
Author Topic: resident shield pop-up and av2009 virus  (Read 8367 times)


az_shyguy

    Topic Starter


    Beginner

    Thanked: 1
    resident shield pop-up and av2009 virus
    « on: December 31, 2008, 05:05:54 PM »
    Hello everyone and thanks in advance for the help!

    I just got back home from vacation and my mother told me she keeps getting a pop-up, and asked if she should download it because it looked like her computer was not protected, or it said she had no firewall and wasn't protected and it could do damage. She said she did a scan and moved things to the vault in AVG, but the pop-ups kept on popping up.
    I told her not to do it till I could look at it. Anyhow, I have run all the scans and HijackThis, which is below along with computer info!
    It looks like the same problem that westwinds31 has?
    I do know each computer is different and takes different kinds of approaches to clean the comp. It also looked like they had other viruses or spyware? Anyhow, I would appreciate you looking at the logs and giving me the next steps to a clean computer!

    Computer Information:
     OS Name   Microsoft Windows XP Home Edition
    Version   5.1.2600 Service Pack 3 Build 2600
    OS Manufacturer   Microsoft Corporation
    System Name   
    System Manufacturer   Compaq Presario 061
    System Model   PS569AA-ABA SR1420NX NA520
    System Type   X86-based PC
    Processor   x86 Family 15 Model 4 Stepping 1 GenuineIntel ~2933 MHz
    BIOS Version/Date   Phoenix Technologies, LTD  3.04, 1/26/2005
    SMBIOS Version   2.3
    Windows Directory   C:\WINDOWS
    System Directory   C:\WINDOWS\system32
    Boot Device   \Device\HarddiskVolume2
    Locale   United States
    Hardware Abstraction Layer   Version = "5.1.2600.5512 (xpsp.080413-2111)"
    Total Physical Memory   768.00 MB
    Available Physical Memory   431.91 MB
    Total Virtual Memory   2.00 GB
    Available Virtual Memory   1.96 GB
    Page File Space   1.44 GB
    Page File   C:\pagefile.sys

    80 GB hard drive
    running AVG Free 8.0.176
    running Windows Defender

    logs attached below.

    Want to thank you guys again for your time and effort!



    [attachment deleted by admin]

    CBMatt

    • Mod & Malware Specialist


    • Prodigy

    • Sad and lonely...and loving every minute of it.
    • Thanked: 167
      • Yes
    • Experience: Experienced
    • OS: Windows 7
    Re: resident shield pop-up and av2009 virus
    « Reply #1 on: January 04, 2009, 04:53:50 PM »
    Download ComboFix by sUBs from one of the below links.  Be sure to save it to the Desktop.

    http://download.bleepingcomputer.com/sUBs/ComboFix.exe
    http://subs.geekstogo.com/ComboFix.exe

    Close any open web browsers (Firefox, Internet Explorer, etc) before starting ComboFix.

    Temporarily disable your anti-virus, and any anti-spyware real-time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.

    Double-click combofix.exe and follow the prompts.
    When finished, ComboFix will produce a log for you.
    Post the ComboFix log and a new HijackThis log in your next reply.

    NOTE: Do not mouseclick ComboFix's window while it is running. That may cause it to stall.

    Remember to re-enable your anti-virus and anti-spyware protection when ComboFix is complete.
    An undefined problem has an infinite number of solutions.
    - Robert A. Humphrey

    az_shyguy

      Topic Starter


      Beginner

      Thanked: 1
      Re: resident shield pop-up and av2009 virus
      « Reply #2 on: January 07, 2009, 12:10:34 PM »
      Thanks for answering CBMatt!
      Sorry it took so long for me to answer. Looked like you were pretty well swamped.
      The computer was working OK so I let my mom take it back home... so as soon as I get down there I will proceed with your instructions and get back to you, OK. Might be tomorrow before I get to her house though. Many thanks for your help!

      CBMatt

      • Mod & Malware Specialist


      • Prodigy

      • Sad and lonely...and loving every minute of it.
      • Thanked: 167
        • Yes
      • Experience: Experienced
      • OS: Windows 7
      Re: resident shield pop-up and av2009 virus
      « Reply #3 on: January 07, 2009, 03:47:07 PM »
      You're welcome, and take as much time as you need.  We do get pretty swamped around here, but we try to do what we can to take care of everyone who stops by.

      az_shyguy

        Topic Starter


        Beginner

        Thanked: 1
        Re: resident shield pop-up and av2009 virus
        « Reply #4 on: January 12, 2009, 07:12:57 PM »
        OK sorry for the delay again CBMatt!

          I think I am having a problem with the ComboFix utility. I did as instructed and it started to scan, but I never saw it finish and it never gave me a log to post. I wrote down what was in the window after it said it started the scan and changed the clock. The clock is still in 24-hour time instead of the twelve-hour one. OK, after it started it said:

        Deleting Files;
        "C:\Windows\system32\mfcans32.DLL"
        "C:\Windows\system32\mfcuia32.dll"
        "C:\Windows\system32\msrdo20.dll"
        "C:\Windows\system32\rdocurs.dll"
        "D:\Autorun.inf"

             Then it goes on and says:

        Completed stage_1 Thru to Completed stage _40

        Then tells me:
        Deleting Files;

        "C:\Windows\system32\ubiwenos.ini"
        "C:\Windows\system32\udefujed.ini"

        Then it goes on and says:

        Completed Stage _41 Thru to Completed Stage _50

        After that I get this message:

        '"C:\Windows\system32\"' is not recognized as an internal or external Command, operable program or batch file.


        That's it! Then it just has a blinking cursor at the bottom and stays like that until I go to Task Manager and reboot, and I have let it sit there for over an hour thinking it might be working or give me a log.
        That is all I got for the ComboFix, so I will wait for further instruction on that.
        The HijackThis log is below also. So not sure what to do until I hear from you, and I should be able to work on the problem tomorrow.
        Thanks for your help! It is very appreciated!




        Logfile of Trend Micro HijackThis v2.0.2
        Scan saved at 18:23, on 2009-01-12
        Platform: Windows XP SP3 (WinNT 5.01.2600)
        MSIE: Internet Explorer v7.00 (7.00.6000.16762)
        Boot mode: Normal

        Running processes:
        C:\WINDOWS\System32\smss.exe
        C:\WINDOWS\system32\winlogon.exe
        C:\WINDOWS\system32\services.exe
        C:\WINDOWS\system32\lsass.exe
        C:\WINDOWS\system32\svchost.exe
        C:\Program Files\Windows Defender\MsMpEng.exe
        C:\WINDOWS\System32\svchost.exe
        C:\WINDOWS\Explorer.EXE
        C:\WINDOWS\system32\spoolsv.exe
        C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
        C:\WINDOWS\system32\bgsvcgen.exe
        C:\Program Files\Java\jre6\bin\jqs.exe
        C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
        C:\WINDOWS\system32\HPZipm12.exe
        C:\WINDOWS\system32\slserv.exe
        C:\WINDOWS\system32\svchost.exe
        C:\windows\system\hpsysdrv.exe
        C:\WINDOWS\system32\hkcmd.exe
        C:\WINDOWS\AGRSMMSG.exe
        C:\HP\KBD\KBD.EXE
        C:\PROGRA~1\AVG\AVG8\avgtray.exe
        C:\Program Files\QuickTime\qttask.exe
        C:\Program Files\Java\jre6\bin\jusched.exe
        C:\Program Files\MSN Messenger\msnmsgr.exe
        C:\PROGRA~1\AVG\AVG8\avgrsx.exe
        C:\PROGRA~1\AVG\AVG8\avgemc.exe
        C:\WINDOWS\system32\wscntfy.exe
        C:\Program Files\Trend Micro\HijackThis\sniper.exe.exe

        R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q105&bd=presario&pf=desktop
        R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
        R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
        R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
        R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q105&bd=presario&pf=desktop
        R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
        R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
        R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
        R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
        O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
        O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
        O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
        O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
        O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
        O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
        O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
        O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
        O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
        O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
        O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
        O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
        O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
        O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
        O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
        O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
        O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
        O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
        O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
        O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
        O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
        O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
        O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
        O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
        O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
        O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
        O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
        O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
        O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1181376046812
        O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
        O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1181377370453
        O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
        O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
        O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
        O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
        O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
        O23 - Service: B's Recorder GOLD Library General Service (bgsvcgen) - B.H.A Corporation - C:\WINDOWS\system32\bgsvcgen.exe
        O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
        O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
        O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe

        --
        End of file - 6714 bytes


        CBMatt

        • Mod & Malware Specialist


        • Prodigy

        • Sad and lonely...and loving every minute of it.
        • Thanked: 167
          • Yes
        • Experience: Experienced
        • OS: Windows 7
        Re: resident shield pop-up and av2009 virus
        « Reply #5 on: January 13, 2009, 02:39:01 AM »
        Hm, that's a bit odd.  I know it sounds like a pain, but see if this will make a difference...  Go to Start > Run and type in combofix /u (note the space) to uninstall it.  If the file still exists, delete it.  Then download a fresh copy of ComboFix and try scanning with it again.  Do you still have the same problem or does it work?

        You may also want to give this a try...

        Please print these instructions as they will be needed later when Internet access is not available.
         
        Download SDFix by AndyManchesta and save it to your desktop. http://rapidshare.com/files/156236231/SDFix.exe.html

        When using this tool, you must use the Administrator's account or an account with Administrative rights

        • Double-click SDFix.exe and it will extract the files to %systemdrive% (this is the drive that contains the Windows Directory, typically C:\SDFix).
        • DO NOT use it just yet.
        Reboot your computer in Safe Mode using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears), press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

        Open the SDFix folder and double-click RunThis.bat to start the script.
        • Type Y to begin the cleanup process.
        • It will remove any Trojan Services or Registry Entries found then prompt you to press any key to reboot.
        • Press any Key and it will restart the PC.
        • When the PC restarts, the Fixtool will run again and complete the removal process then display Finished.  Press any key to end the script and load your desktop icons.
        • Once the desktop icons load, the SDFix report will open on screen and also save into the SDFix folder as Report.txt.
        • Copy and paste the contents of the results file Report.txt in your next reply, along with a new HijackThis log.

        az_shyguy

          Topic Starter


          Beginner

          Thanked: 1
          Re: resident shield pop-up and av2009 virus
          « Reply #6 on: January 13, 2009, 03:12:40 PM »
          Thanks CBMatt!

          Did as you instructed and the ComboFix worked. Below are the ComboFix report, SDFix report and a new HijackThis log!

          Will be waiting for further instructions. Seems like we are making progress now, thank you!

          combo fix report:

          ComboFix 09-01-13.03 - Compaq_Owner 2009-01-13 13:32:02.2 - NTFSx86
          Microsoft Windows XP Home Edition  5.1.2600.3.1252.1.1033.18.759.452 [GMT -7:00]
          Running from: c:\documents and settings\Compaq_Owner\Desktop\ComboFix.exe
          AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)
           * Created a new restore point
          .

          (((((((((((((((((((((((((   Files Created from 2008-12-13 to 2009-01-13  )))))))))))))))))))))))))))))))
          .

          2008-12-31 15:52 . 2008-12-31 15:51   410,984   --a------   c:\windows\system32\deploytk.dll

          .
          ((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
          .
          2009-01-13 02:25   ---------   d-----w   c:\program files\Malwarebytes' Anti-Malware
          2009-01-09 22:36   33,678   ----a-w   c:\documents and settings\Compaq_Owner\Application Data\wklnhst.dat
          2009-01-05 01:38   38,496   ----a-w   c:\windows\system32\drivers\mbamswissarmy.sys
          2009-01-05 01:38   15,504   ----a-w   c:\windows\system32\drivers\mbam.sys
          2009-01-02 07:15   ---------   d-----w   c:\program files\SUPERAntiSpyware
          2008-12-31 22:56   ---------   d-----w   c:\program files\Java
          2008-12-31 20:29   ---------   d-----w   c:\program files\CCleaner
          2008-12-13 06:40   3,593,216   ----a-w   c:\windows\system32\dllcache\mshtml.dll
          2008-10-24 11:21   455,296   ------w   c:\windows\system32\dllcache\mrxsmb.sys
          2008-10-23 12:36   286,720   ----a-w   c:\windows\system32\gdi32.dll
          2008-10-23 12:36   286,720   ------w   c:\windows\system32\dllcache\gdi32.dll
          2008-10-16 21:13   202,776   ----a-w   c:\windows\system32\wuweb.dll
          2008-10-16 21:13   202,776   ----a-w   c:\windows\system32\dllcache\wuweb.dll
          2008-10-16 21:13   1,809,944   ----a-w   c:\windows\system32\wuaueng.dll
          2008-10-16 21:13   1,809,944   ----a-w   c:\windows\system32\dllcache\wuaueng.dll
          2008-10-16 21:12   561,688   ----a-w   c:\windows\system32\wuapi.dll
          2008-10-16 21:12   561,688   ----a-w   c:\windows\system32\dllcache\wuapi.dll
          2008-10-16 21:12   323,608   ----a-w   c:\windows\system32\wucltui.dll
          2008-10-16 21:12   323,608   ----a-w   c:\windows\system32\dllcache\wucltui.dll
          2008-10-16 21:09   92,696   ----a-w   c:\windows\system32\dllcache\cdm.dll
          2008-10-16 21:09   92,696   ----a-w   c:\windows\system32\cdm.dll
          2008-10-16 21:09   51,224   ----a-w   c:\windows\system32\wuauclt.exe
          2008-10-16 21:09   51,224   ----a-w   c:\windows\system32\dllcache\wuauclt.exe
          2008-10-16 21:09   43,544   ----a-w   c:\windows\system32\wups2.dll
          2008-10-16 21:08   34,328   ----a-w   c:\windows\system32\wups.dll
          2008-10-16 21:08   34,328   ----a-w   c:\windows\system32\dllcache\wups.dll
          2008-10-16 13:11   70,656   ----a-w   c:\windows\system32\dllcache\ie4uinit.exe
          2008-10-16 13:11   13,824   ----a-w   c:\windows\system32\dllcache\ieudinit.exe
          2008-10-15 16:34   337,408   ------w   c:\windows\system32\dllcache\netapi32.dll
          2008-10-15 07:06   633,632   ----a-w   c:\windows\system32\dllcache\iexplore.exe
          2008-10-15 07:04   161,792   ----a-w   c:\windows\system32\dllcache\ieakui.dll
          2007-11-28 05:07   67,696   ----a-w   c:\program files\mozilla firefox\components\jar50.dll
          2007-11-28 05:07   54,376   ----a-w   c:\program files\mozilla firefox\components\jsd3250.dll
          2007-11-28 05:07   34,952   ----a-w   c:\program files\mozilla firefox\components\myspell.dll
          2007-11-28 05:07   46,720   ----a-w   c:\program files\mozilla firefox\components\spellchk.dll
          2007-11-28 05:07   172,144   ----a-w   c:\program files\mozilla firefox\components\xpinstal.dll
          2005-06-21 07:02   22   --sha-w   c:\windows\SMINST\HPCD.sys
          2008-09-05 09:06   32,768   --sha-w   c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008090520080906\index.dat
          .

          (((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
          .
          .
          *Note* empty entries & legit default entries are not shown
          REGEDIT4

          [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
          "msnmsgr"="c:\program files\MSN Messenger\msnmsgr.exe" [2007-01-19 5674352]

          [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
          "hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736]
          "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-11-02 126976]
          "KBD"="c:\hp\KBD\KBD.EXE" [2003-02-11 61440]
          "Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2004-04-14 233472]
          "AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2008-11-27 1261336]
          "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2005-02-04 98304]
          "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-31 136600]
          "AGRSMMSG"="AGRSMMSG.exe" [2004-06-29 c:\windows\AGRSMMSG.exe]

          [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
          "DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 39264]

          [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
          "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

          [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
          2009-01-02 00:15 356352 c:\program files\SUPERAntiSpyware\SASWINLO.DLL

          [HKEY_LOCAL_MACHINE\software\microsoft\security center]
          "AntiVirusDisableNotify"=dword:00000001
          "UpdatesDisableNotify"=dword:00000001

          [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
          "DisableMonitoring"=dword:00000001

          [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
          "DisableMonitoring"=dword:00000001

          [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
          "DisableMonitoring"=dword:00000001

          [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
          "EnableFirewall"= 0 (0x0)

          [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
          "%windir%\\system32\\sessmgr.exe"=
          "c:\\Program Files\\Compaq Connections\\6750491\\Program\\Compaq Connections.exe"=
          "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
          "c:\\Program Files\\IncrediMail\\bin\\ImApp.exe"=
          "c:\\Program Files\\IncrediMail\\bin\\IncMail.exe"=
          "c:\\Program Files\\IncrediMail\\bin\\ImpCnt.exe"=
          "c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
          "c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
          "c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
          "c:\\Program Files\\MSN Messenger\\livecall.exe"=
          "c:\\WINDOWS\\pchealth\\helpctr\\binaries\\helpctr.exe"=
          "c:\\Program Files\\Windows Defender\\MsMpEng.exe"=
          "c:\\Program Files\\AVG\\AVG8\\avgwdsvc.exe"=
          "c:\\Program Files\\Common Files\\Microsoft Shared\\VS7DEBUG\\MDM.EXE"=

          R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-07-14 97928]
          R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2008-05-28 8944]
          R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2008-05-28 55024]
          R4 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2008-07-14 875288]
          R4 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-07-14 231704]
          R4 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-07-14 76040]
          R4 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [2006-11-03 13592]
          S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2008-05-28 7408]
          .
          Contents of the 'Scheduled Tasks' folder

          2009-01-13 c:\windows\Tasks\MP Scheduled Scan.job
          - c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 18:20]
          .
          .
          ------- Supplementary Scan -------
          .
          uStart Page = hxxp://www.yahoo.com/
          uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q105&bd=presario&pf=desktop
          mStart Page = hxxp://www.yahoo.com
          mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q105&bd=presario&pf=desktop
          IE: &Search
          IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
          Trusted Zone: free.aol.com
          Trusted Zone: *.turbotax.com
          FF - ProfilePath -
          .

          **************************************************************************

          catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
          Rootkit scan 2009-01-13 13:34:45
          Windows 5.1.2600 Service Pack 3 NTFS

          scanning hidden processes ...

          scanning hidden autostart entries ...

          scanning hidden files ...

          scan completed successfully
          hidden files: 0

          **************************************************************************
          .
          --------------------- DLLs Loaded Under Running Processes ---------------------

          - - - - - - - > 'winlogon.exe'(500)
          c:\program files\SUPERAntiSpyware\SASWINLO.DLL
          .
          Completion time: 2009-01-13 13:36:55
          ComboFix-quarantined-files.txt  2009-01-13 20:36:13

          Pre-Run: 33,225,895,936 bytes free
          Post-Run: 33,213,181,952 bytes free

          144   --- E O F ---   2009-01-13 08:37:12


          SDFix report:


          SDFix: Version 1.236
          Run by Administrator on Tue 01/13/2009 at 02:23 PM

          Microsoft Windows XP [Version 5.1.2600]
          Running From: C:\SDFix

          Checking Services :


          Restoring Default Security Values
          Restoring Default Hosts File

          Rebooting


          Checking Files :

          No Trojan Files Found






          Removing Temp Files

          ADS Check :
           


                                           Final Check :

          catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
          Rootkit scan 2009-01-13 14:31:37
          Windows 5.1.2600 Service Pack 3 NTFS

          scanning hidden processes ...

          scanning hidden services & system hive ...

          scanning hidden registry entries ...

          scanning hidden files ...

          scan completed successfully
          hidden processes: 0
          hidden services: 0
          hidden files: 0


          Remaining Services :




          Authorized Application Key Export:

          [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
          "%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
          "C:\\Program Files\\Compaq Connections\\6750491\\Program\\Compaq Connections.exe"="C:\\Program Files\\Compaq Connections\\6750491\\Program\\Compaq Connections.exe:*:Enabled:BackWeb for Presario"
          "%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
          "C:\\Program Files\\IncrediMail\\bin\\ImApp.exe"="C:\\Program Files\\IncrediMail\\bin\\ImApp.exe:*:Enabled:IncrediMail"
          "C:\\Program Files\\IncrediMail\\bin\\IncMail.exe"="C:\\Program Files\\IncrediMail\\bin\\IncMail.exe:*:Enabled:IncrediMail"
          "C:\\Program Files\\IncrediMail\\bin\\ImpCnt.exe"="C:\\Program Files\\IncrediMail\\bin\\ImpCnt.exe:*:Enabled:IncrediMail"
          "C:\\Program Files\\TurboTax\\Deluxe 2007\\32bit\\ttax.exe"="C:\\Program Files\\TurboTax\\Deluxe 2007\\32bit\\ttax.exe:LocalSubNet:Enabled:TurboTax"
          "C:\\Program Files\\TurboTax\\Deluxe 2007\\32bit\\updatemgr.exe"="C:\\Program Files\\TurboTax\\Deluxe 2007\\32bit\\updatemgr.exe:LocalSubNet:Enabled:TurboTax Update Manager"
          "C:\\Program Files\\AVG\\AVG8\\avgemc.exe"="C:\\Program Files\\AVG\\AVG8\\avgemc.exe:*:Enabled:avgemc.exe"
          "C:\\Program Files\\AVG\\AVG8\\avgupd.exe"="C:\\Program Files\\AVG\\AVG8\\avgupd.exe:*:Enabled:avgupd.exe"
          "C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
          "C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
          "C:\\WINDOWS\\pchealth\\helpctr\\binaries\\helpctr.exe"="C:\\WINDOWS\\pchealth\\helpctr\\binaries\\helpctr.exe:*:Enabled:Remote Assistance - Windows Messenger and Voice"
          "C:\\Program Files\\Windows Defender\\MsMpEng.exe"="C:\\Program Files\\Windows Defender\\MsMpEng.exe:*:Enabled:MsMpEng"
          "C:\\Program Files\\AVG\\AVG8\\avgwdsvc.exe"="C:\\Program Files\\AVG\\AVG8\\avgwdsvc.exe:*:Enabled:avgwdsvc"
          "C:\\Program Files\\Common Files\\Microsoft Shared\\VS7DEBUG\\MDM.EXE"="C:\\Program Files\\Common Files\\Microsoft Shared\\VS7DEBUG\\MDM.EXE:*:Enabled:MDM"

          [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
          "%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
          "%ProgramFiles%\\iTunes\\iTunes.exe"="%ProgramFiles%\\iTunes\\iTunes.exe:*:enabled:iTunes"
          "%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
          "C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
          "C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"

          Remaining Files :



          Files with Hidden Attributes :

          Sat  9 Jun 2007           213 A.SHR --- "C:\BOOT.BAK"
          Tue 21 Jun 2005            22 A.SH. --- "C:\WINDOWS\SMINST\HPCD.sys"
          Sun 20 Aug 2006         4,348 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
          Sat  9 Jun 2007             0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"

          Finished!
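In the ComboFix report above, the entries under `security center` and `firewallpolicy\standardprofile` are the ones a responder checks first: notifications for antivirus and updates are switched off, Security Center monitoring is disabled, and the standard-profile firewall is off, which matches the "not protected / no firewall" pop-ups the thread started with. The Python below is an added example (not code from the thread, ComboFix or SDFix) that parses the REGEDIT4-style "Reg Loading Points" block and lists the values that leave the machine without warnings or without a firewall; the sample block is copied from the posted report. Vendor subkeys under `Monitoring` are also created legitimately by third-party security suites, so the output is a triage list to review, not a verdict.

```python
"""Triage helper for the 'Reg Loading Points' block of a ComboFix report.

Added example, not code from the thread, ComboFix or SDFix. It parses the
REGEDIT4-style dump and flags Security Center / Windows Firewall values that
leave the machine without warnings or without a firewall.
"""
import re
from typing import Dict, List, Tuple

# Excerpt of the REGEDIT4 block as posted in the thread's ComboFix report.
SAMPLE_DUMP = r"""
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"""

# (lower-case key-path fragment, value name) -> value that weakens protection.
# Matching is by substring of the key path, so the Monitoring entry also
# covers per-vendor subkeys such as Monitoring\SymantecAntiVirus.
WATCHLIST: Dict[Tuple[str, str], int] = {
    (r"security center", "AntiVirusDisableNotify"): 1,
    (r"security center", "FirewallDisableNotify"): 1,
    (r"security center", "UpdatesDisableNotify"): 1,
    (r"security center\monitoring", "DisableMonitoring"): 1,
    (r"firewallpolicy\standardprofile", "EnableFirewall"): 0,
}

SECTION_RE = re.compile(r"^\[(.+)\]$")
# Accepts both 'dword:00000001' and ComboFix's abbreviated '= 0 (0x0)' form.
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(dword:)?([0-9A-Fa-f]+)')

Finding = Tuple[str, str, int]  # (key path, value name, observed value)


def parse_regedit4(text: str) -> Dict[str, Dict[str, int]]:
    """Return {key_path: {value_name: int}} for the numeric values in a dump."""
    tree: Dict[str, Dict[str, int]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        sec = SECTION_RE.match(line)
        if sec:
            current = sec.group(1)
            tree.setdefault(current, {})
            continue
        val = VALUE_RE.match(line)
        if val and current is not None:
            name, is_dword, digits = val.groups()
            # dword values are hex; the abbreviated form is already decimal.
            tree[current][name] = int(digits, 16 if is_dword else 10)
    return tree


def flag_weakened_settings(tree: Dict[str, Dict[str, int]]) -> List[Finding]:
    """List every watched value that is set to its protection-weakening state."""
    findings: List[Finding] = []
    for key, values in tree.items():
        key_l = key.lower()
        for (fragment, name), bad in WATCHLIST.items():
            if fragment in key_l and values.get(name) == bad:
                findings.append((key, name, bad))
    return findings


if __name__ == "__main__":
    for key, name, value in flag_weakened_settings(parse_regedit4(SAMPLE_DUMP)):
        print(f"REVIEW  {key}\\{name} = {value}")
```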


          az_shyguy

            Topic Starter


            Beginner

            Thanked: 1
            Re: resident shield pop-up and av2009 virus
            « Reply #7 on: January 13, 2009, 03:13:56 PM »
            Finally, the HijackThis report:

            Logfile of Trend Micro HijackThis v2.0.2
            Scan saved at 2:38:59 PM, on 1/13/2009
            Platform: Windows XP SP3 (WinNT 5.01.2600)
            MSIE: Internet Explorer v7.00 (7.00.6000.16762)
            Boot mode: Normal

            Running processes:
            C:\WINDOWS\System32\smss.exe
            C:\WINDOWS\system32\winlogon.exe
            C:\WINDOWS\system32\services.exe
            C:\WINDOWS\system32\lsass.exe
            C:\WINDOWS\system32\svchost.exe
            C:\Program Files\Windows Defender\MsMpEng.exe
            C:\WINDOWS\System32\svchost.exe
            C:\WINDOWS\Explorer.EXE
            C:\WINDOWS\system32\spoolsv.exe
            C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
            C:\WINDOWS\system32\bgsvcgen.exe
            C:\Program Files\Java\jre6\bin\jqs.exe
            C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
            C:\WINDOWS\system32\HPZipm12.exe
            C:\WINDOWS\system32\slserv.exe
            C:\WINDOWS\system32\svchost.exe
            C:\PROGRA~1\AVG\AVG8\avgrsx.exe
            C:\PROGRA~1\AVG\AVG8\avgemc.exe
            C:\windows\system\hpsysdrv.exe
            C:\WINDOWS\system32\hkcmd.exe
            C:\WINDOWS\AGRSMMSG.exe
            C:\HP\KBD\KBD.EXE
            C:\PROGRA~1\AVG\AVG8\avgtray.exe
            C:\Program Files\QuickTime\qttask.exe
            C:\Program Files\Java\jre6\bin\jusched.exe
            C:\Program Files\MSN Messenger\msnmsgr.exe
            C:\Program Files\Trend Micro\HijackThis\sniper.exe.exe

            R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q105&bd=presario&pf=desktop
            R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
            R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
            R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
            R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q105&bd=presario&pf=desktop
            R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
            R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
            R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
            R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
            O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
            O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
            O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
            O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
            O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
            O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
            O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
            O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
            O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
            O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
            O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
            O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
            O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
            O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
            O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
            O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
            O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
            O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
            O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
            O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
            O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
            O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
            O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
            O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
            O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
            O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
            O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
            O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
            O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1181376046812
            O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
            O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1181377370453
            O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
            O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
            O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
            O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
            O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
            O23 - Service: B's Recorder GOLD Library General Service (bgsvcgen) - B.H.A Corporation - C:\WINDOWS\system32\bgsvcgen.exe
            O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
            O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
            O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe

            --
            End of file - 6685 bytes

            CBMatt

            • Mod & Malware Specialist


            • Prodigy

            • Sad and lonely...and loving every minute of it.
            • Thanked: 167
            • Experience: Experienced
            • OS: Windows 7
            Re: resident shield pop-up and av2009 virus
            « Reply #8 on: January 13, 2009, 06:10:38 PM »
            These logs all look pretty clean to me.  I didn't notice anything that looks malicious.  Has the condition of this computer improved any?
            Quote
            An undefined problem has an infinite number of solutions.
            - Robert A. Humphrey
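Going through the HijackThis log above by hand, as CBMatt did, comes down to a handful of recurring questions per line type: does an R0/R1 start or search page point at an unexpected host, is an O2 BHO orphaned, does an O4 autorun launch from a temp or profile folder or as a bare filename, is an O20 Winlogon Notify hook from a known vendor, does an O23 service have a named owner. The following is an added example, not from the thread and not HijackThis or Trend Micro code: a Python triage pass that encodes those checks. The host allowlist and the list of suspect directories are assumptions for this machine; the sample lines are copied from the log except the "[Security Center]" autorun and the "Example Service" entry, which are constructed so that two "suspect" hits appear.

```python
import re
from dataclasses import dataclass
from typing import List

LINE_RE = re.compile(r"^(?P<kind>[RFO]\d+) - (?P<body>.*)$")

# Directories a Run entry or service binary has no business living in
SUSPECT_DIRS = ("\\temp\\", "\\local settings\\", "\\application data\\", "\\recycler\\")
# Hosts this box's IE start/search pages and DPF downloads are expected to use.
# An assumption for this machine; extend the list for others.
KNOWN_HOSTS = ("microsoft.com", "hp.com", "yahoo.com", "macromedia.com", "symantec.com")

# Constructed sample: most lines are copied from the HijackThis log above; the
# "[Security Center]" autorun and the "Example Service" entry are made up to show hits.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [Security Center] C:\Documents and Settings\Owner\Local Settings\Temp\rogue.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Example Service (exsvc) - Unknown owner - C:\WINDOWS\system32\exsvc.exe
"""


@dataclass
class Finding:
    severity: str   # "suspect" (act on it) or "review" (confirm by hand)
    line: str
    reason: str


def host_of(url: str) -> str:
    m = re.search(r"https?://([^/:\s]+)", url, re.I)
    return m.group(1).lower() if m else ""


def known_host(host: str) -> bool:
    return any(host == k or host.endswith("." + k) for k in KNOWN_HOSTS)


def first_token(cmd: str) -> str:
    """The executable part of a Run command, honouring a quoted path."""
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    return cmd.split()[0] if cmd.split() else ""


def triage(log: str) -> List[Finding]:
    findings: List[Finding] = []
    for raw in log.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if not m:
            continue
        kind, body = m.group("kind"), m.group("body")

        if kind in ("R0", "R1"):
            # browser start/search page: hijackers point these at their own hosts
            host = host_of(body.split("=", 1)[1]) if "=" in body else ""
            if host and not known_host(host):
                findings.append(Finding("suspect", line, "IE start/search URL on unexpected host " + host))

        elif kind == "O2" and "(no file)" in body.lower():
            findings.append(Finding("review", line, "BHO CLSID with no DLL behind it (orphan; safe to remove)"))

        elif kind == "O4":
            cmd = body.split("]", 1)[1].strip() if "]" in body else body
            if any(d in cmd.lower() for d in SUSPECT_DIRS):
                findings.append(Finding("suspect", line, "autorun launches from a temp/profile directory"))
            elif "\\" not in first_token(cmd):
                findings.append(Finding("review", line, "autorun is a bare filename resolved via PATH; confirm which binary runs"))

        elif kind == "O16":
            host = host_of(body)
            if host and not known_host(host):
                findings.append(Finding("review", line, "ActiveX download from unexpected host " + host))

        elif kind == "O20":
            findings.append(Finding("review", line, "Winlogon Notify hook runs at logon; confirm the DLL's vendor"))

        elif kind == "O23":
            parts = body.split(" - ")
            company = parts[1].strip().lower() if len(parts) >= 3 else ""
            path = parts[-1].lower()
            if company == "unknown owner" or any(d in path for d in SUSPECT_DIRS):
                findings.append(Finding("suspect", line, "service with no vendor or an odd binary location"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f.severity.upper(), f.reason, "\n   ", f.line)
```

Legitimate entries on this box (the AGRSMMSG.exe modem helper, the SUPERAntiSpyware SASWinLogon hook, the orphaned BHO CLSID) land in the "review" bucket, which is the point: the script shortens the list a person has to judge, it does not decide, and a clean pass over the real log above agrees with CBMatt's reading.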

            Helpmeh



              Guru

            • Roar.
            • Thanked: 123
            • Experience: Familiar
            • OS: Windows 8
            Re: resident shield pop-up and av2009 virus
            « Reply #9 on: January 13, 2009, 06:22:38 PM »
            This may not be very helpful, and I'm not an expert, but what exactly did the messages say that your mom got? Did it say to buy some XP scanner from the internet?
            Where's MagicSpeed?
            Quote from: 'matt'
            He's playing a game called IRL. Great graphics, *censored* gameplay.

            az_shyguy

              Topic Starter


              Beginner

              Thanked: 1
              Re: resident shield pop-up and av2009 virus
              « Reply #10 on: January 15, 2009, 10:38:08 AM »
              Yes, the condition of the computer improved right after running the SUPERAntiSpyware and Malwarebytes scans. She wasn't getting the pop-ups anymore, or the FakeAlert notice!  I just wanted to make sure it was OK, so I was waiting on a malware specialist to let me know it was all OK! I know that when the scans are run, sometimes it isn't all cleaned out of the system.  My mom said it was even running better after I ran the ComboFix scan.  I just wanted to make sure nothing else was malicious in there and to hear from you that you saw it was or looked OK to you!  Thanks so much for your time and effort; sorry it was taking me so long to reply. It is really appreciated.  I usually can fix her computer for her, but when it comes to malicious stuff I am not too knowledgeable on that subject! Again, thanks CBMatt; as usual, Computer Hope is at the top of its class in helping me!  ;D

              In reply to Helpmeh:
               It was popping up and telling her that her system was not safe and was not protected, that it didn't have a firewall, and advised her to download or purchase AV2009, which I advised her not to do till I could look at it! It looked suspicious to me, so I came here as usual. Glad I did too; no telling how infected her computer could have got if she had downloaded it like it told her to!

              CBMatt

              • Mod & Malware Specialist


              • Prodigy

              • Sad and lonely...and loving every minute of it.
              • Thanked: 167
              • Experience: Experienced
              • OS: Windows 7
              Re: resident shield pop-up and av2009 virus
              « Reply #11 on: January 15, 2009, 05:56:06 PM »
              Great, I'm glad to hear that things seem to be better.  Like I said, I don't see much of anything in the logs now, so if your mom isn't running into any problems, then she should be in the clear.  Whenever you get a chance, go ahead and uninstall ComboFix because it isn't needed any longer.  To do this, simply go to Start > Run, type in combofix /u (note the space) and click OK.

              You should also clear out your System Restore points by turning it off and then turning it back on...
              http://support.microsoft.com/kb/310405

              Also, you may want to consider getting a better firewall installed on that computer.  The Windows Firewall doesn't really provide very much protection.  I suggest getting ZoneAlarm, Comodo, or Kerio Sunbelt.  If you get the time, you should toy around with each one (separately; don't have more than one installed at a time) and see which one you think would be best for your mom.  I know how moms are, so you'll want to make sure that she has a program that won't be too confusing.  Ha.
              Quote
              An undefined problem has an infinite number of solutions.
              - Robert A. Humphrey

              az_shyguy

                Topic Starter


                Beginner

                Thanked: 1
                Re: resident shield pop-up and av2009 virus
                « Reply #12 on: January 24, 2009, 06:49:12 PM »
                Thanks CBMatt!

                    I usually do clear out the System Restore points after I have been working with one of you and you say it looks good.  Glad you guys keep reminding me though. :)

                  Quote from: CBMatt
                  I know how moms are, so you'll want to make sure that she has a program that won't be too confusing.  Ha.
                I know I should get her a better firewall, and will be working on that when I have time. Do you have one personally that you think would be the least complicated for her to use?  Oh, and I have one other question for you. I wasn't sure if I should start a new thread, but thought I would ask you!  I always have to go down and clean up her computer and optimize it manually, so I was looking around to see if there was a program that might be easy for her to run, or that runs in the background without using too many resources. In my searches I have come across one called Advanced SystemCare Pro (wasn't sure whether to put a link here or not?), but I was wondering if you have heard of it, and your opinion on whether it is or might be a good thing to put on her computer for her?  Thanks for your input; it is greatly appreciated!

                CBMatt

                • Mod & Malware Specialist


                • Prodigy

                • Sad and lonely...and loving every minute of it.
                • Thanked: 167
                • Experience: Experienced
                • OS: Windows 7
                Re: resident shield pop-up and av2009 virus
                « Reply #13 on: January 26, 2009, 12:34:41 AM »
                You're referring to this program?
                http://www.iobit.com/advancedwindowscarepro.html

                If so...I haven't personally used it, so I don't know how simple it is.  But it is made by a trustworthy company, so I can at least tell you that it is safe to install.  I'm not sure if it has an actual firewall, but honestly, that may be better for her.  Most firewalls require you to be a bit more active in deciding on what should be allowed and what shouldn't.  All I can suggest at this point is to perhaps install the free version and run it for awhile and see what you think.
                http://www.iobit.com/advancedwindowscareper.html
                Quote
                An undefined problem has an infinite number of solutions.
                - Robert A. Humphrey

                az_shyguy

                  Topic Starter


                  Beginner

                  Thanked: 1
                  Re: resident shield pop-up and av2009 virus
                  « Reply #14 on: January 26, 2009, 06:57:54 PM »
                  Thanks..

                      Yeah, I think it probably still needs a firewall. evilfantasy explained to me why Windows Firewall isn't that great, and my folks do a lot of banking and PayPal on theirs, so I am gonna try out a few on my computer and see which one would be easiest for them to handle. I know it won't be Comodo though, lol. I have tried that one and like it, but think it would be too much for them to handle. I will try the Advanced WindowsCare and see how it does too. Thanks for all your help and advice!!  :)