View Full Version : Total security infection!?!
randytattershall
2009-09-29, 07:11
Help, I too have this "scareware" and need assistance removing.
Started with Norton then Spybot. Spybot identified it but was unable to remove.
Thanks
RKT
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:55:16 PM, on 9/28/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\DISC\DISCover.exe
C:\Program Files\DISC\DiscUpdMgr.exe
C:\Program Files\HP DigitalMedia Archive\DMAScheduler.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Norton 360\Engine\3.5.2.11\ccSvcHst.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Canon\MultiPASS4\monitr32.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\fxredir.exe
C:\Program Files\Canon\MultiPASS4\MPTBox.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Caere\OmniPagePro90\opware32.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\WINDOWS\system32\ntvdm.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Intel\IntelDH\Intel(R) Quick Resume Technology\ELService.exe
C:\Program Files\Nova Development\Scrapbook Factory Deluxe 4.0\ReminderApp.exe
C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\TS\tsc.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\DISC\DiscStreamHub.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\Program Files\Norton 360\Engine\3.5.2.11\ccSvcHst.exe
C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe
C:\WINDOWS\system32\wuauclt.exe
c:\windows\system\hpsysdrv.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Java\jre1.6.0_07\bin\jucheck.exe
C:\WINDOWS\system32\dg.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Microsoft Office\Office12\WINWORD.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=63&bd=PAVILION&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=63&bd=PAVILION&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=63&bd=PAVILION&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Symantec NCO BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton 360\Engine\3.5.2.11\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton 360\Engine\3.5.2.11\IPSBHO.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: HpWebHelper - {AAAE832A-5FFF-4661-9C8F-369692D1DCB9} - C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\WebHelper.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.3.4501.1418\swg.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_B7C5AC242193BB3E.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton 360\Engine\3.5.2.11\coIEPlg.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
O4 - HKLM\..\Run: [HPHUPD08] c:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe
O4 - HKLM\..\Run: [DISCover] C:\Program Files\DISC\DISCover.exe
O4 - HKLM\..\Run: [DiscUpdateManager] C:\Program Files\DISC\DiscUpdMgr.exe
O4 - HKLM\..\Run: [DMAScheduler] "c:\Program Files\HP DigitalMedia Archive\DMAScheduler.exe"
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [monitr32] C:\Program Files\Canon\MultiPASS4\monitr32.exe
O4 - HKLM\..\Run: [fxredir] C:\WINDOWS\system32\fxredir.exe
O4 - HKLM\..\Run: [MPTBox] C:\Program Files\Canon\MultiPASS4\MPTBox.exe
O4 - HKLM\..\Run: [OmniPage] C:\Program Files\Caere\OmniPagePro90\opware32.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [ReminderApp] C:\Program Files\Nova Development\Scrapbook Factory Deluxe 4.0\ReminderApp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe" /hide
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [TS] C:\Program Files\TS\tsc.exe
O4 - HKUS\S-1-5-21-2567882293-3334311744-1662768229-1009\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Randy's')
O4 - HKUS\S-1-5-21-2567882293-3334311744-1662768229-1009\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe (User 'Randy's')
O4 - HKUS\S-1-5-21-2567882293-3334311744-1662768229-1009\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background (User 'Randy's')
O4 - HKUS\S-1-5-21-2567882293-3334311744-1662768229-1009\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil9d.exe (User 'Randy's')
O4 - HKUS\S-1-5-21-2567882293-3334311744-1662768229-500\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Administrator')
O4 - S-1-5-21-2567882293-3334311744-1662768229-1009 Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE (User 'Randy's')
O4 - S-1-5-21-2567882293-3334311744-1662768229-1009 User Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE (User 'Randy's')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - Global Startup: Updates From HP.lnk = C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe
O8 - Extra context menu item: &Search - ?p=ZUxdm326PBUS
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.trymedia.com (HKLM)
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O18 - Protocol: symres - {AA1061FE-6C41-421F-9344-69640C9732AB} - C:\Program Files\Norton 360\Engine\3.5.2.11\coIEPlg.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Intel® Quick Resume Technology Drivers (ELService) - Intel Corporation - C:\Program Files\Intel\IntelDH\Intel(R) Quick Resume Technology\ELService.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: MpService - Canon Inc - C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE
O23 - Service: Norton 360 (N360) - Symantec Corporation - C:\Program Files\Norton 360\Engine\3.5.2.11\ccSvcHst.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZIPM12.EXE
--
End of file - 15409 bytes
Hello
Welcome to Safer Networking.
Please read Before You Post (http://forums.spybot.info/showthread.php?t=288)
While best efforts are made to assist in removing infections safely, unexpected stuff can happen. It is advisable that you back up your important data before starting any clean up procedure. Neither Safer Networking Forums nor the Analyst providing the advice may be held responsible for any loss.
Disable the TeaTimer, leave it disabled, do not turn it back on until we're done or it will prevent fixes from taking
Run Spybot-S&D in Advanced Mode.
If it is not already set to do this Go to the Mode menu select "Advanced Mode"
On the left hand side, Click on Tools
Then click on the Resident Icon in the List
Uncheck "Resident TeaTimer" and OK any prompts.
Restart your computer.<--You need to do this for it to take effect
Please download RootRepeal one of these locations and save it to your desktop
Here (http://ad13.geekstogo.com/RootRepeal.exe)
Here (http://download.bleepingcomputer.com/rootrepeal/RootRepeal.exe)
Here (http://rootrepeal.psikotick.com/RootRepeal.exe)
Open http://billy-oneal.com/forums/rootRepeal/rootRepealDesktopIcon.png on your desktop.
Click the http://billy-oneal.com/forums/rootRepeal/reportTab.png tab.
Click the http://billy-oneal.com/forums/rootRepeal/btnScan.png button.
Check just these boxes:
http://forums.whatthetech.com/uploads/monthly_08_2009/post-75503-1250480183.gif
Push Ok
Check the box for your main system drive (Usually C:, and press Ok.
Allow RootRepeal to run a scan of your system. This may take some time.
Once the scan completes, push the http://billy-oneal.com/forums/rootRepeal/saveReport.png button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your post.
randytattershall
2009-09-30, 15:30
Thank you for your assistance.
Please review.
RT
ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time: 2009/09/30 06:23
Program Version: Version 1.3.5.0
Windows Version: Windows XP Media Center Edition SP2
==================================================
Drivers
-------------------
Name: dump_iaStor.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_iaStor.sys
Address: 0xA44C2000 Size: 876544 File Visible: No Signed: -
Status: -
Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xA078E000 Size: 49152 File Visible: No Signed: -
Status: -
Name: SYMEFA.SYS
Image Path: SYMEFA.SYS
Address: 0xBA5B4000 Size: 323584 File Visible: No Signed: -
Status: -
SSDT
-------------------
#: 012 Function Name: NtAlertResumeThread
Status: Hooked by "<unknown>" at address 0x88ed6300
#: 013 Function Name: NtAlertThread
Status: Hooked by "<unknown>" at address 0x88e68c78
#: 017 Function Name: NtAllocateVirtualMemory
Status: Hooked by "<unknown>" at address 0x893594a8
#: 019 Function Name: NtAssignProcessToJobObject
Status: Hooked by "<unknown>" at address 0x8935c330
#: 031 Function Name: NtConnectPort
Status: Hooked by "<unknown>" at address 0x889773d8
#: 041 Function Name: NtCreateKey
Status: Hooked by "C:\WINDOWS\system32\Drivers\SYMEVENT.SYS" at address 0xa48ce130
#: 043 Function Name: NtCreateMutant
Status: Hooked by "<unknown>" at address 0x893e7428
#: 052 Function Name: NtCreateSymbolicLinkObject
Status: Hooked by "<unknown>" at address 0x88f7c280
#: 053 Function Name: NtCreateThread
Status: Hooked by "<unknown>" at address 0x8939bf48
#: 057 Function Name: NtDebugActiveProcess
Status: Hooked by "<unknown>" at address 0x893540d0
#: 063 Function Name: NtDeleteKey
Status: Hooked by "C:\WINDOWS\system32\Drivers\SYMEVENT.SYS" at address 0xa48ce3b0
#: 065 Function Name: NtDeleteValueKey
Status: Hooked by "C:\WINDOWS\system32\Drivers\SYMEVENT.SYS" at address 0xa48ce910
#: 068 Function Name: NtDuplicateObject
Status: Hooked by "<unknown>" at address 0x891ecc40
#: 083 Function Name: NtFreeVirtualMemory
Status: Hooked by "<unknown>" at address 0x88e92220
#: 089 Function Name: NtImpersonateAnonymousToken
Status: Hooked by "<unknown>" at address 0x893e6cf8
#: 091 Function Name: NtImpersonateThread
Status: Hooked by "<unknown>" at address 0x88fe3488
#: 097 Function Name: NtLoadDriver
Status: Hooked by "<unknown>" at address 0x89161758
#: 108 Function Name: NtMapViewOfSection
Status: Hooked by "<unknown>" at address 0x8932b3a8
#: 114 Function Name: NtOpenEvent
Status: Hooked by "<unknown>" at address 0x893e73f0
#: 119 Function Name: NtOpenKey
Status: Hooked by "C:\WINDOWS\system32\Drivers\SYMEVENT.SYS" at address 0xa48ce6c0
#: 122 Function Name: NtOpenProcess
Status: Hooked by "<unknown>" at address 0x88ff63d0
#: 123 Function Name: NtOpenProcessToken
Status: Hooked by "<unknown>" at address 0x89111160
#: 125 Function Name: NtOpenSection
Status: Hooked by "<unknown>" at address 0x89421a38
#: 128 Function Name: NtOpenThread
Status: Hooked by "<unknown>" at address 0x88f67160
#: 137 Function Name: NtProtectVirtualMemory
Status: Hooked by "<unknown>" at address 0x891b8aa8
#: 206 Function Name: NtResumeThread
Status: Hooked by "<unknown>" at address 0x8911a1f0
#: 213 Function Name: NtSetContextThread
Status: Hooked by "<unknown>" at address 0x8928fd68
#: 228 Function Name: NtSetInformationProcess
Status: Hooked by "<unknown>" at address 0x88f7c1b0
#: 240 Function Name: NtSetSystemInformation
Status: Hooked by "<unknown>" at address 0x8935a960
#: 247 Function Name: NtSetValueKey
Status: Hooked by "C:\WINDOWS\system32\Drivers\SYMEVENT.SYS" at address 0xa48ceb60
#: 253 Function Name: NtSuspendProcess
Status: Hooked by "<unknown>" at address 0x893245f0
#: 254 Function Name: NtSuspendThread
Status: Hooked by "<unknown>" at address 0x8932b6c0
#: 257 Function Name: NtTerminateProcess
Status: Hooked by "<unknown>" at address 0x88f58150
#: 258 Function Name: NtTerminateThread
Status: Hooked by "<unknown>" at address 0x8917b270
#: 267 Function Name: NtUnmapViewOfSection
Status: Hooked by "<unknown>" at address 0x89111128
#: 277 Function Name: NtWriteVirtualMemory
Status: Hooked by "<unknown>" at address 0x890ae1a0
==EOF====EOF==
Try this one please
http://img.photobucket.com/albums/v666/sUBs/gmer_zip.gif
Download GMER Rootkit Scanner from here (http://www.gmer.net/gmer.zip) or here (http://www.majorgeeks.com/download.php?det=5198).
Extract the contents of the zipped file to desktop.
Double click GMER.exe. If asked to allow gmer.sys driver to load, please consent .
If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.
http://i266.photobucket.com/albums/ii277/sUBs_/th_Gmer_initScan.gif (http://i266.photobucket.com/albums/ii277/sUBs_/Gmer_initScan.gif)
Click the image to enlarge it
In the right panel, you will see several boxes that have been checked. Uncheck the following ...
Sections
IAT/EAT
Drives/Partition other than Systemdrive (typically C:\)
Show All (don't miss this one)
Then click the Scan button & wait for it to finish.
Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post.
Save it where you can easily find it, such as your desktop, and post it in your next reply.
**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOKIT" entries
randytattershall
2009-10-01, 05:56
Here is the latest report.
Your assistance here is really appreciated!!!!
Thanks
Randy:bigthumb:
GMER 1.0.15.15087 - http://www.gmer.net
Rootkit scan 2009-09-30 20:53:10
Windows 5.1.2600 Service Pack 2
Running: gmer.exe; Driver: C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\kxldapow.sys
---- System - GMER 1.0.15 ----
SSDT 88ED6300 ZwAlertResumeThread
SSDT 88E68C78 ZwAlertThread
SSDT 893594A8 ZwAllocateVirtualMemory
SSDT 8935C330 ZwAssignProcessToJobObject
SSDT 889773D8 ZwConnectPort
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwCreateKey [0xA48CE130]
SSDT 893E7428 ZwCreateMutant
SSDT 88F7C280 ZwCreateSymbolicLinkObject
SSDT 8939BF48 ZwCreateThread
SSDT 893540D0 ZwDebugActiveProcess
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteKey [0xA48CE3B0]
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteValueKey [0xA48CE910]
SSDT 891ECC40 ZwDuplicateObject
SSDT 88E92220 ZwFreeVirtualMemory
SSDT 893E6CF8 ZwImpersonateAnonymousToken
SSDT 88FE3488 ZwImpersonateThread
SSDT 89161758 ZwLoadDriver
SSDT 8932B3A8 ZwMapViewOfSection
SSDT 893E73F0 ZwOpenEvent
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwOpenKey [0xA48CE6C0]
SSDT 88FF63D0 ZwOpenProcess
SSDT 89111160 ZwOpenProcessToken
SSDT 89421A38 ZwOpenSection
SSDT 88F67160 ZwOpenThread
SSDT 891B8AA8 ZwProtectVirtualMemory
SSDT 8911A1F0 ZwResumeThread
SSDT 8928FD68 ZwSetContextThread
SSDT 88F7C1B0 ZwSetInformationProcess
SSDT 8935A960 ZwSetSystemInformation
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwSetValueKey [0xA48CEB60]
SSDT 893245F0 ZwSuspendProcess
SSDT 8932B6C0 ZwSuspendThread
SSDT 88F58150 ZwTerminateProcess
SSDT 8917B270 ZwTerminateThread
SSDT 89111128 ZwUnmapViewOfSection
SSDT 890AE1A0 ZwWriteVirtualMemory
Code 1A2C48F7 KeFindConfigurationEntry
---- Devices - GMER 1.0.15 ----
AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 ELkbd.sys (Intel Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
Device \FileSystem\Cdfs \Cdfs A2DFF400
Device \FileSystem\Cdfs \Cdfs A2E02C74
---- EOF - GMER 1.0.15 ----
Hello Randy,
Total Security is a Rogue program that is installed with a Rootkit and I am not looking at anything on any of your logs that is showing a Rootkit, but I do see TS installed.
Disable the TeaTimer, leave it disabled, do not turn it back on until we're done or it will prevent fixes from taking
Run Spybot-S&D in Advanced Mode.
If it is not already set to do this Go to the Mode menu select "Advanced Mode"
On the left hand side, Click on Tools
Then click on the Resident Icon in the List
Uncheck "Resident TeaTimer" and OK any prompts.
Restart your computer.<--You need to do this for it to take effect
Open HijackThis > Do a System Scan Only, close your browser and all open windows including this one, the only program or window you should have open is HijackThis, check the following entries and click on Fix Checked.
O4 - HKCU\..\Run: [TS] C:\Program Files\TS\tsc.exe
Download: DelDomains (http://mvps.org/winhelp2002/DelDomains.inf) and save it to the desktop.
Close all open windows and your browser
Right Click DelDomains.inf and select > Install
Reboot your computer
Internet Explorer is needed to run this program properly.
Please download Malwarebytes' Anti-Malware from Here (http://www.besttechie.net/tools/mbam-setup.exe) or Here (http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html)
Double-click mbam-setup.exe and follow the prompts to install the program.
At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select Perform quick scan, then click Scan.
http://forums.whatthetech.com/post_a4255_MBAM.PNG
When the scan is complete, click OK, then Show Results to view the results.
Be sure that everything is checked, and click Remove Selected .
When completed, a log will open in Notepad. Please save it to a convenient location and post the results.
Note: If you receive a notice that some of the items couldn't be removed, that they have been added to the delete on reboot list, please reboot.
Post the report and also a new HJT log please
randytattershall
2009-10-02, 05:10
Ken, Followed to a tee! Did not find the tsc.exe with the HJT so moved on through your list. (Not in HJT below either.)
Can not express enough my appreciation for your help!!!
Thanks
Randy
Malwarebytes' Anti-Malware 1.41
Database version: 2890
Windows 5.1.2600 Service Pack 2
10/1/2009 7:54:33 PM
mbam-log-2009-10-01 (19-54-33).txt
Scan type: Quick Scan
Objects scanned: 115260
Time elapsed: 7 minute(s), 3 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 23
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 12
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
C:\Program Files\Windows Live\Messenger\msimg32.dll (Adware.MyWebSearch) -> Delete on reboot.
Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{00a6faf1-072e-44cf-8957-5838f569a31d} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07b18ea9-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07b18eab-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1d4db7d2-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{25560540-9571-4d7b-9389-0f166788785a} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{3dc201fb-e9c9-499c-a11f-23c360d7c3f8} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{9ff05104-b030-46fc-94b8-81276e4e27df} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{343ce214-9998-4b21-a151-ffe970167297} (Rogue.Installer) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{e596df5f-4239-4d40-8367-ebadf0165917} (Rogue.Installer) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{59c7fc09-1c83-4648-b3e6-003d2bbc7481} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{68af847f-6e91-45dd-9b68-d6a12c30e5d7} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9170b96c-28d4-4626-8358-27e6caeef907} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{d1a71fa0-ff48-48dd-9b6d-7a13a3e42127} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{ddb1968e-ead6-40fd-8dae-ff14757f60c7} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{f138d901-86f0-4383-99b6-9cdd406036da} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{25560540-9571-4d7b-9389-0f166788785a} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{3dc201fb-e9c9-499c-a11f-23c360d7c3f8} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{63d0ed2c-b45b-4458-8b3b-60c69bbbd83c} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{98d9753d-d73b-42d5-8c85-4469cda897ab} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{9ff05104-b030-46fc-94b8-81276e4e27df} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Servises (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\RunDll32Policy\f3ScrCtr.dll (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
C:\Program Files\Common Files\TSUninstall (Rogue.TotalSecurity) -> Quarantined and deleted successfully.
Files Infected:
C:\Program Files\Windows Live\Messenger\msimg32.dll (Adware.MyWebSearch) -> Delete on reboot.
C:\WINDOWS\system32\dg.exe (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\Program Files\Common Files\TSUninstall\Uninstall.lnk (Rogue.TotalSecurity) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Desktop\Total Security.lnk (Rogue.TotalSecurity) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\TS\Computer Scan.lnk (Rogue.TotalSecurity) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\TS\Help.lnk (Rogue.TotalSecurity) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\TS\Registration.lnk (Rogue.TotalSecurity) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\TS\Security Center.lnk (Rogue.TotalSecurity) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\TS\Settings.lnk (Rogue.TotalSecurity) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\TS\Total Security.lnk (Rogue.TotalSecurity) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\TS\Update.lnk (Rogue.TotalSecurity) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Application Data\Microsoft\Internet Explorer\Quick Launch\TS.lnk (Rogue.TotalSecurity) -> Quarantined and deleted successfully.
Whew! muha:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:00:50 PM, on 10/1/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\Program Files\DISC\DISCover.exe
C:\Program Files\DISC\DiscUpdMgr.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\HP DigitalMedia Archive\DMAScheduler.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Canon\MultiPASS4\monitr32.exe
C:\WINDOWS\system32\fxredir.exe
C:\Program Files\Canon\MultiPASS4\MPTBox.exe
C:\Program Files\Caere\OmniPagePro90\opware32.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\WINDOWS\system32\ntvdm.exe
C:\Program Files\Nova Development\Scrapbook Factory Deluxe 4.0\ReminderApp.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE
C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe
C:\Program Files\Norton 360\Engine\3.5.2.11\ccSvcHst.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZIPM12.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\Program Files\Intel\IntelDH\Intel(R) Quick Resume Technology\ELService.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\DISC\DiscStreamHub.exe
C:\Program Files\Norton 360\Engine\3.5.2.11\ccSvcHst.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
c:\windows\system\hpsysdrv.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=63&bd=PAVILION&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=63&bd=PAVILION&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=63&bd=PAVILION&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Symantec NCO BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton 360\Engine\3.5.2.11\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton 360\Engine\3.5.2.11\IPSBHO.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: HpWebHelper - {AAAE832A-5FFF-4661-9C8F-369692D1DCB9} - C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\WebHelper.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.3.4501.1418\swg.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_B7C5AC242193BB3E.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton 360\Engine\3.5.2.11\coIEPlg.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
O4 - HKLM\..\Run: [HPHUPD08] c:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe
O4 - HKLM\..\Run: [DISCover] C:\Program Files\DISC\DISCover.exe
O4 - HKLM\..\Run: [DiscUpdateManager] C:\Program Files\DISC\DiscUpdMgr.exe
O4 - HKLM\..\Run: [DMAScheduler] "c:\Program Files\HP DigitalMedia Archive\DMAScheduler.exe"
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [monitr32] C:\Program Files\Canon\MultiPASS4\monitr32.exe
O4 - HKLM\..\Run: [fxredir] C:\WINDOWS\system32\fxredir.exe
O4 - HKLM\..\Run: [MPTBox] C:\Program Files\Canon\MultiPASS4\MPTBox.exe
O4 - HKLM\..\Run: [OmniPage] C:\Program Files\Caere\OmniPagePro90\opware32.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [ReminderApp] C:\Program Files\Nova Development\Scrapbook Factory Deluxe 4.0\ReminderApp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe" /hide
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - Global Startup: Updates From HP.lnk = C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe
O8 - Extra context menu item: &Search - ?p=ZUxdm326PBUS
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O18 - Protocol: symres - {AA1061FE-6C41-421F-9344-69640C9732AB} - C:\Program Files\Norton 360\Engine\3.5.2.11\coIEPlg.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Intel® Quick Resume Technology Drivers (ELService) - Intel Corporation - C:\Program Files\Intel\IntelDH\Intel(R) Quick Resume Technology\ELService.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: MpService - Canon Inc - C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE
O23 - Service: Norton 360 (N360) - Symantec Corporation - C:\Program Files\Norton 360\Engine\3.5.2.11\ccSvcHst.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZIPM12.EXE
--
End of file - 13657 bytes
Good Morning,
Even though your logs look fine and both Rootkit scanners did not find anything I see an entry from Malwarebytes for the TDSS rootkit, it may be gone or never fully installed but lets make sure.
Download TFC (http://oldtimer.geekstogo.com/TFC.exe) to your desktop
Close any open windows.
Double click the TFC icon to run the program
TFC will close all open programs itself in order to run,
Click the Start button to begin the process.
Allow TFC to run uninterrupted.
The program should not take long to finish it's job
Once its finished it should automatically reboot your machine,
if it doesn't, manually reboot to ensure a complete clean
Reboot your pc
Download ComboFix from one of these locations:
Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)
Link 3 (http://subs.geekstogo.com/ComboFix.exe)
* IMPORTANT !!! Save ComboFix.exe to your Desktop
Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
See this Link (http://www.bleepingcomputer.com/forums/topic114351.html) for programs that need to be disabled and instruction on how to disable them.
Remember to re-enable them when we're done.
Double click on ComboFix.exe & follow the prompts.
As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.
http://i24.photobucket.com/albums/c30/ken545/RcAuto1.gif
Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
http://i24.photobucket.com/albums/c30/ken545/whatnext.jpg
Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply along with a New Hijackthis log.
*If there is no internet connection when Combofix has completely finished then restart your computer to restore back the connections.
randytattershall
2009-10-03, 07:34
Wow! That did not work so well.
I ran the TFC without any issue.
Downloaded the Combo Fix and saved to desk top.
I have norton 360. Disabled antifirus and firewall.
Started combofix, looked to be doing it job, did the system restore step and started the scan. Froze up 45 (or so) seconds into the scan. The page said it possibly could take some time so I left it just incase it was still working. Hours later still in the stalled mode. Closed program and tried to get on line. Kept getting redirected and would not allow access to internet. Restarted computer and ran comb fix again. Same result. Closed and restarted 3rd time. This time Combo fix said update was now available. Loaded and program looked like it was going to work this time but stalled in the scan process again. Restarted computer again. Was able to access internet so here I am.
Attaching acreen prints.
OR NOT, MS Word is locked up and will not open my file and will not close even with task manager.
randytattershall
2009-10-03, 08:06
I tried again to open MS word and locked up. Had to use task manager to force restart. I will leave that alone for now till I hear back from you.
Thanks
Randy
Good Morning Randy,
Lets leave Combofix be for the moment.
Run this program, it won't fix anything but I need to see the report.
Download DDS by sUBs from one of the following links. Save it to your desktop.
DDS.com (http://www.techsupportforum.com/sectools/sUBs/dds)
DDS.scr (http://download.bleepingcomputer.com/sUBs/dds.scr)
DDS.pif (http://www.forospyware.com/sUBs/dds)
Double click on the DDS icon, allow it to run.
A small box will open, with an explaination about the tool. No input is needed, the scan is running.
Notepad will open with the results, click no to the Optional_Scan
Follow the instructions that pop up for posting the results.
Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.
Information on A/V control Here (http://www.bleepingcomputer.com/forums/topic114351.html)
randytattershall
2009-10-03, 18:49
I was looking in the Add/Remove programs list and found "total security" Details say last used on 10-3-09 and it does not have file size.
Have done nothing in this regard, just reporting.
randytattershall
2009-10-03, 18:56
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
DDS (Ver_09-09-29.01)
Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 3/31/2007 4:42:27 AM
System Uptime: 10/3/2009 9:29:12 AM (0 hours ago)
Motherboard: ASUSTek Computer INC. | | EMERY2
Processor: Intel(R) Pentium(R) D CPU 3.20GHz | Socket 775 | 3200/200mhz
Processor: Intel(R) Pentium(R) D CPU 3.20GHz | Socket 775 | 3200/200mhz
==== Disk Partitions =========================
C: is FIXED (NTFS) - 224 GiB total, 174.464 GiB free.
D: is FIXED (NTFS) - 233 GiB total, 232.812 GiB free.
E: is FIXED (FAT32) - 9 GiB total, 0.481 GiB free.
F: is CDROM ()
G: is CDROM ()
H: is Removable
I: is Removable
J: is Removable
K: is Removable
==== Disabled Device Manager Items =============
Class GUID: {4D36E96C-E325-11CE-BFC1-08002BE10318}
Description: Microsoft Kernel DLS Synthesizer
Device ID: SW\{8C07DD50-7A8D-11D2-8F8C-00C04FBF8FEF}\DMUSIC
Manufacturer: Microsoft
Name: Microsoft Kernel DLS Synthesizer
PNP Device ID: SW\{8C07DD50-7A8D-11D2-8F8C-00C04FBF8FEF}\DMUSIC
Service: DMusic
Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: RAS Async Adapter
Device ID: SW\{EEAB7790-C514-11D1-B42B-00805FC1270E}\ASYNCMAC
Manufacturer: Microsoft
Name: RAS Async Adapter
PNP Device ID: SW\{EEAB7790-C514-11D1-B42B-00805FC1270E}\ASYNCMAC
Service: AsyncMac
==== System Restore Points ===================
RP620: 6/13/2009 1:15:36 AM - System Checkpoint
RP621: 6/13/2009 9:42:19 AM - Logitech QuickCam v11.90.1262
RP622: 6/28/2009 12:22:14 AM - System Checkpoint
RP623: 7/15/2009 6:20:37 AM - Software Distribution Service 3.0
RP624: 7/19/2009 6:25:51 AM - Software Distribution Service 3.0
RP625: 7/30/2009 3:00:20 AM - Software Distribution Service 3.0
RP626: 8/13/2009 8:45:43 AM - Software Distribution Service 3.0
RP627: 8/14/2009 8:57:00 AM - Software Distribution Service 3.0
RP628: 8/27/2009 7:00:37 AM - Software Distribution Service 3.0
RP629: 9/9/2009 12:50:11 PM - Software Distribution Service 3.0
RP630: 10/2/2009 6:14:04 AM - ComboFix created restore point
==== Installed Programs ======================
2007 Microsoft Office Suite Service Pack 1 (SP1)
Adobe Flash Player 10 ActiveX
Adobe Reader 7.0.9
Adobe® Photoshop® Album Starter Edition 3.0
Agere Systems PCI-SV92PP Soft Modem
AiO_Scan
AiO_Scan_CDA
AiOSoftware
AiOSoftwareNPI
Apple Mobile Device Support
Apple Software Update
Bonjour
Bookworm Deluxe
Bounce Symphony
BufferChm
CameraDrivers
CameraUserGuides
Canon MultiPASS Suite 4.00
CP_AtenaShokunin1Config
CP_CalendarTemplates1
cp_LightScribeConfig
cp_OnlineProjectsConfig
CP_Package_Basic1
CP_Package_Variety1
CP_Package_Variety2
CP_Package_Variety3
CP_Panorama1Config
cp_PosterPrintConfig
cp_UpdateProjectsConfig
Critical Update for Windows Media Player 11 (KB959772)
CueTour
Customer Experience Enhancement
Destinations
DeviceManagementQFolder
Diner Dash
DISCover
DocProc
DocumentViewer
Easy Internet Sign-up
Enhanced Multimedia Keyboard Solution
Fax
Fax_CDA
Flip Words
Fonts
GearDrvs
GemMaster Mystic
Google Earth
Google Toolbar for Internet Explorer
High Definition Audio Driver Package - KB888111
Highlight Viewer (Windows Live Toolbar)
HijackThis 2.0.2
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 10 (KB903157)
Hotfix for Windows Media Player 10 (KB910393)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB888795)
Hotfix for Windows XP (KB891593)
Hotfix for Windows XP (KB893357)
Hotfix for Windows XP (KB895961)
Hotfix for Windows XP (KB899337)
Hotfix for Windows XP (KB899510)
Hotfix for Windows XP (KB902841)
Hotfix for Windows XP (KB906569)
Hotfix for Windows XP (KB912024)
Hotfix for Windows XP (KB914440)
Hotfix for Windows XP (KB915865)
Hotfix for Windows XP (KB926239)
Hotfix for Windows XP (KB935448)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB970653-v3)
HP Boot Optimizer
HP Deskjet Printer Preload
HP DigitalMedia Archive
HP Document Viewer 6.1
HP DVD Play 2.1
HP Game Console
HP Imaging Device Functions 7.0
HP Photosmart 330,380,420,470,7800,8000,8200 Series
HP Photosmart Cameras 6.0
HP Photosmart Essential
HP Photosmart for Media Center PC
HP Photosmart Premier Software 6.5
HP Product Assistant
HP PSC & OfficeJet 5.3.B
HP PSC & OfficeJet 6.1.A
HP Rhapsody
HP Solution Center and Imaging Support Tools 6.1
HP Update
HP Web Helper
hpiCamDrvQFolder
HPPhotoSmartExpress
HPProductAssistant
HpSdpAppCoreApp
Insaniquarium Deluxe
InstantShareDevices
Intel Matrix Storage Manager
Intel(R) PRO Network Connections Drivers
Intel(R) Quick Resume Technology Drivers
Intel® Viiv™ Software
iTunes
J2SE Runtime Environment 5.0 Update 11
J2SE Runtime Environment 5.0 Update 5
Java(TM) 6 Update 2
Java(TM) 6 Update 7
LightScribe 1.4.84.1
Logitech Desktop Messenger
Logitech Legacy USB Camera Driver Package
Logitech Webcam Software
Logitech Webcam Software Driver Package
Malwarebytes' Anti-Malware
Map Button (Windows Live Toolbar)
Microsoft .NET Framework 1.0 Hotfix (KB887998)
Microsoft .NET Framework 1.0 Hotfix (KB930494)
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Money 2006
Microsoft National Language Support Downlevel APIs
Microsoft Office Excel MUI (English) 2007
Microsoft Office Home and Student 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Software Update for Web Folders (English) 12
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Works
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
muvee autoProducer 5.0
muvee autoProducer unPlugged 2.0
Mystery Case Files
Netscape Browser (remove only)
NewCopy
NewCopy_CDA
Norton 360
NVIDIA Drivers
OmniPage Pro 9.0
OpenOffice.org Installer 1.0
OptionalContentQFolder
Otto
PanoStandAlone
PC-Doctor 5 for Windows
PhotoGallery
PSPrinters08
PSTAPlugin
Python 2.2 pywin32 extensions (build 203)
Python 2.2.3
Quicken 2007
QuickTime
RandMap
Readme
RealPlayer
Realtek High Definition Audio Driver
Rhapsody
Rhapsody Player Engine
Ricochet Lost Worlds
Scan
Scan Manager 5.2
ScannerCopy
SCRABBLE
Scrapbook Factory Deluxe 4.0
Security Update for 2007 Microsoft Office System (KB951550)
Security Update for 2007 Microsoft Office System (KB951944)
Security Update for 2007 Microsoft Office System (KB969559)
Security Update for 2007 Microsoft Office System (KB969679)
Security Update for Microsoft Office Excel 2007 (KB969682)
Security Update for Microsoft Office OneNote 2007 (KB950130)
Security Update for Microsoft Office PowerPoint 2007 (KB957789)
Security Update for Microsoft Office system 2007 (KB954326)
Security Update for Microsoft Office system 2007 (KB969613)
Security Update for Microsoft Office Word 2007 (KB969604)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Visio 2007 (KB947590)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Internet Explorer 8 (KB969897)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB972260)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB883939)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921503)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928090)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB929969)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931768)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933566)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB937143)
Security Update for Windows XP (KB937894)
Security Update for Windows XP (KB938127)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB938829)
Security Update for Windows XP (KB941202)
Security Update for Windows XP (KB941568)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB941644)
Security Update for Windows XP (KB941693)
Security Update for Windows XP (KB943055)
Security Update for Windows XP (KB943460)
Security Update for Windows XP (KB943485)
Security Update for Windows XP (KB944653)
Security Update for Windows XP (KB945553)
Security Update for Windows XP (KB946026)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB948590)
Security Update for Windows XP (KB948881)
Security Update for Windows XP (KB950749)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958470)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB971032)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973869)
SkinsHP1
SlideShow
SlideShowMusic
Smart Menus (Windows Live Toolbar)
SolutionCenter
Sonic Express Labeler
Sonic MyDVD Plus
Sonic RecordNow Audio
Sonic RecordNow Copy
Sonic RecordNow Data
Sonic Update Manager
Sonic_PrimoSDK
Spybot - Search & Destroy
Status
Toolbox
Tornado Jockey
Total Security
Tradewinds
TrayApp
Unload
Update for 2007 Microsoft Office System (KB967642)
Update for Windows Internet Explorer 8 (KB971930)
Update for Windows Media Player 10 (KB913800)
Update for Windows Media Player 10 (KB926251)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB904942)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB912945)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB927891)
Update for Windows XP (KB929338)
Update for Windows XP (KB930916)
Update for Windows XP (KB931836)
Update for Windows XP (KB932823-v3)
Update for Windows XP (KB933360)
Update for Windows XP (KB936357)
Update for Windows XP (KB938828)
Update for Windows XP (KB942763)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB973815)
Update Rollup 2 for Windows XP Media Center Edition 2005
Updates from HP (remove only)
URGE
WebFldrs XP
WebReg
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Imaging Component
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows Internet Explorer 8
Windows Live Favorites for Windows Live Toolbar
Windows Live installer
Windows Live Mail
Windows Live Messenger
Windows Live Photo Gallery
Windows Live Sign-in Assistant
Windows Live Toolbar
Windows Live Toolbar Extension (Windows Live Toolbar)
Windows Media Format 11 runtime
Windows Media Player 11
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB883667
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB892050
Windows XP Hotfix - KB893066
Windows XP Media Center Edition 2005 KB908246
Windows XP Media Center Edition 2005 KB925766
Windows XP Media Center Edition 2005 KB973768
Yahoo! Toolbar
==== Event Viewer Messages From Past Week ========
9/28/2009 5:39:22 AM, error: System Error [1003] - Error code 0000007f, parameter1 00000000, parameter2 00000000, parameter3 00000000, parameter4 00000000.
9/28/2009 12:45:15 PM, error: Print [6161] - The document Microsoft Word - Document1 owned by HP_Administrator failed to print on printer Canon MultiPASS F50 Printer. Data type: NT EMF 1.008. Size of the spool file in bytes: 49545216. Number of bytes printed: 6594712. Total number of pages in the document: 8. Number of pages printed: 1. Client machine: \\DESKTOP. Win32 error code returned by the print processor: 0 (0x0).
10/3/2009 9:50:26 AM, error: Service Control Manager [7016] - The MpService service has reported an invalid current state 0.
10/2/2009 9:49:44 PM, error: Service Control Manager [7023] - The Automatic Updates service terminated with the following error: The specified module could not be found.
10/2/2009 6:08:10 AM, error: Service Control Manager [7034] - The Process Monitor service terminated unexpectedly. It has done this 1 time(s).
10/2/2009 6:08:10 AM, error: Service Control Manager [7034] - The Pml Driver HPZ12 service terminated unexpectedly. It has done this 1 time(s).
10/2/2009 6:08:10 AM, error: Service Control Manager [7034] - The NVIDIA Display Driver Service service terminated unexpectedly. It has done this 1 time(s).
10/2/2009 6:08:10 AM, error: Service Control Manager [7034] - The MpService service terminated unexpectedly. It has done this 1 time(s).
10/2/2009 6:08:10 AM, error: Service Control Manager [7034] - The Media Center Scheduler Service service terminated unexpectedly. It has done this 1 time(s).
10/2/2009 6:08:10 AM, error: Service Control Manager [7034] - The Machine Debug Manager service terminated unexpectedly. It has done this 1 time(s).
10/2/2009 6:08:10 AM, error: Service Control Manager [7034] - The LightScribeService Direct Disc Labeling Service service terminated unexpectedly. It has done this 1 time(s).
10/2/2009 6:08:10 AM, error: Service Control Manager [7034] - The iPod Service service terminated unexpectedly. It has done this 1 time(s).
10/2/2009 6:08:10 AM, error: Service Control Manager [7034] - The Intel® Quick Resume Technology Drivers service terminated unexpectedly. It has done this 1 time(s).
10/2/2009 6:08:10 AM, error: Service Control Manager [7034] - The Intel(R) Matrix Storage Event Monitor service terminated unexpectedly. It has done this 1 time(s).
10/2/2009 6:08:10 AM, error: Service Control Manager [7034] - The Bonjour Service service terminated unexpectedly. It has done this 1 time(s).
10/2/2009 6:08:10 AM, error: Service Control Manager [7031] - The Media Center Receiver Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 5000 milliseconds: Restart the service.
10/2/2009 6:08:10 AM, error: Service Control Manager [7031] - The Media Center Extender Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 5000 milliseconds: Restart the service.
10/2/2009 6:08:10 AM, error: Service Control Manager [7031] - The Apple Mobile Device service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
10/2/2009 5:21:10 PM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the WZCSVC service.
10/1/2009 7:39:34 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: ftsata2
10/1/2009 12:49:39 AM, error: W32Time [17] - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 15 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)
==== End Of File ===========================
Second report
DDS (Ver_09-09-29.01) - NTFSx86
Run by HP_Administrator at 9:50:24.73 on Sat 10/03/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2046.1285 [GMT -7:00]
AV: Norton 360 *On-access scanning enabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton 360 *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
============== Running Processes ===============
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE
C:\Program Files\Norton 360\Engine\3.5.2.11\ccSvcHst.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZIPM12.EXE
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Intel\IntelDH\Intel(R) Quick Resume Technology\ELService.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Norton 360\Engine\3.5.2.11\ccSvcHst.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\DISC\DISCover.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\HP DigitalMedia Archive\DMAScheduler.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Canon\MultiPASS4\monitr32.exe
C:\WINDOWS\system32\fxredir.exe
C:\Program Files\Canon\MultiPASS4\MPTBox.exe
C:\Program Files\Caere\OmniPagePro90\opware32.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Nova Development\Scrapbook Factory Deluxe 4.0\ReminderApp.exe
C:\WINDOWS\system32\ntvdm.exe
C:\Program Files\DISC\DiscUpdMgr.exe
C:\Program Files\DISC\DiscStreamHub.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe
C:\Program Files\Java\jre1.6.0_07\bin\jucheck.exe
c:\windows\system\hpsysdrv.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Microsoft Office\Office12\WINWORD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Windows Live Toolbar\msn_sl.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\HP_Administrator\Desktop\dds.com
============== Pseudo HJT Report ===============
uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=63&bd=PAVILION&pf=desktop
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=63&bd=PAVILION&pf=desktop
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=63&bd=PAVILION&pf=desktop
uInternet Settings,ProxyOverride = *.local
mSearchAssistant = hxxp://www.google.com/ie
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton 360\engine\3.5.2.11\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton 360\engine\3.5.2.11\IPSBHO.DLL
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: hpWebHelper Class: {aaae832a-5fff-4661-9c8f-369692d1dcb9} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\plugin\WebHelper.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.3.4501.1418\swg.dll
BHO: Windows Live Toolbar Helper: {bdbd1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll
BHO: 1 (0x1) - No File
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_B7C5AC242193BB3E.dll
TB: Windows Live Toolbar: {bdad1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton 360\engine\3.5.2.11\coIEPlg.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MsnMsgr] "c:\program files\windows live\messenger\MsnMsgr.Exe" /background
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\iaanotif.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
mRun: [HPHUPD08] c:\program files\hp\digital imaging\{33d6cc28-9f75-4d1b-a11d-98895b3a3729}\hphupd08.exe
mRun: [DISCover] c:\program files\disc\DISCover.exe
mRun: [DiscUpdateManager] c:\program files\disc\DiscUpdMgr.exe
mRun: [DMAScheduler] "c:\program files\hp digitalmedia archive\DMAScheduler.exe"
mRun: [Recguard] c:\windows\sminst\RECGUARD.EXE
mRun: [<NO NAME>]
mRun: [PCDrProfiler]
mRun: [HPBootOp] "c:\program files\hewlett-packard\hp boot optimizer\HPBootOp.exe" /run
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_07\bin\jusched.exe"
mRun: [KBD] c:\hp\kbd\KBD.EXE
mRun: [monitr32] c:\program files\canon\multipass4\monitr32.exe
mRun: [fxredir] c:\windows\system32\fxredir.exe
mRun: [MPTBox] c:\program files\canon\multipass4\MPTBox.exe
mRun: [OmniPage] c:\program files\caere\omnipagepro90\opware32.exe
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [Adobe Photo Downloader] "c:\program files\adobe\photoshop album starter edition\3.0\apps\apdproxy.exe"
mRun: [ReminderApp] c:\program files\nova development\scrapbook factory deluxe 4.0\ReminderApp.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [LogitechQuickCamRibbon] "c:\program files\logitech\logitech webcam software\LWS.exe" /hide
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\desktop messenger\8876480\program\LogitechDesktopMessenger.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\update~1.lnk - c:\program files\updates from hp\9972322\program\Updates from HP.exe
IE: &Search - ?p=ZUxdm326PBUS
IE: &Windows Live Search - c:\program files\windows live toolbar\msntb.dll/search.htm
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office12\EXCEL.EXE/3000
IE: {E2D4D26B-0180-43a4-B05F-462D6D54C789} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\iebutton\support.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~4\office12\ONBttnIE.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} - hxxps://webdl.symantec.com/activex/symdlmgr.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0015-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_05-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\logitech\desktop messenger\8876480\program\GAPlugProtocol-8876480.dll
Handler: symres - {AA1061FE-6C41-421f-9344-69640C9732AB} - c:\program files\norton 360\engine\3.5.2.11\CoIEPlg.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
============= SERVICES / DRIVERS ===============
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\n360\0305020.00b\SymEFA.sys [2009-9-8 310320]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\n360\0305020.00b\BHDrvx86.sys [2009-9-8 259632]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\n360\0305020.00b\cchpx86.sys [2009-9-8 482432]
R1 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\ipsdefs\20090916.003\IDSXpx86.sys [2009-9-17 329080]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 N360;Norton 360;c:\program files\norton 360\engine\3.5.2.11\ccSvcHst.exe [2009-9-8 117640]
R3 CXFALCON;Conexant Falcon II NTSC Video Capture;c:\windows\system32\drivers\cxfalcon.sys [2006-6-10 82048]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-9-30 102448]
R3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20091003.004\NAVENG.SYS [2009-10-3 84912]
R3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20091003.004\NAVEX15.SYS [2009-10-3 1323568]
R3 WN5301;LIteon Wireless PCI Network Adapter Service;c:\windows\system32\drivers\wn5301.sys [2006-6-10 468768]
=============== Created Last 30 ================
2009-10-02 21:53 388,608 a------- c:\windows\system32\CF1132.exe
2009-10-02 21:53 <DIR> --ds---- C:\ComboFix
2009-10-02 21:52 388,608 a------- c:\windows\system32\CF10542.exe
2009-10-02 17:31 388,608 a------- c:\windows\system32\CF20237.exe
2009-10-02 17:26 388,608 a------- c:\windows\system32\CF20634.exe
2009-10-02 07:06 388,608 a------- c:\windows\system32\CF20803.exe
2009-10-02 06:13 229,888 a------- c:\windows\PEV.exe
2009-10-02 06:13 161,792 a------- c:\windows\SWREG.exe
2009-10-02 06:13 98,816 a------- c:\windows\sed.exe
2009-10-02 06:13 388,608 a------- c:\windows\system32\CF19986.exe
2009-10-02 05:52 <DIR> --d----- c:\docume~1\hp_adm~1\applic~1\HpUpdate
2009-10-02 05:52 <DIR> --d----- c:\windows\Hewlett-Packard
2009-10-01 19:45 <DIR> --d----- c:\docume~1\hp_adm~1\applic~1\Malwarebytes
2009-10-01 19:45 38,224 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-01 19:45 19,160 a------- c:\windows\system32\drivers\mbam.sys
2009-10-01 19:45 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-10-01 19:45 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-09-28 21:54 <DIR> --d----- c:\program files\Trend Micro
2009-09-25 14:23 <DIR> --d----- c:\program files\TS
==================== Find3M ====================
2009-08-19 12:14 124,976 a------- c:\windows\system32\drivers\SYMEVENT.SYS
2009-08-19 12:14 60,808 a------- c:\windows\system32\S32EVNT1.DLL
2009-08-19 12:14 7,456 a------- c:\windows\system32\drivers\SYMEVENT.CAT
2009-08-19 12:14 806 a------- c:\windows\system32\drivers\SYMEVENT.INF
2009-08-19 12:13 107,368 a----r-- c:\windows\system32\GEARAspi.dll
2009-08-19 12:13 26,600 a----r-- c:\windows\system32\drivers\GEARAspiWDM.sys
2009-08-18 12:20 36,400 a----r-- c:\windows\system32\drivers\SymIM.sys
2009-08-05 02:11 204,800 a------- c:\windows\system32\mswebdvd.dll
2009-08-05 02:11 204,800 a------- c:\windows\system32\dllcache\mswebdvd.dll
2009-07-19 18:48 11,067,392 -------- c:\windows\system32\dllcache\ieframe.dll
2009-07-19 06:18 5,937,152 -------- c:\windows\system32\dllcache\mshtml.dll
2009-07-17 11:55 58,880 a------- c:\windows\system32\dllcache\atl.dll
2009-07-17 11:55 58,880 a------- c:\windows\system32\atl.dll
2009-07-13 23:43 10,841,088 a------- c:\windows\system32\dllcache\wmp.dll
2009-07-13 23:43 286,208 a------- c:\windows\system32\wmpdxm.dll
2009-07-13 23:43 286,208 a------- c:\windows\system32\dllcache\wmpdxm.dll
2009-07-10 06:42 1,315,328 a------- c:\windows\system32\dllcache\msoe.dll
2007-08-03 16:46 251 a------- c:\program files\wt3d.ini
2007-05-05 12:41 22 a--sh--- c:\windows\sminst\HPCD.sys
============= FINISH: 9:51:12.36 ===============
Hi,
c:\program files\TS <--Delete this folder
Please run this free online virus scanner from ESET (http://www.eset.eu/online-scanner)
Note: You will need to use Internet explorer for this scan
Tick the box next to YES, I accept the Terms of Use.
Click Start
When asked, allow the activex control to install
Click Start
Make sure that the option Remove found threats is ticked, and the option Scan unwanted applications is checked
Click Scan
Wait for the scan to finish
Use notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
Copy and paste that log as a reply to this topic
randytattershall
2009-10-05, 05:15
Finished report.
ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=6
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6050
# api_version=3.0.2
# EOSSerial=994ab5911157224496e10cdc0b6054d0
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=false
# utc_time=2009-10-05 03:08:09
# local_time=2009-10-04 08:08:09 (-0800, Pacific Daylight Time)
# country="United States"
# lang=9
# osver=5.1.2600 NT Service Pack 2
# compatibility_mode=3589 21 100 100 22618820625000
# scanned=124617
# found=8
# cleaned=8
# scan_time=3834
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MyWayMyWebSearch1.zip Win32/Bagle.gen.zip worm (cleaned by deleting - quarantined) 9DAE018BDABFC5BB841351FDBB268340 C
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MyWayMyWebSearch5.zip Win32/Bagle.gen.zip worm (cleaned by deleting - quarantined) 6CEF6761AA3387BBC54555E7DD36881A C
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WildTangent19.zip Win32/Bagle.gen.zip worm (cleaned by deleting - quarantined) 02EB5D065060053E14AB0CC1B803C5B2 C
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WildTangent49.zip Win32/Bagle.gen.zip worm (cleaned by deleting - quarantined) D2B2733BB3EF0CAE804D14F3FD4AE01D C
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WildTangent8.zip Win32/Bagle.gen.zip worm (cleaned by deleting - quarantined) E6647E5F04285B83DAF893E3801A37DB C
C:\Program Files\Netscape\Netscape Browser\chrome\m3ntstbr.jar Win32/Toolbar.MyWebSearch application (cleaned by deleting - quarantined) AB3215E9A56E91D45753D1BC56682B96 C
C:\Program Files\Netscape\Netscape Browser\plugins\NPMyWebS.dll Win32/Toolbar.MyWebSearch application (cleaned by deleting - quarantined) 618631EFA98F57659502EB9AC7C1E69B C
C:\Program Files\Windows Live\Messenger\riched20.dll Win32/Toolbar.MyWebSearch application (cleaned by deleting - quarantined) C4FF418909D55A7744B04774A83135C9 C
randytattershall
2009-10-05, 07:05
FYI Researching Norton 360 history. View entry on 9-25-09
Category: System Activity Monitoring
Date & Time,Severity,Activity,Status,Recommended Action,Program,Last Updated,Affected Area,Modified resource,Target file
10/3/2009 9:50 AM,Low,"dds.com made 4 modifications to your computer., Resource",Detected,"No Action Required, No Action Required",c:\documents and settings\hp_administrator\desktop\dds.com,"Saturday, October 03, 2009 9:50 AM",System Configuration,"c:\documents and settings\hp_administrator\local settings\temp\rarsfx0\eds.exe, c:\documents and settings\hp_administrator\local settings\temp\rarsfx0\etpaths.exe, c:\documents and settings\hp_administrator\local settings\temp\rarsfx0\fi.exe, c:\documents and settings\hp_administrator\local settings\temp\rarsfx0\wregs.exe",
10/1/2009 7:45 PM,Low,"mbam-setup[1].tmp made 27 modifications to your computer., Resource, Resource",Detected,"No Action Required, No Action Required",c:\documents and settings\hp_administrator\local settings\temp\is-1q2su.tmp\mbam-setup[1].tmp,"Thursday, October 01, 2009 7:45 PM","System Configuration, Windows Startup Settings","c:\documents and settings\hp_administrator\local settings\temp\is-n502c.tmp\_isetup\_regdll.tmp, c:\documents and settings\hp_administrator\local settings\temp\is-n502c.tmp\_isetup\_shfoldr.dll, c:\documents and settings\hp_administrator\local settings\temp\is-n502c.tmp\mbam.dll, c:\program files\malwarebytes' anti-malware\is-6nq6g.tmp, c:\program files\malwarebytes' anti-malware\is-240ee.tmp, c:\program files\malwarebytes' anti-malware\is-p2pma.tmp, c:\program files\malwarebytes' anti-malware\is-ge1v2.tmp, c:\program files\malwarebytes' anti-malware\is-petl8.tmp, c:\windows\system32\drivers\mbam.sys, c:\program files\malwarebytes' anti-malware\is-0cumh.tmp, c:\windows\system32\drivers\is-sjlfs.tmp, c:\program files\malwarebytes' anti-malware\is-483jr.tmp, c:\program files\malwarebytes' anti-malware\is-4pv1s.tmp, c:\program files\malwarebytes' anti-malware\is-ufob8.tmp, c:\program files\malwarebytes' anti-malware\is-omfad.tmp, c:\program files\malwarebytes' anti-malware\is-9h4ng.tmp, c:\program files\malwarebytes' anti-malware\is-ad4f4.tmp, \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce, \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Malwarebytes' Anti-Malware, \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Malwarebytes' Anti-Malware_is1\DisplayIcon, \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Malwarebytes' Anti-Malware_is1\UninstallString, c:\documents and settings\all users\start menu\programs\malwarebytes' anti-malware\malwarebytes' anti-malware.lnk, c:\documents and settings\all users\start menu\programs\malwarebytes' anti-malware\malwarebytes' anti-malware.lnk, c:\documents and settings\all users\start menu\programs\malwarebytes' anti-malware\malwarebytes' anti-malware help.lnk, c:\documents and settings\all users\start menu\programs\malwarebytes' anti-malware\malwarebytes' anti-malware help.lnk, c:\documents and settings\all users\start menu\programs\malwarebytes' anti-malware\uninstall malwarebytes' anti-malware.lnk, c:\documents and settings\all users\start menu\programs\malwarebytes' anti-malware\uninstall malwarebytes' anti-malware.lnk",
9/30/2009 6:31 PM,Low,"gmer.exe made 4 modifications to your computer., Resource, Resource",Detected,"No Action Required, No Action Required",c:\documents and settings\hp_administrator\local settings\temp\temporary directory 1 for gmer[1].zip\gmer.exe,"Wednesday, September 30, 2009 6:31 PM","System Configuration, Windows System Settings","\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\kxldapow\Type, \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\kxldapow\ImagePath, c:\documents and settings\hp_administrator\local settings\temp\kxldapow.sys",C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\kxldapow.sys
9/28/2009 9:55 PM,Low,"hijackthis.exe made 10 modifications to your Windows Startup Settings., Resource, Resource, Resource",Detected,"No Action Required, No Action Required",c:\program files\trend micro\hijackthis\hijackthis.exe,"Monday, September 28, 2009 9:55 PM","System Configuration, Network Related Activity, Windows Startup Settings","\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\HijackThis\UninstallString, \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\HijackThis\DisplayIcon, c:\windows\system.ini, c:\windows\win.ini, c:\windows\system32\drivers\etc\hosts, c:\documents and settings\randy's\start menu\programs\startup\onenote 2007 screen clipper and launcher.lnk, c:\documents and settings\all users\start menu\programs\startup\adobe reader speed launch.lnk, c:\documents and settings\all users\start menu\programs\startup\hp digital imaging monitor.lnk, c:\documents and settings\all users\start menu\programs\startup\logitech desktop messenger.lnk, c:\documents and settings\all users\start menu\programs\startup\updates from hp.lnk",
9/28/2009 7:04 AM,Low,"rootrepeal.exe made 4 modifications to your computer., Resource, Resource",Detected,"No Action Required, No Action Required",c:\documents and settings\hp_administrator\desktop\rootrepeal.exe,"Monday, September 28, 2009 7:04 AM","System Configuration, Windows System Settings","c:\windows\system32\drivers\rootrepeal.sys, \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\rootrepeal\Type, \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\rootrepeal\ImagePath",C:\WINDOWS\system32\drivers\rootrepeal.sys
9/28/2009 12:56 AM,Low,"advcheck164.tmp made 3 modifications to your System Configuration., Resource",Detected,"No Action Required, No Action Required",c:\documents and settings\hp_administrator\local settings\temp\is-cg54m.tmp\advcheck164.tmp,"Monday, September 28, 2009 12:56 AM",System Configuration,"c:\documents and settings\hp_administrator\local settings\temp\is-2snih.tmp\_isetup\_regdll.tmp, c:\documents and settings\hp_administrator\local settings\temp\is-2snih.tmp\_isetup\_shfoldr.dll, c:\program files\spybot - search & destroy\is-0i5sh.tmp",
9/25/2009 2:23 PM,Low,"tsc.exe made 19 modifications to your Program Startup Settings., Resource, Resource, Resource",Detected,"No Action Required, No Action Required",c:\program files\ts\tsc.exe,"Friday, September 25, 2009 2:23 PM","Windows Startup Settings, System Configuration, Program Startup Settings","c:\documents and settings\hp_administrator\application data\microsoft\internet explorer\quick launch\ts.lnk, c:\documents and settings\hp_administrator\application data\microsoft\internet explorer\quick launch\ts.lnk, c:\documents and settings\all users\start menu\ts\total security.lnk, c:\documents and settings\all users\start menu\ts\total security.lnk, c:\documents and settings\all users\start menu\ts\computer scan.lnk, c:\documents and settings\all users\start menu\ts\computer scan.lnk, c:\documents and settings\all users\start menu\ts\update.lnk, c:\documents and settings\all users\start menu\ts\update.lnk, c:\documents and settings\all users\start menu\ts\settings.lnk, c:\documents and settings\all users\start menu\ts\settings.lnk, c:\documents and settings\all users\start menu\ts\help.lnk, c:\documents and settings\all users\start menu\ts\help.lnk, c:\documents and settings\all users\start menu\ts\registration.lnk, c:\documents and settings\all users\start menu\ts\registration.lnk, c:\documents and settings\all users\start menu\ts\security center.lnk, c:\documents and settings\all users\start menu\ts\security center.lnk, \REGISTRY\USER\S-1-5-21-2567882293-3334311744-1662768229-1008\Software\Microsoft\Windows\CurrentVersion\Run, \REGISTRY\USER\S-1-5-21-2567882293-3334311744-1662768229-1008\Software\Microsoft\Windows\CurrentVersion\Run\TS, \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{35A5B43B-CB8A-49CA-A9F4-D3B308D2E3CC}",9/25/2009 2:23 PM,Low,"soft_123[1].exe made 2 modifications to your computer., Resource",Detected,"No Action Required, No Action Required",c:\documents and settings\hp_administrator\local settings\temporary internet files\content.ie5\en6tnzyz\soft_123[1].exe,"Friday, September 25, 2009 2:23 PM",System Configuration,"c:\program files\ts\tsc.exe, c:\program files\ts\system.dat",9/3/2009 7:35 PM,Low,"au_.exe made 2 modifications to your computer., Resource",Detected,"No Action Required, No Action Required",c:\documents and settings\hp_administrator\local settings\temp\~nsu.tmp\au_.exe,"Thursday, September 03, 2009 7:35 PM",System Configuration,"c:\documents and settings\hp_administrator\local settings\temp\nsvcc3.tmp\nscc4.tmp, c:\documents and settings\hp_administrator\local settings\temp\nsvcc3.tmp\nsexec.dll",
9/3/2009 7:35 PM,Low,"uninstall_activex.exe modified your System Configuration., Resource",Detected,"No Action Required, No Action Required",c:\windows\system32\macromed\flash\uninstall_activex.exe,"Thursday, September 03, 2009 7:35 PM",System Configuration,c:\documents and settings\hp_administrator\local settings\temp\~nsu.tmp\au_.exe,
8/10/2009 9:10 PM,Low,"launchpad.exe modified your System Configuration., Resource",Detected,"No Action Required, No Action Required",c:\documents and settings\hp_administrator\application data\u3\0831411b8a81189c\launchpad.exe,"Monday, August 10, 2009 9:10 PM",System Configuration,c:\documents and settings\hp_administrator\application data\u3\temp\launchpad removal.exe,
6/13/2009 9:59 AM,Low,"teatimer.exe made 2 modifications to your computer., Resource",Detected,"No Action Required, No Action Required",c:\program files\spybot - search & destroy\teatimer.exe,"Saturday, June 13, 2009 9:59 AM",System Configuration,"\REGISTRY\USER\S-1-5-21-2567882293-3334311744-1662768229-1008\Software\Microsoft\Windows\CurrentVersion\Run, \REGISTRY\USER\S-1-5-21-2567882293-3334311744-1662768229-1008\Software\Microsoft\Windows\CurrentVersion\RunOnce",
6/13/2009 9:59 AM,Low,"qttask.exe modified your System Configuration., Resource",Detected,"No Action Required, No Action Required",c:\program files\quicktime\qttask.exe,"Saturday, June 13, 2009 9:59 AM",System Configuration,\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Run,
6/13/2009 9:59 AM,Low,"realsched.exe modified your System Configuration., Resource",Detected,"No Action Required, No Action Required",c:\program files\common files\real\update_ob\realsched.exe,"Saturday, June 13, 2009 9:59 AM",System Configuration,\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Run,
The modifications made in red where by Trendmicro HJT.
ESET found bad files which where backups of what Spybot removed and also some left over entries from MyWebSearch.
How are things running now ?
randytattershall
2009-10-05, 15:40
It looks like this system is running well. I opened a few MS Word docs without issue. Online is smooth. In fear of jinxing myself I think this one is clean.:)
I truely could not have done this without your help! Thank you!!!:rockon:
Looking at the collection of programs I have downloaded what should I keep and what should be removed? (If any)
ALSO, how can I guard against this in the future????:police:
Best Regards,
Randy Tattershall
Hello Randy,
Glad things are working well again.:bigthumb:
DDS <--Drag it to the trash
GMER <--Drag it to the trash
RootRepeal <---Drag it to the trash
DelDomains <--Drag it to the trash
TFC <--Yours to keep, run it about once aweek to clean out the clutter.
Malwarebytes <-- Yours to keep also, check for updates and run a scan now and then.
How did I get infected in the first place ?
Read these links and find out how to prevent getting infected again.
Tutorial for System Restore (http://www.bleepingcomputer.com/tutorials/tutorial56.html) <-- Do this first to prevent yourself from being reinfected.
WhattheTech (http://forums.whatthetech.com/So_how_did_I_get_infected_in_the_first_place_t57817.html)
Grinler BleepingComputer (http://www.bleepingcomputer.com/forums/topic2520.html)
GeeksTo Go (http://www.geekstogo.com/forum/index.php?autocom=custom&page=How_did_I)
Dslreports (http://www.dslreports.com/faq/10002)
Keep in mind if you install some of these programs. Only ONE Anti Virus and only ONE Firewall is recommended, more is overkill and can cause you problems. You can install all the Spyware programs I have listed without any problems. If you install Spyware Blaster and Spyware Guard, they will conflict with the TeaTimer in Spybot , you can still install Spybot Search and Destroy but do not enable the TeaTimer .
Here are some free programs to install, all free and highly regarded by the fine people in the Malware Removal Community
Spybot Search and Destroy 1.6 (http://www.safer-networking.org/en/download/)
Check for Updates/ Immunize and run a Full System Scan on a regular basis. If you install Spyware Blaster ( Recommended ) then do not enable the TeaTimer in Spybot Search and Destroy.
Spyware Blaster (http://www.javacoolsoftware.com/spywareblaster.html) It will prevent most spyware from ever being installed. No scan to run, just update about once a week and enable all protection.
Spyware Guard (http://www.javacoolsoftware.com/spywareguard.html) It offers realtime protection from spyware installation attempts, again, no scan to run, just install it and let it do its thing.
IE-Spyad (http://www.pcworld.com/downloads/file/fid,23332-order,1-page,1-c,antispywaretools/description.html)
IE-Spyad places over 6000 web sites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (cookies etc) from the sites listed, although you will still be able to connect to the sites.
Firefox 3 (http://www.mozilla.org/products/firefox/) It has more features and is a lot more secure than IE. It is a very easy and painless download and install, it will no way interfere with IE, you can use them both.
Safe Surfn
Ken
randytattershall
2009-10-07, 05:05
Ken, I want you to know that we are very greatful for your help. A donation will be underway shortly!!!!
I have downloaded the suggested programs and will surf securely.:thanks:
Thank you again,
Randy Tattershall
Your very welcome Randy,
Take care,
Ken :)