
Hello;
First off, a repeated thank you for past assists (can't get my old ID back, so this is a new one).
I followed the sticky (Read this and follow before posting...) and have run into trouble. ATF cleaning went well, GMER scan OK, MBAM won't run, my antivirus program won't run (avast with same-day update; removed that and downloaded AVG, it won't run either).

I've had to do a system restore just to get Windows to function; MS's tool only came up with aleuron.h.

Any search I try for removing this just leads to antivirus programs. Prior to doing the system restore, Windows wouldn't function at all: a cmd window would appear on the desktop with an error message about an invalid line in one of the Windows NTFS files and everything would just be locked up. I only got this working by rebooting into safe mode followed by the restore.
Any input on how to kill this one is appreciated. Thank you.

2 Contributors, 13 Replies, 14 Views, 7 Years Discussion Span, Last Post by jholland1964

First log file from GMER, the second run of it would not complete.

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit quick scan 2010-09-10 21:47:16
Windows 5.1.2600 Service Pack 2
Running: 8m1rnt6n.exe; Driver: C:\DOCUME~1\HP_Owner\LOCALS~1\Temp\fxliiaow.sys


---- Devices - GMER 1.0.15 ----

Device -> \Driver\atapi \Device\Harddisk0\DR0 86C4CEC5

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----


DDS (Ver_10-03-17.01) - NTFSx86
Run by HP_Owner at 20:32:03.98 on Sat 09/25/2010
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1023.279 [GMT -4:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\hphmon06.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\system32\EloSrvce.exe
C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe
C:\Program Files\EPSON\EPuras\EPurasLog.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\EloDkMon.exe
C:\WINDOWS\system32\EloTTray.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\EPSON\EPuras\EPuras.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\HP_Owner\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearch Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q105&bd=pavilion&pf=desktop
uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q105&bd=pavilion&pf=desktop
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q105&bd=pavilion&pf=desktop
uSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q105&bd=pavilion&pf=desktop
mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q105&bd=pavilion&pf=desktop
mDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q105&bd=pavilion&pf=desktop
mSearch Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q105&bd=pavilion&pf=desktop
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q105&bd=pavilion&pf=desktop
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q105&bd=pavilion&pf=desktop
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 6.0\reader\activex\AcroIEHelper.dll
TB: HP view: {b2847e28-5d7d-4deb-8b67-05d28bcf79f5} - c:\program files\hp\digital imaging\bin\HPDTLK02.dll
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [SunJavaUpdateSched] c:\program files\java\j2re1.4.2_03\bin\jusched.exe
mRun: [hpsysdrv] c:\windows\system\hpsysdrv.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [HPHUPD06] c:\program files\hp\{aac4fc36-8f89-4587-8dd3-ebc57c83374d}\hphupd06.exe
mRun: [HPHmon06] c:\windows\system32\hphmon06.exe
mRun: [KBD] c:\hp\kbd\KBD.EXE
mRun: [iTunesHelper] c:\program files\itunes\iTunesHelper.exe
mRun: [Recguard] c:\windows\sminst\RECGUARD.EXE
mRun: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
mRun: [Reminder] "c:\windows\creator\Remind_XP.exe"
mRun: [DXDllRegExe] c:\windows\system32\dxdllreg.exe
mRun: [HP Component Manager] "c:\program files\hp\hpcoretech\hpcmpmgr.exe"
mRun: [AlcxMonitor] ALCXMNTR.EXE
mRun: [PS2] c:\windows\system32\ps2.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
StartupFolder: c:\documents and settings\hp_owner\start menu\programs\startup\chkntfs.exe
StartupFolder: c:\docume~1\hp_owner\startm~1\programs\startup\hporga~1.lnk - c:\program files\hewlett-packard\hp organize\bin\displayAgent.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\pcdvr-~2.lnk - c:\program files\pcdvr-4-net\pcdvr-4-net\SuperDVR.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\update~1.lnk - c:\program files\updates from hp\309731\program\Updates from HP.exe
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office11\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {08B0E5C0-4FCB-11CF-AAA5-00401C608501}
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office11\REFIEBAR.DLL
DPF: {1663ED61-23EB-11D2-B92F-008048FDD814} - hxxp://192.168.0.3/ScriptX.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {9F3B4DE4-AA29-11D1-A3D9-FDA4E35D1D25} - hxxp://192.168.0.3/io.cab
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
Notify: igfxcui - igfxsrvc.dll
SEH: {FA010552-4A27-4cb1-A1BB-3E2D697F1639} - No File

============= SERVICES / DRIVERS ===============

R2 EPSON TM Parallel Port Driver;EPSON TM Parallel Port Driver;c:\windows\system32\drivers\tmlpt.sys [2010-1-20 18696]
R2 EpsonPuras;Epson Puras Service;c:\program files\epson\epuras\EPuras.exe [2010-1-20 376832]
R2 EpsonPurasLog;Epson Puras Log Service;c:\program files\epson\epuras\EPurasLog.exe [2010-1-20 176128]
R2 Esdpdx01;Esdpdx01;c:\windows\system32\drivers\ESDPDX01.SYS [2003-1-19 95449]
R3 DS2490;DS2490 (USB Host for 1-Wire Network);c:\windows\system32\drivers\DS2490.sys [2010-3-27 58852]
R3 EloBus;Elobus Filter Driver;c:\windows\system32\drivers\EloBus.sys [2010-3-27 14848]
R3 EloSer;Elo Serial Driver;c:\windows\system32\drivers\EloSer.Sys [2010-3-27 47104]
R3 TD3004F60v;TD3004F60v;c:\windows\system32\drivers\TD3004F60v.sys [2010-5-25 15174]

=============== Created Last 30 ================

2010-09-25 18:52:52 40840 ----a-w- c:\windows\system32\drivers\ulyltxrf.sys
2010-09-25 17:32:10 0 d-----w- C:\eda6bfaf30e004026a3863102b14
2010-09-25 16:45:35 0 d-----w- c:\windows\system32\wbem\Repository
2010-09-23 16:53:01 0 d-sh--w- C:\found.000
2010-09-19 18:58:01 38848 ----a-w- c:\windows\avastSS.scr
2010-09-19 18:57:52 0 d-----w- c:\docume~1\alluse~1\applic~1\Alwil Software
2010-09-18 15:52:49 0 d-----w- c:\docume~1\hp_owner\applic~1\Malwarebytes
2010-09-18 15:51:20 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-09-18 15:51:19 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-09-18 15:51:19 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-09-18 15:51:19 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-09-11 18:48:19 0 d-----w- C:\a7a6885ce1d2ac0bd6a252201230aedd
2010-09-11 01:32:41 0 d-----w- c:\windows\system32\MpEngineStore
2010-09-11 01:12:02 114 ----atw- c:\documents and settings\hp_owner\æ
2010-08-29 17:21:23 664 ----a-w- c:\windows\system32\d3d9caps.dat

==================== Find3M ====================

2010-09-25 18:59:21 3645 ----a-w- c:\windows\viassary-hp.reg
2010-09-05 16:35:52 4272 ----a-w- c:\docume~1\hp_owner\applic~1\wklnhst.dat

============= FINISH: 20:33:35.31 ===============

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_10-03-17.01)

Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume2
Install Date: 8/7/2006 8:40:01 PM
System Uptime: 9/25/2010 5:42:42 PM (3 hours ago)

Motherboard: ASUSTeK Computer INC. | | 'P4SD-LA'
Processor: Intel(R) Celeron(R) CPU 2.93GHz | CPU 1 | 2933/133mhz

==== Disk Partitions =========================

A: is Removable
C: is FIXED (NTFS) - 86 GiB total, 67.077 GiB free.
D: is FIXED (FAT32) - 7 GiB total, 1.788 GiB free.
E: is CDROM ()
F: is CDROM (CDFS)
H: is Removable
I: is Removable
J: is Removable
K: is Removable

==== Disabled Device Manager Items =============

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Realtek RTL8139/810x Family Fast Ethernet NIC
Device ID: ROOT\NET\0000
Manufacturer: Realtek Semiconductor Corp.
Name: Realtek RTL8139/810x Family Fast Ethernet NIC #2
PNP Device ID: ROOT\NET\0000
Service: RTL8023xp

==== System Restore Points ===================

RP253: 9/4/2010 3:01:05 PM - System Checkpoint
RP254: 9/6/2010 11:25:44 AM - System Checkpoint
RP255: 9/7/2010 9:46:15 PM - System Checkpoint
RP256: 9/11/2010 2:39:04 PM - System Checkpoint
RP257: 9/11/2010 10:11:31 PM - Restore Operation
RP258: 9/13/2010 2:37:27 PM - System Checkpoint
RP259: 9/14/2010 3:15:58 PM - System Checkpoint
RP260: 9/17/2010 7:22:28 PM - System Checkpoint
RP261: 9/18/2010 10:19:14 PM - System Checkpoint
RP262: 9/19/2010 2:57:52 PM - avast! Free Antivirus Setup
RP263: 9/24/2010 8:07:56 PM - System Checkpoint
RP264: 9/25/2010 12:33:15 PM - Restore Operation
RP265: 9/25/2010 12:44:44 PM - Restore Operation
RP266: 9/25/2010 3:06:28 PM - Configured PC-Doctor for Windows

==== Installed Programs ======================

5500
5500_Help
5500Tour
5500Trb
Adobe Acrobat - Reader 6.0.2 Update
Adobe Flash Player 10 ActiveX
Adobe Reader 6.0.1
Agere Systems PCI Soft Modem
AiO_Scan
AiOSoftware
BufferChm
CameraDrivers
Copy
CP_AtenaShokunin1Config
cp_dwSharkTaleAlbums1
cp_dwSharkTaleCards1
cp_dwShrek2Albums1
cp_dwShrek2Cards1
CP_PLSBusinessFlyers
CreativeProjects
CreativeProjectsTemplates
CueTour
CustomerResearchQFolder
D1300
D1300_Help
Destinations
DeviceManagementQFolder
DocProc
DocumentViewer
e-Range G2 Prepaid Range System
Elo XP Universal Driver
EPSON Advanced Printer Driver
EPSON APD4 Sample&Manual
eSupportQFolder
Fax
GoToMeeting 4.5.0.456
Help and Support Additions
HP Customer Participation Program 7.0
HP Deskjet Preloaded Printer Drivers
HP Image Zone 4.5.3
HP Image Zone Plus 4.5.3
HP Imaging Device Functions 7.0
HP Organize
HP Photosmart and Deskjet 7.0 Software
HP Photosmart Cameras 4.0
HP Photosmart Essential
HP PSC & OfficeJet 4.2
HP Software Update
HP Solution Center 7.0
hph_ProductContext
hph_readme
hph_software
hph_software_req
HPIZplus450
hpmdtab
HPPhotoSmartExpress
HPProductAssistant
HpSdpAppCoreApp
HPSystemDiagnostics
InstantShare
Intel(R) Extreme Graphics Driver
IntelliMover Data Transfer Demo
InterVideo DiscLabel
InterVideo WinDVD Creator
InterVideo WinDVD Player
iTunes
Java 2 Runtime Environment, SE v1.4.2_03
KBD
MarketResearch
Memories Disc Creator 2.0
Microsoft .NET Framework 1.1
Microsoft Office Standard Edition 2003
Microsoft Plus! Dancer LE
Microsoft Plus! Digital Media Edition Installer
Microsoft Plus! Photo Story 2 LE
Microsoft Web Publishing Wizard 1.52
Microsoft Works
MSN
Overland
PanoStandAlone
PC DVR-4-Net
PhotoGallery
Photosmart 320,370,7400,8100,8400 Series
PrintScreen
ProductContext
PS2
PSPrinters06
QFolder
QuickProjects
QuickTime
Readme
Scan
Shockwave
SkinsHP1
SkinsHP2
SolutionCenter
Special Internet Offers
Status
The Print Shop 20
The Print Shop Premium Fonts
Toolbox
TrayApp
Unload
Updates from HP
WebFldrs XP
WebReg
Windows Media Format Runtime
Windows Media Player 10
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB883667
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888239
Windows XP Hotfix - KB890175

==== Event Viewer Messages From Past Week ========

9/25/2010 12:31:18 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: Aavmker4 AFD aswSP aswTdi Fips intelppm IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss Tcpip
9/25/2010 12:31:18 PM, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error: A device attached to the system is not functioning.
9/25/2010 12:31:18 PM, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
9/25/2010 12:31:18 PM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
9/25/2010 12:31:18 PM, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.
9/25/2010 12:30:42 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
9/25/2010 12:30:29 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
9/24/2010 8:12:46 PM, error: Rasman [20063] - Remote Access Connection Manager failed to start because the Point to Point Protocol failed to initialize. Insufficient system resources exist to complete the requested service.
9/24/2010 8:07:50 PM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC000009A' while processing the file 'CFG.INI' on the volume 'HarddiskVolume2'. It has stopped monitoring the volume.
9/24/2010 8:07:50 PM, error: Service Control Manager [7000] - The Application Layer Gateway Service service failed to start due to the following error: Insufficient system resources exist to complete the requested service.
9/24/2010 7:44:48 PM, error: Service Control Manager [7023] - The Workstation service terminated with the following error: Insufficient system resources exist to complete the requested service.
9/24/2010 7:44:48 PM, error: Service Control Manager [7001] - The Computer Browser service depends on the Workstation service which failed to start because of the following error: Insufficient system resources exist to complete the requested service.
9/24/2010 7:44:13 PM, error: Workstation [3113] - Initialization failed because the requested service redirector could not be started.
9/23/2010 5:02:59 PM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC000009A' while processing the file 'setup.ini' on the volume 'HarddiskVolume2'. It has stopped monitoring the volume.
9/23/2010 12:56:58 PM, error: Srv [2020] - The server was unable to allocate from the system paged pool because the pool was empty.
9/23/2010 12:56:24 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Windows User Mode Driver Framework service to connect.
9/23/2010 12:56:24 PM, error: Service Control Manager [7000] - The Windows User Mode Driver Framework service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
9/22/2010 10:43:14 AM, error: Ntfs [55] - The file system structure on the disk is corrupt and unusable. Please run the chkdsk utility on the volume C:.
9/22/2010 10:43:14 AM, error: Application Popup [877] - There was error [DATABASE OPEN FAILED] processing the driver database.
9/22/2010 10:40:06 AM, error: Server [2505] - The server could not bind to the transport \Device\NetBT_Tcpip_{E14E0BBD-CAEC-461F-B370-A51AF96374C9} because another computer on the network has the same name. The server could not start.
9/22/2010 10:40:05 AM, error: Server [2505] - The server could not bind to the transport \Device\NetbiosSmb because another computer on the network has the same name. The server could not start.
9/19/2010 5:38:02 PM, error: Service Control Manager [7000] - The Application Layer Gateway Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
9/19/2010 5:38:01 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Application Layer Gateway Service service to connect.
9/19/2010 5:23:43 PM, error: W32Time [17] - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 15 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)
9/18/2010 1:35:50 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: PCIIde
9/18/2010 1:10:08 PM, error: Service Control Manager [7001] - The SSDP Discovery Service service depends on the HTTP service which failed to start because of the following error: Not enough storage is available to process this command.
9/18/2010 1:10:08 PM, error: Service Control Manager [7000] - The HTTP service failed to start due to the following error: Not enough storage is available to process this command.
9/18/2010 1:09:24 PM, error: Ftdisk [49] - Configuring the Page file for crash dump failed. Make sure there is a page file on the boot partition and that is large enough to contain all physical memory.
9/18/2010 1:09:24 PM, error: Ftdisk [45] - The system could not sucessfully load the crash dump driver.

==== End Of File ===========================


I'm sorry you had to wait so long for assistance. We are very short handed at the moment.

Please download ComboFix by sUBs

· You must download it to and run it from your Desktop

· Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix

· Double click combofix.exe & follow the prompts.

· Now when you click on the Combofix icon to run it you may get a security warning because Combofix does not have a digital signature. It will ask if you want to run the program, click Yes.

ComboFix will back up the registry and then attempt to detect whether you have the Windows Recovery Console installed. If you don't have it, it will ask if you want it installed. This isn't really necessary, so just say no and have it go on and do its scan.

This can take a while, so please be patient. If you see your Windows desktop disappear, do not worry. This is normal and ComboFix will restore your desktop before it is finished. Eventually you will see a new screen that states the program is almost finished and tells you the program's log file, or report, will be located at C:\ComboFix.txt.

Note:
Do not mouse-click combofix's window while it is running. That may cause it to stall.

Post back with that Combofix log.

Edited by jholland1964: n/a


Thank you, no need at all to apologize.
ComboFix log:
ComboFix 10-09-27.05 - HP_Owner 09/28/2010 20:10:20.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1023.806 [GMT -4:00]
Running from: c:\documents and settings\HP_Owner\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\HP_Owner\Start Menu\Programs\Startup\chkntfs.exe
c:\windows\system32\spool\prtprocs\w32x86\TMPROCES.DLL
c:\windows\viassary-hp.reg
D:\Autorun.inf

Infected copy of c:\windows\system32\drivers\termdd.sys was found and disinfected
Restored copy from - Kitty had a snack :p
.
((((((((((((((((((((((((( Files Created from 2010-08-28 to 2010-09-29 )))))))))))))))))))))))))))))))
.

2010-09-26 01:56 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-09-26 01:56 . 2010-09-26 01:56 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-09-26 01:56 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-09-25 18:52 . 2010-09-25 18:52 40840 ----a-w- c:\windows\system32\drivers\ulyltxrf.sys
2010-09-25 17:32 . 2010-09-25 18:57 -------- d-----w- C:\eda6bfaf30e004026a3863102b14
2010-09-25 16:45 . 2010-09-25 16:45 -------- d-----w- c:\windows\system32\wbem\Repository
2010-09-23 16:53 . 2010-09-23 16:53 -------- d-----w- C:\found.000
2010-09-19 22:19 . 2010-09-19 22:19 -------- d-----w- c:\documents and settings\NetworkService\Application Data\AdobeUM
2010-09-19 22:19 . 2010-09-19 22:19 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-09-19 18:58 . 2010-09-07 14:52 165584 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-09-19 18:58 . 2010-09-07 14:47 17744 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-09-19 18:58 . 2010-09-07 14:47 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-09-19 18:58 . 2010-09-07 14:52 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-09-19 18:58 . 2010-09-07 14:47 100176 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2010-09-19 18:58 . 2010-09-07 14:47 94544 ----a-w- c:\windows\system32\drivers\aswmon.sys
2010-09-19 18:58 . 2010-09-07 14:46 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2010-09-19 18:58 . 2010-09-07 15:12 38848 ----a-w- c:\windows\avastSS.scr
2010-09-19 18:58 . 2010-09-07 15:11 167592 ----a-w- c:\windows\system32\aswBoot.exe
2010-09-19 18:57 . 2010-09-19 18:57 -------- d-----w- c:\program files\Alwil Software
2010-09-19 18:57 . 2010-09-19 18:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
2010-09-19 18:36 . 2004-08-04 11:00 185344 ----a-w- c:\windows\system32\Thawbrkr.dll
2010-09-19 18:36 . 2004-08-04 11:00 185344 ----a-w- c:\windows\system32\dllcache\thawbrkr.dll
2010-09-19 18:36 . 2004-08-04 11:00 19456 ----a-w- c:\windows\system32\dllcache\agt0401.dll
2010-09-19 18:36 . 2004-08-04 11:00 10752 ----a-w- c:\windows\system32\dllcache\c_iscii.dll
2010-09-19 18:36 . 2004-08-04 11:00 10752 ----a-w- c:\windows\system32\c_iscii.dll
2010-09-19 18:36 . 2004-08-04 11:00 5632 ----a-w- c:\windows\system32\kbdusa.dll
2010-09-19 18:36 . 2004-08-04 11:00 5632 ----a-w- c:\windows\system32\dllcache\kbdusa.dll
2010-09-19 18:36 . 2004-08-04 11:00 19456 ----a-w- c:\windows\system32\dllcache\agt040d.dll
2010-09-19 18:36 . 2004-08-04 11:00 6144 ----a-w- c:\windows\system32\ftlx041e.dll
2010-09-19 18:36 . 2004-08-04 11:00 6144 ----a-w- c:\windows\system32\dllcache\ftlx041e.dll
2010-09-19 15:50 . 2010-09-19 15:54 20798256 ----a-w- c:\documents and settings\HP_Owner\Application Data\Adobe\Acrobat\6.0\Updater\AdbeRdr70_enu_full.exe
2010-09-18 15:52 . 2010-09-18 15:52 -------- d-----w- c:\documents and settings\HP_Owner\Application Data\Malwarebytes
2010-09-18 15:51 . 2010-09-18 15:51 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-09-11 18:48 . 2010-09-12 02:12 -------- d-----w- C:\a7a6885ce1d2ac0bd6a252201230aedd
2010-09-11 01:32 . 2010-09-25 18:57 -------- d-----w- c:\windows\system32\MpEngineStore
2010-09-04 17:33 . 2010-09-18 19:06 -------- d-s---w- c:\documents and settings\NetworkService\UserData

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-29 00:20 . 2010-09-29 00:20 3645 ----a-w- c:\windows\viassary-hp.reg
2010-09-26 22:13 . 2010-03-27 18:03 -------- d-----w- c:\program files\e-Range
2010-09-25 20:31 . 2010-08-29 17:21 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-09-25 19:12 . 2006-08-08 15:10 222432 ----a-w- c:\documents and settings\HP_Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-09-25 19:07 . 2005-02-26 15:21 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-09-19 15:50 . 2006-08-23 17:39 -------- d-----w- c:\documents and settings\HP_Owner\Application Data\AdobeUM
2010-09-18 17:33 . 2008-09-27 19:44 -------- d-----w- c:\documents and settings\HP_Owner\Application Data\Ogbu
2010-09-18 17:33 . 2007-12-18 12:39 -------- d-----w- c:\documents and settings\HP_Owner\Application Data\Lusiuf
2010-09-05 16:35 . 2006-08-27 15:30 4272 ----a-w- c:\documents and settings\HP_Owner\Application Data\wklnhst.dat
2010-08-01 17:29 . 2010-08-01 17:29 -------- d-----w- c:\documents and settings\HP_Owner\Application Data\Image Zone Express
2010-08-01 17:29 . 2010-03-27 19:44 -------- d-----w- c:\documents and settings\HP_Owner\Application Data\HP
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Java\j2re1.4.2_03\bin\jusched.exe" [2005-02-26 32881]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-11-02 126976]
"AGRSMMSG"="AGRSMMSG.exe" [2004-06-29 88363]
"HPHUPD06"="c:\program files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe" [2004-06-07 49152]
"HPHmon06"="c:\windows\system32\hphmon06.exe" [2004-06-07 659456]
"KBD"="c:\hp\KBD\KBD.EXE" [2003-02-11 61440]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2004-10-14 278528]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2004-04-14 233472]
"LSBWatcher"="c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe" [2004-10-14 253952]
"Reminder"="c:\windows\Creator\Remind_XP.exe" [2004-12-14 663552]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2004-05-12 241664]
"AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 57344]
"PS2"="c:\windows\system32\ps2.exe" [2004-10-25 90112]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2005-02-26 98304]

c:\documents and settings\HP_Owner\Start Menu\Programs\Startup\
HP Organize.lnk - c:\program files\Hewlett-Packard\HP Organize\bin\displayAgent.exe [2005-2-26 36864]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-2-19 288472]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Updates from HP\\309731\\Program\\Updates from HP.exe"=

R2 EPSON TM Parallel Port Driver;EPSON TM Parallel Port Driver;c:\windows\system32\drivers\tmlpt.sys [1/20/2010 7:28 PM 18696]
R2 EpsonPuras;Epson Puras Service;c:\program files\epson\EPuras\EPuras.exe [1/20/2010 7:28 PM 376832]
R2 EpsonPurasLog;Epson Puras Log Service;c:\program files\epson\EPuras\EPurasLog.exe [1/20/2010 7:28 PM 176128]
R2 Esdpdx01;Esdpdx01;c:\windows\system32\drivers\ESDPDX01.SYS [1/19/2003 95449]
R3 DS2490;DS2490 (USB Host for 1-Wire Network);c:\windows\system32\drivers\DS2490.sys [3/27/2010 4:01 PM 58852]
R3 EloBus;Elobus Filter Driver;c:\windows\system32\drivers\EloBus.sys [3/27/2010 3:50 PM 14848]
R3 EloSer;Elo Serial Driver;c:\windows\system32\drivers\EloSer.Sys [3/27/2010 3:50 PM 47104]
R3 TD3004F60v;TD3004F60v;c:\windows\system32\drivers\TD3004F60v.sys [5/25/2010 10:39 PM 15174]
.
.
------- Supplementary Scan -------
.
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q105&bd=pavilion&pf=desktop
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q105&bd=pavilion&pf=desktop
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q105&bd=pavilion&pf=desktop
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
DPF: {9F3B4DE4-AA29-11D1-A3D9-FDA4E35D1D25} - hxxp://192.168.0.3/io.cab
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-DXDllRegExe - c:\windows\system32\dxdllreg.exe
ShellExecuteHooks-{FA010552-4A27-4cb1-A1BB-3E2D697F1639} - (no file)
AddRemove-EloTouchscreen - c:\program files\elotouchsystems\EloSetup

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-09-28 20:20
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\windows\system32\SoftwareDistribution
c:\windows\system32\wuapi.dll.mui 15064 bytes executable
c:\windows\system32\wuauclt.exe.wusetup.177406.bak 111104 bytes executable
c:\windows\system32\wuaucpl.cpl.mui 15072 bytes executable
c:\windows\system32\wuaucpl.cpl.wusetup.180234.bak 162304 bytes executable
c:\windows\system32\wuaueng.dll.mui 17632 bytes executable
c:\windows\system32\wuaueng.dll.wusetup.182906.bak 1134592 bytes executable
c:\windows\system32\wucltui.dll.mui 21728 bytes executable
c:\windows\system32\wups2.dll 44768 bytes executable

scan completed successfully
hidden files: 9

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3284)
c:\docume~1\HP_Owner\LOCALS~1\Temp\IadHide5.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\EloSrvce.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\EloDkMon.exe
c:\windows\system32\EloTTray.exe
c:\windows\system32\wdfmgr.exe
c:\windows\AGRSMMSG.exe
c:\windows\ALCXMNTR.EXE
c:\program files\Updates from HP\309731\Program\Updates from HP.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\wscntfy.exe
c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe
c:\windows\system32\HPZipm12.exe
.
**************************************************************************
.
Completion time: 2010-09-28 20:25:06 - machine was rebooted
ComboFix-quarantined-files.txt 2010-09-29 00:25

Pre-Run: 71,180,365,824 bytes free
Post-Run: 72,691,019,776 bytes free

- - End Of File - - 9A7405BB00655D7E1901382BB6567D02

0

Please download and run this program:
http://www.sophos.com/products/free-tools/sophos-anti-rootkit.html
You actually have to register to use it, but the program is free. Be sure NOT to put a check mark in the box which says "I am interested in a home version of this product."
* Double-click sar_15_sfx.exe to begin the installation, read the license agreement and click Accept.
* Allow the default location of C:\Program Files\Sophos\Sophos Anti-Rootkit and click Install.
* A message will appear "Sophos Anti-Rootkit was successfully installed. Click 'yes' to start it now".
* Click Yes and allow the driver and its randomly named .tmp file (i.e. F.tmp) to load if asked.
* If the scan did not start automatically, make sure the following are checked:
  o Running processes
  o Windows Registry
  o Local Hard Drives
* Click Start scan.
* Sophos Anti-Rootkit will scan the selected areas and display any suspicious files in the upper panel.
* When the scan is complete, a pop-up screen will appear with "Rootkit Scan Results". Click OK to continue.
* Click on the suspicious file to display more information about it in the lower panel which also includes whether the item is recommended for removal.
  o Files tagged as Removable: No are not marked for removal and cannot be removed.
  o Files tagged as Removable: Yes (clean up recommended) are marked for removal by default.
  o Files tagged as Removable: Yes (but clean up not recommended) are not marked for removal because Sophos did not recognize them. These files will require further investigation.
* Select only items recommended for removal, then click "Clean up checked items". You will be asked to confirm, click Yes.
* A pop up window will appear advising the cleanup will finish when you restart your computer. Click Restart Now.
* After reboot, a dialog box displays the files you selected for removal and the action taken.
* Click Empty list and then click Continue to re-scan your computer a second time to ensure everything was cleaned.
* When done, go to Start > Run and type or copy/paste: %temp%\sarscan.log
* This should open the log from the rootkit scan. Please post this log in your next reply. If you have a problem, you can find sarscan.log in C:\Documents and Settings\<username>\Local Settings\Temp\.

0

Sophos found two items, neither recommended for removal.
Here's the log:

Sophos Anti-Rootkit Version 1.5.4 (c) 2009 Sophos Plc
Started logging on 9/29/2010 at 14:59:47 PM
User "HP_Owner" on computer "BACKOFFICE"
Windows version 5.1 SP 2.0 Service Pack 2 build 2600 SM=0x300 PT=0x1 Win32
Info: Starting process scan.
Info: Starting registry scan.
Info: Starting disk scan of C: (NTFS).
Hidden: file C:\Documents and Settings\HP_Owner\Local Settings\Temporary Internet Files\Content.IE5\WUATXP2R\=1285720075&ga_hid=819213813&ga_fc=1&u_tz=-240&u_his=1&u_java=1&u_h=768&u_w=1024&u_ah=734&u_aw=1024&u_cd=32&u_nplug=0&u_nmime=0&biw=975&bih=586&fu=0&ifi=1&dtd=203
Hidden: file C:\Documents and Settings\HP_Owner\Local Settings\Temporary Internet Files\Content.IE5\LPEOAWCY\=1285786607&ga_hid=2083399947&ga_fc=1&u_tz=-240&u_his=1&u_java=1&u_h=768&u_w=1024&u_ah=734&u_aw=1024&u_cd=32&u_nplug=0&u_nmime=0&biw=975&bih=586&fu=0&ifi=1&dtd=78
Info: Starting disk scan of D: (FAT).
Stopped logging on 9/29/2010 at 15:15:07 PM

0

Please download Malwarebytes' Anti-Malware (MBA-M) to your Desktop.

* DoubleClick mbam-setup.exe and follow the prompts to install MBA-M.
* Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform full scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When MBA-M finishes, Notepad will open with the log. Please save it where you can find it easily. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt.

REBOOT after running MBA-M!

Post back here with that log.

0

OK, Mbam ran successfully this time, here's the log ...
Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4724

Windows 5.1.2600 Service Pack 2
Internet Explorer 6.0.2900.2180

9/30/2010 2:04:15 PM
mbam-log-2010-09-30 (14-04-15).txt

Scan type: Full scan (C:\|D:\|)
Objects scanned: 206624
Time elapsed: 37 minute(s), 3 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

0

By normal do you mean not with Windows/OS in "safe" mode? If so, yes, full scan.

0

By normal I mean everything working correctly: surfing is normal, computer boots OK, no freezes, errors, etc. All programs work as they should.
Have you downloaded and installed a new copy of Avast and done a full scan with it? That would be the next thing to do.

0

So far everything seems to be OK. Had a couple of glitches: the suspicious driver file found early in the cleaning process was actually a critical component for my thermal receipt printer; I finally have a good working driver installed for it and running correctly. One of my other programs on start-up has Windows Installer trying to install my Print Shop program into it during the program load; a second load attempt clears that out. I'll have to un/reinstall both of those. I'll reinstall Avast and run it. Hoping to fully replace the hardware and update the software by the beginning of next season (can't update or upgrade the software I'm running without new computers). Present stuff HAS to run on IE 5 and XP without MS Update installed! Decrepit to say the least. lol. Thank you much for your help, and I will post back after doing a run with Avast.

0

Just be VERY aware that because you are running an out-of-date computer and browser and must use it without the security updates installed, you are most definitely at a much GREATER RISK for problems like these as time passes, and at an extremely great risk of having a fatal crash and losing everything you have on there. Not really sure why you cannot update the software without a new computer; can you explain that better? Is it due to hard drive size or what?
