Internet Hangs on Boot Up (In Progress)

Test001 (Member with 41 posts, Join Date: Nov 2009)
04-Nov-2009, 07:07 PM #1
Internet Hangs on Boot Up
I am running a Dell Studio 1537 and it usually runs great with no issues. Typically I could boot Windows XP very fast, my desktop would load, and I could access the web immediately with no issues. I downloaded some updates and ever since, my computer has been hanging upon boot. When the system boots it will load the desktop, and then about 2 minutes later I can access My Computer or Internet Explorer. Right before I am up and running I get the "Your computer may be at risk" message in the system tray; it is only there for a split second and then it is gone. I reset the firewall thinking maybe that was the issue, but it did not help. I tried turning off the firewall to see if it would boot regularly, but still the same result. I defragged and ran msconfig and removed all startup programs that were not needed. Still the same issue. I checked the COM services and made sure they were set to Automatic for the firewall etc.

I am hoping maybe there is something in this log file that I am missing that could explain why this hangs.

Also, this is strange: when the system boots and my desktop loads very quickly, I can double-click and open Outlook 2007 and send and receive mail (so the internet is working). I still have no access to My Computer, and my Norton antivirus has the red circle around it until the system finishes loading after about 2 minutes; then I can use IE and all programs with no issues.


Thanks in advance and please review my log file...

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:06:51 PM, on 11/4/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Intel\WiFi\bin\S24EvMon.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\system32\spoolsv.exe
c:\program files\idt\xpm09_6047v002\wdm\STacSV.exe
C:\WINNT\Explorer.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\WINNT\BCMSMMSG.exe
C:\Program Files\DellTPad\Apoint.exe
C:\WINNT\system32\AESTFltr.exe
C:\Program Files\IDT\WDM\sttray.exe
C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Intel\WiFi\bin\ZCfgSvc.exe
C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe
C:\WINNT\system32\ctfmon.exe
C:\DOCUME~1\Matt\LOCALS~1\Temp\Temporary Directory 1 for mdAxel_0_02[1].zip\mdAxel.exe
C:\Program Files\DellTPad\ApMsgFwd.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\DellTPad\Apntex.exe
C:\Program Files\DellTPad\HidFind.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINNT\system32\cisvc.exe
C:\WINNT\System32\dllhost.exe
C:\WINNT\system32\CTsvcCDA.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\Intel\WiFi\bin\EvtEng.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Microsoft SQL Server\MSSQL$ACT7\Binn\sqlservr.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINNT\System32\wbem\unsecapp.exe
C:\WINNT\system32\cidaemon.exe
C:\WINNT\system32\cidaemon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\MICROS~2\Office12\OUTLOOK.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
O1 - Hosts: ::1 localhost
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Act.UI.InternetExplorer.Plugins.AttachFile.CAttachFile - {D5233FCD-D258-4903-89B8-FB1568E7413D} - mscoree.dll (file missing)
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: SmartSelect - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [Trirot] Trirot.exe
O4 - HKLM\..\Run: [XGIWatchDog] C:\Program Files\XGI\XWatDog.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\DellTPad\Apoint.exe
O4 - HKLM\..\Run: [AESTFltr] %SystemRoot%\system32\AESTFltr.exe /NoDlg
O4 - HKLM\..\Run: [SysTrayApp] %ProgramFiles%\IDT\WDM\sttray.exe
O4 - HKLM\..\Run: [BlackBerryAutoUpdate] C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe /background
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\WiFi\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe" /tf Intel Wireless Tray
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [RegServer] regserve.exe
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O4 - HKCU\..\Run: [mdAxel] C:\DOCUME~1\Matt\LOCALS~1\Temp\Temporary Directory 1 for mdAxel_0_02[1].zip\mdAxel.exe
O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKUS\S-1-5-19\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O8 - Extra context menu item: Append Link Target to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Append to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert Link Target to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: Attach Web page to ACT! contact - {6F431AC3-364A-478b-BBDB-89C7CE1B18F6} - mscoree.dll (file missing)
O9 - Extra 'Tools' menuitem: Attach Web page to ACT! contact... - {6F431AC3-364A-478b-BBDB-89C7CE1B18F6} - mscoree.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINNT\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINNT\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.rapmls.com
O16 - DPF: {106E49CF-797A-11D2-81A2-00E02C015623} (AlternaTIFF ActiveX) - http://www.alternatiff.com/install-ie/alttiff.cab
O16 - DPF: {2EDF75C0-5ABD-49f9-BAB6-220476A32034} (System Requirements Lab) - http://intel-drv-cdn.systemrequireme...eqlab_srlx.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/WalgreensActivia.cab
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - https://www-secure.symantec.com/tech...bs/tgctlsr.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.mail.live.com/mail/w1/re...s/MSNPUpld.cab
O16 - DPF: {5AE58FCF-6F6A-49B2-B064-02492C66E3F4} (MUCatalogWebControl Class) - http://catalog.update.microsoft.com/...?1243218437625
O16 - DPF: {6C269571-C6D7-4818-BCA4-32A035E8C884} (Creative Software AutoUpdate) - http://ccfiles.creative.com/Web/soft...01/CTSUEng.cab
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/...Uploader55.cab
O16 - DPF: {8569D715-FF88-44BA-8D1D-AD3E59543DDE} (ActiveReports Viewer2) - http://ml.sitexdata.com/mortgageleads/arview2.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {DF05D910-DC8E-403A-93B0-5C866F3200D1} (PtClickLoan Control) - https://www.clickloan.com/CAB/PtClic...tClickLoan.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://naasystem.webex.com/client/T...ex/ieatgpc.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://ccfiles.creative.com/Web/soft...5108/CTPID.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O20 - AppInit_DLLs: acaptuser32.dll
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINNT\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINNT\system32\ati2sgag.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINNT\system32\CTsvcCDA.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel(R) Corporation - C:\Program Files\Intel\WiFi\bin\EvtEng.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel(R) Corporation - C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: Intel(R) PROSet/Wireless WiFi Service (S24EventMonitor) - Intel(R) Corporation - C:\Program Files\Intel\WiFi\bin\S24EvMon.exe
O23 - Service: Audio Service (STacSV) - IDT, Inc. - c:\program files\idt\xpm09_6047v002\wdm\STacSV.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
--
End of file - 13200 bytes
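The log above is in the standard HijackThis layout: every line after the process list is a section code (O2, O4, O15, O20, O23 and so on) followed by the entry. The script below is an added example, not code from this thread and not part of HijackThis; it applies the checks a log reviewer runs by eye over such a log: autoruns launched from a Temp directory, autoruns given as a bare filename (so the search path decides which file actually runs), registered components whose file is missing, a wildcard Trusted Zone, a non-empty AppInit_DLLs value, and services with no vendor string. The sample lines are constructed to match the shapes seen in the posted log; every flag means "verify this", not "this is malicious".

```python
"""Triage a HijackThis log for entries that deserve a second look.

Added example; not part of the original thread and not HijackThis code.
Every flag means "verify this", not "this is malware": the rules are the
heuristics a reviewer applies by eye before asking for more scans.
"""
import re

# Generic HijackThis line: section code, " - ", entry text.
_LINE = re.compile(r"^(O\d+)\s+-\s+(.*)$")


def _in_temp(entry: str) -> bool:
    """Autorun target lives under a Temp directory (with or without LOCALS~1)."""
    return re.search(r"\\(locals~1\\)?temp\\", entry, re.IGNORECASE) is not None


def _bare_filename(entry: str) -> bool:
    """Autorun target is a bare .exe name, so Windows finds it via the search path."""
    m = re.search(r"\]\s+(\S+)", entry)          # text right after "[Name]"
    if not m:
        return False
    target = m.group(1).strip('"')
    return "\\" not in target and target.lower().endswith(".exe")


def _file_missing(entry: str) -> bool:
    return "(file missing)" in entry


# (section, predicate, reason); predicates see the text after "Onn - ".
RULES = [
    ("O4", _in_temp, "autorun target lives under a Temp directory"),
    ("O4", _bare_filename, "autorun target is a bare filename resolved via the search path; confirm which file runs"),
    ("O2", _file_missing, "BHO registered but its DLL is missing"),
    ("O9", _file_missing, "IE button registered but its DLL is missing"),
    ("O15", lambda e: "*" in e, "wildcard Trusted Zone entry relaxes IE security for a whole domain"),
    ("O20", lambda e: True, "AppInit_DLLs is set; the DLL loads into every process that loads user32.dll"),
    ("O23", lambda e: "Unknown owner" in e, "service binary carries no vendor information"),
]


def triage(log_text: str) -> list:
    """Return one finding per (line, rule) match, in log order."""
    findings = []
    for lineno, raw in enumerate(log_text.splitlines(), 1):
        m = _LINE.match(raw.strip())
        if not m:
            continue
        section, entry = m.groups()
        for rule_section, predicate, reason in RULES:
            if section == rule_section and predicate(entry):
                findings.append({"line": lineno, "section": section, "entry": entry, "reason": reason})
    return findings


# Constructed sample: same line shapes as the posted log, not the full log.
SAMPLE_LOG = r"""
O2 - BHO: Act.UI.InternetExplorer.Plugins.AttachFile.CAttachFile - {D5233FCD-D258-4903-89B8-FB1568E7413D} - mscoree.dll (file missing)
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [Trirot] Trirot.exe
O4 - HKLM\..\Run: [AESTFltr] %SystemRoot%\system32\AESTFltr.exe /NoDlg
O4 - HKCU\..\Run: [mdAxel] C:\DOCUME~1\Matt\LOCALS~1\Temp\Temporary Directory 1 for mdAxel_0_02[1].zip\mdAxel.exe
O15 - Trusted Zone: http://*.rapmls.com
O20 - AppInit_DLLs: acaptuser32.dll
O23 - Service: ATI Smart - Unknown owner - C:\WINNT\system32\ati2sgag.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"line {f['line']:>3} {f['section']:<4} {f['reason']}\n    {f['entry']}")
```

Run it against a saved hijackthis.log by reading the file into `triage()`; the bare-filename rule in particular is cheap to act on (search the system for that name and compare locations), and an entry that is both under Temp and inside an extracted zip directory, as in the posted log, is exactly the kind a reviewer asks about first.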
Test001 (Member with 41 posts, Join Date: Nov 2009)
04-Nov-2009, 07:08 PM #2
Also, I forgot to mention I am running SP3.

Thanks...
sjpritch25 (Moderator & Malware Removal Specialist with 9,113 posts, Join Date: Sep 2005, Location: Florida, Experience: Advanced)
08-Nov-2009, 05:29 PM #3
Welcome to TSG

Download GMER Antirootkit Here, click on Download EXE and save to your Desktop
  • Disconnect from the internet and disable all active protection so your security program drivers will not conflict with gmer's driver
  • Double-click Gmer.exe to run the program.
  • When the program opens, click the "Rootkit" Tab
  • On the right-side, check all the items to be scanned, but leave "Show All" unchecked
  • Select all drives that are connected to your system to be scanned
  • Click the Scan button
  • When the scan is finished, click Copy to save the scan log to the Windows clipboard
  • Open Notepad or a similar text editor
  • Paste the clipboard contents into a text file by clicking Edit | Paste or pressing Ctrl+V
  • Save the gmer scan log and post it in your next reply.
  • Close Gmer
  • Open a command prompt (Start | Run | type cmd and hit Enter)
    • Type or paste the following to unload the gmer driver:
    • net stop gmer
    • Hit Enter
    • Exit the command prompt.
  • Re-enable all active protection.
__________________
Microsoft Valuable Professional Consumer--Security 2007-2010
Test001 (Member with 41 posts, Join Date: Nov 2009)
09-Nov-2009, 05:44 PM #4
Thanks for looking into this...

Here is the results...
GMER 1.0.15.15163 - http://www.gmer.net
Rootkit scan 2009-11-09 13:40:32
Windows 5.1.2600 Service Pack 3
Running: h5ondmqf.exe; Driver: C:\DOCUME~1\Matt\LOCALS~1\Temp\uxtdapow.sys

---- System - GMER 1.0.15 ----
SSDT spdp.sys ZwCreateKey [0xB9EAB0E0]
SSDT spdp.sys ZwEnumerateKey [0xB9EC8CA2]
SSDT spdp.sys ZwEnumerateValueKey [0xB9EC9030]
SSDT spdp.sys ZwOpenKey [0xB9EAB0C0]
SSDT spdp.sys ZwQueryKey [0xB9EC9108]
SSDT spdp.sys ZwQueryValueKey [0xB9EC8F88]
SSDT spdp.sys ZwSetValueKey [0xB9EC919A]
INT 0x63 ? 8AFA1BF8
INT 0x63 ? 8AFA1BF8
INT 0x63 ? 8AFA1BF8
INT 0x63 ? 8AFA1BF8
INT 0x63 ? 8ADF1BF8
INT 0x63 ? 8ADF1BF8
INT 0x63 ? 8ADF1BF8
INT 0x63 ? 8AFA1BF8
INT 0x84 ? 8ADF1BF8
INT 0xA4 ? 8ADF1BF8
INT 0xB4 ? 8ADF1BF8
---- Kernel code sections - GMER 1.0.15 ----
? spdp.sys The system cannot find the file specified. !
.text USBPORT.SYS!DllUnload B91448AC 5 Bytes JMP 8ADF11D8
.text afmvbqlk.SYS B8AFD384 1 Byte [20]
.text afmvbqlk.SYS B8AFD384 37 Bytes [20, 00, 00, 68, 00, 00, 00, ...]
.text afmvbqlk.SYS B8AFD3AA 24 Bytes [00, 00, 20, 00, 00, E0, 00, ...]
.text afmvbqlk.SYS B8AFD3C4 3 Bytes [00, 00, 00]
.text afmvbqlk.SYS B8AFD3C9 1 Byte [00]
.text ...
---- Kernel IAT/EAT - GMER 1.0.15 ----
IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [B9EAC040] spdp.sys
IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [B9EAC13C] spdp.sys
IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [B9EAC0BE] spdp.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [B9EAC7FC] spdp.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [B9EAC6D2] spdp.sys
IAT \SystemRoot\System32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [B9EBBD92] spdp.sys
IAT \SystemRoot\System32\Drivers\afmvbqlk.SYS[HAL.dll!KfAcquireSpinLock] 000000AD
IAT \SystemRoot\System32\Drivers\afmvbqlk.SYS[HAL.dll!READ_PORT_UCHAR] 000000D4
IAT \SystemRoot\System32\Drivers\afmvbqlk.SYS[HAL.dll!KeGetCurrentIrql] 000000A2
IAT \SystemRoot\System32\Drivers\afmvbqlk.SYS[HAL.dll!KfRaiseIrql] 000000AF
IAT \SystemRoot\System32\Drivers\afmvbqlk.SYS[HAL.dll!KfLowerIrql] 0000009C
IAT \SystemRoot\System32\Drivers\afmvbqlk.SYS[HAL.dll!HalGetInterruptVector] 000000A4
IAT \SystemRoot\System32\Drivers\afmvbqlk.SYS[HAL.dll!HalTranslateBusAddress] 00000072
IAT \SystemRoot\System32\Drivers\afmvbqlk.SYS[HAL.dll!KeStallExecutionProcessor] 000000C0
IAT \SystemRoot\System32\Drivers\afmvbqlk.SYS[HAL.dll!KfReleaseSpinLock] 000000B7
IAT \SystemRoot\System32\Drivers\afmvbqlk.SYS[HAL.dll!READ_PORT_BUFFER_USHORT] 000000FD
IAT \SystemRoot\System32\Drivers\afmvbqlk.SYS[HAL.dll!READ_PORT_USHORT] 00000093
IAT \SystemRoot\System32\Drivers\afmvbqlk.SYS[HAL.dll!WRITE_PORT_BUFFER_USHORT] 00000026
IAT \SystemRoot\System32\Drivers\afmvbqlk.SYS[HAL.dll!WRITE_PORT_UCHAR] 00000036
IAT \SystemRoot\System32\Drivers\afmvbqlk.SYS[WMILIB.SYS!WmiSystemControl] 000000F7
IAT \SystemRoot\System32\Drivers\afmvbqlk.SYS[WMILIB.SYS!WmiCompleteRequest] 000000CC
---- User IAT/EAT - GMER 1.0.15 ----
IAT C:\WINNT\Explorer.EXE[1824] @ C:\WINNT\Explorer.EXE [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINNT\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1824] @ C:\WINNT\system32\ADVAPI32.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINNT\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1824] @ C:\WINNT\system32\RPCRT4.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINNT\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1824] @ C:\WINNT\system32\Secur32.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINNT\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1824] @ C:\WINNT\system32\GDI32.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINNT\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1824] @ C:\WINNT\system32\USER32.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINNT\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1824] @ C:\WINNT\system32\msvcrt.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINNT\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1824] @ C:\WINNT\system32\ole32.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINNT\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1824] @ C:\WINNT\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINNT\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1824] @ C:\WINNT\system32\CRYPT32.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINNT\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1824] @ C:\WINNT\system32\NETAPI32.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINNT\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1824] @ C:\WINNT\system32\WININET.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINNT\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1824] @ C:\WINNT\system32\SHELL32.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINNT\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1824] @ C:\WINNT\system32\USERENV.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINNT\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1824] @ C:\WINNT\system32\iphlpapi.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINNT\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1824] @ C:\WINNT\system32\WS2_32.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINNT\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1824] @ C:\WINNT\system32\WS2HELP.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINNT\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
---- Devices - GMER 1.0.15 ----
Device \FileSystem\Ntfs \Ntfs 8AFA01F8
AttachedDevice \FileSystem\Ntfs \Ntfs symsnap.sys (StorageCraft Volume Snap-Shot/StorageCraft)
AttachedDevice \FileSystem\Ntfs \Ntfs SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)
Device \Driver\usbuhci \Device\USBPDO-0 8ADF01F8
Device \Driver\dmio \Device\DmControl\DmIoDaemon 8AFFE1F8
Device \Driver\dmio \Device\DmControl\DmConfig 8AFFE1F8
Device \Driver\dmio \Device\DmControl\DmPnP 8AFFE1F8
Device \Driver\dmio \Device\DmControl\DmInfo 8AFFE1F8
Device \Driver\usbuhci \Device\USBPDO-1 8ADF01F8
Device \Driver\usbuhci \Device\USBPDO-2 8ADF01F8
Device \Driver\NetBT \Device\NetBT_Tcpip_{BD2E7768-F552-499A-A064-E0609FDBD59C} 881941F8
Device \Driver\usbehci \Device\USBPDO-3 8ADEF1F8
Device \Driver\usbuhci \Device\USBPDO-4 8ADF01F8
Device \Driver\usbuhci \Device\USBPDO-5 8ADF01F8
Device \Driver\usbehci \Device\USBPDO-6 8ADEF1F8
Device \Driver\Ftdisk \Device\HarddiskVolume1 8AFA21F8
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 snapman.sys (Acronis Snapshot API/Acronis)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 symsnap.sys (StorageCraft Volume Snap-Shot/StorageCraft)
Device \Driver\usbuhci \Device\USBPDO-7 8ADF01F8
Device \Driver\Ftdisk \Device\HarddiskVolume2 8AFA21F8
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 snapman.sys (Acronis Snapshot API/Acronis)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 symsnap.sys (StorageCraft Volume Snap-Shot/StorageCraft)
Device \Driver\Cdrom \Device\CdRom0 8ACB31F8
Device \Driver\Cdrom \Device\CdRom1 8ACB31F8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 [B9DE1B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdePort0 [B9DE1B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdePort1 [B9DE1B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdePort2 [B9DE1B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdePort3 [B9DE1B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e [B9DE1B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\Cdrom \Device\CdRom2 8ACB31F8
Device \Driver\NetBT \Device\NetBt_Wins_Export 881941F8
Device \Driver\NetBT \Device\NetbiosSmb 881941F8
Device \Driver\PCI_PNP7646 \Device\0000005a spdp.sys
Device \Driver\sptd \Device\2304490146 spdp.sys
Device \Driver\usbuhci \Device\USBFDO-0 8ADF01F8
Device \Driver\usbuhci \Device\USBFDO-1 8ADF01F8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 8816A1F8
Device \Driver\usbuhci \Device\USBFDO-2 8ADF01F8
Device \Driver\NetBT \Device\NetBT_Tcpip_{3238F843-2BDD-4C3E-A609-C34BF3A7C8A2} 881941F8
Device \FileSystem\MRxSmb \Device\LanmanRedirector 8816A1F8
Device \Driver\usbehci \Device\USBFDO-3 8ADEF1F8
Device \Driver\usbuhci \Device\USBFDO-4 8ADF01F8
Device \Driver\Ftdisk \Device\FtControl 8AFA21F8
Device \Driver\usbuhci \Device\USBFDO-5 8ADF01F8
Device \Driver\usbuhci \Device\USBFDO-6 8ADF01F8
Device \Driver\usbehci \Device\USBFDO-7 8ADEF1F8
Device \Driver\afmvbqlk \Device\Scsi\afmvbqlk1Port5Path0Target0Lun0 8AC70500
Device \Driver\afmvbqlk \Device\Scsi\afmvbqlk1 8AC70500
Device \FileSystem\Cdfs \Cdfs 881B7500
---- Registry - GMER 1.0.15 ----
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 C:\Program Files\Alcohol Soft\Alcohol 120\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x50 0x57 0xB0 0x18 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@ujdew 0x07 0x5C 0xAF 0x73 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40@ujdew 0x4B 0x1C 0x83 0xFD ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 C:\Program Files\Alcohol Soft\Alcohol 120\
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x50 0x57 0xB0 0x18 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@ujdew 0x07 0x5C 0xAF 0x73 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40@ujdew 0x4B 0x1C 0x83 0xFD ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{8C0B0701-6A33-7AD8-CDD1-91A3D55087AC}
---- EOF - GMER 1.0.15 ----
sjpritch25 (Moderator & Malware Removal Specialist)
09-Nov-2009, 08:12 PM #5
Okay, you have a pretty nasty rootkit on your system.

Do you have a Windows XP re-installation disc? I only ask because we might need it later.

You must install Recovery Console when prompted by Combofix.


Download Combofix from this webpage: http://www.bleepingcomputer.com/comb...o-use-combofix

**Note: It is important that it is saved directly to your desktop**

--------------------------------------------------------------------

1. Close any open browsers.

2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.


--------------------------------------------------------------------

Double click on combofix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
Note:
Do not mouse-click ComboFix's window while it's running; that may cause it to stall.
Test001 (Member with 41 posts)
09-Nov-2009, 08:23 PM #6
Thanks for the reply...

I will have to look for the disk...

I am familiar with ComboFix; I will do that right now. Just curious: what line or lines are flagging in your findings? I just spent an hour going over my HijackThis log and made a couple of fixes to the "(file missing)" entries and all the Roxio entries. I do not have Roxio on my system.

I will do the combo now and reply with findings...

Thanks..
sjpritch25 (Moderator & Malware Removal Specialist)
09-Nov-2009, 08:39 PM #7
Quote:
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 [B9DE1B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdePort0 [B9DE1B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdePort1 [B9DE1B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdePort2 [B9DE1B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdePort3 [B9DE1B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e [B9DE1B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
New variant of TDSS that infects your IDE controller system file. You might have the nasty version, but ComboFix will tell us for sure if you do.
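GMER's Device lines carry the driver object, the device object, and either a dispatch address or the module and PE section that address resolves to; the quoted atapi.sys lines are the case where GMER finds the handler at B9DE1B40 but cannot place it in any section of the driver image. The script below is an added example, not the moderator's tool and not part of GMER: it groups SSDT hooks by the hooking module, and treats spdp.sys/sptd.sys as a known product driver because the log's Registry section ties the sptd service to Alcohol 120% (an assumption encoded in KNOWN_HOOKERS, not something GMER decides), and it raises an alert only for the pattern quoted above. The sample lines are constructed to match the shapes of the posted log.

```python
"""Classify the lines of a GMER rootkit-scan log the way a reviewer does by hand.

Added example; not part of the original thread and not a GMER component.
A line is alarming when a Microsoft system driver's device objects dispatch
to an address GMER cannot place in any section of that driver's image
("[unknown section]"): the handler is not code that was mapped from the file
on disk. SSDT hooks are attributed to the hooking module so that hooks from
a known product driver can be separated from the rest.
"""
import re
from collections import defaultdict

# Assumption taken from the posted log's Registry section, where the sptd
# service is configured for Alcohol 120%: spdp.sys/sptd.sys hooks belong to
# that product, not to the infection under investigation.
KNOWN_HOOKERS = {"spdp.sys", "sptd.sys"}

_SSDT = re.compile(r"^SSDT\s+(\S+)\s+(Zw\w+)")
_DEVICE = re.compile(r"^Device\s+(\\(?:Driver|FileSystem)\\\S+)\s+(\S+)\s+(.*)$")
# "[B9DE1B40] atapi.sys[unknown section] {...}" -> handler address and module
_UNKNOWN_SECTION = re.compile(r"\[([0-9A-F]{8})\]\s+([^\[\s]+)\[unknown section\]")


def classify(log_text: str) -> dict:
    """Return SSDT hooks grouped by module and device objects with unplaceable handlers."""
    out = {"ssdt_by_module": defaultdict(list), "unknown_section": [], "devices": 0}
    for raw in log_text.splitlines():
        line = raw.strip()
        m = _SSDT.match(line)
        if m:
            out["ssdt_by_module"][m.group(1)].append(m.group(2))
            continue
        m = _DEVICE.match(line)
        if not m:
            continue
        out["devices"] += 1
        driver, device, detail = m.groups()
        u = _UNKNOWN_SECTION.search(detail)
        if u:
            out["unknown_section"].append(
                {"driver": driver, "device": device, "handler": u.group(1), "module": u.group(2)}
            )
    return out


def verdict(result: dict) -> list:
    """Turn the classification into reviewer notes, worst finding last."""
    notes = []
    for module, calls in result["ssdt_by_module"].items():
        who = "known product driver" if module.lower() in KNOWN_HOOKERS else "UNKNOWN module"
        notes.append(f"SSDT: {module} hooks {len(calls)} Zw* calls ({who})")
    hits = result["unknown_section"]
    if hits:
        modules = ", ".join(sorted({h["module"] for h in hits}))
        handlers = ", ".join(sorted({h["handler"] for h in hits}))
        notes.append(
            f"ALERT: {len(hits)} device objects of {modules} dispatch to {handlers} "
            "outside any section of the driver image; the driver is patched on disk or in memory"
        )
    return notes


# Constructed sample: same line shapes as the posted GMER log, not the full log.
SAMPLE_GMER = r"""
SSDT spdp.sys ZwCreateKey [0xB9EAB0E0]
SSDT spdp.sys ZwEnumerateKey [0xB9EC8CA2]
SSDT spdp.sys ZwOpenKey [0xB9EAB0C0]
Device \FileSystem\Ntfs \Ntfs 8AFA01F8
AttachedDevice \FileSystem\Ntfs \Ntfs SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)
Device \Driver\usbuhci \Device\USBPDO-0 8ADF01F8
Device \Driver\atapi \Device\Ide\IdePort0 [B9DE1B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 [B9DE1B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\sptd \Device\2304490146 spdp.sys
"""

if __name__ == "__main__":
    for note in verdict(classify(SAMPLE_GMER)):
        print(note)
```

The useful property of the alert is that it does not depend on the driver's name or on a signature: any driver whose device objects all share one handler that GMER cannot map to a section of the loaded image gets reported, which is why the same check would also have caught an infected miniport other than atapi.sys.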
Test001
Member with 41 posts.
Join Date: Nov 2009
09-Nov-2009, 08:57 PM #8
Thanks.. So many things to look for....

Correct me if I am wrong, but shouldn't I have only one svchost.exe? I am showing 2. Please let me know your thoughts in regards to both of these reports (ComboFix / HijackThis).

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:50:33 PM, on 11/9/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Intel\WiFi\bin\S24EvMon.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\system32\spoolsv.exe
c:\program files\idt\xpm09_6047v002\wdm\STacSV.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINNT\System32\dllhost.exe
C:\WINNT\system32\CTsvcCDA.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\Intel\WiFi\bin\EvtEng.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Microsoft SQL Server\MSSQL$ACT7\Binn\sqlservr.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\WINNT\BCMSMMSG.exe
C:\Program Files\DellTPad\Apoint.exe
C:\WINNT\system32\AESTFltr.exe
C:\Program Files\IDT\WDM\sttray.exe
C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Intel\WiFi\bin\ZCfgSvc.exe
C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\DellTPad\ApMsgFwd.exe
C:\Program Files\DellTPad\Apntex.exe
C:\Program Files\DellTPad\HidFind.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINNT\System32\wbem\unsecapp.exe
C:\WINNT\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Act.UI.InternetExplorer.Plugins.AttachFile.CAttachFile - {D5233FCD-D258-4903-89B8-FB1568E7413D} - mscoree.dll (file missing)
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: SmartSelect - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [Trirot] Trirot.exe
O4 - HKLM\..\Run: [XGIWatchDog] C:\Program Files\XGI\XWatDog.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\DellTPad\Apoint.exe
O4 - HKLM\..\Run: [AESTFltr] %SystemRoot%\system32\AESTFltr.exe /NoDlg
O4 - HKLM\..\Run: [SysTrayApp] %ProgramFiles%\IDT\WDM\sttray.exe
O4 - HKLM\..\Run: [BlackBerryAutoUpdate] C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe /background
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\WiFi\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe" /tf Intel Wireless Tray
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [RegServer] regserve.exe
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKUS\S-1-5-18\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O8 - Extra context menu item: Append Link Target to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Append to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert Link Target to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINNT\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINNT\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.rapmls.com
O16 - DPF: {106E49CF-797A-11D2-81A2-00E02C015623} (AlternaTIFF ActiveX) - http://www.alternatiff.com/install-ie/alttiff.cab
O16 - DPF: {2EDF75C0-5ABD-49f9-BAB6-220476A32034} (System Requirements Lab) - http://intel-drv-cdn.systemrequireme...eqlab_srlx.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/WalgreensActivia.cab
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - https://www-secure.symantec.com/tech...bs/tgctlsr.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.mail.live.com/mail/w1/re...s/MSNPUpld.cab
O16 - DPF: {5AE58FCF-6F6A-49B2-B064-02492C66E3F4} (MUCatalogWebControl Class) - http://catalog.update.microsoft.com/...?1243218437625
O16 - DPF: {6C269571-C6D7-4818-BCA4-32A035E8C884} (Creative Software AutoUpdate) - http://ccfiles.creative.com/Web/soft...01/CTSUEng.cab
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/...Uploader55.cab
O16 - DPF: {8569D715-FF88-44BA-8D1D-AD3E59543DDE} (ActiveReports Viewer2) - http://ml.sitexdata.com/mortgageleads/arview2.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {DF05D910-DC8E-403A-93B0-5C866F3200D1} (PtClickLoan Control) - https://www.clickloan.com/CAB/PtClic...tClickLoan.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://naasystem.webex.com/client/T...ex/ieatgpc.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://ccfiles.creative.com/Web/soft...5108/CTPID.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O20 - AppInit_DLLs: C:\WINNT\system32\acaptuser32.dll
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINNT\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINNT\system32\ati2sgag.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINNT\system32\CTsvcCDA.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel(R) Corporation - C:\Program Files\Intel\WiFi\bin\EvtEng.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel(R) Corporation - C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: Intel(R) PROSet/Wireless WiFi Service (S24EventMonitor) - Intel(R) Corporation - C:\Program Files\Intel\WiFi\bin\S24EvMon.exe
O23 - Service: Audio Service (STacSV) - IDT, Inc. - c:\program files\idt\xpm09_6047v002\wdm\STacSV.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
--
End of file - 12228 bytes


ComboFix 09-11-08.03 - Matt 11/09/2009 16:37.1.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3067.2414 [GMT -8:00]
Running from: c:\documents and settings\Matt\Desktop\ComboFix.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\All Users.WINNT\Start Menu\Programs\ACT! 2006
c:\documents and settings\All Users.WINNT\Start Menu\Programs\ACT! 2006 \ACT! 2006 .lnk
c:\documents and settings\All Users.WINNT\Start Menu\Programs\ACT! 2006 \Read Me.lnk
c:\documents and settings\All Users.WINNT\Start Menu\Programs\ACT! 2006 \Uninstall.lnk
c:\documents and settings\All Users.WINNT\Start Menu\Programs\ACT! 2006 \User Guide.lnk
C:\Images
c:\winnt\01a5b801-10aa-4023-998d-a31986c9a740.ocx
c:\winnt\f96ac0e5-19d2-42c5-8f68-eb7a99861769.ocx
c:\winnt\patchw32.dll
c:\winnt\pw32a.dll
c:\winnt\system32\2d2ca2ce-704a-428c-8cbe-0736b29190aa.dll
c:\winnt\system32\43f1c37a-c8ee-40c4-ae97-245883ef2153.dll
c:\winnt\Web\default.htt
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Service_IAS

((((((((((((((((((((((((( Files Created from 2009-10-10 to 2009-11-10 )))))))))))))))))))))))))))))))
.
2009-11-04 17:05 . 2009-11-04 17:12 -------- d-----w- c:\documents and settings\Matt\SecurityScans
2009-11-04 17:05 . 2009-11-04 17:05 -------- d-----w- c:\program files\Microsoft Baseline Security Analyzer 2
2009-11-04 16:56 . 2009-11-04 16:57 -------- d-----w- c:\program files\MagicDisc
2009-11-04 16:56 . 2009-02-25 02:42 116736 ----a-w- c:\winnt\system32\drivers\mcdbus.sys
2009-11-02 19:03 . 2009-11-02 19:03 -------- d-----w- c:\program files\Common Files\Intel
2009-11-02 18:59 . 2009-11-02 18:59 -------- d-----w- c:\program files\SystemRequirementsLab
2009-10-31 17:47 . 2009-10-31 17:47 -------- d-----w- c:\program files\Trend Micro
2009-10-31 16:36 . 2009-10-31 16:36 152576 ----a-w- c:\documents and settings\Matt\Application Data\Sun\Java\jre1.6.0_15\lzma.dll
2009-10-31 16:17 . 2009-10-31 16:17 -------- d-----w- c:\program files\Common Files\Sonic Shared
2009-10-31 16:17 . 2009-10-31 16:18 -------- d-----w- c:\program files\Roxio
2009-10-29 17:13 . 2009-10-29 17:13 -------- d-----w- c:\documents and settings\All Users.WINNT\Application Data\InstallShield
2009-10-29 17:13 . 2009-10-29 17:13 -------- d-----w- c:\documents and settings\All Users.WINNT\Application Data\Sonic
2009-10-29 17:12 . 2009-10-31 16:17 -------- d-----w- c:\documents and settings\All Users.WINNT\Application Data\Roxio
2009-10-29 16:45 . 2009-10-29 16:45 -------- d-----w- c:\documents and settings\Matt\Application Data\Blackberry Desktop
2009-10-29 16:32 . 2009-10-29 17:21 256 ----a-w- c:\winnt\system32\pool.bin
2009-10-29 16:32 . 2009-10-29 16:32 -------- d-----w- c:\documents and settings\Matt\Application Data\Research In Motion
2009-10-29 15:55 . 2009-10-31 16:04 -------- d-----w- c:\documents and settings\All Users.WINNT\Application Data\Research In Motion
2009-10-29 15:52 . 2009-01-09 23:18 27136 ----a-r- c:\winnt\system32\drivers\RimSerial.sys
2009-10-29 15:52 . 2009-10-31 16:19 -------- d-----w- c:\program files\Common Files\Roxio Shared
2009-10-29 15:51 . 2009-10-29 15:52 -------- d-----w- c:\program files\Common Files\Research In Motion
2009-10-29 15:51 . 2009-10-29 15:55 -------- d-----w- c:\program files\Research In Motion
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-09 19:09 . 2005-08-11 22:14 12260 ----a-w- c:\winnt\system32\Fxxplfnt.tmp
2009-11-09 15:17 . 2008-06-10 21:44 -------- d-----w- c:\documents and settings\All Users.WINNT\Application Data\Google Updater
2009-11-08 06:14 . 2009-10-08 03:57 -------- d-----w- c:\documents and settings\Matt\Application Data\vlc
2009-11-04 17:28 . 2007-08-18 19:51 -------- d-----w- c:\documents and settings\All Users.WINNT\Application Data\Microsoft Help
2009-11-02 19:03 . 2009-05-17 02:12 -------- d-----w- c:\program files\Intel
2009-10-31 17:15 . 2005-05-25 00:04 94936 ----a-w- c:\documents and settings\Matt\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-31 16:37 . 2009-05-02 15:15 -------- d-----w- c:\program files\Java
2009-10-31 00:43 . 2009-05-14 18:48 -------- d-----w- c:\documents and settings\Matt\Application Data\uTorrent
2009-10-29 17:13 . 2007-03-24 19:56 -------- d-----w- c:\documents and settings\Matt\Application Data\InstallShield
2009-10-27 02:57 . 2009-05-17 06:11 -------- d-----w- c:\documents and settings\Matt\Application Data\BSplayer Pro
2009-10-08 04:22 . 2009-08-24 20:45 -------- d-----w- c:\program files\IDT
2009-10-08 04:18 . 2009-10-08 04:09 660 ----a-w- c:\winnt\system32\drivers\sthdae.log
2009-10-08 04:14 . 2009-10-08 04:13 -------- d-----w- c:\documents and settings\All Users.WINNT\Application Data\DriverScanner
2009-10-08 04:13 . 2009-10-08 04:12 -------- dc-h--w- c:\documents and settings\All Users.WINNT\Application Data\{66E2F539-12B6-4870-A500-7689CDE75C5E}
2009-10-08 04:13 . 2009-10-08 04:13 -------- d-----w- c:\program files\Uniblue
2009-10-08 04:13 . 2009-10-08 04:13 -------- d-----w- c:\documents and settings\Matt\Application Data\Uniblue
2009-10-01 17:11 . 2008-01-19 03:45 -------- d-----w- c:\documents and settings\All Users.WINNT\Application Data\FLEXnet
2009-09-25 05:37 . 2001-08-23 21:00 667136 ----a-w- c:\winnt\system32\wininet.dll
2009-09-25 05:37 . 2005-05-24 22:51 81920 ------w- c:\winnt\system32\ieencode.dll
2009-09-18 04:54 . 2009-04-15 20:52 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-09-18 04:53 . 2008-09-09 05:08 4045528 ----a-w- c:\documents and settings\All Users.WINNT\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-09-13 00:07 . 2009-09-13 00:06 -------- d-----w- c:\documents and settings\All Users.WINNT\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2009-09-13 00:07 . 2009-09-13 00:06 -------- d-----w- c:\program files\iTunes
2009-09-13 00:06 . 2009-09-13 00:06 -------- d-----w- c:\program files\iPod
2009-09-13 00:06 . 2007-12-26 04:26 -------- d-----w- c:\program files\Common Files\Apple
2009-09-13 00:04 . 2009-09-13 00:04 -------- d-----w- c:\program files\QuickTime
2009-09-13 00:00 . 2009-09-13 00:00 79144 ----a-w- c:\documents and settings\All Users.WINNT\Application Data\Apple Computer\Installer Cache\iTunes 9.0.0.70\SetupAdmin.exe
2009-09-12 03:26 . 2009-08-26 18:35 -------- d-----w- c:\program files\PeerBlock
2009-09-11 14:18 . 2001-08-23 21:00 136192 ----a-w- c:\winnt\system32\msv1_0.dll
2009-09-10 21:54 . 2008-09-04 20:45 38224 ----a-w- c:\winnt\system32\drivers\mbamswissarmy.sys
2009-09-10 21:53 . 2008-09-04 20:45 19160 ----a-w- c:\winnt\system32\drivers\mbam.sys
2009-09-04 21:03 . 2001-08-23 21:00 58880 ----a-w- c:\winnt\system32\msasn1.dll
2009-08-28 05:12 . 2009-08-28 05:12 716272 ----a-w- c:\winnt\system32\drivers\sptd.sys
2009-08-26 08:00 . 2001-08-23 21:00 247326 ----a-w- c:\winnt\system32\strmdll.dll
2009-08-18 07:33 . 2009-08-18 07:33 1193832 ----a-w- c:\winnt\system32\FM20.DLL
2005-05-24 21:23 . 2005-05-24 21:23 21952 ---ha-w- c:\program files\folder.htt
2001-09-29 00:00 . 2008-05-22 18:43 164864 ----a-w- c:\program files\UNWISE.EXE
2006-04-11 02:48 . 2006-04-11 02:21 56 --sh--r- c:\winnt\system32\4994F12BB5.sys
2008-08-04 19:50 . 2006-04-11 02:21 1682 --sha-w- c:\winnt\system32\KGyGaAvL.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2008-10-24 206112]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"vptray"="c:\progra~1\SYMANT~1\SYMANT~1\vptray.exe" [2003-04-26 90112]
"XGIWatchDog"="c:\program files\XGI\XWatDog.exe" [2005-03-01 81920]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2007-10-25 167936]
"AESTFltr"="c:\winnt\system32\AESTFltr.exe" [2008-07-11 466944]
"SysTrayApp"="c:\program files\IDT\WDM\sttray.exe" [2008-07-21 442460]
"BlackBerryAutoUpdate"="c:\program files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe" [2009-10-31 623960]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]
"IntelZeroConfig"="c:\program files\Intel\WiFi\bin\ZCfgSvc.exe" [2009-05-21 1372160]
"IntelWireless"="c:\program files\Common Files\Intel\WirelessCommon\iFrmewrk.exe" [2009-05-21 1202448]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-09-05 417792]
"Trirot"="Trirot.exe" - c:\winnt\system32\Trirot.exe [2005-03-01 65536]
"BCMSMMSG"="BCMSMMSG.exe" - c:\winnt\BCMSMMSG.exe [2003-08-29 122880]
"Synchronization Manager"="mobsync.exe" - c:\winnt\system32\mobsync.exe [2008-04-14 143360]
"RegServer"="regserve.exe" - c:\winnt\system32\RegServe.exe [2005-03-01 28672]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"^SetupICWDesktop"="c:\program files\Internet Explorer\Connection Wizard\icwconn1.exe" [2008-04-14 214528]
"tscuninstall"="c:\winnt\system32\tscupgrd.exe" [2004-08-04 44544]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\winnt\system32\acaptuser32.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
[HKLM\~\startupfolder\C:^Documents and Settings^Matt^Start Menu^Programs^Startup^MagicDisc.lnk]
path=c:\documents and settings\Matt\Start Menu\Programs\Startup\MagicDisc.lnk
backup=c:\winnt\pss\MagicDisc.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
R2 MSSQL$ACT7;MSSQL$ACT7;c:\program files\Microsoft SQL Server\MSSQL$ACT7\Binn\sqlservr.exe -sACT7 --> c:\program files\Microsoft SQL Server\MSSQL$ACT7\Binn\sqlservr.exe -sACT7 [?]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [3/25/2008 2:31 PM 24652]
R3 AESTAud;AE Audio Service;c:\winnt\system32\drivers\AESTAud.sys [5/16/2009 8:36 PM 108160]
R3 itecir;ITECIR Infrared Receiver;c:\winnt\system32\drivers\itecir.sys [5/16/2009 6:51 PM 54784]
R3 k57w2k;Broadcom NetLink (TM) Gigabit Ethernet;c:\winnt\system32\drivers\k57xp32.sys [5/16/2009 6:45 PM 174592]
R3 OA001Ufd;Creative Camera OA001 Upper Filter Driver;c:\winnt\system32\drivers\OA001Ufd.sys [5/16/2009 7:27 PM 133472]
R3 OA001Vid;Creative Camera OA001 Function Driver;c:\winnt\system32\drivers\OA001Vid.sys [5/16/2009 7:27 PM 279488]
S3 AWINDIS5;AWINDIS5 Protocol Driver;c:\winnt\system32\AWINDIS5.SYS [8/8/2005 12:08 PM 16194]
S3 hcdriver;EHCI;c:\winnt\system32\drivers\hcdriver.sys [12/2/2005 11:46 AM 46080]
S3 NETGEAR_WG511_SERVICE;NETGEAR WG511T Wireless Adapter Service;c:\winnt\system32\DRIVERS\wg511nd5.sys --> c:\winnt\system32\DRIVERS\wg511nd5.sys [?]
S3 pbfilter;pbfilter;c:\program files\PeerBlock\pbfilter.sys [8/26/2009 10:35 AM 6144]
S3 ptiusbf;PTI USB Filter;c:\winnt\system32\DRIVERS\PTIUSBF.SYS --> c:\winnt\system32\DRIVERS\PTIUSBF.SYS [?]
S3 SQLAgent$ACT7;SQLAgent$ACT7;c:\program files\Microsoft SQL Server\MSSQL$ACT7\Binn\sqlagent.EXE -i ACT7 --> c:\program files\Microsoft SQL Server\MSSQL$ACT7\Binn\sqlagent.EXE -i ACT7 [?]
S3 Xgiv3;Xgiv3;c:\winnt\system32\drivers\Xgiv3m.sys [5/24/2005 2:32 PM 337408]
S4 RT80x86;Ralink 802.11n Wireless Driver;c:\winnt\system32\DRIVERS\RT2860.sys --> c:\winnt\system32\DRIVERS\RT2860.sys [?]
--- Other Services/Drivers In Memory ---
*NewlyCreated* - MBR
*Deregistered* - mbr
.
Contents of the 'Scheduled Tasks' folder
2009-10-17 c:\winnt\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-12 19:34]
2009-11-10 c:\winnt\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-06-10 02:50]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = iexplore
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
Trusted Zone: rapmls.com
Trusted Zone: turbotax.com
DPF: DirectAnimation Java Classes - file://c:\winnt\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\winnt\Java\classes\xmldso.cab
DPF: {2EDF75C0-5ABD-49f9-BAB6-220476A32034} - hxxp://intel-drv-cdn.systemrequirementslab.com/multi/bin/sysreqlab_srlx.cab
.
- - - - ORPHANS REMOVED - - - -
SafeBoot-sglfb.sys
SafeBoot-tga.sys

**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-09 16:46
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net
device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys atapi.sys spbo.sys hal.dll >>UNKNOWN [0x8AFB5938]<<
kernel: MBR read successfully
user & kernel MBR OK
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net
atapi.sys @ 0x0 0x0 bytes
\Driver\atapi [ IRP_MJ_CREATE ] 0xA6F2 != 0xB9DE1B40 atapi.sys
\Driver\atapi [ IRP_MJ_CLOSE ] 0xA6F2 != 0xB9DE1B40 atapi.sys
\Driver\atapi [ IRP_MJ_DEVICE_CONTROL ] 0xA712 != 0xB9DE1B40 atapi.sys
\Driver\atapi [ IRP_MJ_INTERNAL_DEVICE_CONTROL ] 0x6852 != 0xB9DE1B40 atapi.sys
\Driver\atapi [ IRP_MJ_POWER ] 0xA73C != 0xB9DE1B40 atapi.sys
\Driver\atapi [ IRP_MJ_SYSTEM_CONTROL ] 0x11336 != 0xB9DE1B40 atapi.sys
\Driver\atapi IRP hooks detected !
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_USERS\S-1-5-21-1993962763-1844237615-725345543-1000\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{8C0B0701-6A33-7AD8-CDD1-91A3D55087AC}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(672)
c:\winnt\system32\Ati2evxx.dll
- - - - - - - > 'lsass.exe'(728)
c:\winnt\system32\relog_ap.dll
- - - - - - - > 'explorer.exe'(7804)
c:\program files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll
.
------------------------ Other Running Processes ------------------------
.
c:\winnt\system32\Ati2evxx.exe
c:\program files\Intel\WiFi\bin\S24EvMon.exe
c:\winnt\system32\Ati2evxx.exe
c:\program files\idt\xpm09_6047v002\wdm\STacSV.exe
c:\program files\Common Files\Acronis\Schedule2\schedul2.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\winnt\System32\dllhost.exe
c:\winnt\system32\CTsvcCDA.exe
c:\progra~1\SYMANT~1\SYMANT~1\DefWatch.exe
c:\program files\Intel\WiFi\bin\EvtEng.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Microsoft SQL Server\MSSQL$ACT7\Binn\sqlservr.exe
c:\program files\DellTPad\ApMsgFwd.exe
c:\program files\DellTPad\Apntex.exe
c:\program files\DellTPad\HidFind.exe
c:\progra~1\SYMANT~1\SYMANT~1\Rtvscan.exe
c:\program files\Common Files\Intel\WirelessCommon\RegSrvc.exe
c:\winnt\system32\wdfmgr.exe
c:\winnt\System32\wbem\unsecapp.exe
.
**************************************************************************
.
Completion time: 2009-11-10 16:48 - machine was rebooted
ComboFix-quarantined-files.txt 2009-11-10 00:48
Pre-Run: 73,652,191,232 bytes free
Post-Run: 73,616,101,376 bytes free
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINNT
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINNT="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn
- - End Of File - - 11359BDAF49E915784DBAA0416701CC2
Test001
Member with 41 posts.
Join Date: Nov 2009
09-Nov-2009, 08:58 PM #9
Thanks again for taking the time to help with this....
Test001
Member with 41 posts.
Join Date: Nov 2009
09-Nov-2009, 09:15 PM #10
I guess this confirms it???

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net
device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys atapi.sys spbo.sys hal.dll >>UNKNOWN [0x8AFB5938]<<
kernel: MBR read successfully
user & kernel MBR OK
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net
atapi.sys @ 0x0 0x0 bytes
\Driver\atapi [ IRP_MJ_CREATE ] 0xA6F2 != 0xB9DE1B40 atapi.sys
\Driver\atapi [ IRP_MJ_CLOSE ] 0xA6F2 != 0xB9DE1B40 atapi.sys
\Driver\atapi [ IRP_MJ_DEVICE_CONTROL ] 0xA712 != 0xB9DE1B40 atapi.sys
\Driver\atapi [ IRP_MJ_INTERNAL_DEVICE_CONTROL ] 0x6852 != 0xB9DE1B40 atapi.sys
\Driver\atapi [ IRP_MJ_POWER ] 0xA73C != 0xB9DE1B40 atapi.sys
\Driver\atapi [ IRP_MJ_SYSTEM_CONTROL ] 0x11336 != 0xB9DE1B40 atapi.sys
\Driver\atapi IRP hooks detected !
sjpritch25
Moderator & Malware Removal Specialist with 9,113 posts.
Join Date: Sep 2005
Location: Florida
Experience: Advanced
09-Nov-2009, 09:43 PM #11
Yep.
Are you going to be around tonight? If so, we can fix this thing right away.


Open notepad and copy/paste the text in the codebox below into it:
Code:
@echo off
cls
echo................Searching for File..............
echo...............Please be patient................
rem /a lists files regardless of attributes (hidden and system too); /s walks every folder on the drive
dir /a /s "%systemdrive%\atapi.sys" > log.txt
notepad log.txt
rem delete this batch file once the listing is open
del %0
Save this as search.bat
Choose "Save as type: All Files"
Save it on your desktop.

Double-click search.bat and allow it to run.
Test001
Member with 41 posts.
Join Date: Nov 2009
09-Nov-2009, 10:29 PM #12
Volume in drive C has no label.
Volume Serial Number is F49D-410B
Directory of C:\Documents and Settings\Matt\Desktop\1537 XP 32 Drivers\--1537 inf files\Primary IDE Channel
04/14/2008 12:10 AM 96,512 atapi.sys
1 File(s) 96,512 bytes
Directory of C:\Documents and Settings\Matt\Desktop\1537 XP 32 Drivers\--1537 inf files\Primary IDE Channel#1
04/14/2008 12:10 AM 96,512 atapi.sys
1 File(s) 96,512 bytes
Directory of C:\Documents and Settings\Matt\Desktop\1537 XP 32 Drivers\--1537 inf files\Secondary IDE Channel
04/14/2008 12:10 AM 96,512 atapi.sys
1 File(s) 96,512 bytes
Directory of C:\Documents and Settings\Matt\Desktop\1537 XP 32 Drivers\--1537 inf files\Secondary IDE Channel#1
04/14/2008 12:10 AM 96,512 atapi.sys
1 File(s) 96,512 bytes
Directory of C:\WINNT\$NtServicePackUninstall$
08/03/2004 09:59 PM 95,360 atapi.sys
1 File(s) 95,360 bytes
Directory of C:\WINNT\ERDNT\cache
04/13/2008 11:10 PM 96,512 atapi.sys
1 File(s) 96,512 bytes
Directory of C:\WINNT\ServicePackFiles\i386
04/13/2008 11:10 PM 96,512 atapi.sys
1 File(s) 96,512 bytes
Directory of C:\WINNT\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e
04/13/2008 10:40 AM 96,512 atapi.sys
1 File(s) 96,512 bytes
Directory of C:\WINNT\system32\drivers
04/13/2008 11:10 PM 96,512 atapi.sys
1 File(s) 96,512 bytes
Directory of C:\WINNT\system32\ReinstallBackups\0012\DriverFiles\i386
08/03/2004 09:59 PM 95,360 atapi.sys
1 File(s) 95,360 bytes
Directory of C:\WINNT\system32\ReinstallBackups\0021\DriverFiles\i386
08/03/2004 09:59 PM 95,360 atapi.sys
1 File(s) 95,360 bytes
Total Files Listed:
11 File(s) 1,058,176 bytes
0 Dir(s) 73,638,387,712 bytes free


***These were the findings / Thanks***
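A listing like the one above is easier to triage mechanically. The following is an added example (not from the thread, the moderator's script, or GMER): it parses `dir /s` output of that shape, flags copies whose size differs from the copy in `system32\drivers` that Windows actually loads, and keeps a byte-level hash comparison for the situation seen here, where every current candidate has the same size and timestamp and size alone proves nothing. The listing embedded below is a constructed excerpt in the same format.

```python
import hashlib
import re
from collections import defaultdict

# Constructed excerpt in the format of `dir /a /s "%systemdrive%\atapi.sys"` output
SAMPLE = r""" Directory of C:\WINNT\ServicePackFiles\i386
04/13/2008 11:10 PM 96,512 atapi.sys
 1 File(s) 96,512 bytes
 Directory of C:\WINNT\system32\drivers
04/13/2008 11:10 PM 96,512 atapi.sys
 1 File(s) 96,512 bytes
 Directory of C:\WINNT\$NtServicePackUninstall$
08/03/2004 09:59 PM 95,360 atapi.sys
 1 File(s) 95,360 bytes
"""

DIR_RE = re.compile(r"^\s*Directory of (.+?)\s*$")
# Date, time, size (with thousands separators), name; "<DIR>" rows and summary rows do not match
FILE_RE = re.compile(r"^\s*(\d{2}/\d{2}/\d{4})\s+(\d{2}:\d{2} [AP]M)\s+([\d,]+)\s+(.+?)\s*$")

def parse_dir_output(text):
    """Return a list of (full_path, date, time, size_in_bytes) for every file row."""
    entries, current_dir = [], None
    for line in text.splitlines():
        m = DIR_RE.match(line)
        if m:
            current_dir = m.group(1)
            continue
        m = FILE_RE.match(line)
        if m and current_dir:
            date, time, size, name = m.groups()
            entries.append((current_dir + "\\" + name, date, time, int(size.replace(",", ""))))
    return entries

def group_by_size(entries):
    """Map each distinct size to the paths that have it, to see which copies agree."""
    groups = defaultdict(list)
    for path, _, _, size in entries:
        groups[size].append(path)
    return dict(groups)

def triage(entries):
    """Return the loaded copy (system32\\drivers) and every copy whose size differs from it."""
    active = next((e for e in entries
                   if e[0].lower().endswith("\\system32\\drivers\\atapi.sys")), None)
    if active is None:
        return None, []
    return active, [e for e in entries if e[3] != active[3]]

def same_content(a: bytes, b: bytes) -> bool:
    """Equal size and timestamp do not prove equal content; compare the actual bytes."""
    return hashlib.sha256(a).digest() == hashlib.sha256(b).digest()
```

Pass `open(path, "rb").read()` of the loaded driver and of the `ServicePackFiles\i386` copy to `same_content` when the files themselves are at hand; a mismatch between two copies of identical size is the case worth following up.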
Test001's Avatar
Member with 41 posts.
 
Join Date: Nov 2009
09-Nov-2009, 10:30 PM #13
Forgot to also attach the file..

Here it is..
Test001's Avatar
Member with 41 posts.
 
Join Date: Nov 2009
09-Nov-2009, 10:37 PM #14
FYI...

The reason you see the drivers on the desktop is because I purchased this DELL STUDIO 1537 and it came with Vista. Dell does not support XP on this system and I wanted XP Pro, so I had to find all the drivers myself in order to make it work. I found a few sites where others had the same issues, and many techs created tutorials with all the drivers; I downloaded that and have been using the system for the last 8 months with no issues. It is still very fast, but over the last 3 weeks the boot hangs as previously mentioned.

Look..
http://www.samsware.com/Downloads/32...tion-Guide.pdf (This is just a pdf)

I keep the drivers on my desktop because I have been uninstalling and reinstalling the video drivers and sound drivers. The sound is horrible on the system and I was looking for an alternative, etc. That is why the drivers folder is on the desktop.
Test001's Avatar
Member with 41 posts.
 
Join Date: Nov 2009
09-Nov-2009, 10:41 PM #15
Also, this is a SATA drive, not IDE.
Copyright © 1996 - 2011 TechGuy, Inc. All rights reserved.