
Author Topic: My 1st bad, (?) virus: I don't even know where to start on this. I'm stuck...  (Read 15628 times)


DennisT

    Topic Starter


    Beginner
    Finally, the Malware report.

    Dennis

    [recovering disk space - old attachment deleted by admin]

      DennisT
      Figured out how to bundle logs.

      Rkill:

      This log file is located at C:\rkill.log.
      Please post this only if requested to by the person helping you.
      Otherwise you can close this log when you wish.
      Ran as Dennis on 11/01/2010 at 16:37:32.


      Services Stopped:


      Processes terminated by Rkill or while it was running:


      D:\rkill.exe


      Rkill completed on 11/01/2010  at 16:37:42.

      SASW:

      SUPERAntiSpyware Scan Log
      http://www.superantispyware.com

      Generated 11/01/2010 at 11:58 AM

      Application Version : 4.45.1000

      Core Rules Database Version : 5767
      Trace Rules Database Version: 3579

      Scan type       : Complete Scan
      Total Scan Time : 02:19:35

      Memory items scanned      : 420
      Memory threats detected   : 0
      Registry items scanned    : 5972
      Registry threats detected : 0
      File items scanned        : 72252
      File threats detected     : 90

      Adware.Tracking Cookie

      Mal:

      Malwarebytes' Anti-Malware 1.46
      www.malwarebytes.org

      Database version: 5016

      Windows 5.1.2600 Service Pack 3
      Internet Explorer 7.0.5730.11

      11/1/2010 2:42:14 PM
      mbam-log-2010-11-01 (14-42-14).txt

      Scan type: Full scan (C:\|)
      Objects scanned: 205704
      Time elapsed: 1 hour(s), 37 minute(s), 51 second(s)

      Memory Processes Infected: 0
      Memory Modules Infected: 0
      Registry Keys Infected: 1
      Registry Values Infected: 0
      Registry Data Items Infected: 0
      Folders Infected: 0
      Files Infected: 0

      Memory Processes Infected:
      (No malicious items detected)

      Memory Modules Infected:
      (No malicious items detected)

      Registry Keys Infected:
      HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{549b5ca7-4a86-11d7-a4df-000874180bb3} (Trojan.Agent) -> Quarantined and deleted successfully.

      Registry Values Infected:
      (No malicious items detected)

      Registry Data Items Infected:
      (No malicious items detected)

      Folders Infected:
      (No malicious items detected)

      Files Infected:
      (No malicious items detected)


      CClean:

       Results of screen317's Security Check version 0.99.6 
       Windows XP Service Pack 3 
       Internet Explorer 7 Out of date!
      ``````````````````````````````
      Antivirus/Firewall Check:

       Windows Firewall Enabled! 
       AVG 2011     
      ```````````````````````````````
      Anti-malware/Other Utilities Check:

       Malwarebytes' Anti-Malware   
       Java 2 Runtime Environment, SE v1.4.2
      Adobe Reader 7.0.8
      Out of date Adobe Reader installed!
      ````````````````````````````````
      Process Check: 
      objlist.exe by Laurent

       AVG avgwdsvc.exe
       AVG avgtray.exe
       AVG avgrsx.exe
       AVG avgnsx.exe
       AVG avgemc.exe
      ````````````````````````````````
      DNS Vulnerability Check:

       POOR! (Vulnerable to DNS cache poisoning!!-- Consider OPENDNS)

      ``````````End of Log````````````


      SuperDave

      • Malware Removal Specialist


      • Genius
      • Thanked: 1020
      • Certifications: List
      • Experience: Expert
      • OS: Windows 10
      Can you now get on the internet? If you can, please run these scans.

      Please download: HiJackThis to your Desktop.
      • Double Click the HijackThis icon, located on your Desktop.
      • By Default, it will install to: C:\Program Files\Trend Micro\HijackThis
      • Accept the license agreement.
      • Click the Open the Misc Tools section button.
      • Place a checkmark beside Calculate MD5 of files if possible. Then, click Back.
      • Click Do a System Scan and Save a Logfile. Or, if you see a white screen, click Scan.
      • Please post the log in your next reply.
      **************************************
      Download Security Check by screen317 from one of the following links and save it to your desktop.

      Link 1
      Link 2

      * Unzip SecurityCheck.zip and a folder named Security Check should appear.
      * Open the Security Check folder and double-click Security Check.bat
      * Follow the on-screen instructions inside of the black box.
      * A Notepad document should open automatically called checkup.txt
      * Post the contents of that document in your next reply.

      Note: If a security program requests permission from dig.exe to access the Internet, allow it to do so.

      If you still can't access the Net, please run this and post the log. P.S. You can save money by using CD-RWs. They're re-writable.

      Please run Notepad (start > All Programs > Accessories >
      Notepad) and copy and paste the text in the code box into a new file:

      Code:
      @echo off
      >Log1.txt (
      ipconfig /all
      nslookup google.com
      nslookup yahoo.com
      ping -n 2 google.com
      ping -n 2 yahoo.com
      route print
      )
      start Log1.txt
      del %0

      •Go to the File menu at the top of the Notepad and select Save as.

      •Select save in: desktop

      •Fill in File name: test.bat

      •Save as type: All file types (*.*)

      •Click save.

      •Close the Notepad.

      •Locate and double-click test.bat on the desktop.

      •A Notepad window opens; copy and paste its contents (Log1.txt) into your reply.
      Windows 8 and Windows 10 dual boot with two SSD's

        DennisT
        Whew. I really appreciate your help, SuperDave. As clearly as you post instructions, I must admit I still struggle getting things lined up right. ( ! )

        Here we go:

        Ahhhhhhhhhhhh. This turned into a big mess for me. I can paste the two logs into Notepad. When I save as onto the desktop, the resulting icon is one I've never seen before. Something like a gear. All this was done on this, my desktop machine, as the laptop still cannot access the Net.

        If I click on the resulting "gear" icon, I get a black window with a lot of different stuff in it and the file name ends in "cmd.exe." It also seems to scroll quickly and exit.

        I have to leave for a while.  When I get back I'll begin all over again.

        Dennis


        SuperDave
        Quote
        I can paste the two logs into Notepad
        The logs are already created in Notepad. All you need to do is copy and paste them into your reply. If that doesn't work, just attach the logs to your reply.

          DennisT
          Here we go again:

          Logfile of Trend Micro HijackThis v2.0.2
          Scan saved at 7:23:05 AM, on 11/3/2010
          Platform: Windows XP SP3 (WinNT 5.01.2600)
          MSIE: Internet Explorer v7.00 (7.00.6000.17091)
          Boot mode: Normal

          Running processes:
          C:\WINDOWS\System32\smss.exe
          C:\PROGRA~1\AVG\AVG10\avgchsvx.exe
          C:\WINDOWS\system32\winlogon.exe
          C:\WINDOWS\system32\services.exe
          C:\WINDOWS\system32\lsass.exe
          C:\WINDOWS\system32\Ati2evxx.exe
          C:\WINDOWS\system32\svchost.exe
          C:\WINDOWS\System32\svchost.exe
          C:\WINDOWS\Explorer.EXE
          C:\WINDOWS\system32\spoolsv.exe
          C:\Program Files\AVG\AVG10\avgwdsvc.exe
          C:\WINDOWS\System32\gearsec.exe
          C:\WINDOWS\system32\HPConfig.exe
          C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
          C:\WINDOWS\System32\svchost.exe
          C:\WINDOWS\System32\MsPMSPSv.exe
          C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe
          C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
          C:\Program Files\iTunes\iTunesHelper.exe
          C:\Program Files\QuickTime\qttask.exe
          C:\Program Files\HPQ\One-Touch\OneTouch.EXE
          C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
          C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
          C:\WINDOWS\System32\hphmon05.exe
          C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
          C:\WINDOWS\system32\carpserv.exe
          C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
          C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
          C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb08.exe
          C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
          C:\Program Files\AVG\AVG10\avgtray.exe
          C:\Program Files\Messenger\msmsgs.exe
          C:\Program Files\Microsoft Location Finder\LocationFinder.exe
          C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
          C:\WINDOWS\system32\ctfmon.exe
          C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
          C:\Program Files\AVG\AVG10\avgnsx.exe
          C:\Program Files\AVG\AVG10\avgemcx.exe
          C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
          C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
          C:\Program Files\AVG\AVG10\Identity Protection\agent\bin\avgidsmonitor.exe
          C:\Program Files\iPod\bin\iPodService.exe
          C:\WINDOWS\system32\wuauclt.exe
          C:\PROGRA~1\AVG\AVG10\avgrsx.exe
          C:\Program Files\AVG\AVG10\avgcsrvx.exe
          C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

          R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ycomp_adbe/defaults/sb/*http://www.yahoo.com/search/ie.html
          R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
          R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
          R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
          R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
          R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
          R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
          R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
          R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
          R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://go.microsoft.com/fwlink/?LinkId=54843
          R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q304&bd=pavilion&pf=laptop
          R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:10293
          O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (filesize 63128 bytes, MD5 F17B2B264072B921FC66A0BE16626BAB)
          O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG10\avgssie.dll (filesize 2922848 bytes, MD5 4B36A4C4E8BC9A6E64147F7B2A20CB94)
          O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (filesize 1879896 bytes, MD5 022C2F6DCCDFA0AD73024D254E62AFAC)
          O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
          O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exeC:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
          O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exeC:\Program Files\iTunes\iTunesHelper.exe
          O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime (filesize 98304 bytes, MD5 9B4C1812595C389AB9CCF1FF3B315248)
          O4 - HKLM\..\Run: [TV Now] C:\Program Files\HPQ\Notebook Utilities\TvNow.exe /RK (filesize 282624 bytes, MD5 1CFC40FC03D3EC281C96B88245117FF7)
          O4 - HKLM\..\Run: [Display Settings] C:\Program Files\HPQ\Notebook Utilities\hptasks.exe /s (filesize 45056 bytes, MD5 291822FC9D05FBBEFB0EC008FE2213F3)
          O4 - HKLM\..\Run: [QT4HPOT] C:\Program Files\HPQ\One-Touch\OneTouch.EXEC:\Program Files\HPQ\One-Touch\OneTouch.EXE
          O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exeC:\Program Files\Synaptics\SynTP\SynTPLpr.exe
          O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exeC:\Program Files\Synaptics\SynTP\SynTPEnh.exe
          O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
          O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exeC:\WINDOWS\System32\hphmon05.exe
          O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe" (filesize 65536 bytes, MD5 364784A6F653DF81B76424A39DBA237B)
          O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe" (filesize 868352 bytes, MD5 6B7DA9DB5A15F762A7A56DF0006A531B)
          O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exeC:\Program Files\HPQ\Default Settings\cpqset.exe
          O4 - HKLM\..\Run: [CARPService] carpserv.exe (filesize 4608 bytes, MD5 EA3BE7F5CDEF0FE4DF1BF6DBFE7ABDE0)
          O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exeC:\Program Files\HP\HP Software Update\HPWuSchd2.exe
          O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" (filesize 241664 bytes, MD5 B75B654EE1DA99876461B24597AE3FF3)
          O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb08.exeC:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb08.exe
          O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exeC:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
          O4 - HKLM\..\Run: [AVG_TRAY] C:\Program Files\AVG\AVG10\avgtray.exeC:\Program Files\AVG\AVG10\avgtray.exe
          O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (filesize 1695232 bytes, MD5 3E930C641079443D4DE036167A69CAA2)
          O4 - HKCU\..\Run: [Microsoft Location Finder] "C:\Program Files\Microsoft Location Finder\LocationFinder.exe" (filesize 101080 bytes, MD5 7512EC7190DBEA84D34B5C21E7AFAD4C)
          O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exeC:\WINDOWS\system32\ctfmon.exe
          O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exeC:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
          O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE (filesize 111376 bytes, MD5 6C23E670AC7B272F74910EB9BEE5E414)
          O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe (filesize 29696 bytes, MD5 43362B96870CE8649F4F2EC893DA93F0)
          O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll (filesize 65636 bytes, MD5 4ACFBF6AB1BBE79DBD665C186B3B5AFD)
          O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll (filesize 65636 bytes, MD5 4ACFBF6AB1BBE79DBD665C186B3B5AFD)
          O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (filesize 1879896 bytes, MD5 022C2F6DCCDFA0AD73024D254E62AFAC)
          O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (filesize 1879896 bytes, MD5 022C2F6DCCDFA0AD73024D254E62AFAC)
          O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe (filesize 558080 bytes, MD5 AAC1D4EE39DF138C5D30AC5883E3B59F)
          O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe (filesize 558080 bytes, MD5 AAC1D4EE39DF138C5D30AC5883E3B59F)
          O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (filesize 1695232 bytes, MD5 3E930C641079443D4DE036167A69CAA2)
          O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (filesize 1695232 bytes, MD5 3E930C641079443D4DE036167A69CAA2)
          O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q304&bd=pavilion&pf=laptop
          O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30155.www3.hp.com/ediags/hpfix/sj/en/check/qdiagh.cab?326
          O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG10\avgpp.dll (filesize 201568 bytes, MD5 01F59CEB86096527A68137C2AAF97E7A)
          O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLLC:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
          O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exeC:\WINDOWS\system32\Ati2evxx.exe
          O23 - Service: AVGIDSAgent - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exeC:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe
          O23 - Service: AVG6 Service (AvgServ) - Unknown owner - C:\PROGRA~1\Grisoft\AVG6\avgserv.exe (file missing)
          O23 - Service: AVG WatchDog (avgwd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG10\avgwdsvc.exeC:\Program Files\AVG\AVG10\avgwdsvc.exe
          O23 - Service: Gear Security Service (GEARSecurity) - GEAR Software - C:\WINDOWS\System32\gearsec.exeC:\WINDOWS\System32\gearsec.exe
          O23 - Service: HP Configuration Interface Service (HPConfig) - Hewlett-Packard - C:\WINDOWS\system32\HPConfig.exeC:\WINDOWS\system32\HPConfig.exe
          O23 - Service: HPWirelessMgr - Hewlett-Packard Co. - C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exeC:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
          O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exeC:\Program Files\iPod\bin\iPodService.exe
          O23 - Service: Office Source Engine (ose) - Unknown owner - C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE (file missing)

          --
          End of file - 11183 bytes
           Results of screen317's Security Check version 0.99.6 
           Windows XP Service Pack 3 
           Internet Explorer 7 Out of date!
          ``````````````````````````````
          Antivirus/Firewall Check:

           Windows Firewall Enabled! 
           AVG 2011     
          ```````````````````````````````
          Anti-malware/Other Utilities Check:

           Malwarebytes' Anti-Malware   
           HijackThis 2.0.2   
           CCleaner     
           Java 2 Runtime Environment, SE v1.4.2
          Adobe Reader 7.0.8
          Out of date Adobe Reader installed!
           Mozilla Firefox (3.6.12)
          ````````````````````````````````
          Process Check: 
          objlist.exe by Laurent

           AVG avgwdsvc.exe
           AVG avgtray.exe
           AVG avgrsx.exe
           AVG avgnsx.exe
           AVG avgemc.exe
          ````````````````````````````````
          DNS Vulnerability Check:

           POOR! (Vulnerable to DNS cache poisoning!!-- Consider OPENDNS)

          ``````````End of Log````````````




          Ahhhh.  That's the way I would have done it to begin with.  Hope this helps.

          Meeting tonight; then back at it.  I think we're gaining. 

          Dennis

          SuperDave
          Download Disable/Remove Windows Messenger to the desktop to remove Windows Messenger.

          Do not confuse Windows Messenger with MSN Messenger because they are not the same. Windows Messenger is a frequent cause of popups.

          Unzip the file on the desktop. Open the MessengerDisable.exe and choose the bottom box - Uninstall Windows Messenger and click Apply.

          Exit out of MessengerDisable then delete the two files that were put on the desktop.

          **********************************
          Open HijackThis and select Do a system scan only

          Place a check mark next to the following entries: (if there)

          R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:10293
          O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
          O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (filesize 1695232 bytes, MD5 3E930C641079443D4DE036167A69CAA2)
          O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (filesize 1695232 bytes, MD5 3E930C641079443D4DE036167A69CAA2)
          O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (filesize 1695232 bytes, MD5 3E930C641079443D4DE036167A69CAA2)
          O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q304&bd=pavilion&pf=laptop
          O23 - Service: Office Source Engine (ose) - Unknown owner - C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE (file missing)


          Important: Close all open windows except for HijackThis and then click Fix checked.

          Once completed, exit HijackThis.
          **********************************
          Please download the newest version of Adobe Acrobat Reader from Adobe.com

          Before installing: it is important to remove older versions of Acrobat Reader since it does not do so automatically and old versions still leave you vulnerable.
          Go to the Control Panel and enter Add or Remove Programs.
          Search in the list for all previous installed versions of Adobe Acrobat Reader. Uninstall/Remove each of them.

          Once old versions are gone, please install the newest version.
          ****************************************
          Please download ComboFix from BleepingComputer.com

          Alternate link: GeeksToGo.com

          Rename ComboFix.exe to commy.exe before you save it to your Desktop
          Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. A guide to do this can be found here.
          Click Start>Run, then copy and paste the following command into the Run box & click OK: "%userprofile%\desktop\commy.exe" /stepdel
          As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
          Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

          Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

          Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


          Click on Yes, to continue scanning for malware.
          When finished, it shall produce a log for you.  Please include the contents of C:\ComboFix.txt in your next reply.

          If you have problems with ComboFix usage, see How to use ComboFix
          Windows 8 and Windows 10 dual boot with two SSD's
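          The fix list above relies on three patterns in the HijackThis log: a ProxyServer value pointing at loopback (the 127.0.0.1:10293 entry behind the "can't find proxy server" symptom), a BHO registered with "(no file)", and a service whose binary is "(file missing)". As an added example, not code from the thread or from HijackThis, the script below runs that triage over HJT 2.0.2-format lines; the sample log is constructed from lines of the posted log, and the regexes and finding categories are my own.

```python
"""Triage HijackThis 2.0.2 log lines for the entry patterns acted on in the thread.

Added example: not part of the forum thread and not HijackThis code. The sample
log below is constructed from lines in the posted HJT log.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: a few lines in the HijackThis 2.0.2 log format.
SAMPLE_HJT_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:10293
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (filesize 63128 bytes, MD5 F17B2B264072B921FC66A0BE16626BAB)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (filesize 1695232 bytes, MD5 3E930C641079443D4DE036167A69CAA2)
O23 - Service: AVG6 Service (AvgServ) - Unknown owner - C:\PROGRA~1\Grisoft\AVG6\avgserv.exe (file missing)
O23 - Service: AVG WatchDog (avgwd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG10\avgwdsvc.exe
O23 - Service: Office Source Engine (ose) - Unknown owner - C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE (file missing)
"""

# "R1 - ..." / "O23 - ...": HJT section code, then the entry body.
ENTRY_RE = re.compile(r"^(?P<kind>R[0-3]|O\d{1,2}) - (?P<body>.*)$")
# Loopback proxy with optional port, e.g. 127.0.0.1:10293 or localhost:8080.
LOOPBACK_RE = re.compile(r"\b(?:127\.0\.0\.1|localhost)(?::\d+)?\b", re.IGNORECASE)


@dataclass
class Finding:
    kind: str    # HJT section code (R1, O2, O23, ...)
    reason: str  # why the line was flagged
    line: str    # the original log line


def triage_line(line: str) -> Optional[Finding]:
    """Return a Finding for a suspicious HJT line, or None for lines left alone."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None  # header, blank line, "Running processes:" paths, etc.
    kind, body = m.group("kind"), m.group("body")

    if kind == "R1" and ",ProxyServer" in body:
        # The value is everything after the first "=", e.g. "http=127.0.0.1:10293".
        value = body.split("=", 1)[1].strip()
        if LOOPBACK_RE.search(value):
            # A proxy on the local machine with nothing listening there is what
            # produced "can't find proxy server": every request is handed to an
            # absent local process instead of going out to the network.
            return Finding(kind, f"proxy points at loopback ({value}); "
                                 "verify no local proxy is expected", line)
        return Finding(kind, f"proxy configured ({value}); confirm it is intended", line)

    if kind == "O2" and body.endswith("(no file)"):
        return Finding(kind, "BHO CLSID registered but DLL is absent (orphan)", line)

    if kind == "O23" and body.endswith("(file missing)"):
        return Finding(kind, "service registered but binary is absent (orphan)", line)

    return None


def triage_log(text: str) -> List[Finding]:
    """Run triage_line over every line of an HJT log, preserving log order."""
    findings = [triage_line(ln) for ln in text.splitlines()]
    return [f for f in findings if f is not None]


if __name__ == "__main__":
    for f in triage_log(SAMPLE_HJT_LOG):
        print(f"[{f.kind}] {f.reason}\n    {f.line}")
```

Orphaned O2/O23 entries are usually harmless leftovers of uninstalled software (the AvgServ entry here is one), so the loopback proxy is the finding that explains the symptom; the others are cleanup.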

            DennisT
            Hi:
            Out of caution, I decided to post this with a question.

            First, when attempting to go on-line to the Net, I had once recently seen, "can't find proxy server," when trying to open IE.  In town yesterday I asked my ISP about proxy server and he said they don't use it and I shouldn't have it.  So in IE Tools, I found it checked; I unchecked it. I couldn't remember what I should have in the first place.

            I can now access the Net. 

            Next I just did everything on your last list stopping just before ComboFix.  (Deleted Messenger, removed old Adobe Reader and installed the latest version)  Using the laptop itself to do downloads.


            I cannot find ComboFix on the BleepingComputer site at all.  I looked at GeeksToGo and found it under an alternate download site.  While doing that I noticed some forum comments, etc., that warned about not using ComboFix unless under highly trained supervision, (but that's you.)  And, as you admonished, warnings about turning off AV and spyware, etc.  Apparently someone was using ComboFix and thereafter could not boot up their computer.   

            Now that I'm nervous after reading that, I am thinking of going into Control Panel and doing Removes for HiJack This and the other programs you suggested so far. Then restarting my laptop. Then I'll "turn off AVG and SpyBot."

            After all that I'll download ComboFix from an alternative site. 

            As a side comment, now that I can go on-line to the Net, were I not otherwise aware, I'd think this laptop is running fine.  A long time ago I decided that even when I think a machine is running clean, I STILL don't trust that something hasn't infiltrated and is sitting in there waiting to do harm.  So I agree with continuing to purge this laptop, no matter how good it's beginning to look.

            So should I fully delete your earlier download suggestions and continue with ComboFix after that as I stated above?

            Dennis

            SuperDave

            • Malware Removal Specialist


            Quote
            After all that I'll download ComboFix from an alternative site.
            When you click on the first download link you should just get a download box. What browser are you using? You may have to use Internet Explorer but I just tried it with FireFox and it works.

            Quote
            So should I fully delete your earlier download suggestions and continue with ComboFix after that as I stated above?
            You can uninstall HJT. We are finished with it. Please run ComboFix and post the logs.

            DennisT

              Topic Starter


              Whew; again...

              I'm using IE.  (I downloaded Firefox a day or so ago in case IE was un-fixable)

              I disabled AVG for the 15 minutes (which appears to be the maximum).  By the time I got under way, that time expired during ComboFix, but CF saw it and put up a warning.  I simply un-installed AVG.  Then I brought ComboFix back up and proceeded as you directed.  It came to a blue box with, "preparing to run."  I waited, and it asked to download Recovery Console, which I did.  Then, before I could type in the line you wanted ending in, "stepdel," it went into AutoScan.  Ran through some 50 processes.  I just let it go.  The end log is included here: 

              ComboFix 10-11-03.04 - Dennis 11/04/2010  19:35:05.1.1 - x86
              Microsoft Windows XP Home Edition  5.1.2600.3.1252.1.1033.18.446.189 [GMT -7:00]
              Running from: c:\documents and settings\Dennis\Desktop\commy.exe
              .

              (((((((((((((((((((((((((   Files Created from 2010-10-05 to 2010-11-05  )))))))))))))))))))))))))))))))
              .

              2010-11-04 06:12 . 2010-11-04 06:12   --------   d-----w-   c:\program files\Common Files\Adobe AIR
              2010-11-03 14:17 . 2010-11-03 14:17   --------   d-----w-   c:\program files\Trend Micro
              2010-11-01 23:33 . 2010-11-01 23:33   --------   d-----w-   c:\documents and settings\Dennis\Local Settings\Application Data\Mozilla
              2010-11-01 19:52 . 2010-11-01 19:52   --------   d-----w-   c:\documents and settings\Dennis\Application Data\Malwarebytes
              2010-11-01 19:52 . 2010-11-01 19:52   --------   d-----w-   c:\documents and settings\All Users\Application Data\Malwarebytes
              2010-11-01 16:27 . 2010-11-01 16:27   --------   d-----w-   c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
              2010-11-01 01:00 . 2010-11-01 01:10   --------   d-----w-   C:\f5b763e5d84ff038215219e7ba16
              2010-11-01 00:15 . 2010-09-18 06:53   954368   ------w-   c:\windows\system32\dllcache\mfc40.dll
              2010-11-01 00:15 . 2010-09-18 06:53   953856   ------w-   c:\windows\system32\dllcache\mfc40u.dll
              2010-11-01 00:15 . 2010-09-18 06:53   974848   ------w-   c:\windows\system32\dllcache\mfc42.dll
              2010-11-01 00:14 . 2010-08-23 16:12   617472   ------w-   c:\windows\system32\dllcache\comctl32.dll
              2010-10-31 23:47 . 2010-06-14 14:31   744448   ------w-   c:\windows\system32\dllcache\helpsvc.exe
              2010-10-30 04:03 . 2010-10-30 04:03   --------   d-----w-   c:\documents and settings\Dennis\Application Data\AVG10
              2010-10-30 03:57 . 2010-10-30 03:57   --------   d--h--w-   c:\documents and settings\All Users\Application Data\Common Files
              2010-10-30 03:51 . 2010-11-05 02:23   --------   d-----w-   c:\documents and settings\All Users\Application Data\AVG10
              2010-10-30 03:50 . 2010-10-30 03:50   --------   d-----w-   c:\program files\AVG
              2010-10-30 03:18 . 2010-10-30 03:50   --------   d-----w-   c:\documents and settings\All Users\Application Data\MFAData

              .
              ((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
              .
              2010-09-18 19:23 . 2003-03-31 02:00   974848   ----a-w-   c:\windows\system32\mfc42u.dll
              2010-09-18 06:53 . 2003-03-31 02:00   974848   ----a-w-   c:\windows\system32\mfc42.dll
              2010-09-18 06:53 . 2003-03-31 02:00   954368   ----a-w-   c:\windows\system32\mfc40.dll
              2010-09-18 06:53 . 2003-03-31 02:00   953856   ----a-w-   c:\windows\system32\mfc40u.dll
              2010-09-09 13:38 . 2004-02-07 01:05   832512   ----a-w-   c:\windows\system32\wininet.dll
              2010-09-09 13:38 . 2003-03-31 02:00   1830912   ----a-w-   c:\windows\system32\inetcpl.cpl
              2010-09-09 13:38 . 2004-08-04 07:56   78336   ----a-w-   c:\windows\system32\ieencode.dll
              2010-09-09 13:38 . 2003-03-31 02:00   17408   ----a-w-   c:\windows\system32\corpol.dll
              2010-09-08 15:57 . 2004-08-04 05:59   389120   ----a-w-   c:\windows\system32\html.iec
              2010-09-01 11:51 . 2003-03-31 02:00   285824   ----a-w-   c:\windows\system32\atmfd.dll
              2010-08-31 13:42 . 2003-03-31 02:00   1852800   ----a-w-   c:\windows\system32\win32k.sys
              2010-08-27 08:02 . 2003-03-31 02:00   119808   ----a-w-   c:\windows\system32\t2embed.dll
              2010-08-27 05:57 . 2003-03-31 02:00   99840   ----a-w-   c:\windows\system32\srvsvc.dll
              2010-08-26 13:39 . 2003-03-31 02:00   357248   ----a-w-   c:\windows\system32\drivers\srv.sys
              2010-08-26 12:52 . 2009-05-15 01:50   5120   ----a-w-   c:\windows\system32\xpsp4res.dll
              2010-08-23 16:12 . 2003-03-31 02:00   617472   ----a-w-   c:\windows\system32\comctl32.dll
              2010-08-17 13:17 . 2003-03-31 02:00   58880   ----a-w-   c:\windows\system32\spoolsv.exe
              2010-08-16 08:45 . 2004-05-22 02:54   590848   ----a-w-   c:\windows\system32\rpcrt4.dll
              .

              (((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
              .
              .
              *Note* empty entries & legit default entries are not shown
              REGEDIT4

              [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
              "Microsoft Location Finder"="c:\program files\Microsoft Location Finder\LocationFinder.exe" [2005-08-25 101080]

              [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
              "ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-12-12 335872]
              "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2004-01-16 229376]
              "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2004-05-22 98304]
              "TV Now"="c:\program files\HPQ\Notebook Utilities\TvNow.exe" [2003-01-30 282624]
              "Display Settings"="c:\program files\HPQ\Notebook Utilities\hptasks.exe" [2002-08-15 45056]
              "QT4HPOT"="c:\program files\HPQ\One-Touch\OneTouch.EXE" [2003-03-13 102400]
              "SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2003-05-22 110592]
              "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2003-05-22 610304]
              "HPHmon05"="c:\windows\System32\hphmon05.exe" [2003-05-23 483328]
              "RoxioEngineUtility"="c:\program files\Common Files\Roxio Shared\System\EngUtil.exe" [2003-05-02 65536]
              "RoxioDragToDisc"="c:\program files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe" [2003-07-19 868352]
              "Cpqset"="c:\program files\HPQ\Default Settings\cpqset.exe" [2003-07-17 184412]
              "CARPService"="carpserv.exe" [2003-05-21 4608]
              "HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2005-02-17 49152]
              "HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2003-12-22 241664]
              "HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb08.exe" [2003-03-12 172032]
              "Share-to-Web Namespace Daemon"="c:\program files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2002-04-17 69632]
              "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760]
              "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]

              c:\documents and settings\Dennis\Start Menu\Programs\Startup\
              Microsoft Find Fast.lnk - c:\program files\Microsoft Office\Office\FINDFAST.EXE [1996-12-9 111376]

              [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
              "{EDB0E980-90BD-11D4-8599-0008C7D3B6F8}"= "c:\program files\Qualcomm\Eudora\EuShlExt.dll" [2005-06-08 86016]

              [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
              "%windir%\\system32\\sessmgr.exe"=
              "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
              "c:\\Program Files\\ATCS Monitor\\atcsmon.exe"=

              R3 CALIAUD;Conexant AMC 3D ENVIRONMENTAL AUDIO;c:\windows\system32\drivers\caliaud.sys [5/21/2004 6:27 PM 291328]
              R3 CALIHALA;CALIHALA;c:\windows\system32\drivers\calihal.sys [5/21/2004 6:27 PM 244608]
              R3 DP83815;National Semiconductor Corp. DP83815/816 NDIS 5.0 Miniport Driver;c:\windows\system32\drivers\DP83815.sys [7/16/2003 6:01 PM 28280]
              S2 AvgCore;AVG6 Kernel;\??\c:\progra~1\Grisoft\AVG6\avgcore.sys --> c:\progra~1\Grisoft\AVG6\avgcore.sys [?]
              S2 AvgFsh;AVG6 Rezident Driver;\??\c:\progra~1\Grisoft\AVG6\avgfsh.sys --> c:\progra~1\Grisoft\AVG6\avgfsh.sys [?]
              S2 AvgServ;AVG6 Service;c:\progra~1\Grisoft\AVG6\avgserv.exe --> c:\progra~1\Grisoft\AVG6\avgserv.exe [?]
              S3 LEX_NIC_SERVICE;IEEE 802.11 Wireless NIC Win2000 Driver;c:\windows\system32\drivers\Express.sys [4/16/2003 6:00 PM 57344]
              .
              .
              ------- Supplementary Scan -------
              .
              uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
              uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q304&bd=pavilion&pf=laptop
              uInternet Settings,ProxyOverride = <local>
              FF - ProfilePath - c:\documents and settings\Dennis\Application Data\Mozilla\Firefox\Profiles\w8arz9zr.default\
              FF - plugin: c:\program files\Java\j2re1.4.2\bin\NPJPI142.dll

              ---- FIREFOX POLICIES ----
              c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
              c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqz9s", true); // Traditional
              c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqs8s", true); // Simplified
              c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--j6w193g", true);
              c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
              c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4a87g", true);
              c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7c0a67fbc", true);
              c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7cvafr", true);
              c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kpry57d", true);  // Traditional
              c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kprw13d", true);  // Simplified
              c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
              .
              - - - - ORPHANS REMOVED - - - -

              HKLM-Run-HPHUPD05 - c:\program files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe



              **************************************************************************

              catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
              Rootkit scan 2010-11-04 19:40
              Windows 5.1.2600 Service Pack 3 NTFS

              scanning hidden processes ... 

              scanning hidden autostart entries ...

              HKLM\Software\Microsoft\Windows\CurrentVersion\Run
                Cpqset = c:\program files\HPQ\Default Settings\cpqset.exe????????4?5?4?0??????? ?deB???????????????B? ??????

              scanning hidden files ... 

              scan completed successfully
              hidden files: 0

              **************************************************************************
              .
              --------------------- DLLs Loaded Under Running Processes ---------------------

              - - - - - - - > 'explorer.exe'(3088)
              c:\windows\system32\WININET.dll
              c:\windows\system32\ieframe.dll
              c:\windows\system32\WPDShServiceObj.dll
              c:\windows\system32\PortableDeviceTypes.dll
              c:\windows\system32\PortableDeviceApi.dll
              .
              Completion time: 2010-11-04  19:44:58
              ComboFix-quarantined-files.txt  2010-11-05 02:44

              Pre-Run: 44,638,343,168 bytes free
              Post-Run: 44,634,873,856 bytes free

              WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
              [boot loader]
              timeout=2
              default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
              [operating systems]
              c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
              UnsupportedDebug="do not select this" /debug
              multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

              - - End Of File - - 855AE7DCFB7C6D1C7976972B2C5442BD

              So did I do wrong by not finding a place or opportunity to type in that one line? 

              Presently I have un-installed ALL my protection programs in preparation for ComboFix.  So when we finish, I'll need to begin all over to download everything I, or YOU suggest, I need.

              Since this is now a defense-less laptop, I'll turn it off until I hear from you again.

              I'm glad YOU understand these logs.

              Dennis

              SuperDave

              • Malware Removal Specialist


              Quote
              I simply un-installed AVG

              Before we continue download and install a free antivirus.

              Remember to only install one antivirus!
               
              1) Avast! Home Edition
              2) AVG Free Edition
              3) Avira AntiVir Personal
              4) Microsoft Security Essentials for Windows Vista\Windows 7 - 64 bit Download
              4-a) Microsoft Security Essentials for Windows XP
              5) Comodo Antivirus (Uncheck during installation "Install Comodo SafeSurf..", Make Comodo my default search provider" and "Make Comodo Search my homepage" if you choose this one)
              6) PC Tools AntiVirus Free Edition

              It is strongly recommended that you run only one antivirus program at a time. Having more than one antivirus program active in memory uses additional resources and can result in program conflicts and false virus alerts. If you choose to install more than one antivirus program on your computer, then only one of them should be active in memory at a time.
              ********************************************

              Quote
              So did I do wrong by not finding a place or opportunity to type in that one line?
              No. The log looks ok.

              SysProt Antirootkit

              Download
              SysProt Antirootkit from the link below (you will find it at the bottom
              of the page under attachments, or you can get it from one of the
              mirrors).

              http://sites.google.com/site/sysprotantirootkit/

              Unzip it into a folder on your desktop.
              • Double click Sysprot.exe to start the program.
              • Click on the Log tab.
              • In the Write to log box select the following items.
                • Process << Selected
                • Kernel Modules << Selected
                • SSDT << Selected
                • Kernel Hooks << Selected
                • IRP Hooks << NOT Selected
                • Ports << NOT Selected
                • Hidden Files << Selected
              • At the bottom of the page
                • Hidden Objects Only << Selected
              • Click on the Create Log button on the bottom right.
              • After a few seconds a new window should appear.
              • Select Scan Root Drive. Click on the Start button.
              • When it is complete a new window will appear to indicate that the scan is finished.
              • The log will be saved automatically in the same folder Sysprot.exe was extracted to. Open the text file and copy/paste the log here.

              DennisT

                Topic Starter


                Good Morning.  I'm home again and back to work.

                Yesterday I downloaded AVG 2011, installed it and updated it.  Then I re-booted, brought up AVG and updated it again.  I stopped when there were no more updates.

                Here is the SysProtLog:

                SysProt AntiRootkit v1.0.1.0
                by swatkat

                ******************************************************************************************
                ******************************************************************************************

                No Hidden Processes found

                ******************************************************************************************
                ******************************************************************************************
                Kernel Modules:
                Module Name: \SystemRoot\System32\Drivers\dump_atapi.sys
                Service Name: ---
                Module Base: EF9D4000
                Module End: EF9EC000
                Hidden: Yes

                Module Name: \SystemRoot\System32\Drivers\dump_WMILIB.SYS
                Service Name: ---
                Module Base: F7A89000
                Module End: F7A8B000
                Hidden: Yes

                ******************************************************************************************
                ******************************************************************************************
                SSDT:
                Function Name: ZwOpenProcess
                Address: EF7166C0
                Driver Base: EF714000
                Driver End: EF71E000
                Driver Name: \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys

                Function Name: ZwTerminateProcess
                Address: EF716770
                Driver Base: EF714000
                Driver End: EF71E000
                Driver Name: \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys

                Function Name: ZwTerminateThread
                Address: EF716810
                Driver Base: EF714000
                Driver End: EF71E000
                Driver Name: \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys

                Function Name: ZwWriteVirtualMemory
                Address: EF7168B0
                Driver Base: EF714000
                Driver End: EF71E000
                Driver Name: \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys

                ******************************************************************************************
                ******************************************************************************************
                No Kernel Hooks found

                ******************************************************************************************
                ******************************************************************************************
                No IRP Hooks found

                ******************************************************************************************
                ******************************************************************************************
                Ports:
                Local Address: DENNISLAPTOP:NETBIOS-SSN
                Remote Address: 0.0.0.0:0
                Type: TCP
                Process: System
                State: LISTENING

                Local Address: DENNISLAPTOP:1026
                Remote Address: 0.0.0.0:0
                Type: TCP
                Process: C:\WINDOWS\system32\alg.exe
                State: LISTENING

                Local Address: DENNISLAPTOP:MICROSOFT-DS
                Remote Address: 0.0.0.0:0
                Type: TCP
                Process: System
                State: LISTENING

                Local Address: DENNISLAPTOP:EPMAP
                Remote Address: 0.0.0.0:0
                Type: TCP
                Process: C:\WINDOWS\system32\svchost.exe
                State: LISTENING

                Local Address: DENNISLAPTOP:1900
                Remote Address: NA
                Type: UDP
                Process: C:\WINDOWS\system32\svchost.exe
                State: NA

                Local Address: DENNISLAPTOP:138
                Remote Address: NA
                Type: UDP
                Process: System
                State: NA

                Local Address: DENNISLAPTOP:NETBIOS-NS
                Remote Address: NA
                Type: UDP
                Process: System
                State: NA

                Local Address: DENNISLAPTOP:123
                Remote Address: NA
                Type: UDP
                Process: C:\WINDOWS\system32\svchost.exe
                State: NA

                Local Address: DENNISLAPTOP:1900
                Remote Address: NA
                Type: UDP
                Process: C:\WINDOWS\system32\svchost.exe
                State: NA

                Local Address: DENNISLAPTOP:123
                Remote Address: NA
                Type: UDP
                Process: C:\WINDOWS\system32\svchost.exe
                State: NA

                Local Address: DENNISLAPTOP:4500
                Remote Address: NA
                Type: UDP
                Process: C:\WINDOWS\system32\lsass.exe
                State: NA

                Local Address: DENNISLAPTOP:500
                Remote Address: NA
                Type: UDP
                Process: C:\WINDOWS\system32\lsass.exe
                State: NA

                Local Address: DENNISLAPTOP:MICROSOFT-DS
                Remote Address: NA
                Type: UDP
                Process: System
                State: NA

                ******************************************************************************************
                ******************************************************************************************
                Hidden files/folders:
                Object: C:\Qoobox\BackEnv\AppData.folder.dat
                Status: Access denied

                Object: C:\Qoobox\BackEnv\Cache.folder.dat
                Status: Access denied

                Object: C:\Qoobox\BackEnv\Cookies.folder.dat
                Status: Access denied

                Object: C:\Qoobox\BackEnv\Desktop.folder.dat
                Status: Access denied

                Object: C:\Qoobox\BackEnv\Favorites.folder.dat
                Status: Access denied

                Object: C:\Qoobox\BackEnv\History.folder.dat
                Status: Access denied

                Object: C:\Qoobox\BackEnv\LocalAppData.folder.dat
                Status: Access denied

                Object: C:\Qoobox\BackEnv\LocalSettings.folder.dat
                Status: Access denied

                Object: C:\Qoobox\BackEnv\Music.folder.dat
                Status: Access denied

                Object: C:\Qoobox\BackEnv\NetHood.folder.dat
                Status: Access denied

                Object: C:\Qoobox\BackEnv\Personal.folder.dat
                Status: Access denied

                Object: C:\Qoobox\BackEnv\Pictures.folder.dat
                Status: Access denied

                Object: C:\Qoobox\BackEnv\PrintHood.folder.dat
                Status: Access denied

                Object: C:\Qoobox\BackEnv\Profiles.Folder.dat
                Status: Access denied

                Object: C:\Qoobox\BackEnv\Profiles.Folder.folder.dat
                Status: Access denied

                Object: C:\Qoobox\BackEnv\Programs.folder.dat
                Status: Access denied

                Object: C:\Qoobox\BackEnv\Recent.folder.dat
                Status: Access denied

                Object: C:\Qoobox\BackEnv\SendTo.folder.dat
                Status: Access denied

                Object: C:\Qoobox\BackEnv\SetPath.bat
                Status: Access denied

                Object: C:\Qoobox\BackEnv\StartMenu.folder.dat
                Status: Access denied

                Object: C:\Qoobox\BackEnv\StartUp.folder.dat
                Status: Access denied

                Object: C:\Qoobox\BackEnv\SysPath.dat
                Status: Access denied

                Object: C:\Qoobox\BackEnv\Templates.folder.dat
                Status: Access denied

                Object: C:\Qoobox\BackEnv\VikPev00
                Status: Access denied
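                 As an added illustration for readers triaging a log like the one above (example code written for this thread, not from SysProt, ComboFix or the participants): a small parser for the SysProt log layout plus a first-pass triage that separates entries explained by the software known to be on the machine from entries a helper should look at. It assumes, as the thread states, that AVG is the installed antivirus (so AVGIDSShim.Sys hooking the SSDT is expected) and that C:\Qoobox is ComboFix's own backup folder; the sample log is a constructed excerpt, and unknownhook.sys and shadow.dat are invented entries.

```python
import re

BANNER = re.compile(r"^\*{10,}$")
# Assumptions from the thread: AVG is the installed antivirus, so AVGIDSShim.Sys hooking the
# SSDT is expected, and C:\Qoobox is ComboFix's own backup folder, so hidden files there are too.
EXPECTED_SSDT_DRIVERS = {"avgidsshim.sys"}
EXPECTED_HIDDEN_PREFIXES = ("c:\\qoobox\\",)

# Constructed excerpt in the SysProt v1.0.1.0 layout: the dump_atapi, AVG and Qoobox records
# mirror the posted log; unknownhook.sys and shadow.dat are invented so the triage flags something.
SAMPLE_LOG = """SysProt AntiRootkit v1.0.1.0

******************************
******************************
Kernel Modules:
Module Name: \\SystemRoot\\System32\\Drivers\\dump_atapi.sys
Hidden: Yes

Module Name: \\SystemRoot\\System32\\Drivers\\unknownhook.sys
Hidden: Yes

******************************
******************************
SSDT:
Function Name: ZwOpenProcess
Driver Name: \\SystemRoot\\system32\\DRIVERS\\AVGIDSShim.Sys

Function Name: ZwTerminateProcess
Driver Name: \\SystemRoot\\System32\\Drivers\\unknownhook.sys

******************************
******************************
Hidden files/folders:
Object: C:\\Qoobox\\BackEnv\\AppData.folder.dat
Status: Access denied

Object: C:\\WINDOWS\\system32\\drivers\\etc\\shadow.dat
Status: Access denied
"""


def parse_sysprot(text):
    """Return {section title: [record, ...]}, each record one blank-line-delimited block of
    'Key: Value' lines split on the first ':' only, so backslash paths stay intact."""
    sections, title, record, started = {}, None, {}, False

    def flush():
        if title and record:
            sections[title].append(dict(record))
        record.clear()

    for raw in text.splitlines():
        line = raw.strip()
        if BANNER.match(line):          # a banner row closes the current section
            flush()
            title, started = None, True
        elif not started:               # tool name and author lines before the first banner
            continue
        elif not line:
            flush()
        elif title is None:             # first text after a banner is the section title
            title = line.rstrip(":")
            sections.setdefault(title, [])
        else:
            key, sep, value = line.partition(":")
            if sep:
                record[key.strip()] = value.strip()
    flush()
    return sections


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def triage(sections):
    """Return (level, message) pairs; 'review' marks entries a human should look at."""
    out = []
    for m in sections.get("Kernel Modules", []):
        if m.get("Hidden") == "Yes":
            name = _basename(m.get("Module Name", ""))
            # dump_* modules are the kernel's crash-dump copies of the boot storage stack, routinely reported as hidden
            out.append(("info" if name.startswith("dump_") else "review",
                        f"hidden kernel module {name}"))
    for h in sections.get("SSDT", []):
        drv = _basename(h.get("Driver Name", ""))
        out.append(("info" if drv in EXPECTED_SSDT_DRIVERS else "review",
                    f"SSDT {h.get('Function Name')} hooked by {drv}"))
    for f in sections.get("Hidden files/folders", []):
        obj = f.get("Object", "")
        out.append(("info" if obj.lower().startswith(EXPECTED_HIDDEN_PREFIXES) else "review",
                    f"hidden object {obj}"))
    return out


def needs_review(text):
    return [msg for level, msg in triage(parse_sysprot(text)) if level == "review"]
```

Run against the log actually posted above, every entry lands in the "info" bucket, which is the same conclusion the helper reaches by eye.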


                SuperDave

                • Malware Removal Specialist


                I'd like to scan your machine with ESET OnlineScan

                •Hold down Control and click on the following link to open ESET OnlineScan in a new window.
                ESET OnlineScan
                •Click the button.
                •For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
                • Click on to download the ESET Smart Installer. Save it to your desktop.
                • Double click on the icon on your desktop.
                •Check
                •Click the button.
                •Accept any security warnings from your browser.
                •Check
                •Push the Start button.
                •ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
                •When the scan completes, push
                •Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
                •Push the button.
                •Push
                A log file will be saved here: C:\Program Files\ESET\ESET Online Scanner\log.txt


                DennisT

                  Topic Starter


                  OK:

                  I brought up this forum on the laptop.  Held control key and clicked the link once.  After a while nothing happened, so I did that over double-clicking.  Then I noticed an eset something running on top along the tool bar.  Now I have two of those listed up there.  (Probably should have walked away the first time and looked later to see what was happening)

                  Not sure I should hit, "back."  So I'll wait a while.

                  Using IE here, apparently I have two functions to perform:  Get the link up and click on the green ESET bar.  Then nothing I do until log appears. 

                  So far, I see no green bar.

                  Dennis

                  DennisT

                    Topic Starter


                    I might be progressing........

                    Will report more soon.

                    Dennis