Windows XP sp2 "XP 2008 Antivirus" and more........

[Nate G.]

Hi:

I'm new and hope you can help.
The pop-ups, "XP 2008 Antivirus" are taking over and I can't access my Display or Control, Menu or "C Drive".  It says that "I" disabled those functions.  Not.

In following Malware removal steps, I downloaded Java Run Time Environment, but I couldn't access it because the pc doesn't have ImMapiU.dll

Can this be downloaded from MS sites?

Also, a "Hewlett-Packard Secure Certificate, Authority RS Data Security Inc. U.S."  needs me to update its Secure Server Certificate, lapsed in March/05.  I didn't know I had it.

So, I'm having trouble installing the software to clean the pc and would like to ask if this can be done in Safe Mode?

Thanks so much!

Nate G.

[Broni]

Go here: http://www.computerhope.com/forum/index.php/topic,46313.0.html

[Nate G.]

Thanks, Broni:

I've followed the Cleaning proceedure up to Install Malwarebyte's download. It's been 'running' all night and today and when I check on it - I get "Runtime Error 372. Fail to load - check vblsgrid6.ocx"

Whatever that means - I've no idea, but I'd really like to continue with this Cleaning; I'm getting closer and the pc is getting slower.

Whatever is the Hewlett-Packard License Renewal, from 1995 - another virus?  It's really hard to get it off the screen.

Thanks a lot
Nate G.

[Carbon Dudeoxide]

I merged the two topics. Please reply in this topic,  Nate G. 

Also, I am moving this to the Computer Virus and Spyware Forum.

Nate G, please post the three logs here for our Malware Specialists to have a look at and help clean up your computer.

[Nate G.]

Hi Carbon:

I ran the Ccleaner, SAS but couldn't download MalwareBytes.

There are no logs for me to send.

I tried to download DSR to see where the logs were but it wouldn't D/L either.

Again, in All Programs, there's nothing listed and in My Doc's, instead of showing "C" drive, I get ( ).  If you remember, the xp 2008 antivirus has locked me out of "C" as well as "Dispaly", saying I did that.  In the Registry, there's no mention of Ccleaner of SAS.

Thanks for your help.  What can I do next?

Nate G.

[evilfantasy]

Post a HijackThis log.

[Nate G.]

Hi:

I believe I re-set Windows - no sign of xp 2008 antivirus, but I would ask that you please tell me how to Post the HiJack Log and the HJT - 2.0.2?

The original Firewall was Norton - I Deleted it, but it still says it's here, but is Disabled.

I have the file Log in Notebook/Documents, but I don't know, (As there's no 'File - Save As) to click on, with the list of things that have to be checked-off.

Thank you so much.  I've gotten this far - I hope you can tell me how to forward the HJT posts.

Thanks,

Nate G.

[evilfantasy]

Posting a log.

• From the desktop open HijackThis.
• Important! If using Windows Vista, Right-click and Run As Administrator
  
• Click on the Do a system scan and save a log file button
  
• HijackThis will scan and then a log will open in notepad.
• Copy and then paste the entire contents of the log in your post.
  
• Do not have HijackThis fix anything yet. Most of what it finds will be harmless or even required.

[Nate G.]

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:00:52 PM, on 9/5/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.EXE
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\COMODO\SafeSurf\cssurf.exe
C:\Program Files\Comodo\Firewall\cfp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Compaq Connections\6750491\Program\Compaq Connections.exe
c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q105&bd=presario&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q105&bd=presario&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q105&bd=presario&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q105&bd=presario&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q105&bd=presario&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q105&bd=presario&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q105&bd=presario&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q105&bd=presario&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q105&bd=presario&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q105&bd=presario&pf=desktop
R3 - URLSearchHook: (no name) - {0579B4B6-0293-4d73-B02D-5EBB0BA0F0A2} - C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL
O2 - BHO: Ask Search Assistant BHO - {0579B4B1-0293-4d73-B02D-5EBB0BA0F0A2} - C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL
O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - c:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: Ask Toolbar BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
O3 - Toolbar: Ask Toolbar - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [IS CfgWiz] c:\Program Files\Common Files\Symantec Shared\cfgwiz.exe /GUID NIS /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [COMODO SafeSurf] "C:\Program Files\COMODO\SafeSurf\cssurf.exe" -s
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\cfp.exe" -h
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\6750491\Program\Compaq Connections.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - AppInit_DLLs:  C:\WINDOWS\system32\guard32.dll C:\WINDOWS\system32\cssdll32.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: COMODO Firewall Pro Helper Service (cmdAgent) - Unknown owner - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

--
End of file - 7246 bytes


Thank you!

I hope this will tell you what shape the pc's in, now.

It's very slow, but there's no sign of xp 2008 antivirus or Hewlett Packard Official Certificate re-issue.

Again, thanks.

Nate G.

[evilfantasy]

Go to Add or Remove Programs and uninstall Comodo firewall. There is no need for it since you have the Norton Security Suite running.

Download ComboFix by sUBs from one of the below links. Be sure top save it to the Desktop.

Link #1
Link #2

**Note:  It is important that it is saved directly to your Desktop

Close any open Web browsers. (Firefox, Internet Explorer, etc) before starting ComboFix.

Temporarily disable your antivirus, and any antispyware real time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.
 
Double click combofix.exe & follow the prompts.
When finished ComboFix will produce a log for you.
Post the ComboFix log and a new HijackThis log in your next reply.

Important: Do not mouseclick ComboFix's window while it is running. That may cause it to stall.

Remember to re-enable your antivirus and antispyware protection when ComboFix is complete.

[ChrisXPPro]

I haven't dug deep here but just read about this malware ......

A dangerous new virus is making the rounds in the guise of a legitimate antivirus program. Going by such names as "Antivirus XP 2008" and "XP Antivirus 2009," this malware, as described in a recent Computer Associates advisory, succeeds by looking like a legitimate Windows program.

Thought I'd just post this bit of quote and its link as an FYI.

[Nate G.]

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:23:42 PM, on 9/5/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\ps2.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\COMODO\SafeSurf\cssurf.exe
C:\Program Files\Comodo\Firewall\cfp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q105&bd=presario&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q105&bd=presario&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q105&bd=presario&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q105&bd=presario&pf=desktop
R3 - URLSearchHook: (no name) - {0579B4B6-0293-4d73-B02D-5EBB0BA0F0A2} - C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL
O2 - BHO: Ask Search Assistant BHO - {0579B4B1-0293-4d73-B02D-5EBB0BA0F0A2} - C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL
O2 - BHO: Ask Toolbar BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
O3 - Toolbar: Ask Toolbar - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe"
O4 - HKLM\..\Run: [COMODO SafeSurf] "C:\Program Files\COMODO\SafeSurf\cssurf.exe" -s
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\cfp.exe" -h
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\6750491\Program\Compaq Connections.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: COMODO Firewall Pro Helper Service (cmdAgent) - Unknown owner - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

--
End of file - 4904 bytes

Hope you got it all.

Thanks,

Nate G.

[evilfantasy]

Did you run ComboFix?

The log will be in C:\combofix.txt

[Nate G.]

ComboFix 08-09-04.09 - Compaq_Owner 2008-09-05 16:12:11.1 - NTFSx86
Microsoft Windows XP Home Edition  5.1.2600.2.1252.1.1033.18.174 [GMT -7:00]
Running from: C:\Documents and Settings\Compaq_Owner\Desktop\ComboFix.exe
 * Created a new restore point
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Administrator\Cookies\[email protected][1].txt
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows Media\10.0\WMSDKNSD.XML
C:\Documents and Settings\All Users\Application Data\Adsl Software Limited
C:\Documents and Settings\Compaq_Owner\Local Settings\Application Data\Microsoft\Windows Media\10.0\WMSDKNSD.XML
C:\Documents and Settings\Guest\Local Settings\Application Data\Microsoft\Windows Media\10.0\WMSDKNSD.XML
C:\Documents and Settings\oi\Local Settings\Application Data\Microsoft\Windows Media\10.0\WMSDKNSD.XML
C:\Program Files\msconfigs
C:\Program Files\XP Antivirus
C:\Program Files\XP Antivirus\xpa.exe
C:\WINDOWS\eslb.exe
C:\WINDOWS\ksendlbttla.dll
C:\WINDOWS\neltabxw.exe
C:\WINDOWS\vrmdtneg.dll
C:\WINDOWS\xvorfwbd.dll
D:\Autorun.inf

.
(((((((((((((((((((((((((   Files Created from 2008-08-05 to 2008-09-05  )))))))))))))))))))))))))))))))
.

2008-09-05 14:20 . 2008-09-05 14:20   <DIR>   d--------   C:\WINDOWS\system32\LogFiles
2008-09-05 13:55 . 2008-09-05 13:55   <DIR>   d--------   C:\Program Files\AskSBar
2008-09-05 13:55 . 2008-09-05 13:55   249,592   --a------   C:\WINDOWS\system32\cssdll32.dll
2008-09-05 13:54 . 2008-09-05 13:54   <DIR>   d--------   C:\Documents and Settings\Compaq_Owner\Application Data\Comodo
2008-09-05 13:54 . 2008-09-05 13:54   143,104   --a------   C:\WINDOWS\system32\guard32.dll
2008-09-05 13:54 . 2008-09-05 13:54   87,056   --a------   C:\WINDOWS\system32\drivers\cmdguard.sys
2008-09-05 13:54 . 2008-09-05 13:54   24,208   --a------   C:\WINDOWS\system32\drivers\cmdhlp.sys
2008-09-05 13:33 . 2008-09-05 13:33   <DIR>   d--------   C:\Program Files\Trend Micro
2008-09-04 17:24 . 2008-09-04 17:24   <DIR>   d--------   C:\Documents and Settings\Compaq_Owner\Application Data\Talkback
2008-09-04 17:19 . 2004-08-04 05:00   221,184   --a------   C:\WINDOWS\system32\wmpns.dll
2008-09-04 17:19 . 2008-09-04 17:19   1,849   -rahs----   C:\WINDOWS\system32\drivers\103C_HP_CPC_PP158AA-ABA SR1320NX NA510_YC_0Pres_QCNH448_E51NAheRED3_47_I Salmon_SASUSTek Computer INC._V1.04_B3.04_T041029_WXH2_L409_M448 _J80_7AMD_8Sempron_91.81_#050226_N10390900_Z11C1048C_G10396330.MRK
2008-09-04 17:18 . 2004-10-20 07:47   <DIR>   d--------   C:\Documents and Settings\Compaq_Owner\WINDOWS
2008-09-04 17:18 . 2004-10-21 03:13   <DIR>   d--------   C:\Documents and Settings\Compaq_Owner\Application Data\Symantec
2008-09-04 17:18 . 2004-10-20 23:40   <DIR>   d--------   C:\Documents and Settings\Compaq_Owner\Application Data\Sonic
2008-09-04 17:18 . 2004-10-20 23:40   <DIR>   d--------   C:\Documents and Settings\Compaq_Owner\Application Data\SampleView
2008-09-04 17:18 . 2004-10-20 07:31   <DIR>   d--------   C:\Documents and Settings\Compaq_Owner\Application Data\Intervideo
2008-09-04 17:18 . 2004-10-20 07:47   <DIR>   d--------   C:\Documents and Settings\Compaq_Owner\Application Data\Apple Computer
2008-09-04 17:18 . 2008-09-05 16:06   <DIR>   d--------   C:\Documents and Settings\Compaq_Owner
2008-09-04 17:15 . 2004-10-20 07:47   <DIR>   d--------   C:\WINDOWS\system32\config\systemprofile\WINDOWS
2008-09-04 17:14 . 2003-09-10 23:36   21,060   ---------   C:\WINDOWS\system32\drivers\iviaspi.sys
2008-09-04 17:14 . 2003-09-19 01:47   10,368   ---------   C:\WINDOWS\system32\drivers\pfc.sys
2008-09-04 17:09 . 2008-09-04 17:10   <DIR>   d--------   C:\Program Files\SiS VGA Utilities V3.63
2008-09-04 17:02 . 2004-08-03 23:10   61,056   --a------   C:\WINDOWS\system32\drivers\ohci1394.sys
2008-09-04 17:02 . 2004-08-03 23:10   53,248   --a------   C:\WINDOWS\system32\drivers\1394bus.sys
2008-09-04 17:02 . 2004-08-03 22:58   7,552   --a------   C:\WINDOWS\system32\drivers\MSKSSRV.sys
2008-09-04 17:02 . 2001-08-17 13:46   6,400   --a------   C:\WINDOWS\system32\drivers\enum1394.sys
2008-09-04 17:02 . 2004-08-03 22:58   5,376   --a------   C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2008-09-04 17:02 . 2004-08-03 22:58   4,992   --a------   C:\WINDOWS\system32\drivers\MSPQM.sys
2008-09-04 17:01 . 2008-09-04 17:09   <DIR>   d--------   C:\WINDOWS\system32\trayres
2008-09-04 17:01 . 2004-09-24 02:47   331,776   --a------   C:\WINDOWS\system32\sistray.exe
2008-09-04 17:01 . 2004-09-24 09:44   184,320   ---------   C:\WINDOWS\system32\SiSApCom.dll
2008-09-04 17:01 . 2004-09-24 09:49   110,592   ---------   C:\WINDOWS\system32\TVMode.dll
2008-09-04 16:39 . 2008-09-04 16:48   <DIR>   dr-h-----   C:\MSOCache
2008-09-04 16:37 . 2008-09-04 17:17   <DIR>   dr-hsc---   C:\WINDOWS\system32\dllcache
2008-09-04 11:30 . 2008-09-04 11:30   <DIR>   d--------   C:\WINDOWS\privacy_danger
2008-09-04 11:11 . 2008-09-04 11:11   <DIR>   d--------   C:\Program Files\Foxit Software
2008-09-04 08:04 . 2008-09-04 08:05   296,462   --a------   C:\WINDOWS\~DFE6AE.tmp
2008-09-03 17:36 . 2008-09-03 17:36   296,462   --a------   C:\WINDOWS\~DF2FDF.tmp
2008-09-03 17:34 . 2008-09-03 17:35   296,462   --a------   C:\WINDOWS\~DFCE9C.tmp
2008-09-03 15:43 . 2008-09-03 15:43   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-09-03 15:42 . 2008-09-03 17:32   <DIR>   d--------   C:\Program Files\Malwarebytes' Anti-Malware
2008-09-03 12:12 . 2008-09-03 12:12   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-09-03 12:11 . 2008-09-03 12:11   <DIR>   d--------   C:\Program Files\SUPERAntiSpyware
2008-09-01 14:17 . 2008-09-01 14:17   <DIR>   d--------   C:\TEMP
2008-09-01 14:17 . 2008-09-01 14:17   <DIR>   d--------   C:\Sun
2008-08-30 10:51 . 2008-08-30 10:51   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2008-08-30 10:49 . 2008-08-30 10:49   <DIR>   d--------   C:\Program Files\Yahoo!
2008-08-30 10:49 . 2008-08-30 10:49   <DIR>   d--------   C:\Program Files\GamingSquared
2008-08-30 10:49 . 2008-08-30 10:49   <DIR>   d--------   C:\Program Files\7-Zip
2008-08-30 10:49 . 2008-08-30 10:49   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\GamingSquared

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-05 23:09   ---------   d-----w   C:\Program Files\Symantec
2008-09-05 23:09   ---------   d-----w   C:\Program Files\Common Files\Symantec Shared
2008-09-05 23:05   ---------   d-----w   C:\Documents and Settings\All Users\Application Data\Symantec
2008-09-05 20:55   ---------   d-----w   C:\Program Files\Comodo
2008-09-05 00:22   ---------   d-----w   C:\Documents and Settings\All Users\Application Data\QuickTime
2008-09-05 00:15   ---------   d--h--w   C:\Program Files\InstallShield Installation Information
2008-09-04 20:30   90,112   ----a-w   C:\WINDOWS\DUMP32b8.tmp
2008-09-04 20:28   90,112   ----a-w   C:\WINDOWS\DUMP4d74.tmp
2008-09-04 20:27   90,112   ----a-w   C:\WINDOWS\DUMP53c2.tmp
2008-09-04 20:26   90,112   ----a-w   C:\WINDOWS\DUMP53c1.tmp
2008-09-04 20:25   90,112   ----a-w   C:\WINDOWS\DUMP5303.tmp
2008-09-04 20:23   90,112   ----a-w   C:\WINDOWS\DUMP4dd1.tmp
2008-09-04 20:22   90,112   ----a-w   C:\WINDOWS\DUMP52b3.tmp
2008-09-04 20:19   90,112   ----a-w   C:\WINDOWS\DUMP53ad.tmp
2008-09-04 20:18   90,112   ----a-w   C:\WINDOWS\DUMP543a.tmp
2008-09-04 20:17   90,112   ----a-w   C:\WINDOWS\DUMP5498.tmp
2008-09-04 20:15   90,112   ----a-w   C:\WINDOWS\DUMP5342.tmp
2008-09-04 20:14   90,112   ----a-w   C:\WINDOWS\DUMP5360.tmp
2008-09-04 20:13   90,112   ----a-w   C:\WINDOWS\DUMP53c0.tmp
2008-09-04 20:11   90,112   ----a-w   C:\WINDOWS\DUMP52e4.tmp
2008-09-04 20:10   90,112   ----a-w   C:\WINDOWS\DUMP52d5.tmp
2008-09-04 20:09   90,112   ----a-w   C:\WINDOWS\DUMP53bf.tmp
2008-09-04 20:07   90,112   ----a-w   C:\WINDOWS\DUMP53cd.tmp
2008-09-04 20:06   90,112   ----a-w   C:\WINDOWS\DUMP52e3.tmp
2008-09-04 20:03   90,112   ----a-w   C:\WINDOWS\DUMP5351.tmp
2008-09-04 20:01   90,112   ----a-w   C:\WINDOWS\DUMP5323.tmp
2008-09-04 19:59   90,112   ----a-w   C:\WINDOWS\DUMP5322.tmp
2008-09-04 19:58   90,112   ----a-w   C:\WINDOWS\DUMP52f2.tmp
2008-09-04 19:57   90,112   ----a-w   C:\WINDOWS\DUMP536f.tmp
2008-09-04 19:55   90,112   ----a-w   C:\WINDOWS\DUMP5350.tmp
2008-09-04 19:54   90,112   ----a-w   C:\WINDOWS\DUMP52d4.tmp
2008-09-04 19:51   90,112   ----a-w   C:\WINDOWS\DUMP4d26.tmp
2008-09-04 19:50   90,112   ----a-w   C:\WINDOWS\DUMP53fc.tmp
2008-09-04 19:49   90,112   ----a-w   C:\WINDOWS\DUMP54f6.tmp
2008-09-04 19:47   90,112   ----a-w   C:\WINDOWS\DUMP540b.tmp
2008-09-04 19:46   90,112   ----a-w   C:\WINDOWS\DUMP53be.tmp
2008-09-04 19:45   90,112   ----a-w   C:\WINDOWS\DUMP5380.tmp
2008-09-04 19:43   90,112   ----a-w   C:\WINDOWS\DUMP5469.tmp
2008-09-04 19:42   90,112   ----a-w   C:\WINDOWS\DUMP5341.tmp
2008-09-04 19:41   90,112   ----a-w   C:\WINDOWS\DUMP5321.tmp
2008-09-04 19:39   90,112   ----a-w   C:\WINDOWS\DUMP537f.tmp
2008-09-04 19:38   90,112   ----a-w   C:\WINDOWS\DUMP539f.tmp
2008-09-04 19:37   90,112   ----a-w   C:\WINDOWS\DUMP4cf7.tmp
2008-09-04 19:35   90,112   ----a-w   C:\WINDOWS\DUMP53bd.tmp
2008-09-04 19:34   90,112   ----a-w   C:\WINDOWS\DUMP5330.tmp
2008-09-04 19:33   90,112   ----a-w   C:\WINDOWS\DUMP5488.tmp
2008-09-04 19:30   90,112   ----a-w   C:\WINDOWS\DUMP52d3.tmp
2008-09-04 19:27   90,112   ----a-w   C:\WINDOWS\DUMP541c.tmp
2008-09-04 19:26   90,112   ----a-w   C:\WINDOWS\DUMP55d0.tmp
2008-09-04 19:24   90,112   ----a-w   C:\WINDOWS\DUMP5340.tmp
2008-09-04 19:23   90,112   ----a-w   C:\WINDOWS\DUMP541b.tmp
2008-09-04 19:22   90,112   ----a-w   C:\WINDOWS\DUMP5505.tmp
2008-09-04 19:20   90,112   ----a-w   C:\WINDOWS\DUMP52e2.tmp
2008-09-04 19:19   90,112   ----a-w   C:\WINDOWS\DUMP5302.tmp
2008-09-04 19:18   90,112   ----a-w   C:\WINDOWS\DUMP544a.tmp
2008-09-04 19:16   90,112   ----a-w   C:\WINDOWS\DUMP539e.tmp
2008-09-04 19:15   90,112   ----a-w   C:\WINDOWS\DUMP5311.tmp
2008-09-04 19:14   90,112   ----a-w   C:\WINDOWS\DUMP4cd8.tmp
2008-09-04 19:12   90,112   ----a-w   C:\WINDOWS\DUMP535f.tmp
2008-09-04 19:09   90,112   ----a-w   C:\WINDOWS\DUMP4e8d.tmp
2008-09-04 19:08   90,112   ----a-w   C:\WINDOWS\DUMP4cd7.tmp
2008-09-04 19:03   90,112   ----a-w   C:\WINDOWS\DUMP4db2.tmp
2008-09-04 18:58   90,112   ----a-w   C:\WINDOWS\DUMP416e.tmp
2008-09-04 18:57   90,112   ----a-w   C:\WINDOWS\DUMP4759.tmp
2008-09-04 18:56   90,112   ----a-w   C:\WINDOWS\DUMP4a86.tmp
2008-09-04 18:53   90,112   ----a-w   C:\WINDOWS\DUMP5582.tmp
2008-09-04 13:39   ---------   d-----w   C:\Documents and Settings\All Users\Application Data\Google Updater
2008-09-03 19:09   ---------   d-----w   C:\Program Files\Common Files\Wise Installation Wizard
2008-08-31 22:29   ---------   d-----w   C:\Program Files\Common Files\Adobe
2008-08-31 22:23   ---------   d-----w   C:\Program Files\Spybot - Search & Destroy
2008-08-31 22:23   ---------   d-----w   C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-08-31 22:22   ---------   d-----w   C:\Program Files\MsgThemes
2008-08-30 19:48   ---------   d---a-w   C:\Documents and Settings\All Users\Application Data\TEMP
2008-08-30 17:36   ---------   d-----w   C:\Program Files\a-squared Free
2008-08-13 20:34   ---------   d-----w   C:\Program Files\Google
2006-11-27 18:20   314   ----a-w   C:\Program Files\INSTALL.LOG
2006-11-10 15:44   774,144   ----a-w   C:\Program Files\RngInterstitial.dll
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{0579B4B6-0293-4d73-B02D-5EBB0BA0F0A2}"= "C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL" [2008-09-05 66912]

[HKEY_CLASSES_ROOT\clsid\{0579b4b6-0293-4d73-b02d-5ebb0ba0f0a2}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0579B4B1-0293-4d73-B02D-5EBB0BA0F0A2}]
2008-09-05 13:55   66912   --a------   C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736]
"KBD"="C:\HP\KBD\KBD.EXE" [2003-02-11 61440]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 110592]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2004-10-20 180269]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-04-17 196608]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2004-04-13 69632]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2004-06-04 286720]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2004-04-14 233472]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2004-08-20 155648]
"PS2"="C:\WINDOWS\system32\ps2.exe" [2003-09-12 98304]
"LSBWatcher"="c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe" [2004-10-14 253952]
"Reminder"="C:\Windows\Creator\Remind_XP.exe" [2003-12-18 118784]
"COMODO SafeSurf"="C:\Program Files\COMODO\SafeSurf\cssurf.exe" [2008-09-05 278264]
"COMODO Firewall Pro"="C:\Program Files\Comodo\Firewall\cfp.exe" [2008-09-05 1655552]
"SiSPower"="SiSPower.dll" [2004-09-24 C:\WINDOWS\system32\SiSPower.dll]
"AGRSMMSG"="AGRSMMSG.exe" [2004-06-29 C:\WINDOWS\AGRSMMSG.exe]
"AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 C:\WINDOWS\ALCXMNTR.EXE]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Compaq Connections.lnk - C:\Program Files\Compaq Connections\6750491\Program\Compaq Connections.exe [2004-10-20 45056]
Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [2008-01-11 125624]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Compaq Connections\\6750491\\Program\\Compaq Connections.exe"=

R1 cmdGuard;COMODO Firewall Pro Sandbox Driver;C:\WINDOWS\system32\DRIVERS\cmdguard.sys [2008-09-05 87056]
R1 cmdHlp;COMODO Firewall Pro Helper Driver;C:\WINDOWS\system32\DRIVERS\cmdhlp.sys [2008-09-05 24208]
.
Contents of the 'Scheduled Tasks' folder
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-VTTimer - VTTimer.exe


.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Compaq_Owner\Application Data\Mozilla\Firefox\Profiles\wwzh41zb.default\
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-05 16:17:02
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2008-09-05 16:21:38 - machine was rebooted
ComboFix-quarantined-files.txt  2008-09-05 23:21:34

Pre-Run: 58,208,714,752 bytes free
Post-Run: 58,200,678,400 bytes free

I think the ComboFix is on the top of this page.

Was this file too big? 

I hope this is right, now.

Thanks,

Nate G.

[evilfantasy]

Note: the below instructions were created specifically for this user. If you are not this user, DO NOT follow these directions as they could damage the workings of your system

Delete these files/folders, as follows:

1. Go to Start > Run > type Notepad.exe and click OK to open Notepad.
It must be Notepad, not Wordpad.
2. Copy the text in the below code box by highlighting all the text and pressing Ctrl+C

Code: [Select]

KillAll::

Folder::
C:\Documents and Settings\Compaq_Owner\Application Data\Symantec
C:\Program Files\AskSBar
C:\WINDOWS\privacy_danger

File::
C:\WINDOWS\system32\drivers\103C_HP_CPC_PP158AA-ABA SR1320NX NA510_YC_0Pres_QCNH448_E51NAheRED3_47_I Salmon_SASUSTek Computer INC._V1.04_B3.04_T041029_WXH2_L409_M448 _J80_7AMD_8Sempron_91.81_#050226_N10390900_Z11C1048C_G10396330.MRK
C:\WINDOWS\~DFE6AE.tmp
C:\WINDOWS\~DF2FDF.tmp
C:\WINDOWS\~DFCE9C.tmp

Registry::
[-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]

[-HKEY_CLASSES_ROOT\clsid\{0579b4b6-0293-4d73-b02d-5ebb0ba0f0a2}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0579B4B1-0293-4d73-B02D-5EBB0BA0F0A2}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AlcxMonitor"=-

[-HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
3. Go to the Notepad window and click Edit > Paste
4. Then click File > Save
5. Name the file CFScript.txt - Save the file to your Desktop
6. Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!



ComboFix will begin to execute, just follow the prompts.
After reboot (in case it asks to reboot), it will produce a log for you.
Post that log (Combofix.txt) in your next reply.

Note: Do not mouseclick ComboFix's window while it is running. That may cause your system to freeze

----------

Download the Norton Removal Tool (SymNRT) to your Desktop.

Once downloaded please close ALL open browsers, also save any work because this may require a restart.

• Go to your desktop and double click on the removal tool and then click Setup.
  
• Once open Click Next
  
• Accept the license agreement and click Next
  
• Type in the letters/numbers that you see into the text box then click Next.
  
• Then click Next and the tool will start running.
  
• Once finished restart the PC and run the tool again to ensure everything has been removed.

----------

Before we continue download and install a free anti-virus software.

Remember to only install one antivirus!
 
1) Avast! Home Free Edition
2) AVG Free Edition
3) Avira AntiVir Personal
4) Comodo Antivirus
5) PC Tools AntiVirus Free Edition

It is strongly recommended that you run only one antivirus program at a time. Having more than one antivirus program active in memory uses additional resources and can result in program conflicts and false virus alerts. If you choose to install more than one antivirus program on your computer, then only one of them should be active in memory at a time.

After that, please post a fresh HijackThis log and let me know how things are now.