
Active Internet Security 2010, virus, disabled system restore checkpoints

Discussion in 'Malware and Virus Removal Archive' started by TraderJeff, 2010/02/01.

  1. 2010/02/01
    TraderJeff

    TraderJeff Inactive Thread Starter

    [Active] Internet Security 2010, virus, disabled system restore checkpoints

    Also encountering extremely slow and problematic system reboots/bootups

    On Sunday January 24th I was suddenly besieged with Internet Security 2010 system popups and an attempt to download something to my machine. I powered off the machine and when I rebooted the popups again occurred. Using my laptop PC I googled the virus and found your bulletin board. I downloaded rkill and executed it, downloaded Malwarebytes and ran it. I deleted selected items and upon reboot it deleted all but 1. The item that remains is listed below:

    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\asc3550p (Rootkit.Agent) -> Quarantined and deleted successfully.

    I downloaded Spybot and ran it. It found about 6 problems and got rid of them.
    The Internet 2010 virus appears to be gone, Malware also found a gamevance virus and seems to have gotten rid of it.

    Later I decided that I might want to restore back before the Internet 2010 infection but the virus removal deleted all the checkpoints. I later found in System in the Control Panel that the turn off System Restore button was checked. I unchecked it and it went back to monitoring drives C and D.

    Upon the next reboot the System restore button was rechecked and I have not been able to resolve this.

    Lastly, system reboots have been extremely slow when they complete - the icons take 10 minutes or more to appear. Also the last time I went to attempt safe mode with networking it stopped at the MUP driver. The last few reboots have had to be attempted more than once to get it to slowly come up. Any help you can give me will be appreciated. Here are the DDS logs:
    DDS (Ver_09-12-01.01) - NTFSx86
    Run by HP_Administrator at 9:30:53.57 on Mon 02/01/2010
    Internet Explorer: 6.0.2900.2180
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2046.1285 [GMT -6:00]

    AV: Norton 360 *On-access scanning enabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
    FW: Norton 360 *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}

    ============== Running Processes ===============

    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    svchost.exe
    C:\WINDOWS\eHome\ehRecvr.exe
    C:\WINDOWS\eHome\ehSched.exe
    C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
    C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Norton 360\Engine\3.0.0.134\ccSvcHst.exe
    C:\WINDOWS\system32\nvsvc32.exe
    svchost.exe
    C:\Program Files\Intel\IntelDH\Intel(R) Quick Resume Technology Drivers\Elservice.exe
    C:\Program Files\Norton 360\Engine\3.0.0.134\ccSvcHst.exe
    C:\WINDOWS\ehome\ehtray.exe
    C:\WINDOWS\RTHDCPL.EXE
    C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
    C:\Program Files\HP DigitalMedia Archive\DMAScheduler.exe
    C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe
    C:\WINDOWS\eHome\ehmsas.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\HP\KBD\KBD.EXE
    c:\windows\system\hpsysdrv.exe
    C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
    C:\Program Files\DISC\DISCover.exe
    C:\Program Files\DISC\DiscUpdMgr.exe
    C:\Program Files\DISC\DiscStreamHub.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\HP_Administrator\Desktop\dds.pif

    ============== Pseudo HJT Report ===============

    uStart Page = hxxp://att.my.yahoo.com/
    uSearch Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
    uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=PAVILION&pf=desktop
    uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
    uSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
    mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=PAVILION&pf=desktop
    mDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
    mSearch Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
    mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=PAVILION&pf=desktop
    mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
    mSearchAssistant = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
    uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
    BHO: Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
    BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
    BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
    BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
    BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton 360\engine\3.0.0.134\coIEPlg.dll
    BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton 360\engine\3.0.0.134\IPSBHO.DLL
    BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
    BHO: hpWebHelper Class: {aaae832a-5fff-4661-9c8f-369692d1dcb9} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\plugin\WebHelper.dll
    TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
    TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton 360\engine\3.0.0.134\coIEPlg.dll
    uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
    uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
    mRun: [ehTray] c:\windows\ehome\ehtray.exe
    mRun: [ftutil2] rundll32.exe ftutil2.dll,SetWriteCacheMode
    mRun: [RTHDCPL] RTHDCPL.EXE
    mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\Iaanotif.exe
    mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
    mRun: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
    mRun: [DMAScheduler] "c:\program files\hp digitalmedia archive\DMAScheduler.exe "
    mRun: [Recguard] c:\windows\sminst\RECGUARD.EXE
    mRun: [<NO NAME>]
    mRun: [PCDrProfiler]
    mRun: [HPBootOp] "c:\program files\hewlett-packard\hp boot optimizer\HPBootOp.exe" /run
    mRun: [HP Software Update] c:\program files\hp\hp software update\HPwuSchd2.exe
    mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
    mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\update~1.lnk - c:\program files\updates from hp\9972322\program\Updates from HP.exe
    IE: {E2D4D26B-0180-43a4-B05F-462D6D54C789} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\iebutton\support.htm
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
    IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
    Trusted Zone: commercebank.com\tunnel
    Trusted Zone: trymedia.com
    DPF: {181BCAB2-C89B-4E4B-9E6B-59FA67A426B5} - hxxps://tunnel.commercebank.com/epa/nsepa.ocx
    DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
    DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
    DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
    TCP: {71EE03D8-0373-4CC2-8521-290131052559} = 68.94.156.1,68.94.157.1
    TCP: {F3E3CDFB-7809-41E2-B47A-0BDA8A384464} = 68.94.156.1,68.94.157.1
    TCP: {FE3AA6AE-D49E-4033-8249-64759150F78E} = 68.94.156.1,68.94.157.1
    Handler: symres - {AA1061FE-6C41-421f-9344-69640C9732AB} - c:\program files\norton 360\engine\3.0.0.134\CoIEPlg.dll
    Hosts: 127.0.0.1 www.spywareinfo.com
    Hosts: 74.208.77.54 hcurltest1
    Hosts: 82.165.161.232 hcurltest2
    Hosts: 255.255.255.255 hcurltest5
    Hosts: 255.255.255.255 vnsjs1.1stworks.com

    ============= SERVICES / DRIVERS ===============

    R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\n360\0300000.086\SymEFA.sys [2009-8-12 310320]
    R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\n360\0300000.086\BHDrvx86.sys [2009-8-12 258608]
    R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\n360\0300000.086\cchpx86.sys [2009-8-12 482352]
    R1 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\ipsdefs\20100128.002\IDSXpx86.sys [2010-1-29 329592]
    R2 {22D78859-9CE9-4b77-BF18-AC83E81A9263};{22D78859-9CE9-4b77-BF18-AC83E81A9263};c:\program files\hp\dvdplay\000.fcl [2008-8-19 6656]
    R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
    R2 N360;Norton 360;c:\program files\norton 360\engine\3.0.0.134\ccSvcHst.exe [2009-8-12 115560]
    R3 CXFALCON;Conexant Falcon II NTSC Video Capture;c:\windows\system32\drivers\cxfalcon.sys [2008-8-19 82048]
    R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-8-28 102448]
    R3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20100131.022\NAVENG.SYS [2010-2-1 84912]
    R3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20100131.022\NAVEX15.SYS [2010-2-1 1323568]
    R3 WN5301;LIteon Wireless PCI Network Adapter Service;c:\windows\system32\drivers\wn5301.sys [2008-8-19 468768]

    =============== Created Last 30 ================

    2010-01-28 15:27:13 0 d-----w- c:\docume~1\hp_adm~1\applic~1\Uniblue
    2010-01-27 12:46:59 0 d--h--w- c:\windows\system32\GroupPolicy
    2010-01-27 03:53:46 0 d-----w- c:\program files\Norton Support
    2010-01-27 01:34:43 0 d-----w- c:\program files\Spybot - Search & Destroy
    2010-01-27 01:32:24 16409960 ----a-w- C:\spybotsd162.exe
    2010-01-26 16:30:56 664 ----a-w- c:\windows\system32\d3d9caps.dat
    2010-01-25 01:40:28 0 d-----w- c:\docume~1\hp_adm~1\applic~1\Malwarebytes
    2010-01-25 01:40:24 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-01-25 01:40:22 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-01-25 01:40:22 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-01-25 01:40:22 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
    2010-01-25 01:38:41 5061512 ----a-w- C:\mbam-setup.exe
    2010-01-25 01:29:30 0 ----a-w- c:\windows\system32\16060.exe

    ==================== Find3M ====================

    2010-01-31 20:22:43 94208 ----a-w- c:\windows\DUMP9e62.tmp
    2010-01-29 13:41:06 94208 ----a-w- c:\windows\DUMPa538.tmp
    2009-12-16 13:35:58 18432 ----a-w- c:\windows\system32\dllcache\iedw.exe
    2009-12-08 08:59:48 474112 ----a-w- c:\windows\system32\dllcache\shlwapi.dll
    2009-11-21 16:36:13 470528 ----a-w- c:\windows\system32\dllcache\aclayers.dll
    2009-07-13 02:50:33 74895392 --sha-w- c:\windows\system32\drivers\fidbox.dat

    ============= FINISH: 9:31:31.96 ===============

    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT

    DDS (Ver_09-12-01.01)

    Microsoft Windows XP Professional
    Boot Device: \Device\HarddiskVolume1
    Install Date: 8/19/2008 7:21:01 PM
    System Uptime: 2/1/2010 8:43:11 AM (1 hours ago)

    Motherboard: ASUSTek Computer INC. | | Basswood
    Processor: Intel(R) Core(TM)2 CPU 6400 @ 2.13GHz | Socket 775 | 2133/266mhz
    Processor: Intel(R) Core(TM)2 CPU 6400 @ 2.13GHz | Socket 775 | 2133/266mhz

    ==== Disk Partitions =========================

    C: is FIXED (NTFS) - 224 GiB total, 121.999 GiB free.
    D: is FIXED (FAT32) - 8 GiB total, 0.972 GiB free.
    E: is CDROM ()
    F: is Removable
    G: is Removable
    H: is Removable
    I: is Removable

    ==== Disabled Device Manager Items =============

    ==== System Restore Points ===================

    RP11: 2/1/2010 9:01:54 AM - System Checkpoint

    ==== Installed Programs ======================

    Adobe Flash Player 10 ActiveX
    Adobe Reader 7.1.0
    AutoUpdate
    BufferChm
    Citrix Presentation Server Client - Web Only
    CP_AtenaShokunin1Config
    CP_CalendarTemplates1
    cp_LightScribeConfig
    cp_OnlineProjectsConfig
    CP_Package_Basic1
    CP_Package_Variety1
    CP_Package_Variety2
    CP_Package_Variety3
    CP_Panorama1Config
    cp_PosterPrintConfig
    cp_UpdateProjectsConfig
    CueTour
    Data Fax SoftModem with SmartCP
    Destinations
    DeviceManagementQFolder
    DISCover
    DivX
    Enhanced Multimedia Keyboard Solution
    FullDPAppQFolder
    GEAR driver installer for x86 and x64
    GemMaster Mystic
    GoToMeeting 4.1.0.366
    High Definition Audio Driver Package - KB888111
    hotComm® CL
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    Hotfix for Windows Media Player 10 (KB903157)
    Hotfix for Windows Media Player 10 (KB910393)
    Hotfix for Windows XP (KB888795)
    Hotfix for Windows XP (KB891593)
    Hotfix for Windows XP (KB893357)
    Hotfix for Windows XP (KB895961)
    Hotfix for Windows XP (KB899337)
    Hotfix for Windows XP (KB899510)
    Hotfix for Windows XP (KB902841)
    Hotfix for Windows XP (KB906569)
    Hotfix for Windows XP (KB912024)
    Hotfix for Windows XP (KB935448)
    Hotfix for Windows XP (KB952287)
    Hotfix for Windows XP (KB954550-v5)
    Hotfix for Windows XP (KB961118)
    Hotfix for Windows XP (KB970653-v3)
    Hotfix for Windows XP (KB976098-v2)
    HP Boot Optimizer
    HP DigitalMedia Archive
    HP DVD Play HD DVD 2.2
    HP Imaging Device Functions 7.0
    HP Photosmart for Media Center PC
    HP Photosmart Premier Software 6.5
    HP Software Update
    HP Web Helper
    HPPhotoSmartExpress
    HpSdpAppCoreApp
    InstantShareDevices
    Intel(R) Matrix Storage Manager
    Intel(R) PRO Network Connections Drivers
    Intel(R) Quick Resume Technology Drivers
    Intel® Viiv™ Software
    J2SE Runtime Environment 5.0 Update 6
    Java(TM) 6 Update 7
    LightScribe 1.4.105.1
    Malwarebytes' Anti-Malware
    Microsoft .NET Framework 1.0 Hotfix (KB930494)
    Microsoft .NET Framework 1.0 Hotfix (KB953295)
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1 Security Update (KB953297)
    Microsoft .NET Framework 2.0 Service Pack 2
    Microsoft .NET Framework 3.0 Service Pack 2
    Microsoft .NET Framework 3.5 SP1
    Microsoft Money 2006
    Microsoft Office Standard Edition 2003 60 days trial
    Microsoft Silverlight
    Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Works
    Move Media Player
    MSXML 4.0 SP2 (KB936181)
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    MSXML 6 Service Pack 2 (KB973686)
    muvee autoProducer 5.0
    muvee autoProducer unPlugged 2.0
    My HP Games
    Netscape Browser (remove only)
    NinjaTrader 6.5
    Norton 360
    NVIDIA Drivers
    OptionalContentQFolder
    Otto
    PC-Doctor 5 for Windows
    PhotoGallery
    Python 2.2 pywin32 extensions (build 203)
    Python 2.2.3
    Quicken 2006
    RandMap
    Real Only Track 'n Trade Live
    RealPlayer
    Realtek High Definition Audio Driver
    Remove WeatherBug Installer
    Rhapsody
    Security Update for CAPICOM (KB931906)
    Security Update for Step By Step Interactive Training (KB923723)
    Security Update for Windows Media Player (KB952069)
    Security Update for Windows Media Player (KB954155)
    Security Update for Windows Media Player (KB968816)
    Security Update for Windows Media Player (KB973540)
    Security Update for Windows Media Player 10 (KB911565)
    Security Update for Windows Media Player 10 (KB936782)
    Security Update for Windows XP (KB896358)
    Security Update for Windows XP (KB896422)
    Security Update for Windows XP (KB896424)
    Security Update for Windows XP (KB901190)
    Security Update for Windows XP (KB901214)
    Security Update for Windows XP (KB902400)
    Security Update for Windows XP (KB904706)
    Security Update for Windows XP (KB908519)
    Security Update for Windows XP (KB908531)
    Security Update for Windows XP (KB911562)
    Security Update for Windows XP (KB912812)
    Security Update for Windows XP (KB912919)
    Security Update for Windows XP (KB923561)
    Security Update for Windows XP (KB923689)
    Security Update for Windows XP (KB938464)
    Security Update for Windows XP (KB941569)
    Security Update for Windows XP (KB944338-v2)
    Security Update for Windows XP (KB946648)
    Security Update for Windows XP (KB950749)
    Security Update for Windows XP (KB950762)
    Security Update for Windows XP (KB950974)
    Security Update for Windows XP (KB951066)
    Security Update for Windows XP (KB951376-v2)
    Security Update for Windows XP (KB951698)
    Security Update for Windows XP (KB951748)
    Security Update for Windows XP (KB952004)
    Security Update for Windows XP (KB952954)
    Security Update for Windows XP (KB953838)
    Security Update for Windows XP (KB953839)
    Security Update for Windows XP (KB954211)
    Security Update for Windows XP (KB954600)
    Security Update for Windows XP (KB955069)
    Security Update for Windows XP (KB956390)
    Security Update for Windows XP (KB956391)
    Security Update for Windows XP (KB956572)
    Security Update for Windows XP (KB956802)
    Security Update for Windows XP (KB956803)
    Security Update for Windows XP (KB956841)
    Security Update for Windows XP (KB956844)
    Security Update for Windows XP (KB957095)
    Security Update for Windows XP (KB957097)
    Security Update for Windows XP (KB958215)
    Security Update for Windows XP (KB958470)
    Security Update for Windows XP (KB958644)
    Security Update for Windows XP (KB958687)
    Security Update for Windows XP (KB958690)
    Security Update for Windows XP (KB958869)
    Security Update for Windows XP (KB959426)
    Security Update for Windows XP (KB960225)
    Security Update for Windows XP (KB960714)
    Security Update for Windows XP (KB960715)
    Security Update for Windows XP (KB960803)
    Security Update for Windows XP (KB960859)
    Security Update for Windows XP (KB961371)
    Security Update for Windows XP (KB961373)
    Security Update for Windows XP (KB961501)
    Security Update for Windows XP (KB963027)
    Security Update for Windows XP (KB968537)
    Security Update for Windows XP (KB969059)
    Security Update for Windows XP (KB969897)
    Security Update for Windows XP (KB969898)
    Security Update for Windows XP (KB969947)
    Security Update for Windows XP (KB970238)
    Security Update for Windows XP (KB970430)
    Security Update for Windows XP (KB971032)
    Security Update for Windows XP (KB971486)
    Security Update for Windows XP (KB971557)
    Security Update for Windows XP (KB971633)
    Security Update for Windows XP (KB971657)
    Security Update for Windows XP (KB971961)
    Security Update for Windows XP (KB972260)
    Security Update for Windows XP (KB972270)
    Security Update for Windows XP (KB973346)
    Security Update for Windows XP (KB973354)
    Security Update for Windows XP (KB973507)
    Security Update for Windows XP (KB973525)
    Security Update for Windows XP (KB973869)
    Security Update for Windows XP (KB973904)
    Security Update for Windows XP (KB974112)
    Security Update for Windows XP (KB974318)
    Security Update for Windows XP (KB974392)
    Security Update for Windows XP (KB974455)
    Security Update for Windows XP (KB974571)
    Security Update for Windows XP (KB975025)
    Security Update for Windows XP (KB975467)
    Security Update for Windows XP (KB976325)
    SkinsHP1
    SlideShow
    SlideShowMusic
    Sonic Express Labeler
    Sonic MyDVD Plus
    Sonic RecordNow Audio
    Sonic RecordNow Copy
    Sonic RecordNow Data
    Sonic Update Manager
    Sonic_PrimoSDK
    Spybot - Search & Destroy
    Stock Assault 2.0
    Track 'n Trade Live
    Trade Guider EOD
    Unload
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    Update for Windows Media Player 10 (KB913800)
    Update for Windows Media Player 10 (KB926251)
    Update for Windows XP (KB898461)
    Update for Windows XP (KB912945)
    Update for Windows XP (KB925720)
    Update for Windows XP (KB951072-v2)
    Update for Windows XP (KB955759)
    Update for Windows XP (KB955839)
    Update for Windows XP (KB967715)
    Update for Windows XP (KB968389)
    Update for Windows XP (KB971737)
    Update for Windows XP (KB973687)
    Update for Windows XP (KB973815)
    Update for Windows XP (KB976749)
    Update for Windows XP (KB978207)
    Update Rollup 2 for Windows XP Media Center Edition 2005
    Updates from HP (remove only)
    WebFldrs XP
    Windows Imaging Component
    Windows Installer 3.1 (KB893803)
    Windows Media Format Runtime
    Windows XP Hotfix - KB873339
    Windows XP Hotfix - KB883667
    Windows XP Hotfix - KB885250
    Windows XP Hotfix - KB885835
    Windows XP Hotfix - KB885836
    Windows XP Hotfix - KB887472
    Windows XP Hotfix - KB887742
    Windows XP Hotfix - KB888113
    Windows XP Hotfix - KB890175
    Windows XP Hotfix - KB891781
    Windows XP Hotfix - KB892050
    Windows XP Hotfix - KB893066
    Windows XP Media Center Edition 2005 KB908246
    Windows XP Media Center Edition 2005 KB912067
    Windows XP Media Center Edition 2005 KB973768
    WinRAR archiver
    Yahoo! Toolbar
    Yahoo! Toolbar for Internet Explorer
    ZoneAlarm Spy Blocker

    ==== Event Viewer Messages From Past Week ========

    1/27/2010 9:32:21 AM, error: iaStor [9] - The device, \Device\Ide\iaStor0, did not respond within the timeout period.
    1/27/2010 5:56:59 AM, error: Windows Update Agent [20] - Installation Failure: Windows failed to install the following update with error 0x80070643: Internet Explorer 8 for Windows XP.
    1/27/2010 5:51:53 AM, error: System Error [1003] - Error code 00000077, parameter1 00000001, parameter2 00000000, parameter3 00000000, parameter4 ad25bc34.
    1/27/2010 3:23:14 PM, error: System Error [1003] - Error code 00000077, parameter1 00000001, parameter2 00000000, parameter3 00000000, parameter4 b2e8bc34.
    1/27/2010 12:36:38 PM, error: Service Control Manager [7023] - The Computer Browser service terminated with the following error: This operation returned because the timeout period expired.
    1/27/2010 12:35:08 PM, error: Service Control Manager [7022] - The Automatic Updates service hung on starting.
    1/27/2010 12:27:27 PM, error: Ntfs [55] - The file system structure on the disk is corrupt and unusable. Please run the chkdsk utility on the volume C:.
    1/26/2010 12:52:38 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD BHDrvx86 ccHP eeCtrl Fips IDSxpx86 intelppm IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss SRTSP SRTSPX SYMTDI Tcpip WS2IFSL
    1/26/2010 12:52:38 PM, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error: A device attached to the system is not functioning.
    1/26/2010 12:52:38 PM, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
    1/26/2010 12:52:38 PM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
    1/26/2010 12:52:38 PM, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.
    1/26/2010 12:17:01 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments " " in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
    1/26/2010 12:16:56 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments " " in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
    1/26/2010 10:14:17 AM, error: System Error [1003] - Error code 100000d1, parameter1 00000001, parameter2 00000002, parameter3 00000000, parameter4 b5cf5fb5.
    1/26/2010 10:11:44 AM, error: Service Control Manager [7022] - The Intel(R) Quick Resume technology service hung on starting.
    1/26/2010 10:06:25 AM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000043' while processing the file 'SrtETmp' on the volume 'HarddiskVolume1'. It has stopped monitoring the volume.
    1/25/2010 9:52:17 PM, error: Service Control Manager [7034] - The NVIDIA Display Driver Service service terminated unexpectedly. It has done this 1 time(s).
    1/25/2010 7:58:02 PM, error: System Error [1003] - Error code 100000d1, parameter1 0000000c, parameter2 00000002, parameter3 00000000, parameter4 b88cefcd.
    1/25/2010 7:48:53 PM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the N360 service.
    1/25/2010 10:46:30 AM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000243' while processing the file 'SrtETmp' on the volume 'HarddiskVolume1'. It has stopped monitoring the volume.

    ==== End Of File ===========================
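An added triage example for readers of this thread (not part of the original post and not code from the DDS tool): a small Python script that parses the "=== Section ===" layout DDS uses and flags three things an analyst would look at first in the log above: hosts-file entries that blackhole a name, Run-key entries with no command, and digit-only executable names in the "Created Last 30" section. The sample input is a constructed excerpt of the posted log; the three heuristics are the example's own assumptions, not DDS rules.

```python
"""Triage heuristics for DDS-style scan logs (added example, not DDS code).

Parses the "=== Section ===" layout and applies three defender-side review
checks to a constructed excerpt of a posted log. The checks are heuristics
chosen for this example, not verdicts.
"""
import re

# Constructed excerpt: a handful of lines copied from the posted DDS log.
SAMPLE_LOG = r"""
============== Pseudo HJT Report ===============

mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [<NO NAME>]
mRun: [PCDrProfiler]
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
Hosts: 127.0.0.1 www.spywareinfo.com
Hosts: 74.208.77.54 hcurltest1
Hosts: 255.255.255.255 hcurltest5
Hosts: 255.255.255.255 vnsjs1.1stworks.com

=============== Created Last 30 ================

2010-01-27 12:46:59 0 d--h--w- c:\windows\system32\GroupPolicy
2010-01-25 01:40:22 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-25 01:29:30 0 ----a-w- c:\windows\system32\16060.exe
"""

SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")          # "==== Name ===="
HOSTS_RE = re.compile(r"^Hosts:\s+(\S+)\s+(\S+)$")      # "Hosts: <ip> <name>"
RUN_RE = re.compile(r"^[um]Run:\s+\[(.*?)\]\s*(.*)$")   # "mRun: [Name] command"
CREATED_RE = re.compile(                                # "date time size attrs path"
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(\d+)\s+(\S+)\s+(.+)$")
NUMERIC_EXE_RE = re.compile(r"\\\d+\.exe$", re.IGNORECASE)

# Addresses that silently blackhole a host name when placed in the hosts file.
SINKHOLE_IPS = {"127.0.0.1", "0.0.0.0", "255.255.255.255"}
LOCAL_NAMES = {"localhost", "localhost.localdomain"}


def parse_sections(text):
    """Map each DDS section name to its non-blank lines, in log order."""
    sections = {"preamble": []}
    current = "preamble"
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
        else:
            sections[current].append(line)
    return sections


def hosts_overrides(lines):
    """(ip, name) pairs that blackhole a non-local name. Protective tools such as
    Spybot's immunization add entries like this too, so treat it as a review list."""
    hits = []
    for line in lines:
        m = HOSTS_RE.match(line)
        if m and m.group(1) in SINKHOLE_IPS and m.group(2).lower() not in LOCAL_NAMES:
            hits.append((m.group(1), m.group(2)))
    return hits


def empty_run_entries(lines):
    """Run-key names with no command: typical residue after a removal tool
    deleted the payload but left the value behind."""
    return [m.group(1) for m in map(RUN_RE.match, lines) if m and not m.group(2).strip()]


def numeric_named_executables(lines):
    """Paths from the 'Created' section whose file name is only digits
    (e.g. 16060.exe); treating that as suspicious is this example's assumption."""
    hits = []
    for line in lines:
        m = CREATED_RE.match(line)
        if m and NUMERIC_EXE_RE.search(m.group(4)):
            hits.append(m.group(4))
    return hits


def triage(text):
    """Run all three checks and return the findings keyed by check name."""
    sections = parse_sections(text)
    hjt = sections.get("Pseudo HJT Report", [])
    created = sections.get("Created Last 30", [])
    return {
        "hosts": hosts_overrides(hjt),
        "empty_run": empty_run_entries(hjt),
        "numeric_exe": numeric_named_executables(created),
    }


if __name__ == "__main__":
    for check, findings in triage(SAMPLE_LOG).items():
        print(check, findings)
```

On the excerpt it reports the two blank Run entries, the three blackholed host names and c:\windows\system32\16060.exe, which the ComboFix log later in the thread lists under its deletions.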
     
  2. 2010/02/01
    broni

    broni Moderator Malware Analyst

    Please download ComboFix from Here or Here to your Desktop.


    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    • Please, never rename Combofix unless instructed.
    • Close any open browsers.
    • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    NOTE 1. If Combofix asks you to install Recovery Console, please allow it.
    NOTE 2. If Combofix asks you to update the program, always do so.

    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    • Double click on combofix.exe & follow the prompts.
    • When finished, it will produce a report for you.
    • Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
    **Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

    Make sure, you re-enable your security programs, when you're done with Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!


    Download HijackThis:
    http://www.trendsecure.com/portal/en-US/tools/security_tools/hijackthis/download
    by clicking on Installer under Version 2.0.2
    [DO NOT download version 2.0.3 (beta)]
    Install, and run it.
    Post HijackTHis log.
    Do NOT attempt to fix anything!

    NOTE. If you're using Vista, or 7, right click on HijackThis, and click Run as Administrator
     

  4. 2010/02/01
    TraderJeff

    TraderJeff Inactive Thread Starter

    Upon ComboFix's reboot of the system the reboot appears to have stopped = the monitor went to sleep. This has happened more frequently. Appears the only way out is to power off and then power the PC back on. Should I try this? I am typing this on my laptop situated next to it.
     
  5. 2010/02/01
    broni

    broni Moderator Malware Analyst

    Please do. See, if you can find Combofix log.
     
  6. 2010/02/01
    TraderJeff

    TraderJeff Inactive Thread Starter

    System came back up on first power off / power on. ComboFix then resumed.

    ComboFix then deleted some files, rebooted and then resumed running again.

    Should also mention that there was an OTTO program in my add/remove programs list.
    Google indicated that this was also a problem - ComboFix appeared to find this also.

    Received the message:

    Cannot export REGRUNS00. Error opening the file. There may be a disk or file system error. Will post the log in the next reply.
     
  7. 2010/02/01
    TraderJeff

    TraderJeff Inactive Thread Starter

    Will now run HijackThis and post the log. Here is the ComboFix log:


    ComboFix 10-02-01.02 - HP_Administrator 02/01/2010 14:31:29.1.2 - x86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2046.1675 [GMT -6:00]
    Running from: c:\documents and settings\HP_Administrator\Desktop\ComboFix.exe
    AV: Norton 360 *On-access scanning disabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
    FW: Norton 360 *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\recycler\S-1-5-21-527237240-179605362-725345543-500
    c:\windows\kb913800.exe
    c:\windows\system32\16060.exe
    c:\windows\system32\config\46635700.Evt
    D:\Autorun.inf

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Legacy_ASC3550P
    -------\Service_asc3550p


    ((((((((((((((((((((((((( Files Created from 2010-01-01 to 2010-02-01 )))))))))))))))))))))))))))))))
    .

    2010-01-28 15:27 . 2010-01-28 15:27 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\Uniblue
    2010-01-25 01:40 . 2010-01-25 01:40 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\Malwarebytes
    2010-01-25 01:40 . 2010-01-25 01:40 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-01-31 20:22 . 2009-07-12 22:48 94208 ----a-w- c:\windows\DUMP9e62.tmp
    2010-01-29 20:01 . 2009-10-23 22:34 -------- d-----w- c:\program files\Vuze
    2010-01-29 13:41 . 2009-07-12 22:48 94208 ----a-w- c:\windows\DUMPa538.tmp
    2010-01-27 12:53 . 2010-01-26 16:30 664 ----a-w- c:\windows\system32\d3d9caps.dat
    2010-01-27 03:53 . 2010-01-27 03:53 -------- d-----w- c:\program files\Norton Support
    2010-01-27 02:01 . 2009-07-13 01:56 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
    2010-01-27 01:38 . 2010-01-27 01:34 -------- d-----w- c:\program files\Spybot - Search & Destroy
    2010-01-27 01:32 . 2010-01-27 01:32 16409960 ----a-w- C:\spybotsd162.exe
    2010-01-26 01:43 . 2008-08-27 02:07 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\Azureus
    2010-01-25 03:12 . 2010-01-25 01:40 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-01-25 01:39 . 2010-01-25 01:38 5061512 ----a-w- C:\mbam-setup.exe
    2010-01-22 13:59 . 2009-03-17 00:40 -------- d-----w- c:\program files\Microsoft Silverlight
    2010-01-07 22:07 . 2010-01-25 01:40 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-01-07 22:07 . 2010-01-25 01:40 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
    2009-12-27 21:14 . 2008-09-06 20:11 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\Move Networks
    2009-12-26 22:24 . 2008-08-21 19:49 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\U3
    2009-12-22 05:35 . 2008-08-19 21:43 668672 ----a-w- c:\windows\system32\wininet.dll
    2009-12-22 05:35 . 2008-08-19 21:42 81920 ----a-w- c:\windows\system32\ieencode.dll
    2009-07-13 02:50 . 2008-08-19 23:38 74895392 --sha-w- c:\windows\system32\drivers\fidbox.dat
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
    "SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
    "ftutil2"="ftutil2.dll" [2004-06-07 106496]
    "RTHDCPL"="RTHDCPL.EXE" [2006-06-14 16239616]
    "IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2006-07-06 151552]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-03-09 7700480]
    "nwiz"="nwiz.exe" [2007-03-09 1622016]
    "DMAScheduler"="c:\program files\HP DigitalMedia Archive\DMAScheduler.exe" [2006-04-13 90112]
    "Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2005-07-22 237568]
    "HPBootOp"="c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2006-02-15 249856]
    "HP Software Update"="c:\program files\HP\HP Software Update\HPwuSchd2.exe" [2005-02-17 49152]
    "TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-08-21 185896]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-4-23 29696]
    Updates From HP.lnk - c:\program files\Updates from HP\9972322\Program\Updates from HP.exe [2008-8-19 36903]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SymEFA.sys]
    @="FSFilter Activity Monitor"

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\DISC\\DISCover.exe"=
    "c:\\Program Files\\DISC\\DiscStreamHub.exe"=
    "c:\\Program Files\\DISC\\myFTP.exe"=
    "c:\\Program Files\\Updates from HP\\9972322\\Program\\Updates from HP.exe"=
    "c:\\Program Files\\Messenger\\msmsgs.exe"=
    "c:\\Program Files\\1stWORKS\\hotCommCL\\BIN\\HotComm.exe"=

    R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\N360\0300000.086\SymEFA.sys [8/12/2009 4:37 AM 310320]
    R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\N360\0300000.086\BHDrvx86.sys [8/12/2009 4:37 AM 258608]
    R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\N360\0300000.086\cchpx86.sys [8/12/2009 4:37 AM 482352]
    R1 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100128.002\IDSXpx86.sys [1/29/2010 4:57 PM 329592]
    R2 {22D78859-9CE9-4b77-BF18-AC83E81A9263};{22D78859-9CE9-4b77-BF18-AC83E81A9263};c:\program files\HP\DVDPlay\000.fcl [8/19/2008 5:05 PM 6656]
    R3 CXFALCON;Conexant Falcon II NTSC Video Capture;c:\windows\system32\drivers\cxfalcon.sys [8/19/2008 4:48 PM 82048]
    R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [8/28/2009 5:42 AM 102448]
    R3 WN5301;LIteon Wireless PCI Network Adapter Service;c:\windows\system32\drivers\wn5301.sys [8/19/2008 4:46 PM 468768]
    .
    Contents of the 'Scheduled Tasks' folder
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://att.my.yahoo.com/
    uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
    mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=PAVILION&pf=desktop
    mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
    Trusted Zone: commercebank.com\tunnel
    Trusted Zone: trymedia.com
    TCP: {71EE03D8-0373-4CC2-8521-290131052559} = 68.94.156.1,68.94.157.1
    TCP: {F3E3CDFB-7809-41E2-B47A-0BDA8A384464} = 68.94.156.1,68.94.157.1
    TCP: {FE3AA6AE-D49E-4033-8249-64759150F78E} = 68.94.156.1,68.94.157.1
    DPF: {181BCAB2-C89B-4E4B-9E6B-59FA67A426B5} - hxxps://tunnel.commercebank.com/epa/nsepa.ocx
    .
    - - - - ORPHANS REMOVED - - - -

    HKLM-Run-PCDrProfiler - (no file)



    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-02-01 14:42
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\N360]
    "ImagePath"="\"c:\program files\Norton 360\Engine\3.0.0.134\ccSvcHst.exe\" /s \"N360\" /m \"c:\program files\Norton 360\Engine\3.0.0.134\diMaster.dll\" /prefetch:1"

    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\{22D78859-9CE9-4b77-BF18-AC83E81A9263}]
    "ImagePath"="\??\c:\program files\HP\DVDPlay\000.fcl"
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'explorer.exe'(2712)
    c:\docume~1\HP_ADM~1\LOCALS~1\Temp\IadHide5.dll
    c:\windows\system32\nview.dll
    c:\windows\system32\shdoclc.dll
    c:\windows\system32\msi.dll
    c:\windows\system32\nvwddi.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\windows\eHome\ehRecvr.exe
    c:\windows\eHome\ehSched.exe
    c:\program files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
    c:\program files\Common Files\LightScribe\LSSrvc.exe
    c:\program files\Norton 360\Engine\3.0.0.134\ccSvcHst.exe
    c:\windows\system32\nvsvc32.exe
    c:\windows\ehome\mcrdsvc.exe
    c:\program files\Intel\IntelDH\Intel(R) Quick Resume Technology Drivers\Elservice.exe
    c:\windows\system32\dllhost.exe
    c:\program files\Norton 360\Engine\3.0.0.134\ccSvcHst.exe
    c:\windows\RTHDCPL.EXE
    c:\windows\eHome\ehmsas.exe
    c:\windows\system32\rundll32.exe
    c:\hp\KBD\KBD.EXE
    c:\windows\system\hpsysdrv.exe
    c:\program files\Java\jre1.6.0_07\bin\jusched.exe
    c:\program files\DISC\DISCover.exe
    c:\program files\DISC\DiscUpdMgr.exe
    c:\program files\DISC\DiscStreamHub.exe
    .
    **************************************************************************
    .
    Completion time: 2010-02-01 15:02:32 - machine was rebooted
    ComboFix-quarantined-files.txt 2010-02-01 21:02

    Pre-Run: 130,828,120,064 bytes free
    Post-Run: 130,871,947,264 bytes free

    - - End Of File - - 970A72D3D8093AEF9A69D3F08A0B2E19
     
  8. 2010/02/01
    TraderJeff Inactive Thread Starter
    Here is the HijackThis log:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 3:15:05 PM, on 2/1/2010
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\eHome\ehRecvr.exe
    C:\WINDOWS\eHome\ehSched.exe
    C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
    C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\Program Files\Norton 360\Engine\3.0.0.134\ccSvcHst.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Program Files\Intel\IntelDH\Intel(R) Quick Resume Technology Drivers\Elservice.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\Program Files\Norton 360\Engine\3.0.0.134\ccSvcHst.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\ehome\ehtray.exe
    C:\WINDOWS\RTHDCPL.EXE
    C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
    C:\Program Files\HP DigitalMedia Archive\DMAScheduler.exe
    C:\WINDOWS\eHome\ehmsas.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe
    C:\HP\KBD\KBD.EXE
    c:\windows\system\hpsysdrv.exe
    C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
    C:\Program Files\DISC\DISCover.exe
    C:\Program Files\DISC\DiscUpdMgr.exe
    C:\Program Files\DISC\DiscStreamHub.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://att.my.yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=PAVILION&pf=desktop
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: Symantec NCO BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton 360\Engine\3.0.0.134\coIEPlg.dll
    O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton 360\Engine\3.0.0.134\IPSBHO.DLL
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O2 - BHO: hpWebHelper Class - {AAAE832A-5FFF-4661-9C8F-369692D1DCB9} - C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\WebHelper.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O3 - Toolbar: Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton 360\Engine\3.0.0.134\coIEPlg.dll
    O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
    O4 - HKLM\..\Run: [ftutil2] rundll32.exe ftutil2.dll,SetWriteCacheMode
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
    O4 - HKLM\..\Run: [DMAScheduler] "c:\Program Files\HP DigitalMedia Archive\DMAScheduler.exe"
    O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
    O4 - .DEFAULT User Startup: PinMcLnk.lnk = C:\hp\bin\cloaker.exe (User 'Default user')
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Updates From HP.lnk = C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
    O9 - Extra 'Tools' menuitem: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O15 - Trusted Zone: http://*.trymedia.com (HKLM)
    O16 - DPF: {181BCAB2-C89B-4E4B-9E6B-59FA67A426B5} (Nsepa Control) - https://tunnel.commercebank.com/epa/nsepa.ocx
    O17 - HKLM\System\CCS\Services\Tcpip\..\{71EE03D8-0373-4CC2-8521-290131052559}: NameServer = 68.94.156.1,68.94.157.1
    O17 - HKLM\System\CCS\Services\Tcpip\..\{F3E3CDFB-7809-41E2-B47A-0BDA8A384464}: NameServer = 68.94.156.1,68.94.157.1
    O17 - HKLM\System\CCS\Services\Tcpip\..\{FE3AA6AE-D49E-4033-8249-64759150F78E}: NameServer = 68.94.156.1,68.94.157.1
    O18 - Protocol: symres - {AA1061FE-6C41-421F-9344-69640C9732AB} - C:\Program Files\Norton 360\Engine\3.0.0.134\coIEPlg.dll
    O23 - Service: Intel(R) Quick Resume technology (ELService) - Intel Corporation - C:\Program Files\Intel\IntelDH\Intel(R) Quick Resume Technology Drivers\Elservice.exe
    O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    O23 - Service: Norton 360 (N360) - Symantec Corporation - C:\Program Files\Norton 360\Engine\3.0.0.134\ccSvcHst.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

    --
    End of file - 8241 bytes
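The HijackThis log above, and the ComboFix log in the earlier post, are read by eye in the thread. As an added example (not code from the thread, from HijackThis or from the moderator), the script below parses the O2/O4/O15/O16/O17/O23 lines of a HijackThis 2.0.x log and flags the entries an analyst checks first: autostarts, BHOs or services running from Temp or profile data directories (the ComboFix log above shows a DLL loaded into explorer.exe from the user's Temp folder, the same kind of location), O17 NameServer entries outside an expected set, Trusted Zone additions, ActiveX downloads from hosts not on an allow-list, and services with an unknown owner. The expected DNS set, the ActiveX allow-list and the sample log are assumptions constructed for the example.

```python
"""Triage of a HijackThis 2.0.x log: parse the O-section lines and flag the
entries an analyst checks first.  Added example, not code from the forum
post or from HijackThis.  The sample log is constructed for the example,
modelled on the format of the log posted in the thread."""
import re
from dataclasses import dataclass
from typing import Dict, List, Set
from urllib.parse import urlparse

# Assumptions for this example: the resolvers the machine is expected to use
# and the hosts from which an ActiveX (O16) download is considered expected.
EXPECTED_DNS: Set[str] = {"68.94.156.1", "68.94.157.1"}
ACTIVEX_ALLOW: Set[str] = {"tunnel.commercebank.com"}

# Directories an autostart, BHO or service binary should normally not live in
# (matched case-insensitively; 8.3 short names included).
SUSPICIOUS_DIRS = ("\\temp\\", "\\local settings\\", "\\locals~1\\",
                   "\\application data\\", "\\applic~1\\", "\\recycler\\")

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[^}]+)\} - (?P<path>.+)$")
O4_RE = re.compile(r"^O4 - (?P<where>[^:]+): (?:\[(?P<name>[^\]]+)\] )?(?P<cmd>.+)$")
O15_RE = re.compile(r"^O15 - Trusted Zone: (?P<zone>\S+)")
O16_RE = re.compile(r"^O16 - DPF: \{[^}]+\} \((?P<name>[^)]*)\) - (?P<url>\S+)")
O17_RE = re.compile(r"^O17 - .*NameServer = (?P<servers>[\d.,]+)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<company>.+?) - (?P<path>.+)$")


@dataclass
class Finding:
    severity: str   # "high" or "medium"
    line: str       # the log line that triggered the finding
    reason: str


def _suspicious_path(text: str) -> bool:
    low = text.lower()
    return any(d in low for d in SUSPICIOUS_DIRS)


def triage(log_text: str,
           expected_dns: Set[str] = EXPECTED_DNS,
           activex_allow: Set[str] = ACTIVEX_ALLOW) -> List[Finding]:
    """Return the flagged entries of a HijackThis log, in log order."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := O2_RE.match(line):
            path = m.group("path").strip()
            if path.lower() == "(no file)" or _suspicious_path(path):
                findings.append(Finding("medium", line, "BHO with missing file or suspicious path"))
        elif m := O4_RE.match(line):
            if _suspicious_path(m.group("cmd")):
                findings.append(Finding("high", line, "autostart launched from a temp/profile directory"))
        elif m := O15_RE.match(line):
            findings.append(Finding("medium", line, f"site added to IE Trusted Zone: {m.group('zone')}"))
        elif m := O16_RE.match(line):
            host = urlparse(m.group("url")).hostname or ""
            if host not in activex_allow:
                findings.append(Finding("medium", line, f"ActiveX download from unlisted host: {host}"))
        elif m := O17_RE.match(line):
            servers = {s for s in m.group("servers").split(",") if s}
            rogue = servers - expected_dns
            if rogue:
                findings.append(Finding("high", line, f"unexpected DNS server(s): {', '.join(sorted(rogue))}"))
        elif m := O23_RE.match(line):
            if m.group("company").strip().lower() == "unknown owner" or _suspicious_path(m.group("path")):
                findings.append(Finding("high", line, "service with unknown owner or suspicious path"))
    return findings


def counts(findings: List[Finding]) -> Dict[str, int]:
    """Number of findings per severity."""
    out = {"high": 0, "medium": 0}
    for f in findings:
        out[f.severity] += 1
    return out


# Constructed sample log (not the log from the thread).  The nameless BHO,
# the Temp autostart, the 192.0.2.53 resolver and the "Unknown owner" service
# are invented entries of the kind an analyst follows up on.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000001} - (no file)
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKCU\..\Run: [sysupd] C:\DOCUME~1\USER\LOCALS~1\Temp\sysupd.exe
O15 - Trusted Zone: http://*.trymedia.com (HKLM)
O16 - DPF: {181BCAB2-C89B-4E4B-9E6B-59FA67A426B5} (Nsepa Control) - https://tunnel.commercebank.com/epa/nsepa.ocx
O16 - DPF: {00000000-0000-0000-0000-000000000002} (Video Codec Installer) - http://download.example.net/codec.ocx
O17 - HKLM\System\CCS\Services\Tcpip\..\{71EE03D8-0373-4CC2-8521-290131052559}: NameServer = 68.94.156.1,68.94.157.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{F3E3CDFB-7809-41E2-B47A-0BDA8A384464}: NameServer = 192.0.2.53,68.94.157.1
O23 - Service: Norton 360 (N360) - Symantec Corporation - C:\Program Files\Norton 360\Engine\3.0.0.134\ccSvcHst.exe
O23 - Service: Helper Service (helpersvc) - Unknown owner - C:\WINDOWS\system32\helpersvc.exe
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity}] {f.reason}\n    {f.line}")
    print(counts(triage(SAMPLE_LOG)))
```

The flags are review prompts, not verdicts: the Trusted Zone entries and the bank's ActiveX control in the real log may well be legitimate, and a rogue resolver is only rogue relative to the resolvers the ISP actually hands out, which is why the expected set is a parameter rather than a built-in list.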
     
  9. 2010/02/01
    broni Moderator Malware Analyst
    Uninstall Combofix:
    Go Start > Run [Vista users, go Start> "Start search"]
    Type in:
    Combofix /Uninstall
    Note the space between the "Combofix" and the "/Uninstall".
    Restart computer.

    ===============================================================

    I'd like to see the HijackThis log I asked for.
    Post it after running steps listed below.

    1. Download Temp File Cleaner (TFC)
    Double click on TFC.exe to run the program.
    Click on Start button to begin cleaning process.
    TFC will close all running programs, and it may ask you to restart computer.


    2. Go to Kaspersky website and perform an online antivirus scan.

    1. Disable your active antivirus program.
    2. Read through the requirements and privacy statement and click on Accept button.
    3. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
    4. When the downloads have finished, click on Settings.
    5. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:

    • Spyware, Adware, Dialers, and other potentially dangerous programs
    • Archives
    • Mail databases
    6. Click on My Computer under Scan.
    7. Once the scan is complete, it will display the results. Click on View Scan Report.
    8. You will see a list of infected items there. Click on Save Report As....
    9. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button. Then post it here.
     
  10. 2010/02/01
    TraderJeff Inactive Thread Starter
    I am still unable to get to safe mode so I cannot change the settings there. I can change the monitor settings to use the default settings but it comes back to the same error message (ComboFix still has control evidently). Unsure as to how to proceed - I have not gotten a good reboot since attempting the Uninstall of ComboFix.
     
  11. 2010/02/01
    broni Moderator Malware Analyst
    I didn't ask you to change any settings, nor go to Safe Mode.
    What error are you getting?
     
  12. 2010/02/01
    TraderJeff Inactive Thread Starter
    The first part of my earlier reply was missing. It went something like this.

    Broni, I ******* up. I typed in Combofix /Uninstall as directed but clicked on Run instead of hitting Enter. I had a HijackThis text open and ComboFix appeared to be running again. It finished and went to reboot. The monitor came up with the message:

    Input signal out of range - change settings to 1280 x 1024 - 60 Hz. It was 124 x 237, evidently set to the HijackThis text size.

    I tried what I could to change the size but could not get it to work. A Google search suggested changing the input in safe mode, so I tried that. However, I am still unable to get to safe mode, so I cannot change the settings there. I can change the monitor settings to use the default settings but it comes back to the same error message (ComboFix still has control, evidently). Unsure as to how to proceed; I have not gotten a good reboot since attempting the uninstall of ComboFix.
     
  13. 2010/02/01
    broni Moderator Malware Analyst
    I'm not sure if I understand... I've never seen a 124 x 237 screen resolution.
    What does your screen look like?

    How are you trying to access safe mode?
    After restarting the computer, you should keep tapping the F8 key.
     
  14. 2010/02/01
    TraderJeff Inactive Thread Starter
    I can get to safe mode; however, when it starts up it stops at
    \WINDOWS\System32\Drivers\Mup.sys. I am allowed at that point to change my video settings to Factory Reset.

    However, during the reboot the monitor goes to sleep. Powering the monitor off and on, it shows "VGA input - No Input signal".
     
  15. 2010/02/01
    broni Moderator Malware Analyst
    I suspect some hardware issue here.
    At this point, I have to send you to either the Windows or the hardware section and see what others can figure out.
    Access to the malware forum is very limited (just you and me), so out there you'll get more attention.
    Once the issue is solved, you're very welcome to come back here to continue.
     
  16. 2010/02/01
    TraderJeff Inactive Thread Starter
    Thank you for your help, Broni. Sorry I ******* it up.
     
  17. 2010/02/01
    broni Moderator Malware Analyst
    Hey, I don't think it's your fault :)
    I think there is something else wrong with the machine.
     
