Windows update won't load, windows running slow NEED HELP.....PLEASE!

This is a discussion on Windows update won't load, windows running slow NEED HELP.....PLEASE! within the Resolved HJT Threads forums, part of the Tech Support Forum category.


 
 
Old 07-29-2010, 08:05 PM   #1
Registered Member
 
Join Date: Jul 2010
Posts: 47
OS: XP SP3



Wouldn't even let me post a message to this forum.


Testing again!
cbrynolf is offline  
Old 07-29-2010, 08:10 PM   #2
Registered Member
 
Join Date: Jul 2010
Posts: 47
OS: XP SP3



Why can't I post anything other than simple stuff?
cbrynolf is offline  
Old 07-29-2010, 08:12 PM   #3
Registered Member
 
Join Date: Jul 2010
Posts: 47
OS: XP SP3



When I paste the DDS scan it won't post the message! Here are the two text files... will keep trying.
Attached Files
File Type: zip ark.zip (70.4 KB, 28 views)
File Type: zip Attach.zip (5.0 KB, 22 views)
cbrynolf is offline  
Old 07-29-2010, 08:15 PM   #4
Registered Member
 
Join Date: Jul 2010
Posts: 47
OS: XP SP3



OK, so I still can't post the DDS scan info or attach the DDS.txt file. It says the webpage is temporarily down or blah blah blah... Is this related to the virus or something? What can I do?
cbrynolf is offline  
Old 07-29-2010, 08:28 PM   #5
Registered Member
 
Join Date: Jul 2010
Posts: 47
OS: XP SP3



The problem is the Windows Update service won't start. Windows Update comes up as page down or moved. Through a Google search I get a similar message. The computer runs slow... frequent high CPU usage. Norton didn't find anything at first, but then found Backdoor.Tidserv!inf but couldn't remove it. Another program found Rootkit.Win32.TDSS and supposedly removed it.

Need help?

Thanks!

Chris
cbrynolf is offline  
Old 07-30-2010, 12:42 AM   #6
TSF Security Manager
Emeritus
 

Microsoft Most Valuable Professional
 
Join Date: Jan 2005
Location: Ohio
Posts: 42,837
OS: WinXP Home, Vista, Windows 7 64bit



Hello Chris,

I need to see the dds.txt. Is there another computer you can use to post the log? Run the scan again and save the dds.txt to a flash drive. Bring the flash drive to a working computer to post the log.
__________________
Member of UNITE since 2006

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Ried is offline  
Old 07-31-2010, 06:55 AM   #7
Registered Member
 
Join Date: Jul 2010
Posts: 47
OS: XP SP3



Did it from another computer, as it still would not let me post from my computer... I was just afraid I might transfer the virus to this computer!



DDS (Ver_10-03-17.01) - NTFSx86
Run by Owner at 19:10:52.54 on Thu 07/29/2010
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.110 [GMT -5:00]

AV: Norton AntiVirus *On-access scanning enabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}

============== Running Processes ===============

C:\WINNT\system32\svchost -k DcomLaunch
svchost.exe
C:\WINNT\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
svchost.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINNT\system32\svchost.exe -k hpdevmgmt
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\WINNT\System32\svchost.exe -k HPZ12
C:\Program Files\Norton AntiVirus\Norton AntiVirus\Engine\16.8.0.41\ccSvcHst.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\System32\svchost.exe -k HPZ12
C:\WINNT\System32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Western Digital\WD Drive Manager\WDBtnMgrSvc.exe
c:\WINNT\system32\ZuneBusEnum.exe
C:\Program Files\Norton AntiVirus\Norton AntiVirus\Engine\16.8.0.41\ccSvcHst.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\svchost.exe -k HTTPFilter
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Winamp\Winampa.exe
C:\Program Files\PhoneTools\CapFax.EXE
C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\QUICKENW\QAGENT.EXE
C:\Program Files\Western Digital\WD Drive Manager\WDBtnMgrUI.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINNT\system32\mrtMngr.EXE
C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Program Files\Logitech\QuickCam\Quickcam.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\iTunes\iTunesHelper.exe
D:\Zune\ZuneLauncher.exe
C:\WINNT\system32\CTHELPER.EXE
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Gadwin Systems\PrintScreen\PrintScreen.exe
C:\Program Files\DNA\btdna.exe
C:\WINNT\system32\RUNDLL32.EXE
C:\WINNT\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINNT\system32\ntvdm.exe
C:\OPLIMIT\ocrawr32.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
C:\WINNT\System32\svchost.exe -k netsvcs
C:\WINNT\System32\MDM.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Owner\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = www.google.com
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = <local>
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton antivirus\norton antivirus\engine\16.8.0.41\IPSBHO.DLL
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.5.5126.1836\swg.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: ChromeFrame BHO: {ecb3c477-1a0a-44bd-bb57-78f9efe34fa7} - c:\program files\google\chrome frame\application\5.0.375.125\npchrome_frame.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
EB: &Discuss: {bdeade7f-c265-11d0-bced-00a0c90ab50f} - shdocvw.dll
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [Gadwin PrintScreen] c:\program files\gadwin systems\printscreen\PrintScreen.exe /nosplash
uRun: [BitTorrent DNA] "c:\program files\dna\btdna.exe"
uRun: [Google Update] "c:\documents and settings\owner\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [NvMediaCenter] RUNDLL32.EXE c:\winnt\system32\NVMCTRAY.DLL,NvTaskbarInit
uRun: [ctfmon.exe] c:\winnt\system32\ctfmon.exe
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [AdaptecDirectCD] "c:\program files\adaptec\easy cd creator 5\directcd\DirectCD.exe"
mRun: [USSShReg] c:\progra~1\uleads~1\uleadp~1.2\ssaver\Ussshreg.exe /r
mRun: [WinampAgent] "c:\program files\winamp\Winampa.exe"
mRun: [CapFax] c:\program files\phonetools\CapFax.EXE
mRun: [WinPatrol] c:\progra~1\billps~1\winpat~1\WinPatrol.exe
mRun: [Microsoft Works Update Detection] c:\program files\common files\microsoft shared\works shared\WkUFind.exe
mRun: [QAGENT] c:\program files\quickenw\QAGENT.EXE
mRun: [WD Drive Manager] c:\program files\western digital\wd drive manager\WDBtnMgrUI.exe
mRun: [MP10_EnsureFileVer] c:\winnt\inf\unregmp2.exe /EnsureFileVersions
mRun: [Symantec PIF AlertEng] "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\pifsvc.exe" /a /m "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\AlertEng.dll"
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [hpqSRMon] c:\program files\hp\digital imaging\bin\hpqSRMon.exe
mRun: [TrueImageMonitor.exe] c:\program files\acronis\trueimagehome\TrueImageMonitor.exe
mRun: [AcronisTimounterMonitor] c:\program files\acronis\trueimagehome\TimounterMonitor.exe
mRun: [Acronis Scheduler2 Service] "c:\program files\common files\acronis\schedule2\schedhlp.exe"
mRun: [LogitechQuickCamRibbon] "c:\program files\logitech\quickcam\Quickcam.exe" /hide
mRun: [LogitechCommunicationsManager] "c:\program files\common files\logishrd\lcommgr\Communications_Helper.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Zune Launcher] "d:\zune\ZuneLauncher.exe"
mRun: [nwiz] nwiz.exe /install
mRun: [CTHelper] CTHELPER.EXE
mRun: [CTxfiHlp] CTXFIHLP.EXE
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
StartupFolder: c:\docume~1\owner\startm~1\programs\startup\ocraware.lnk - c:\oplimit\OCRAWARE.EXE
StartupFolder: c:\docume~1\owner\startm~1\programs\startup\setup_~1.lnk - c:\documents and settings\owner\desktop\virus removal tool\setup_9.0.0.722_27.07.2010_09-30\startup.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
uPolicies-explorer: NoRecentDocsNetHood = 01000000
uPolicies-explorer: NoSMMyDocs = 00000000
uPolicies-explorer: NoSMMyPictures = 00000000
uPolicies-explorer: NoNetworkConnections = 01000000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\winnt\system32\Shdocvw.dll
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
IE: {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - {301DA1EE-F65C-4188-A417-9E915CC8FBFA} - c:\program files\microsoft money\system\mnyviewer.dll
DPF: Microsoft XML Parser for Java - file://c:\winnt\java\classes\xmldso.cab
DPF: {0000000A-9980-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/wmsp9dmo.cab
DPF: {00000075-0000-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/voxmsdec.CAB
DPF: {00000161-0000-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/msaudio.cab
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/templates/ieawsdc.cab
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab
DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} - hxxp://housecall60.trendmicro.com/housecall/xscan60.cab
DPF: {072D3F2E-5FB6-11D3-B461-00C04FA35A21} - hxxp://www.crackerbarrel.com/CFIDE/classes/CFJava.cab
DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} - hxxp://support.gateway.com/support/profiler/PCPitStop.CAB
DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} - hxxp://www.ipix.com/viewers/ipixx.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/3/9/8/398422c0-8d3e-40e1-a617-af65a72a0465/LegitCheckControl.cab
DPF: {22CF0C35-80CE-11D3-9354-00105AA793BF} - hxxp://www.immdesign.com/webview/IPAWebView.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
DPF: {2357B3CF-7F8D-4451-8D81-FD6097610AEE} - hxxp://activex.camfrogweb.com/advanced/2.0.2.3/cfweb_activex.camfrogweb.com-advanced-2.0.2.3_instmodule.exe
DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
DPF: {33363249-0000-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/i263_32.cab
DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
DPF: {33564D57-9980-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/wmv9dmo.cab
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://www2.snapfish.com/SnapfishActivia.cab
DPF: {48DD0448-9209-4F81-9F6D-D83562940134} - hxxp://lads.myspace.com/upload/MySpaceUploader1006.cab
DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} - hxxp://tools.ebayimg.com/eps/wl/activex/EPUWALControl_v1-0-3-12.cab
DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} - hxxp://office.microsoft.com/productupdates/content/opuc.cab
DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} - hxxps://webdl.symantec.com/activex/symdlmgr.cab
DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} - hxxp://photoservices.van.fedex.com/software/ImageUploader4.cab
DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} - hcp://system/RunExeActiveX.CAB
DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} - hxxp://www.nick.com/common/groove/gx/GrooveAX27.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - hxxp://toolbar.google.com/data/GoogleActivate.cab
DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} - hcp://system/StartFirstControl.CAB
DPF: {9A57B18E-2F5D-11D5-8997-00104BD12D94} - hxxp://support.gateway.com/support/serialharvest/gwCID.CAB
DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - hxxp://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37602.7603009259
DPF: {A18962F6-E6ED-40B1-97C9-1FB36F38BFA8} - hxxp://woodmansdigitalphoto.lifepics.com/common/UserUpload/ImageUploader3.cab
DPF: {A8683C98-5341-421B-B23C-8514C05354F1} - hxxp://woodmansphoto.digitalcameradeveloping.com/upload/FujifilmUploadClient.cab
DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} - hxxp://www.crucial.com/controls/cpcScanner.cab
DPF: {BB47CA33-8B4D-11D0-9511-00C04FD9152D} - hxxp://carpoint.msn.com/Components/Ocx/Exterior/Outside.cab
DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} - hxxp://a532.g.akamai.net/f/532/6712/4h/player.virtools.com/downloads/player/Install3.0/Installer.exe
DPF: {C9B08199-657A-468D-A26B-692137572131} - hxxp://www.focusfocus.com/download/windows/ffhost.cab
DPF: {CAFEEFAC-0014-0002-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_02-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} - hxxp://3dlifeplayer.dl.3dvia.com/player/install/3DVIA_player_installer.exe
DPF: {D59931FE-DC91-11D2-88D5-000000000000} - hxxp://www.focusfocus.com/download/windows/ffcall.cab
DPF: {DADE1C2F-5A48-445C-82B5-3A5F102E84DF} - hxxp://woodmansdigitalphoto.lifepics.com/common/UserUpload/LifePicsUploader.CAB
DPF: {DED22F57-FEE2-11D0-953B-00C04FD9152D} - hxxp://carpoint.msn.com/components/ocx/autopricer/autopricer.cab
DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} - hxxp://h30043.www3.hp.com/sj/en/check/qdiagh.cab?319
Handler: gcf - {9875BFAF-B04D-445E-8A69-BE36838CDE3E} - c:\program files\google\chrome frame\application\5.0.375.125\npchrome_frame.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\winnt\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

============= SERVICES / DRIVERS ===============

R0 93434982;93434982 Boot Guard Driver;c:\winnt\system32\drivers\93434982.sys [2010-7-27 37392]
R0 tdrpman140;Acronis Try&Decide and Restore Points filter (build 140);c:\winnt\system32\drivers\tdrpm140.sys [2009-4-2 971168]
R1 93434981;93434981;c:\winnt\system32\drivers\93434981.sys [2010-7-27 128016]
R1 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\ipsdefs\20100728.001\IDSXpx86.sys [2010-7-29 331640]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
R1 setup_9.0.0.722_27.07.2010_09-30drv;setup_9.0.0.722_27.07.2010_09-30drv;c:\winnt\system32\drivers\9343498.sys [2010-7-27 315408]
R2 mrtRate;mrtRate;c:\winnt\system32\drivers\MrtRate.sys [2002-7-17 34712]
R2 Norton AntiVirus;Norton AntiVirus;c:\program files\norton antivirus\norton antivirus\engine\16.8.0.41\ccSvcHst.exe [2010-1-27 117640]
R2 Symantec Core LC;Symantec Core LC;c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe [2006-7-22 1251720]
R2 WDBtnMgrSvc.exe;WD Drive Manager Service;c:\program files\western digital\wd drive manager\WDBtnMgrSvc.exe [2008-2-19 106496]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-6-18 102448]
R3 EuMusDesignVirtualAudioCableWdm_s2x;Sound2x Audio Cable (WDM);c:\winnt\system32\drivers\vacs2xkd.sys [2010-1-8 42880]
R3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20100729.002\NAVENG.SYS [2010-7-29 85424]
R3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20100729.002\NAVEX15.SYS [2010-7-29 1362608]
S0 SymEFA;Symantec Extended File Attributes;c:\winnt\system32\drivers\nav\1008000.029\symefa.sys --> c:\winnt\system32\drivers\nav\1008000.029\SYMEFA.SYS [?]
S1 BHDrvx86;Symantec Heuristics Driver;c:\winnt\system32\drivers\nav\1008000.029\BHDrvx86.sys [2010-1-27 259632]
S1 ccHP;Symantec Hash Provider;c:\winnt\system32\drivers\nav\1008000.029\cchpx86.sys [2010-1-27 482432]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-1-28 135664]
S3 ASPI;Advanced SCSI Programming Interface Driver;c:\winnt\system32\drivers\ASPI32.SYS [2010-1-8 16512]
S3 HDDirect;Hard Disk Direct Control;c:\winnt\system32\drivers\hddirect.sys [2010-7-27 12552]
S3 HitmanPro35Crusader;Hitman Pro 3.5 Crusader;c:\documents and settings\owner\my documents\downloads\HitmanPro35.exe [2010-7-27 6084416]
S3 MusCAudio;MusCAudio;c:\winnt\system32\drivers\MusCAudio.sys [2009-2-1 23096]
S3 MusCVideo;MusCVideo;c:\winnt\system32\drivers\MusCVideo.sys [2009-2-1 3768]
S3 PacketNTx;Packet helper driver;c:\winnt\system32\drivers\PacketNTx.sys [2002-7-23 24544]
S3 pc22nd5;Toshiba PCX2200 USB Cable Modem networking driver (NDIS);c:\winnt\system32\drivers\pc22nd5.sys [2002-7-23 17648]
S3 pc22unic;Toshiba PCX2200 USB Cable Modem WDM driver;c:\winnt\system32\drivers\pc22unic.sys [2002-7-23 69744]

=============== Created Last 30 ================

2010-07-28 01:52:12 12552 ----a-w- c:\winnt\system32\drivers\hddirect.sys
2010-07-28 01:37:25 12872 ----a-w- c:\winnt\system32\bootdelete.exe
2010-07-28 01:37:24 324 ----a-w- c:\winnt\system32\bootdelete.lst
2010-07-28 01:24:11 37392 ----a-w- c:\winnt\system32\drivers\93434982.sys
2010-07-28 01:24:11 315408 ----a-w- c:\winnt\system32\drivers\9343498.sys
2010-07-28 01:24:11 128016 ----a-w- c:\winnt\system32\drivers\93434981.sys
2010-07-28 01:23:32 16968 ----a-w- c:\winnt\system32\drivers\hitmanpro35.sys
2010-07-28 01:23:12 0 d-----w- c:\docume~1\alluse~1\applic~1\Hitman Pro
2010-07-28 01:23:11 0 d-----w- c:\program files\Hitman Pro 3.5
2010-07-26 10:46:53 54016 ----a-w- c:\winnt\system32\drivers\ltlk.sys
2010-07-26 02:33:24 411368 ----a-w- c:\winnt\system32\deployJava1.dll
2010-07-26 02:30:16 0 d-----w- c:\docume~1\owner\applic~1\SUPERAntiSpyware.com
2010-07-26 02:30:16 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2010-07-26 02:30:02 0 d-----w- c:\program files\SUPERAntiSpyware
2010-07-26 01:50:59 0 d---a-w- c:\program files\Norton Support
2010-07-25 22:33:44 77312 ----a-w- c:\winnt\MBR.exe
2010-07-25 22:33:44 256512 ----a-w- c:\winnt\PEV.exe
2010-07-25 02:51:50 1324 ----a-w- c:\winnt\system32\d3d9caps.dat
2010-07-23 02:32:25 0 d-sha-r- C:\cmdcons
2010-07-23 00:53:19 0 d-----w- c:\docume~1\alluse~1\applic~1\RegCure
2010-07-22 23:21:12 130183 ----a-w- c:\documents and settings\owner\Services.html
2010-07-20 02:08:28 0 d-----w- c:\docume~1\owner\applic~1\5D799B10E0DAD5352612EAEAE006B5F8
2010-07-13 19:37:42 744448 ------w- c:\winnt\system32\dllcache\helpsvc.exe
2010-07-11 22:22:57 3162278 ------w- c:\winnt\{00000002-00000000-0000000C-00001102-00000004-00581102}.BAK
2010-07-11 22:18:30 86016 ----a-w- c:\winnt\system32\cttele.dll
2010-07-11 21:51:33 6752 ----a-w- c:\winnt\system32\PfModNT.sys
2010-07-11 20:53:14 3162278 ----a-w- c:\winnt\{00000002-00000000-0000000C-00001102-00000004-00581102}.CDF
2010-07-11 20:50:46 30096 ----a-w- c:\winnt\system32\BMXStateBkp-{00000002-00000000-0000000C-00001102-00000004-00581102}.rfx
2010-07-11 20:50:46 30096 ----a-w- c:\winnt\system32\BMXState-{00000002-00000000-0000000C-00001102-00000004-00581102}.rfx
2010-07-11 20:50:46 27240 ----a-w- c:\winnt\system32\BMXCtrlState-{00000002-00000000-0000000C-00001102-00000004-00581102}.rfx
2010-07-11 20:50:46 27240 ----a-w- c:\winnt\system32\BMXBkpCtrlState-{00000002-00000000-0000000C-00001102-00000004-00581102}.rfx
2010-07-11 20:50:46 11564 ----a-w- c:\winnt\system32\DVCState-{00000002-00000000-0000000C-00001102-00000004-00581102}.rfx
2010-07-11 20:49:25 4174814 ------w- c:\winnt\system32\CT4MGM.SF2
2010-07-11 20:49:20 0 d-----w- c:\winnt\system32\Defaults
2010-07-11 20:48:15 409600 ----a-w- c:\winnt\system32\wrap_oal.dll
2010-07-11 20:48:15 114688 ----a-w- c:\winnt\system32\OpenAL32.dll
2010-07-11 20:47:30 3072 ----a-w- c:\winnt\CTXFIRES.DLL
2010-07-11 16:09:51 0 d-----w- C:\fixit

==================== Find3M ====================

2010-07-23 00:28:36 14336 ----a-w- c:\winnt\system32\svchost.exe
2010-05-04 12:39:27 70656 ----a-w- c:\winnt\system32\dllcache\ie4uinit.exe
2010-05-04 12:39:27 13824 ----a-w- c:\winnt\system32\dllcache\ieudinit.exe
2010-05-02 05:22:50 1851264 ----a-w- c:\winnt\system32\win32k.sys
2010-05-02 05:22:50 1851264 ------w- c:\winnt\system32\dllcache\win32k.sys
2010-01-25 01:12:33 245760 --sha-w- c:\winnt\system32\config\systemprofile\ietldcache\index.dat
2008-10-01 01:50:45 32768 --sha-w- c:\winnt\system32\config\systemprofile\local settings\history\history.ie5\mshist012008093020081001\index.dat

============= FINISH: 19:14:07.25 ===============
cbrynolf is offline  
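The DDS log above lists every driver service with its start type and the file's date. The Python below is an added example for this thread, not part of DDS, ComboFix or anything the helper posted: it parses lines in that SERVICES / DRIVERS format, takes the scan date from the DDS header, and lists the boot- and system-start entries (R0/R1/S0/S1) that were created in the last 30 days or whose file name is all digits, plus entries DDS printed with [?] instead of a date and size. The sample lines are copied from the log above; the 30-day window and the all-digit heuristic are this example's own assumptions, and its output is a review list, not a verdict. On these lines it surfaces the three numeric-named drivers, one of which the log itself ties by service name to the "virus removal tool" startup entry (the other two share its timestamp), alongside a Norton definitions driver that is simply new.

```python
"""Triage helper for the SERVICES / DRIVERS section of a DDS log.

Added example for this thread, not part of DDS, ComboFix or any tool the
page names. It parses lines in the format DDS prints
(R/S + start type, service name, display name, path, [date size]) and
lists boot- or system-start drivers that deserve a second look. The
30-day window and the all-digit-file-name heuristic are assumptions made
here; the output is a review list, never a verdict.
"""
import re
from datetime import date, timedelta

# Header line as DDS prints it; copied from the log above.
HEADER = "Run by Owner at 19:10:52.54 on Thu 07/29/2010"

# Constructed sample: nine driver lines copied from the log above.
SAMPLE = r"""
R0 93434982;93434982 Boot Guard Driver;c:\winnt\system32\drivers\93434982.sys [2010-7-27 37392]
R0 tdrpman140;Acronis Try&Decide and Restore Points filter (build 140);c:\winnt\system32\drivers\tdrpm140.sys [2009-4-2 971168]
R1 93434981;93434981;c:\winnt\system32\drivers\93434981.sys [2010-7-27 128016]
R1 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\ipsdefs\20100728.001\IDSXpx86.sys [2010-7-29 331640]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 setup_9.0.0.722_27.07.2010_09-30drv;setup_9.0.0.722_27.07.2010_09-30drv;c:\winnt\system32\drivers\9343498.sys [2010-7-27 315408]
R2 mrtRate;mrtRate;c:\winnt\system32\drivers\MrtRate.sys [2002-7-17 34712]
S0 SymEFA;Symantec Extended File Attributes;c:\winnt\system32\drivers\nav\1008000.029\symefa.sys --> c:\winnt\system32\drivers\nav\1008000.029\SYMEFA.SYS [?]
S3 HDDirect;Hard Disk Direct Control;c:\winnt\system32\drivers\hddirect.sys [2010-7-27 12552]
"""

HEADER_RE = re.compile(r"\bon \w{3} (\d{2})/(\d{2})/(\d{4})\b")

LINE_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>\d)\s+"     # R = running, S = stopped; digit = start type (0 boot, 1 system, 2 auto, 3 demand)
    r"(?P<name>[^;]*);(?P<display>[^;]*);"  # service name ; display name
    r"(?P<path>.+?)"                         # image path; DDS prints 'a --> b' when it shows two paths
    r"\s\[(?P<date>\d{4}-\d{1,2}-\d{1,2}|\?)(?:\s(?P<size>\d+))?\]$"  # [yyyy-m-d size] or [?]
)


def parse_scan_date(header):
    """Pull the scan date out of the DDS 'Run by ... on Ddd mm/dd/yyyy' line."""
    m = HEADER_RE.search(header)
    if not m:
        raise ValueError("no scan date in header")
    month, day, year = (int(x) for x in m.groups())
    return date(year, month, day)


def parse_dds_drivers(text):
    """Return one dict per well-formed R*/S* driver line; other lines are skipped."""
    drivers = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        created = None
        if m["date"] != "?":
            y, mo, d = (int(p) for p in m["date"].split("-"))
            created = date(y, mo, d)
        drivers.append({
            "state": m["state"],
            "start": int(m["start"]),
            "name": m["name"],
            "display": m["display"],
            "path": m["path"].split(" --> ")[-1],  # keep the second path when DDS shows two
            "created": created,                    # None when DDS printed [?]
            "size": int(m["size"]) if m["size"] else None,
        })
    return drivers


def _file_stem(path):
    return path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]


def flag_boot_drivers(drivers, scan_date, window_days=30):
    """Names of start-type 0/1 drivers created within window_days of the scan
    or whose file name is all digits. Candidates for review, not verdicts:
    a freshly updated AV definitions driver lands here too."""
    cutoff = scan_date - timedelta(days=window_days)
    flagged = []
    for d in drivers:
        if d["start"] not in (0, 1):
            continue
        recent = d["created"] is not None and d["created"] >= cutoff
        if recent or _file_stem(d["path"]).isdigit():
            flagged.append(d["name"])
    return flagged


def missing_files(drivers):
    """Names of drivers for which DDS printed [?] instead of a date and size."""
    return [d["name"] for d in drivers if d["created"] is None]


if __name__ == "__main__":
    found = parse_dds_drivers(SAMPLE)
    when = parse_scan_date(HEADER)
    for name in flag_boot_drivers(found, when):
        entry = next(d for d in found if d["name"] == name)
        print(f"review  {name:40} {entry['created']}  {entry['path']}")
    for name in missing_files(found):
        print(f"no date {name}")
```

Paste the real SERVICES / DRIVERS block in place of SAMPLE and the real header in place of HEADER to run it against a full log. The point of the path in the output is that the reviewer still has to read it: IDSxpx86 is flagged only because its definitions file is two days old, and its location under the Norton definitions folder is what explains that.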
Old 07-31-2010, 07:31 AM   #8
TSF Security Manager
Emeritus
 

Microsoft Most Valuable Professional
 
Join Date: Jan 2005
Location: Ohio
Posts: 42,837
OS: WinXP Home, Vista, Windows 7 64bit



What happened when you ran ComboFix? Please post the log it produced - you'll find it at C:\ComboFix.txt
Ried is offline  
Old 07-31-2010, 07:42 AM   #9
Registered Member
 
Join Date: Jul 2010
Posts: 47
OS: XP SP3



I ran some other type of virus utility and I believe it removed ComboFix from the computer. I had to reboot it because it locked up. Doesn't look like any of it is there anymore.
cbrynolf is offline  
Old 07-31-2010, 07:47 AM   #10
TSF Security Manager
Emeritus
 

Microsoft Most Valuable Professional
 
Join Date: Jan 2005
Location: Ohio
Posts: 42,837
OS: WinXP Home, Vista, Windows 7 64bit



You must disable all your AVs and anti-malware programs, particularly Hitman Pro, or they will interfere with the tool.

It will require more than 1 round to clean the system. Please stay with me until given the 'all clear' even if symptoms seem to abate.


Download ComboFix from one of these locations:

Link 1
Link 2


* IMPORTANT- Save ComboFix.exe to your Desktop

====================================================


Disable your antivirus and antispyware applications, as they will interfere with our tools and the removal. If you are unsure how to do this, please refer to our sticky topic, How to disable your security applications.


====================================================


Double-click on combofix.exe and follow the prompts.


When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply for further review.
Ried is offline  
Old 07-31-2010, 10:01 AM   #11
Registered Member
 
Join Date: Jul 2010
Posts: 47
OS: XP SP3



Here it is. By the way, thanks for the help! It also said it found rootkit activity and asked to be rebooted... then ran again on startup. Here is the result.


ComboFix 10-07-30.04 - Owner 07/31/2010 10:28:03.3.1 - x86 MINIMAL
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.362 [GMT -5:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
AV: Norton AntiVirus *On-access scanning disabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
.

((((((((((((((((((((((((( Files Created from 2010-06-28 to 2010-07-31 )))))))))))))))))))))))))))))))
.

2010-07-31 13:58 . 2010-07-31 13:58 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Identities
2010-07-28 01:52 . 2010-07-28 01:52 12552 ----a-w- c:\winnt\system32\drivers\hddirect.sys
2010-07-28 01:37 . 2010-07-28 01:37 12872 ----a-w- c:\winnt\system32\bootdelete.exe
2010-07-28 01:35 . 2010-07-28 01:47 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\NPE
2010-07-28 01:24 . 2009-10-22 18:54 37392 ----a-w- c:\winnt\system32\drivers\93434982.sys
2010-07-28 01:24 . 2009-10-10 04:31 315408 ----a-w- c:\winnt\system32\drivers\9343498.sys
2010-07-28 01:24 . 2009-09-25 22:59 128016 ----a-w- c:\winnt\system32\drivers\93434981.sys
2010-07-28 01:23 . 2010-07-29 23:15 16968 ----a-w- c:\winnt\system32\drivers\hitmanpro35.sys
2010-07-28 01:23 . 2010-07-28 01:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Hitman Pro
2010-07-28 01:23 . 2010-07-28 01:23 -------- d-----w- c:\program files\Hitman Pro 3.5
2010-07-26 10:46 . 2010-07-26 10:46 54016 ----a-w- c:\winnt\system32\drivers\ltlk.sys
2010-07-26 02:33 . 2010-07-26 02:33 503808 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-65c78599-n\msvcp71.dll
2010-07-26 02:33 . 2010-07-26 02:33 499712 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-65c78599-n\jmc.dll
2010-07-26 02:33 . 2010-07-26 02:33 12800 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-1ad0cb0c-n\decora-d3d.dll
2010-07-26 02:33 . 2010-07-26 02:33 61440 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-1ad0cb0c-n\decora-sse.dll
2010-07-26 02:33 . 2010-07-26 02:33 348160 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-65c78599-n\msvcr71.dll
2010-07-26 02:33 . 2010-04-12 22:29 411368 ----a-w- c:\winnt\system32\deployJava1.dll
2010-07-26 02:30 . 2010-07-29 23:21 63488 ----a-w- c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll
2010-07-26 02:30 . 2010-07-26 02:30 52224 ----a-w- c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-07-26 02:30 . 2010-07-29 23:20 117760 ----a-w- c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-07-26 02:30 . 2010-07-26 02:30 -------- d-----w- c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com
2010-07-26 02:30 . 2010-07-26 02:30 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-07-26 02:30 . 2010-07-26 02:30 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-07-26 01:50 . 2010-07-26 01:51 -------- d---a-w- c:\program files\Norton Support
2010-07-25 02:53 . 2010-07-25 02:53 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\vevclkfib
2010-07-25 02:51 . 2010-07-30 06:25 1324 ----a-w- c:\winnt\system32\d3d9caps.dat
2010-07-23 00:53 . 2010-07-23 01:08 -------- d-----w- c:\documents and settings\All Users\Application Data\RegCure
2010-07-23 00:53 . 2010-07-23 01:07 -------- d-----w- c:\program files\RegCure
2010-07-20 23:34 . 2010-07-20 23:34 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Symantec
2010-07-20 02:08 . 2010-07-20 02:08 -------- d-----w- c:\documents and settings\Owner\Application Data\5D799B10E0DAD5352612EAEAE006B5F8
2010-07-13 19:37 . 2010-06-14 14:31 744448 ------w- c:\winnt\system32\dllcache\helpsvc.exe
2010-07-11 22:18 . 2006-11-14 12:28 86016 ----a-w- c:\winnt\system32\cttele.dll
2010-07-11 21:51 . 1999-12-17 06:00 6752 ----a-w- c:\winnt\system32\PfModNT.sys
2010-07-11 20:49 . 2010-07-11 22:23 -------- d-----w- c:\winnt\system32\Defaults
2010-07-11 20:48 . 2010-07-11 22:17 409600 ----a-w- c:\winnt\system32\wrap_oal.dll
2010-07-11 20:48 . 2010-07-11 22:17 114688 ----a-w- c:\winnt\system32\OpenAL32.dll
2010-07-11 20:48 . 2010-07-11 22:17 -------- d-----w- c:\documents and settings\Owner\Application Data\Creative
2010-07-11 20:47 . 2006-08-11 19:56 3072 ----a-w- c:\winnt\CTXFIRES.DLL
2010-07-11 16:09 . 2010-07-11 19:35 -------- d-----w- C:\fixit

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-31 15:18 . 2009-04-04 23:35 -------- d-----w- c:\documents and settings\Owner\Application Data\DNA
2010-07-31 14:52 . 2009-04-04 23:35 -------- d-----w- c:\program files\DNA
2010-07-28 01:44 . 2008-10-22 00:48 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2010-07-26 02:34 . 2004-04-24 19:54 -------- d-----w- c:\program files\Common Files\Java
2010-07-26 02:33 . 2004-04-24 19:54 -------- d-----w- c:\program files\Java
2010-07-26 02:17 . 2008-01-09 23:20 -------- d-----w- c:\program files\Norton Security Scan
2010-07-26 02:17 . 2002-07-17 17:53 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-07-25 19:47 . 2003-08-09 23:45 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-07-24 12:48 . 2002-07-17 17:57 -------- d-----w- c:\program files\PC-Doctor for Windows
2010-07-23 00:28 . 1980-01-01 05:00 14336 ----a-w- c:\winnt\system32\svchost.exe
2010-07-21 21:54 . 2008-12-14 00:00 -------- d-----w- c:\program files\Common Files\Apple
2010-07-20 02:24 . 2009-04-04 23:35 -------- d-----w- c:\documents and settings\Owner\Application Data\BitTorrent
2010-07-20 01:55 . 2009-04-04 14:22 -------- d-----w- c:\documents and settings\Owner\Application Data\FileZilla
2010-07-11 21:40 . 2002-07-17 17:51 -------- d-----w- c:\program files\Creative
2010-07-11 20:49 . 2002-07-17 17:51 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-07-11 20:34 . 2002-07-17 17:53 -------- d-----w- c:\program files\Gateway
2010-07-04 13:36 . 2010-03-13 20:11 -------- d-----w- c:\program files\Microsoft Silverlight
2010-06-25 12:43 . 2010-06-25 12:43 -------- d-----w- c:\documents and settings\Owner\Application Data\Unity
2010-06-23 22:54 . 2009-10-04 10:03 -------- d-----w- c:\documents and settings\Owner\Application Data\FreeFLVConverter
2010-06-14 14:31 . 2002-10-13 15:32 744448 ----a-w- c:\winnt\PCHEALTH\HELPCTR\Binaries\helpsvc.exe
2010-05-04 17:20 . 2004-02-06 23:05 832512 ----a-w- c:\winnt\system32\wininet.dll
2010-05-04 17:20 . 2009-07-14 21:42 78336 ----a-w- c:\winnt\system32\ieencode.dll
2010-05-04 17:20 . 1980-01-01 05:00 17408 ----a-w- c:\winnt\system32\corpol.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-01 68856]
"Gadwin PrintScreen"="c:\program files\Gadwin Systems\PrintScreen\PrintScreen.exe" [2008-12-09 495616]
"BitTorrent DNA"="c:\program files\DNA\btdna.exe" [2009-10-02 323392]
"Google Update"="c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-01-28 135664]
"NvMediaCenter"="c:\winnt\system32\NVMCTRAY.DLL" [2003-07-28 49152]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-07-19 2403568]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AdaptecDirectCD"="c:\program files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe" [2002-02-28 675840]
"USSShReg"="c:\progra~1\ULEADS~1\ULEADP~1.2\SSaver\Ussshreg.exe" [1997-11-23 20992]
"WinampAgent"="c:\program files\Winamp\Winampa.exe" [2002-04-26 12288]
"CapFax"="c:\program files\PhoneTools\CapFax.EXE" [2001-11-07 20480]
"Microsoft Works Update Detection"="c:\program files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2001-08-16 28738]
"QAGENT"="c:\program files\QUICKENW\QAGENT.EXE" [2001-08-01 94208]
"WD Drive Manager"="c:\program files\Western Digital\WD Drive Manager\WDBtnMgrUI.exe" [2008-02-19 438272]
"MP10_EnsureFileVer"="c:\winnt\inf\unregmp2.exe" [2008-04-14 208896]
"Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-29 583048]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-10-15 49152]
"hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2007-08-22 80896]
"TrueImageMonitor.exe"="c:\program files\Acronis\TrueImageHome\TrueImageMonitor.exe" [2008-10-04 4344472]
"AcronisTimounterMonitor"="c:\program files\Acronis\TrueImageHome\TimounterMonitor.exe" [2008-10-04 960376]
"Acronis Scheduler2 Service"="c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe" [2008-10-04 165144]
"LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam\Quickcam.exe" [2007-07-25 2027792]
"LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-07-25 563984]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-06-05 292136]
"Zune Launcher"="d:\zune\ZuneLauncher.exe" [2010-01-07 158448]
"nwiz"="nwiz.exe" [2003-07-28 323584]
"CTHelper"="CTHELPER.EXE" [2007-04-09 19456]
"CTxfiHlp"="CTXFIHLP.EXE" [2007-04-09 19968]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]

c:\documents and settings\Owner\Start Menu\Programs\Startup\
OCRAWARE.lnk - c:\oplimit\OCRAWARE.EXE [2002-7-21 51360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-10-14 214360]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoRecentDocsNetHood"= 01000000
"NoSMMyDocs"= 00000000
"NoSMMyPictures"= 00000000
"NoNetworkConnections"= 01000000

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HDDirect.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SymEFA.sys]
@="FSFilter Activity Monitor"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^setup_9.0.0.722_27.07.2010_09-30.lnk]
path=c:\documents and settings\Owner\Start Menu\Programs\Startup\setup_9.0.0.722_27.07.2010_09-30.lnk
backup=c:\winnt\pss\setup_9.0.0.722_27.07.2010_09-30.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
2009-03-05 21:07 2260480 --sha-r- c:\program files\Spybot - Search & Destroy\TeaTimer.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINNT\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\FileZilla FTP Client\\filezilla.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R0 93434982;93434982 Boot Guard Driver;c:\winnt\system32\drivers\93434982.sys [7/27/2010 8:24 PM 37392]
R0 tdrpman140;Acronis Try&Decide and Restore Points filter (build 140);c:\winnt\system32\drivers\tdrpm140.sys [4/2/2009 6:20 PM 971168]
S0 SymEFA;Symantec Extended File Attributes;c:\winnt\system32\drivers\NAV\1008000.029\SYMEFA.SYS --> c:\winnt\system32\drivers\NAV\1008000.029\SYMEFA.SYS [?]
S1 93434981;93434981;c:\winnt\system32\drivers\93434981.sys [7/27/2010 8:24 PM 128016]
S1 BHDrvx86;Symantec Heuristics Driver;c:\winnt\system32\drivers\NAV\1008000.029\BHDrvx86.sys [1/27/2010 7:21 PM 259632]
S1 ccHP;Symantec Hash Provider;c:\winnt\system32\drivers\NAV\1008000.029\cchpx86.sys [1/27/2010 7:21 PM 482432]
S1 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100730.001\IDSXpx86.sys [7/31/2010 7:56 AM 331640]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 1:25 PM 12872]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 1:41 PM 67656]
S1 setup_9.0.0.722_27.07.2010_09-30drv;setup_9.0.0.722_27.07.2010_09-30drv;c:\winnt\system32\drivers\9343498.sys [7/27/2010 8:24 PM 315408]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/28/2010 6:35 PM 135664]
S2 mrtRate;mrtRate;c:\winnt\system32\drivers\MrtRate.sys [7/17/2002 12:54 PM 34712]
S2 Norton AntiVirus;Norton AntiVirus;c:\program files\Norton AntiVirus\Norton AntiVirus\Engine\16.8.0.41\ccSvcHst.exe [1/27/2010 7:21 PM 117640]
S2 WDBtnMgrSvc.exe;WD Drive Manager Service;c:\program files\Western Digital\WD Drive Manager\WDBtnMgrSvc.exe [2/19/2008 2:15 AM 106496]
S3 ASPI;Advanced SCSI Programming Interface Driver;c:\winnt\system32\drivers\ASPI32.SYS [1/8/2010 8:15 PM 16512]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [6/18/2010 1:51 AM 102448]
S3 EuMusDesignVirtualAudioCableWdm_s2x;Sound2x Audio Cable (WDM);c:\winnt\system32\drivers\vacs2xkd.sys [1/8/2010 8:15 PM 42880]
S3 HDDirect;Hard Disk Direct Control;c:\winnt\system32\drivers\hddirect.sys [7/27/2010 8:52 PM 12552]
S3 HitmanPro35Crusader;Hitman Pro 3.5 Crusader;c:\documents and settings\Owner\My Documents\Downloads\HitmanPro35.exe [7/27/2010 8:21 PM 6084416]
S3 MusCAudio;MusCAudio;c:\winnt\system32\drivers\MusCAudio.sys [2/1/2009 3:02 PM 23096]
S3 MusCVideo;MusCVideo;c:\winnt\system32\drivers\MusCVideo.sys [2/1/2009 3:02 PM 3768]
S3 PacketNTx;Packet helper driver;c:\winnt\system32\drivers\PacketNTx.sys [7/23/2002 6:22 PM 24544]
S3 pc22nd5;Toshiba PCX2200 USB Cable Modem networking driver (NDIS);c:\winnt\system32\drivers\pc22nd5.sys [7/23/2002 6:21 PM 17648]
S3 pc22unic;Toshiba PCX2200 USB Cable Modem WDM driver;c:\winnt\system32\drivers\pc22unic.sys [7/23/2002 6:21 PM 69744]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - NMSSVC

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2010-07-31 c:\winnt\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-28 23:35]

2010-07-31 c:\winnt\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-28 23:35]

2010-07-27 c:\winnt\Tasks\GoogleUpdateTaskUserS-1-5-21-1567011825-3825283475-173008773-1003Core.job
- c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-02-14 23:35]

2010-07-30 c:\winnt\Tasks\GoogleUpdateTaskUserS-1-5-21-1567011825-3825283475-173008773-1003UA.job
- c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-02-14 23:35]

2010-07-27 c:\winnt\Tasks\RegCure Program Check.job
- c:\program files\RegCure\RegCure.exe [2010-05-19 23:20]

2010-07-23 c:\winnt\Tasks\RegCure.job
- c:\program files\RegCure\RegCure.exe [2010-05-19 23:20]
.
.
------- Supplementary Scan -------
.
uStart Page = www.google.com
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = <local>
DPF: Microsoft XML Parser for Java - file://c:\winnt\Java\classes\xmldso.cab
DPF: {22CF0C35-80CE-11D3-9354-00105AA793BF} - hxxp://www.immdesign.com/webview/IPAWebView.cab
DPF: {2357B3CF-7F8D-4451-8D81-FD6097610AEE} - hxxp://activex.camfrogweb.com/advanced/2.0.2.3/cfweb_activex.camfrogweb.com-advanced-2.0.2.3_instmodule.exe
DPF: {C9B08199-657A-468D-A26B-692137572131} - hxxp://www.focusfocus.com/download/windows/ffhost.cab
DPF: {D59931FE-DC91-11D2-88D5-000000000000} - hxxp://www.focusfocus.com/download/windows/ffcall.cab
.
- - - - ORPHANS REMOVED - - - -

SafeBoot-HDDirect



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, https://www.gmer.net
Rootkit scan 2010-07-31 10:42
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
CTHelper = CTHELPER.EXE?
CTxfiHlp = CTXFIHLP.EXE?

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, https://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe catchme.sys CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x836B5B4C]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf860af28
\Driver\ACPI -> ACPI.sys @ 0xf856dcb8
\Driver\atapi -> atapi.sys @ 0xf8525852
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0615
ParseProcedure -> ntoskrnl.exe @ 0x8056c3ac
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0615
ParseProcedure -> ntoskrnl.exe @ 0x8056c3ac
user & kernel MBR OK

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\Norton AntiVirus]
"ImagePath"="\"c:\program files\Norton AntiVirus\Norton AntiVirus\Engine\16.8.0.41\ccSvcHst.exe\" /s \"Norton AntiVirus\" /m \"c:\program files\Norton AntiVirus\Norton AntiVirus\Engine\16.8.0.41\diMaster.dll\" /prefetch:1"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(364)
c:\winnt\system32\WININET.dll
c:\program files\SUPERAntiSpyware\SASWINLO.DLL

- - - - - - - > 'lsass.exe'(424)
c:\winnt\system32\WININET.dll
.
Completion time: 2010-07-31 10:50:03
ComboFix-quarantined-files.txt 2010-07-31 15:49

Pre-Run: 423,413,059,584 bytes free
Post-Run: 423,556,599,808 bytes free

- - End Of File - - C611D1D0A1F69AD0753BC21D68F06EB4
Attached Files
File Type: txt ComboFix.txt (19.4 KB, 31 views)
Old 07-31-2010, 10:47 AM   #12
TSF Security Manager
Emeritus
 

Microsoft Most Valuable Professional
 
Join Date: Jan 2005
Location: Ohio
Posts: 42,837
OS: WinXP Home, Vista, Windows 7 64bit



Click Start>Run and copy/paste the following bolded text into the Run box and click OK:

C:\Qoobox\ComboFix-quarantined-files.txt

A report should pop open for you. Please post the contents in your next reply.


I'd also like to see a new log from gmer. Please run it again using the following configuration:

Double click to run the tool. An initial scan will automatically begin.
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.

  • In the right panel, you will see several boxes that have been checked. Uncheck the following:
      • IAT/EAT
      • Drives/Partition other than Systemdrive (typically C:\)
      • Show All (don't miss this one)

  • Then click the Scan button & wait for it to finish.
  • Once done click on the [Save..] button, and in the File name area, type in "ark2.txt" or it will save as a .log file which cannot be uploaded to your post.

Save it where you can easily find it, such as your desktop.


**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries.



Please attach the ark2.txt in your next reply.
__________________
Member of UNITE since 2006

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Old 07-31-2010, 05:37 PM   #13
Registered Member
 
Join Date: Jul 2010
Posts: 47
OS: XP SP3



combofix-quarantined-files.txt

2010-07-31 15:47:47 . 2010-07-31 15:47:47 542 ----a-w- C:\Qoobox\Quarantine\Registry_backups\SafeBoot-HDDirect.reg.dat
2010-07-31 15:37:53 . 2010-07-31 15:37:53 6,985 ----a-w- C:\Qoobox\Quarantine\Registry_backups\tcpip.reg
2010-07-31 14:07:20 . 2010-07-31 15:26:22 204 ----a-w- C:\Qoobox\Quarantine\catchme.log
Old 07-31-2010, 07:15 PM   #14
TSF Security Manager
Emeritus
 

Microsoft Most Valuable Professional
 
Join Date: Jan 2005
Location: Ohio
Posts: 42,837
OS: WinXP Home, Vista, Windows 7 64bit



Are you having difficulty running gmer? Please refer to my previous post for instructions on running that scan. :)
Old 08-01-2010, 05:37 AM   #15
Registered Member
 
Join Date: Jul 2010
Posts: 47
OS: XP SP3



GMER 1.0.15.15281 - https://www.gmer.net
Rootkit scan 2010-08-01 06:31:31
Windows 5.1.2600 Service Pack 3
Running: ge3hll51.exe; Driver: C:\DOCUME~1\Owner\LOCALS~1\Temp\uwtdqpog.sys


---- User code sections - GMER 1.0.15 ----

.text C:\WINNT\System32\svchost.exe[992] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 3 Bytes JMP 0091000A
.text C:\WINNT\System32\svchost.exe[992] ntdll.dll!NtProtectVirtualMemory + 4 7C90D6F2 1 Byte [84]
.text C:\WINNT\System32\svchost.exe[992] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 0092000A
.text C:\WINNT\System32\svchost.exe[992] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 0090000C
.text C:\WINNT\System32\svchost.exe[992] USER32.dll!GetCursorPos 7E42974E 5 Bytes JMP 019D000A
.text C:\WINNT\System32\svchost.exe[992] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 00E5000A
.text C:\WINNT\Explorer.EXE[1668] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00B7000A
.text C:\WINNT\Explorer.EXE[1668] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00BD000A
.text C:\WINNT\Explorer.EXE[1668] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00B6000C

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs tdrpm140.sys (Acronis Try&Decide Volume Filter Driver/Acronis)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 tdrpm140.sys (Acronis Try&Decide Volume Filter Driver/Acronis)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 tdrpm140.sys (Acronis Try&Decide Volume Filter Driver/Acronis)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device ACPI.sys (ACPI Driver for NT/Microsoft Corporation)

AttachedDevice \FileSystem\Fastfat \Fat tdrpm140.sys (Acronis Try&Decide Volume Filter Driver/Acronis)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\[email protected] 15
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\[email protected] 10000
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\[email protected] yes
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\[email protected]
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\[email protected] 90
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\[email protected] 10000

---- Files - GMER 1.0.15 ----

File C:\WINNT\system32\drivers\UMDF\es-ES\ZuneDriver.dll.mui 6656 bytes executable
File C:\WINNT\system32\drivers\UMDF\fr-FR\ZuneDriver.dll.mui 6144 bytes executable
File C:\WINNT\system32\drivers\UMDF\it-IT\ZuneDriver.dll.mui 6656 bytes executable
File C:\WINNT\system32\DRVSTORE\GEARAspiWD_4F4AA3475F1B13A1E8212B6D40B351211BC358CE 0 bytes
File C:\WINNT\system32\DRVSTORE\GEARAspiWD_4F4AA3475F1B13A1E8212B6D40B351211BC358CE\GEARAspiWDM.inf 2763 bytes
File C:\WINNT\system32\DRVSTORE\GEARAspiWD_4F4AA3475F1B13A1E8212B6D40B351211BC358CE\GEARAspiWDMx86.cat 7919 bytes
File C:\WINNT\system32\DRVSTORE\GEARAspiWD_4F4AA3475F1B13A1E8212B6D40B351211BC358CE\x86 0 bytes
File C:\WINNT\system32\DRVSTORE\GEARAspiWD_4F4AA3475F1B13A1E8212B6D40B351211BC358CE\x86\GEARAspi.dll 107368 bytes executable
File C:\WINNT\system32\DRVSTORE\GEARAspiWD_4F4AA3475F1B13A1E8212B6D40B351211BC358CE\x86\GEARAspiWDM.sys 23848 bytes executable
File C:\WINNT\system32\DRVSTORE\GEARAspiWD_D213663B6381F01E45A131159A9DEFE018321CB3 0 bytes
File C:\WINNT\system32\DRVSTORE\GEARAspiWD_D213663B6381F01E45A131159A9DEFE018321CB3\GEARAspiWDM.inf 2761 bytes
File C:\WINNT\system32\DRVSTORE\GEARAspiWD_D213663B6381F01E45A131159A9DEFE018321CB3\GEARAspiWDMx86.cat 11168 bytes
File C:\WINNT\system32\DRVSTORE\GEARAspiWD_D213663B6381F01E45A131159A9DEFE018321CB3\x86 0 bytes
File C:\WINNT\system32\DRVSTORE\GEARAspiWD_D213663B6381F01E45A131159A9DEFE018321CB3\x86\GEARAspi.dll 107368 bytes executable
File C:\WINNT\system32\DRVSTORE\GEARAspiWD_D213663B6381F01E45A131159A9DEFE018321CB3\x86\GEARAspiWDM.sys 15464 bytes executable
File C:\WINNT\system32\DRVSTORE\GEARAspiWD_F475AF659D36685632E9BD97B57E9D9661FF3FFD 0 bytes
File C:\WINNT\system32\DRVSTORE\GEARAspiWD_F475AF659D36685632E9BD97B57E9D9661FF3FFD\GEARAspiWDM.inf 2763 bytes
File C:\WINNT\system32\DRVSTORE\GEARAspiWD_F475AF659D36685632E9BD97B57E9D9661FF3FFD\GEARAspiWDMx86.cat 7919 bytes
File C:\WINNT\system32\DRVSTORE\GEARAspiWD_F475AF659D36685632E9BD97B57E9D9661FF3FFD\x86 0 bytes
File C:\WINNT\system32\DRVSTORE\GEARAspiWD_F475AF659D36685632E9BD97B57E9D9661FF3FFD\x86\GEARAspi.dll 107368 bytes executable
File C:\WINNT\system32\DRVSTORE\GEARAspiWD_F475AF659D36685632E9BD97B57E9D9661FF3FFD\x86\GEARAspiWDM.sys 23400 bytes executable
File C:\WINNT\system32\DRVSTORE\hpohsla_1F214374B1716048FBFF63827D9E01DBD35928C9 0 bytes
File C:\WINNT\system32\DRVSTORE\hpohsla_1F214374B1716048FBFF63827D9E01DBD35928C9\hpohsla.cab 8159408 bytes
File C:\WINNT\system32\DRVSTORE\hpohsla_1F214374B1716048FBFF63827D9E01DBD35928C9\hpohsla.cat 143324 bytes
File C:\WINNT\system32\DRVSTORE\hpohsla_1F214374B1716048FBFF63827D9E01DBD35928C9\hpohsla.inf 43272 bytes
File C:\WINNT\system32\DRVSTORE\hpohsla_1F214374B1716048FBFF63827D9E01DBD35928C9\hpzids01.dll 271704 bytes executable
File C:\WINNT\system32\DRVSTORE\hpohsla_1F214374B1716048FBFF63827D9E01DBD35928C9\P3i2enww.cab 308021 bytes
File C:\WINNT\system32\DRVSTORE\hposcu12_2EE2235FE88C2F49077C4C82E0EC22D7DFE78B19 0 bytes
File C:\WINNT\system32\DRVSTORE\hposcu12_2EE2235FE88C2F49077C4C82E0EC22D7DFE78B19\drivers 0 bytes
File C:\WINNT\system32\DRVSTORE\hposcu12_2EE2235FE88C2F49077C4C82E0EC22D7DFE78B19\drivers\dot4 0 bytes
File C:\WINNT\system32\DRVSTORE\hposcu12_2EE2235FE88C2F49077C4C82E0EC22D7DFE78B19\drivers\dot4\Win2000 0 bytes
File C:\WINNT\system32\DRVSTORE\hposcu12_2EE2235FE88C2F49077C4C82E0EC22D7DFE78B19\drivers\dot4\Win2000\difxapi.dll 309760 bytes executable
File C:\WINNT\system32\DRVSTORE\hposcu12_2EE2235FE88C2F49077C4C82E0EC22D7DFE78B19\drivers\dot4\Win2000\hppldcoi.dll 364544 bytes executable
File C:\WINNT\system32\DRVSTORE\hposcu12_2EE2235FE88C2F49077C4C82E0EC22D7DFE78B19\drivers\scanner 0 bytes
File C:\WINNT\system32\DRVSTORE\hposcu12_2EE2235FE88C2F49077C4C82E0EC22D7DFE78B19\drivers\scanner\x32 0 bytes
File C:\WINNT\system32\DRVSTORE\hposcu12_2EE2235FE88C2F49077C4C82E0EC22D7DFE78B19\drivers\scanner\x32\hpotiop5.dll 970752 bytes executable
File C:\WINNT\system32\DRVSTORE\hposcu12_2EE2235FE88C2F49077C4C82E0EC22D7DFE78B19\drivers\scanner\x32\hpotsti1.dll 229376 bytes executable
File C:\WINNT\system32\DRVSTORE\hposcu12_2EE2235FE88C2F49077C4C82E0EC22D7DFE78B19\drivers\scanner\x32\hpovst12.dll 303104 bytes executable
File C:\WINNT\system32\DRVSTORE\hposcu12_2EE2235FE88C2F49077C4C82E0EC22D7DFE78B19\drivers\scanner\x32\hpowiax5.dll 729088 bytes executable
File C:\WINNT\system32\DRVSTORE\hposcu12_2EE2235FE88C2F49077C4C82E0EC22D7DFE78B19\hposcu12.cat 17697 bytes
File C:\WINNT\system32\DRVSTORE\hposcu12_2EE2235FE88C2F49077C4C82E0EC22D7DFE78B19\hposcu12.inf 83376 bytes
File C:\WINNT\system32\DRVSTORE\hpounppsai_6061E964AAB2421A44614FC1062377BE342B60A3 0 bytes
File C:\WINNT\system32\DRVSTORE\hpounppsai_6061E964AAB2421A44614FC1062377BE342B60A3\hpounppsaio2_09.cat 89128 bytes
File C:\WINNT\system32\DRVSTORE\hpounppsai_6061E964AAB2421A44614FC1062377BE342B60A3\hpounppsaio2_09.inf 5408 bytes
File C:\WINNT\system32\DRVSTORE\hpzid413_F75AD070CF6AC37359152FFE52115AEC89378C94 0 bytes
File C:\WINNT\system32\DRVSTORE\hpzid413_F75AD070CF6AC37359152FFE52115AEC89378C94\drivers 0 bytes
File C:\WINNT\system32\DRVSTORE\hpzid413_F75AD070CF6AC37359152FFE52115AEC89378C94\drivers\dot4 0 bytes
File C:\WINNT\system32\DRVSTORE\hpzid413_F75AD070CF6AC37359152FFE52115AEC89378C94\drivers\dot4\Win2000 0 bytes
File C:\WINNT\system32\DRVSTORE\hpzid413_F75AD070CF6AC37359152FFE52115AEC89378C94\drivers\dot4\Win2000\HPZid412.sys 49920 bytes executable
File C:\WINNT\system32\DRVSTORE\hpzid413_F75AD070CF6AC37359152FFE52115AEC89378C94\HPZid413.cat 89207 bytes
File C:\WINNT\system32\DRVSTORE\hpzid413_F75AD070CF6AC37359152FFE52115AEC89378C94\hpzid413.inf 135094 bytes
File C:\WINNT\system32\DRVSTORE\hpzipa13_DB40AE39DB38AD8D2AF2D8E4340ABA1C191DE2CE 0 bytes
File C:\WINNT\system32\DRVSTORE\hpzipa13_DB40AE39DB38AD8D2AF2D8E4340ABA1C191DE2CE\drivers 0 bytes
File C:\WINNT\system32\DRVSTORE\hpzipa13_DB40AE39DB38AD8D2AF2D8E4340ABA1C191DE2CE\drivers\dot4 0 bytes
File C:\WINNT\system32\DRVSTORE\hpzipa13_DB40AE39DB38AD8D2AF2D8E4340ABA1C191DE2CE\drivers\dot4\Win2000 0 bytes
File C:\WINNT\system32\DRVSTORE\hpzipa13_DB40AE39DB38AD8D2AF2D8E4340ABA1C191DE2CE\drivers\dot4\Win2000\difxapi.dll 309760 bytes executable
File C:\WINNT\system32\DRVSTORE\hpzipa13_DB40AE39DB38AD8D2AF2D8E4340ABA1C191DE2CE\drivers\dot4\Win2000\hppldcoi.dll 364544 bytes executable
File C:\WINNT\system32\DRVSTORE\hpzipa13_DB40AE39DB38AD8D2AF2D8E4340ABA1C191DE2CE\drivers\dot4\Win2000\HPZid412.sys 49920 bytes executable
File C:\WINNT\system32\DRVSTORE\hpzipa13_DB40AE39DB38AD8D2AF2D8E4340ABA1C191DE2CE\drivers\dot4\Win2000\HPzipr12.sys 16496 bytes executable
File C:\WINNT\system32\DRVSTORE\hpzipa13_DB40AE39DB38AD8D2AF2D8E4340ABA1C191DE2CE\drivers\dot4\Win2000\HPZius12.sys 21568 bytes executable
File C:\WINNT\system32\DRVSTORE\hpzipa13_DB40AE39DB38AD8D2AF2D8E4340ABA1C191DE2CE\HPZc3212.dll 282624 bytes
File C:\WINNT\system32\DRVSTORE\hpzipa13_DB40AE39DB38AD8D2AF2D8E4340ABA1C191DE2CE\hpzipa13.cat 91400 bytes
File C:\WINNT\system32\DRVSTORE\hpzipa13_DB40AE39DB38AD8D2AF2D8E4340ABA1C191DE2CE\hpzipa13.inf 115124 bytes
File C:\WINNT\system32\DRVSTORE\hpzipr13_9B62D8E7E43E761D5D4A9F1967C0FC868E8BC390 0 bytes
File C:\WINNT\system32\DRVSTORE\hpzipr13_9B62D8E7E43E761D5D4A9F1967C0FC868E8BC390\drivers 0 bytes
File C:\WINNT\system32\DRVSTORE\hpzipr13_9B62D8E7E43E761D5D4A9F1967C0FC868E8BC390\drivers\dot4 0 bytes
File C:\WINNT\system32\DRVSTORE\hpzipr13_9B62D8E7E43E761D5D4A9F1967C0FC868E8BC390\drivers\dot4\Win2000 0 bytes
File C:\WINNT\system32\DRVSTORE\hpzipr13_9B62D8E7E43E761D5D4A9F1967C0FC868E8BC390\drivers\dot4\Win2000\HPZipr12.sys 16496 bytes executable
File C:\WINNT\system32\DRVSTORE\hpzipr13_9B62D8E7E43E761D5D4A9F1967C0FC868E8BC390\HPZipr13.cat 89207 bytes
File C:\WINNT\system32\DRVSTORE\hpzipr13_9B62D8E7E43E761D5D4A9F1967C0FC868E8BC390\hpzipr13.inf 59110 bytes
File C:\WINNT\system32\DRVSTORE\hpzius13_9B9B07948B5298EA9F9D379B539EC8677D74FF6B 0 bytes
File C:\WINNT\system32\DRVSTORE\hpzius13_9B9B07948B5298EA9F9D379B539EC8677D74FF6B\drivers 0 bytes
File C:\WINNT\system32\DRVSTORE\hpzius13_9B9B07948B5298EA9F9D379B539EC8677D74FF6B\drivers\dot4 0 bytes
File C:\WINNT\system32\DRVSTORE\hpzius13_9B9B07948B5298EA9F9D379B539EC8677D74FF6B\drivers\dot4\Win2000 0 bytes
File C:\WINNT\system32\DRVSTORE\hpzius13_9B9B07948B5298EA9F9D379B539EC8677D74FF6B\drivers\dot4\Win2000\difxapi.dll 309760 bytes executable
File C:\WINNT\system32\DRVSTORE\hpzius13_9B9B07948B5298EA9F9D379B539EC8677D74FF6B\drivers\dot4\Win2000\hppldcoi.dll 364544 bytes executable
File C:\WINNT\system32\DRVSTORE\hpzius13_9B9B07948B5298EA9F9D379B539EC8677D74FF6B\drivers\dot4\Win2000\hpzid412.sys 49920 bytes executable
File C:\WINNT\system32\DRVSTORE\hpzius13_9B9B07948B5298EA9F9D379B539EC8677D74FF6B\drivers\dot4\Win2000\hpzipr12.sys 16496 bytes executable
File C:\WINNT\system32\DRVSTORE\hpzius13_9B9B07948B5298EA9F9D379B539EC8677D74FF6B\drivers\dot4\Win2000\HPZius12.sys 21568 bytes executable
File C:\WINNT\system32\DRVSTORE\hpzius13_9B9B07948B5298EA9F9D379B539EC8677D74FF6B\drivers\dot4\WinxP 0 bytes
File C:\WINNT\system32\DRVSTORE\hpzius13_9B9B07948B5298EA9F9D379B539EC8677D74FF6B\drivers\dot4\WinxP\Hppaufd0.sys 16800 bytes executable
File C:\WINNT\system32\DRVSTORE\hpzius13_9B9B07948B5298EA9F9D379B539EC8677D74FF6B\HPZc3212.dll 282624 bytes
File C:\WINNT\system32\DRVSTORE\hpzius13_9B9B07948B5298EA9F9D379B539EC8677D74FF6B\HPZius13.cat 91839 bytes
File C:\WINNT\system32\DRVSTORE\hpzius13_9B9B07948B5298EA9F9D379B539EC8677D74FF6B\hpzius13.inf 171632 bytes
File C:\WINNT\system32\DRVSTORE\wdcsam_D64176EAE5FF9EF62F44B1696EF72916A266836B 0 bytes
File C:\WINNT\system32\DRVSTORE\wdcsam_D64176EAE5FF9EF62F44B1696EF72916A266836B\wdcsam.cat 10866 bytes
File C:\WINNT\system32\DRVSTORE\wdcsam_D64176EAE5FF9EF62F44B1696EF72916A266836B\wdcsam.inf 2477 bytes
File C:\WINNT\system32\DRVSTORE\wdcsam_D64176EAE5FF9EF62F44B1696EF72916A266836B\wdcsam.sys 11520 bytes executable
File C:\WINNT\system32\icsxml\cmnicfg.xml 5854 bytes
File C:\WINNT\system32\icsxml\ipcfg.xml 13437 bytes
File C:\WINNT\system32\icsxml\osinfo.xml 766 bytes
File C:\WINNT\system32\icsxml\potscfg.xml 2598 bytes
File C:\WINNT\system32\icsxml\pppcfg.xml 14420 bytes
File C:\WINNT\system32\LogFiles\HTTPERR 0 bytes

---- EOF - GMER 1.0.15 ----
Old 08-01-2010, 07:08 AM   #16
TSF Security Manager
Emeritus
 

Microsoft Most Valuable Professional
 
Join Date: Jan 2005
Location: Ohio
Posts: 42,837
OS: WinXP Home, Vista, Windows 7 64bit



Disable your AntiVirus and AntiSpyware applications as they will interfere with our tools and the removal. If you are unsure how to do this, please refer to our sticky topic How to disable your security applications


====================================================


Double click on combofix.exe & follow the prompts. Post the C:\ComboFix.txt when it has completed.
Old 08-01-2010, 07:52 AM   #17
Registered Member
 
Join Date: Jul 2010
Posts: 47
OS: XP SP3



I had to run ComboFix in safe mode last time because it just did nothing. Looks like I will have to start it from safe mode again, if that is all right, as it is just sitting there doing nothing?
Old 08-01-2010, 07:54 AM   #18
TSF Security Manager
Emeritus
 

Microsoft Most Valuable Professional
 
Join Date: Jan 2005
Location: Ohio
Posts: 42,837
OS: WinXP Home, Vista, Windows 7 64bit



It's one of your onboard protection programs that is hindering the tool. Make sure all of them are fully disabled. Uninstall Hitman Pro for now if you have to.
Old 08-01-2010, 09:48 AM   #19
Registered Member
 
Join Date: Jul 2010
Posts: 47
OS: XP SP3



I tried several attempts at disabling the virus software and it would still hang up. Started in safe mode and it rebooted because of rootkit activity. Upon reboot in normal mode it did finish the scan with the following result.


ComboFix 10-07-30.04 - Owner 08/01/2010 10:25:20.4.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.286 [GMT -5:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
AV: Norton AntiVirus *On-access scanning disabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
.

((((((((((((((((((((((((( Files Created from 2010-07-01 to 2010-08-01 )))))))))))))))))))))))))))))))
.

2010-07-31 13:58 . 2010-07-31 13:58 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Identities
2010-07-28 01:52 . 2010-07-28 01:52 12552 ----a-w- c:\winnt\system32\drivers\hddirect.sys
2010-07-28 01:37 . 2010-07-28 01:37 12872 ----a-w- c:\winnt\system32\bootdelete.exe
2010-07-28 01:35 . 2010-07-28 01:47 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\NPE
2010-07-28 01:23 . 2010-07-29 23:15 16968 ----a-w- c:\winnt\system32\drivers\hitmanpro35.sys
2010-07-28 01:23 . 2010-07-28 01:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Hitman Pro
2010-07-28 01:23 . 2010-07-28 01:23 -------- d-----w- c:\program files\Hitman Pro 3.5
2010-07-26 10:46 . 2010-07-26 10:46 54016 ----a-w- c:\winnt\system32\drivers\ltlk.sys
2010-07-26 02:33 . 2010-07-26 02:33 503808 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-65c78599-n\msvcp71.dll
2010-07-26 02:33 . 2010-07-26 02:33 499712 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-65c78599-n\jmc.dll
2010-07-26 02:33 . 2010-07-26 02:33 12800 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-1ad0cb0c-n\decora-d3d.dll
2010-07-26 02:33 . 2010-07-26 02:33 61440 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-1ad0cb0c-n\decora-sse.dll
2010-07-26 02:33 . 2010-07-26 02:33 348160 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-65c78599-n\msvcr71.dll
2010-07-26 02:33 . 2010-04-12 22:29 411368 ----a-w- c:\winnt\system32\deployJava1.dll
2010-07-26 02:30 . 2010-07-26 02:30 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-07-26 01:50 . 2010-07-26 01:51 -------- d---a-w- c:\program files\Norton Support
2010-07-25 02:53 . 2010-07-25 02:53 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\vevclkfib
2010-07-25 02:51 . 2010-07-30 06:25 1324 ----a-w- c:\winnt\system32\d3d9caps.dat
2010-07-23 00:53 . 2010-08-01 14:23 -------- d-----w- c:\documents and settings\All Users\Application Data\RegCure
2010-07-20 23:34 . 2010-07-20 23:34 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Symantec
2010-07-20 02:08 . 2010-07-20 02:08 -------- d-----w- c:\documents and settings\Owner\Application Data\5D799B10E0DAD5352612EAEAE006B5F8
2010-07-13 19:37 . 2010-06-14 14:31 744448 ------w- c:\winnt\system32\dllcache\helpsvc.exe
2010-07-11 22:18 . 2006-11-14 12:28 86016 ----a-w- c:\winnt\system32\cttele.dll
2010-07-11 21:51 . 1999-12-17 06:00 6752 ----a-w- c:\winnt\system32\PfModNT.sys
2010-07-11 20:49 . 2010-07-11 22:23 -------- d-----w- c:\winnt\system32\Defaults
2010-07-11 20:48 . 2010-07-11 22:17 409600 ----a-w- c:\winnt\system32\wrap_oal.dll
2010-07-11 20:48 . 2010-07-11 22:17 114688 ----a-w- c:\winnt\system32\OpenAL32.dll
2010-07-11 20:48 . 2010-07-11 22:17 -------- d-----w- c:\documents and settings\Owner\Application Data\Creative
2010-07-11 20:47 . 2006-08-11 19:56 3072 ----a-w- c:\winnt\CTXFIRES.DLL
2010-07-11 16:09 . 2010-07-11 19:35 -------- d-----w- C:\fixit

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-01 14:25 . 2009-04-04 23:35 -------- d-----w- c:\program files\DNA
2010-08-01 14:25 . 2009-04-04 23:35 -------- d-----w- c:\documents and settings\Owner\Application Data\DNA
2010-08-01 14:25 . 2003-08-09 23:45 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-08-01 14:23 . 2003-08-09 23:46 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-07-28 01:44 . 2008-10-22 00:48 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2010-07-26 02:34 . 2004-04-24 19:54 -------- d-----w- c:\program files\Common Files\Java
2010-07-26 02:33 . 2004-04-24 19:54 -------- d-----w- c:\program files\Java
2010-07-26 02:17 . 2008-01-09 23:20 -------- d-----w- c:\program files\Norton Security Scan
2010-07-26 02:17 . 2002-07-17 17:53 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-07-24 12:48 . 2002-07-17 17:57 -------- d-----w- c:\program files\PC-Doctor for Windows
2010-07-23 00:28 . 1980-01-01 05:00 14336 ----a-w- c:\winnt\system32\svchost.exe
2010-07-21 21:54 . 2008-12-14 00:00 -------- d-----w- c:\program files\Common Files\Apple
2010-07-20 02:24 . 2009-04-04 23:35 -------- d-----w- c:\documents and settings\Owner\Application Data\BitTorrent
2010-07-20 01:55 . 2009-04-04 14:22 -------- d-----w- c:\documents and settings\Owner\Application Data\FileZilla
2010-07-11 21:40 . 2002-07-17 17:51 -------- d-----w- c:\program files\Creative
2010-07-11 20:49 . 2002-07-17 17:51 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-07-11 20:34 . 2002-07-17 17:53 -------- d-----w- c:\program files\Gateway
2010-07-04 13:36 . 2010-03-13 20:11 -------- d-----w- c:\program files\Microsoft Silverlight
2010-06-25 12:43 . 2010-06-25 12:43 -------- d-----w- c:\documents and settings\Owner\Application Data\Unity
2010-06-23 22:54 . 2009-10-04 10:03 -------- d-----w- c:\documents and settings\Owner\Application Data\FreeFLVConverter
2010-06-14 14:31 . 2002-10-13 15:32 744448 ----a-w- c:\winnt\PCHEALTH\HELPCTR\Binaries\helpsvc.exe
2010-05-04 17:20 . 2004-02-06 23:05 832512 ----a-w- c:\winnt\system32\wininet.dll
2010-05-04 17:20 . 2009-07-14 21:42 78336 ----a-w- c:\winnt\system32\ieencode.dll
2010-05-04 17:20 . 1980-01-01 05:00 17408 ----a-w- c:\winnt\system32\corpol.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Works Update Detection"="c:\program files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2001-08-16 28738]
"MP10_EnsureFileVer"="c:\winnt\inf\unregmp2.exe" [2008-04-14 208896]
"Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-29 583048]
"LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-07-25 563984]
"nwiz"="nwiz.exe" [2003-07-28 323584]
"CTHelper"="CTHELPER.EXE" [2007-04-09 19456]
"CTxfiHlp"="CTXFIHLP.EXE" [2007-04-09 19968]

c:\documents and settings\Owner\Start Menu\Programs\Startup\
OCRAWARE.lnk - c:\oplimit\OCRAWARE.EXE [2002-7-21 51360]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoRecentDocsNetHood"= 01000000
"NoSMMyDocs"= 00000000
"NoSMMyPictures"= 00000000
"NoNetworkConnections"= 01000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HDDirect.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SymEFA.sys]
@="FSFilter Activity Monitor"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\winnt\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^setup_9.0.0.722_27.07.2010_09-30.lnk]
path=c:\documents and settings\Owner\Start Menu\Programs\Startup\setup_9.0.0.722_27.07.2010_09-30.lnk
backup=c:\winnt\pss\setup_9.0.0.722_27.07.2010_09-30.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acronis Scheduler2 Service]
2008-10-04 03:40 165144 ----a-w- c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AcronisTimounterMonitor]
2008-10-04 03:45 960376 ----a-w- c:\program files\Acronis\TrueImageHome\TimounterMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdaptecDirectCD]
2002-02-28 13:47 675840 ----a-w- c:\program files\Adaptec\Easy CD Creator 5\DirectCD\Directcd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent DNA]
2009-10-02 23:54 323392 ----a-w- c:\program files\DNA\btdna.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CapFax]
2001-11-07 19:25 20480 ------w- c:\program files\PhoneTools\capFax.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Gadwin PrintScreen]
2008-12-09 11:08 495616 ----a-w- c:\program files\Gadwin Systems\PrintScreen\PrintScreen.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2010-01-28 23:35 135664 ----atw- c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2007-10-15 02:17 49152 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpqSRMon]
2007-08-22 21:31 80896 ----a-w- c:\program files\HP\Digital Imaging\bin\HpqSRmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2009-06-05 18:39 292136 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechQuickCamRibbon]
2007-07-25 21:06 2027792 ----a-w- c:\program files\Logitech\QuickCam\Quickcam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QAGENT]
2001-08-01 17:30 94208 ----a-w- c:\program files\QUICKENW\qagent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-02-18 16:43 248040 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2007-07-01 05:53 68856 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TrueImageMonitor.exe]
2008-10-04 03:23 4344472 ----a-w- c:\program files\Acronis\TrueImageHome\TrueImageMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\USSShReg]
1997-11-23 09:16 20992 ------w- c:\progra~1\ULEADS~1\ULEADP~1.2\SSaver\USSSHREG.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WD Drive Manager]
2008-02-19 07:13 438272 ----a-w- c:\program files\Western Digital\WD Drive Manager\WDBtnMgrUI.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
2002-04-26 17:53 12288 ----a-w- c:\program files\Winamp\winampa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Zune Launcher]
2010-01-07 20:38 158448 ----a-w- d:\zune\ZuneLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"mnmsrvc"=3 (0x3)
"WDBtnMgrSvc.exe"=2 (0x2)
"Symantec Core LC"=2 (0x2)
"PictureTaker"=3 (0x3)
"Norton AntiVirus"=2 (0x2)
"LiveUpdate Notice Service"=2 (0x2)
"LiveUpdate"=3 (0x3)
"JavaQuickStarterService"=2 (0x2)
"iPod Service"=3 (0x3)
"HitmanPro35Crusader"=3 (0x3)
"gusvc"=3 (0x3)
"gupdate"=2 (0x2)
"Automatic LiveUpdate Scheduler"=2 (0x2)
"Apple Mobile Device"=2 (0x2)
"AcrSch2Svc"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINNT\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\FileZilla FTP Client\\filezilla.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R0 tdrpman140;Acronis Try&Decide and Restore Points filter (build 140);c:\winnt\system32\drivers\tdrpm140.sys [4/2/2009 6:20 PM 971168]
R2 mrtRate;mrtRate;c:\winnt\system32\drivers\MrtRate.sys [7/17/2002 12:54 PM 34712]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [6/18/2010 1:51 AM 102448]
R3 EuMusDesignVirtualAudioCableWdm_s2x;Sound2x Audio Cable (WDM);c:\winnt\system32\drivers\vacs2xkd.sys [1/8/2010 8:15 PM 42880]
S0 SymEFA;Symantec Extended File Attributes;c:\winnt\system32\drivers\NAV\1008000.029\SYMEFA.SYS --> c:\winnt\system32\drivers\NAV\1008000.029\SYMEFA.SYS [?]
S1 BHDrvx86;Symantec Heuristics Driver;c:\winnt\system32\drivers\NAV\1008000.029\BHDrvx86.sys [1/27/2010 7:21 PM 259632]
S1 ccHP;Symantec Hash Provider;c:\winnt\system32\drivers\NAV\1008000.029\cchpx86.sys [1/27/2010 7:21 PM 482432]
S1 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100730.001\IDSXpx86.sys [7/31/2010 7:56 AM 331640]
S3 ASPI;Advanced SCSI Programming Interface Driver;c:\winnt\system32\drivers\ASPI32.SYS [1/8/2010 8:15 PM 16512]
S3 HDDirect;Hard Disk Direct Control;c:\winnt\system32\drivers\hddirect.sys [7/27/2010 8:52 PM 12552]
S3 MusCAudio;MusCAudio;c:\winnt\system32\drivers\MusCAudio.sys [2/1/2009 3:02 PM 23096]
S3 MusCVideo;MusCVideo;c:\winnt\system32\drivers\MusCVideo.sys [2/1/2009 3:02 PM 3768]
S3 PacketNTx;Packet helper driver;c:\winnt\system32\drivers\PacketNTx.sys [7/23/2002 6:22 PM 24544]
S3 pc22nd5;Toshiba PCX2200 USB Cable Modem networking driver (NDIS);c:\winnt\system32\drivers\pc22nd5.sys [7/23/2002 6:21 PM 17648]
S3 pc22unic;Toshiba PCX2200 USB Cable Modem WDM driver;c:\winnt\system32\drivers\pc22unic.sys [7/23/2002 6:21 PM 69744]
S4 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/28/2010 6:35 PM 135664]
S4 HitmanPro35Crusader;Hitman Pro 3.5 Crusader;c:\documents and settings\Owner\My Documents\Downloads\HitmanPro35.exe [7/27/2010 8:21 PM 6084416]
S4 Norton AntiVirus;Norton AntiVirus;c:\program files\Norton AntiVirus\Norton AntiVirus\Engine\16.8.0.41\ccSvcHst.exe [1/27/2010 7:21 PM 117640]
S4 WDBtnMgrSvc.exe;WD Drive Manager Service;c:\program files\Western Digital\WD Drive Manager\WDBtnMgrSvc.exe [2/19/2008 2:15 AM 106496]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - NMSSVC

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2010-08-01 c:\winnt\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-28 23:35]

2010-08-01 c:\winnt\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-28 23:35]

2010-08-01 c:\winnt\Tasks\GoogleUpdateTaskUserS-1-5-21-1567011825-3825283475-173008773-1003Core.job
- c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-02-14 23:35]

2010-08-01 c:\winnt\Tasks\GoogleUpdateTaskUserS-1-5-21-1567011825-3825283475-173008773-1003UA.job
- c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-02-14 23:35]
.
.
------- Supplementary Scan -------
.
uStart Page = www.google.com
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = <local>
DPF: Microsoft XML Parser for Java - file://c:\winnt\Java\classes\xmldso.cab
DPF: {22CF0C35-80CE-11D3-9354-00105AA793BF} - hxxp://www.immdesign.com/webview/IPAWebView.cab
DPF: {2357B3CF-7F8D-4451-8D81-FD6097610AEE} - hxxp://activex.camfrogweb.com/advanced/2.0.2.3/cfweb_activex.camfrogweb.com-advanced-2.0.2.3_instmodule.exe
DPF: {C9B08199-657A-468D-A26B-692137572131} - hxxp://www.focusfocus.com/download/windows/ffhost.cab
DPF: {D59931FE-DC91-11D2-88D5-000000000000} - hxxp://www.focusfocus.com/download/windows/ffcall.cab
.
- - - - ORPHANS REMOVED - - - -

ShellExecuteHooks-{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - (no file)
MSConfigStartUp-SpybotSD TeaTimer - c:\program files\Spybot - Search & Destroy\TeaTimer.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, https://www.gmer.net
Rootkit scan 2010-08-01 10:37
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
CTHelper = CTHELPER.EXE?
CTxfiHlp = CTXFIHLP.EXE?

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, https://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe catchme.sys CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x83693B4C]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf860af28
\Driver\ACPI -> ACPI.sys @ 0xf856dcb8
\Driver\atapi -> atapi.sys @ 0xf8525852
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0615
ParseProcedure -> ntoskrnl.exe @ 0x8056c3ac
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0615
ParseProcedure -> ntoskrnl.exe @ 0x8056c3ac
NDIS: Intel(R) PRO/100 Network Connection -> SendCompleteHandler -> NDIS.sys @ 0xf83e9bb0
PacketIndicateHandler -> NDIS.sys @ 0xf83d8a0d
SendHandler -> NDIS.sys @ 0xf83ecb40
user & kernel MBR OK

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\Norton AntiVirus]
"ImagePath"="\"c:\program files\Norton AntiVirus\Norton AntiVirus\Engine\16.8.0.41\ccSvcHst.exe\" /s \"Norton AntiVirus\" /m \"c:\program files\Norton AntiVirus\Norton AntiVirus\Engine\16.8.0.41\diMaster.dll\" /prefetch:1"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(640)
c:\winnt\system32\WININET.dll

- - - - - - - > 'lsass.exe'(700)
c:\winnt\system32\WININET.dll
.
Completion time: 2010-08-01 10:42:21
ComboFix-quarantined-files.txt 2010-08-01 15:42
ComboFix2.txt 2010-07-31 15:50

Pre-Run: 423,823,339,520 bytes free
Post-Run: 423,802,982,400 bytes free

- - End Of File - - 791B703B108994701204B365E95BE2B9
cbrynolf is offline  
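As an added triage example (not ComboFix's own code and not something posted in this thread), here is a small parser for the two sections of the log above that a helper reads first, the "Files Created" list and the R0..S4 driver/service list. The sample lines are constructed to match the layout posted above, and the two heuristics it applies (a service whose image file was created recently, or a service whose binary lives outside the Windows and Program Files trees) only mark entries for a person to review; they prove nothing on their own.

```python
import re
from datetime import datetime

# Constructed sample lines in the layout of the log's "Files Created" section.
FILES_CREATED = r"""
2010-07-28 01:52 . 2010-07-28 01:52 12552 ----a-w- c:\winnt\system32\drivers\hddirect.sys
2010-07-28 01:23 . 2010-07-29 23:15 16968 ----a-w- c:\winnt\system32\drivers\hitmanpro35.sys
2010-07-26 10:46 . 2010-07-26 10:46 54016 ----a-w- c:\winnt\system32\drivers\ltlk.sys
2010-07-11 20:49 . 2010-07-11 22:23 -------- d-----w- c:\winnt\system32\Defaults
"""

# Constructed sample lines in the layout of the log's R0..S4 service/driver list.
SERVICES = r"""
R0 tdrpman140;Acronis filter (build 140);c:\winnt\system32\drivers\tdrpm140.sys [4/2/2009 6:20 PM 971168]
S0 SymEFA;Symantec Extended File Attributes;c:\winnt\system32\drivers\NAV\SYMEFA.SYS --> c:\winnt\system32\drivers\NAV\SYMEFA.SYS [?]
S3 HDDirect;Hard Disk Direct Control;c:\winnt\system32\drivers\hddirect.sys [7/27/2010 8:52 PM 12552]
S4 HitmanPro35Crusader;Hitman Pro 3.5 Crusader;c:\documents and settings\Owner\My Documents\Downloads\HitmanPro35.exe [7/27/2010 8:21 PM 6084416]
"""

# created . modified  size-or-dashes  8-char attribute string  path (may contain spaces)
FILE_RE = re.compile(r"^(\S+ \S+) \. (\S+ \S+) (\S+) (\S{8}) (.+)$")
# start-type name;display name;image path [timestamp size]   (or [?] when unresolved)
SVC_RE = re.compile(r"^([RS]\d) ([^;]+);([^;]*);(.*) \[(.*)\]$")


def parse_files_created(text):
    """Return (created, modified, size, attrs, path) per line; directories get size None."""
    out = []
    for line in text.strip().splitlines():
        m = FILE_RE.match(line)
        if not m:
            continue
        created = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M")
        modified = datetime.strptime(m.group(2), "%Y-%m-%d %H:%M")
        size = None if m.group(3).startswith("-") else int(m.group(3))
        out.append((created, modified, size, m.group(4), m.group(5).lower()))
    return out


def parse_services(text):
    """Return one dict per R/S line: start type, name, display name, image path, stamp, size."""
    out = []
    for line in text.strip().splitlines():
        m = SVC_RE.match(line)
        if not m:
            continue
        path = m.group(4).split(" --> ")[0].lower()  # "-->" marks a path ComboFix could not resolve
        stamp, size = None, None
        if m.group(5) != "?":  # "[?]" means there was no file on disk to stat
            when, sz = m.group(5).rsplit(" ", 1)
            stamp, size = datetime.strptime(when, "%m/%d/%Y %I:%M %p"), int(sz)
        out.append({"start": m.group(1), "name": m.group(2), "display": m.group(3),
                    "path": path, "stamp": stamp, "size": size})
    return out


def recently_installed_services(files_text, services_text, since):
    """Names of services whose image file shows up in Files Created on or after `since` (YYYY-MM-DD)."""
    cutoff = datetime.strptime(since, "%Y-%m-%d")
    fresh = {path for created, _, size, _, path in parse_files_created(files_text)
             if size is not None and created >= cutoff}
    return sorted(s["name"] for s in parse_services(services_text) if s["path"] in fresh)


def services_outside_system_dirs(services_text):
    """Services whose binary lives outside the Windows and Program Files trees (worth a look, not proof)."""
    roots = ("c:\\winnt\\", "c:\\windows\\", "c:\\program files\\")
    return sorted(s["name"] for s in parse_services(services_text)
                  if not s["path"].startswith(roots))
```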
Old 08-01-2010, 04:39 PM   #20
TSF Security Manager
Emeritus
 

Microsoft Most Valuable Professional
 
Join Date: Jan 2005
Location: Ohio
Posts: 42,837
OS: WinXP Home, Vista, Windows 7 64bit



Please download Rootkit Unhooker and save it to your desktop.

Close all open programs and browsers, then Double-click RKUnhookerLE.exe to run it.
  • Click the Report tab, then click Scan
  • Check Drivers, Stealth Code, Files, and Code Hooks
  • Uncheck the rest, then click OK
  • When prompted to Select Disks for Scan, make sure C:\ is checked and click OK
  • Wait till the scanner has finished then go File > Save Report
  • Save the report somewhere you can find it. Click Close
  • Copy the entire contents of the report and paste it in your next reply.

Note** you may get the following warning. Please click OK to continue:

"Rootkit Unhooker has detected a parasite inside itself!
It is recommended to remove parasite, okay?"
Ried is offline  