
Author Topic: New rogue/antivirus infection - Please help  (Read 15409 times)


justbeck

    Topic Starter


    Rookie

    New rogue/antivirus infection - Please help
    « on: March 16, 2010, 01:05:53 PM »
    Hi, I've got a serious issue with my system. Somehow some Trojan/rogue has affected my system. It keeps flashing virus alerts at me, and whenever I try to run any program it says "Application cannot be executed. The file **** is infected......." (not even a command prompt, Notepad, Task Manager etc. can be opened... but with multiple tries, sometimes I get the command prompt, but it is ridiculous).


    Also, I've read previous topics and threads about this same issue and I tried to follow the instructions given, but I've hit a wall when it comes to installing the anti-virus and scan software that were suggested. However, I was able to successfully install and run Malwarebytes' Anti-Malware several times. The first time I ran it, I was able to remove three infections, but since then I haven't found anything.



    Keep in mind that I am highly noobish when it comes to certain instructions, so please go into detail about what I should do.

    PLEASE HELP!

    justbeck

      Topic Starter


      Rookie

      Forgot to list a few more details
      « Reply #1 on: March 16, 2010, 01:10:03 PM »
      I have run Malwarebytes' Anti-Malware & Rkill successfully several times.
      I also have HijackThis, SUPERAntiSpyware, and Spyware Doctor, but I was unable to fully install them due to the Trojan closing them before I could install them.

      I am running Windows XP, and Firefox is my primary internet program.

      justbeck

        Topic Starter


        Rookie

        Re: New rogue/antivirus infection - Please help
        « Reply #2 on: March 16, 2010, 10:49:14 PM »
        I'm only able to run those listed programs when I restart my PC, and even then I have to have them open and running within seconds or they will get closed. I have yet to actually be able to run ComboFix, because it takes too many milliseconds to get running.

        mario21lv



          Rookie

          Thanked: 4
          Re: New rogue/antivirus infection - Please help
          « Reply #3 on: March 16, 2010, 11:09:35 PM »
          Sup, boot into Safe Mode (F8). To get into Safe Mode, press F8 a lot of times after you see the computer logo. Then go to Safe Mode with Networking. Once in Safe Mode, run EDITED. Please do not advise a person to run this program. This is not a toy.
          « Last Edit: March 17, 2010, 01:11:45 PM by SuperDave »

          SuperDave

          • Malware Removal Specialist
          • Moderator


          • Genius
          • Thanked: 1020
          • Certifications: List
          • Experience: Expert
          • OS: Windows 10
          Re: New rogue/antivirus infection - Please help
          « Reply #4 on: March 17, 2010, 01:14:01 PM »
          Hello and welcome to Computer Hope Forum. My name is Dave. I will be helping you out with your particular problem on your computer. I am working under the guidance of one of the specialists of this forum, so it may take a bit longer to process your logs.

          1. I will be working on your Malware issues. This may or may not solve other issues you have with your machine.
          2. The fixes are specific to your problem and should only be used for this issue on this machine.
          3. If you don't know or understand something, please don't hesitate to ask.
          4. Please DO NOT run any other tools or scans while I am helping you.
          5. It is important that you reply to this thread. Do not start a new topic.
          6. Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
          7. Absence of symptoms does not mean that everything is clear.

          Go to this link to create a Rescue CD or to this site to create a Rescue USB. Carefully follow all the instructions for whichever method you choose.

          See if you can run SAS, MBAM and HJT after this.
          Windows 8 and Windows 10 dual boot with two SSD's

          mario21lv



            Rookie

            Thanked: 4
            Re: New rogue/antivirus infection - Please help
            « Reply #5 on: March 17, 2010, 10:08:01 PM »
            sorry about that SuperDave......

            justbeck

              Topic Starter


              Rookie

              Re: New rogue/antivirus infection - Please help
              « Reply #6 on: March 17, 2010, 10:20:52 PM »
              Hey, sorry for the delay of my response!

              I had just run ComboFix when I turned my PC back on, and it says that it corrected several infections, and I haven't gotten a single pop-up or seen any symptoms of the rogue that I had become so familiar with in these last days. Should I still go through with your directions of the Rescue CD/USB?
              « Last Edit: March 18, 2010, 07:48:27 PM by SuperDave »

              mario21lv



                Rookie

                Thanked: 4
                Re: New rogue/antivirus infection - Please help
                « Reply #7 on: March 18, 2010, 12:27:33 AM »
                I would still go through with his advice. I got my way and he's got his way, but he's one of the big guys on the forum and I'm just a member. Glad to hear those things are gone though.

                SuperDave

                • Malware Removal Specialist
                • Moderator


                • Genius
                • Thanked: 1020
                • Certifications: List
                • Experience: Expert
                • OS: Windows 10
                Re: New rogue/antivirus infection - Please help
                « Reply #8 on: March 18, 2010, 07:48:48 PM »
                If you can download and run the SAS, MBAM and HJT and get me some logs don't bother with the rescue disk.
                Windows 8 and Windows 10 dual boot with two SSD's

                justbeck

                  Topic Starter


                  Rookie

                  Re: New rogue/antivirus infection - Please help
                  « Reply #9 on: March 21, 2010, 10:54:41 PM »
                  Here are the completed logs I've done so far!



                  ComboFix 10-03-20.01 - Compaq_Owner 03/20/2010  22:51:31.2.1 - x86
                  Microsoft Windows XP Home Edition  5.1.2600.2.1252.1.1033.18.447.184 [GMT -4:00]
                  Running from: c:\documents and settings\Compaq_Owner\Desktop\ComboFix.exe
                  .

                  (((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
                  .

                  c:\docume~1\COMPAQ~1\LOCALS~1\Temp\IadHide5.dll
                  c:\documents and settings\Compaq_Owner\Local Settings\Application Data\ave.exe
                  c:\documents and settings\Compaq_Owner\Local Settings\temp\IadHide5.dll

                  .
                  (((((((((((((((((((((((((   Files Created from 2010-02-21 to 2010-03-21  )))))))))))))))))))))))))))))))
                  .

                  2010-03-16 19:09 . 2010-03-16 19:09   --------   d-----w-   C:\8d213983b851922cc
                  2010-03-16 18:53 . 2010-03-16 18:53   --------   d-----w-   C:\adad871fd64396d7d4a1a67d8a8baac9
                  2010-03-16 18:53 . 2010-03-16 18:53   --------   d-----w-   C:\44e88e89d0ebf39
                  2010-03-16 18:53 . 2010-03-16 18:53   --------   d-----w-   C:\21ee9e2511f33aa91
                  2010-03-16 18:53 . 2010-03-16 18:53   --------   d-----w-   C:\97cb9
                  2010-03-16 18:53 . 2010-03-16 18:53   --------   d-----w-   C:\7d9ed
                  2010-03-16 18:53 . 2010-03-16 18:53   --------   d-----w-   C:\f9a1eeaf6fd564a0bf99f3482ab8ae1e
                  2010-03-16 18:52 . 2010-03-16 18:52   --------   d-----w-   C:\da74a0117a4388da33d34d4d6b40c90
                  2010-03-16 18:52 . 2010-03-16 18:52   --------   d-----w-   C:\fa37cc519b9fb5172d30cf21d
                  2010-03-16 18:49 . 2010-03-16 18:49   --------   d-----w-   c:\program files\Trend Micro
                  2010-03-16 18:07 . 2010-03-16 18:07   --------   d-----w-   c:\documents and settings\Administrator\Application Data\Malwarebytes
                  2010-03-16 18:04 . 2010-03-16 18:04   --------   d-----w-   c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
                  2010-03-16 17:03 . 2010-02-05 13:17   233136   ----a-w-   c:\windows\system32\drivers\pctgntdi.sys
                  2010-03-16 17:03 . 2009-09-23 20:10   207280   ----a-w-   c:\windows\system32\drivers\PCTCore.sys
                  2010-03-16 17:03 . 2009-10-06 20:31   87784   ----a-w-   c:\windows\system32\drivers\PCTAppEvent.sys
                  2010-03-16 17:03 . 2010-02-05 13:25   70408   ----a-w-   c:\windows\system32\drivers\pctplsg.sys
                  2010-03-16 17:03 . 2010-03-16 18:39   --------   d-----w-   c:\program files\Spyware Doctor
                  2010-03-16 17:03 . 2010-03-16 17:03   --------   d-----w-   c:\program files\Common Files\PC Tools
                  2010-03-16 17:03 . 2010-03-16 17:03   --------   d-----w-   c:\documents and settings\Compaq_Owner\Application Data\PC Tools
                  2010-03-16 17:03 . 2010-03-16 17:03   --------   d-----w-   c:\documents and settings\All Users\Application Data\PC Tools
                  2010-03-16 17:03 . 2010-03-16 18:39   --------   d---a-w-   c:\documents and settings\All Users\Application Data\TEMP
                  2010-03-16 16:34 . 2010-03-16 16:34   --------   d-----w-   c:\program files\Common Files\Wise Installation Wizard
                  2010-03-16 16:26 . 2010-03-16 16:26   --------   d-----w-   c:\documents and settings\Compaq_Owner\Application Data\Malwarebytes
                  2010-03-16 16:25 . 2009-12-30 18:55   38224   ----a-w-   c:\windows\system32\drivers\mbamswissarmy.sys
                  2010-03-16 16:25 . 2010-03-16 16:25   --------   d-----w-   c:\documents and settings\All Users\Application Data\Malwarebytes
                  2010-03-16 16:25 . 2010-03-16 16:26   --------   d-----w-   c:\program files\Malwarebytes' Anti-Malware
                  2010-03-16 16:25 . 2009-12-30 18:54   19160   ----a-w-   c:\windows\system32\drivers\mbam.sys
                  2010-03-16 16:16 . 2010-03-16 16:16   202752   --sha-w-   c:\documents and settings\Compaq_Owner\Local Settings\Application Data\1732168344.dll
                  2010-03-16 02:31 . 2010-03-16 02:31   552   ----a-w-   c:\windows\system32\d3d8caps.dat
                  2010-03-16 02:31 . 2010-03-16 18:36   1324   ----a-w-   c:\windows\system32\d3d9caps.dat
                  2010-03-16 02:30 . 2010-03-16 02:31   --------   d-----w-   c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
                  2010-03-15 07:27 . 2010-03-15 07:27   --------   d--h--w-   c:\windows\PIF
                  2010-03-09 03:51 . 2010-03-09 03:51   --------   d-----w-   C:\7468ab8a25277b18b2ce12c422
                  2010-02-21 09:11 . 2010-02-21 09:11   152576   ----a-w-   c:\documents and settings\Compaq_Owner\Application Data\Sun\Java\jre1.6.0_17\lzma.dll

                  .
                  ((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
                  .
                  2010-03-16 16:37 . 2009-12-15 03:55   --------   d-----w-   c:\documents and settings\Compaq_Owner\Application Data\BitTorrent
                  2010-02-23 04:58 . 2009-06-17 00:04   --------   d-----w-   c:\program files\AIMTunes
                  2010-02-21 09:12 . 2004-08-09 06:12   --------   d-----w-   c:\program files\Java
                  2010-02-21 09:11 . 2009-11-25 18:17   79488   ----a-w-   c:\documents and settings\Compaq_Owner\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
                  2010-02-21 04:26 . 2008-09-05 01:23   --------   d-----w-   c:\documents and settings\Compaq_Owner\Application Data\Apple Computer
                  2010-02-18 19:48 . 2010-02-18 19:47   --------   d-----w-   c:\program files\iTunes
                  2010-02-18 19:47 . 2010-02-18 19:47   --------   d-----w-   c:\program files\iPod
                  2010-02-18 19:47 . 2009-03-11 22:52   --------   d-----w-   c:\program files\Common Files\Apple
                  2010-02-18 19:42 . 2010-02-18 19:42   72488   ----a-w-   c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.3.15\SetupAdmin.exe
                  2010-02-03 04:43 . 2009-11-11 16:22   --------   d-----w-   c:\program files\World of Warcraft
                  2010-02-03 04:41 . 2009-11-21 20:29   --------   d-----w-   c:\program files\World of Warcraft Public Test
                  2010-01-28 06:47 . 2008-12-15 20:38   64624   ----a-w-   c:\documents and settings\Compaq_Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
                  2010-01-05 10:00 . 2004-08-09 04:28   832512   ------w-   c:\windows\system32\wininet.dll
                  2010-01-05 10:00 . 2004-08-09 04:28   78336   ----a-w-   c:\windows\system32\ieencode.dll
                  2010-01-05 10:00 . 2004-08-09 04:28   17408   ----a-w-   c:\windows\system32\corpol.dll
                  2010-01-04 21:09 . 2009-09-17 22:17   8892928   -c--a-w-   c:\documents and settings\All Users\Application Data\atscie.msi
                  2009-12-31 16:14 . 2004-08-09 04:28   352640   ----a-w-   c:\windows\system32\drivers\srv.sys
                  .

                  (((((((((((((((((((((((((((((   SnapShot@2010-03-18_03.49.30   )))))))))))))))))))))))))))))))))))))))))
                  .
                  + 2010-03-21 02:57 . 2010-03-21 02:57   16384              c:\windows\Temp\Perflib_Perfdata_ac.dat
                  + 2004-08-09 04:28 . 2010-03-18 03:52   54280              c:\windows\system32\perfc009.dat
                  - 2004-08-09 04:28 . 2010-03-15 03:07   54280              c:\windows\system32\perfc009.dat
                  + 2004-08-09 04:28 . 2010-03-18 03:52   384596              c:\windows\system32\perfh009.dat
                  - 2004-08-09 04:28 . 2010-03-15 03:07   384596              c:\windows\system32\perfh009.dat
                  .
                  (((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
                  .
                  .
                  *Note* empty entries & legit default entries are not shown
                  REGEDIT4

                  [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
                  "Aim6"="c:\program files\AIM6\aim6.exe" [2009-05-19 49968]

                  [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
                  "hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736]
                  "KBD"="c:\hp\KBD\KBD.EXE" [2003-02-12 61440]
                  "Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2004-04-15 233472]
                  "VTTimer"="VTTimer.exe" [2004-10-22 53248]
                  "PS2"="c:\windows\system32\ps2.exe" [2003-09-13 98304]
                  "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-11 417792]
                  "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-01-23 141608]

                  c:\documents and settings\All Users\Start Menu\Programs\Startup\
                  Compaq Connections.lnk - c:\program files\Compaq Connections\6750491\Program\Compaq Connections.exe [2004-8-9 16423]
                  Push Client.LNK - c:\program files\Interwise\Participant\pull.exe [2009-9-15 886000]

                  [HKEY_LOCAL_MACHINE\software\microsoft\security center]
                  "AntiVirusOverride"=dword:00000001
                  "FirewallOverride"=dword:00000001

                  [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
                  "EnableFirewall"= 0 (0x0)
                  "DisableNotifications"= 1 (0x1)

                  [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
                  "%windir%\\system32\\sessmgr.exe"=
                  "c:\\Program Files\\Compaq Connections\\6750491\\Program\\Compaq Connections.exe"=
                  "c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
                  "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
                  "c:\\Program Files\\LimeWire\\LimeWire.exe"=
                  "c:\\Program Files\\AIM6\\aim6.exe"=
                  "c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
                  "c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
                  "c:\\Program Files\\World of Warcraft\\Launcher.exe"=
                  "c:\\Program Files\\World of Warcraft\\WoW-3.1.3.9947-to-3.2.0.10192-enUS-downloader.exe"=
                  "c:\\Program Files\\World of Warcraft\\WoW-3.2.0.10192-to-3.2.0.10314-enUS-downloader.exe"=
                  "c:\\Program Files\\World of Warcraft\\WoW-3.2.0.10314-to-3.2.2.10482-enUS-downloader.exe"=
                  "c:\\Program Files\\World of Warcraft\\WoW-3.2.2.10482-to-3.2.2.10505-enUS-downloader.exe"=
                  "c:\\Program Files\\World of Warcraft Public Test\\WoW-0.3.0.10522-enUS-ptr-downloader.exe"=
                  "c:\\Program Files\\World of Warcraft Public Test\\WoW-0.3.0.10522-to-0.3.0.10554-enUS-ptr-downloader.exe"=
                  "c:\\Program Files\\World of Warcraft Public Test\\Launcher.exe"=
                  "c:\\Program Files\\World of Warcraft Public Test\\WoW-0.3.0.10554-to-0.3.0.10571-enUS-ptr-downloader.exe"=
                  "c:\\Program Files\\World of Warcraft Public Test\\WoW-0.3.0.10571-to-0.3.0.10596-enUS-ptr-downloader.exe"=
                  "c:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe"=
                  "c:\\Program Files\\BitTorrent\\bittorrent.exe"=
                  "c:\\Program Files\\iTunes\\iTunes.exe"=

                  [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
                  "58964:TCP"= 58964:TCP:Pando Media Booster
                  "58964:UDP"= 58964:UDP:Pando Media Booster
                  "3724:TCP"= 3724:TCP:Blizzard Downloader: 3724

                  R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [3/16/2010 1:03 PM 207280]
                  R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [1/19/2009 2:00 PM 24652]
                  S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [3/16/2010 12:25 PM 38224]
                  .
                  Contents of the 'Scheduled Tasks' folder

                  2010-03-16 c:\windows\Tasks\AppleSoftwareUpdate.job
                  - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

                  2007-09-04 c:\windows\Tasks\Symantec NetDetect.job
                  - c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2004-08-10 08:38]
                  .
                  .
                  ------- Supplementary Scan -------
                  .
                  uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q404&bd=presario&pf=desktop
                  uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q404&bd=presario&pf=desktop
                  mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q404&bd=presario&pf=desktop
                  uInternet Settings,ProxyServer = http=127.0.0.1:5555
                  uInternet Settings,ProxyOverride = <local>
                  IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
                  FF - ProfilePath - c:\documents and settings\Compaq_Owner\Application Data\Mozilla\Firefox\Profiles\fte4u602.default\
                  FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
                  FF - plugin: c:\documents and settings\All Users\Application Data\NexonUS\NGM\npNxGameUS.dll
                  FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll
                  FF - plugin: c:\program files\Mozilla Firefox\plugins\npPandoWebInst.dll
                  FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll

                  ---- FIREFOX POLICIES ----
                  c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
                  c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
                  c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
                  c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut. enabled", true);
                  c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
                  c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency",   1600);
                  c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
                  c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
                  c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
                  c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug",            false);
                  c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight",       2);
                  c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize",       1);
                  c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
                  c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
                  c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight",   25);
                  c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight",     5);
                  c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
                  c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
                  c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
                  c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
                  c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
                  c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
                  c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
                  c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
                  c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
                  c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
                  c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugi n", false);
                  c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
                  c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
                  c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
                  c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
                  c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
                  .
                  - - - - ORPHANS REMOVED - - - -

                  AddRemove-AVS Update Manager_is1 - c:\program files\AVS4YOU\AVSUpdateManager\unins000.exe
                  AddRemove-AVS4YOU Software Navigator_is1 - c:\program files\AVS4YOU\AVSSoftwareNavigator\unins000.exe
                  AddRemove-AVS4YOU Video Converter 6_is1 - c:\program files\AVS4YOU\AVSVideoConverter6\unins000.exe
                  AddRemove-Burn4Free - c:\program files\Burn4Free\uninstall.exe



                  **************************************************************************

                  catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
                  Rootkit scan 2010-03-20 22:57
                  Windows 5.1.2600 Service Pack 2 NTFS

                  scanning hidden processes ... 

                  scanning hidden autostart entries ...

                  scanning hidden files ... 

                  scan completed successfully
                  hidden files: 0

                  **************************************************************************
                  .
                  --------------------- DLLs Loaded Under Running Processes ---------------------

                  - - - - - - - > 'explorer.exe'(3472)
                  c:\windows\system32\WININET.dll
                  c:\windows\system32\ieframe.dll
                  c:\windows\system32\WPDShServiceObj.dll
                  c:\windows\system32\PortableDeviceTypes.dll
                  c:\windows\system32\PortableDeviceApi.dll
                  .
                  ------------------------ Other Running Processes ------------------------
                  .
                  c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
                  c:\program files\Bonjour\mDNSResponder.exe
                  c:\program files\Java\jre6\bin\jqs.exe
                  c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
                  c:\windows\system32\VTTimer.exe
                  c:\program files\iPod\bin\iPodService.exe
                  .
                  **************************************************************************
                  .
                  Completion time: 2010-03-20  23:01:25 - machine was rebooted
                  ComboFix-quarantined-files.txt  2010-03-21 03:01
                  ComboFix2.txt  2010-03-18 03:53

                  Pre-Run: 71,883,866,112 bytes free
                  Post-Run: 71,854,149,632 bytes free

                  - - End Of File - - 48CF55404A7D2ED52DA89BC54DEDE860
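The ComboFix log above carries several indicators a helper looks for on sight: a browser proxy pointed at 127.0.0.1:5555, the Security Center AntiVirusOverride/FirewallOverride values set, the Windows Firewall disabled, and a hidden+system DLL dropped under the user's profile. As an added example, not part of the thread and not ComboFix's own logic, the Python script below scans lines in this log format for those indicators; the severity labels and the user-profile path heuristic are assumptions, and the sample lines are copied from the log above.

```python
# Added example for this thread, not ComboFix's own logic: scan ComboFix-style
# log lines for the rogue-antivirus indicators visible in the log posted above.
# Severity labels and the user-profile path heuristic are assumptions.
import re
from dataclasses import dataclass

# Constructed sample: lines copied from the ComboFix log in the post above.
SAMPLE_LOG = r"""
2010-03-16 16:16 . 2010-03-16 16:16   202752   --sha-w-   c:\documents and settings\Compaq_Owner\Local Settings\Application Data\1732168344.dll
2010-03-16 16:25 . 2009-12-30 18:55   38224   ----a-w-   c:\windows\system32\drivers\mbamswissarmy.sys
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
"EnableFirewall"= 0 (0x0)
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
"""

# "Files Created" / "Find3M" entries: created . modified  size  attrs  path
FILE_LINE = re.compile(
    r"^\d{4}-\d\d-\d\d \d\d:\d\d \. \d{4}-\d\d-\d\d \d\d:\d\d\s+"
    r"(?P<size>\S+)\s+(?P<attrs>[-a-z]{8})\s+(?P<path>.+)$"
)
PROXY_LINE = re.compile(r"ProxyServer\s*=\s*(?P<value>\S+)", re.IGNORECASE)
OVERRIDE_LINE = re.compile(
    r'^"(?P<key>AntiVirusOverride|FirewallOverride)"=dword:(?P<val>[0-9a-fA-F]{8})$'
)
FIREWALL_LINE = re.compile(r'^"EnableFirewall"=\s*(?P<val>\d+)')
# Assumed markers for "inside a user profile" (XP and Vista+ layouts).
USER_PROFILE_MARKERS = ("\\documents and settings\\", "\\users\\")


@dataclass(frozen=True)
class Finding:
    severity: str  # "high", "medium" or "low"
    rule: str
    line: str


def check_file_line(line: str):
    """Flag a hidden+system executable dropped under a user profile."""
    m = FILE_LINE.match(line)
    if not m:
        return None
    attrs, path = m.group("attrs"), m.group("path").lower()
    in_profile = any(marker in path for marker in USER_PROFILE_MARKERS)
    if "s" in attrs and "h" in attrs and in_profile and path.endswith((".dll", ".exe", ".sys")):
        return Finding("high", "hidden+system executable in user profile", line)
    return None


def check_proxy_line(line: str):
    """A browser proxy on the local machine lets malware sit between browser and web."""
    m = PROXY_LINE.search(line)
    if not m:
        return None
    value = m.group("value").lower()
    if "127.0.0.1" in value or "localhost" in value:
        return Finding("high", "browser proxy points at the local machine", line)
    return Finding("low", "explicit browser proxy configured", line)


def check_override_line(line: str):
    """Security Center overrides silence the 'no antivirus/firewall' warnings."""
    m = OVERRIDE_LINE.match(line)
    if m and int(m.group("val"), 16) == 1:
        return Finding("medium", f"Security Center {m.group('key')} set", line)
    return None


def check_firewall_line(line: str):
    """Windows Firewall switched off in the standard profile."""
    m = FIREWALL_LINE.match(line)
    if m and m.group("val") == "0":
        return Finding("medium", "Windows Firewall disabled", line)
    return None


CHECKS = (check_file_line, check_proxy_line, check_override_line, check_firewall_line)


def triage(log_text: str) -> list:
    """Run the checks over every non-empty line; the first matching rule wins."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        for check in CHECKS:
            finding = check(line)
            if finding:
                findings.append(finding)
                break
    return findings


def summarize(findings) -> dict:
    """Count findings per severity so the overall picture is visible at a glance."""
    counts = {"high": 0, "medium": 0, "low": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity}] {f.rule}: {f.line}")
```

Run against the sample it reports two high and three medium findings; the mbamswissarmy.sys driver line and the ProxyOverride line are correctly left alone.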

                  justbeck

                    Topic Starter


                    Rookie

                    Re: New rogue/antivirus infection - Please help
                    « Reply #10 on: March 21, 2010, 10:55:10 PM »
                    Logfile of Trend Micro HijackThis v2.0.2
                    Scan saved at 11:01:39 PM, on 3/20/2010
                    Platform: Windows XP SP2 (WinNT 5.01.2600)
                    MSIE: Internet Explorer v7.00 (7.00.6000.16981)
                    Boot mode: Normal

                    Running processes:
                    C:\WINDOWS\System32\smss.exe
                    C:\WINDOWS\system32\winlogon.exe
                    C:\WINDOWS\system32\services.exe
                    C:\WINDOWS\system32\lsass.exe
                    C:\WINDOWS\system32\svchost.exe
                    C:\WINDOWS\System32\svchost.exe
                    C:\WINDOWS\system32\spoolsv.exe
                    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
                    C:\Program Files\Bonjour\mDNSResponder.exe
                    C:\Program Files\Java\jre6\bin\jqs.exe
                    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
                    C:\WINDOWS\system32\svchost.exe
                    C:\Program Files\Viewpoint\Common\ViewpointService.exe
                    C:\WINDOWS\system32\wuauclt.exe
                    C:\windows\system\hpsysdrv.exe
                    C:\HP\KBD\KBD.EXE
                    C:\WINDOWS\system32\VTTimer.exe
                    C:\Program Files\iTunes\iTunesHelper.exe
                    C:\Program Files\Compaq Connections\6750491\Program\Compaq Connections.exe
                    C:\Program Files\iPod\bin\iPodService.exe
                    C:\WINDOWS\System32\svchost.exe
                    C:\WINDOWS\system32\wuauclt.exe
                    C:\WINDOWS\explorer.exe
                    C:\WINDOWS\system32\notepad.exe
                    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
                    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

                    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q404&bd=presario&pf=desktop
                    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q404&bd=presario&pf=desktop
                    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
                    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
                    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q404&bd=presario&pf=desktop
                    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
                    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
                    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555
                    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
                    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
                    O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
                    O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
                    O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
                    O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
                    O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
                    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
                    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
                    O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
                    O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\6750491\Program\Compaq Connections.exe
                    O4 - Global Startup: Push Client.LNK = C:\Program Files\Interwise\Participant\pull.exe
                    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
                    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
                    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
                    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
                    O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} -
                    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
                    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
                    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
                    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
                    O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
                    O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

                    --
                    End of file - 4617 bytes

                    justbeck


                      Re: New rogue/antivirus infection - Please help
                      « Reply #11 on: March 21, 2010, 10:55:41 PM »
                      Malwarebytes' Anti-Malware 1.44
                      Database version: 3889
                      Windows 5.1.2600 Service Pack 2
                      Internet Explorer 7.0.5730.13

                      3/20/2010 11:19:32 PM
                      mbam-log-2010-03-20 (23-19-32).txt

                      Scan type: Quick Scan
                      Objects scanned: 130454
                      Time elapsed: 4 minute(s), 10 second(s)

                      Memory Processes Infected: 0
                      Memory Modules Infected: 0
                      Registry Keys Infected: 0
                      Registry Values Infected: 0
                      Registry Data Items Infected: 0
                      Folders Infected: 0
                      Files Infected: 0

                      Memory Processes Infected:
                      (No malicious items detected)

                      Memory Modules Infected:
                      (No malicious items detected)

                      Registry Keys Infected:
                      (No malicious items detected)

                      Registry Values Infected:
                      (No malicious items detected)

                      Registry Data Items Infected:
                      (No malicious items detected)

                      Folders Infected:
                      (No malicious items detected)

                      Files Infected:
                      (No malicious items detected)

                      SuperDave

                      • Malware Removal Specialist
                      • Moderator


                      • Genius
                      • Thanked: 1020
                      • Certifications: List
                      • Experience: Expert
                      • OS: Windows 10
                      Re: New rogue/antivirus infection - Please help
                      « Reply #12 on: March 22, 2010, 12:26:28 PM »
                      Looking over your log it seems you don't have any Anti-Virus software.

Before we continue, download and install a free antivirus.

                      Remember to only install one Anti-Virus!
                      I, personally, prefer MSE.
                       
                      1) Avast! Home Edition
                      2) AVG Free Edition
                      3) Avira AntiVir Personal
                      4) Microsoft Security Essentials for Windows Vista\Windows 7 - 64 bit Download
                      4-a) Microsoft Security Essentials for Windows XP
5) Comodo Antivirus (Uncheck during installation "Install Comodo SafeSurf..", "Make Comodo my default search provider" and "Make Comodo Search my homepage" if you choose this one)
                      6) PC Tools AntiVirus Free Edition

                      It is strongly recommended that you run only one antivirus program at a time. Having more than one antivirus program active in memory uses additional resources and can result in program conflicts and false virus alerts. If you choose to install more than one antivirus program on your computer, then only one of them should be active in memory at a time.

                      ==============================================
                      You have Viewpoint installed.

Viewpoint Media Player/Manager/Toolbar is considered Foistware instead of malware since it is installed without the user's approval but doesn't spy or do anything "bad".

                      More information:

                      * ViewMgr.exe - Useless
                      * Viewpoint to Plunge Into Adware

                      It is suggested to remove the program now. Go to Start > Control Panel > Add/Remove Programs - (Vista & Win7 is Programs and Features) and remove the following programs if present.

                      * Viewpoint
                      * Viewpoint Manager
                      * Viewpoint Media Player
                      * Viewpoint Toolbar
                      * Viewpoint Experience Technology


                      =================================
                      Download Disable/Remove Windows Messenger to the desktop to remove Windows Messenger.

                      Do not confuse Windows Messenger with MSN Messenger because they are not the same. Windows Messenger is a frequent cause of popups.

                      Unzip the file on the desktop. Open the MessengerDisable.exe and choose the bottom box - Uninstall Windows Messenger and click Apply.

                      Exit out of MessengerDisable then delete the two files that were put on the desktop.

                      =====================================
P2P - I see you have P2P software installed on your machine (BitTorrent & LimeWire). We are not here to pass judgment on file-sharing as a concept. However, we will warn you that engaging in this activity and having this kind of software installed on your machine will always make you more susceptible to re-infections. It is certainly contributing to your current situation.

                      Please note: Even if you are using a "safe" P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are often infected. The bad guys use P2P filesharing as a major conduit to spread their wares.

I would strongly recommend that you uninstall them; however, that choice is up to you. If you choose to remove these programs, you can do so via Control Panel >> Add or Remove Programs.

                      =====================================
                      Open HijackThis and select Do a system scan only

                      Place a check mark next to the following entries: (if there)

                      R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555

                      Important: Close all open windows except for HijackThis and then click Fix checked.

                      Once completed, exit HijackThis.
                      ====================================
Note: the below instructions were created specifically for this user. If you are not this user, DO NOT follow these directions, as they could damage the workings of your system.

                      Delete these files/folders, as follows:

                      1. Go to Start > Run > type Notepad.exe and click OK to open Notepad.
                      It must be Notepad, not Wordpad.
                      2. Copy the text in the below code box by highlighting all the text and pressing Ctrl+C

Code:
                      KillAll::

                      DDS::

                      uInternet Settings,ProxyServer = http=127.0.0.1:5555

                      File::

                      C:\8d213983b851922cc
                      C:\adad871fd64396d7d4a1a67d8a8baac9
                      C:\44e88e89d0ebf39
                      C:\21ee9e2511f33aa91
                      C:\97cb9
                      C:\7d9ed
                      C:\f9a1eeaf6fd564a0bf99f3482ab8ae1e
                      C:\da74a0117a4388da33d34d4d6b40c90
                      C:\fa37cc519b9fb5172d30cf21d
                      C:\7468ab8a25277b18b2ce12c422
                      c:\documents and settings\Compaq_Owner\Local Settings\Application Data\1732168344.dll


                      3. Go to the Notepad window and click Edit > Paste
                      4. Then click File > Save
                      5. Name the file CFScript.txt - Save the file to your Desktop
                      6. Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!



                      ComboFix will begin to execute, just follow the prompts.
                      After reboot (in case it asks to reboot), it will produce a log for you.
                      Post that log (Combofix.txt) in your next reply.

Note: Do not mouse-click ComboFix's window while it is running. That may cause your system to freeze.

                      Windows 8 and Windows 10 dual boot with two SSD's
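Reading the log above as a defender, the entry SuperDave asked to fix is a browser proxy pointed at 127.0.0.1:5555, the loopback hook a rogue uses to intercept web traffic and inject fake alerts. The following Python example is added here and is not from the thread or from HijackThis, Malwarebytes or ComboFix; it parses HijackThis R0/R1 ProxyServer lines and flags any proxy target on the loopback interface. The sample lines are constructed from the posted log plus a hypothetical internal proxy that must not be flagged.

```python
# Added example (not from the thread): flag HijackThis R0/R1 ProxyServer entries
# that send the browser through a loopback proxy, the pattern fixed in Reply #12.
import re
from ipaddress import ip_address

# "R1 - HKCU\...,ProxyServer = http=127.0.0.1:5555"
PROXY_RE = re.compile(r"^R[01] - (?P<hive>HK\w+)\\.*,ProxyServer = (?P<value>.+)$")
# Value is "host:port" or "scheme=host:port;scheme=host:port".
ENTRY_RE = re.compile(r"(?:(?P<scheme>\w+)=)?(?P<host>[^:;\s]+):(?P<port>\d+)")

def proxy_targets(value):
    """Return (scheme, host, port) tuples from a ProxyServer registry value."""
    return [(m.group("scheme") or "all", m.group("host"), int(m.group("port")))
            for m in ENTRY_RE.finditer(value)]

def is_loopback_host(host):
    """True for 'localhost', 127.0.0.0/8 and ::1."""
    if host.lower() == "localhost":
        return True
    try:
        return ip_address(host).is_loopback
    except ValueError:
        return False

def find_loopback_proxies(log_text):
    """Return one finding dict per loopback proxy target in R0/R1 lines."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = PROXY_RE.match(line)
        if not m:
            continue
        for scheme, host, port in proxy_targets(m.group("value")):
            if is_loopback_host(host):
                findings.append({"hive": m.group("hive"), "scheme": scheme,
                                 "host": host, "port": port, "line": line})
    return findings

# Constructed sample: the proxy line from the posted log, a benign R1 line and a
# hypothetical corporate proxy (proxy.example.internal) that must not be flagged.
SAMPLE_LOG = """\
R1 - HKLM\\Software\\Microsoft\\Internet Explorer\\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings,ProxyServer = http=127.0.0.1:5555
R1 - HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings,ProxyServer = proxy.example.internal:8080
"""

if __name__ == "__main__":
    for f in find_loopback_proxies(SAMPLE_LOG):
        print(f"suspicious {f['scheme']} proxy {f['host']}:{f['port']} in {f['hive']}")
```

A legitimate corporate or filtering proxy is usually a named host on the LAN, so a loopback target with no local proxy software you installed yourself is the thing to question.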

                      justbeck


                        Re: New rogue/antivirus infection - Please help
                        « Reply #13 on: March 23, 2010, 09:30:32 AM »
Okay, I've followed all of your instructions and did the following:

                        - installed Microsoft Security Essentials for Windows XP [I updated the program and scanned my computer, resulting in no issues]
- removed Viewpoint Media Player
                        - uninstalled Windows Messenger
                        - uninstalled LimeWire
                        - Fixed the entry that you directed me to
- and ran ComboFix with the Script

                        SuperDave

                        Re: New rogue/antivirus infection - Please help
                        « Reply #14 on: March 23, 2010, 09:48:00 AM »
Did you see a ComboFix log? It should be on your C drive under ComboFix. Please post it here.
                        Windows 8 and Windows 10 dual boot with two SSD's