
Secdrv


9 replies to this topic

#1 jamez7

Posted 27 January 2009 - 08:27 PM

I'm new here & would like to say "thank you" in advance for any help you can provide. I recently found 'secdrv' in my computer & was informed this is a rootkit & it needs to be removed. I posted this message previously but didn't include the dds.txt report. I am now including that report as well as the attach.txt file. Please help me remove this from my computer. Thanks again.


DDS (Ver_09-01-19.01) - NTFSx86
Run by Owner at 14:31:55.23 on Sat 01/24/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.247.17 [GMT -7:00]

AV: avast! antivirus 4.8.1296 [VPS 090124-0] *On-access scanning disabled* (Updated)
AV: Norton AntiVirus *On-access scanning disabled* (Outdated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Softex\OmniPass\Omniserv.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Softex\OmniPass\OPXPApp.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\ThreatFire\TFTray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\HighCriteria\TotalRecorder\TotRecSched.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\ctfmon.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe
C:\Program Files\interMute\SpamSubtract\SpamSubtract.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\2JFB5FFF\autoruns[1].exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Owner\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearch Bar = hxxp://srch-qus8.hpwis.com/
uInternet Settings,ProxyOverride = localhost;*.local
mWinlogon: Userinit=c:\windows\system32\userinit.exe
BHO: Yahoo! Companion BHO: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\common\ycomp5,1,1,0.dll
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\smart web printing\hpswp_printenhancer.dll
BHO: HP Print Clips: {053f9267-dc04-4294-a72c-58f732d338c0} - c:\program files\hp\smart web printing\hpswp_framework.dll
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 5.0\reader\activex\AcroIEHelper.ocx
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: CNavExtBho Class: {bdf3e430-b101-42ad-a544-fadc6b084872} - c:\program files\norton antivirus\NavShExt.dll
TB: Norton AntiVirus: {42cdd1bf-3ffb-4238-8ad1-7859df00b1d6} - c:\program files\norton antivirus\NavShExt.dll
TB: &Yahoo! Companion: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\common\ycomp5,1,1,0.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
uRun: [Uniblue RegistryBooster 2] c:\program files\uniblue\registrybooster 2\RegistryBooster.exe /S
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [hpsysdrv] c:\windows\system\hpsysdrv.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [KBD] c:\hp\kbd\KBD.EXE
mRun: [StorageGuard] "c:\program files\common files\sonic\update manager\sgtray.exe" /r
mRun: [Recguard] c:\windows\sminst\RECGUARD.EXE
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [ccRegVfy] "c:\program files\common files\symantec shared\ccRegVfy.exe"
mRun: [Reminder] "c:\windows\creator\Remind_XP.exe"
mRun: [PS2] c:\windows\system32\ps2.exe
mRun: [ThreatFire] c:\program files\threatfire\TFTray.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
mRun: [TotalRecorderScheduler] "c:\program files\highcriteria\totalrecorder\TotRecSched.exe"
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
StartupFolder: c:\docume~1\owner\startm~1\programs\startup\spamsu~1.lnk - c:\program files\intermute\spamsubtract\SpamSubtract.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\compaq~1.lnk - c:\program files\compaq connections\1940576\program\BackWeb-1940576.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\autoru~1\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\autoru~1\quicke~1.lnk - c:\program files\quicken\bagent.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {58ECB495-38F0-49cb-A538-10282ABF65E7} - {E763472E-A716-4CD9-89BD-DBDA6122F741} - c:\program files\hp\smart web printing\hpswp_extensions.dll
IE: {700259D7-1666-479a-93B1-3250410481E8} - {A93C41D8-01F8-4F8B-B14C-DE20B117E636} - c:\program files\hp\smart web printing\hpswp_extensions.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
LSP: SpSubLSP.dll
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1227677951796
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1230414462406
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
DPF: {D821DC4A-0814-435E-9820-661C543A4679} - hxxp://drmlicense.one.microsoft.com/crlupdate/en/crlocx.ocx
Notify: igfxcui - igfxsrvc.dll
Notify: OPXPGina - c:\program files\softex\omnipass\opxpgina.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-1-14 111184]
R3 ATIDACXX;ATI DTV Wonder Analog Audio Capture Device;c:\windows\system32\drivers\atidacxx.sys [2007-9-23 12800]
R3 ATIDDCXX;ATI DTV Wonder Digital BDA Capture Device;c:\windows\system32\drivers\atiddcxx.sys [2005-9-26 10112]
R3 ATIDTUXX;ATI DTV Wonder Digital And Analog Tuner Device;c:\windows\system32\drivers\atidtuxx.sys [2005-9-26 44544]
R3 ATIDVCXX;ATI DTV Wonder Analog AV Capture Device;c:\windows\system32\drivers\atidvcxx.sys [2005-9-26 201472]
R3 ATIDXBXX;ATI DTV Wonder Analog AV Crossbar Device;c:\windows\system32\drivers\atidxbxx.sys [2005-9-26 9728]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast4\ashMaiSv.exe [2009-1-14 254040]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast4\ashWebSv.exe [2009-1-14 352920]
R3 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2002-11-13 317128]
R4 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-1-14 20560]
R4 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2009-1-14 155160]
R4 SAVRTPEL;SAVRTPEL;c:\windows\system32\drivers\SAVRTPEL.SYS [2008-11-26 35552]
S3 ccPwdSvc;Symantec Password Validation Service;c:\program files\common files\symantec shared\ccPwdSvc.exe [2002-11-15 100032]
S3 navapsvc;Norton AntiVirus Auto Protect Service;c:\program files\norton antivirus\Navapsvc.exe [2002-11-15 116336]
S3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20081119.017\NAVENG.Sys [2008-11-26 89104]
S3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20081119.017\NavEx15.Sys [2008-11-26 876112]
S3 SAVRT;SAVRT;c:\windows\system32\drivers\SAVRT.SYS [2008-11-26 235744]
S4 mrtRate;mrtRate; [x]

=============== Created Last 30 ================

2009-01-15 22:00 <DIR> --d----- C:\temp
2009-01-15 21:36 695,296 a------- c:\windows\system32\SET39.tmp
2009-01-15 19:52 <DIR> --d----- c:\program files\CCleaner
2009-01-13 22:34 <DIR> --d----- c:\docume~1\owner\applic~1\Malwarebytes
2009-01-13 22:34 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-01-13 22:34 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-13 22:34 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-01-13 22:34 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-01-07 22:55 23,392 a------- c:\windows\system32\nscompat.tlb
2009-01-07 22:55 16,832 a------- c:\windows\system32\amcompat.tlb
2009-01-04 16:05 <DIR> --d----- c:\program files\common files\Real
2009-01-04 16:00 <DIR> --d----- c:\program files\Rhapsody
2009-01-04 00:10 421,888 a------- c:\windows\system32\ac3filter.acm
2009-01-04 00:10 <DIR> --d----- c:\program files\XP Codec Pack
2009-01-03 23:19 120,056 -------- c:\windows\system32\pxcpyi64.exe
2009-01-03 23:19 118,520 -------- c:\windows\system32\pxinsi64.exe
2009-01-03 23:19 129,784 -------- c:\windows\system32\pxafs.dll
2009-01-03 23:08 765,952 a------- c:\windows\system32\xvidcore.dll
2009-01-03 23:08 77,824 a------- c:\windows\system32\xvid.ax
2009-01-03 23:08 180,224 a------- c:\windows\system32\xvidvfw.dll
2009-01-03 23:08 <DIR> --d----- c:\program files\Xvid
2008-12-28 02:19 27,496 a------- c:\windows\system32\mucltui.dll.mui
2008-12-28 02:19 268,648 a------- c:\windows\system32\mucltui.dll

==================== Find3M ====================

2008-12-23 19:13 139,759 a------- c:\windows\hpoins15.dat
2008-12-19 08:15 4,338,246 a------- c:\windows\system32\libavcodec.dll
2008-12-17 10:41 884,237 a------- c:\windows\system32\ff_x264.dll
2008-12-17 10:22 93,184 a------- c:\windows\system32\ff_wmv9.dll
2008-12-17 10:22 57,344 a------- c:\windows\system32\ff_vfw.dll
2008-12-17 10:17 239,247 a------- c:\windows\system32\ff_theora.dll
2008-12-17 09:59 560,802 a------- c:\windows\system32\libmplayer.dll
2008-12-11 03:57 333,952 a------- c:\windows\system32\drivers\srv.sys
2008-12-08 23:00 81,151 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2008-12-08 22:52 420,432 a------- c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\presario\xphnars3en\plugin\bin\pchplugin.zip
2008-12-08 22:52 49,152 a------- c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\presario\xphnars3en\plugin\bin\PCHI18N.dll
2008-12-08 22:52 106,496 a------- c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\presario\xphnars3en\plugin\bin\PluginCtrl.dll
2008-12-08 22:52 77,824 a------- c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\presario\xphnars3en\plugin\bin\WinVerifyTrust.dll
2008-12-08 22:51 159,744 a------- c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\presario\xphnars3en\plugin\bin\PCHButton.exe
2008-12-08 22:51 122,880 a------- c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\presario\xphnars3en\plugin\bin\SearchCtrl.dll
2008-12-08 22:51 126,976 a------- c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\presario\xphnars3en\plugin\bin\ContentUpdater.exe
2008-12-08 22:51 1,306,152 a------- c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\presario\xphnars3en\plugin\bin\motdeusr.zip
2008-11-29 13:26 991,232 a------- c:\windows\system32\VSFilter.dll
2008-11-26 10:31 2,678 a------- c:\windows\java\packages\data\A7LBDRT7.DAT
2008-11-26 10:31 2,678 a------- c:\windows\java\packages\data\V5N3R5NV.DAT
2008-11-26 10:31 2,678 a------- c:\windows\java\packages\data\OP375BLJ.DAT
2008-11-26 10:31 2,678 a------- c:\windows\java\packages\data\U0Y80B5Z.DAT
2008-11-26 10:31 2,678 a------- c:\windows\java\packages\data\P3HRJX33.DAT
2008-11-21 14:47 524,288 a------- c:\windows\system32\DivXsm.exe
2008-11-21 14:47 3,596,288 a------- c:\windows\system32\qt-dx331.dll
2008-11-21 14:46 1,044,480 a------- c:\windows\system32\libdivx.dll
2008-11-21 14:46 200,704 a------- c:\windows\system32\ssldivx.dll
2008-11-21 14:44 161,096 a------- c:\windows\system32\DivXCodecVersionChecker.exe
2008-11-21 14:44 12,288 a------- c:\windows\system32\DivXWMPExtType.dll
2003-08-27 14:19 36,963 ac---r-- c:\program files\common files\SM1updtr.dll
2003-05-28 17:12 20,480 ac------ c:\program files\UPGRADE ANY VERSION OF MUSICMATCH JUKEBOX This One Works.doc
2003-05-28 17:03 10,083,328 ac------ c:\program files\MusicMatch Jukebox 8.0.exe
2003-04-10 03:51 32 a--sh--- c:\windows\{DA550BF1-5AE0-4007-B9B0-C9FF520E8090}.dat
2007-12-17 17:46 428,957 a--sh--- c:\windows\system32\ghhkj.ini2
2003-04-10 03:51 32 ac-sh--- c:\windows\system32\{1BADA6CB-9766-4CB8-9EA3-38879756A4DF}.dat

============= FINISH: 14:33:20.23 ===============
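The "Created Last 30" and "Find3M" sections of a DDS log lend themselves to a first-pass triage before anyone decides what to remove. As an added example (not part of the thread and not a tool DDS ships), here is a small parser that reads lines in that layout and flags the entries a helper would look at first: files carrying both hidden and system attributes, unfamiliar extensions under system32, and kernel drivers under \drivers\, which need a publisher check before anything is acted on. The line layout, the meaning of the attribute letters, and the sample lines below are assumptions taken from the log as posted.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumed line layout for the "Created Last 30" / "Find3M" sections:
#   YYYY-MM-DD HH:MM <size or <DIR>> <8 attribute flags> <path>
# where, in the flag field, 's' marks the system attribute and 'h' hidden.
DDS_LINE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}) "
    r"(?P<size><DIR>|[\d,]+) (?P<attrs>[a-z-]{8}) (?P<path>.+)$"
)

# Extensions one normally expects for files created under system32.
EXPECTED_SYSTEM32_EXT = {"dll", "exe", "sys", "ocx", "ax", "acm", "tlb", "mui", "dat", "cpl"}


@dataclass
class DdsEntry:
    date: str
    size: Optional[int]   # None for directories
    hidden: bool
    system: bool
    is_dir: bool
    path: str             # lower-cased so matching is case-insensitive


def parse_dds_line(line: str) -> Optional[DdsEntry]:
    """Parse one file-list line; return None for lines in any other layout."""
    m = DDS_LINE.match(line.strip())
    if not m:
        return None
    attrs = m.group("attrs")
    is_dir = m.group("size") == "<DIR>"
    size = None if is_dir else int(m.group("size").replace(",", ""))
    return DdsEntry(m.group("date"), size, "h" in attrs, "s" in attrs,
                    is_dir, m.group("path").lower())


def triage(lines) -> Dict[str, List[str]]:
    """Map each flagged path to the list of reasons it deserves a closer look."""
    findings: Dict[str, List[str]] = {}
    for line in lines:
        e = parse_dds_line(line)
        if e is None or e.is_dir:
            continue
        reasons = []
        if e.hidden and e.system:
            reasons.append("hidden+system attributes")
        in_system32 = "\\windows\\system32\\" in e.path
        name = e.path.rsplit("\\", 1)[-1]
        ext = name.rsplit(".", 1)[-1] if "." in name else ""
        if in_system32 and ext not in EXPECTED_SYSTEM32_EXT:
            reasons.append(f"unusual extension '.{ext}' under system32")
        if "\\drivers\\" in e.path and ext == "sys":
            reasons.append("kernel driver: verify publisher/signature before acting")
        if reasons:
            findings[e.path] = reasons
    return findings


# Constructed sample: a handful of lines copied from the log above.
SAMPLE_LINES = [
    r"2009-01-15 21:36 695,296 a------- c:\windows\system32\SET39.tmp",
    r"2009-01-13 22:34 15,504 a------- c:\windows\system32\drivers\mbam.sys",
    r"2009-01-03 23:08 765,952 a------- c:\windows\system32\xvidcore.dll",
    r"2009-01-03 23:19 120,056 -------- c:\windows\system32\pxcpyi64.exe",
    r"2003-04-10 03:51 32 a--sh--- c:\windows\{DA550BF1-5AE0-4007-B9B0-C9FF520E8090}.dat",
    r"2007-12-17 17:46 428,957 a--sh--- c:\windows\system32\ghhkj.ini2",
    r"2009-01-15 22:00 <DIR> --d----- C:\temp",
]

if __name__ == "__main__":
    for path, reasons in triage(SAMPLE_LINES).items():
        print(path)
        for r in reasons:
            print("   -", r)
```

A flag here is a prompt to check the file's publisher and hash, not a verdict; legitimate drivers and installer leftovers trip the same rules.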


#2 KoanYorel

  • Staff Emeritus

Posted 09 February 2009 - 12:15 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a description of your problem, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results, click no to the Optional_Scan
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

R,
K

#3 jamez7

  • Topic Starter


Posted 09 February 2009 - 03:36 PM

Thanks for your reply. I'm including new dds & attach files. Just to give you some background. I ran 'autoruns' & it found secdrv.sys located in C:\Windows\System32\drivers\secdrv.sys & was informed it needs to be removed. I did download different peer to peer programs that seem to coincide with the time I began to have computer issues. Thanks again.


DDS (Ver_09-01-19.01) - NTFSx86
Run by Owner at 12:44:22.90 on Mon 02/09/2009
Internet Explorer: 7.0.5730.13

============== Pseudo HJT Report ===============

uSearch Bar = hxxp://srch-qus8.hpwis.com/
uStart Page = hxxp://login.live.com/login.srf?wa=wsignin1.0&rpsnv=10&ct=1232821757&rver=5.5.4177.0&wp=MBI&wreply=http:%2F%2Fmail.live.com%2Fdefault.aspx%3Fn%3D396507292&id=64855
uInternet Settings,ProxyOverride = localhost;*.local
mWinlogon: Userinit=c:\windows\system32\userinit.exe
BHO: Yahoo! Companion BHO: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\common\ycomp5,1,1,0.dll
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\smart web printing\hpswp_printenhancer.dll
BHO: HP Print Clips: {053f9267-dc04-4294-a72c-58f732d338c0} - c:\program files\hp\smart web printing\hpswp_framework.dll
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 5.0\reader\activex\AcroIEHelper.ocx
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: CNavExtBho Class: {bdf3e430-b101-42ad-a544-fadc6b084872} - c:\program files\norton antivirus\NavShExt.dll
TB: Norton AntiVirus: {42cdd1bf-3ffb-4238-8ad1-7859df00b1d6} - c:\program files\norton antivirus\NavShExt.dll
TB: &Yahoo! Companion: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\common\ycomp5,1,1,0.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
uRun: [Uniblue RegistryBooster 2] c:\program files\uniblue\registrybooster 2\RegistryBooster.exe /S
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [hpsysdrv] c:\windows\system\hpsysdrv.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [KBD] c:\hp\kbd\KBD.EXE
mRun: [StorageGuard] "c:\program files\common files\sonic\update manager\sgtray.exe" /r
mRun: [Recguard] c:\windows\sminst\RECGUARD.EXE
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [ccRegVfy] "c:\program files\common files\symantec shared\ccRegVfy.exe"
mRun: [Reminder] "c:\windows\creator\Remind_XP.exe"
mRun: [PS2] c:\windows\system32\ps2.exe
mRun: [ThreatFire] c:\program files\threatfire\TFTray.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
mRun: [TotalRecorderScheduler] "c:\program files\highcriteria\totalrecorder\TotRecSched.exe"
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {58ECB495-38F0-49cb-A538-10282ABF65E7} - {E763472E-A716-4CD9-89BD-DBDA6122F741} - c:\program files\hp\smart web printing\hpswp_extensions.dll
IE: {700259D7-1666-479a-93B1-3250410481E8} - {A93C41D8-01F8-4F8B-B14C-DE20B117E636} - c:\program files\hp\smart web printing\hpswp_extensions.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
LSP: SpSubLSP.dll
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java
DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} - file:///C:/Program%20Files/SCRABBLE/Images/stg_drm.ocx
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1227677951796
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1230414462406
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
DPF: {D821DC4A-0814-435E-9820-661C543A4679} - hxxp://drmlicense.one.microsoft.com/crlupdate/en/crlocx.ocx
Notify: igfxcui - igfxsrvc.dll
Notify: OPXPGina - c:\program files\softex\omnipass\opxpgina.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============


=============== Created Last 30 ================

2009-02-04 18:53 <DIR> --d----- c:\program files\SCRABBLE
2009-02-04 18:53 <DIR> --d----- c:\docume~1\owner\applic~1\SpinTop
2009-01-15 22:00 <DIR> --d----- C:\temp
2009-01-15 21:36 695,296 a------- c:\windows\system32\SET39.tmp
2009-01-15 19:52 <DIR> --d----- c:\program files\CCleaner
2009-01-13 22:34 <DIR> --d----- c:\docume~1\owner\applic~1\Malwarebytes
2009-01-13 22:34 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-01-13 22:34 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-13 22:34 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-01-13 22:34 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes

==================== Find3M ====================

2008-12-23 19:13 139,759 a------- c:\windows\hpoins15.dat
2008-12-19 08:15 4,338,246 a------- c:\windows\system32\libavcodec.dll
2008-12-17 10:41 884,237 a------- c:\windows\system32\ff_x264.dll
2008-12-17 10:22 93,184 a------- c:\windows\system32\ff_wmv9.dll
2008-12-17 10:22 57,344 a------- c:\windows\system32\ff_vfw.dll
2008-12-17 10:17 239,247 a------- c:\windows\system32\ff_theora.dll
2008-12-17 09:59 560,802 a------- c:\windows\system32\libmplayer.dll
2008-12-08 23:00 81,151 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2008-12-08 22:52 420,432 a------- c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\presario\xphnars3en\plugin\bin\pchplugin.zip
2008-12-08 22:52 49,152 a------- c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\presario\xphnars3en\plugin\bin\PCHI18N.dll
2008-12-08 22:52 106,496 a------- c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\presario\xphnars3en\plugin\bin\PluginCtrl.dll
2008-12-08 22:52 77,824 a------- c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\presario\xphnars3en\plugin\bin\WinVerifyTrust.dll
2008-12-08 22:51 159,744 a------- c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\presario\xphnars3en\plugin\bin\PCHButton.exe
2008-12-08 22:51 122,880 a------- c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\presario\xphnars3en\plugin\bin\SearchCtrl.dll
2008-12-08 22:51 126,976 a------- c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\presario\xphnars3en\plugin\bin\ContentUpdater.exe
2008-12-08 22:51 1,306,152 a------- c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\presario\xphnars3en\plugin\bin\motdeusr.zip
2008-11-29 13:26 991,232 a------- c:\windows\system32\VSFilter.dll
2008-11-26 10:31 2,678 a------- c:\windows\java\packages\data\A7LBDRT7.DAT
2008-11-26 10:31 2,678 a------- c:\windows\java\packages\data\V5N3R5NV.DAT
2008-11-26 10:31 2,678 a------- c:\windows\java\packages\data\OP375BLJ.DAT
2008-11-26 10:31 2,678 a------- c:\windows\java\packages\data\U0Y80B5Z.DAT
2008-11-26 10:31 2,678 a------- c:\windows\java\packages\data\P3HRJX33.DAT
2008-11-21 14:47 524,288 a------- c:\windows\system32\DivXsm.exe
2008-11-21 14:47 3,596,288 a------- c:\windows\system32\qt-dx331.dll
2008-11-21 14:47 129,784 -------- c:\windows\system32\pxafs.dll
2008-11-21 14:47 120,056 -------- c:\windows\system32\pxcpyi64.exe
2008-11-21 14:47 118,520 -------- c:\windows\system32\pxinsi64.exe
2008-11-21 14:46 1,044,480 a------- c:\windows\system32\libdivx.dll
2008-11-21 14:46 200,704 a------- c:\windows\system32\ssldivx.dll
2008-11-21 14:44 161,096 a------- c:\windows\system32\DivXCodecVersionChecker.exe
2008-11-21 14:44 12,288 a------- c:\windows\system32\DivXWMPExtType.dll
2003-08-27 14:19 36,963 ac---r-- c:\program files\common files\SM1updtr.dll
2003-05-28 17:12 20,480 ac------ c:\program files\UPGRADE ANY VERSION OF MUSICMATCH JUKEBOX This One Works.doc
2003-05-28 17:03 10,083,328 ac------ c:\program files\MusicMatch Jukebox 8.0.exe
2003-04-10 03:51 32 a--sh--- c:\windows\{DA550BF1-5AE0-4007-B9B0-C9FF520E8090}.dat
2007-12-17 17:46 428,957 a--sh--- c:\windows\system32\ghhkj.ini2
2003-04-10 03:51 32 ac-sh--- c:\windows\system32\{1BADA6CB-9766-4CB8-9EA3-38879756A4DF}.dat

============= FINISH: 12:47:46.71 ===============

#4 extremeboy

  • Malware Response Team

Posted 09 February 2009 - 08:48 PM

Hello.

I do see some entries we need to remove. A few more scans please, also what problems do you currently have?

Download and run MalwareBytes Anti-Malware

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
  • Make sure you are connected to the Internet.
  • Double-click on Download_mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Quick Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

For complete or visual instructions on installing and running Malwarebytes Anti-Malware please read this link

Run ESET Online Scan
  • Please disable your realtime protection software before proceeding. Refer to this page if you are unsure how.
  • Please go to ESET OnlineScan (NOD32)
  • You will then see the Terms of Use, tick the check-box in front of YES, I accept the Terms of Use
  • Now click Start. If you see a "Security Warning" that asks if you want to install and run a file called "OnlineScanner.cab", click Yes.
  • Click Start. The online scanner will now prepare itself for running on your pc.
  • To do a full-scan, tick: Remove found threats and Scan potentially unwanted applications.
  • Press Scan. The Onlinescan will now start and scan your computer. Please be patient as this takes a while.
  • When the scan has finished, it will show a screen with two tabs "overview" and "details" and the option to get information or buy software, just close the window.
  • Click Start, then Run.... In the box that appears, type with the quotes:
    "C:\Program Files\EsetOnlineScanner\log.txt"
  • The scan results will now open in Notepad
  • Click into the text area, right-click and choose Select All. Right-click again and choose Copy.
  • Post back with the log.txt in your next reply.
Note: For Vista Users: Eset is compatible but Internet Explorer must be run as Administrator. To do this, right-click on the IE icon in the Start Menu or Quick Launch Bar on the Taskbar and select "Run as Administrator" from the context menu.

Post back with:
-MBAM log
-ESET Scan log
-What problems do you have?


With Regards,
Extremeboy

#5 jamez7

  • Topic Starter


Posted 11 February 2009 - 11:01 AM

Thanks for your response. I've included the mbam & eset scanlogs. The main issue I'm currently having is that my computer has been running slow & sometimes freezes or shuts down, also any time I try to watch video in full screen it shuts down the program whether I'm watching netflix or Windows Media Player.





Malwarebytes' Anti-Malware 1.33
Database version: 1744
Windows 5.1.2600 Service Pack 3

2/10/2009 4:34:47 PM
mbam-log-2009-02-10 (16-34-47).txt

Scan type: Quick Scan
Objects scanned: 50469
Time elapsed: 21 minute(s), 10 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

# version=4
# OnlineScanner.ocx=1.0.0.635
# OnlineScannerDLLA.dll=1, 0, 0, 79
# OnlineScannerDLLW.dll=1, 0, 0, 78
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=3843 (20090210)
# vers_arch_module=1.064 (20080214)
# vers_adv_heur_module=1.066 (20070917)
# EOSSerial=6012830ffbba4a45b37d5e426e44c420
# end=finished
# remove_checked=true
# unwanted_checked=true
# utc_time=2009-02-11 03:25:10
# local_time=2009-02-10 08:25:10 (-0700, Mountain Standard Time)
# country="United States"
# osver=5.1.2600 NT Service Pack 3
# scanned=407170
# found=0
# scan_time=12173

#6 extremeboy (Malware Response Team)

Posted 11 February 2009 - 04:18 PM

Hello.

Those scans look clean it seems. Post back with the DDS logs again. Re-run it and post the results.

With Regards,
Extremeboy

#7 jamez7 (Topic Starter)

Posted 12 February 2009 - 09:33 PM

I've included the dds logs again. I'm glad to hear you don't see anything wrong, I was just worried about that secdrv. Thanks.

DDS (Ver_09-02-01.01) - NTFSx86
Run by Owner at 18:28:33.04 on Thu 02/12/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.247.19 [GMT -7:00]

AV: avast! antivirus 4.8.1296 [VPS 090212-0] *On-access scanning disabled* (Updated)
AV: Norton AntiVirus *On-access scanning disabled* (Outdated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Softex\OmniPass\Omniserv.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Softex\OmniPass\OPXPApp.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\ThreatFire\TFTray.exe
C:\Program Files\iTunes\iTunesHelper.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\HighCriteria\TotalRecorder\TotRecSched.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\interMute\SpamSubtract\SpamSubtract.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Adobe\Acrobat 5.0\Reader\AcroRd32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\56I7NRJ5\dds[1].scr

============== Pseudo HJT Report ===============

uSearch Bar = hxxp://srch-qus8.hpwis.com/
uStart Page = hxxp://login.live.com/login.srf?wa=wsignin1.0&rpsnv=10&ct=1232821757&rver=5.5.4177.0&wp=MBI&wreply=http:%2F%2Fmail.live.com%2Fdefault.aspx%3Fn%3D396507292&id=64855
uInternet Settings,ProxyOverride = localhost;*.local
mWinlogon: Userinit=c:\windows\system32\userinit.exe
BHO: Yahoo! Companion BHO: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\common\ycomp5,1,1,0.dll
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\smart web printing\hpswp_printenhancer.dll
BHO: HP Print Clips: {053f9267-dc04-4294-a72c-58f732d338c0} - c:\program files\hp\smart web printing\hpswp_framework.dll
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 5.0\reader\activex\AcroIEHelper.ocx
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: CNavExtBho Class: {bdf3e430-b101-42ad-a544-fadc6b084872} - c:\program files\norton antivirus\NavShExt.dll
TB: Norton AntiVirus: {42cdd1bf-3ffb-4238-8ad1-7859df00b1d6} - c:\program files\norton antivirus\NavShExt.dll
TB: &Yahoo! Companion: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\common\ycomp5,1,1,0.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
uRun: [Uniblue RegistryBooster 2] c:\program files\uniblue\registrybooster 2\RegistryBooster.exe /S
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [hpsysdrv] c:\windows\system\hpsysdrv.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [KBD] c:\hp\kbd\KBD.EXE
mRun: [StorageGuard] "c:\program files\common files\sonic\update manager\sgtray.exe" /r
mRun: [Recguard] c:\windows\sminst\RECGUARD.EXE
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [ccRegVfy] "c:\program files\common files\symantec shared\ccRegVfy.exe"
mRun: [Reminder] "c:\windows\creator\Remind_XP.exe"
mRun: [PS2] c:\windows\system32\ps2.exe
mRun: [ThreatFire] c:\program files\threatfire\TFTray.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
mRun: [TotalRecorderScheduler] "c:\program files\highcriteria\totalrecorder\TotRecSched.exe"
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [Fax Machine]
StartupFolder: c:\docume~1\owner\startm~1\programs\startup\spamsu~1.lnk - c:\program files\intermute\spamsubtract\SpamSubtract.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\compaq~1.lnk - c:\program files\compaq connections\1940576\program\BackWeb-1940576.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\winzip~1.lnk - c:\program files\winzip\WZQKPICK.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\autoru~1\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\autoru~1\quicke~1.lnk - c:\program files\quicken\bagent.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {58ECB495-38F0-49cb-A538-10282ABF65E7} - {E763472E-A716-4CD9-89BD-DBDA6122F741} - c:\program files\hp\smart web printing\hpswp_extensions.dll
IE: {700259D7-1666-479a-93B1-3250410481E8} - {A93C41D8-01F8-4F8B-B14C-DE20B117E636} - c:\program files\hp\smart web printing\hpswp_extensions.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
LSP: SpSubLSP.dll
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java
DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} - file:///C:/Program%20Files/SCRABBLE/Images/stg_drm.ocx
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} - hxxp://www.eset.eu/buxus/docs/OnlineScanner.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1227677951796
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1230414462406
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
DPF: {D821DC4A-0814-435E-9820-661C543A4679} - hxxp://drmlicense.one.microsoft.com/crlupdate/en/crlocx.ocx
Notify: igfxcui - igfxsrvc.dll
Notify: OPXPGina - c:\program files\softex\omnipass\opxpgina.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-1-14 111184]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-1-14 20560]
R2 SAVRTPEL;SAVRTPEL;c:\windows\system32\drivers\SAVRTPEL.SYS [2008-11-26 35552]
R3 ATIDACXX;ATI DTV Wonder Analog Audio Capture Device;c:\windows\system32\drivers\atidacxx.sys [2007-9-23 12800]
R3 ATIDDCXX;ATI DTV Wonder Digital BDA Capture Device;c:\windows\system32\drivers\atiddcxx.sys [2005-9-26 10112]
R3 ATIDTUXX;ATI DTV Wonder Digital And Analog Tuner Device;c:\windows\system32\drivers\atidtuxx.sys [2005-9-26 44544]
R3 ATIDVCXX;ATI DTV Wonder Analog AV Capture Device;c:\windows\system32\drivers\atidvcxx.sys [2005-9-26 201472]
R3 ATIDXBXX;ATI DTV Wonder Analog AV Crossbar Device;c:\windows\system32\drivers\atidxbxx.sys [2005-9-26 9728]
S2 mrtRate;mrtRate; [x]
S3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20081119.017\NAVENG.Sys [2008-11-26 89104]
S3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20081119.017\NavEx15.Sys [2008-11-26 876112]
S3 SAVRT;SAVRT;c:\windows\system32\drivers\SAVRT.SYS [2008-11-26 235744]

=============== Created Last 30 ================

2009-02-12 15:48 <DIR> --d----- c:\docume~1\owner\applic~1\Stamps.com Internet Postage
2009-02-12 15:44 <DIR> --d----- c:\docume~1\alluse~1\applic~1\{E40FD160-D3F8-4151-96D1-7B73567D4FF3}
2009-02-12 15:42 <DIR> --d----- c:\program files\Stamps.com Internet Postage
2009-02-12 15:42 36 a---h--- c:\windows\system32\f9t.dat
2009-02-11 14:21 0 a------- c:\windows\system32\FaxMan
2009-02-11 14:19 <DIR> --d----- c:\program files\Fax Machine
2009-02-10 16:58 <DIR> --d----- c:\program files\EsetOnlineScanner
2009-02-10 09:04 <DIR> --d----- c:\docume~1\owner\applic~1\Jarte
2009-02-10 09:03 <DIR> --d----- c:\program files\Jarte
2009-02-09 14:18 1,374 a------- c:\windows\imsins.BAK
2009-02-04 18:53 <DIR> --d----- c:\program files\SCRABBLE
2009-02-04 18:53 <DIR> --d----- c:\docume~1\owner\applic~1\SpinTop
2009-01-15 22:00 <DIR> --d----- C:\temp
2009-01-15 21:36 695,296 a------- c:\windows\system32\SET39.tmp
2009-01-15 19:52 <DIR> --d----- c:\program files\CCleaner
2009-01-13 22:34 <DIR> --d----- c:\docume~1\owner\applic~1\Malwarebytes
2009-01-13 22:34 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-01-13 22:34 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-13 22:34 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-01-13 22:34 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes

==================== Find3M ====================

2008-12-23 19:13 139,759 a------- c:\windows\hpoins15.dat
2008-12-20 16:15 826,368 a------- c:\windows\system32\wininet.dll
2008-12-19 08:15 4,338,246 a------- c:\windows\system32\libavcodec.dll
2008-12-17 10:41 884,237 a------- c:\windows\system32\ff_x264.dll
2008-12-17 10:22 93,184 a------- c:\windows\system32\ff_wmv9.dll
2008-12-17 10:22 57,344 a------- c:\windows\system32\ff_vfw.dll
2008-12-17 10:17 239,247 a------- c:\windows\system32\ff_theora.dll
2008-12-17 09:59 560,802 a------- c:\windows\system32\libmplayer.dll
2008-12-08 23:00 81,151 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2008-12-08 22:52 420,432 a------- c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\presario\xphnars3en\plugin\bin\pchplugin.zip
2008-12-08 22:52 49,152 a------- c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\presario\xphnars3en\plugin\bin\PCHI18N.dll
2008-12-08 22:52 106,496 a------- c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\presario\xphnars3en\plugin\bin\PluginCtrl.dll
2008-12-08 22:52 77,824 a------- c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\presario\xphnars3en\plugin\bin\WinVerifyTrust.dll
2008-12-08 22:51 159,744 a------- c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\presario\xphnars3en\plugin\bin\PCHButton.exe
2008-12-08 22:51 122,880 a------- c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\presario\xphnars3en\plugin\bin\SearchCtrl.dll
2008-12-08 22:51 126,976 a------- c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\presario\xphnars3en\plugin\bin\ContentUpdater.exe
2008-12-08 22:51 1,306,152 a------- c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\presario\xphnars3en\plugin\bin\motdeusr.zip
2008-11-29 13:26 991,232 a------- c:\windows\system32\VSFilter.dll
2008-11-26 10:31 2,678 a------- c:\windows\java\packages\data\A7LBDRT7.DAT
2008-11-26 10:31 2,678 a------- c:\windows\java\packages\data\V5N3R5NV.DAT
2008-11-26 10:31 2,678 a------- c:\windows\java\packages\data\OP375BLJ.DAT
2008-11-26 10:31 2,678 a------- c:\windows\java\packages\data\U0Y80B5Z.DAT
2008-11-26 10:31 2,678 a------- c:\windows\java\packages\data\P3HRJX33.DAT
2008-11-21 14:47 524,288 a------- c:\windows\system32\DivXsm.exe
2008-11-21 14:47 3,596,288 a------- c:\windows\system32\qt-dx331.dll
2008-11-21 14:47 129,784 -------- c:\windows\system32\pxafs.dll
2008-11-21 14:47 120,056 -------- c:\windows\system32\pxcpyi64.exe
2008-11-21 14:47 118,520 -------- c:\windows\system32\pxinsi64.exe
2008-11-21 14:46 1,044,480 a------- c:\windows\system32\libdivx.dll
2008-11-21 14:46 200,704 a------- c:\windows\system32\ssldivx.dll
2008-11-21 14:44 161,096 a------- c:\windows\system32\DivXCodecVersionChecker.exe
2008-11-21 14:44 12,288 a------- c:\windows\system32\DivXWMPExtType.dll
2003-08-27 14:19 36,963 ac---r-- c:\program files\common files\SM1updtr.dll
2003-05-28 17:12 20,480 ac------ c:\program files\UPGRADE ANY VERSION OF MUSICMATCH JUKEBOX This One Works.doc
2003-05-28 17:03 10,083,328 ac------ c:\program files\MusicMatch Jukebox 8.0.exe
2003-04-10 03:51 32 a--sh--- c:\windows\{DA550BF1-5AE0-4007-B9B0-C9FF520E8090}.dat
2007-12-17 17:46 428,957 a--sh--- c:\windows\system32\ghhkj.ini2
2003-04-10 03:51 32 ac-sh--- c:\windows\system32\{1BADA6CB-9766-4CB8-9EA3-38879756A4DF}.dat

============= FINISH: 18:32:19.02 ===============


#8 extremeboy (Malware Response Team)

Posted 13 February 2009 - 02:13 PM

Hello again.

I've included the dds logs again. I'm glad to hear you don't see anything wrong, I was just worried about that secdrv. Thanks.

I think that was a false-positive. That file is in the correct location and it's part of the Macrovision SECURITY Driver, which is legitimate. I also have the same file on my system. Just to make sure we will upload it onto an online scanner.

Submit File to Online Scanner

There is a file that I would like you to check out for me using VirusTotal/VirSCAN
  • Open VirusTotal Online Scanner or VirSCAN. If one site is busy or down, try the other
  • At the top of the page you'll see a box. Paste in the following line(s) (do one line at a time).
  • C:\Windows\System32\drivers\secdrv.sys
  • Click Submit.
  • Wait for the scan to finish.
  • Copy Scanner Results into your next reply.
  • If more than one file was listed, repeat for each of them.
Download and Run OTMoveIT3
  • Please download OTMoveIt3 by OldTimer and save it to your desktop. If you are running on Vista, right click on the file and choose Run As Administrator.
  • Double click the Posted Image icon on your desktop.
  • Paste the following code under the Posted Image area. Do not include the word "Code".
    :services
    mrtRate
    :files
    c:\windows\system32\ghhkj.ini2
    :reg
    [HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Explorer Bars]
    "{32683183-48a0-441b-a342-7c2a440a9478}"=-
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
    "{32683183-48a0-441b-a342-7c2a440a9478}"=-
    [-HKEY_CLASSES_ROOT\CLSID\{32683183-48a0-441b-a342-7c2a440a9478}]
    :commands
    [EmptyTemp]
    [Reboot]
  • Click the large Posted Image button.
  • Copy/Paste the contents under the Posted Image line here in your next reply.
Note: If you are unable to copy/paste from this window (as will be the case if the machine was rebooted), open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

Download and Run Scan with GMER

We will use GMER to scan for rootkits.
  • Download gmer.zip and save to your desktop.
    Alternate Download Site 1
  • Unzip/extract the file to its own folder. (Click here for information on how to do this if not sure. Win 2000 users click here.)
  • When you have done this, disconnect from the Internet and close all running programs.
    There is a small chance this application may crash your computer so save any work you have open.
  • Double-click on Gmer.exe to start the program.
  • Allow the gmer.sys driver to load if asked.
  • If it gives you a warning at program start about rootkit activity and asks if you want to run a scan...click NO.
  • Click the >>>
  • Click on Settings, then check the first five settings:
    • System Protection and Tracing
    • Processes
    • Save created processes to the log
    • Drivers
    • Save loaded drivers to the log
  • You will be prompted to restart your computer. Please do so.
  • After the reboot, run Gmer again and click on the Rootkit tab.
  • Look at the right hand side (under Files) and uncheck all drives with the exception of your C drive.
  • Make sure all other boxes on the right of the screen are checked, EXCEPT for Show All.
  • Click on the Scan and wait for the scan to finish.
    Note: Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while this scan completes. Also do not use your computer during the scan. You will know that the scan is done when the Stop button turns back to Scan.
  • When completed, click on the Copy button and right-click on your Desktop, choose New>Text document. Once the file is created, open it and right-click again and choose Paste. Save the file as gmer.txt and copy the information in your next reply.
If GMER doesn't work in Normal Mode try running it in Safe Mode

Important!: Please do not select the Show all checkbox during the scan.

Post back with:
-Virscan/Virustotal scan log
-OTmoveIT log
-GMER log
-New DDS scan log
-Any problems you still have?


With Regards,
Extremeboy
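An added example (not from the thread, and not part of the DDS or OTMoveIt3 tools): a small Python triage script that re-derives, from the DDS output posted above, how the three cleanup targets in the OTMoveIt3 script were chosen. It parses the log with regular expressions that are my own assumptions about DDS's line layout, inferred from the log text on this page, and applies three rules: a service entry whose image path is empty or shown as [x] (mrtRate), a registry entry listed with "No File" (the EB CLSID), and a file marked both system and hidden under the Windows directory (ghhkj.ini2). The embedded log excerpt is copied from the DDS log posted above. The hidden-file rule is deliberately broader than what the helper moved: it also surfaces the two GUID-named .dat files, which are reported for a human to look at, not for automatic removal.

```python
"""Triage a DDS log the way a malware-removal helper does.

Added example, not part of the original thread and not code from the DDS
tool. The regexes below are assumptions about DDS's line layout inferred
from the log text on the page; a different DDS version may need adjusting.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Excerpt of the DDS log posted in the thread (copied, not fabricated),
# trimmed to the lines relevant for the three rules below.
SAMPLE_DDS = r"""
============== Pseudo HJT Report ===============

BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File

============= SERVICES / DRIVERS ===============

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-1-14 111184]
S2 mrtRate;mrtRate; [x]
S3 SAVRT;SAVRT;c:\windows\system32\drivers\SAVRT.SYS [2008-11-26 235744]

==================== Find3M ====================

2008-12-20 16:15 826,368 a------- c:\windows\system32\wininet.dll
2003-04-10 03:51 32 a--sh--- c:\windows\{DA550BF1-5AE0-4007-B9B0-C9FF520E8090}.dat
2007-12-17 17:46 428,957 a--sh--- c:\windows\system32\ghhkj.ini2
2003-04-10 03:51 32 ac-sh--- c:\windows\system32\{1BADA6CB-9766-4CB8-9EA3-38879756A4DF}.dat
2009-01-15 22:00 <DIR> --d----- C:\temp
"""

# "R1 name;display;path [date size]"  (assumed layout of the services section)
SERVICE_RE = re.compile(
    r"^(?P<state>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<path>.*)$"
)
# "EB: {clsid} - No File" and similar registry-backed entries whose file is gone
REG_NOFILE_RE = re.compile(
    r"^(?P<kind>BHO|TB|EB|SSODL|Notify|IE):\s*(?P<rest>.*?)\s+-\s+No File$"
)
# "YYYY-MM-DD HH:MM size attrs path"; attrs is an 8-char flag string where
# 'd' = directory, 's' = system, 'h' = hidden (inferred from the log text)
FILE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+(?P<size>[\d,]+|<DIR>)\s+"
    r"(?P<attr>[a-z-]{8})\s+(?P<path>.+)$"
)


@dataclass(frozen=True)
class Finding:
    rule: str    # which triage rule fired
    item: str    # service name, CLSID or file path
    reason: str  # human-readable justification for the analyst


def triage_dds(text: str) -> list[Finding]:
    """Return the entries an analyst should look at first. Nothing is modified."""
    findings: list[Finding] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SERVICE_RE.match(line)
        if m:
            path = m["path"].strip()
            if path in ("", "[x]"):
                findings.append(Finding(
                    "orphan-service", m["name"],
                    f"{m['state']} service with no image file ({path or 'empty path'})"))
            continue
        m = REG_NOFILE_RE.match(line)
        if m:
            findings.append(Finding(
                "reg-no-file", m["rest"],
                f"{m['kind']} entry whose target file is missing"))
            continue
        m = FILE_RE.match(line)
        if m:
            attr, path = m["attr"], m["path"]
            is_dir = "d" in attr
            in_windows = path.lower().startswith("c:\\windows")
            if not is_dir and "s" in attr and "h" in attr and in_windows:
                findings.append(Finding(
                    "hidden-system-file", path,
                    f"file marked system+hidden ({attr}) under the Windows "
                    f"directory, size {m['size']}; verify by hash before acting"))
    return findings


if __name__ == "__main__":
    for f in triage_dds(SAMPLE_DDS):
        print(f"[{f.rule}] {f.item}: {f.reason}")
```

Run it as a script to print the findings, or call triage_dds() with a full DDS log. Nothing here moves or deletes anything: the output is a worksheet for the analyst, who should still confirm a flagged file by hash (as the helper does with secdrv.sys via VirusTotal) before putting it into a removal script.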

#9 extremeboy (Malware Response Team)

Posted 16 February 2009 - 01:11 PM

Hello.

Are you still there?

If you are please follow the instructions in my previous post.

If you still need help, follow the instructions I have given in my response. If you have since had your problem solved, we would appreciate you letting us know so we can close the topic.

Please reply back telling us so. If you don't reply within 5-7 days the topic will need to be closed.

Thanks for understanding.

With Regards,
Extremeboy

#10 extremeboy (Malware Response Team)

Posted 19 February 2009 - 05:20 PM

Hello.

Due to Lack of feedback, this topic is now Closed.

If you need this topic reopened, please Send Me a Message. In your message please include the address of this thread in your request.
This applies only to the original topic starter.

Everyone else please start a new topic in the Hijackthis-Malware Removal forum.

With Regards,
Extremeboy
