper.dll
c:\program files\Common\helper.dll
c:\program files\Common\helper.sig
c:\program files\Fast Browser Search
c:\program files\Fast Browser Search\IE\1.bat
c:\program files\Fast Browser Search\IE\about.html
c:\program files\Fast Browser Search\IE\affid.dat
c:\program files\Fast Browser Search\IE\basis.xml
c:\program files\Fast Browser Search\IE\BHO.dll
c:\program files\Fast Browser Search\IE\ClearRecycleBin.exe
c:\program files\Fast Browser Search\IE\error.html
c:\program files\Fast Browser Search\IE\FBSPlugin.dll
c:\program files\Fast Browser Search\IE\fbsProtection.xml
c:\program files\Fast Browser Search\IE\FbsSearchProvider.xml
c:\program files\Fast Browser Search\IE\FbsSearchProviderIE8.exe
c:\program files\Fast Browser Search\IE\icons.bmp
c:\program files\Fast Browser Search\IE\info.txt
c:\program files\Fast Browser Search\IE\local.xml
c:\program files\Fast Browser Search\IE\logobg.bmp
c:\program files\Fast Browser Search\IE\MTWBtoolbar.html
c:\program files\Fast Browser Search\IE\search.bmp
c:\program files\Fast Browser Search\IE\SearchGuardPlus.exe
c:\program files\Fast Browser Search\IE\SearchGuardPlus.ico
c:\program files\Fast Browser Search\IE\SGPU.ico
c:\program files\Fast Browser Search\IE\sgpUpdater.exe
c:\program files\Fast Browser Search\IE\sgpUpdater.xml
c:\program files\Fast Browser Search\IE\SGPUpdaterS.exe
c:\program files\Fast Browser Search\IE\tbhelper.dll
c:\program files\Fast Browser Search\IE\tbs_include_script_003175.js
c:\program files\Fast Browser Search\IE\tbs_include_script_005064.js
c:\program files\Fast Browser Search\IE\tbs_include_script_012817.js
c:\program files\Fast Browser Search\IE\Toolbar Help.htm
c:\program files\Fast Browser Search\IE\uninstall.exe
c:\program files\Fast Browser Search\IE\uninstalSGP.exe
c:\program files\Fast Browser Search\IE\uninstalSGPU.exe
c:\program files\Fast Browser Search\IE\update.exe
c:\program files\Fast Browser Search\IE\version.txt
c:\program files\gamevance\gamevancelib32.dll
c:\program files\Protection System
c:\program files\SGPSA
c:\program files\SGPSA\BHO.dll
c:\program files\Shared\_lib.dll
c:\program files\Shared\_lib.sig
c:\program files\Shared\lib.dll
c:\program files\Shared\lib.sig
c:\recycler\S-1-5-21-527237240-179605362-725345543-500
c:\windows\Downloaded Program Files\popcaploader.dll
c:\windows\Downloaded Program Files\popcaploader.inf
c:\windows\kb913800.exe
c:\windows\system32\11478.exe
c:\windows\system32\11942.exe
c:\windows\system32\15724.exe
c:\windows\system32\16827.exe
c:\windows\system32\18467.exe
c:\windows\system32\19169.exe
c:\windows\system32\23281.exe
c:\windows\system32\24464.exe
c:\windows\system32\26500.exe
c:\windows\system32\26962.exe
c:\windows\system32\28145.exe
c:\windows\system32\29358.exe
c:\windows\system32\2995.exe
c:\windows\system32\41.exe
c:\windows\system32\491.exe
c:\windows\system32\5705.exe
c:\windows\system32\6334.exe
c:\windows\system32\6to4v32.dll
c:\windows\system32\9961.exe
c:\windows\system32\certstore.dat
c:\windows\system32\critical_warning.html
c:\windows\system32\drivers\kbiwkmuwrusokl.sys
c:\windows\system32\drivers\UACcukaocrjns.sys
c:\windows\system32\drivers\UACmxjyaxuoxg.sys
c:\windows\system32\dsound3dd.dll
c:\windows\system32\kbiwkmkoehhaps.dat
c:\windows\system32\kbiwkmlqcwpcja.dll
c:\windows\system32\kbiwkmturxsnoo.dll
c:\windows\system32\kbiwkmtwmeyfke.dat
c:\windows\system32\net.net
c:\windows\system32\twain_32
c:\windows\system32\twain_32\local.ds
c:\windows\system32\twain_32\user.ds
c:\windows\system32\twain_32\user.ds.cla
c:\windows\system32\twext.exe
c:\windows\system32\UACaytnskexem.dll
c:\windows\system32\UACejlitpgbit.dll
c:\windows\system32\uacinit.dll
c:\windows\system32\UACojrpwrcnrm.dll
c:\windows\system32\UACwbyvovgpvv.dat
c:\windows\system32\UACwqgdkmloxl.dll
c:\windows\system32\wscsvc32.exe
D:\Autorun.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_UACd.sys
-------\Legacy_UACd.sys
-------\Legacy_6TO4
-------\Legacy_ONESTEP_SEARCH_SERVICE
-------\Service_6to4
-------\Service_kbiwkmnsxmppje


((((((((((((((((((((((((( Files Created from 2009-09-26 to 2009-10-26 )))))))))))))))))))))))))))))))
.

2009-10-26 18:40 . 2009-10-26 18:40 -------- d-----w- C:\found.000
2009-10-25 19:07 . 2009-10-25 19:07 -------- d-----w- C:\b25217ac99d763e719a9a4
2009-10-25 04:04 . 2009-10-24 21:00 64184576 ----a-w- C:\10-24-2009 w9all697mr.bin
2009-10-25 00:26 . 2009-10-25 00:26 10520 ----a-w- c:\windows\system32\avgrsstx.dll
2009-10-25 00:26 . 2009-10-25 00:26 76040 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-10-25 00:26 . 2009-10-25 00:26 96520 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-10-25 00:26 . 2009-10-25 00:26 26824 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-10-25 00:26 . 2009-10-25 00:26 -------- d-----w- c:\windows\system32\drivers\Avg
2009-10-21 01:51 . 2009-10-21 01:51 -------- d-----w- c:\documents and settings\Compaq_Administrator\Application Data\Lavasoft
2009-10-20 02:21 . 2009-10-20 02:21 -------- d-----w- c:\documents and settings\Administrator\Application Data\Lavasoft
2009-10-04 21:53 . 2009-10-04 21:57 -------- d-----w- C:\VDefs
2009-10-04 19:59 . 2009-10-04 19:59 -------- d-----w- C:\7a72b623c0b2153e588506
2009-10-04 19:59 . 2009-10-01 14:29 195440 ------w- c:\windows\system32\MpSigStub.exe
2009-10-04 19:55 . 2001-08-17 17:48 12160 ----a-w- c:\windows\system32\drivers\mouhid.sys
2009-10-04 19:55 . 2001-08-17 17:48 12160 ----a-w- c:\windows\system32\dllcache\mouhid.sys
2009-10-04 19:38 . 2008-04-14 00:11 21504 ----a-w- c:\windows\system32\hidserv.dll
2009-10-04 19:38 . 2008-04-14 00:11 21504 ----a-w- c:\windows\system32\dllcache\hidserv.dll
2009-10-04 19:38 . 2008-04-13 18:39 14592 ----a-w- c:\windows\system32\drivers\kbdhid.sys
2009-10-04 19:38 . 2008-04-13 18:39 14592 ----a-w- c:\windows\system32\dllcache\kbdhid.sys
2009-10-04 19:38 . 2008-04-13 18:45 32128 ----a-w- c:\windows\system32\drivers\usbccgp.sys
2009-10-04 19:38 . 2008-04-13 18:45 32128 ----a-w- c:\windows\system32\dllcache\usbccgp.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-26 18:13 . 2009-07-31 17:53 -------- d-----w- c:\program files\Shared
2009-10-26 18:13 . 2009-06-29 04:00 -------- d-----w- c:\program files\Gamevance
2009-10-26 18:13 . 2008-12-05 00:17 -------- d-----w- c:\program files\Common
2009-10-26 17:31 . 2009-07-04 19:40 -------- d-----w- c:\program files\Steam
2009-10-25 04:01 . 2009-05-22 22:05 -------- d-----w- c:\documents and settings\Compaq_Administrator\Application Data\LimeWire
2009-10-25 01:39 . 2009-01-21 04:05 -------- d-----w- c:\program files\AIM Toolbar
2009-10-25 00:30 . 2008-03-27 01:14 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-10-21 02:24 . 2006-08-30 15:10 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-10-21 02:24 . 2006-08-30 15:10 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2009-10-21 02:21 . 2006-08-30 15:07 -------- d-----w- c:\program files\Yahoo!
2009-10-21 02:20 . 2006-08-30 14:46 -------- d-----w- c:\program files\WildTangent
2009-10-21 02:20 . 2006-08-30 14:46 -------- d-----w- c:\program files\HP Games
2009-10-21 02:20 . 2006-08-30 14:46 -------- d-----w- c:\documents and settings\All Users\Application Data\WildTangent
2009-10-21 02:17 . 2006-08-30 15:10 -------- d-----w- c:\program files\Symantec
2009-09-25 20:26 . 2008-11-02 18:42 -------- d-----w- c:\documents and settings\Compaq_Administrator\Application Data\Smilebox
2009-09-16 00:41 . 2007-08-03 14:28 11394 ----a-w- c:\documents and settings\Compaq_Administrator\Application Data\wklnhst.dat
2009-09-11 14:18 . 2004-08-09 21:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-10 14:32 . 2008-05-08 04:19 -------- d-----w- c:\program files\Microsoft Silverlight
2009-09-04 21:03 . 2004-08-09 21:00 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-09-03 23:33 . 2007-04-12 14:32 111 ----a-w- c:\windows\popcinfot.dat
2009-08-26 08:00 . 2004-08-09 21:00 247326 ------w- c:\windows\system32\strmdll.dll
2009-08-23 23:27 . 2006-08-30 14:50 49792 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-05 09:01 . 2004-08-09 21:00 204800 ------w- c:\windows\system32\mswebdvd.dll
2009-08-04 15:13 . 2004-08-10 04:00 2145280 ------w- c:\windows\system32\ntoskrnl.exe
2009-08-04 14:20 . 2004-08-10 04:00 2023936 ------w- c:\windows\system32\ntkrnlpa.exe
2007-06-26 14:28 . 2007-06-26 14:28 774144 ----a-w- c:\program files\RngInterstitial.dll
2007-01-02 13:13 . 2007-01-02 13:13 251 ----a-w- c:\program files\wt3d.ini
2008-08-21 23:01 . 2008-08-21 23:02 122880 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
2006-10-11 08:04 . 2008-08-08 16:35 61036 ----a-w- c:\program files\mozilla firefox\components\jar50.dll
2006-10-11 08:04 . 2008-08-08 16:35 48742 ----a-w- c:\program files\mozilla firefox\components\jsd3250.dll
2006-10-11 08:05 . 2008-08-08 16:35 29313 ----a-w- c:\program files\mozilla firefox\components\myspell.dll
2006-10-11 08:05 . 2008-08-08 16:35 41082 ----a-w- c:\program files\mozilla firefox\components\spellchk.dll
2006-10-11 08:04 . 2008-08-08 16:35 166510 ----a-w- c:\program files\mozilla firefox\components\xpinstal.dll
2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
2004-08-09 21:00 . 2004-08-09 21:00 94784 --sh--w- c:\windows\twain.dll
2008-04-14 00:12 . 2004-08-09 21:00 50688 --sh--w- c:\windows\twain_32.dll
2008-04-14 00:12 . 2004-08-09 21:00 57344 --sha-w- c:\windows\system32\msvcirt.dll
2008-04-14 00:12 . 2004-08-09 21:00 413696 --sha-w- c:\windows\system32\msvcp60.dll
2008-04-14 00:12 . 2004-08-09 21:00 343040 --sha-w- c:\windows\system32\msvcrt.dll
2008-04-14 00:12 . 2004-08-09 21:00 551936 --sh--w- c:\windows\system32\oleaut32.dll
2008-04-14 00:12 . 2004-08-09 21:00 84992 --sh--w- c:\windows\system32\olepro32.dll
2008-04-14 00:12 . 2004-08-09 21:00 11776 --sh--w- c:\windows\system32\regsvr32.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]
2008-09-09 02:08 279944 ----a-w- c:\program files\AskBarDis\bar\bin\askBar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{3041d03e-fd4b-44e0-b742-2d9b88305f98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-09-09 279944]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AdobeUpdater"="c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2007-03-01 2321600]
"Steam"="c:\program files\Steam\Steam.exe" [2009-09-26 1217784]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-05-09 7311360]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2005-07-22 237568]
"HPBootOp"="c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2006-02-15 249856]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb04.exe" [2001-10-25 196608]
"HPHmon03"="c:\windows\system32\hphmon03.exe" [2001-10-25 311296]
"CXMon"="c:\program files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe" [2001-09-19 45056]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"DISCover"="c:\program files\DISC\DISCover.exe" [2007-10-31 1095256]
"Picasa Media Detector"="c:\program files\Picasa2\PicasaMediaDetector.exe" [2005-10-28 335872]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-03 866584]
"SGPUpdater"="c:\program files\Search Guard PlusU\sgpUpdaters.exe" [2009-05-15 67456]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-08-30 180269]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-10-25 1232152]
"ftutil2"="ftutil2.dll" - c:\windows\system32\ftutil2.dll [2004-06-07 106496]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.EXE [2006-06-13 16239616]
"AlwaysReady Power Message APP"="ARPWRMSG.EXE" - c:\windows\arpwrmsg.exe [2005-08-02 77312]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2006-05-09 1519616]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="c:\program files\MySpace\IM\MySpaceIM.exe" [2007-12-19 8720384]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 39264]

c:\documents and settings\Default User\Start Menu\Programs\Startup\
Pin.lnk - c:\hp\bin\CLOAKER.EXE [2006-8-30 27136]
PinMcLnk.lnk - c:\hp\bin\cloaker.exe [2006-8-30 27136]

c:\documents and settings\Compaq_Administrator\Start Menu\Programs\Startup\
LimeWire On Startup.lnk - c:\program files\LimeWire\LimeWire.exe [2009-5-22 139776]
Picture Motion Browser Media Check Tool.lnk - c:\program files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe [2008-3-9 344064]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
Compaq Connections.lnk - c:\program files\Compaq Connections\5577497\Program\Compaq Connections.exe [2006-8-30 36903]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2008-10-17 00:35 87352 ----a-w- c:\windows\system32\LMIinit.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Compaq Connections\\5577497\\Program\\Compaq Connections.exe"=
"c:\\Program Files\\Microsoft Games\\Rise of Nations\\thrones.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\DISC\\DISCover.exe"=
"c:\\Program Files\\DISC\\DiscStreamHub.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe"=
"c:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"=
"c:\\Program Files\\Stardock Games\\Sins of a Solar Empire\\Sins of a Solar Empire.exe"=
"c:\\Program Files\\Veoh Networks\\VeohWebPlayer\\veohwebplayer.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\empire total war\\Empire.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [10/24/2009 8:26 PM 96520]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [10/24/2009 8:26 PM 873752]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [10/24/2009 8:26 PM 231192]
R2 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [10/24/2009 8:26 PM 76040]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [8/14/2009 10:26 PM 47640]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [10/16/2007 2:27 PM 24652]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 6:19 PM 13592]
S1 qquqoykj;qquqoykj;\??\c:\windows\system32\drivers\qquqoykj.sys --> c:\windows\system32\drivers\qquqoykj.sys [?]
S2 LMIInfo;LogMeIn Kernel Information Provider;\??\c:\program files\LogMeIn\x86\RaInfo.sys --> c:\program files\LogMeIn\x86\RaInfo.sys [?]
S3 Dot4Usb HPH09;Dot4Usb HPH09;c:\windows\system32\drivers\hphius09.sys [2/18/2007 6:09 AM 18864]
S3 GoogleDesktopManager-061008-081103;Google Desktop Manager 5.7.806.10245;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [4/28/2008 12:11 PM 29744]
S3 mfsdisk;mfsdisk;c:\windows\system32\mfsdisk.sys [8/9/2004 5:00 PM 2304]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"c:\program files\Common Files\LightScribe\LSRunOnce.exe"
.
Contents of the 'Scheduled Tasks' folder

2009-10-26 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 22:20]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
uDefault_Search_URL = hxxp://www.google.com
mStart Page = hxxp://www.google.com
mSearch Bar = hxxp://www.google.com
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: &AIM Toolbar Search - c:\documents and settings\All Users\Application Data\AIM Toolbar\ieToolbar\resources\en-US\local\search.html
IE: {{d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\Compaq_Administrator\Start Menu\Programs\Games\IMVU\Run IMVU.lnk
Trusted Zone: trymedia.com
DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} - hxxp://game10.zylom.com/activex/zylomgamesplayer.cab
FF - ProfilePath - c:\documents and settings\Compaq_Administrator\Application Data\Mozilla\Firefox\Profiles\47nyzlzo.default\
FF - component: c:\program files\Mozilla Firefox\components\GoogleDesktopMozilla.dll
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-PCDrProfiler - (no file)
AddRemove-AIM Toolbar - c:\program files\AIM Toolbar\uninstall.exe
AddRemove-HijackThis - c:\docume~1\COMPAQ~1\LOCALS~1\Temp\HijackThis.exe



**************************************************************************
scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
SGPUpdater = c:\program files\Search Guard PlusU\sgpUpdaters.exe??o?????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\kbiwkmnsxmppje]
"imagepath"="\systemroot\system32\drivers\kbiwkmuwrusokl.sys"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\kbiwkmnsxmppje]
@DACL=(02 0000)
"start"=dword:00000001
"type"=dword:00000001
"group"="file system"
"imagepath"=expand:"\\systemroot\\system32\\drivers\\kbiwkmuwrusokl.sys"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(752)
c:\windows\system32\LMIinit.dll
c:\windows\system32\LMIRfsClientNP.dll

- - - - - - - > 'explorer.exe'(1808)
c:\windows\system32\WININET.dll
c:\docume~1\COMPAQ~1\LOCALS~1\Temp\IadHide5.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\mshtml.dll
c:\windows\system32\msls31.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\windows\arservice.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\PnkBstrA.exe
c:\program files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
c:\windows\ehome\mcrdsvc.exe
c:\progra~1\AVG\AVG8\avgrsx.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\wscntfy.exe
c:\combofix\CF11090.exe
c:\windows\eHome\ehmsas.exe
c:\program files\DISC\DiscStreamHub.exe
c:\program files\iPod\bin\iPodService.exe
c:\combofix\PEV.cfxxe
.
**************************************************************************
.
Completion time: 2009-10-26 14:52 - machine was rebooted
ComboFix-quarantined-files.txt 2009-10-26 18:52

Pre-Run: 142,884,900,864 bytes free
Post-Run: 145,796,820,992 bytes free

- - End Of File - - D9959642BC9A6B85404DC6F4FE2482E4


Thanks for helping out. Back to work for now.
Old 10-26-2009, 09:52 PM   #4 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
Join Date: Jan 2005
Location: Ohio
Posts: 27,030
OS: WinXP and Vista


Re: Trojans, Malware & Rootkits!! Oh my!! Please help.

Hi Edward1,

While it was a struggle, it was effective. What we need to do now is run this online scan to search for any remnants. It can take some time, so please be patient and allow it to run its full course:

Establish an internet connection & perform an online scan with Firefox or Internet Explorer at Kaspersky Online Scanner

**Note**

To optimize scanning time and produce a more sensible report for review:
  • Close any open programs
  • Turn off the real-time scanner of any existing antivirus program while performing the online scan.
  • Click Accept when prompted to download and install the program files and database of malware definitions.
  • Click Run at the Security prompt.
  • The program will then begin downloading and installing and will also update the database.
  • Please be patient as this can take several minutes.
  • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View scan report at the bottom.
  • Click the Save Report As... button.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Old 10-27-2009, 10:51 PM   #5 (permalink)
Registered User
 
Join Date: Oct 2009
Posts: 8
OS: Win XP Media Center Edition


Re: Trojans, Malware & Rootkits!! Oh my!! Please help.

Thank you for the help so far Ried.

As requested, here is the log produced by Kaspersky's online scan:

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Wednesday, October 28, 2009
Operating system: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Tuesday, October 27, 2009 23:57:12
Records in database: 3091792
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\
G:\
H:\
I:\
J:\

Scan statistics:
Objects scanned: 288172
Threats found: 17
Infected objects found: 27
Suspicious objects found: 1
Scan duration: 04:38:22


File name / Threat / Threats count
C:\Documents and Settings\Compaq_Administrator\Application Data\Sun\Java\Deployment\cache\6.0\60\59af077c-23361c0b Infected: Trojan-Downloader.Java.OpenConnection.at 1
C:\Documents and Settings\Compaq_Administrator\Desktop\呜浥p䵔㵐㩃䑜䍏䵕繅就佃偍允ㅾ䱜䍏䱁繓就敔灭唀䕓䑒䵏䥁㵎佈偏3单剅䅎䕍䌽浯慰影摁業楮瑳慲潴r单剅剐䙏䱉㵅㩃䑜捯浵湥獴愠摮匠瑥楴杮屳潃灭煡䅟浤湩獩牴瑡牯眀湩楤㵲㩃坜义佄南 Infected: Trojan.Win32.Buzus.bvml 1
C:\Documents and Settings\Compaq_Administrator\My Documents\LimeWire\Saved\all american rejects fallin.wma Infected: Trojan-Downloader.WMA.Wimad.y 1
C:\Documents and Settings\Compaq_Administrator\My Documents\LimeWire\Saved\All-American Rejects - Eyelash Wishes.wma Infected: Trojan-Downloader.WMA.Wimad.u 1
C:\Documents and Settings\Compaq_Administrator\My Documents\LimeWire\Saved\rocketshiptothemoon.wma Infected: Trojan-Downloader.WMA.Wimad.y 1
C:\Documents and Settings\Compaq_Administrator\My Documents\LimeWire\Saved\rocketshiptothemoon3 greatest hit 2009.wma Infected: Trojan-Downloader.WMA.Wimad.u 1
C:\Documents and Settings\Compaq_Administrator\My Documents\LimeWire\Saved\violet hill (new album).mp3 Infected: Trojan-Downloader.WMA.GetCodec.u 1
C:\Documents and Settings\Emily\Application Data\twext.exe Infected: Packed.Win32.Krap.af 1
C:\Documents and Settings\Emily\Local Settings\Temp\OBCK.VIR Infected: Trojan.Win32.TDSS.anaa 1
C:\hp\bin\wbug\CompaqPresario_Spring06.exe Infected: not-a-virus:AdWare.Win32.WeatherBug.a 1
C:\Program Files\Gamevance\gvun.exe Infected: not-a-virus:AdWare.Win32.Gamevance.bia 1
C:\Qoobox\Quarantine\C\Program Files\Common\_helper.dll.vir Infected: Trojan.Win32.ExeDot.is 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\6to4v32.dll.vir Infected: Backdoor.Win32.Agent.alhw 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\critical_warning.html.vir Infected: Trojan.HTML.Fraud.b 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\kbiwkmuwrusokl.sys.vir Infected: Packed.Win32.TDSS.z 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\kbiwkmlqcwpcja.dll.vir Infected: Packed.Win32.TDSS.z 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\kbiwkmturxsnoo.dll.vir Infected: Packed.Win32.TDSS.z 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\net.net.vir Suspicious: Packed.Win32.PECompact 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\twext.exe.vir Infected: Packed.Win32.Krap.af 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\UACaytnskexem.dll.vir Infected: Trojan.Win32.Tdss.anrc 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\UACejlitpgbit.dll.vir Infected: Packed.Win32.TDSS.y 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\UACojrpwrcnrm.dll.vir Infected: Packed.Win32.TDSS.y 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\UACwqgdkmloxl.dll.vir Infected: Packed.Win32.TDSS.y 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\wscsvc32.exe.vir Infected: Packed.Win32.TDSS.y 1
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\94G53JFY\PersScan-f65e080_2005-10[1].exe Infected: Packed.Win32.Krap.ae 1
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\II6RRP9G\PersScan-fa6b_2005-10[1].exe Infected: Packed.Win32.Krap.ae 1
D:\I386\APPS\APP17392\src\CompaqPresario_Spring06.exe Infected: not-a-virus:AdWare.Win32.WeatherBug.a 1
D:\I386\APPS\APP17392\src\HPPavillion_Spring06.exe Infected: not-a-virus:AdWare.Win32.WeatherBug.a 1

Selected area has been scanned.
Old 10-28-2009, 12:38 AM   #6 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
Join Date: Jan 2005
Location: Ohio
Posts: 27,030
OS: WinXP and Vista


Re: Trojans, Malware & Rootkits!! Oh my!! Please help.

There's the source of all the problems here - the Limewire downloads. Please be sure your cousin takes the time to educate himself/herself and anyone else using this PC about the Perils of P2P File Sharing.


Open Notepad and copy/paste the contents in the quote box below, into Notepad.

Quote:
@echo off
if exist "%temp%\log.txt" del "%temp%\log.txt"
for %%g in (
"C:\Documents and Settings\Compaq_Administrator\Application Data\Sun\Java\Deployment\cache\6.0\60\59af077c-23361c0b"
"C:\Documents and Settings\Compaq_Administrator\My Documents\LimeWire\Saved\all american rejects fallin.wma"
"C:\Documents and Settings\Compaq_Administrator\My Documents\LimeWire\Saved\All-American Rejects - Eyelash Wishes.wma"
"C:\Documents and Settings\Compaq_Administrator\My Documents\LimeWire\Saved\rocketshiptothemoon.wma"
"C:\Documents and Settings\Compaq_Administrator\My Documents\LimeWire\Saved\rocketshiptothemoon3 greatest hit 2009.wma"
"C:\Documents and Settings\Compaq_Administrator\My Documents\LimeWire\Saved\violet hill (new album).mp3"
"C:\Documents and Settings\Emily\Application Data\twext.exe"
"C:\Documents and Settings\Emily\Local Settings\Temp\OBCK.VIR"
"C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\94G53JFY\PersScan-f65e080_2005-10[1].exe"
"C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\II6RRP9G\PersScan-fa6b_2005-10[1].exe"
) do (
del /a/f %%g >nul 2>&1
if exist %%g echo.%%~g>>"%temp%\log.txt"
)
if exist "%temp%\log.txt" ( start notepad "%temp%\log.txt"
) else echo.Deleted Successfully !!
Save this as delete.bat. Choose "Save type as - All Files".
It should look like this:

Double click on delete.bat & allow it to run. Post back and tell me what it says. Also, how is the system behaving now?
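The triage Ried did by hand between the two posts above (reading the Kaspersky report, setting aside what ComboFix had already quarantined and the not-a-virus adware, and putting the rest into delete.bat), as an added Python example that is not a tool from this thread; the sample lines are a subset of the report posted above, and the batch it writes mirrors Ried's but ends with a plain pause.

```python
r"""Triage a Kaspersky Online Scanner report to find the infections still live on disk.

Added example for this thread, not a tool used in it. It automates the sorting a
helper does by eye on the "File name / Threat / Threats count" section:
  - entries under C:\Qoobox\Quarantine were already pulled by ComboFix,
  - "not-a-virus:" adware bundled by the OEM is a judgment call, not an infection,
  - everything else is still on disk and belongs in the deletion batch file.
"""
import re
from collections import Counter

# One detection line: <path, may contain spaces> <Infected|Suspicious>: <threat> <count>
LINE_RE = re.compile(
    r"^(?P<path>.+?)\s+(?P<status>Infected|Suspicious):\s+(?P<threat>\S+)\s+(?P<count>\d+)$"
)
QUARANTINE_PREFIX = "c:\\qoobox\\quarantine\\"

# Sample input: a subset of the report posted in this thread (the statistics lines
# are kept on purpose to show that the parser ignores them).
SAMPLE_REPORT = r"""
Threats found: 17
Infected objects found: 27

File name / Threat / Threats count
C:\Documents and Settings\Compaq_Administrator\Application Data\Sun\Java\Deployment\cache\6.0\60\59af077c-23361c0b Infected: Trojan-Downloader.Java.OpenConnection.at 1
C:\Documents and Settings\Compaq_Administrator\My Documents\LimeWire\Saved\violet hill (new album).mp3 Infected: Trojan-Downloader.WMA.GetCodec.u 1
C:\Documents and Settings\Emily\Application Data\twext.exe Infected: Packed.Win32.Krap.af 1
C:\hp\bin\wbug\CompaqPresario_Spring06.exe Infected: not-a-virus:AdWare.Win32.WeatherBug.a 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\kbiwkmuwrusokl.sys.vir Infected: Packed.Win32.TDSS.z 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\net.net.vir Suspicious: Packed.Win32.PECompact 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\twext.exe.vir Infected: Packed.Win32.Krap.af 1
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\94G53JFY\PersScan-f65e080_2005-10[1].exe Infected: Packed.Win32.Krap.ae 1

Selected area has been scanned.
"""


def parse_report(text):
    """Return one dict per detection line; headers, statistics and blanks are skipped."""
    hits = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            hits.append({"path": m.group("path"), "status": m.group("status"),
                         "threat": m.group("threat"), "count": int(m.group("count"))})
    return hits


def classify(hit):
    """Bucket one detection as quarantined, pua, suspicious or live."""
    if hit["path"].lower().startswith(QUARANTINE_PREFIX):
        return "quarantined"  # ComboFix already moved it; nothing is left on disk
    if hit["threat"].startswith("not-a-virus:"):
        return "pua"  # adware/riskware, often OEM-bundled (WeatherBug here)
    if hit["status"] == "Suspicious":
        return "suspicious"  # heuristic hit only; review before deleting
    return "live"  # confirmed malware still present on the system


def live_paths(hits):
    """Paths that still need removing, in report order."""
    return [h["path"] for h in hits if classify(h) == "live"]


def family_counts(hits):
    """Detections per family. Kaspersky names are Behaviour.Platform.Name.Variant,
    so the first three dot-separated parts identify the family."""
    counts = Counter()
    for h in hits:
        counts[".".join(h["threat"].split(".")[:3])] += h["count"]
    return counts


def render_delete_batch(paths):
    """Emit a delete.bat in the shape of the one posted above: delete each path, log
    any that survive and open the log. A plain `pause` (built into cmd) keeps the
    window open instead of relying on an external wait tool."""
    log = '"%temp%\\log.txt"'
    lines = ["@echo off", "if exist %s del %s" % (log, log), "for %%g in ("]
    lines += ['"%s"' % p for p in paths]
    lines += [") do (", "del /a/f %%g >nul 2>&1", "if exist %%g echo.%%~g>>" + log, ")",
              "if exist %s ( start notepad %s" % (log, log),
              ") else echo.Deleted Successfully !!", "pause"]
    return "\r\n".join(lines) + "\r\n"


if __name__ == "__main__":
    hits = parse_report(SAMPLE_REPORT)
    print("detections:", len(hits), dict(Counter(classify(h) for h in hits)))
    for family, n in family_counts(hits).most_common():
        print("%3d  %s" % (n, family))
    print(render_delete_batch(live_paths(hits)))
```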
Old 10-28-2009, 05:36 PM   #7 (permalink)
Registered User
 
Join Date: Oct 2009
Posts: 8
OS: Win XP Media Center Edition


Re: Trojans, Malware & Rootkits!! Oh my!! Please help.

Ried,

Thanks again for helping. I copied the quote and pasted it into notepad, then saved it as delete.bat with All file types selected and ANSI encoding. When I ran the batch file, it flashes up a command window (C:\Windows\System32\cmd.exe is the title) and then instantly closes. No report file was saved and the files are still there.

Should I manually delete them?

The computer seems to be running alright. I need to clean up the start-up so she doesn't have so many things running, among other things.

Edward1
Old 10-28-2009, 07:08 PM   #8 (permalink)
Registered User
 
Join Date: Oct 2009
Posts: 8
OS: Win XP Media Center Edition


Re: Trojans, Malware & Rootkits!! Oh my!! Please help.

Looks like I spoke too soon.

AVG's resident shield found a Trojan identified as:

Generic14.AJZS

Located in C:\Program Files\Windows Defender\MsMpEng.exe

I chose to heal the threat. Will keep you posted on anything else that comes up
Old 10-28-2009, 09:49 PM   #9 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
Join Date: Jan 2005
Location: Ohio
Posts: 27,030
OS: WinXP and Vista


Re: Trojans, Malware & Rootkits!! Oh my!! Please help.

It's running too quickly. Delete the batch file you created and use this one. It is a bit different. Copy the contents inside the quote box (do not include the word quote). Name it and save it the same as before.

Quote:
@echo off
if exist "%temp%\log.txt" del "%temp%\log.txt"
for %%g in (
"C:\Documents and Settings\Compaq_Administrator\Application Data\Sun\Java\Deployment\cache\6.0\60\59af077c-23361c0b"
"C:\Documents and Settings\Compaq_Administrator\My Documents\LimeWire\Saved\all american rejects fallin.wma"
"C:\Documents and Settings\Compaq_Administrator\My Documents\LimeWire\Saved\All-American Rejects - Eyelash Wishes.wma"
"C:\Documents and Settings\Compaq_Administrator\My Documents\LimeWire\Saved\rocketshiptothemoon.wma"
"C:\Documents and Settings\Compaq_Administrator\My Documents\LimeWire\Saved\rocketshiptothemoon3 greatest hit 2009.wma"
"C:\Documents and Settings\Compaq_Administrator\My Documents\LimeWire\Saved\violet hill (new album).mp3"
"C:\Documents and Settings\Emily\Application Data\twext.exe"
"C:\Documents and Settings\Emily\Local Settings\Temp\OBCK.VIR"
"C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\94G53JFY\PersScan-f65e080_2005-10[1].exe"
"C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\II6RRP9G\PersScan-fa6b_2005-10[1].exe"
) do (
del /a/f %%g >nul 2>&1
if exist %%g echo.%%~g>>"%temp%\log.txt"
)
if exist "%temp%\log.txt" ( start notepad "%temp%\log.txt"
) else echo.Deleted Successfully !!
nircmd wait 7000
Post back and tell me what it says.

Also - what is this file on the desktop? Are you able to delete it?

C:\Documents and Settings\Compaq_Administrator\Desktop\呜浥p䵔㵐㩃䑜䍏䵕繅就佃偍允ㅾ䱜䍏䱁繓就敔灭唀䕓䑒䵏䥁㵎佈偏3单剅䅎䕍䌽浯慰影摁業楮瑳慲潴r单剅剐䙏䱉㵅㩃䑜捯浵湥獴愠摮匠瑥楴杮屳潃灭煡䅟浤湩獩牴瑡牯眀湩楤㵲㩃坜义佄南
Old 10-28-2009, 10:25 PM   #10 (permalink)
Registered User
 
Join Date: Oct 2009
Posts: 8
OS: Win XP Media Center Edition


Re: Trojans, Malware & Rootkits!! Oh my!! Please help.

Hello Ried,

The result was that all deletions were successful.

As for the file located on the desktop, I have no idea what it is.

Edward
Old 10-28-2009, 10:47 PM   #11 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
Join Date: Jan 2005
Location: Ohio
Posts: 27,030
OS: WinXP and Vista


Re: Trojans, Malware & Rootkits!! Oh my!! Please help.

Based on the online scan results, that file should be deleted. You may have difficulty deleting it due to the long, unconventional file name. Let me know.
Old 10-30-2009, 07:57 PM   #12 (permalink)
Registered User
 
Join Date: Oct 2009
Posts: 8
OS: Win XP Media Center Edition


Re: Trojans, Malware & Rootkits!! Oh my!! Please help.

Ried,

I have noticed that the system has been running better than normal, so I began to look into the Sticky regarding computer maintenance. I installed Spyware Blaster last night, updated it and performed a scan. 10 objects were located, 9 were removed when I cleaned, and the final one required a restart. I have attached the logfile for your knowledge.

Edward1
Attached Files
File Type: txt SpybotSD.Results.txt (288.2 KB, 1 views)
Old 10-30-2009, 08:55 PM   #13 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
Join Date: Jan 2005
Location: Ohio
Posts: 27,030
OS: WinXP and Vista


Re: Trojans, Malware & Rootkits!! Oh my!! Please help.

Thanks, Edward1. Your logs are clean. If there aren't any more problems, please continue with these final instructions and helpful links:

The following procedure will implement some cleanup procedures. It will also reset your System Restore by flushing out previous restore points (which contain the infections) and create a new restore point.


Click Start > Run and copy/paste, or type the following bolded text into the Run box and click OK:

ComboFix /uninstall

--------------------------------------------------------------------

Should you wish to contribute to the ongoing development of ComboFix, donations are being accepted via PayPal.

You've already installed the additional protection I would have advised; another one I highly recommend is WOT, Web of Trust, which warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:
  • Green to go
  • Yellow for caution
  • Red to stop
WOT has an addon available for both Firefox and IE.


- Scan here http://secunia.com/software_inspector/ for out of date & vulnerable common applications on your computer

- Update, and scan with your onboard Anti Malware and Anti Virus programs regularly. Without regular updates you will not be protected when new malicious programs are released.


You may also find the following articles of interest:

-----------------------------------------------------


**Kindly respond one more time and let me know if we may consider this thread resolved.
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Old 10-31-2009, 09:08 PM   #14 (permalink)
Registered User
 
Join Date: Oct 2009
Posts: 8
OS: Win XP Media Center Edition


Re: Trojans, Malware & Rootkits!! Oh my!! Please help.

Ried,

Thanks again for the help here. I ran the uninstall procedure for ComboFix as instructed, then ran the Secunia online scan. It found over 10 applications that were outdated, some by over a year. Thanks for turning me on to that; I ended up installing the PSI version, and I'm in the process of updating all the software. I uninstalled AVG 8.0 and installed Kaspersky 2010. I updated the definitions and performed a full system scan. The results were:

Full Scan: completed 2 minutes ago (events: 11, objects: 625420, time: 01:53:06)
10/31/2009 7:52:09 PM Task started
10/31/2009 8:12:46 PM Detected: Trojan.HTML.Fraud.l C:\Documents and Settings\Emily\Local Settings\Temporary Internet Files\Content.IE5\7TO86H3E\1[1].htm
10/31/2009 8:15:24 PM Deleted: Trojan.HTML.Fraud.l C:\Documents and Settings\Emily\Local Settings\Temporary Internet Files\Content.IE5\7TO86H3E\1[1].htm
10/31/2009 8:17:12 PM Detected: Trojan.HTML.Fraud.l C:\Documents and Settings\Emily\Local Settings\Temporary Internet Files\Content.IE5\RSQHX06A\1[1].htm
10/31/2009 8:17:46 PM Deleted: Trojan.HTML.Fraud.l C:\Documents and Settings\Emily\Local Settings\Temporary Internet Files\Content.IE5\RSQHX06A\1[1].htm
10/31/2009 9:30:52 PM Detected: HEUR:Virus.Script.Generic C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\YDOJ7BCD\s_code_remote[1].js
10/31/2009 9:39:07 PM Detected: not-a-virus:AdWare.Win32.WeatherBug.a D:\I386\APPS\APP17392\src\CompaqPresario_Spring06.exe/WiseSFXDropper/WISE0015.BIN
10/31/2009 9:39:08 PM Untreated: not-a-virus:AdWare.Win32.WeatherBug.a D:\I386\APPS\APP17392\src\CompaqPresario_Spring06.exe/WiseSFXDropper/WISE0015.BIN Write not supported
10/31/2009 9:39:13 PM Detected: not-a-virus:AdWare.Win32.WeatherBug.a D:\I386\APPS\APP17392\src\HPPavillion_Spring06.exe/WiseSFXDropper/WISE0015.BIN
10/31/2009 9:39:14 PM Untreated: not-a-virus:AdWare.Win32.WeatherBug.a D:\I386\APPS\APP17392\src\HPPavillion_Spring06.exe/WiseSFXDropper/WISE0015.BIN Write not supported
10/31/2009 9:45:15 PM Task completed

I'm not sure if these are just some remaining useless files that the infection(s) were using or not, but I wanted to make you aware of them. Also, there is a limited user profile named "Emily" that hangs when I try to log on. I think I may just delete the profile and be done with it, but do you have any suggestions? Not that there seem to be any issues with Kaspersky and WOT, but I was curious whether this would interfere with AVG's similar service. At any rate, if you feel that this thread is ready to be closed, then by all means do so.

Thanks again,

Edward
Old 10-31-2009, 10:57 PM   #15 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
 
Join Date: Jan 2005
Location: Ohio
Posts: 27,030
OS: WinXP and Vista


Re: Trojans, Malware & Rootkits!! Oh my!! Please help.

Hi Edward,

Kaspersky is reporting items in IE temp internet cache. Simply clearing the temp internet file cache via IE>Tools>Internet Options will take care of that.

The remaining findings are all on the D: drive, which is the Recovery Partition. As you can see, those files aren't viruses; they are minor AdWare. Kaspersky is doing its job by reporting it, but we won't be acting on them since they came with the purchase of the machine.

WOT is an excellent resource and no, since it is a browser add-on, it shouldn't conflict with AVG's similar program.
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
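The reasoning in the reply above (cached IE pages are dealt with by clearing the browser cache; the untreated "not-a-virus" hits on the D: recovery partition are vendor-bundled adware and are left alone; anything else that was detected but never cleaned deserves a closer look) can be written down as a small triage script for a Kaspersky scan report. The following is an added example written for this page, not code from the forum, from Ried, or from Kaspersky. It assumes the "date time Action: Verdict path" line format exactly as quoted in post #14, that D: is the recovery partition as stated in the reply, and that the single extra line in CONSTRUCTED_EXTRA (a hypothetical verdict and file name) exists only to exercise the "investigate" branch.

```python
"""Triage a Kaspersky 2010 scan report by location and outcome.

Added example, not part of the thread. The sample input below reproduces
the event lines quoted in the forum post; CONSTRUCTED_EXTRA is a made-up
line used only to show the remaining branch of the logic.
"""
import re
from collections import defaultdict

# Event lines from the post, reproduced as sample input (raw string keeps the backslashes).
SAMPLE_LOG = r"""
10/31/2009 7:52:09 PM Task started
10/31/2009 8:12:46 PM Detected: Trojan.HTML.Fraud.l C:\Documents and Settings\Emily\Local Settings\Temporary Internet Files\Content.IE5\7TO86H3E\1[1].htm
10/31/2009 8:15:24 PM Deleted: Trojan.HTML.Fraud.l C:\Documents and Settings\Emily\Local Settings\Temporary Internet Files\Content.IE5\7TO86H3E\1[1].htm
10/31/2009 8:17:12 PM Detected: Trojan.HTML.Fraud.l C:\Documents and Settings\Emily\Local Settings\Temporary Internet Files\Content.IE5\RSQHX06A\1[1].htm
10/31/2009 8:17:46 PM Deleted: Trojan.HTML.Fraud.l C:\Documents and Settings\Emily\Local Settings\Temporary Internet Files\Content.IE5\RSQHX06A\1[1].htm
10/31/2009 9:30:52 PM Detected: HEUR:Virus.Script.Generic C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\YDOJ7BCD\s_code_remote[1].js
10/31/2009 9:39:07 PM Detected: not-a-virus:AdWare.Win32.WeatherBug.a D:\I386\APPS\APP17392\src\CompaqPresario_Spring06.exe/WiseSFXDropper/WISE0015.BIN
10/31/2009 9:39:08 PM Untreated: not-a-virus:AdWare.Win32.WeatherBug.a D:\I386\APPS\APP17392\src\CompaqPresario_Spring06.exe/WiseSFXDropper/WISE0015.BIN Write not supported
10/31/2009 9:39:13 PM Detected: not-a-virus:AdWare.Win32.WeatherBug.a D:\I386\APPS\APP17392\src\HPPavillion_Spring06.exe/WiseSFXDropper/WISE0015.BIN
10/31/2009 9:39:14 PM Untreated: not-a-virus:AdWare.Win32.WeatherBug.a D:\I386\APPS\APP17392\src\HPPavillion_Spring06.exe/WiseSFXDropper/WISE0015.BIN Write not supported
10/31/2009 9:45:15 PM Task completed
"""

# Constructed, hypothetical line (verdict and file name invented) for the "investigate" case.
CONSTRUCTED_EXTRA = r"""
10/31/2009 9:44:00 PM Detected: Trojan.Win32.Example C:\WINDOWS\system32\constructed_example.dll
"""

# One event line: timestamp, action, verdict, path, optional trailing reason.
# "Task started" / "Task completed" lines carry no action and are ignored.
EVENT_RE = re.compile(
    r"^(?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M) "
    r"(?P<action>Detected|Deleted|Untreated|Disinfected|Quarantined): "
    r"(?P<verdict>\S+) (?P<path>.+?)(?: (?P<note>Write not supported))?$"
)


def parse_event(line):
    """Return a dict for an event line, or None for blanks and task markers."""
    m = EVENT_RE.match(line.strip())
    return m.groupdict() if m else None


def classify_location(path, recovery_drive="D:"):
    """Where the flagged file lives: browser cache, recovery partition, or other."""
    p = path.lower()
    if "\\temporary internet files\\" in p:
        return "browser cache"
    if p.startswith(recovery_drive.lower() + "\\"):  # D: is the recovery partition per the reply
        return "recovery partition"
    return "other"


def triage(log_text, recovery_drive="D:"):
    """Group every detection the scanner did not clean into an action bucket."""
    events = [e for e in map(parse_event, log_text.splitlines()) if e]
    cleaned = {e["path"] for e in events
               if e["action"] in ("Deleted", "Disinfected", "Quarantined")}
    outstanding = {}
    for e in events:
        if e["action"] == "Detected" and e["path"] not in cleaned:
            outstanding[e["path"]] = e

    report = defaultdict(list)
    for path, e in outstanding.items():
        where = classify_location(path, recovery_drive)
        if where == "browser cache":
            bucket = "clear browser cache"
        elif where == "recovery partition" and e["verdict"].startswith("not-a-virus:"):
            bucket = "vendor-bundled adware, leave in place"
        else:
            bucket = "investigate"
        report[bucket].append(f'{e["verdict"]} {path}')
    return dict(report)


if __name__ == "__main__":
    for bucket, items in triage(SAMPLE_LOG + CONSTRUCTED_EXTRA).items():
        print(bucket)
        for item in items:
            print("   ", item)
```

The two cached-page hits that Kaspersky already deleted drop out of the report entirely; only the heuristic hit left in the systemprofile cache lands in the "clear browser cache" bucket, and the two "Write not supported" WeatherBug entries fall into the "leave in place" bucket because they are both inside the recovery drive and carry a not-a-virus verdict. A real trojan verdict on the recovery partition, or anything untreated on C:, would land in "investigate" instead, which is the distinction the reply draws.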
All times are GMT -7.

Copyright 2001 - 2009, Tech Support Forum