
Post-Infection, further help needed: Can't run chkdsk; and ComboFix quarantine question


12 replies to this topic

#1 mattmurdock

Posted 12 August 2009 - 10:39 AM

Greetings and thanks in advance for your time.

Software details:
Windows XP Pro, Tablet Edition, SP3, all updates taken.
Firefox used for all my web browsing.
Windows Firewall running

Machine details:
Gateway M280 tablet PC notebook
Celeron processor 1.60 GHz
504 MB of RAM.
Hard Drive is a Fujitsu MHV2040BH (which is SATA, I believe).

*I have recently had a malware infection. Now I am partway through fix, and need advice.
I should have posted earlier, but would really appreciate help.

My approaches to it and background follow, organized with headers (A), (B), (C).
*The HELP I NEED NOW is requested in header (D), questions 1. and 2., at bottom, just before the row of plusses ++++++++++ ahead of my SDD log.

(A). Symptoms that I first observed:

1. Two or more instances of "iexplore.exe" process launch at startup and constantly run, even though I do not launch Internet Explorer. (I observe them through Task Manager)
When I kill these processes using 'End Process,' they re-launch again after a few minutes.

2. During Google searches (using Firefox), in the status bar at the bottom of the window, I see that as part of the page load process, Firefox is checking or redirecting using the suspiciously-misspelled "web-analitycs.google.com."

3. When plugging in a USB device, my system would crash, and show a blue screen with a message (for an instant-- didn't have enough time to read the whole message), and then the machine would reboot:
Something like this:
'error DRIVER_IRQL_NOT_LESS_OR_EQUAL
If this is the first time you have received this message, .... [then restart the computer. If you have received it multiple times, then your ???? may be bad... ]

I could never Pause on the blue screen long enough to read the message thoroughly.


(B). First steps I tried, after reading spyware help forums and consulting Bleepingcomputer forums:

1. AVG Antivirus, AVG Free version 8.5.392. I already had this installed, always updated, as my security software. Scans did not catch the problem.
2. Malwarebytes. I was able to install MBAM only by renaming it during the download, but I was unable to run the software in the corrupted state. It just hung.
3. A scan-only tool provided by Sophos. This caught a couple of things, but did not solve the problems observed above.
4. I attempted to download scan and repair tools from Avira. In my machine's corrupted state, I was unable to burn their tool to CD, and thus did not use it.

(C). What I resorted to doing, in a desperate moment: ComboFix

I installed and ran ComboFix, following carefully the guide on Bleepingcomputer.com. (I know, except for the part about not running it unless a helper tells me to do so. Shame on me)

Again, I had to rename the file during download, to get around the malware blocking it.

*This, of course, worked wonders.
-As far as I can tell, I no longer experience the problem symptoms.
-I have since been able to install and run MBAM to clean out a couple of other things.


(D). **HELP I NEED NOW**:
Post-Combofix, I need expert advice:

1. Should I delete, or otherwise remove somehow, what ComboFix put in quarantine?
(A couple of files seem to be related to the Gateway Recovery Console, which is the recovery software installed on this machine. Perhaps they are contained in a backup of an earlier state. Is it safe to remove them?)

2. I need help finding an alternative way to run chkdsk.

During ComboFix, I was given multiple messages about corrupted files, asking me to run chkdsk.
One example:
"(title bar): PEV.exe – Corrupt File
“The file or directory C:\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\6.0\16 is corrupt and unreadable. Please run the Chkdsk utility.”

BUT I have always had trouble running chkdsk:

-When I schedule chkdsk to run at reboot, it does not run.
-My OS CDs are the Gateway Recovery CDs for XP (not purely the install CDs), and when I boot from them they do not provide any way to run chkdsk. I am only given the option to do a complete reinstall, or to save files to a new area of the HDD and install a clean set of XP.
-When I boot from an original XP CD I bought, and attempt to enter 'r' to enter Recovery, I get this message:
"Windows did not find any hard disk installed.
Make sure the drive is on, is properly connected, and that any disk-related hardware configuration is correct. This may involve running a manufacturer-supplied diagnostic program."

I am then told that Recovery can't run, and I have to just reboot.

I was unable to find any diagnostic program pertaining to my Fujitsu hard drive.

I have a ComboFix log if desired, and have followed your instructions to post my DDS log and attach the SDD scan attachment.

**Thank you for reading my request!
I sincerely appreciate your advice.

-mattmurdock




+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

DDS Log Follows:


DDS (Ver_09-07-30.01) - NTFSx86
Run by Administrator at 11:27:47.43 on Wed 08/12/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_05
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.502.147 [GMT -4:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: Sophos Anti-Virus *On-access scanning disabled* (Updated) {3F13C776-3CBE-4DE9-8BF6-09E5183CA2BD}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Common Files\Microsoft Shared\Ink\KeyboardSurrogate.exe
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
svchost.exe
svchost.exe
C:\WINDOWS\SYSTEM32\WISPTIS.EXE
C:\WINDOWS\System32\tabbtnu.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Netscape Internet Service\ncupdatesvc.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\TCServer.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\Sophos\AutoUpdate\ALsvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
C:\Program Files\Sophos\AutoUpdate\ALMon.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Administrator\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
uURLSearchHooks: H - No File
mURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: PBlockHelper Class: {4115122b-85ff-4dd3-9515-f075bede5eb5} - c:\progra~1\netsca~1\netsca~1\pbhelper.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\mi1933~1\office12\GRA8E1~1.DLL
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_05\bin\ssv.dll
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\windows\system32\BAE.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [NeroCheck] c:\windows\system32\NeroCheck.exe
mRun: [TabletWizard] c:\windows\help\SplshWrp.exe
mRun: [ArcSoft Connection Service] c:\program files\common files\arcsoft\connection service\bin\ACDaemon.exe
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
dRunOnce: [RunNarrator] Narrator.exe
StartupFolder: c:\docume~1\admini~1\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\autoup~1.lnk - c:\program files\sophos\autoupdate\ALMon.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\bigfix.lnk - c:\program files\bigfix\bigfix.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\exifla~1.lnk - c:\program files\finepixviewers\QuickDCF2.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\vpncli~1.lnk - c:\windows\installer\{f3c1de9e-5e16-4ba9-b854-7b53a45e3579}\Icon3E5562ED7.ico
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_05\bin\ssv.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\mi1933~1\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office12\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
LSP: c:\program files\netscape internet service\netscape web accelerator\sliplsp.dll
Trusted Zone: taxactonline.com\www
DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/4/9/e494c802-dd90-4c6b-a074-469358f075a6/OGAControl.cab
DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} - hxxps://support.microsoft.com/OAS/ActiveX/MSDcode.cab
DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} - hxxp://files.member.yahoo.com/dl/installs/sbc/yinst.cab
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase9563.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1190089417656
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {F5D98C43-DB16-11CF-8ECA-0000C0FD59C7} - hxxp://gis.cityofmadison.com/ACGM_7146/Acgm.cab
TCP: {29DB3150-5AF0-4306-8808-04F0B6DA3D2B} = 128.104.254.254,144.92.254.254
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\progra~1\mi1933~1\office12\GR99D3~1.DLL
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: avgrsstarter - avgrsstx.dll
Notify: igfxcui - igfxsrvc.dll
Notify: loginkey - c:\program files\common files\microsoft shared\ink\loginkey.dll
Notify: TabBtnWL - TabBtnWL.dll
Notify: tpgwlnotify - tpgwlnot.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\window~4\MpShHook.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\mi1933~1\office12\GRA8E1~1.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\admini~1\applic~1\mozilla\firefox\profiles\zngondhr.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo! Search
FF - prefs.js: browser.startup.homepage - www.google.com
FF - prefs.js: keyword.URL - hxxp://us.yhs.search.yahoo.com/avg/search?fr=yhs-avg&type=yahoo_avg_hs2-tb-web_us&p=
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
FF - component: c:\program files\avg\avg8\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
FF - component: c:\program files\avg\avg8\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
FF - component: c:\program files\avg\avg8\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
FF - component: c:\program files\avg\avg8\toolbar\firefox\avg@igeared\components\xpavgtbapi.dll
FF - plugin: c:\documents and settings\administrator\application data\mozilla\firefox\profiles\zngondhr.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp071102000004.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\mozilla firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\mozilla firefox\greprefs\all.js - pref("geo.enabled", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-5-28 335752]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-5-28 27784]
R1 SAVOnAccessControl;SAVOnAccessControl;c:\windows\system32\drivers\savonaccesscontrol.sys [2009-8-7 104704]
R1 SAVOnAccessFilter;SAVOnAccessFilter;c:\windows\system32\drivers\savonaccessfilter.sys [2009-8-7 35584]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2008-5-28 298776]
R2 Sophos AutoUpdate Service;Sophos AutoUpdate Service;c:\program files\sophos\autoupdate\ALsvc.exe [2008-6-26 172032]
R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
R3 FinePnt;FinePoint Innovations HID Driver;c:\windows\system32\drivers\FpHidDrv.sys [2007-8-21 17280]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2009-8-8 38160]
R3 MSTabBtn;Tablet PC Buttons HID Driver;c:\windows\system32\drivers\MSTabBtn.sys [2007-8-21 9600]
R3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2007-11-14 394952]
S2 CiscoVpnInstallService;Cisco Systems, Inc. Installer service;c:\docume~1\admini~1\locals~1\temp\wzse0.tmp\instal~1.exe --> c:\docume~1\admini~1\locals~1\temp\wzse0.tmp\INSTAL~1.EXE [?]
S2 SAVAdminService;Sophos Anti-Virus status reporter;c:\program files\sophos\sophos anti-virus\SAVAdminService.exe [2008-12-9 69632]
S2 SAVService;Sophos Anti-Virus;c:\program files\sophos\sophos anti-virus\SavService.exe [2008-12-9 98304]
S3 Ad-Watch Connect Filter;Ad-Watch Connect Kernel Filter;\??\c:\windows\system32\drivers\nsdriver.sys --> c:\windows\system32\drivers\NSDriver.sys [?]
S4 SophosBootDriver;SophosBootDriver;c:\windows\system32\drivers\SophosBootDriver.sys [2009-8-7 14976]

=============== Created Last 30 ================

2009-08-10 13:05 <DIR> --d----- c:\program files\ACW
2009-08-09 01:35 <DIR> --d----- c:\docume~1\admini~1\applic~1\Malwarebytes
2009-08-09 01:00 <DIR> -cd----- c:\windows\system32\dllcache\cache
2009-08-08 23:57 216,064 a------- c:\windows\PEV.exe
2009-08-08 23:57 161,792 a------- c:\windows\SWREG.exe
2009-08-08 23:57 98,816 a------- c:\windows\sed.exe
2009-08-08 19:04 65,536 a------- c:\windows\system32\NeroCo.dll
2009-08-08 19:04 57,344 a------- c:\windows\system32\NeroBurnRights.cpl
2009-08-08 19:04 2,031,616 -------- c:\windows\UNNeroBurnRights.exe
2009-08-08 19:04 23,936 -------- c:\windows\UNNeroBurnRights.cfg
2009-08-08 17:41 310 a------- c:\windows\system32\uacsr.dat
2009-08-08 12:01 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-08 12:01 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-08-08 12:01 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-08-08 12:01 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-08-07 13:24 130,088 a---h--- c:\windows\system32\2bcd5adc.stf
2009-08-07 13:24 130,088 a---h--- c:\windows\system32\26342141.stf
2009-08-07 13:24 130,088 a------- c:\windows\system32\sdccoinstaller.dll
2009-08-07 13:24 <DIR> --d----- c:\program files\common files\Cisco Systems
2009-08-07 13:23 23,552 a------- c:\windows\system32\SophosBootTasks.exe
2009-08-07 13:23 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Sophos
2009-08-07 13:22 104,704 a------- c:\windows\system32\drivers\savonaccesscontrol.sys
2009-08-07 13:22 35,584 a------- c:\windows\system32\drivers\savonaccessfilter.sys
2009-08-07 13:22 14,976 a------- c:\windows\system32\drivers\SophosBootDriver.sys
2009-08-07 13:22 <DIR> --d----- c:\program files\Sophos
2009-07-30 16:08 <DIR> --d----- c:\documents and settings\administrator\AIMPro
2009-07-30 14:39 <DIR> --d----- c:\docume~1\admini~1\applic~1\AIMPro
2009-07-30 14:38 <DIR> --d----- c:\program files\AIM

==================== Find3M ====================

2009-08-11 12:02 44,544 a------- c:\windows\system32\agremove.exe
2009-07-12 14:53 335,752 a------- c:\windows\system32\drivers\avgldx86.sys
2009-07-03 13:09 915,456 a------- c:\windows\system32\wininet.dll
2009-06-24 09:48 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-06-16 10:36 119,808 a------- c:\windows\system32\t2embed.dll
2009-06-16 10:36 81,920 a------- c:\windows\system32\fontsub.dll
2009-06-03 15:09 1,291,264 a------- c:\windows\system32\quartz.dll
2008-02-02 14:50 32 a------- c:\docume~1\alluse~1\applic~1\ezsid.dat
2007-09-23 01:09 0 a------- c:\docume~1\admini~1\applic~1\wklnhst.dat
2009-02-20 19:29 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009022020090221\index.dat

============= FINISH: 11:28:58.75 ===============
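As an added example (not from the thread, from DDS or from BleepingComputer's own process): a small Python triage pass over a few lines copied from the DDS log above, flagging the kinds of entries a malware-response helper reads first. The rule names are my own and every hit is a line to review, not a verdict.

```python
"""Triage helper for the 'Pseudo HJT Report', 'SERVICES / DRIVERS' and
'Created Last 30' sections of a DDS log.

Added example for this thread, not part of DDS or of BleepingComputer's
process. The rule names (orphan-entry, winsock-lsp, service-in-temp,
service-file-unverified, hidden-in-system32) are invented here.
"""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample: a few lines copied from the DDS log posted above,
# just enough to exercise every rule once or twice.
SAMPLE_DDS = r"""
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
uURLSearchHooks: H - No File
LSP: c:\program files\netscape internet service\netscape web accelerator\sliplsp.dll
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-5-28 335752]
S2 CiscoVpnInstallService;Cisco Systems, Inc. Installer service;c:\docume~1\admini~1\locals~1\temp\wzse0.tmp\instal~1.exe --> c:\docume~1\admini~1\locals~1\temp\wzse0.tmp\INSTAL~1.EXE [?]
S3 Ad-Watch Connect Filter;Ad-Watch Connect Kernel Filter;\??\c:\windows\system32\drivers\nsdriver.sys --> c:\windows\system32\drivers\NSDriver.sys [?]
2009-08-07 13:24 130,088 a---h--- c:\windows\system32\2bcd5adc.stf
2009-08-07 13:24 130,088 a------- c:\windows\system32\sdccoinstaller.dll
2009-08-08 17:41 310 a------- c:\windows\system32\uacsr.dat
"""

# "R1 Name;Display name;path [date size]"  (R = running, S = stopped)
SERVICE_RE = re.compile(r"^([RS])(\d)\s+([^;]+);([^;]*);(.*)$")
# "2009-08-07 13:24 130,088 a---h--- c:\path"  (size may be <DIR>)
CREATED_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+(<DIR>|[\d,]+)\s+([a-z-]{8})\s+(.*)$"
)


@dataclass(frozen=True)
class Finding:
    rule: str
    line: str


def triage(dds_text: str) -> list[Finding]:
    """Walk the DDS log line by line and collect entries worth a second look."""
    findings: list[Finding] = []
    for raw in dds_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        lower = line.lower()

        # Registry still points at a file that is gone: usually uninstall
        # leftovers, but also what a half-removed infection looks like.
        if lower.endswith(" - no file"):
            findings.append(Finding("orphan-entry", line))
            continue

        # A Winsock LSP sits in the path of every TCP connection, so each
        # entry here deserves a positive identification of the DLL.
        if line.startswith("LSP:"):
            findings.append(Finding("winsock-lsp", line))
            continue

        m = SERVICE_RE.match(line)
        if m:
            path = m.group(5)
            # A service whose binary lives in a temp folder is a classic
            # persistence spot (the sample's entry is a VPN-client installer
            # service registered from a temp folder; it still needs checking).
            if "\\temp\\" in path.lower():
                findings.append(Finding("service-in-temp", line))
            # DDS prints "[?]" when it could not stat the file: a missing or
            # unreadable binary behind a registered service or driver.
            if path.endswith("[?]"):
                findings.append(Finding("service-file-unverified", line))
            continue

        m = CREATED_RE.match(line)
        if m:
            attrs, path = m.group(3), m.group(4).lower()
            # Recently created *hidden* files under system32 are rare for
            # legitimate software and common for droppers.
            if "h" in attrs and "\\system32\\" in path:
                findings.append(Finding("hidden-in-system32", line))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per rule for a one-line triage summary."""
    return dict(Counter(f.rule for f in findings))


if __name__ == "__main__":
    hits = triage(SAMPLE_DDS)
    for f in hits:
        print(f"[{f.rule}] {f.line}")
    print(summarize(hits))
```

Feed it a whole DDS.txt and the summary tells you which sections to read first; the helper still decides, entry by entry, what is a leftover and what is active.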

#2 etavares

Malware Response Team

Posted 23 August 2009 - 06:26 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below, another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.


#3 mattmurdock

Topic Starter

Posted 23 August 2009 - 08:02 PM

Thanks very much for your reply! I have been waiting patiently in hope that someone could help.

Per your instructions:
I ran another DDS scan today (8/23/09)--

-DDS file results are posted below, at the end of this post.
-Attach file 8-23 was zipped up and attached to this post.

My situation is exactly the same as described in my first post (see 8/12/09).

I still need advice on the same two questions, listed in the original post under "(D) HELP I NEED NOW."

Since that time, I have scanned for malware with Malwarebytes' Anti-Malware a few times. No new threats have been found.

I sincerely appreciate your time! Thanks,

-mattmurdock

+++++++++++++++++
DDS log from update scan 8-23-09:


DDS (Ver_09-07-30.01) - NTFSx86
Run by Administrator at 20:48:06.67 on Sun 08/23/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_05
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.502.244 [GMT -4:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: Sophos Anti-Virus *On-access scanning disabled* (Updated) {3F13C776-3CBE-4DE9-8BF6-09E5183CA2BD}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Common Files\Microsoft Shared\Ink\KeyboardSurrogate.exe
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\SYSTEM32\WISPTIS.EXE
svchost.exe
C:\WINDOWS\System32\tabbtnu.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\TCServer.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Netscape Internet Service\ncupdatesvc.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Sophos\AutoUpdate\ALMon.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Administrator\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
uURLSearchHooks: H - No File
mURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: PBlockHelper Class: {4115122b-85ff-4dd3-9515-f075bede5eb5} - c:\progra~1\netsca~1\netsca~1\pbhelper.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\mi1933~1\office12\GRA8E1~1.DLL
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_05\bin\ssv.dll
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\windows\system32\BAE.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [NeroCheck] c:\windows\system32\NeroCheck.exe
mRun: [TabletWizard] c:\windows\help\SplshWrp.exe
mRun: [ArcSoft Connection Service] c:\program files\common files\arcsoft\connection service\bin\ACDaemon.exe
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
dRunOnce: [RunNarrator] Narrator.exe
StartupFolder: c:\docume~1\admini~1\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\autoup~1.lnk - c:\program files\sophos\autoupdate\ALMon.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\bigfix.lnk - c:\program files\bigfix\bigfix.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\exifla~1.lnk - c:\program files\finepixviewers\QuickDCF2.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\vpncli~1.lnk - c:\windows\installer\{f3c1de9e-5e16-4ba9-b854-7b53a45e3579}\Icon3E5562ED7.ico
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_05\bin\ssv.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\mi1933~1\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office12\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
LSP: c:\program files\netscape internet service\netscape web accelerator\sliplsp.dll
Trusted Zone: taxactonline.com\www
DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/4/9/e494c802-dd90-4c6b-a074-469358f075a6/OGAControl.cab
DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} - hxxps://support.microsoft.com/OAS/ActiveX/MSDcode.cab
DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} - hxxp://files.member.yahoo.com/dl/installs/sbc/yinst.cab
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase9563.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1190089417656
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {F5D98C43-DB16-11CF-8ECA-0000C0FD59C7} - hxxp://gis.cityofmadison.com/ACGM_7146/Acgm.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\progra~1\mi1933~1\office12\GR99D3~1.DLL
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: avgrsstarter - avgrsstx.dll
Notify: igfxcui - igfxsrvc.dll
Notify: loginkey - c:\program files\common files\microsoft shared\ink\loginkey.dll
Notify: TabBtnWL - TabBtnWL.dll
Notify: tpgwlnotify - tpgwlnot.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\window~4\MpShHook.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\mi1933~1\office12\GRA8E1~1.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\admini~1\applic~1\mozilla\firefox\profiles\zngondhr.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo! Search
FF - prefs.js: browser.startup.homepage - www.google.com
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
FF - plugin: c:\documents and settings\administrator\application data\mozilla\firefox\profiles\zngondhr.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp071102000004.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\mozilla firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\mozilla firefox\greprefs\all.js - pref("geo.enabled", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-5-28 335752]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-5-28 27784]
R1 SAVOnAccessControl;SAVOnAccessControl;c:\windows\system32\drivers\savonaccesscontrol.sys [2009-8-7 104704]
R1 SAVOnAccessFilter;SAVOnAccessFilter;c:\windows\system32\drivers\savonaccessfilter.sys [2009-8-7 35584]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2008-5-28 298776]
R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
R3 FinePnt;FinePoint Innovations HID Driver;c:\windows\system32\drivers\FpHidDrv.sys [2007-8-21 17280]
R3 MSTabBtn;Tablet PC Buttons HID Driver;c:\windows\system32\drivers\MSTabBtn.sys [2007-8-21 9600]
S2 CiscoVpnInstallService;Cisco Systems, Inc. Installer service;c:\docume~1\admini~1\locals~1\temp\wzse0.tmp\instal~1.exe --> c:\docume~1\admini~1\locals~1\temp\wzse0.tmp\INSTAL~1.EXE [?]
S2 SAVAdminService;Sophos Anti-Virus status reporter;c:\program files\sophos\sophos anti-virus\SAVAdminService.exe [2008-12-9 69632]
S2 SAVService;Sophos Anti-Virus;c:\program files\sophos\sophos anti-virus\SavService.exe [2008-12-9 98304]
S2 Sophos AutoUpdate Service;Sophos AutoUpdate Service;c:\program files\sophos\autoupdate\ALsvc.exe [2008-6-26 172032]
S3 Ad-Watch Connect Filter;Ad-Watch Connect Kernel Filter;\??\c:\windows\system32\drivers\nsdriver.sys --> c:\windows\system32\drivers\NSDriver.sys [?]
S3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2007-11-14 394952]
S4 SophosBootDriver;SophosBootDriver;c:\windows\system32\drivers\SophosBootDriver.sys [2009-8-7 14976]

=============== Created Last 30 ================

2009-08-15 14:19 <DIR> --d----- c:\program files\IrfanView
2009-08-12 12:19 128,512 -c------ c:\windows\system32\dllcache\dhtmled.ocx
2009-08-12 12:19 1,315,328 -c------ c:\windows\system32\dllcache\msoe.dll
2009-08-10 13:05 <DIR> --d----- c:\program files\ACW
2009-08-09 01:35 <DIR> --d----- c:\docume~1\admini~1\applic~1\Malwarebytes
2009-08-09 01:00 <DIR> -cd----- c:\windows\system32\dllcache\cache
2009-08-08 23:57 216,064 a------- c:\windows\PEV.exe
2009-08-08 23:57 161,792 a------- c:\windows\SWREG.exe
2009-08-08 23:57 98,816 a------- c:\windows\sed.exe
2009-08-08 19:04 65,536 a------- c:\windows\system32\NeroCo.dll
2009-08-08 19:04 57,344 a------- c:\windows\system32\NeroBurnRights.cpl
2009-08-08 19:04 2,031,616 -------- c:\windows\UNNeroBurnRights.exe
2009-08-08 19:04 23,936 -------- c:\windows\UNNeroBurnRights.cfg
2009-08-08 17:41 310 a------- c:\windows\system32\uacsr.dat
2009-08-08 12:01 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-08 12:01 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-08-08 12:01 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-08-08 12:01 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-08-07 13:24 130,088 a---h--- c:\windows\system32\290e0e87.stf
2009-08-07 13:24 130,088 a------- c:\windows\system32\sdccoinstaller.dll
2009-08-07 13:24 <DIR> --d----- c:\program files\common files\Cisco Systems
2009-08-07 13:23 23,552 a------- c:\windows\system32\SophosBootTasks.exe
2009-08-07 13:23 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Sophos
2009-08-07 13:22 104,704 a------- c:\windows\system32\drivers\savonaccesscontrol.sys
2009-08-07 13:22 35,584 a------- c:\windows\system32\drivers\savonaccessfilter.sys
2009-08-07 13:22 14,976 a------- c:\windows\system32\drivers\SophosBootDriver.sys
2009-08-07 13:22 <DIR> --d----- c:\program files\Sophos
2009-08-05 05:01 204,800 -c------ c:\windows\system32\dllcache\mswebdvd.dll
2009-07-30 16:08 <DIR> --d----- c:\documents and settings\administrator\AIMPro
2009-07-30 14:39 <DIR> --d----- c:\docume~1\admini~1\applic~1\AIMPro
2009-07-30 14:38 <DIR> --d----- c:\program files\AIM

==================== Find3M ====================

2009-08-22 20:37 44,544 a------- c:\windows\system32\agremove.exe
2009-08-05 05:01 204,800 a------- c:\windows\system32\mswebdvd.dll
2009-07-17 15:01 58,880 a------- c:\windows\system32\atl.dll
2009-07-13 23:43 286,208 a------- c:\windows\system32\wmpdxm.dll
2009-07-12 14:53 335,752 a------- c:\windows\system32\drivers\avgldx86.sys
2009-07-03 13:09 915,456 a------- c:\windows\system32\wininet.dll
2009-06-25 04:25 730,112 a------- c:\windows\system32\lsasrv.dll
2009-06-25 04:25 301,568 a------- c:\windows\system32\kerberos.dll
2009-06-25 04:25 147,456 a------- c:\windows\system32\schannel.dll
2009-06-25 04:25 136,192 a------- c:\windows\system32\msv1_0.dll
2009-06-25 04:25 56,832 a------- c:\windows\system32\secur32.dll
2009-06-25 04:25 54,272 a------- c:\windows\system32\wdigest.dll
2009-06-24 09:48 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-06-16 10:36 119,808 a------- c:\windows\system32\t2embed.dll
2009-06-16 10:36 81,920 a------- c:\windows\system32\fontsub.dll
2009-06-12 08:31 80,896 a------- c:\windows\system32\tlntsess.exe
2009-06-12 08:31 76,288 a------- c:\windows\system32\telnet.exe
2009-06-10 10:13 84,992 a------- c:\windows\system32\avifil32.dll
2009-06-10 09:19 2,066,432 a------- c:\windows\system32\mstscax.dll
2009-06-10 02:14 132,096 a------- c:\windows\system32\wkssvc.dll
2009-06-03 15:09 1,291,264 a------- c:\windows\system32\quartz.dll
2008-02-02 14:50 32 a------- c:\docume~1\alluse~1\applic~1\ezsid.dat
2007-09-23 01:09 0 a------- c:\docume~1\admini~1\applic~1\wklnhst.dat
2009-02-20 19:29 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009022020090221\index.dat

============= FINISH: 20:49:48.82 ===============

#4 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:10:13 PM

Posted 29 August 2009 - 04:17 PM

Hello again.

I apologize for the delay. Let's continue with two more scans please.

Download and run RootRepeal CR

Please download RootRepeal from the following location and save it to your desktop.
  • Unzip the RootRepeal.zip file to its own folder. (If you did not use the "Direct Download" mirror to download RootRepeal).
  • Close/Disable all other programs especially your security programs (anti-spyware, anti-virus, and firewall) Refer to this page, if you are unsure how.
  • Physically disconnect your machine from the internet as your system will be unprotected.
  • Double-click on RootRepeal.exe to run it. If you are using Vista, please right-click and run as Administrator...
  • Click the Posted Image tab at the bottom.
  • Now press the Posted Image button.
  • A box will pop up, check the boxes beside All Seven options/scan area
  • Now click OK.
  • Another box will open, check the boxes beside all the drives, eg : C:\, then click OK.
  • The scan will take a little while to run, so let it go unhindered.
  • Once it is done, click the Save Report button.
  • Save it as RepealScan and save it to your desktop
  • Reconnect to the internet.
  • Post the contents of that log in your reply please.
Download and run MalwareBytes Anti-Malware

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
  • Make sure you are connected to the Internet.
  • Double-click on Download_mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Quick Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

For complete or visual instructions on installing and running Malwarebytes Anti-Malware please read this link

Take a new DDS run afterward and post back with both the DDS and Attach logs in your next reply. Also, let me know how your computer is running and if you have any more problems, issues or symptoms to update for me.

Thanks.

With Regards,
Extremeboy
Note: Please do not PM me asking for help; instead, please post in the correct forum requesting help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#5 mattmurdock

mattmurdock
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:09:13 PM

Posted 30 August 2009 - 11:35 PM

Extremeboy, many thanks for your willingness to help me with my issue!

I am very eager to figure out a way to run chkdsk, since I believe I continue to have disk corruption issues.
At this point, that is my main goal.

Currently, my main symptoms are
-Can't run chkdsk at all. When I tell it to run at restart, it does not run.
-Experiencing some disk problems. (Examples: an occasional file that goes bad and can't be read; trouble with the 'spooler' software that makes me unable to print, even with printers correctly installed.)

In your post, you asked me to run a few scans, and then post the logs.
I have followed your instructions, and posted the requested logs below, in the order you requested.
(Numbered in parentheses below, so you can quickly do a find):

(MBAM didn't find any malicious items)

(1). RootRepeal
(2). MBAM
(3). DDS: (3a). attach.txt, and (3b). dds.txt

The logs follow! Thanks.

+++++++++++++++++++++++++++++++
(1). RootRepeal:

I actually also saved my RootRepeal 'log,' just a few lines, first:
20:25:13: Error - on-disk corruption detected - run chkdsk!
20:25:25: Error - end of index is past block!
20:25:55: Error - end of index is past block!
20:25:57: Error - on-disk corruption detected - run chkdsk!
20:27:31: Error - end of index is past block!
20:27:31: Error - end of index is past block!
20:27:31: Error - end of index is past block!
20:27:31: Error - end of index is past block!
20:27:31: Error - end of index is past block!
20:28:50: Error - on-disk corruption detected - run chkdsk!
20:28:50: Error - end of index is past block!
20:28:50: Error - end of index is past block!
20:31:00: Error - end of index is past block!
20:31:07: Error - end of index is past block!


Now, the actual scan:

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/08/30 20:23
Program Version: Version 1.3.5.0
Windows Version: Windows XP Tablet PC Edition SP3
==================================================

Drivers
-------------------
Name: dump_iaStor.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_iaStor.sys
Address: 0x9847A000 Size: 786432 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0x97F18000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: C:\System Volume Information\_restore{8BC79291-E322-403F-8E40-1FBD3FCA0EBD}\Fifoed(2)\A0051048.cfg
Status: Invisible to the Windows API!

Path: C:\System Volume Information\_restore{8BC79291-E322-403F-8E40-1FBD3FCA0EBD}\RP411\A0064537.cfg
Status: Invisible to the Windows API!

Path: C:\System Volume Information\_restore{8BC79291-E322-403F-8E40-1FBD3FCA0EBD}\RP411\A0064555.lnk
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\zngondhr.default\Cache.Trash\Trash\Cache\CommonAppData
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\zngondhr.default\Cache.Trash\Trash\Cache\banc-bft.ide
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\zngondhr.default\Cache.Trash\Trash\Cache\SophosBootTasks.exe
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\zngondhr.default\Cache.Trash\Trash\Cache\SophosBHO.dll
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\zngondhr.default\Cache.Trash\Trash\Cache\SophtainerAdapter.dll
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\zngondhr.default\Cache.Trash\Trash\Cache\zbot-fh.ide
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\zngondhr.default\Cache.Trash\Trash\Cache\DCManagement.dll
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\zngondhr.default\Cache.Trash\Trash\Cache\native.exe
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\zngondhr.default\Cache.Trash\Trash\Cache\6682df93b82a1f7b381c3772d9204f16x000.dat
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\zngondhr.default\Cache.Trash\Trash\Cache\slr.dll.managed_manifest
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\zngondhr.default\Cache.Trash\Trash\Cache\SAVPosturePlugin.dll
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\zngondhr.default\Cache.Trash\Trash\Cache\_R62E7~1
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\zngondhr.default\Cache.Trash\Trash\Cache\WinXP_AMD64
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\zngondhr.default\Cache.Trash\Trash\Cache\CollectedData_4376.xml
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\zngondhr.default\Cache.Trash\Trash-1\Cache\CommonAppData
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\zngondhr.default\Cache.Trash\Trash-1\Cache\banc-bft.ide
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\zngondhr.default\Cache.Trash\Trash-1\Cache\SophosBootTasks.exe
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\zngondhr.default\Cache.Trash\Trash-1\Cache\SophosBHO.dll
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\zngondhr.default\Cache.Trash\Trash-1\Cache\SophtainerAdapter.dll
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\zngondhr.default\Cache.Trash\Trash-1\Cache\zbot-fh.ide
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\zngondhr.default\Cache.Trash\Trash-1\Cache\DCManagement.dll
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\zngondhr.default\Cache.Trash\Trash-1\Cache\native.exe
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\zngondhr.default\Cache.Trash\Trash-1\Cache\6682df93b82a1f7b381c3772d9204f16x000.dat
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\zngondhr.default\Cache.Trash\Trash-1\Cache\slr.dll.managed_manifest
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\zngondhr.default\Cache.Trash\Trash-1\Cache\SAVPosturePlugin.dll
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\zngondhr.default\Cache.Trash\Trash-1\Cache\_R62E7~1
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\zngondhr.default\Cache.Trash\Trash-1\Cache\WinXP_AMD64
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\zngondhr.default\Cache.Trash\Trash-1\Cache\CollectedData_4376.xml
Status: Locked to the Windows API!

==EOF==

+++++++++++++++++++++++++++++++++

(2). MBAM Quick Scan, log:

Malwarebytes' Anti-Malware 1.40
Database version: 2719
Windows 5.1.2600 Service Pack 3

8/30/2009 11:54:17 PM
mbam-log-2009-08-30 (23-54-17).txt

Scan type: Quick Scan
Objects scanned: 101526
Time elapsed: 8 minute(s), 11 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

++++++++++++++++++++++++++++++++++++

(3a). DDS: attach.txt:


UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-07-30.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 9/17/2007 10:20:11 PM
System Uptime: 8/30/2009 8:08:14 PM (3 hours ago)

Motherboard: Gateway | | Gateway M280
Processor: Intel® Celeron® M processor 1.60GHz | uFCPGA2 | 1596/400mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 33 GiB total, 11.727 GiB free.
D: is FIXED (FAT32) - 5 GiB total, 1.712 GiB free.
E: is CDROM ()

==== Disabled Device Manager Items =============

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Intel® PRO/Wireless 2200BG Network Connection
Device ID: PCI\VEN_8086&DEV_4220&SUBSYS_27018086&REV_05\4&2C7B872C&0&20F0
Manufacturer: Intel Corporation
Name: Intel® PRO/Wireless 2200BG Network Connection
PNP Device ID: PCI\VEN_8086&DEV_4220&SUBSYS_27018086&REV_05\4&2C7B872C&0&20F0
Service: w29n51

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Cisco Systems VPN Adapter
Device ID: ROOT\NET\0000
Manufacturer: Cisco Systems
Name: Cisco Systems VPN Adapter
PNP Device ID: ROOT\NET\0000
Service: CVirtA

==== System Restore Points ===================

RP312: 7/23/2009 2:43:41 PM - Avg8 Update
RP313: 7/23/2009 2:43:44 PM - Software Distribution Service 3.0
RP314: 7/23/2009 2:43:45 PM - System Checkpoint
RP315: 7/23/2009 2:43:45 PM - Installed SA32xx Device Manager
RP316: 7/23/2009 2:43:46 PM - Installed MediaConverter for Philips
RP317: 7/23/2009 2:43:46 PM - Software Distribution Service 3.0
RP318: 7/23/2009 2:43:47 PM - Software Distribution Service 3.0
RP319: 7/23/2009 2:43:47 PM - Software Distribution Service 3.0
RP320: 7/23/2009 2:43:49 PM - Software Distribution Service 3.0
RP321: 7/23/2009 2:43:49 PM - System Checkpoint
RP322: 7/23/2009 2:43:50 PM - System Checkpoint
RP323: 7/23/2009 2:43:51 PM - Software Distribution Service 3.0
RP324: 7/23/2009 2:43:52 PM - Avg8 Update
RP325: 7/23/2009 2:43:53 PM - Software Distribution Service 3.0
RP326: 7/23/2009 2:43:53 PM - System Checkpoint
RP327: 7/23/2009 2:43:54 PM - System Checkpoint
RP328: 7/23/2009 2:43:54 PM - Software Distribution Service 3.0
RP329: 7/23/2009 2:43:54 PM - Removed VPN Client
RP330: 7/23/2009 2:43:54 PM - Installed Cisco Systems VPN Client 5.0.02.0090
RP331: 7/23/2009 2:43:55 PM - System Checkpoint
RP332: 7/23/2009 2:43:55 PM - Avg8 Update
RP333: 7/23/2009 2:43:55 PM - System Checkpoint
RP334: 7/23/2009 2:43:55 PM - Software Distribution Service 3.0
RP335: 7/23/2009 2:43:55 PM - System Checkpoint
RP336: 7/23/2009 2:43:56 PM - System Checkpoint
RP337: 7/23/2009 2:43:56 PM - Software Distribution Service 3.0
RP338: 7/23/2009 2:43:56 PM - System Checkpoint
RP339: 7/23/2009 2:43:56 PM - System Checkpoint
RP340: 7/23/2009 2:43:57 PM - Software Distribution Service 3.0
RP341: 7/23/2009 2:43:58 PM - Software Distribution Service 3.0
RP342: 7/23/2009 2:43:59 PM - System Checkpoint
RP343: 7/23/2009 2:43:59 PM - Software Distribution Service 3.0
RP344: 7/23/2009 2:44:00 PM - System Checkpoint
RP345: 7/23/2009 2:44:01 PM - Software Distribution Service 3.0
RP346: 7/23/2009 2:44:01 PM - Avg8 Update
RP347: 7/23/2009 2:44:01 PM - Software Distribution Service 3.0
RP348: 7/23/2009 2:44:01 PM - System Checkpoint
RP349: 7/23/2009 2:44:02 PM - System Checkpoint
RP350: 7/23/2009 2:44:02 PM - Software Distribution Service 3.0
RP351: 7/23/2009 2:44:02 PM - Software Distribution Service 3.0
RP352: 7/23/2009 2:44:02 PM - System Checkpoint
RP353: 7/23/2009 2:44:02 PM - Software Distribution Service 3.0
RP354: 7/23/2009 2:44:02 PM - System Checkpoint
RP355: 7/23/2009 2:44:03 PM - System Checkpoint
RP356: 7/23/2009 2:44:03 PM - Software Distribution Service 3.0
RP357: 7/23/2009 2:44:03 PM - Software Distribution Service 3.0
RP358: 7/23/2009 2:44:03 PM - System Checkpoint
RP359: 7/23/2009 2:44:04 PM - System Checkpoint
RP360: 7/23/2009 2:44:04 PM - System Checkpoint
RP361: 7/23/2009 2:44:04 PM - System Checkpoint
RP362: 7/23/2009 2:44:04 PM - Software Distribution Service 3.0
RP363: 7/23/2009 2:44:04 PM - Removed Cisco Systems VPN Client 5.0.02.0090
RP364: 7/23/2009 2:44:05 PM - Removed Cisco Systems VPN Client 5.0.02.0090
RP365: 7/23/2009 2:44:05 PM - Installed Cisco Systems VPN Client 5.0.05.0290
RP366: 7/23/2009 2:44:05 PM - Software Distribution Service 3.0
RP367: 7/23/2009 2:44:05 PM - Software Distribution Service 3.0
RP368: 7/23/2009 2:44:06 PM - Avg8 Update
RP369: 7/23/2009 2:44:06 PM - Avg8 Update
RP370: 7/23/2009 2:44:06 PM - Avg8 Update
RP371: 7/23/2009 2:44:06 PM - Software Distribution Service 3.0
RP372: 7/23/2009 2:44:06 PM - Avg8 Update
RP373: 7/23/2009 2:44:07 PM - Software Distribution Service 3.0
RP374: 7/23/2009 2:44:07 PM - Software Distribution Service 3.0
RP375: 7/23/2009 2:44:07 PM - Software Distribution Service 3.0
RP376: 7/23/2009 2:44:07 PM - System Checkpoint
RP377: 7/23/2009 2:44:08 PM - Software Distribution Service 3.0
RP378: 7/23/2009 2:44:08 PM - System Checkpoint
RP379: 7/23/2009 2:44:08 PM - Software Distribution Service 3.0
RP380: 7/23/2009 2:44:09 PM - System Checkpoint
RP381: 7/23/2009 2:44:09 PM - Software Distribution Service 3.0
RP382: 7/23/2009 2:44:09 PM - System Checkpoint
RP383: 7/23/2009 2:44:09 PM - Software Distribution Service 3.0
RP384: 7/23/2009 2:44:10 PM - System Checkpoint
RP385: 7/23/2009 2:44:10 PM - System Checkpoint
RP386: 7/23/2009 2:44:10 PM - Software Distribution Service 3.0
RP387: 7/23/2009 2:44:10 PM - Software Distribution Service 3.0
RP388: 7/23/2009 2:44:10 PM - Software Distribution Service 3.0
RP389: 7/23/2009 2:44:11 PM - System Checkpoint
RP390: 7/23/2009 2:44:11 PM - Software Distribution Service 3.0
RP391: 7/23/2009 2:44:11 PM - System Checkpoint
RP392: 7/23/2009 2:44:11 PM - Software Distribution Service 3.0
RP393: 7/23/2009 2:44:11 PM - Avg8 Update
RP394: 7/23/2009 2:44:12 PM - Avg8 Update
RP395: 7/23/2009 2:44:12 PM - System Checkpoint
RP396: 7/23/2009 2:44:12 PM - Software Distribution Service 3.0
RP397: 7/23/2009 2:44:12 PM - System Checkpoint
RP398: 7/23/2009 2:44:12 PM - Software Distribution Service 3.0
RP399: 7/23/2009 2:44:13 PM - System Checkpoint
RP400: 7/23/2009 2:44:13 PM - System Checkpoint
RP401: 7/23/2009 2:44:13 PM - Software Distribution Service 3.0
RP402: 7/23/2009 2:44:13 PM - Software Distribution Service 3.0
RP403: 7/23/2009 2:44:13 PM - System Checkpoint
RP404: 7/23/2009 2:44:14 PM - Software Distribution Service 3.0
RP405: 7/23/2009 2:44:14 PM - Avg8 Update
RP406: 7/23/2009 2:44:14 PM - Avg8 Update
RP407: 7/23/2009 2:44:14 PM - Software Distribution Service 3.0
RP408: 7/23/2009 2:44:15 PM - Software Distribution Service 3.0
RP409: 7/23/2009 2:44:15 PM - Avg8 Update
RP410: 7/23/2009 2:44:15 PM - Software Distribution Service 3.0
RP411: 7/23/2009 2:44:15 PM - System Checkpoint
RP412: 7/23/2009 2:44:15 PM - System Checkpoint
RP413: 7/23/2009 2:44:15 PM - Software Distribution Service 3.0
RP414: 8/10/2009 12:01:22 AM - System Checkpoint
RP415: 8/10/2009 8:34:03 PM - Software Distribution Service 3.0
RP416: 8/12/2009 12:53:09 PM - System Checkpoint
RP417: 8/12/2009 8:55:19 PM - Software Distribution Service 3.0
RP418: 8/14/2009 12:46:46 AM - System Checkpoint
RP419: 8/15/2009 12:09:02 PM - System Checkpoint
RP420: 8/17/2009 8:53:02 AM - Software Distribution Service 3.0
RP421: 8/18/2009 1:26:53 PM - System Checkpoint
RP422: 8/18/2009 7:54:52 PM - Software Distribution Service 3.0
RP423: 8/20/2009 7:40:31 PM - System Checkpoint
RP424: 8/21/2009 7:23:31 PM - Software Distribution Service 3.0
RP425: 8/22/2009 12:05:33 AM - Software Distribution Service 3.0
RP426: 8/23/2009 2:38:24 PM - System Checkpoint
RP427: 8/25/2009 5:19:18 PM - Software Distribution Service 3.0
RP428: 8/26/2009 10:39:22 AM - Avg8 Update
RP429: 8/26/2009 10:43:55 AM - Avg8 Update
RP430: 8/28/2009 10:04:38 AM - Software Distribution Service 3.0
RP431: 8/29/2009 12:51:32 PM - System Checkpoint
RP432: 8/30/2009 8:39:13 PM - System Checkpoint

==== Installed Programs ======================

7-Zip 4.57
Adobe Flash Player 10 Plugin
Adobe Flash Player ActiveX
Adobe Reader 7.1.0
Agilix GoBinder Lite
Ahead Nero Express
AIM Pro
Amazon MP3 Downloader 1.0.3
Apple Software Update
ArcSoft MediaConverter 2.5
ARGUS 2006
Audacity 1.2.6
AVG Free 8.5
Bonjour
Browser Address Error Redirector
CCleaner (remove only)
Cisco Systems VPN Client 5.0.05.0290
Conexant AC-Link Audio
Critical Update for Windows Media Player 11 (KB959772)
Data Fax SoftModem with SmartCP
DVD Solution
FUJIFILM FinePixViewer S Ver.2.1
gtw_logo
GWCares
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Ink Art
Intel® Graphics Media Accelerator Driver for Mobile
Intel® PROSet/Wireless Software
IrfanView (remove only)
Java 2 Runtime Environment, SE v1.4.2
Java™ 6 Update 5
Learn2 Player (Uninstall Only)
Malwarebytes' Anti-Malware
mCore
mDriver
mDrWiFi
mHelp
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Education Pack for Windows XP Tablet PC Edition
Microsoft Energy Blue Theme Pack
Microsoft Experience Pack for Tablet PC
Microsoft Ink Crossword
Microsoft Ink Desktop
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Media Transfer
Microsoft National Language Support Downlevel APIs
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Enterprise 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Groove MUI (English) 2007
Microsoft Office Groove Setup Metadata MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office OneNote 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Save as PDF or XPS Add-in for 2007 Microsoft Office programs
Microsoft Silverlight
Microsoft Snipping Tool 2.0
Microsoft Software Update for Web Folders (English) 12
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Microsoft Windows XP Tablet PC Edition 2005 Recognizer Pack
mIWA
mLogView
mMHouse
Mozilla Firefox (3.5.2)
mPfMgr
mPfWiz
mProSafe
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
mWlsSafe
mXML
mZConfig
Nero BurnRights
Netscape Internet Service
Netscape Web Accelerator
Palisade Numerical Tools - Book Version
PL-2303 USB-to-Serial
Power2Go 4.0
PowerDVD
QuickTime
RealPlayer Basic
Recovery Software Suite Gateway
SA32xx Device Manager
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 8 (KB969897)
Security Update for Windows Internet Explorer 8 (KB972260)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB913433)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973869)
Skype™ 4.0
Sophos Anti-Virus
Sophos AutoUpdate
StatTools 1.1 for Excel
Synaptics Pointing Device Driver
Tablet PC Tutorials for Microsoft Windows XP SP2
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB973815)
Viewpoint Media Player
WebFldrs XP
Windows Defender
Windows Driver Package - (mr7910) Image (08/08/2006 1.4.0.0)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 7
Windows Internet Explorer 8
Windows Live OneCare safety scanner
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player Firefox Plugin
Windows XP Service Pack 3
Yahoo! Install Manager

==== Event Viewer Messages From Past Week ========

8/30/2009 7:45:53 PM, error: Service Control Manager [7034] - The Print Spooler service terminated unexpectedly. It has done this 2 time(s).
8/30/2009 7:30:41 PM, error: Print [22] - Failed to ugrade printer settings for printer HP LaserJet 1020,0 driver HP LaserJet 1020 error 1801.
8/30/2009 7:07:08 PM, error: Service Control Manager [7034] - The Print Spooler service terminated unexpectedly. It has done this 1 time(s).
8/27/2009 9:33:32 PM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000243' while processing the file 'avgrsstx.dll.old' on the volume 'HarddiskVolume1'. It has stopped monitoring the volume.
8/27/2009 6:33:56 PM, error: DCOM [10016] - The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID {D2B7A809-15DC-40B4-A1E1-C61EA97191DB} to the user NT AUTHORITY\LOCAL SERVICE SID (S-1-5-19). This security permission can be modified using the Component Services administrative tool.
8/27/2009 11:13:00 PM, error: Service Control Manager [7034] - The Sophos AutoUpdate Service service terminated unexpectedly. It has done this 1 time(s).
8/26/2009 10:54:19 AM, error: Service Control Manager [7034] - The Sophos Anti-Virus service terminated unexpectedly. It has done this 2 time(s).
8/26/2009 10:54:10 AM, error: Service Control Manager [7034] - The Sophos Anti-Virus status reporter service terminated unexpectedly. It has done this 1 time(s).
8/26/2009 10:45:36 AM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the avg8wd service.
8/24/2009 12:11:35 AM, error: Service Control Manager [7000] - The Application Layer Gateway Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
8/24/2009 12:11:04 AM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Application Layer Gateway Service service to connect.
8/24/2009 12:10:38 AM, error: Service Control Manager [7000] - The Cisco Systems, Inc. Installer service service failed to start due to the following error: The system cannot find the path specified.
8/24/2009 12:02:08 PM, error: Service Control Manager [7034] - The Sophos Anti-Virus service terminated unexpectedly. It has done this 1 time(s).
8/24/2009 12:02:08 PM, error: SAVOnAccessControl [37] - Driver threads still active when driver is being shutdown.
8/23/2009 9:07:17 PM, error: PlugPlayManager [12] - The device 'RAS Async Adapter' (SW\{eeab7790-c514-11d1-b42b-00805fc1270e}\asyncmac) disappeared from the system without first being prepared for removal.
8/23/2009 11:50:32 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Sophos Anti-Virus service to connect.
8/23/2009 11:50:32 PM, error: Service Control Manager [7000] - The Sophos Anti-Virus service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
8/23/2009 11:50:23 PM, error: DCOM [10005] - DCOM got error "%1053" attempting to start the service SAVService with arguments "" in order to run the server: {D2B7A809-15DC-40B4-A1E1-C61EA97191DB}

==== End Of File ===========================


+++++++++++++++++++++++++++++++++++++++++++

(3b). DDS: dds.txt:


DDS (Ver_09-07-30.01) - NTFSx86
Run by Administrator at 23:55:20.46 on Sun 08/30/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_05
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.502.210 [GMT -4:00]

AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: Sophos Anti-Virus *On-access scanning disabled* (Outdated) {3F13C776-3CBE-4DE9-8BF6-09E5183CA2BD}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Common Files\Microsoft Shared\Ink\KeyboardSurrogate.exe
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\SYSTEM32\WISPTIS.EXE
C:\WINDOWS\System32\tabbtnu.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Netscape Internet Service\ncupdatesvc.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\System32\rpcnetp.exe
C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
C:\Program Files\Sophos\AutoUpdate\ALsvc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Microsoft Shared\Ink\TCServer.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
C:\Program Files\Sophos\AutoUpdate\ALMon.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Administrator\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
uURLSearchHooks: H - No File
mURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: PBlockHelper Class: {4115122b-85ff-4dd3-9515-f075bede5eb5} - c:\progra~1\netsca~1\netsca~1\pbhelper.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\mi1933~1\office12\GRA8E1~1.DLL
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_05\bin\ssv.dll
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\windows\system32\BAE.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [NeroCheck] c:\windows\system32\NeroCheck.exe
mRun: [TabletWizard] c:\windows\help\SplshWrp.exe
mRun: [ArcSoft Connection Service] c:\program files\common files\arcsoft\connection service\bin\ACDaemon.exe
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
dRunOnce: [RunNarrator] Narrator.exe
StartupFolder: c:\docume~1\admini~1\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\autoup~1.lnk - c:\program files\sophos\autoupdate\ALMon.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\bigfix.lnk - c:\program files\bigfix\bigfix.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\exifla~1.lnk - c:\program files\finepixviewers\QuickDCF2.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\vpncli~1.lnk - c:\windows\installer\{f3c1de9e-5e16-4ba9-b854-7b53a45e3579}\Icon3E5562ED7.ico
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_05\bin\ssv.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\mi1933~1\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office12\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
LSP: c:\program files\netscape internet service\netscape web accelerator\sliplsp.dll
Trusted Zone: taxactonline.com\www
DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/4/9/e494c802-dd90-4c6b-a074-469358f075a6/OGAControl.cab
DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} - hxxps://support.microsoft.com/OAS/ActiveX/MSDcode.cab
DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} - hxxp://files.member.yahoo.com/dl/installs/sbc/yinst.cab
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase9563.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1190089417656
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {F5D98C43-DB16-11CF-8ECA-0000C0FD59C7} - hxxp://gis.cityofmadison.com/ACGM_7146/Acgm.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\progra~1\mi1933~1\office12\GR99D3~1.DLL
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: avgrsstarter - avgrsstx.dll
Notify: igfxcui - igfxsrvc.dll
Notify: loginkey - c:\program files\common files\microsoft shared\ink\loginkey.dll
Notify: TabBtnWL - TabBtnWL.dll
Notify: tpgwlnotify - tpgwlnot.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\window~4\MpShHook.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\mi1933~1\office12\GRA8E1~1.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\admini~1\applic~1\mozilla\firefox\profiles\zngondhr.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo! Search
FF - prefs.js: browser.startup.homepage - www.google.com
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
FF - plugin: c:\documents and settings\administrator\application data\mozilla\firefox\profiles\zngondhr.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp071102000004.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\mozilla firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\mozilla firefox\greprefs\all.js - pref("geo.enabled", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-5-28 335240]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-5-28 27784]
R1 SAVOnAccessControl;SAVOnAccessControl;c:\windows\system32\drivers\savonaccesscontrol.sys [2009-8-7 104704]
R1 SAVOnAccessFilter;SAVOnAccessFilter;c:\windows\system32\drivers\savonaccessfilter.sys [2009-8-7 35584]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2008-5-28 297752]
R2 SAVAdminService;Sophos Anti-Virus status reporter;c:\program files\sophos\sophos anti-virus\SAVAdminService.exe [2008-12-9 69632]
R2 SAVService;Sophos Anti-Virus;c:\program files\sophos\sophos anti-virus\SavService.exe [2008-12-9 98304]
R2 Sophos AutoUpdate Service;Sophos AutoUpdate Service;c:\program files\sophos\autoupdate\ALsvc.exe [2008-6-26 172032]
R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
R3 FinePnt;FinePoint Innovations HID Driver;c:\windows\system32\drivers\FpHidDrv.sys [2007-8-21 17280]
R3 MSTabBtn;Tablet PC Buttons HID Driver;c:\windows\system32\drivers\MSTabBtn.sys [2007-8-21 9600]
RUnknown rpcnetp;rpcnetp; [x]
S2 CiscoVpnInstallService;Cisco Systems, Inc. Installer service;c:\docume~1\admini~1\locals~1\temp\wzse0.tmp\instal~1.exe --> c:\docume~1\admini~1\locals~1\temp\wzse0.tmp\INSTAL~1.EXE [?]
S3 Ad-Watch Connect Filter;Ad-Watch Connect Kernel Filter;\??\c:\windows\system32\drivers\nsdriver.sys --> c:\windows\system32\drivers\NSDriver.sys [?]
S3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2007-11-14 394952]
S4 SophosBootDriver;SophosBootDriver;c:\windows\system32\drivers\SophosBootDriver.sys [2009-8-7 14976]

=============== Created Last 30 ================

2009-08-30 20:09 17,408 a------- c:\windows\system32\rpcnetp.dll
2009-08-30 20:08 17,408 a------- c:\windows\system32\rpcnetp.exe
2009-08-30 19:30 574,100 a------- c:\windows\system32\hp1022n.img
2009-08-30 19:30 61,440 a------- c:\windows\system32\ZIMF.DLL
2009-08-30 19:30 53,248 a------- c:\windows\system32\ZTAG.DLL
2009-08-30 19:30 10,632 a------- c:\windows\system32\ZSHP1020.CHM
2009-08-30 19:30 206,768 a------- c:\windows\system32\hp1022.img
2009-08-30 19:06 <DIR> --d----- C:\spoolerlogs
2009-08-15 14:19 <DIR> --d----- c:\program files\IrfanView
2009-08-12 12:19 128,512 -c------ c:\windows\system32\dllcache\dhtmled.ocx
2009-08-12 12:19 1,315,328 -c------ c:\windows\system32\dllcache\msoe.dll
2009-08-10 13:05 <DIR> --d----- c:\program files\ACW
2009-08-09 01:35 <DIR> --d----- c:\docume~1\admini~1\applic~1\Malwarebytes
2009-08-09 01:00 <DIR> -cd----- c:\windows\system32\dllcache\cache
2009-08-08 23:57 216,064 a------- c:\windows\PEV.exe
2009-08-08 23:57 161,792 a------- c:\windows\SWREG.exe
2009-08-08 23:57 98,816 a------- c:\windows\sed.exe
2009-08-08 19:04 65,536 a------- c:\windows\system32\NeroCo.dll
2009-08-08 19:04 57,344 a------- c:\windows\system32\NeroBurnRights.cpl
2009-08-08 19:04 2,031,616 -------- c:\windows\UNNeroBurnRights.exe
2009-08-08 19:04 23,936 -------- c:\windows\UNNeroBurnRights.cfg
2009-08-08 17:41 310 a------- c:\windows\system32\uacsr.dat
2009-08-08 12:01 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-08 12:01 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-08-08 12:01 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-08-08 12:01 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-08-07 13:24 130,088 a------- c:\windows\system32\sdccoinstaller.dll
2009-08-07 13:24 <DIR> --d----- c:\program files\common files\Cisco Systems
2009-08-07 13:23 23,552 a------- c:\windows\system32\SophosBootTasks.exe
2009-08-07 13:23 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Sophos
2009-08-07 13:22 104,704 a------- c:\windows\system32\drivers\savonaccesscontrol.sys
2009-08-07 13:22 35,584 a------- c:\windows\system32\drivers\savonaccessfilter.sys
2009-08-07 13:22 14,976 a------- c:\windows\system32\drivers\SophosBootDriver.sys
2009-08-07 13:22 <DIR> --d----- c:\program files\Sophos
2009-08-05 05:01 204,800 -c------ c:\windows\system32\dllcache\mswebdvd.dll

==================== Find3M ====================

2009-08-30 19:31 44,544 a------- c:\windows\system32\agremove.exe
2009-08-26 10:42 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-08-26 10:42 335,240 a------- c:\windows\system32\drivers\avgldx86.sys
2009-08-05 05:01 204,800 a------- c:\windows\system32\mswebdvd.dll
2009-07-17 15:01 58,880 a------- c:\windows\system32\atl.dll
2009-07-13 23:43 286,208 a------- c:\windows\system32\wmpdxm.dll
2009-07-03 13:09 915,456 a------- c:\windows\system32\wininet.dll
2009-06-25 04:25 730,112 a------- c:\windows\system32\lsasrv.dll
2009-06-25 04:25 301,568 a------- c:\windows\system32\kerberos.dll
2009-06-25 04:25 147,456 a------- c:\windows\system32\schannel.dll
2009-06-25 04:25 136,192 a------- c:\windows\system32\msv1_0.dll
2009-06-25 04:25 56,832 a------- c:\windows\system32\secur32.dll
2009-06-25 04:25 54,272 a------- c:\windows\system32\wdigest.dll
2009-06-16 10:36 119,808 a------- c:\windows\system32\t2embed.dll
2009-06-16 10:36 81,920 a------- c:\windows\system32\fontsub.dll
2009-06-12 08:31 80,896 a------- c:\windows\system32\tlntsess.exe
2009-06-12 08:31 76,288 a------- c:\windows\system32\telnet.exe
2009-06-10 10:13 84,992 a------- c:\windows\system32\avifil32.dll
2009-06-10 09:19 2,066,432 a------- c:\windows\system32\mstscax.dll
2009-06-10 02:14 132,096 a------- c:\windows\system32\wkssvc.dll
2009-06-03 15:09 1,291,264 a------- c:\windows\system32\quartz.dll
2008-02-02 14:50 32 a------- c:\docume~1\alluse~1\applic~1\ezsid.dat
2007-09-23 01:09 0 a------- c:\docume~1\admini~1\applic~1\wklnhst.dat
2009-02-20 19:29 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009022020090221\index.dat

============= FINISH: 23:56:01.59 ===============

#6 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:10:13 PM

Posted 31 August 2009 - 01:41 PM

Hello.

I see you have 2 anti-virus programs running:

2 Anti-virus/Firewall Programs Running Simultaneously Warning

I do not recommend that you have more than one anti virus or firewall product installed and running on your computer at a time. In addition to wasting resources, if both products have their automatic (Real-Time) protection switched on, then those products which do not encrypt the virus strings within them can cause other anti virus products to cause "false alarms". It can also lead to a clash as both products fight for access to files which are opened; again, this is the resident/automatic protection. In general terms, the two programs may conflict and cause:

1) False Alarms: When the anti virus software tells you that your PC has a virus when it actually doesn't.
2) System Performance Problems: Your system may lock up due to both products attempting to access the same file at the same time.

Therefore please go to Add/Remove in the Control Panel and remove either AVG Free 8.5 or Sophos Anti-Virus.

Please uninstall them until you are only running one antivirus using Add/Remove Programs if you are using XP or remove it via Programs and Features if you are using Vista.

--

Regarding the chkdsk and other problems, we'll deal with those at the end. First, we'll make sure that there is no more malware on your system.

Update Java to Version 6 Update 16

Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Look for "Java Runtime Environment (JRE)" JRE 6 Update 16.
  • Click the Download button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Under Required Files, check the box for Windows Offline Installation, click the link below it and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u16-windows-i586.exe to install the newest version.
-- If using Windows Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
-- If you choose to update via the Java applet in Control Panel, uncheck the option to install the Toolbar unless you want it.
-- The uninstaller incorporated in this release removes previous Updates 10 and above, but does not remove older versions, so they still need to be removed manually.


Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. To disable the JQS service if you don't want to use it, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click Ok and reboot your computer.

Run ESET Online Scan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image icon on your desktop.
  • Check Posted Image
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Check Posted Image
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push Posted Image
  • Push Posted Image, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the Posted Image button.
  • Push Posted Image
You can refer to this animation by neomage if needed.

Take a new DDS run afterward and post back with both the DDS and Attach logs in your next reply.

Thanks.

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.
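The two checks extremeboy made by eye on the "Installed Programs" section of the DDS Attach.txt (more than one anti-virus product installed, and Java runtimes older than the release he asked for) can be scripted over the log text. The following is an added example, not code from the thread, from the DDS tool or from any of the products named; the log excerpt, the anti-virus name patterns and the "current update" number are constructed for the example.

```python
"""Added example (not part of the thread or of DDS): scripting the two triage
checks the helper made by eye on the "Installed Programs" section of a DDS
Attach.txt log: more than one anti-virus product installed, and Java runtimes
older than the release the helper asked for (JRE 6 Update 16).

The log excerpt, the anti-virus name patterns and the 'current update' number
below are constructed for this example; DDS itself provides none of them."""
import re

# Name patterns that identify resident anti-virus products (assumed list,
# extend for your environment). Windows Defender on XP is anti-spyware only,
# so it is deliberately not listed.
AV_PATTERNS = [r"\bAVG\b", r"Sophos Anti-Virus", r"\bAvast\b", r"\bAvira\b",
               r"\bNorton\b", r"\bMcAfee\b", r"\bKaspersky\b"]

# JRE 6 Update 16 was current when the thread was written (assumption for the example).
CURRENT_JAVA6_UPDATE = 16

# Matches the Add/Remove Programs names seen in the thread ("Java(TM) 6 Update 5",
# "Java(TM) 6 Update 16") and captures the update number.
JAVA6_RE = re.compile(r"Java(?:\(TM\)|™)? 6 Update (\d+)")
# Any Java runtime entry, including pre-Java-6 ones such as "Java 2 Runtime Environment".
JAVA_ANY_RE = re.compile(r"\bJava\b|\bJ2SE\b|\bJRE\b")

# Constructed sample: a DDS Attach.txt fragment using names that appear in the thread.
SAMPLE_ATTACH_TXT = """\
==== Installed Programs ======================

7-Zip 4.57
AVG Free 8.5
Java 2 Runtime Environment, SE v1.4.2
Java(TM) 6 Update 5
Malwarebytes' Anti-Malware
Sophos Anti-Virus
Windows Defender

==== Event Viewer Messages From Past Week ========
"""


def installed_programs(attach_txt):
    """Return the program names listed under the DDS 'Installed Programs' header,
    stopping at the next '==== ' section header."""
    names = []
    inside = False
    for line in attach_txt.splitlines():
        if line.startswith("==== "):
            inside = line.startswith("==== Installed Programs")
            continue
        if inside and line.strip():
            names.append(line.strip())
    return names


def antivirus_products(programs):
    """Entries that look like a resident anti-virus product."""
    return [p for p in programs
            if any(re.search(pat, p, re.IGNORECASE) for pat in AV_PATTERNS)]


def outdated_java(programs, current_update=CURRENT_JAVA6_UPDATE):
    """Java entries that should be removed: any Java 6 update below the current
    one, and any pre-Java-6 runtime (J2SE 1.4.x, 5.0), which JAVA6_RE does not match."""
    stale = []
    for p in programs:
        if not JAVA_ANY_RE.search(p):
            continue
        m = JAVA6_RE.search(p)
        if m is None or int(m.group(1)) < current_update:
            stale.append(p)
    return stale


def triage(attach_txt):
    """Run both checks and return human-readable findings (empty list = nothing flagged)."""
    programs = installed_programs(attach_txt)
    findings = []
    avs = antivirus_products(programs)
    if len(avs) > 1:
        findings.append("More than one anti-virus product installed: " + ", ".join(avs))
    stale = outdated_java(programs)
    if stale:
        findings.append("Outdated Java runtimes to remove: " + ", ".join(stale))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_ATTACH_TXT):
        print(finding)
```

On the constructed sample this flags AVG and Sophos as two anti-virus products and lists the J2SE 1.4.2 and Java 6 Update 5 entries for removal, which is exactly the pair of instructions given in the post above; a real Attach.txt is fed in the same way by reading the file into a string.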

#7 mattmurdock

mattmurdock
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:09:13 PM

Posted 31 August 2009 - 08:39 PM

Thanks for the further help, Extremeboy!

I followed your instructions. The summary:

(A). Sophos is now uninstalled, using add/remove programs.
[I was using a scan-only version, that said it did not actively monitor files, and thus said it would not interfere with my main AV software. Hopefully that was true.]

(B). Java: Old versions uninstalled; JRE 6 Update 16 is now installed, as you specified. (Thanks!)

(C). ESET Online Scan performed-- See log below, pasted after point (C).
[It found 4 items, which were files that had previously been quarantined by another scan]

(D). DDS scan performed again-- See logs below, pasted after point (D).


OK, I await your expert advice. Thank you very much again.

-mattmurdock

+++++++++++++++++++++

(C). ESET Online Scan results:

C:\Qoobox\Quarantine\C\WINDOWS\system32\cxpfwxvt.ini.vir Win32/Adware.Virtumonde.NEO application cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\WINDOWS\system32\srruutwa.ini.vir Win32/Adware.Virtumonde.NEO application cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\WINDOWS\system32\srruutwa.ini2.vir Win32/Adware.Virtumonde.NEO application cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\WINDOWS\system32\UAClebeirilam.dll.vir probably a variant of Win32/Agent trojan cleaned by deleting - quarantined




(D). DDS Scan 8-31 results (attach.txt and DDS.txt, in order):


Attach.txt:

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-07-30.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 9/17/2007 10:20:11 PM
System Uptime: 8/31/2009 7:16:15 PM (2 hours ago)

Motherboard: Gateway | | Gateway M280
Processor: Intel® Celeron® M processor 1.60GHz | uFCPGA2 | 1596/400mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 33 GiB total, 11.626 GiB free.
D: is FIXED (FAT32) - 5 GiB total, 1.712 GiB free.
E: is CDROM ()

==== Disabled Device Manager Items =============

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Cisco Systems VPN Adapter
Device ID: ROOT\NET\0000
Manufacturer: Cisco Systems
Name: Cisco Systems VPN Adapter
PNP Device ID: ROOT\NET\0000
Service: CVirtA

==== System Restore Points ===================

RP312: 7/23/2009 2:43:41 PM - Avg8 Update
RP313: 7/23/2009 2:43:44 PM - Software Distribution Service 3.0
RP314: 7/23/2009 2:43:45 PM - System Checkpoint
RP315: 7/23/2009 2:43:45 PM - Installed SA32xx Device Manager
RP316: 7/23/2009 2:43:46 PM - Installed MediaConverter for Philips
RP317: 7/23/2009 2:43:46 PM - Software Distribution Service 3.0
RP318: 7/23/2009 2:43:47 PM - Software Distribution Service 3.0
RP319: 7/23/2009 2:43:47 PM - Software Distribution Service 3.0
RP320: 7/23/2009 2:43:49 PM - Software Distribution Service 3.0
RP321: 7/23/2009 2:43:49 PM - System Checkpoint
RP322: 7/23/2009 2:43:50 PM - System Checkpoint
RP323: 7/23/2009 2:43:51 PM - Software Distribution Service 3.0
RP324: 7/23/2009 2:43:52 PM - Avg8 Update
RP325: 7/23/2009 2:43:53 PM - Software Distribution Service 3.0
RP326: 7/23/2009 2:43:53 PM - System Checkpoint
RP327: 7/23/2009 2:43:54 PM - System Checkpoint
RP328: 7/23/2009 2:43:54 PM - Software Distribution Service 3.0
RP329: 7/23/2009 2:43:54 PM - Removed VPN Client
RP330: 7/23/2009 2:43:54 PM - Installed Cisco Systems VPN Client 5.0.02.0090
RP331: 7/23/2009 2:43:55 PM - System Checkpoint
RP332: 7/23/2009 2:43:55 PM - Avg8 Update
RP333: 7/23/2009 2:43:55 PM - System Checkpoint
RP334: 7/23/2009 2:43:55 PM - Software Distribution Service 3.0
RP335: 7/23/2009 2:43:55 PM - System Checkpoint
RP336: 7/23/2009 2:43:56 PM - System Checkpoint
RP337: 7/23/2009 2:43:56 PM - Software Distribution Service 3.0
RP338: 7/23/2009 2:43:56 PM - System Checkpoint
RP339: 7/23/2009 2:43:56 PM - System Checkpoint
RP340: 7/23/2009 2:43:57 PM - Software Distribution Service 3.0
RP341: 7/23/2009 2:43:58 PM - Software Distribution Service 3.0
RP342: 7/23/2009 2:43:59 PM - System Checkpoint
RP343: 7/23/2009 2:43:59 PM - Software Distribution Service 3.0
RP344: 7/23/2009 2:44:00 PM - System Checkpoint
RP345: 7/23/2009 2:44:01 PM - Software Distribution Service 3.0
RP346: 7/23/2009 2:44:01 PM - Avg8 Update
RP347: 7/23/2009 2:44:01 PM - Software Distribution Service 3.0
RP348: 7/23/2009 2:44:01 PM - System Checkpoint
RP349: 7/23/2009 2:44:02 PM - System Checkpoint
RP350: 7/23/2009 2:44:02 PM - Software Distribution Service 3.0
RP351: 7/23/2009 2:44:02 PM - Software Distribution Service 3.0
RP352: 7/23/2009 2:44:02 PM - System Checkpoint
RP353: 7/23/2009 2:44:02 PM - Software Distribution Service 3.0
RP354: 7/23/2009 2:44:02 PM - System Checkpoint
RP355: 7/23/2009 2:44:03 PM - System Checkpoint
RP356: 7/23/2009 2:44:03 PM - Software Distribution Service 3.0
RP357: 7/23/2009 2:44:03 PM - Software Distribution Service 3.0
RP358: 7/23/2009 2:44:03 PM - System Checkpoint
RP359: 7/23/2009 2:44:04 PM - System Checkpoint
RP360: 7/23/2009 2:44:04 PM - System Checkpoint
RP361: 7/23/2009 2:44:04 PM - System Checkpoint
RP362: 7/23/2009 2:44:04 PM - Software Distribution Service 3.0
RP363: 7/23/2009 2:44:04 PM - Removed Cisco Systems VPN Client 5.0.02.0090
RP364: 7/23/2009 2:44:05 PM - Removed Cisco Systems VPN Client 5.0.02.0090
RP365: 7/23/2009 2:44:05 PM - Installed Cisco Systems VPN Client 5.0.05.0290
RP366: 7/23/2009 2:44:05 PM - Software Distribution Service 3.0
RP367: 7/23/2009 2:44:05 PM - Software Distribution Service 3.0
RP368: 7/23/2009 2:44:06 PM - Avg8 Update
RP369: 7/23/2009 2:44:06 PM - Avg8 Update
RP370: 7/23/2009 2:44:06 PM - Avg8 Update
RP371: 7/23/2009 2:44:06 PM - Software Distribution Service 3.0
RP372: 7/23/2009 2:44:06 PM - Avg8 Update
RP373: 7/23/2009 2:44:07 PM - Software Distribution Service 3.0
RP374: 7/23/2009 2:44:07 PM - Software Distribution Service 3.0
RP375: 7/23/2009 2:44:07 PM - Software Distribution Service 3.0
RP376: 7/23/2009 2:44:07 PM - System Checkpoint
RP377: 7/23/2009 2:44:08 PM - Software Distribution Service 3.0
RP378: 7/23/2009 2:44:08 PM - System Checkpoint
RP379: 7/23/2009 2:44:08 PM - Software Distribution Service 3.0
RP380: 7/23/2009 2:44:09 PM - System Checkpoint
RP381: 7/23/2009 2:44:09 PM - Software Distribution Service 3.0
RP382: 7/23/2009 2:44:09 PM - System Checkpoint
RP383: 7/23/2009 2:44:09 PM - Software Distribution Service 3.0
RP384: 7/23/2009 2:44:10 PM - System Checkpoint
RP385: 7/23/2009 2:44:10 PM - System Checkpoint
RP386: 7/23/2009 2:44:10 PM - Software Distribution Service 3.0
RP387: 7/23/2009 2:44:10 PM - Software Distribution Service 3.0
RP388: 7/23/2009 2:44:10 PM - Software Distribution Service 3.0
RP389: 7/23/2009 2:44:11 PM - System Checkpoint
RP390: 7/23/2009 2:44:11 PM - Software Distribution Service 3.0
RP391: 7/23/2009 2:44:11 PM - System Checkpoint
RP392: 7/23/2009 2:44:11 PM - Software Distribution Service 3.0
RP393: 7/23/2009 2:44:11 PM - Avg8 Update
RP394: 7/23/2009 2:44:12 PM - Avg8 Update
RP395: 7/23/2009 2:44:12 PM - System Checkpoint
RP396: 7/23/2009 2:44:12 PM - Software Distribution Service 3.0
RP397: 7/23/2009 2:44:12 PM - System Checkpoint
RP398: 7/23/2009 2:44:12 PM - Software Distribution Service 3.0
RP399: 7/23/2009 2:44:13 PM - System Checkpoint
RP400: 7/23/2009 2:44:13 PM - System Checkpoint
RP401: 7/23/2009 2:44:13 PM - Software Distribution Service 3.0
RP402: 7/23/2009 2:44:13 PM - Software Distribution Service 3.0
RP403: 7/23/2009 2:44:13 PM - System Checkpoint
RP404: 7/23/2009 2:44:14 PM - Software Distribution Service 3.0
RP405: 7/23/2009 2:44:14 PM - Avg8 Update
RP406: 7/23/2009 2:44:14 PM - Avg8 Update
RP407: 7/23/2009 2:44:14 PM - Software Distribution Service 3.0
RP408: 7/23/2009 2:44:15 PM - Software Distribution Service 3.0
RP409: 7/23/2009 2:44:15 PM - Avg8 Update
RP410: 7/23/2009 2:44:15 PM - Software Distribution Service 3.0
RP411: 7/23/2009 2:44:15 PM - System Checkpoint
RP412: 7/23/2009 2:44:15 PM - System Checkpoint
RP413: 7/23/2009 2:44:15 PM - Software Distribution Service 3.0
RP414: 8/10/2009 12:01:22 AM - System Checkpoint
RP415: 8/10/2009 8:34:03 PM - Software Distribution Service 3.0
RP416: 8/12/2009 12:53:09 PM - System Checkpoint
RP417: 8/12/2009 8:55:19 PM - Software Distribution Service 3.0
RP418: 8/14/2009 12:46:46 AM - System Checkpoint
RP419: 8/15/2009 12:09:02 PM - System Checkpoint
RP420: 8/17/2009 8:53:02 AM - Software Distribution Service 3.0
RP421: 8/18/2009 1:26:53 PM - System Checkpoint
RP422: 8/18/2009 7:54:52 PM - Software Distribution Service 3.0
RP423: 8/20/2009 7:40:31 PM - System Checkpoint
RP424: 8/21/2009 7:23:31 PM - Software Distribution Service 3.0
RP425: 8/22/2009 12:05:33 AM - Software Distribution Service 3.0
RP426: 8/23/2009 2:38:24 PM - System Checkpoint
RP427: 8/25/2009 5:19:18 PM - Software Distribution Service 3.0
RP428: 8/26/2009 10:39:22 AM - Avg8 Update
RP429: 8/26/2009 10:43:55 AM - Avg8 Update
RP430: 8/28/2009 10:04:38 AM - Software Distribution Service 3.0
RP431: 8/29/2009 12:51:32 PM - System Checkpoint
RP432: 8/30/2009 8:39:13 PM - System Checkpoint
RP433: 8/31/2009 12:55:25 AM - Removed Sophos Anti-Virus
RP434: 8/31/2009 12:56:54 AM - Removed Sophos AutoUpdate
RP435: 8/31/2009 10:54:59 AM - Installed SA32xx Device Manager
RP436: 8/31/2009 6:53:52 PM - Installed Java™ 6 Update 15
RP437: 8/31/2009 7:10:30 PM - Removed Java™ 6 Update 5
RP438: 8/31/2009 7:11:51 PM - Removed Java™ 6 Update 15
RP439: 8/31/2009 7:13:16 PM - Removed Java 2 Runtime Environment, SE v1.4.2
RP440: 8/31/2009 7:19:13 PM - Installed Java™ 6 Update 16

==== Installed Programs ======================

7-Zip 4.57
Adobe Flash Player 10 Plugin
Adobe Flash Player ActiveX
Adobe Reader 7.1.0
Agilix GoBinder Lite
Ahead Nero Express
AIM Pro
Amazon MP3 Downloader 1.0.3
Apple Software Update
ArcSoft MediaConverter 2.5
ARGUS 2006
Audacity 1.2.6
AVG Free 8.5
Bonjour
Browser Address Error Redirector
CCleaner (remove only)
Cisco Systems VPN Client 5.0.05.0290
Conexant AC-Link Audio
Critical Update for Windows Media Player 11 (KB959772)
Data Fax SoftModem with SmartCP
DVD Solution
ESET Online Scanner v3
FUJIFILM FinePixViewer S Ver.2.1
gtw_logo
GWCares
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Ink Art
Intel® Graphics Media Accelerator Driver for Mobile
Intel® PROSet/Wireless Software
IrfanView (remove only)
Java™ 6 Update 16
Learn2 Player (Uninstall Only)
Malwarebytes' Anti-Malware
mCore
mDriver
mDrWiFi
mHelp
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Education Pack for Windows XP Tablet PC Edition
Microsoft Energy Blue Theme Pack
Microsoft Experience Pack for Tablet PC
Microsoft Ink Crossword
Microsoft Ink Desktop
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Media Transfer
Microsoft National Language Support Downlevel APIs
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Enterprise 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Groove MUI (English) 2007
Microsoft Office Groove Setup Metadata MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office OneNote 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Save as PDF or XPS Add-in for 2007 Microsoft Office programs
Microsoft Silverlight
Microsoft Snipping Tool 2.0
Microsoft Software Update for Web Folders (English) 12
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Microsoft Windows XP Tablet PC Edition 2005 Recognizer Pack
mIWA
mLogView
mMHouse
Mozilla Firefox (3.5.2)
mPfMgr
mPfWiz
mProSafe
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
mWlsSafe
mXML
mZConfig
Nero BurnRights
Netscape Internet Service
Netscape Web Accelerator
Palisade Numerical Tools - Book Version
PL-2303 USB-to-Serial
Power2Go 4.0
PowerDVD
QuickTime
RealPlayer Basic
Recovery Software Suite Gateway
SA32xx Device Manager
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 8 (KB969897)
Security Update for Windows Internet Explorer 8 (KB972260)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB913433)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973869)
Skype™ 4.0
StatTools 1.1 for Excel
Synaptics Pointing Device Driver
Tablet PC Tutorials for Microsoft Windows XP SP2
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB973815)
Viewpoint Media Player
WebFldrs XP
Windows Defender
Windows Driver Package - (mr7910) Image (08/08/2006 1.4.0.0)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 7
Windows Internet Explorer 8
Windows Live OneCare safety scanner
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player Firefox Plugin
Windows XP Service Pack 3
Yahoo! Install Manager

==== Event Viewer Messages From Past Week ========

8/30/2009 7:45:53 PM, error: Service Control Manager [7034] - The Print Spooler service terminated unexpectedly. It has done this 2 time(s).
8/30/2009 7:30:41 PM, error: Print [22] - Failed to ugrade printer settings for printer HP LaserJet 1020,0 driver HP LaserJet 1020 error 1801.
8/30/2009 7:07:08 PM, error: Service Control Manager [7034] - The Print Spooler service terminated unexpectedly. It has done this 1 time(s).
8/27/2009 9:33:32 PM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000243' while processing the file 'avgrsstx.dll.old' on the volume 'HarddiskVolume1'. It has stopped monitoring the volume.
8/27/2009 6:33:56 PM, error: DCOM [10016] - The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID {D2B7A809-15DC-40B4-A1E1-C61EA97191DB} to the user NT AUTHORITY\LOCAL SERVICE SID (S-1-5-19). This security permission can be modified using the Component Services administrative tool.
8/27/2009 11:13:00 PM, error: Service Control Manager [7034] - The Sophos AutoUpdate Service service terminated unexpectedly. It has done this 1 time(s).
8/26/2009 10:54:19 AM, error: Service Control Manager [7034] - The Sophos Anti-Virus service terminated unexpectedly. It has done this 2 time(s).
8/26/2009 10:54:10 AM, error: Service Control Manager [7034] - The Sophos Anti-Virus status reporter service terminated unexpectedly. It has done this 1 time(s).
8/26/2009 10:45:36 AM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the avg8wd service.
8/25/2009 4:09:35 PM, error: PlugPlayManager [12] - The device 'RAS Async Adapter' (SW\{eeab7790-c514-11d1-b42b-00805fc1270e}\asyncmac) disappeared from the system without first being prepared for removal.
8/25/2009 2:37:56 PM, error: Service Control Manager [7000] - The Cisco Systems, Inc. Installer service service failed to start due to the following error: The system cannot find the path specified.
8/24/2009 12:11:35 AM, error: Service Control Manager [7000] - The Application Layer Gateway Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
8/24/2009 12:11:04 AM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Application Layer Gateway Service service to connect.
8/24/2009 12:02:08 PM, error: Service Control Manager [7034] - The Sophos Anti-Virus service terminated unexpectedly. It has done this 1 time(s).
8/24/2009 12:02:08 PM, error: SAVOnAccessControl [37] -

==== End Of File ===========================




DDS.txt:


DDS (Ver_09-07-30.01) - NTFSx86
Run by Administrator at 21:22:17.81 on Mon 08/31/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_16
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.502.191 [GMT -4:00]

AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\Program Files\Common Files\Microsoft Shared\Ink\KeyboardSurrogate.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Netscape Internet Service\ncupdatesvc.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\SYSTEM32\WISPTIS.EXE
C:\WINDOWS\System32\tabbtnu.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\TCServer.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32Info.exe
C:\Documents and Settings\Administrator\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
uURLSearchHooks: H - No File
mURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: PBlockHelper Class: {4115122b-85ff-4dd3-9515-f075bede5eb5} - c:\progra~1\netsca~1\netsca~1\pbhelper.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\mi1933~1\office12\GRA8E1~1.DLL
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\windows\system32\BAE.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [NeroCheck] c:\windows\system32\NeroCheck.exe
mRun: [TabletWizard] c:\windows\help\SplshWrp.exe
mRun: [ArcSoft Connection Service] c:\program files\common files\arcsoft\connection service\bin\ACDaemon.exe
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
dRunOnce: [RunNarrator] Narrator.exe
StartupFolder: c:\docume~1\admini~1\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\bigfix.lnk - c:\program files\bigfix\bigfix.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\exifla~1.lnk - c:\program files\finepixviewers\QuickDCF2.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\philip~1.lnk - c:\program files\philips\sa32xx device manager\SA32xx_DeviceManager.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\vpncli~1.lnk - c:\windows\installer\{f3c1de9e-5e16-4ba9-b854-7b53a45e3579}\Icon3E5562ED7.ico
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\mi1933~1\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office12\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
LSP: c:\program files\netscape internet service\netscape web accelerator\sliplsp.dll
Trusted Zone: taxactonline.com\www
DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/4/9/e494c802-dd90-4c6b-a074-469358f075a6/OGAControl.cab
DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} - hxxps://support.microsoft.com/OAS/ActiveX/MSDcode.cab
DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} - hxxp://files.member.yahoo.com/dl/installs/sbc/yinst.cab
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase9563.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1190089417656
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {F5D98C43-DB16-11CF-8ECA-0000C0FD59C7} - hxxp://gis.cityofmadison.com/ACGM_7146/Acgm.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\progra~1\mi1933~1\office12\GR99D3~1.DLL
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: avgrsstarter - avgrsstx.dll
Notify: igfxcui - igfxsrvc.dll
Notify: loginkey - c:\program files\common files\microsoft shared\ink\loginkey.dll
Notify: TabBtnWL - TabBtnWL.dll
Notify: tpgwlnotify - tpgwlnot.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\window~4\MpShHook.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\mi1933~1\office12\GRA8E1~1.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\admini~1\applic~1\mozilla\firefox\profiles\zngondhr.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo! Search
FF - prefs.js: browser.startup.homepage - www.google.com
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
FF - plugin: c:\documents and settings\administrator\application data\mozilla\firefox\profiles\zngondhr.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp071102000004.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\mozilla firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\mozilla firefox\greprefs\all.js - pref("geo.enabled", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-5-28 335240]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-5-28 27784]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2008-5-28 297752]
R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
R3 FinePnt;FinePoint Innovations HID Driver;c:\windows\system32\drivers\FpHidDrv.sys [2007-8-21 17280]
R3 MSTabBtn;Tablet PC Buttons HID Driver;c:\windows\system32\drivers\MSTabBtn.sys [2007-8-21 9600]
S2 CiscoVpnInstallService;Cisco Systems, Inc. Installer service;c:\docume~1\admini~1\locals~1\temp\wzse0.tmp\instal~1.exe --> c:\docume~1\admini~1\locals~1\temp\wzse0.tmp\INSTAL~1.EXE [?]
S3 Ad-Watch Connect Filter;Ad-Watch Connect Kernel Filter;\??\c:\windows\system32\drivers\nsdriver.sys --> c:\windows\system32\drivers\NSDriver.sys [?]
S3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2007-11-14 394952]

=============== Created Last 30 ================

2009-08-31 19:24 <DIR> --d----- c:\program files\ESET
2009-08-31 19:20 73,728 a------- c:\windows\system32\javacpl.cpl
2009-08-31 18:54 411,368 a------- c:\windows\system32\deploytk.dll
2009-08-31 10:52 12,841,260 a------- c:\docume~1\admini~1\applic~1\sa3225_02_pal_eng.exe
2009-08-30 19:30 574,100 a------- c:\windows\system32\hp1022n.img
2009-08-30 19:30 61,440 a------- c:\windows\system32\ZIMF.DLL
2009-08-30 19:30 53,248 a------- c:\windows\system32\ZTAG.DLL
2009-08-30 19:30 10,632 a------- c:\windows\system32\ZSHP1020.CHM
2009-08-30 19:30 206,768 a------- c:\windows\system32\hp1022.img
2009-08-30 19:06 <DIR> --d----- C:\spoolerlogs
2009-08-15 14:19 <DIR> --d----- c:\program files\IrfanView
2009-08-12 12:19 128,512 -c------ c:\windows\system32\dllcache\dhtmled.ocx
2009-08-12 12:19 1,315,328 -c------ c:\windows\system32\dllcache\msoe.dll
2009-08-10 13:05 <DIR> --d----- c:\program files\ACW
2009-08-09 01:35 <DIR> --d----- c:\docume~1\admini~1\applic~1\Malwarebytes
2009-08-09 01:00 <DIR> -cd----- c:\windows\system32\dllcache\cache
2009-08-08 23:57 216,064 a------- c:\windows\PEV.exe
2009-08-08 23:57 161,792 a------- c:\windows\SWREG.exe
2009-08-08 23:57 98,816 a------- c:\windows\sed.exe
2009-08-08 19:04 65,536 a------- c:\windows\system32\NeroCo.dll
2009-08-08 19:04 57,344 a------- c:\windows\system32\NeroBurnRights.cpl
2009-08-08 19:04 2,031,616 -------- c:\windows\UNNeroBurnRights.exe
2009-08-08 19:04 23,936 -------- c:\windows\UNNeroBurnRights.cfg
2009-08-08 17:41 310 a------- c:\windows\system32\uacsr.dat
2009-08-08 12:01 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-08 12:01 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-08-08 12:01 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-08-08 12:01 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-08-07 13:23 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Sophos
2009-08-07 13:22 <DIR> --d----- c:\program files\Sophos
2009-08-05 05:01 204,800 -c------ c:\windows\system32\dllcache\mswebdvd.dll

==================== Find3M ====================

2009-08-31 19:34 44,544 a------- c:\windows\system32\agremove.exe
2009-08-26 10:42 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-08-26 10:42 335,240 a------- c:\windows\system32\drivers\avgldx86.sys
2009-08-05 05:01 204,800 a------- c:\windows\system32\mswebdvd.dll
2009-07-17 15:01 58,880 a------- c:\windows\system32\atl.dll
2009-07-13 23:43 286,208 a------- c:\windows\system32\wmpdxm.dll
2009-07-03 13:09 915,456 a------- c:\windows\system32\wininet.dll
2009-06-25 04:25 730,112 a------- c:\windows\system32\lsasrv.dll
2009-06-25 04:25 301,568 a------- c:\windows\system32\kerberos.dll
2009-06-25 04:25 147,456 a------- c:\windows\system32\schannel.dll
2009-06-25 04:25 136,192 a------- c:\windows\system32\msv1_0.dll
2009-06-25 04:25 56,832 a------- c:\windows\system32\secur32.dll
2009-06-25 04:25 54,272 a------- c:\windows\system32\wdigest.dll
2009-06-16 10:36 119,808 a------- c:\windows\system32\t2embed.dll
2009-06-16 10:36 81,920 a------- c:\windows\system32\fontsub.dll
2009-06-12 08:31 80,896 a------- c:\windows\system32\tlntsess.exe
2009-06-12 08:31 76,288 a------- c:\windows\system32\telnet.exe
2009-06-10 10:13 84,992 a------- c:\windows\system32\avifil32.dll
2009-06-10 09:19 2,066,432 a------- c:\windows\system32\mstscax.dll
2009-06-10 02:14 132,096 a------- c:\windows\system32\wkssvc.dll
2009-06-03 15:09 1,291,264 a------- c:\windows\system32\quartz.dll
2008-02-02 14:50 32 a------- c:\docume~1\alluse~1\applic~1\ezsid.dat
2007-09-23 01:09 0 a------- c:\docume~1\admini~1\applic~1\wklnhst.dat
2009-02-20 19:29 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009022020090221\index.dat

============= FINISH: 21:22:29.87 ===============

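An added triage example, not part of the original thread and not a DDS feature: a small Python script that runs a few review heuristics over lines copied verbatim from the DDS log above. The heuristics (orphaned "No File" references, a service image path under a temp directory, a Winsock LSP, and DDS's "[?]" marker for a file it could not stat) are the editor's own choices; a hit is a candidate for a human to look at, not a malware verdict.

```python
"""Triage heuristics for DDS/HijackThis-style log lines.

Added example: these heuristics are the editor's, not part of DDS or of the
helper's procedure. A hit is a candidate for review, not a malware verdict.
"""
import re
from collections import Counter

# Sample input: lines copied verbatim from the DDS log posted above.
SAMPLE_LOG = r"""
uURLSearchHooks: H - No File
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
mRun: [NeroCheck] c:\windows\system32\NeroCheck.exe
LSP: c:\program files\netscape internet service\netscape web accelerator\sliplsp.dll
R2 avg8wd;AVG8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2008-5-28 297752]
S2 CiscoVpnInstallService;Cisco Systems, Inc. Installer service;c:\docume~1\admini~1\locals~1\temp\wzse0.tmp\instal~1.exe --> c:\docume~1\admini~1\locals~1\temp\wzse0.tmp\INSTAL~1.EXE [?]
S3 Ad-Watch Connect Filter;Ad-Watch Connect Kernel Filter;\??\c:\windows\system32\drivers\nsdriver.sys --> c:\windows\system32\drivers\NSDriver.sys [?]
"""

# "R2 name;display name;image path [date size]" or "... --> resolved path [?]"
SERVICE_RE = re.compile(r"^([RS]\d)\s+([^;]+);([^;]*);(.*)$")
# Image path that lives under a temp directory (8.3 short names included).
TEMP_DIR_RE = re.compile(r"\\temp\\", re.IGNORECASE)


def parse_service(line):
    """Parse a SERVICES / DRIVERS line; return None for anything else."""
    m = SERVICE_RE.match(line)
    if not m:
        return None
    state, name, display, rest = m.groups()
    rest = rest.strip()
    # Strip the trailing "[date size]" or "[?]" marker, then take the
    # resolved path if DDS printed "registered --> resolved".
    path = rest.rsplit(" [", 1)[0].split(" --> ")[-1].strip()
    return {
        "state": state,          # R = running, S = stopped; digit = start type
        "name": name,
        "display": display,
        "path": path,
        "unverified": rest.endswith("[?]"),  # DDS could not stat the file
    }


def triage_line(line):
    """Return a list of (severity, reason) findings for one log line."""
    findings = []
    line = line.strip()
    if not line:
        return findings
    if line.endswith("No File"):
        findings.append(("cleanup", "orphaned registry entry: target file is gone"))
    if line.startswith("LSP:"):
        findings.append(("info", "Winsock LSP installed; confirm the vendor is expected"))
    svc = parse_service(line)
    if svc:
        if TEMP_DIR_RE.search(svc["path"]):
            findings.append(("review", f"service {svc['name']!r} points into a temp directory: {svc['path']}"))
        if svc["unverified"]:
            findings.append(("info", f"service {svc['name']!r}: image file could not be verified"))
    return findings


def triage(log_text):
    """Run triage_line over a whole log; return [(line, severity, reason), ...]."""
    results = []
    for line in log_text.splitlines():
        for severity, reason in triage_line(line):
            results.append((line.strip(), severity, reason))
    return results


def count_by_severity(log_text):
    """Summary: how many findings of each severity the log produced."""
    return dict(Counter(sev for _, sev, _ in triage(log_text)))


if __name__ == "__main__":
    for line, sev, reason in triage(SAMPLE_LOG):
        print(f"[{sev:7}] {reason}\n          {line[:90]}")
```

On the sample above the script flags the three "No File" entries for cleanup, the Netscape LSP as informational, and the stopped CiscoVpnInstallService for review because its image lives under a user temp folder; the AVG, Nero and Ad-Watch lines produce nothing beyond the "[?]" note. Run it over a full DDS log by replacing SAMPLE_LOG with the file's contents.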
#8 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • Gender:Male
  • Local time:10:13 PM

Posted 01 September 2009 - 11:13 AM

Hello.

That looks good.

How's your computer running now? Any more problems? Do the problems you had previously still exist?

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#9 mattmurdock

mattmurdock
  • Topic Starter

  • Members
  • 8 posts
  • Local time:09:13 PM

Posted 01 September 2009 - 11:50 AM

To respond to your latest post,
Glad to hear that the logs look good.

I still need help resolving my most pressing issue: Disk corruption left behind after malware, and an inability to run chkdsk to correct it.

My main questions are still the same ones I asked for help on in my original help request of August 12, following this section:

(D). **HELP I NEED NOW**:


That section contains a description of my chkdsk problems, and what I have tried.
Do you have any idea how to help resolve this?

Thanks a million, once again.
-mattmurdock

#10 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • Gender:Male
  • Local time:10:13 PM

Posted 01 September 2009 - 12:51 PM

Hello.

Regarding ComboFix, we can remove everything related to that once I give you my final speech. No need to worry too much about that.

Regarding the chkdsk issue, I suggest you start a topic here: http://www.bleepingcomputer.com/forums/f/56/windows-xp-home-and-professional/

Then a Windows expert or helper can help you out. I'm not a Windows expert, so I'm not exactly sure what might have caused it.

With Regards,
Extremeboy

#11 mattmurdock

mattmurdock
  • Topic Starter

  • Members
  • 8 posts
  • Local time:09:13 PM

Posted 02 September 2009 - 10:17 PM

Extremeboy,

Thanks. At your suggestion, I started a new topic on the other forum, to attempt to address the chkdsk and file system error problems.

Just wanted to let you know that I am still diligently pursuing resolution of these issues, and following your advice.

As far as this topic is concerned, what should be our next step?
-Should I await a resolution of the file system and disk error problem?

or,

-Should we take additional steps at this point, such as unwinding ComboFix?

Thanks again,

-mattmurdock

#12 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • Gender:Male
  • Local time:10:13 PM

Posted 03 September 2009 - 09:04 AM

Hello.

We can cleanup on our side.

--

Please follow/read the steps below to remove the tools we used and for some more information. :thumbup2:

Uninstall ComboFix

Remove ComboFix now that we're done with it.
  • Click on your Start Menu, then Run....
  • Now type combofix /u in the run box and click OK. Notice the space between the "x" and "/".
  • You will then receive a message letting you know that ComboFix was uninstalled successfully.
This will remove files/folders associated with ComboFix and uninstall it.

Download and Run OTC

We will now remove the tools we used during this fix using OTC.
  • Download OTC by OldTimer and save it to your desktop.
  • Double-click the OTC icon to start the program. If you are using Vista, please right-click and choose Run as administrator.
  • Then click the big CleanUp! button.
  • You will get a prompt saying "Begin Cleanup Process". Please select Yes.
  • Restart your computer when prompted.

System a bit slow? Try StartupLite

You may wish to try StartupLite. Simply download this tool to your desktop and run it. It will explain any optional auto-start programs on your system, and offer the option to stop these programs from starting at startup. This will result in fewer programs running when you boot your system, and should improve performance.

If that does not work, you can try the steps mentioned in Slow Computer/browser? Check Here First; It May Not Be Malware.

--
Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:

Preventing Infections in the Future

Please also have a look at the following links, giving some advice and Tips to protect yourself against malware and reduce the potential for re-infection:
  • Avoid gaming sites, underground web pages, pirated software sites, and peer-to-peer (P2P) file sharing programs. They are a security risk which can make your computer susceptible to a smörgåsbord of malware infections, remote attacks, exposure of personal information, and identity theft. Many malicious worms and Trojans spread across P2P file sharing networks, gaming and underground sites. Users visiting such pages may see innocuous-looking banner ads containing code which can trigger pop-up ads and Flash ads that install viruses, Trojans and spyware. Ads are a target for hackers because they offer a stealthy way to distribute malware to a wide range of Internet users.
Visit the Windows Update Site Regularly

I recommend you regularly visit the Windows Update Site!
  • Lots of hacking/Trojans use methods (plugged by the updates) that have not been stopped because people did not update.
  • Update ALL Critical updates and any other Windows updates for services/programs that you use.
  • If you wish to turn on automatic updates, here is a nice little article about turning on automatic updates.
  • Note that it will download them for you, but you still have to actually click install.
Update Non-Microsoft Programs

It is also a good idea to check for the latest versions of commonly installed applications that are regularly patched to fix vulnerabilities. You can check these by visiting Secunia Software Inspector and Calendar of Updates.

Update all programs regularly - Make sure you update all the programs you have installed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

Follow this list and your potential for being infected again will reduce dramatically.

With Regards,
Extremeboy


#13 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • Gender:Male
  • Local time:10:13 PM

Posted 05 September 2009 - 05:16 PM

Hello.

Since the problem appears to be resolved, this topic is now Closed. Glad we could help :thumbup2:
If you need this topic reopened, please Send Me a Message. In your message please include the address of this thread in your request.

This applies only to the original topic starter

Everyone else please start a new topic in the Hijackthis-Malware Removal Forum.

With Regards,
Extremeboy
