I am trying to clean up an HP Pavilion 7915,1.1 Ghz, 256Mb Ram, Win XP Home SP2 for my
daughters brother-in-law who is about 35 and mentally impaired (= a young teen???). He does
live on his own and I try to protect his system with freebies like AVG without locking it
down with something like Net Nanny or K9. The new AVG8 seems to really slow things down but
it does provide antivirus and antispyware combined. There is no 3rd party firewall installed.
Regardless, popups are a challenge for him. He knows to just close the windows via the top
right X but there is no guarantee he won't select the wrong option.

Anyway, Problems encountered:

Multiple popups with references to Virus Remover 2008, PC Privacy Cleaner, XP Antivirus 2008.
The task bar shows 'Virus Alert!' next to the time.

The standard Start Menu does not show 'Programs' but switching to Classic Start Menu does.
There is no access to Control Panel in the Classic Start Menu but is in the standard Start Menu.

Neither Start Menu configuration has a Log Off option (Turn off Computer is still there) but
the Windows-L function takes you back to the Logon screen which shows the user as 'Logged On'
Clicking on the user immediately brings you back to the desktop.

There is absolutely no access to the C: Drive unless in Safe Mode

When logging in, the desktop wallpaper shows but disappears just prior to the desktop icons
appearing leaving the default white background. The right click function on the desktop is
disabled and accessing Display in the Control Panel returns a pop up saying "Your system
administrator disabled the Display control panel"

I am not sure what else might be going on. He said the problems started about a week ago but
all the restore points appear to be gone (I set one about 6 months ago the last time I cleaned
his computer for him). The System Restore Wizard calendar does not go back to past months when
clicking the back arrow for past months.

What I have done:

1) I have CCleaner installed but went ahead and ran ATF-Cleaner in Safe Mode.
2) Installed and ran SuperAntiSpyware Free in Safe Mode.
3) Upgraded from AVG 7.xxx to AVG8 Free vsn (not in Safe Mode)
4) Installed and ran most current HijackThis
5) Ran DSS per preparation guide

Note: At present I cannot connect his computer to the internet since I brought it to my house to
work on. His computer only has USB, no ethernet nor WiFi card. His is specifically matched to
his Cox Cable modem and my router only takes CAT5 ethernet or WiFi. So I use my system to download
anything I need to a USB thumb drive then port it over to his system, then reverse that to upload
the HijackThis file. Hmmm ??? split my Cox cable and bring his modem over for a direct connection?

Anyway, enough blather ... The popups have discontinued for now (lack of internet access?) but all
of the configuration issues above persist as does the 'Virus Alert' next to the time. Here is the
DSS/HijackThis Log.


Deckard's System Scanner v20071014.68
Run by Owner on 2008-08-04 10:57:18
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Total Physical Memory: 255 MiB (512 MiB recommended).


-- HijackThis (run as Owner.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:57: VIRUS ALERT!, on 8/4/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Owner\Desktop\virus_adware protection\Dekards System Scanner\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Owner.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tucson.cox.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://as.starware.com/dp/search?x=wKX1ILE...U2uWLftL7jx0PY=
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer Provided by Cox High Speed Internet
O2 - BHO: - {03488F0D-7152-4FB0-8149-06D714D3EFC2} - C:\WINDOWS\System32\l.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {BB20260D-7705-4A27-B5FC-1A7E43D2C19B} - C:\WINDOWS\System32\hdkmnia.dll (file missing)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...81/mcinsctl.cab
O16 - DPF: {B030900C-746A-47BF-8B1D-EA3FB3395563} (CoxFastConnect20 Control) - https://fastconnect.cox.net/cd20/CoxFastConnect20.ocx
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/m...,19/mcgdmgr.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: WinCtrl32 - WinCtrl32.dll (file missing)
O21 - SSODL: eqvwamkl - {8DA657F1-459D-4D80-9AF4-EC9487981C95} - C:\WINDOWS\eqvwamkl.dll (file missing)
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

--
End of file - 5269 bytes

-- Files created between 2008-07-04 and 2008-08-04 -----------------------------

2008-08-04 10:43:48 0 d-------- C:\Program Files\Trend Micro
2008-08-04 00:25:01 0 d--h----- C:\$AVG8.VAULT$
2008-08-04 00:19:06 0 d-------- C:\WINDOWS\system32\drivers\Avg
2008-08-04 00:18:45 0 d-------- C:\Program Files\AVG
2008-08-04 00:18:44 0 d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-08-03 21:21:12 0 d-------- C:\Documents and Settings\Administrator.CLASHT.000\Application Data\SUPERAntiSpyware.com
2008-08-03 20:56:56 0 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-08-03 20:56:39 0 d-------- C:\Program Files\SUPERAntiSpyware
2008-08-03 20:56:39 0 d-------- C:\Documents and Settings\Owner\Application Data\SUPERAntiSpyware.com
2008-08-03 20:55:44 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-08-03 19:33:14 0 d-------- C:\Documents and Settings\Administrator.CLASHT.000\Application Data\InterTrust
2008-08-03 19:33:14 0 d-------- C:\Documents and Settings\Administrator.CLASHT.000\Application Data\Identities
2008-08-03 19:33:14 0 d-------- C:\Documents and Settings\Administrator.CLASHT.000\Application Data\Adobe
2008-08-03 19:33:13 0 d-------- C:\Documents and Settings\Administrator.CLASHT.000\WINDOWS
2008-08-03 19:33:13 0 d--h----- C:\Documents and Settings\Administrator.CLASHT.000\Templates
2008-08-03 19:33:13 0 dr------- C:\Documents and Settings\Administrator.CLASHT.000\Start Menu
2008-08-03 19:33:13 0 dr-h----- C:\Documents and Settings\Administrator.CLASHT.000\SendTo
2008-08-03 19:33:13 0 dr-h----- C:\Documents and Settings\Administrator.CLASHT.000\Recent
2008-08-03 19:33:13 0 d--h----- C:\Documents and Settings\Administrator.CLASHT.000\PrintHood
2008-08-03 19:33:13 0 d--h----- C:\Documents and Settings\Administrator.CLASHT.000\NetHood
2008-08-03 19:33:13 0 dr------- C:\Documents and Settings\Administrator.CLASHT.000\My Documents
2008-08-03 19:33:13 0 d--h----- C:\Documents and Settings\Administrator.CLASHT.000\Local Settings
2008-08-03 19:33:13 0 dr------- C:\Documents and Settings\Administrator.CLASHT.000\Favorites
2008-08-03 19:33:13 0 d-------- C:\Documents and Settings\Administrator.CLASHT.000\Desktop
2008-08-03 19:33:13 0 d--hs---- C:\Documents and Settings\Administrator.CLASHT.000\Cookies
2008-08-03 19:33:13 0 dr-h----- C:\Documents and Settings\Administrator.CLASHT.000\Application Data
2008-08-03 19:33:13 0 d---s---- C:\Documents and Settings\Administrator.CLASHT.000\Application Data\Microsoft
2008-08-03 19:33:12 737280 --a------ C:\Documents and Settings\Administrator.CLASHT.000\NTUSER.DAT
2008-08-03 15:54:06 0 dr-h----- C:\Documents and Settings\Owner\Recent
2008-08-02 11:17:26 0 d-------- C:\Program Files\Windows Media Connect 2
2008-08-02 11:12:58 0 d-------- C:\WINDOWS\system32\LogFiles
2008-08-02 11:12:58 0 d-------- C:\WINDOWS\system32\drivers\UMDF
2008-07-27 17:17:59 0 d-------- C:\Program Files\PCPrivacyCleaner
2008-07-27 09:45:39 0 d-------- C:\Documents and Settings\Owner\Application Data\TmpRecentIcons
2008-07-27 09:43:32 86016 --a------ C:\WINDOWS\grswptdl.exe
2008-07-27 09:42:49 139264 --a------ C:\WINDOWS\eovp.exe
2008-07-27 09:42:11 0 d-------- C:\Program Files\VAV
2008-07-27 09:41:44 0 d-------- C:\Program Files\PCHealthCenter
2008-07-25 23:03:28 0 d-------- C:\Documents and Settings\Owner\Application Data\Talkback
2008-07-25 22:03:05 0 d-------- C:\Program Files\Common Files\xing shared
2008-07-25 21:43:41 0 d-------- C:\Documents and Settings\Owner\Application Data\Mozilla


-- Find3M Report ---------------------------------------------------------------

2008-08-03 20:55:44 0 d-------- C:\Program Files\Common Files
2008-07-25 22:09:49 0 d-------- C:\Documents and Settings\Owner\Application Data\Real
2008-07-25 22:01:42 0 d-------- C:\Program Files\Common Files\Real


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{03488F0D-7152-4FB0-8149-06D714D3EFC2}]
09/10/2004 21:19: VIRUS ALERT! 19116 --a------ C:\WINDOWS\System32\l.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BB20260D-7705-4A27-B5FC-1A7E43D2C19B}]
C:\WINDOWS\System32\hdkmnia.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [05/07/1998 09:04: VIRUS ALERT!]
"KBD"="C:\HP\KBD\KBD.EXE" [07/06/2001 14:56: VIRUS ALERT!]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [06/15/2001 15:34: VIRUS ALERT!]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [08/07/2001 17:25: VIRUS ALERT!]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [08/07/2001 16:36: VIRUS ALERT!]
"PS2"="C:\WINDOWS\system32\ps2.exe" [07/03/2001 14:13: VIRUS ALERT!]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [08/04/2008 00:18: VIRUS ALERT!]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [05/28/2008 10:33: VIRUS ALERT!]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"DisableTaskMgr"=0 (0x0)
"NoDispCPL"=1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"SpecifyDefaultButtons"=0 (0x0)
"Btn_Search"=0 (0x0)
"NoBandCustomize"=0 (0x0)
"NoToolbarCustomize"=0 (0x0)
"StartMenuLogoff"=1 (0x1)
"NoStartMenuMorePrograms"=1 (0x1)
"NoSetFolders"=1 (0x1)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [05/13/2008 10:13: VIRUS ALERT! 77824]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"eqvwamkl"= {8DA657F1-459D-4D80-9AF4-EC9487981C95} - C:\WINDOWS\eqvwamkl.dll [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 04/19/2007 13:41: VIRUS ALERT! 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WinCtrl32]
WinCtrl32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winlq48.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winmr85.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\23089741598192517752780679391111]
C:\Program Files\XP Antivirus\xpa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\A1Edqde2]
C:\WINDOWS\botvk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\advap32]
C:\DOCUME~1\Owner\LOCALS~1\Temp\scksexde.exe/r

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Update Detection]
C:\Program Files\Microsoft Works\WkDetect.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MoneyStartUp]
C:\Program Files\Microsoft Money\System\Money Startup.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\tqvwtmd]
C:\WINDOWS\tqvwtmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\wnqretuh]
C:\WINDOWS\wnqretuh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WorkFlow]
D:\Install\WorkFlow.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\yznwslidgtcdj]
C:\WINDOWS\System32\vvpoona.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\¢‰¸u0Ô@ÔÁß]­ú"ü‰¸u0C:]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\¢‰¸u0Ô@ÔÁß]­ú"ü‰¸u0C:\Program Files]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\¢‰¸u0Ô@ÔÁß]­ú"ü‰¸u0C:\Program Files\ISTsvc]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\¢‰¸u0Ô@ÔÁß]­ú"ü‰¸u0C:\Program Files\ISTsvc\istsvc.exe]
C:\WINDOWS\botvk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\¢‰¸u0Ô@ÔÁß]­ú"ü‰üžiC:]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\¢‰¸u0Ô@ÔÁß]­ú"ü‰üžiC:\Program Files]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\¢‰¸u0Ô@ÔÁß]­ú"ü‰üžiC:\Program Files\ISTsvc]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\¢‰¸u0Ô@ÔÁß]­ú"ü‰üžiC:\Program Files\ISTsvc\istsvc.exe]
C:\WINDOWS\botvk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\¢‰¸u0ÔÁß]­ú"ü‰üžigÝC:]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\¢‰¸u0ÔÁß]­ú"ü‰üžigÝC:\Program Files]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\¢‰¸u0ÔÁß]­ú"ü‰üžigÝC:\Program Files\ISTsvc]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\¢‰¸u0ÔÁß]­ú"ü‰üžigÝC:\Program Files\ISTsvc\istsvc.exe]
C:\WINDOWS\botvk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\¢‰¸u0–4C]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\¢‰¸u0–4C]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\¢‰¸u0–4C]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\¢‰¸u0–4C]
C:\WINDOWS\botvk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\¢‰¸u0–4C]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\¢‰¸u0–4C]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\¢‰¸u0–4C]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\¢‰¸u0–4C]
C:\WINDOWS\botvk.exe




-- End of Deckard's System Scanner: finished at 2008-08-04 10:58:05 ------------


Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Home Edition (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel Celeron processor
Percentage of Memory in Use: 65%
Physical Memory (total/avail): 254.48 MiB / 87.64 MiB
Pagefile Memory (total/avail): 433.5 MiB / 148.74 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1936.99 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 32.85 GiB total, 25.55 GiB free.
D: is CDROM (No Media)
E: is Removable (FAT32)

\\.\PHYSICALDRIVE0 - ST340810A - 37.27 GiB - 2 partitions
\PARTITION0 - Unknown - 4.41 GiB
\PARTITION1 (bootable) - Installable File System - 32.85 GiB - C:

\\.\PHYSICALDRIVE1 - USB 2.0 USB Flash Drive USB Device - 3.78 GiB - 1 partition
\PARTITION0 (bootable) - Unknown - 3.78 GiB - E:



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is enabled.

AV: AVG Anti-Virus Free v8.0 (AVG Technologies) Outdated

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\America Online 9.0a\\waol.exe"="C:\\Program Files\\America Online 9.0a\\waol.exe:*:Enabled:America Online 9.0a"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Program Files\\America Online 9.0a\\waol.exe"="C:\\Program Files\\America Online 9.0a\\waol.exe:*:Enabled:America Online 9.0a"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"="C:\\Program Files\\Grisoft\\AVG7\\avginet.exe:*:Enabled:avginet.exe"
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe:*:Enabled:avgamsvr.exe"
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe:*:Enabled:avgcc.exe"
"C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe:*:Enabled:avgemc.exe"
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"="C:\\Program Files\\Real\\RealPlayer\\realplay.exe:*:Disabled:RealPlayer"
"C:\\WINDOWS\\system32\\sessmgr.exe"="C:\\WINDOWS\\system32\\sessmgr.exe:*:Disabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Internet Explorer\\iexplore.exe"="C:\\Program Files\\Internet Explorer\\iexplore.exe:*:Enabled:Internet Explorer"
"C:\\Program Files\\AVG\\AVG8\\avgemc.exe"="C:\\Program Files\\AVG\\AVG8\\avgemc.exe:*:Enabled:avgemc.exe"
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"="C:\\Program Files\\AVG\\AVG8\\avgupd.exe:*:Enabled:avgupd.exe"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Owner\Application Data
CLASSPATH=.;C:\Program Files\QuickTime\QTSystem\QTJava.zip
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=CLASHT
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Owner
LOGONSERVER=\\CLASHT
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program files\PC-Doctor for Windows XP\WINDSAPI;C:\Program Files\QuickTime\QTSystem\
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 8 Stepping 10, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=080a
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\QuickTime\QTSystem\QTJava.zip
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\Owner\LOCALS~1\Temp
TMP=C:\DOCUME~1\Owner\LOCALS~1\Temp
USERDOMAIN=CLASHT
USERNAME=Owner
USERPROFILE=C:\Documents and Settings\Owner
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

Owner (admin)
Administrator.CLASHT.000 (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
--> C:\WINDOWS\IsUninst.exe -fC:\WINDOWS\orun32.isu
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Ad-Aware SE Personal --> C:\PROGRA~1\Lavasoft\AD-AWA~1\UNWISE.EXE C:\PROGRA~1\Lavasoft\AD-AWA~1\INSTALL.LOG
Adobe Acrobat 5.0 --> C:\WINDOWS\ISUNINST.EXE -f"C:\Program Files\Common Files\Adobe\Acrobat 5.0\NT\Uninst.isu" -c"C:\Program Files\Common Files\Adobe\Acrobat 5.0\NT\Uninst.dll"
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
AdWare & SpyWare --> "C:\Program Files\Internet Explorer\IEXPLORE.EXE" "http://www.adwareremovergold.com/?revid=31418&s=1"
Apple Software Update --> MsiExec.exe /I{A50C25D7-62E9-4511-AD70-8E2DA5E79B7D}
AusLogics Disk Defrag --> "C:\Program Files\AusLogics Disk Defrag\unins000.exe"
AVG Free 8.0 --> C:\Program Files\AVG\AVG8\setup.exe /UNINSTALL
Belarc Advisor 7.2 --> C:\PROGRA~1\Belarc\Advisor\Uninstall.exe C:\PROGRA~1\Belarc\Advisor\INSTALL.LOG
CCleaner (remove only) --> "C:\Program Files\CCleaner\uninst.exe"
EVEREST Home Edition v1.51 --> "C:\Program Files\Lavalys\EVEREST Home Edition\unins000.exe"
Gold Miner: Vegas (remove only) --> "C:\Program Files\Gold Miner Vegas\Uninstall.exe"
Google Toolbar for Internet Explorer --> MsiExec.exe /I{DBEA1034-5882-4A88-8033-81C4EF0CFA29}
Google Toolbar for Internet Explorer --> regsvr32 /u /s "c:\program files\google\googletoolbar1.dll"
HijackThis 1.99.1 --> C:\Documents and Settings\Owner\Desktop\virus_adware protection\hijackthis\HijackThis.exe /uninstall
Hotfix for Windows Media Format 11 SDK (KB929399) --> "C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
hp center --> C:\WINDOWS\BWUnin-6.1.0.153.exe -AppId 137903
HP Instant Support --> C:\PROGRA~1\HPINST~1\UNWISE.EXE C:\PROGRA~1\HPINST~1\INSTALL.LOG
HP Photo Printing Software --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Printing\Uninstall.isu" -c"C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Printing\hpiunPC.dll
Inactive HP Printer Drivers (Remove only) --> RunDll32 hpuninst.dll,InstallHinfSection UninstDefault 132 prntunin.inf
Inactive HP ScanJet Drivers (Remove only) --> RunDll32 hpuninst.dll,InstallHinfSection UninstDefault 132 sjunin.inf
Internet Explorer Q903235 --> C:\WINDOWS\ieuninst.exe C:\WINDOWS\INF\Q903235.inf
iTunes --> MsiExec.exe /I{446DBFFA-4088-48E3-8932-74316BA4CAE4}
KazooStudio --> C:\WINDOWS\ISUNINST.EXE -f"C:\Program Files\Kazoo3D\KazooStudio\Uninst.isu" -c"C:\Program Files\Kazoo3D\KazooStudio\UnInst.dll"
KBD --> C:\HP\KBD\KBD.EXE uninstalled
Learn2 Player (Uninstall Only) --> C:\Program Files\Learn2.com\StRunner\stuninst.exe
Lernout & Hauspie TruVoice American English TTS Engine --> RunDll32 advpack.dll,LaunchINFSection C:\WINDOWS\INF\tv_enua.inf, Uninstall
Macromedia Flash Player 8 --> RunDll32 advpack.dll,LaunchINFSection C:\WINDOWS\INF\swflash.inf,DefaultUninstall,5
Microsoft Compression Client Pack 1.0 for Windows XP --> "C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft User-Mode Driver Framework Feature Pack 1.0 --> "C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Microsoft Works 6.0 --> MsiExec.exe /I{F8D0829C-9C6F-11D3-8080-00C04FA329AA}
Microsoft Works and Money 2001 Setup Launcher --> C:\Program Files\Microsoft Works and Money 2001\Setup\Launcher.exe d:\
Move Networks Media Player for Internet Explorer --> C:\Documents and Settings\Owner\Application Data\Move Networks\ie_bin\Uninst.exe
Mozilla Firefox (2.0) --> C:\Program Files\Mozilla Firefox\uninstall\uninst.exe
My Photo Center --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\ArcSoft\My Photo Center\Uninst.isu"
PC-Doctor for Windows --> C:\WINDOWS\UNWISE.EXE C:\PROGRA~1\PC-DOC~1\INSTALL.LOG
Private Eye - Greatest Unsolved Mysteries (remove only) --> "C:\Program Files\Private Eye - Greatest Unsolved Mysteries\Uninstall.exe"
PS2 --> C:\WINDOWS\system32\ps2.exe uninstall
QuickTime --> MsiExec.exe /I{5E863175-E85D-44A6-8968-82507D34AE7F}
RealPlayer --> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
S3 Gamma --> s3uninst.exe -reg 5 'HKLM\Software\S3\S3Uninst\S3 Gamma'
S3 Savage4 Family Display Switch2 Utility --> S3Uninst.exe -reg 5 HKLM\SOFTWARE\S3\S3Uninst\S3Switch2
Security Update for Step By Step Interactive Training (KB898458) --> "C:\WINDOWS\$NtUninstallKB898458$\spuninst\spuninst.exe"
Security Update for Step By Step Interactive Training (KB923723) --> "C:\WINDOWS\$NtUninstallKB923723$\spuninst\spuninst.exe"
Spybot - Search & Destroy 1.4 --> "C:\Program Files\Spybot - Search & Destroy\unins000.exe"
SUPERAntiSpyware Free Edition --> MsiExec.exe /X{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}
Viewpoint Manager (Remove Only) --> C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgrInstaller.exe /u /k
Viewpoint Media Player --> C:\Program Files\Viewpoint\Viewpoint Experience Technology\mtsAxInstaller.exe /u
Windows Media Format 11 runtime --> "C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"


-- Application Event Log -------------------------------------------------------

Event Record #/Type6644 / Warning
Event Submitted/Written: 08/04/2008 08:12:45 AM
Event ID/Source: 1524 / Userenv
Event Description:
Windows cannot unload your classes registry file - it is still in use by other applications or services. The file will be unloaded when it is no longer in use.

Event Record #/Type6637 / Warning
Event Submitted/Written: 08/03/2008 09:11:51 PM
Event ID/Source: 1524 / Userenv
Event Description:
Windows cannot unload your classes registry file - it is still in use by other applications or services. The file will be unloaded when it is no longer in use.

Event Record #/Type6634 / Warning
Event Submitted/Written: 08/03/2008 07:37:53 PM
Event ID/Source: 1015 / MsiInstaller
Event Description:
Failed to connect to server. Error: 0x8007043C

Event Record #/Type6629 / Error
Event Submitted/Written: 08/03/2008 00:39:09 PM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application xpa.exe, version 0.0.0.0, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Event Record #/Type6628 / Error
Event Submitted/Written: 08/03/2008 00:39:08 PM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application xpa.exe, version 0.0.0.0, hang module hungapp, version 0.0.0.0, hang address 0x00000000.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type50037 / Error
Event Submitted/Written: 08/04/2008 10:41:35 AM
Event ID/Source: 7 / Disk
Event Description:
The device, \Device\Harddisk1\D, has a bad block.

Event Record #/Type50036 / Error
Event Submitted/Written: 08/04/2008 10:41:21 AM
Event ID/Source: 7 / Disk
Event Description:
The device, \Device\Harddisk1\D, has a bad block.

Event Record #/Type50035 / Error
Event Submitted/Written: 08/04/2008 10:21:40 AM / 08/04/2008 10:21:41 AM
Event ID/Source: 7 / Disk
Event Description:
The device, \Device\Harddisk1\D, has a bad block.

Event Record #/Type50020 / Error
Event Submitted/Written: 08/04/2008 08:13:50 AM / 08/04/2008 08:14:54 AM
Event ID/Source: 4 / ACPI
Event Description:
AMLI: ACPI BIOS is attempting to read from an illegal IO port address (0x71), which lies in the 0x70 - 0x71 protected
address range. This could lead to system instability. Please contact your system vendor for technical assistance.

Event Record #/Type50019 / Error
Event Submitted/Written: 08/04/2008 08:13:50 AM / 08/04/2008 08:14:54 AM
Event ID/Source: 5 / ACPI
Event Description:
AMLI: ACPI BIOS is attempting to write to an illegal IO port address (0x70), which lies in the 0x70 - 0x71 protected
address range. This could lead to system instability. Please contact your system vendor for technical assistance.


-- End of Deckard's System Scanner: finished at 2008-08-04 10:50:02 ------------

Thanks and looking forward to your help

Hi,

First of all, read and perform the instructions I have posted here:
http://miekiemoes.blogspot.com/2008/05/vir...to-restore.html

Then, when you're done, * Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

This includes installing the Windows XP Recovery Console in case you have not installed it yet.

Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.

Hi Miekiemoes

Thank you for the reply. I had to get the cable modem that was matched to the computer I am working to fix. Your help has been invaluable. The registry fixes and varestorepolicies went fine. I downloaded the recovery console, used combo fix to install it then turned virus, spyware and firewall off and let Combofix do its thing. Ran a new Hijackthis. Here are both logs. Let me know if there is anything else we need to take care of. Thanks again!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:51:01 AM, on 8/7/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\fxssvc.exe
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wwe.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: - {03488F0D-7152-4FB0-8149-06D714D3EFC2} - C:\WINDOWS\System32\l.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...81/mcinsctl.cab
O16 - DPF: {B030900C-746A-47BF-8B1D-EA3FB3395563} (CoxFastConnect20 Control) - https://fastconnect.cox.net/cd20/CoxFastConnect20.ocx
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/m...,19/mcgdmgr.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

--
End of file - 4571 bytes

ComboFix 08-08-03.03 - Owner 2008-08-07 11:31:43.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.80 [GMT -7:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Owner\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\License_Manager
C:\Program Files\PCHealthCenter
C:\Program Files\PCHealthCenter\0.gif
C:\Program Files\PCHealthCenter\2.gif
C:\Program Files\PCHealthCenter\3.gif
C:\Program Files\PCPrivacyCleaner
C:\Program Files\VAV
C:\Program Files\VAV\vav.ooo
C:\Program Files\VAV\vav0.dat
C:\Program Files\VAV\vav1.dat
C:\WINDOWS\eovp.exe
C:\WINDOWS\grswptdl.exe
C:\WINDOWS\system\oeminfo.ini
C:\WINDOWS\system32\ncase.ini

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_GB


((((((((((((((((((((((((( Files Created from 2008-07-07 to 2008-08-07 )))))))))))))))))))))))))))))))
.

2008-08-04 10:46 . 2008-08-04 10:46 <DIR> d-------- C:\Deckard
2008-08-04 10:43 . 2008-08-04 10:43 <DIR> d-------- C:\Program Files\Trend Micro
2008-08-04 00:25 . 2008-08-07 02:17 <DIR> d--h----- C:\$AVG8.VAULT$
2008-08-04 00:19 . 2008-08-06 23:09 <DIR> d-------- C:\WINDOWS\SYSTEM32\drivers\Avg
2008-08-04 00:19 . 2008-08-04 00:19 96,520 --a------ C:\WINDOWS\SYSTEM32\drivers\avgldx86.sys
2008-08-04 00:19 . 2008-08-04 00:19 76,040 --a------ C:\WINDOWS\SYSTEM32\drivers\avgtdix.sys
2008-08-04 00:19 . 2008-08-04 00:19 10,520 --a------ C:\WINDOWS\SYSTEM32\avgrsstx.dll
2008-08-04 00:18 . 2008-08-04 00:18 <DIR> d-------- C:\Program Files\AVG
2008-08-04 00:18 . 2008-08-04 00:18 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-08-03 21:21 . 2008-08-03 21:21 <DIR> d-------- C:\Documents and Settings\Administrator.CLASHT.000\Application Data\SUPERAntiSpyware.com
2008-08-03 20:56 . 2008-08-03 20:56 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-08-03 20:56 . 2008-08-03 20:56 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\SUPERAntiSpyware.com
2008-08-03 20:56 . 2008-08-03 20:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-08-03 20:55 . 2008-08-03 20:55 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-08-03 19:33 . 2004-04-28 15:40 <DIR> d-------- C:\Documents and Settings\Administrator.CLASHT.000\WINDOWS
2008-08-03 19:33 . 2004-04-28 15:39 <DIR> d-------- C:\Documents and Settings\Administrator.CLASHT.000\Application Data\InterTrust
2008-08-03 19:33 . 2008-08-05 10:17 <DIR> d-------- C:\Documents and Settings\Administrator.CLASHT.000
2008-08-02 11:18 . 2006-10-04 07:06 1,197,294 --------- C:\WINDOWS\SYSTEM32\dllcache\sysmain.sdb
2008-08-02 11:18 . 2006-10-04 07:06 764,868 --------- C:\WINDOWS\SYSTEM32\dllcache\apph_sp.sdb
2008-08-02 11:18 . 2006-10-04 07:06 217,118 --------- C:\WINDOWS\SYSTEM32\dllcache\apphelp.sdb
2008-08-02 11:17 . 2008-08-02 11:17 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2008-08-02 11:12 . 2008-08-02 11:12 <DIR> d-------- C:\WINDOWS\SYSTEM32\LogFiles
2008-08-02 11:12 . 2008-08-02 11:14 <DIR> d-------- C:\WINDOWS\SYSTEM32\drivers\UMDF
2008-07-25 23:03 . 2008-07-25 23:03 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Talkback
2008-07-25 22:03 . 2008-07-25 22:03 <DIR> d-------- C:\Program Files\Common Files\xing shared
2008-07-21 13:29 . 2008-06-13 06:10 272,128 --------- C:\WINDOWS\SYSTEM32\dllcache\bthport.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-04 02:53 --------- d-----w C:\Documents and Settings\All Users\Application Data\Grisoft
2008-07-26 05:01 --------- d-----w C:\Program Files\Common Files\Real
2008-07-13 19:43 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\SYSTEM32\mswsock.dll
2008-06-20 17:41 245,248 ------w C:\WINDOWS\SYSTEM32\dllcache\mswsock.dll
2008-06-20 17:41 148,992 ----a-w C:\WINDOWS\SYSTEM32\dllcache\dnsapi.dll
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\SYSTEM32\dllcache\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 10:44 138,368 ------w C:\WINDOWS\SYSTEM32\dllcache\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\SYSTEM32\dllcache\tcpip6.sys
2008-06-13 13:10 272,128 ------w C:\WINDOWS\system32\drivers\bthport.sys
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\SYSTEM32\dllcache\rmcast.sys
2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\SYSTEM32\quartz.dll
2008-05-07 05:18 1,287,680 ------w C:\WINDOWS\SYSTEM32\dllcache\quartz.dll
2001-07-22 02:45 94,784 --sh--w C:\WINDOWS\twain.dll
2004-08-04 07:56 50,688 --sh--w C:\WINDOWS\twain_32.dll
2004-08-04 07:56 1,028,096 --sh--w C:\WINDOWS\SYSTEM32\mfc42.dll
2004-08-04 07:56 54,784 --sha-w C:\WINDOWS\SYSTEM32\msvcirt.dll
2004-08-04 07:56 413,696 --sha-w C:\WINDOWS\SYSTEM32\msvcp60.dll
2004-08-04 07:56 343,040 --sha-w C:\WINDOWS\SYSTEM32\msvcrt.dll
2007-12-04 18:38 550,912 --sh--w C:\WINDOWS\SYSTEM32\oleaut32.dll
2004-08-04 07:56 83,456 --sh--w C:\WINDOWS\SYSTEM32\olepro32.dll
2004-08-04 07:56 11,776 --sh--w C:\WINDOWS\SYSTEM32\regsvr32.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{03488F0D-7152-4FB0-8149-06D714D3EFC2}]
2004-09-10 21:19 19116 --a------ C:\WINDOWS\System32\l.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-05-28 10:33 1506544]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 09:04 52736]
"KBD"="C:\HP\KBD\KBD.EXE" [2001-07-06 14:56 61440]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2001-06-15 15:34 212992]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2001-08-07 17:25 143360]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2001-08-07 16:36 90112]
"PS2"="C:\WINDOWS\system32\ps2.exe" [2001-07-03 14:13 81920]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-08-04 00:18 1232152]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"SpecifyDefaultButtons"= 0 (0x0)
"Btn_Search"= 0 (0x0)
"NoBandCustomize"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 10:13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winlq48.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winmr85.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\advap32]
C:\DOCUME~1\Owner\LOCALS~1\Temp\scksexde.exe/r [X]
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\¢‰¸u0Ô@ÔÁß]­úü‰¸u0C:
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\¢‰¸u0Ô@ÔÁß]­úü‰¸u0C:\Program Files
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\¢‰¸u0Ô@ÔÁß]­úü‰¸u0C:\Program Files\ISTsvc
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\¢‰¸u0Ô@ÔÁß]­úü‰üžiC:
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\¢‰¸u0Ô@ÔÁß]­úü‰üžiC:\Program Files
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\¢‰¸u0Ô@ÔÁß]­úü‰üžiC:\Program Files\ISTsvc
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\¢‰¸u0ÔÁß]­úü‰üžigÝC:
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\¢‰¸u0ÔÁß]­úü‰üžigÝC:\Program Files
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\¢‰¸u0ÔÁß]­úü‰üžigÝC:\Program Files\ISTsvc
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\¢‰¸u0–4C
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\¢‰¸u0–4C
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\¢‰¸u0–4C
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\¢‰¸u0–4C
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\¢‰¸u0–4C
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\¢‰¸u0–4C

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Update Detection]
--------- 2000-08-15 17:25 28739 C:\Program Files\Microsoft Works\WkDetect.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-02-16 10:54 282624 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
--a------ 2005-05-31 01:04 1415824 C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2008-07-25 21:57 185896 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"C:\\WINDOWS\\system32\\sessmgr.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-08-04 00:19]
R2 avg8wd;AVG Free8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-08-04 00:18]
R2 AvgTdiX;AVG Free8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [2008-08-04 00:19]
R2 NwSapAgent;SAP Agent;C:\WINDOWS\System32\svchost.exe [2004-08-04 00:56]
S2 avg8emc;AVG Free8 E-mail Scanner;C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-08-04 00:18]
S2 YNPLVOHD;YNPLVOHD;C:\WINDOWS\system32\ynplvohd.rty []
.
Contents of the 'Scheduled Tasks' folder
.
- - - - ORPHANS REMOVED - - - -

BHO-{BB20260D-7705-4A27-B5FC-1A7E43D2C19B} - C:\WINDOWS\System32\hdkmnia.dll
MSConfigStartUp-23089741598192517752780679391111 - C:\Program Files\XP Antivirus\xpa.exe
MSConfigStartUp-A1Edqde2 - C:\WINDOWS\botvk.exe
MSConfigStartUp-MoneyStartUp - C:\Program Files\Microsoft Money\System\Money Startup.exe
MSConfigStartUp-tqvwtmd - C:\WINDOWS\tqvwtmd.exe
MSConfigStartUp-wnqretuh - C:\WINDOWS\wnqretuh.exe
MSConfigStartUp-WorkFlow - D:\Install\WorkFlow.exe
MSConfigStartUp-yznwslidgtcdj - C:\WINDOWS\System32\vvpoona.exe
MSConfigStartUp-istsvc - C:\WINDOWS\botvk.exe
MSConfigStartUp-istsvc - C:\WINDOWS\botvk.exe
MSConfigStartUp-istsvc - C:\WINDOWS\botvk.exe
MSConfigStartUp-¢‰¸u0–4C - C:\WINDOWS\botvk.exe
MSConfigStartUp-¢‰¸u0–4C - C:\WINDOWS\botvk.exe


.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\okqxeq5c.default\
FireFox -: prefs.js - SEARCH.DEFAULTURL - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.wwe.com/


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-07 11:39:34
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\YNPLVOHD]
"ImagePath"="\??\C:\WINDOWS\system32\ynplvohd.rty"
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\SYSTEM32\fxssvc.exe
C:\WINDOWS\SYSTEM32\wscntfy.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
.
**************************************************************************
.
Completion time: 2008-08-07 11:47:49 - machine was rebooted
ComboFix-quarantined-files.txt 2008-08-07 18:47:15

Pre-Run: 27,196,973,056 bytes free
Post-Run: 27,154,358,272 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows Whistler Personal" /fastdetect /NoExecute=OptIn
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

210 --- E O F --- 2008-08-06 10:07:20

Hi,

We're not finished yet...

I also see that there are some entries you have disabled via msconfig including some malware related entries which contains strange characters.
Using a regfix with these strange characters in it won't work. In such cases, I always delete the entire startupregkey and rebuild it again with the legitimate ones, but for that I need a full export of the startupreg here. And in your case, I see you have only a few legitimate entries in your msconfig > startup and as a matter of fact, they are not really needed to start up with Windows anyway, so they may stay disabled and can actually be deleted. The only legitimate one that you may enable in the future again will be Teatimer, but we'll delete it anyway as well since Spybot S&D will come with a new update soon, so you'll have to reinstall it anyway again.

* Open notepad - don't use any other texteditor than notepad or the script will fail.
Copy/paste the text in the quotebox below into notepad:



Save this as txtfile CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.



This will start ComboFix again. * it will create a zipped file on your Desktop - [8]-Submit_Date_Time.zip
* another file will be present on your desktop: CF-Submit.htm which will open after you ran Combofix.
* Where it says: "Submit files for further analysis", click OK and a browser Window will open. There you'll see: "copy/paste filepath into the box & click OK". You'll find the filepath below, so copy and paste this in the above field and click OK.
If the window didn't open, just submit the [8]-Submit_Date_Time.zip file here

After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThislog.

Thanks Miekemoes

I understand what you want me to do but the following took place before I saw your post and I want to wait on your response:
So based on your observations, even though the startup items were disabled, they could have caused the following?

I started to reset the home page for IExplorer and for Firefox to his favorite www.WWE.com. IE went just fine. When I opened Firefox and set the home page to WWE, it came up saying that the flash player needed updating. Ok, no problem as I do this for him periodically. I exited Firefox and typed www.adobe.com/products/flashplayer into IE7 and installed the most recent (from ....115 to ....124 I think). Again no problem I thought. both versions of flashplayer for IE7 and firefox were listed with the same vsn number, yet when I exited IE7 and went back into firefox, it was still calling for a player update, so this time I typed in the adobe address in the firefox address bar and selected to download the firefox version directly from the Adobe web site. This time it acted like a brand new install and wanted me to accept the terms. I closed the dialogue box without responding and exited adobe and firefox. Guess what! I now have PCPrivacyCleaner, VirusRemover, Vista Antivirus 2008 and XP Antivirus 2008 ICONS on the desktop again.

Not sure what else might have been changed. I also immediately turned off the modem pending further action.

Where to go from here? This time I will sit on my hands until the all clear is sounded. Thank you. Thank you.

Hi,

Please do not set the startpage to www.WWE.com again, because it's infected with this fake message to update the flashplayer. If you indeed click it, you'll get infected.
So, please perform the steps with Combofix first. It shall display the log aterwards and then I can see what other malware installed in between, so we can tackle it afterwards as well.

Good Day!

Before I drag CFScript onto Combofix, will I be able to save or rebuild the following startup entries?

1. This computer is an older HP Pavilion 7915 with one of the specialty keyboards and its functionality may be affected by the removal of HPSYSDRV, KBD, PS2 and possibly HKCMD. I would like to either keep or be able to rebuild these although I think disabling or removing HKCMD will probably be ok. Pretty sure he won't be performing tasks that require it.

2. I am very concerned about removing RECGUARD. On HP computers, Recguard prevents the deletion or corruption of the WinXP Recovery Partition. Without it enabled, it is possible to completely knock out the partition which may require sending the PC back to HP for a re-image.

On my way to work, look forward to your post later

Hi,

The script doesn't remove any startup entries which are currently enabled. Only the ones which you have disabled via msconfig previously (and which are not required to run anyway).
These are the entries that the script is going to remove:

Miekiemoes

Sorry I misunderstood your previous post. Thanks for the clarification. Drug cfscript to combofix and copied and pasted the link for the zip file to be sent (successfully). Reran HijackThis. Here are the combofix and Hijackthis logs for when you have time. Thank you.

ComboFix 08-08-03.03 - Owner 2008-08-09 17:30:29.2 - NTFSx86
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Owner\Desktop\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Owner\Desktop\PCPrivacyCleaner.lnk
C:\Documents and Settings\Owner\Desktop\Vista Antivirus 2008.lnk
C:\Documents and Settings\Owner\Desktop\XP Antivirus 2008.lnk
C:\WINDOWS\System32\l.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_YNPLVOHD
-------\Service_YNPLVOHD


((((((((((((((((((((((((( Files Created from 2008-07-10 to 2008-08-10 )))))))))))))))))))))))))))))))
.

2008-08-04 10:46 . 2008-08-04 10:46 <DIR> d-------- C:\Deckard
2008-08-04 10:43 . 2008-08-04 10:43 <DIR> d-------- C:\Program Files\Trend Micro
2008-08-04 00:25 . 2008-08-07 02:17 <DIR> d--h----- C:\$AVG8.VAULT$
2008-08-04 00:19 . 2008-08-07 12:47 <DIR> d-------- C:\WINDOWS\SYSTEM32\drivers\Avg
2008-08-04 00:19 . 2008-08-04 00:19 96,520 --a------ C:\WINDOWS\SYSTEM32\drivers\avgldx86.sys
2008-08-04 00:19 . 2008-08-04 00:19 76,040 --a------ C:\WINDOWS\SYSTEM32\drivers\avgtdix.sys
2008-08-04 00:19 . 2008-08-04 00:19 10,520 --a------ C:\WINDOWS\SYSTEM32\avgrsstx.dll
2008-08-04 00:18 . 2008-08-04 00:18 <DIR> d-------- C:\Program Files\AVG
2008-08-04 00:18 . 2008-08-04 00:18 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-08-03 21:21 . 2008-08-03 21:21 <DIR> d-------- C:\Documents and Settings\Administrator.CLASHT.000\Application Data\SUPERAntiSpyware.com
2008-08-03 20:56 . 2008-08-03 20:56 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-08-03 20:56 . 2008-08-03 20:56 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\SUPERAntiSpyware.com
2008-08-03 20:56 . 2008-08-03 20:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-08-03 20:55 . 2008-08-03 20:55 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-08-03 19:33 . 2004-04-28 15:40 <DIR> d-------- C:\Documents and Settings\Administrator.CLASHT.000\WINDOWS
2008-08-03 19:33 . 2004-04-28 15:39 <DIR> d-------- C:\Documents and Settings\Administrator.CLASHT.000\Application Data\InterTrust
2008-08-03 19:33 . 2008-08-05 10:17 <DIR> d-------- C:\Documents and Settings\Administrator.CLASHT.000
2008-08-02 11:18 . 2006-10-04 07:06 1,197,294 --------- C:\WINDOWS\SYSTEM32\dllcache\sysmain.sdb
2008-08-02 11:18 . 2006-10-04 07:06 764,868 --------- C:\WINDOWS\SYSTEM32\dllcache\apph_sp.sdb
2008-08-02 11:18 . 2006-10-04 07:06 217,118 --------- C:\WINDOWS\SYSTEM32\dllcache\apphelp.sdb
2008-08-02 11:17 . 2008-08-02 11:17 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2008-08-02 11:12 . 2008-08-02 11:12 <DIR> d-------- C:\WINDOWS\SYSTEM32\LogFiles
2008-08-02 11:12 . 2008-08-02 11:14 <DIR> d-------- C:\WINDOWS\SYSTEM32\drivers\UMDF
2008-07-25 23:03 . 2008-07-25 23:03 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Talkback
2008-07-25 22:03 . 2008-07-25 22:03 <DIR> d-------- C:\Program Files\Common Files\xing shared
2008-07-21 13:29 . 2008-06-13 06:10 272,128 --------- C:\WINDOWS\SYSTEM32\dllcache\bthport.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-04 02:53 --------- d-----w C:\Documents and Settings\All Users\Application Data\Grisoft
2008-07-26 05:01 --------- d-----w C:\Program Files\Common Files\Real
2008-07-13 19:43 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\SYSTEM32\mswsock.dll
2008-06-20 17:41 245,248 ------w C:\WINDOWS\SYSTEM32\dllcache\mswsock.dll
2008-06-20 17:41 148,992 ----a-w C:\WINDOWS\SYSTEM32\dllcache\dnsapi.dll
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\SYSTEM32\dllcache\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 10:44 138,368 ------w C:\WINDOWS\SYSTEM32\dllcache\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\SYSTEM32\dllcache\tcpip6.sys
2008-06-13 13:10 272,128 ------w C:\WINDOWS\system32\drivers\bthport.sys
2001-07-22 02:45 94,784 --sh--w C:\WINDOWS\twain.dll
2004-08-04 07:56 50,688 --sh--w C:\WINDOWS\twain_32.dll
2004-08-04 07:56 1,028,096 --sh--w C:\WINDOWS\SYSTEM32\mfc42.dll
2004-08-04 07:56 54,784 --sha-w C:\WINDOWS\SYSTEM32\msvcirt.dll
2004-08-04 07:56 413,696 --sha-w C:\WINDOWS\SYSTEM32\msvcp60.dll
2004-08-04 07:56 343,040 --sha-w C:\WINDOWS\SYSTEM32\msvcrt.dll
2007-12-04 18:38 550,912 --sh--w C:\WINDOWS\SYSTEM32\oleaut32.dll
2004-08-04 07:56 83,456 --sh--w C:\WINDOWS\SYSTEM32\olepro32.dll
2004-08-04 07:56 11,776 --sh--w C:\WINDOWS\SYSTEM32\regsvr32.exe
.

((((((((((((((((((((((((((((( snapshot@2008-08-07_11.45.57.46 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-03-25 02:32:44 218,496 ----a-r C:\WINDOWS\SYSTEM32\Macromed\Flash\FlashUtil9f.exe
- 2007-12-20 23:23:22 74,649 ----a-w C:\WINDOWS\SYSTEM32\Macromed\Flash\uninstall_activeX.exe
+ 2008-08-07 19:34:25 74,649 ----a-w C:\WINDOWS\SYSTEM32\Macromed\Flash\uninstall_activeX.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-05-28 10:33 1506544]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 09:04 52736]
"KBD"="C:\HP\KBD\KBD.EXE" [2001-07-06 14:56 61440]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2001-06-15 15:34 212992]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2001-08-07 17:25 143360]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2001-08-07 16:36 90112]
"PS2"="C:\WINDOWS\system32\ps2.exe" [2001-07-03 14:13 81920]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-08-04 00:18 1232152]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"SpecifyDefaultButtons"= 0 (0x0)
"Btn_Search"= 0 (0x0)
"NoBandCustomize"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 10:13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"C:\\WINDOWS\\system32\\sessmgr.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-08-04 00:19]
R2 avg8emc;AVG Free8 E-mail Scanner;C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-08-04 00:18]
R2 avg8wd;AVG Free8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-08-04 00:18]
R2 AvgTdiX;AVG Free8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [2008-08-04 00:19]
R2 NwSapAgent;SAP Agent;C:\WINDOWS\System32\svchost.exe [2004-08-04 00:56]
.
Contents of the 'Scheduled Tasks' folder
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-09 17:38:44
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\SYSTEM32\fxssvc.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
.
**************************************************************************
.
Completion time: 2008-08-09 17:47:34 - machine was rebooted
ComboFix-quarantined-files.txt 2008-08-10 00:46:56
ComboFix2.txt 2008-08-07 18:47:53

Pre-Run: 27,094,630,400 bytes free
Post-Run: 27,094,138,880 bytes free

141 --- E O F --- 2008-08-06 10:07:20


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:56:20 PM, on 8/9/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\fxssvc.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\explorer.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wwe.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...81/mcinsctl.cab
O16 - DPF: {B030900C-746A-47BF-8B1D-EA3FB3395563} (CoxFastConnect20 Control) - https://fastconnect.cox.net/cd20/CoxFastConnect20.ocx
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/m...,19/mcgdmgr.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

--
End of file - 4450 bytes

Hi,

Combofix already took care of this as well


* Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wwe.com/ <== checking this will restore the startpage to the default startpage (msn), but you can change that afterwards again. As long as you don't set it to wwe.com again since this site appears to be vulnerable currently. I didn't check it yet if it has been resolved.
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)

* Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer is closed when you click Fix Checked!

Then, * Go to start > run and copy and paste next command in the field:

ComboFix /u

Make sure there's a space between Combofix and /
Then hit enter.

This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and resets System Restore again.

Let me know in your next reply how things are now.

Lookin' Great! Thanks!

Ran HijackThis then uninstalled combo fix. Still have one desktop icon "VirusRemover2008" but the path for it at C:\Program Files\VirusRemover2008\VRM2008.exe is gone. I should be able to just delete the icon.

Is there a source I can check to verify when the site vulnerability for WWE.com has been resolved? The computer owner's primary use of the computer revolves around this web site (the only other thing I have to do is keep his brother off the computer -- he visits the xxx sites where half my problems arise).

I have a whole lotta questions but I know this isn't the forum. I have looked through the tutorials and would like to learn more about detailed spyware removal. Can you point me to a starting point?

Take care, your help has been much appreciated.

Hi;

Yes, delete that icon.

I see wwe.com is OK now.

Whoever the computer owner is, make sure he reads my Prevention page with lots of info and tips how to prevent this in the future.
And if you want to improve speed/system performance after malware removal, take a look here.
Extra note: Make sure your programs are up to date - because older versions may contain Security Leaks. To find out what programs need to be updated, please run the Secunia Software Inspector Scan.

To learn more about a detailed malware removal, you can ask the forum admin (Grinler) if there's still a place in the training school here.
If not, then register at Spywareinfo and post in thread to get access to the bootcamp there. I'm active there as well. :-)

Happy Surfing again!

One last thank you and I will definitely check out the references you posted for me.

See Y'all next time

You're most welcome

Since this issue appears resolved ... this Topic is closed.
If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.