Can't open Security Center and other issues


  • This topic is locked
25 replies to this topic

#1 pilotgal8

  • Members
  • 11 posts
  • OFFLINE
  • Local time:07:59 PM

Posted 17 December 2009 - 12:37 PM

The issue began with WinXP Pro deciding it wanted to reboot every morning about 2am. Couldn't find any scheduled tasks. I 'scrub' the machine weekly with SpyBot, Adaware, EasyCleaner and System Mechanic.

The rebooting 'seems' to coincide with the upgrade to System Mechanic 9.2.

However, posting to WindowsBBS (member for some years) wasn't able to pinpoint a reason.

Now I can't seem to get to Security Center to determine if some 'bad guy' may have added a scheduled task. One of the dumps I posted on WindowsBBS did identify an unknown virus 'protector', ampse.sys, which I deleted.

Windows BBS suggested I post a DDS log here for help with identifying what has happened.

Thanks in advance for any help.

DDS.TXT


DDS (Ver_09-07-30.01) - NTFSx86
Run by Rosemary at 11:51:22.81 on Thu 12/17/2009
Internet Explorer: 6.0.2900.5512
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2045.862 [GMT -5:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: iolo System Shield *On-access scanning disabled* (Updated) {2565CEEE-6BDB-4A6D-AD6D-F682F2695014}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
svchost.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\Program Files\Intel\IntelDH\CCU\AlertService.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\Program Files\Carbonite\Carbonite Backup\carboniteservice.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\iolo\common\lib\ioloServiceManager.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Authentium\AntiVirus5\vsedsps.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\ISSM.exe
C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\MCLServiceATL.exe
C:\Program Files\Common Files\Authentium\AntiVirus5\vseamps.exe
C:\Program Files\Common Files\Authentium\AntiVirus5\vseqrts.exe
C:\WINDOWS\system32\rsvp.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\Program Files\Intel\IntelDH\CCU\CCU_TrayIcon.exe
C:\Program Files\Common Files\Intel\IntelDH\NMS\Support\IntelHCTAgent.exe
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\Program Files\Carbonite\Carbonite Backup\CarboniteUI.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\Intel\IntelDH\CCU\CCU_Engine.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Quicken2007\qw.exe
C:\Program Files\Intuit\QuickBooks 2007\qbw32.exe
C:\PROGRA~1\Intuit\QUICKB~1\QBDBMgr.exe
C:\Program Files\Common Files\Intuit\QuickBooks\axlbridge.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\vssvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Documents and Settings\Rosemary\Desktop\dds.pif

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.goodsearch.com/
uSearch Page = hxxp://us.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*http://www.yahoo.com
uSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
mDefault_Page_URL = hxxp://www.yahoo.com/
mDefault_Search_URL = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
mSearch Page = hxxp://us.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*http://www.yahoo.com
mStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\progra~1\yahoo!\companion\installs\cpn\YTSingleInstance.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
uRun: [PxDotNetLoader] "c:\program files\fidelity investments\fidelity active trader\system\ATPStartupAssistant.exe"
uRun: [Messenger (Yahoo!)] "c:\program files\yahoo!\messenger\YahooMessenger.exe" -quiet
uRun: [Search Protection] c:\program files\yahoo!\search protection\SearchProtection.exe
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [LanguageShortcut] "c:\program files\cyberlink\powerdvd\language\Language.exe"
mRun: [IntelAudioStudio] "c:\program files\intel audio studio\IntelAudioStudio.exe" TRAY
mRun: [IAAnotif] "c:\program files\intel\intel matrix storage manager\Iaanotif.exe"
mRun: [CCUTRAYICON] c:\program files\intel\inteldh\ccu\CCU_TrayIcon.exe
mRun: [NMSSupport] "c:\program files\common files\intel\inteldh\nms\support\IntelHCTAgent.exe" /startup
mRun: [<NO NAME>]
mRun: [Ad-Watch] c:\program files\lavasoft\ad-aware\AAWTray.exe
mRun: [Intuit SyncManager] c:\program files\common files\intuit\sync\IntuitSyncManager.exe startup
mRun: [YSearchProtection] "c:\program files\yahoo!\search protection\SearchProtection.exe"
mRun: [Carbonite Backup] c:\program files\carbonite\carbonite backup\CarboniteUI.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRunServices: [ZipMagic] c:\program files\ontrack\zipmagic\zm32nt.exe
dRun: [braviax]
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpimag~1.lnk - c:\program files\hp\digital imaging\bin\hpqthb08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quickb~1.lnk - c:\program files\common files\intuit\quickbooks\qbupdate\qbupdate.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: {4EAFEF58-EEFA-4116-983D-03B49BCBFFFE}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
LSP: c:\windows\system32\iavlsp.dll
Trusted Zone: turbotax.com
DPF: {01113300-3E00-11D2-8470-0060089874ED} - hxxp://echat.bellsouth.net/sdccommon/download/tgctlcm.cab
DPF: {14C1B87C-3342-445F-9B5E-365FF330A3AC} - hxxps://h50203.www5.hp.com/HPISWeb/Customer/cabs/HPISDataManager.CAB
DPF: {15B782AF-55D8-11D1-B477-006097098764} - hxxp://download.macromedia.com/pub/shockwave/cabs/authorware/awswax70.cab
DPF: {2703049B-D81D-4763-A3C6-AF8932FCBD8F} - hxxps://am.hrblock.com/ActivexComponent/CheckFileStatus.CAB
DPF: {60EFC337-15C2-4369-B2A0-3429B071D8B8} - hxxp://h50203.www5.hp.com/HPISWeb/Customer/cabs/HPISWebManager.CAB
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1182539247843
DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} - hxxp://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1182539214796
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {A796D216-2DE1-4EA8-BABB-FE6E7C959098} - hxxp://www.hp.com/cpso-support-new/SDD/hpsddObjSigned.cab
DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/1.4/jinstall-14_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7}
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: intu-help-qb2 - {84D77A00-41B5-4b8b-8ADF-86486D72E749} - c:\program files\intuit\quickbooks 2009\HelpAsyncPluggableProtocol.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Handler: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - c:\windows\system32\mscoree.dll
Handler: x-atng - {7e8717b0-d862-11d5-8c9e-00010304f989} - c:\program files\fidelity investments\fidelity active trader\system\atngprot.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: avgrsstarter - avgrsstx.dll
AppInit_DLLs: cru629.dat
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-4-2 64160]
R0 zmNTMon;zmNTMon;c:\windows\system32\drivers\ZmNTMon.sys [2007-12-3 5760]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-5-4 333192]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2007-6-23 28424]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-5-4 360584]
R2 AMP;AMP;c:\windows\system32\drivers\amp.sys [2009-10-28 122408]
R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2009-11-8 285392]
R2 IntuitUpdateService;Intuit Update Service;c:\program files\common files\intuit\update service\IntuitUpdateService.exe [2008-10-10 13088]
R2 ioloFileInfoList;iolo FileInfoList Service;c:\program files\iolo\common\lib\ioloServiceManager.exe [2008-3-18 650160]
R2 ioloSystemService;iolo System Service;c:\program files\iolo\common\lib\ioloServiceManager.exe [2008-3-18 650160]
R2 MCLServiceATL;Intel® Application Tracker;c:\program files\intel\inteldh\intel media server\shells\MCLServiceATL.exe [2006-11-10 170456]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 vseamps;vseamps;c:\program files\common files\authentium\antivirus5\vseamps.exe [2009-10-28 92712]
R2 vsedsps;vsedsps;c:\program files\common files\authentium\antivirus5\vsedsps.exe [2009-10-28 117288]
R2 vseqrts;vseqrts;c:\program files\common files\authentium\antivirus5\vseqrts.exe [2009-10-28 113192]
R2 YahooAUService;Yahoo! Updater;c:\program files\yahoo!\softwareupdate\YahooAUService.exe [2008-11-9 602392]
R3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-3-9 1028432]
S2 AMPSE;AMPSE;c:\windows\system32\drivers\ampse.sys --> c:\windows\system32\drivers\ampse.sys [?]
S2 ioloProductUpdate;iolo Product Update Service;c:\program files\iolo\common\lib\ioloServiceManager.exe [2008-3-18 650160]
S3 zmNTZip;zmNTZip;c:\program files\ontrack\zipmagic\zmNTZip.sys [2007-12-3 155576]

============== File Associations ===============

JSEFile=NOTEPAD.EXE %1
regfile=NOTEPAD.EXE %1
scrfile=NOTEPAD.EXE %1
VBEFile=NOTEPAD.EXE %1
VBSFile=NOTEPAD.EXE %1

=============== Created Last 30 ================

2009-12-17 00:15 28 a------- c:\windows\pdf995.ini
2009-12-17 00:14 <DIR> --d----- c:\program files\pdf995
2009-12-17 00:06 448 a------- c:\windows\system32\iolo.ini
2009-12-11 09:14 <DIR> --d----- C:\symbols
2009-12-10 11:01 <DIR> --d----- c:\program files\Debugging Tools for Windows (x86)
2009-12-07 06:14 3,255 a------- c:\windows\system32\wbem\Outlook_01ca772e6a2fa02c.mof
2009-12-05 12:34 <DIR> --d----- c:\program files\common files\Authentium
2009-12-05 12:34 118,784 a------- c:\windows\system32\iavlsp.dll
2009-11-26 05:37 <DIR> --d----- c:\program files\MSXML 4.0

==================== Find3M ====================

2009-12-17 00:15 249,856 a------- c:\windows\system32\pdfmona.dll
2009-12-17 00:15 51,716 a------- c:\windows\system32\pdf995mon.dll
2009-12-09 10:53 93,096 a------- c:\windows\system32\IncContxMenu.dll
2009-12-09 10:52 2,118,568 a------- c:\windows\system32\Incinerator.dll
2009-11-21 10:51 471,552 a------- c:\windows\system32\dllcache\aclayers.dll
2009-11-21 10:51 471,552 a------- c:\windows\apppatch\aclayers.dll
2009-11-10 08:04 360,584 ac------ c:\windows\system32\drivers\avgtdix.sys
2009-11-08 09:45 333,192 ac------ c:\windows\system32\drivers\avgldx86.sys
2009-11-08 09:45 12,464 a------- c:\windows\system32\avgrsstx.dll
2009-10-29 14:08 3,070,976 -------- c:\windows\system32\dllcache\mshtml.dll
2009-10-29 00:38 667,136 a------- c:\windows\system32\wininet.dll
2009-10-29 00:38 667,136 -------- c:\windows\system32\dllcache\wininet.dll
2009-10-29 00:38 1,509,888 -------- c:\windows\system32\dllcache\shdocvw.dll
2009-10-29 00:38 627,712 -------- c:\windows\system32\dllcache\urlmon.dll
2009-10-28 17:25 122,408 a----r-- c:\windows\system32\drivers\amp.sys
2009-10-21 00:38 75,776 a------- c:\windows\system32\strmfilt.dll
2009-10-21 00:38 25,088 a------- c:\windows\system32\httpapi.dll
2009-10-21 00:38 75,776 -------- c:\windows\system32\dllcache\strmfilt.dll
2009-10-21 00:38 25,088 -------- c:\windows\system32\dllcache\httpapi.dll
2009-10-20 11:20 265,728 a------- c:\windows\system32\drivers\http.sys
2009-10-20 11:20 265,728 a------- c:\windows\system32\dllcache\http.sys
2009-10-19 13:17 4,732,319 ac------ c:\docume~1\rosemary\applic~1\family.zip
2009-10-13 05:30 270,336 a------- c:\windows\system32\oakley.dll
2009-10-13 05:30 270,336 -------- c:\windows\system32\dllcache\oakley.dll
2009-10-12 08:38 149,504 a------- c:\windows\system32\rastls.dll
2009-10-12 08:38 149,504 -------- c:\windows\system32\dllcache\rastls.dll
2009-10-12 08:38 79,872 a------- c:\windows\system32\raschap.dll
2009-10-12 08:38 79,872 -------- c:\windows\system32\dllcache\raschap.dll
2009-10-11 04:17 411,368 a------- c:\windows\system32\deploytk.dll
2009-10-08 14:57 611,328 a------- c:\windows\system32\uiautomationcore.dll
2009-10-08 14:57 220,160 a------- c:\windows\system32\oleacc.dll
2009-10-08 14:57 220,160 a------- c:\windows\system32\dllcache\oleacc.dll
2009-10-08 14:56 20,480 a------- c:\windows\system32\oleaccrc.dll
2009-10-08 14:56 20,480 a------- c:\windows\system32\dllcache\oleaccrc.dll
2009-09-25 00:37 81,920 a------- c:\windows\system32\ieencode.dll
2009-09-24 20:23 2,403,528 a------- C:\AOS 18-20.zip
2009-09-24 20:22 3,613,622 a------- C:\AOS 16-18.zip
2009-09-24 20:22 3,810,098 a------- C:\AOS 13 - 15.zip
2009-09-24 20:21 3,725,959 a------- C:\AOS 10-12.zip
2009-09-24 20:21 3,991,357 a------- C:\AOS 7-9.zip
2009-09-24 20:20 3,776,086 a------- C:\AOS 4-6.zip
2009-09-24 20:20 3,459,310 a------- C:\AOS 1-3.zip
2009-09-24 07:28 24,779,828 a------- C:\archive.zip
2009-09-21 10:21 15,688 a------- c:\windows\system32\lsdelete.exe
2009-01-22 11:38 60,744 ac------ c:\documents and settings\rosemary\g2mdlhlpx.exe
2007-06-23 17:04 552 ac------ c:\docume~1\rosemary\applic~1\wklnhst.dat

============= FINISH: 11:52:41.18 ===============


ATTACH.TXT


UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-07-30.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 6/22/2007 2:13:23 PM
System Uptime: 12/17/2009 12:04:57 AM (11 hours ago)

Motherboard: Intel Corporation | | D975XBX
Processor: Intel® Pentium® D CPU 3.20GHz | J3E1 | 3219/200mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 233 GiB total, 179.244 GiB free.
D: is CDROM ()
E: is Removable
F: is Removable
G: is Removable
H: is Removable

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP884: 9/18/2009 5:35:08 PM - System Checkpoint
RP885: 9/19/2009 8:56:03 AM - 9-19-09 B4 cleanup
RP886: 9/20/2009 10:32:47 AM - System Checkpoint
RP887: 9/21/2009 2:49:29 PM - System Checkpoint
RP888: 9/22/2009 3:20:35 PM - System Checkpoint
RP889: 9/23/2009 4:13:05 PM - System Checkpoint
RP890: 9/24/2009 7:51:21 AM - Removed Adobe Reader 8.1.6
RP891: 9/24/2009 7:52:42 AM - Installed Adobe Reader 9.1.
RP892: 9/25/2009 8:10:36 AM - System Checkpoint
RP893: 9/26/2009 9:29:22 AM - System Checkpoint
RP894: 9/27/2009 1:00:27 PM - System Checkpoint
RP895: 9/28/2009 7:37:05 PM - System Checkpoint
RP896: 9/29/2009 7:58:29 PM - System Checkpoint
RP897: 9/30/2009 8:33:01 PM - System Checkpoint
RP898: 10/1/2009 11:10:04 PM - System Checkpoint
RP899: 10/2/2009 11:41:50 PM - System Checkpoint
RP900: 10/4/2009 6:26:22 AM - System Checkpoint
RP901: 10/5/2009 7:55:49 AM - System Checkpoint
RP902: 10/5/2009 8:14:09 AM - Avg8 Update
RP903: 10/5/2009 8:14:55 AM - Avg8 Update
RP904: 10/6/2009 11:04:27 AM - System Checkpoint
RP905: 10/7/2009 8:45:11 AM - Avg8 Update
RP906: 10/8/2009 11:36:45 AM - System Checkpoint
RP907: 10/9/2009 11:54:51 AM - System Checkpoint
RP908: 10/10/2009 12:27:23 PM - System Checkpoint
RP909: 10/11/2009 3:45:50 PM - System Checkpoint
RP910: 10/12/2009 7:33:24 PM - System Checkpoint
RP911: 10/13/2009 8:00:07 PM - System Checkpoint
RP912: 10/14/2009 8:18:08 AM - Software Distribution Service 3.0
RP913: 10/14/2009 8:58:31 AM - Software Distribution Service 3.0
RP914: 10/14/2009 9:13:53 AM - Installed Java™ 6 Update 15
RP915: 10/15/2009 12:08:50 PM - System Checkpoint
RP916: 10/16/2009 2:00:14 PM - System Checkpoint
RP917: 10/17/2009 9:01:46 AM - Avg8 Update
RP918: 10/18/2009 10:03:47 AM - System Checkpoint
RP919: 10/19/2009 10:11:01 AM - System Checkpoint
RP920: 10/20/2009 6:45:13 AM - Software Distribution Service 3.0
RP921: 10/21/2009 6:56:19 AM - System Checkpoint
RP922: 10/21/2009 9:01:35 AM - Avg8 Update
RP923: 10/22/2009 10:43:20 AM - System Checkpoint
RP924: 10/23/2009 4:11:50 AM - Software Distribution Service 3.0
RP925: 10/24/2009 6:11:57 AM - System Checkpoint
RP926: 10/25/2009 8:07:57 AM - System Checkpoint
RP927: 10/26/2009 9:56:04 AM - System Checkpoint
RP928: 10/27/2009 10:01:14 AM - System Checkpoint
RP929: 10/28/2009 12:38:10 PM - System Checkpoint
RP930: 10/29/2009 6:47:56 AM - Software Distribution Service 3.0
RP931: 10/30/2009 8:14:36 AM - System Checkpoint
RP932: 10/31/2009 9:27:44 AM - System Checkpoint
RP933: 11/1/2009 9:58:29 AM - System Checkpoint
RP934: 11/2/2009 11:00:31 AM - System Checkpoint
RP935: 11/3/2009 9:44:39 AM - Avg8 Update
RP936: 11/4/2009 12:46:15 PM - System Checkpoint
RP937: 11/5/2009 2:41:28 PM - System Checkpoint
RP938: 11/6/2009 9:45:02 AM - Avg8 Update
RP939: 11/7/2009 9:49:49 AM - System Checkpoint
RP940: 11/7/2009 11:15:47 AM - Software Distribution Service 3.0
RP941: 11/8/2009 9:45:00 AM - Installed AVG Free 9.0
RP942: 11/9/2009 11:00:14 AM - System Checkpoint
RP943: 11/10/2009 8:03:49 AM - Avg8 Update
RP944: 11/10/2009 8:04:48 AM - Avg8 Update
RP945: 11/11/2009 6:45:41 AM - Software Distribution Service 3.0
RP946: 11/12/2009 7:21:50 AM - System Checkpoint
RP947: 11/12/2009 8:09:48 AM - Avg8 Update
RP948: 11/13/2009 9:42:36 AM - System Checkpoint
RP949: 11/14/2009 10:44:53 AM - System Checkpoint
RP950: 11/15/2009 11:23:26 AM - System Checkpoint
RP951: 11/16/2009 12:15:58 PM - System Checkpoint
RP952: 11/17/2009 3:28:53 PM - System Checkpoint
RP953: 11/18/2009 4:58:00 PM - System Checkpoint
RP954: 11/19/2009 9:12:28 PM - System Checkpoint
RP955: 11/20/2009 9:38:03 AM - Avg8 Update
RP956: 11/20/2009 9:38:47 AM - Avg8 Update
RP957: 11/21/2009 11:30:08 AM - System Checkpoint
RP958: 11/22/2009 12:22:43 PM - System Checkpoint
RP959: 11/23/2009 12:38:12 PM - System Checkpoint
RP960: 11/24/2009 1:09:51 PM - System Checkpoint
RP961: 11/25/2009 4:15:38 PM - System Checkpoint
RP962: 11/26/2009 5:36:02 AM - Software Distribution Service 3.0
RP963: 11/27/2009 5:49:49 AM - System Checkpoint
RP964: 11/28/2009 12:33:24 PM - System Checkpoint
RP965: 11/29/2009 1:52:54 PM - System Checkpoint
RP966: 11/30/2009 2:41:48 PM - System Checkpoint
RP967: 12/1/2009 3:31:54 PM - System Checkpoint
RP968: 12/2/2009 7:00:49 PM - System Checkpoint
RP969: 12/3/2009 7:03:55 PM - System Checkpoint
RP970: 12/4/2009 8:15:53 PM - System Checkpoint
RP971: 12/5/2009 9:09:39 PM - System Checkpoint
RP972: 12/6/2009 11:25:00 PM - System Checkpoint
RP973: 12/7/2009 11:32:56 PM - System Checkpoint
RP974: 12/9/2009 12:20:08 AM - System Checkpoint
RP975: 12/9/2009 4:31:14 AM - Software Distribution Service 3.0
RP976: 12/10/2009 5:32:12 AM - System Checkpoint
RP977: 12/10/2009 7:06:12 AM - Installed Java™ 6 Update 17
RP978: 12/10/2009 11:01:04 AM - Installed Debugging Tools for Windows (x86)
RP979: 12/10/2009 11:30:38 AM - Installed Debugging Tools for Windows (x86)
RP980: 12/11/2009 9:10:25 AM - Installed Debugging Tools for Windows
RP981: 12/12/2009 8:20:52 AM - Avg8 Update
RP982: 12/12/2009 8:22:34 AM - Avg8 Update
RP983: 12/13/2009 8:58:39 AM - System Checkpoint
RP984: 12/14/2009 7:21:30 AM - Software Distribution Service 3.0
RP985: 12/15/2009 8:20:51 AM - System Checkpoint
RP986: 12/16/2009 9:43:35 AM - System Checkpoint
RP987: 12/16/2009 11:41:20 PM - Printer Driver PDF995 Printer Driver Installed
RP988: 12/16/2009 11:41:54 PM - Printer Driver PDF995 Printer Driver Installed
RP989: 12/17/2009 12:11:28 AM - Printer Driver PDF995 Printer Driver Installed
RP990: 12/17/2009 12:15:14 AM - Printer Driver PDF995 Printer Driver Installed

==== Installed Programs ======================


2000 TurboTax for Windows
7200
7200_Help
7200Trb
Acrobat.com
Ad-Aware
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Photoshop 7.0
Adobe Product/Adobe Studio Update 10/2001
Adobe Reader 8.1.2 Security Update 1 (KB403742)
Adobe Reader 9.2
Advanced Analyzer
AiO_Scan
AiOSoftware
AnswerWorks 4.0 Runtime - English
AnswerWorks 5.0 English Runtime
ATI Display Driver
Avery Wizard 3.1
AVG Free 9.0
AVSDK5
Broderbund Media Manager
BufferChm
Carbonite
Compatibility Pack for the 2007 Office system
Copy
CP_AtenaShokunin1Config
cp_dwShrek2Albums1
cp_dwShrek2Cards1
CreativeProjects
CreativeProjectsTemplates
Critical Update for Windows Media Player 11 (KB959772)
CueTour
Debugging Tools for Windows
Debugging Tools for Windows (x86)
Destinations
Director
DocProc
DocumentViewer
doPDF 5.0 printer
EasyCleaner
Fax
Fidelity Active Trader Pro®
Google Earth
Google Updater
GoToMeeting 4.0.0.320
High Definition Audio Driver Package - KB888111
Hotfix for Microsoft .NET Framework 3.0 (KB932471)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 10 (KB903157)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB915800-v4)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
HP Extended Capabilities 4.7
HP Image Zone 4.7
HP Officejet 7200 series
HP Product Assistant
HP Product Detection
HP PSC & OfficeJet 4.7
HP Update
HPSystemDiagnostics
InstantShare
Intel Audio Studio 2.0
Intel® Matrix Storage Manager
Intel® PRO Network Connections Drivers
Intel® Quick Resume Technology Drivers
Intel® Viiv™ Software
Intuit Entitlement Client
iolo technologies' System Mechanic Professional
ItsDeductible Express
Java 2 Runtime Environment, SE v1.4.1_02
Java Web Start
Java™ 6 Update 17
Java™ 6 Update 2
Java™ 6 Update 3
Java™ 6 Update 5
LaserJet 1020 series
Macromedia Shockwave Player
Malwarebytes' Anti-Malware
MarketResearch
MediaShow 3.0
Microsoft .NET Framework 1.0 Hotfix (KB953295)
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Base Smart Card Cryptographic Service Provider Package
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Digital Image Library 9 - Blocker
Microsoft Digital Image Standard 2006
Microsoft Digital Image Standard 2006 Editor
Microsoft Digital Image Standard 2006 Library
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
Microsoft Office 2003 Primary Interop Assemblies
Microsoft Office Professional Edition 2003
Microsoft Silverlight
Microsoft Streets & Trips 2006
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual Studio 2005 Tools for Office Runtime
Microsoft Web Publishing Wizard 1.52
Microsoft Works Suite 2006 Setup Launcher
mIRC
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 4.0 SP2 Parser and SDK
MSXML 6.0 Parser (KB933579)
OIB4 Training Install Kit
Ontrack ZipMagic 4.0
OrchidWiz Encyclopedia
OrderReminder HP LaserJet 1020
PanoStandAlone
PCI SoftV92 Modem
Pdf995
PdfEdit995 (installed by TaxCut)
PhotoGallery
PowerDVD
PowerProducer
PowerStarter
ProductContext
ProSeries Basic Edition 2007
QFolder
QuickBooks
QuickBooks Premier: Accountant Edition 2007
QuickBooks Pro 2009
Quicken 2007
QuoteTracker
Readme
RegScrubXP 3.25
SafeCast Shared Components
Scan
ScannerCopy
Security Update for CAPICOM (KB931906)
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Search 4 - KB963093
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950759)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953838)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956390)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958215)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960714)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB963027)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969897)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972260)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974455)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB976325)
Shockwave
SigmaTel Audio
SkinsHP1
Spelling Dictionaries Support For Adobe Reader 8
Spybot - Search & Destroy
SpywareBlaster 4.1
SupportSoft Assisted Service
TaxCut Premium + State + Efile 2008
Text Twist 2 (remove only)
The Print Shop
TrayApp
TurboTax 2008
TurboTax 2008 wgaiper
TurboTax 2008 WinPerFedFormset
TurboTax 2008 WinPerProgramHelp
TurboTax 2008 WinPerReleaseEngine
TurboTax 2008 WinPerTaxSupport
TurboTax 2008 WinPerUserEducation
TurboTax 2008 wrapper
TurboTax Deluxe 2002
TurboTax Deluxe 2003
TurboTax Deluxe 2004
TurboTax Deluxe 2005
TurboTax Deluxe 2007
TurboTax Deluxe Deduction Maximizer 2006
TurboTax ItsDeductible 2005
TurboTax ItsDeductible 2006
Tweak UI
Unload
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft Windows (KB971513)
Update for Windows Media Player 10 (KB913800)
Update for Windows Media Player 10 (KB926251)
Update for Windows XP (KB943729)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951618-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
Update for Windows XP (KB976749)
Update Rollup 2 for Windows XP Media Center Edition 2005
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
Visual Studio 2005 Tools for Office Second Edition Runtime
VNC 4.0
WebFldrs XP
WebReg
WexTech AnswerWorks
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Imaging Component
Windows Media Format 11 runtime
Windows Media Player 11
Windows Presentation Foundation
Windows Search 4.0
Windows XP Media Center Edition 2005 KB908250
Windows XP Media Center Edition 2005 KB925766
Windows XP Media Center Edition 2005 KB973768
Windows XP Service Pack 3
Works Upgrade
XML Paper Specification Shared Components Pack 1.0
Yahoo! Messenger
Yahoo! Search Protection
Yahoo! Software Update
Yahoo! Toolbar

==== Event Viewer Messages From Past Week ========

12/17/2009 9:22:11 AM, error: VolSnap [25] - The shadow copy of volume C: was aborted because the diff area file could not grow in time. Consider reducing the IO load on this system to avoid this problem in the future.
12/17/2009 9:21:58 AM, error: VolSnap [12] - The shadow copy of volume C: became low on diff area space before it was properly installed.
12/17/2009 12:06:04 AM, error: Service Control Manager [7000] - The AMPSE service failed to start due to the following error: The system cannot find the file specified.
12/16/2009 11:16:29 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Windows Search service to connect.
12/16/2009 11:16:29 PM, error: Service Control Manager [7000] - The Windows Search service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
12/16/2009 11:16:29 PM, error: DCOM [10005] - DCOM got error "%1053" attempting to start the service WSearch with arguments "" in order to run the server: {7D096C5F-AC08-4F1F-BEB7-5C22C517CE39}
12/16/2009 11:16:18 PM, error: Service Control Manager [7024] - The Windows Search service terminated with service-specific error 2147749155 (0x80040D23).
12/16/2009 11:15:37 PM, error: Dhcp [1002] - The IP address lease 192.168.1.103 for the Network Card with network address 0016761F508E has been denied by the DHCP server 192.168.1.1 (The DHCP Server sent a DHCPNACK message).
12/14/2009 1:18:20 AM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the QoS RSVP service to connect.
12/14/2009 1:18:20 AM, error: Service Control Manager [7000] - The QoS RSVP service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
12/13/2009 1:16:36 AM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000243' while processing the file 'avgcertx.dll.old' on the volume 'HarddiskVolume1'. It has stopped monitoring the volume.
12/13/2009 1:16:10 AM, error: Dhcp [1002] - The IP address lease 192.168.1.102 for the Network Card with network address 0016761F508E has been denied by the DHCP server 192.168.1.1 (The DHCP Server sent a DHCPNACK message).
12/11/2009 1:39:48 AM, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service ntmssvc with arguments "-Service" in order to run the server: {D61A27C6-8F53-11D0-BFA0-00A024151983}
12/11/2009 1:20:42 AM, error: System Error [1003] - Error code 1000007f, parameter1 00000008, parameter2 80042000, parameter3 00000000, parameter4 00000000.
12/11/2009 1:18:03 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: Beep
12/11/2009 1:17:46 AM, error: Service Control Manager [7023] - The Intel® Quick Resume technology service terminated with the following error: The system could not find the environment option that was entered.
12/11/2009 1:17:42 AM, error: Service Control Manager [7023] - The HID Input Service service terminated with the following error: The system cannot find the file specified.
12/11/2009 1:17:42 AM, error: Service Control Manager [7000] - The iolo Product Update Service service failed to start due to the following error: The executable program that this service is configured to run in does not implement the service.
12/10/2009 1:19:01 AM, error: System Error [1003] - Error code 1000007f, parameter1 00000008, parameter2 bab38d70, parameter3 00000000, parameter4 00000000.
12/10/2009 1:15:29 AM, error: Dhcp [1002] - The IP address lease 192.168.1.101 for the Network Card with network address 0016761F508E has been denied by the DHCP server 192.168.1.1 (The DHCP Server sent a DHCPNACK message).

==== End Of File ===========================

Edit: Moved topic from AntiVirus, Firewall and Privacy Products and Protection Methods to the more appropriate forum. ~ Animal



#2 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,688 posts
  • Gender:Male
  • Location:The Netherlands
  • Local time:02:59 AM

Posted 18 December 2009 - 12:30 PM

Hi pilotgal8,

Welcome to BC HijackThis forum. I am farbar. I am going to assist you with your problem.

Please refrain from making any changes to your system (scanning or running other tools, updating Windows, installing applications, removing files, etc.) from now on as it might interfere with our fixes. Please let me know in your next reply if you agree with this.

Besides the Security Center issue we have to do some checks, clean the (leftover?) infection and do some maintenance.
  • You have the latest version of Java (Java™ 6 Update 17) and it is good. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove the older Java components:
    Click "start" and then "Control Panel" icon.
    Doubleclick the "Add or Remove Programs" icon
    A list of programs installed will be "populated" this may take a bit of time.
    Uninstall the following by clicking on the following entries and selecting "remove":

    Java 2 Runtime Environment, SE v1.4.1_02
    Java™ 6 Update 2
    Java™ 6 Update 3
    Java™ 6 Update 5


    You may remove them one by one and then restart the computer at the end.

  • I do not recommend that you have more than one anti virus product installed and running on your computer at a time. The reason for this is that if both products have their automatic (Real-Time) protection switched on, then those products which do not encrypt the virus strings within them can cause other anti virus products to raise "false alarms". It can also lead to a clash as both products fight for access to files which are opened; again, this is the resident/automatic protection. In general terms, the two programs may conflict and cause:
    1) False Alarms: When the anti virus software tells you that your PC has a virus when it actually doesn't.
    2) System Performance Problems: Your system may lock up due to both products attempting to access the same file at the same time.
    Therefore please go to Add/Remove Programs in the Control Panel and remove either AVG or AVSDK5.
    Since you have removed ampse.sys, which is a part of Authentium AntiVirus5, and this antivirus is less known, I recommend you keep AVG and totally uninstall this one.

  • Open your Malwarebytes' Anti-Malware.
    • First update it, to do that under the Update tab press "Check for Updates".
    • Under Scanner tab select "Perform Quick Scan", then click Scan.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Make sure that everything is checked, and click Remove Selected.
    • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
    • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
    • Copy&Paste the MBAM log.
    Extra Note:
    If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.


  • Download GMER Rootkit Scanner from here or here.
    • Extract the contents of the zipped file to desktop.
    • Temporarily disable any real-time active protection so your security program drivers will not conflict with gmer's driver.
    • Click on this link to see a list of programs that should be disabled.
    • Disconnect from the Internet and close all running programs.
    • Double click GMER.exe. If asked to allow gmer.sys driver to load, please consent.
    • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.
    • In the right panel, you will see several boxes that have been checked. Make sure the following are unchecked:
    • Sections
    • IAT/EAT
    • Drives/Partition other than C:\ drive (C:\ drive should remain checked)
    • Show All (this one also should be unchecked)
    • Then click the Scan button & wait for it to begin. (Please be patient as it can take some time to complete).
    • When the scan is finished, you will see the scan button appears again. Click Save to save the scan results to your Desktop.
    • Save the file as gmer.log and copy/paste the contents in your next reply.


#3 pilotgal8

pilotgal8
  • Topic Starter

  • Members
  • 11 posts
  • Local time:07:59 PM

Posted 20 December 2009 - 05:43 AM

1. done with re-boot
2. no AVSDK5 in add/remove program list. I do find the files AVDSK5.log & avsdk5.msi in the iolo folder (part of System Shield of System Mechanic)

Hesitant to just remove files that are part of System Mechanic.
3. also no entry for Authentium in add/remove list so that’s why I just deleted the ampse.sys file. BTW…that has stopped the daily 2 am mysterious re-boot, but still can’t open Security Center.


Malware log.

Malwarebytes' Anti-Malware 1.42
Database version: 3393
Windows 5.1.2600 Service Pack 3
Internet Explorer 6.0.2900.5512

12/19/2009 3:04:04 PM
mbam-log-2009-12-19 (15-04-04).txt

Scan type: Quick Scan
Objects scanned: 129174
Time elapsed: 6 minute(s), 12 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CLASSES_ROOT\scrfile\shell\open\command\(default) (Broken.OpenCommand) -> Bad: (NOTEPAD.EXE %1) Good: ("%1" /S) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\regfile\shell\open\command\(default) (Broken.OpenCommand) -> Bad: (NOTEPAD.EXE %1) Good: (regedit.exe "%1") -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\Rosemary\Application Data\wiaserva.log (Malware.Trace) -> Quarantined and deleted successfully.


GMER ran all night, and would NOT save the log file. Now what?

#4 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,688 posts
  • Gender:Male
  • Location:The Netherlands
  • Local time:02:59 AM

Posted 20 December 2009 - 08:15 AM

AVSDK5 is on the add/remove program list produced by DDS (Attach.txt). You may not be able to see it because it is a registry leftover and the uninstaller itself is removed. DDS looks into the registry to list the programs and sometimes it lists programs previously run, because the registry leftover is not removed.

But in this case the software is still on the system and running even though its uninstaller is removed. These are processes running on your computer related to Authentium Antivirus5:

C:\Program Files\Common Files\Authentium\AntiVirus5\vsedsps.exe
C:\Program Files\Common Files\Authentium\AntiVirus5\vseamps.exe
C:\Program Files\Common Files\Authentium\AntiVirus5\vseqrts.exe


I don't know what System Mechanic is doing, but as I already mentioned you have to decide to keep one antivirus and uninstall the others. Since you want to keep System Mechanic you have to uninstall AVG. In that case you should reinstall System Mechanic / Authentium antivirus5, because when you removed ampse.sys, which is a part of Authentium antivirus5, which is itself probably installed and run by System Mechanic, it might have broken the Authentium antivirus.

One more thing:

Registry Data Items Infected:
HKEY_CLASSES_ROOT\scrfile\shell\open\command\(default) (Broken.OpenCommand) -> Bad: (NOTEPAD.EXE %1) Good: ("%1" /S) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\regfile\shell\open\command\(default) (Broken.OpenCommand) -> Bad: (NOTEPAD.EXE %1) Good: (regedit.exe "%1") -> Quarantined and deleted successfully.

JSEFile=NOTEPAD.EXE %1
regfile=NOTEPAD.EXE %1
scrfile=NOTEPAD.EXE %1
VBEFile=NOTEPAD.EXE %1
VBSFile=NOTEPAD.EXE %1


These are the changes made by System Mechanic. It breaks some file associations and changes the default settings to prevent malicious software from running, but it can prevent legitimate software from running too.

So you have to decide to uninstall AVG and install System Mechanic properly and give your control over to it, or uninstall it and let us take a deeper look into the computer and see if there is anything wrong with it.

I should remind you that I see signs of infection in the log. Either it is a leftover registry entry from a previous infection or there is still something hidden (like a rootkit) running. To make sure we need the GMER log. To run it you may disable all the security programs (including System Mechanic). When running it you may uncheck the Devices section too.

To sum up:

* We need to uninstall one antivirus and make sure the other one is properly running and protecting your system. I recommend keeping AVG and removing Authentium. You probably can do this if you look into System Mechanic configurations to see if there is an option or seek assistance from System Mechanic support.

* We need to run GMER and get a log and make sure there is no rootkit on the system.

* After these steps we will resolve the Security Center issue. You need the Security Center for security reasons, and unless we know the system is secure there is no sense in repairing it. If there is something or some malware on the system disabling it or preventing it from working we need to remove it before attempting to repair the Security Center.

Edited by farbar, 20 December 2009 - 09:54 AM.
Added comments
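The check Farbar makes by eye in the post above (which of the listed handlers merely point at a text viewer, and which would matter) can be scripted. The following is an added example, not part of the thread and not a tool either poster used: it splits a DDS log into its `==== Section ====` blocks, reads the `File Associations` lines and compares each ProgId's open command with the stock Windows XP value. The `regfile` and `scrfile` defaults are the "Good:" values MBAM printed in post #3; the `exefile`, `txtfile` and WScript-based script handler defaults are assumed from a stock XP SP3 install and are not shown on this page. The sample log is constructed from the lines posted, with one fabricated `exefile` line (a made-up path) added to show what a genuine hijack looks like next to the viewer redirect System Mechanic applied.

```python
import re

# Stock Windows XP shell\open\command values. regfile and scrfile are the
# "Good:" values MBAM printed in the thread; exefile, txtfile and the
# WScript-based script handlers are ASSUMED defaults (not shown on the page).
XP_DEFAULTS = {
    "exefile": '"%1" %*',
    "regfile": 'regedit.exe "%1"',
    "scrfile": '"%1" /S',
    "txtfile": '%SystemRoot%\\system32\\NOTEPAD.EXE %1',
    "VBSFile": '%SystemRoot%\\System32\\WScript.exe "%1" %*',
    "VBEFile": '%SystemRoot%\\System32\\WScript.exe "%1" %*',
    "JSEFile": '%SystemRoot%\\System32\\WScript.exe "%1" %*',
}

# A handler pointed at a plain text viewer stops the file type from
# executing at all (what System Mechanic did here). Any other non-default
# command means some other binary runs whenever such a file is opened,
# which is how exefile/scrfile hijacks persist malware.
VIEWERS = ("notepad.exe",)

_SECTION = re.compile(r"^=+\s*(?P<name>.+?)\s*=+$")

# Constructed sample: the five lines posted in the thread, plus a txtfile
# line left at its default and a FABRICATED exefile hijack (made-up path).
SAMPLE_DDS = """\
============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\\windows\\system32\\drivers\\Lbd.sys [2009-4-2 64160]

============== File Associations ===============

JSEFile=NOTEPAD.EXE %1
regfile=NOTEPAD.EXE %1
scrfile=NOTEPAD.EXE %1
VBEFile=NOTEPAD.EXE %1
VBSFile=NOTEPAD.EXE %1
txtfile=%SystemRoot%\\system32\\NOTEPAD.EXE %1
exefile="C:\\Documents and Settings\\user\\Application Data\\updater.exe" "%1" %*

=============== Created Last 30 ================
"""


def dds_sections(text):
    """Split a DDS log into {section name: [non-blank lines]}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = _SECTION.match(line)
        if m:
            current = m.group("name")
            sections.setdefault(current, [])
            continue
        if current is not None and line:
            sections[current].append(line)
    return sections


def _norm(cmd):
    """Collapse whitespace and case so cosmetic differences do not alert."""
    return " ".join(cmd.split()).lower()


def classify(key, actual):
    """Return 'ok', 'neutered', 'hijacked' or 'unknown' for one handler."""
    expected = XP_DEFAULTS.get(key)
    if expected is None:
        return "unknown"          # no baseline for this ProgId; review by hand
    if _norm(actual) == _norm(expected):
        return "ok"
    first_token = _norm(actual).split(" ")[0].strip('"')
    if first_token.endswith(VIEWERS):
        return "neutered"         # redirected to a viewer: broken, not malicious
    return "hijacked"             # a different program now runs this file type


def audit_associations(text):
    """Audit every 'ProgId=command' line under '== File Associations =='."""
    findings = []
    for line in dds_sections(text).get("File Associations", []):
        key, sep, cmd = line.partition("=")
        if not sep:
            continue
        key, cmd = key.strip(), cmd.strip()
        findings.append({
            "key": key,
            "actual": cmd,
            "expected": XP_DEFAULTS.get(key),
            "verdict": classify(key, cmd),
        })
    return findings


if __name__ == "__main__":
    for f in audit_associations(SAMPLE_DDS):
        print(f"{f['verdict']:9} {f['key']:8} {f['actual']}")
```

Run against the posted lines, every handler comes back `neutered`, which matches Farbar's reading: the associations are broken, not redirected to an attacker-controlled binary. The constructed `exefile` line is the case that would justify the "hijacked" verdict and a much closer look. The same split-by-section parser can be pointed at the other DDS blocks (`SERVICES / DRIVERS`, `Created Last 30`) for further checks.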


#5 pilotgal8

pilotgal8
  • Topic Starter

  • Members
  • 11 posts
  • Local time:07:59 PM

Posted 20 December 2009 - 11:01 AM

Thank you for the detailed response & tutorial. I'm beginning to suspect this whole set of incidents was created by installing System Mechanic 9, without knowing that it now contained an antivirus component (Authentium) which would conflict with AVG.

Poking around other web forums, and having ZERO response to 3 notes to IOLO, I've uninstalled SM using add/remove in Ctrl panel.

I'm attaching a fresh set of DDS logs.

DDS comment

c:\documen~1\rosemary\local~1\temp\RarSFX0\policies01 access is denied

As GMER takes such a long time to run, I'll start it this evening after I've used the computer for some business tasks today.

Thanks for your assistance.


DDS (Ver_09-07-30.01) - NTFSx86
Run by Rosemary at 10:57:08.82 on Sun 12/20/2009
Internet Explorer: 6.0.2900.5512
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2045.1300 [GMT -5:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
svchost.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\Program Files\Intel\IntelDH\CCU\AlertService.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\Program Files\Carbonite\Carbonite Backup\carboniteservice.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\ISSM.exe
C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\MCLServiceATL.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\rsvp.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\Program Files\Intel\IntelDH\CCU\CCU_TrayIcon.exe
C:\Program Files\Common Files\Intel\IntelDH\NMS\Support\IntelHCTAgent.exe
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\Program Files\Carbonite\Carbonite Backup\CarboniteUI.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\Intel\IntelDH\CCU\CCU_Engine.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Documents and Settings\Rosemary\Desktop\dds.pif

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.goodsearch.com/
uSearch Page = hxxp://us.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*http://www.yahoo.com
uSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
mDefault_Page_URL = hxxp://www.yahoo.com/
mDefault_Search_URL = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
mSearch Page = hxxp://us.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*http://www.yahoo.com
mStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\progra~1\yahoo!\companion\installs\cpn\YTSingleInstance.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
uRun: [PxDotNetLoader] "c:\program files\fidelity investments\fidelity active trader\system\ATPStartupAssistant.exe"
uRun: [Messenger (Yahoo!)] "c:\program files\yahoo!\messenger\YahooMessenger.exe" -quiet
uRun: [Search Protection] c:\program files\yahoo!\search protection\SearchProtection.exe
c:\docume~1\rosemary\locals~1\temp\rarsfx0\temp00
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [LanguageShortcut] "c:\program files\cyberlink\powerdvd\language\Language.exe"
mRun: [IntelAudioStudio] "c:\program files\intel audio studio\IntelAudioStudio.exe" TRAY
mRun: [IAAnotif] "c:\program files\intel\intel matrix storage manager\Iaanotif.exe"
mRun: [CCUTRAYICON] c:\program files\intel\inteldh\ccu\CCU_TrayIcon.exe
mRun: [NMSSupport] "c:\program files\common files\intel\inteldh\nms\support\IntelHCTAgent.exe" /startup
mRun: [<NO NAME>]
mRun: [Ad-Watch] c:\program files\lavasoft\ad-aware\AAWTray.exe
mRun: [Intuit SyncManager] c:\program files\common files\intuit\sync\IntuitSyncManager.exe startup
mRun: [YSearchProtection] "c:\program files\yahoo!\search protection\SearchProtection.exe"
mRun: [Carbonite Backup] c:\program files\carbonite\carbonite backup\CarboniteUI.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRunServices: [ZipMagic] c:\program files\ontrack\zipmagic\zm32nt.exe
dRun: [braviax]
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpimag~1.lnk - c:\program files\hp\digital imaging\bin\hpqthb08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quickb~1.lnk - c:\program files\common files\intuit\quickbooks\qbupdate\qbupdate.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: {4EAFEF58-EEFA-4116-983D-03B49BCBFFFE}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\jp2iexp.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
LSP: c:\windows\system32\iavlsp.dll
Trusted Zone: turbotax.com
DPF: {01113300-3E00-11D2-8470-0060089874ED} - hxxp://echat.bellsouth.net/sdccommon/download/tgctlcm.cab
DPF: {14C1B87C-3342-445F-9B5E-365FF330A3AC} - hxxps://h50203.www5.hp.com/HPISWeb/Customer/cabs/HPISDataManager.CAB
DPF: {15B782AF-55D8-11D1-B477-006097098764} - hxxp://download.macromedia.com/pub/shockwave/cabs/authorware/awswax70.cab
DPF: {2703049B-D81D-4763-A3C6-AF8932FCBD8F} - hxxps://am.hrblock.com/ActivexComponent/CheckFileStatus.CAB
DPF: {60EFC337-15C2-4369-B2A0-3429B071D8B8} - hxxp://h50203.www5.hp.com/HPISWeb/Customer/cabs/HPISWebManager.CAB
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1182539247843
DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} - hxxp://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1182539214796
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {A796D216-2DE1-4EA8-BABB-FE6E7C959098} - hxxp://www.hp.com/cpso-support-new/SDD/hpsddObjSigned.cab
DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7}
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: intu-help-qb2 - {84D77A00-41B5-4b8b-8ADF-86486D72E749} - c:\program files\intuit\quickbooks 2009\HelpAsyncPluggableProtocol.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Handler: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - c:\windows\system32\mscoree.dll
Handler: x-atng - {7e8717b0-d862-11d5-8c9e-00010304f989} - c:\program files\fidelity investments\fidelity active trader\system\atngprot.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: avgrsstarter - avgrsstx.dll
AppInit_DLLs: cru629.dat
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-4-2 64160]
R0 zmNTMon;zmNTMon;c:\windows\system32\drivers\ZmNTMon.sys [2007-12-3 5760]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-5-4 333192]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2007-6-23 28424]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-5-4 360584]
R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2009-11-8 285392]
R2 IntuitUpdateService;Intuit Update Service;c:\program files\common files\intuit\update service\IntuitUpdateService.exe [2008-10-10 13088]
R2 MCLServiceATL;Intel® Application Tracker;c:\program files\intel\inteldh\intel media server\shells\MCLServiceATL.exe [2006-11-10 170456]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 YahooAUService;Yahoo! Updater;c:\program files\yahoo!\softwareupdate\YahooAUService.exe [2008-11-9 602392]
S2 ioloProductUpdate;iolo Product Update Service;c:\program files\iolo\common\lib\ioloservicemanager.exe --> c:\program files\iolo\common\lib\ioloServiceManager.exe [?]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-3-9 1028432]
S3 zmNTZip;zmNTZip;c:\program files\ontrack\zipmagic\zmNTZip.sys [2007-12-3 155576]

============== File Associations ===============

JSEFile=NOTEPAD.EXE %1
regfile=NOTEPAD.EXE %1
scrfile=NOTEPAD.EXE %1
VBEFile=NOTEPAD.EXE %1
VBSFile=NOTEPAD.EXE %1

=============== Created Last 30 ================

2009-12-19 08:50 <DIR> --d-h--- c:\windows\PIF
2009-12-17 00:15 28 a------- c:\windows\pdf995.ini
2009-12-17 00:14 <DIR> --d----- c:\program files\pdf995
2009-12-11 09:14 <DIR> --d----- C:\symbols
2009-12-10 11:01 <DIR> --d----- c:\program files\Debugging Tools for Windows (x86)
2009-12-07 06:14 3,255 ac------ c:\windows\system32\wbem\Outlook_01ca772e6a2fa02c.mof
2009-12-05 12:34 118,784 a------- c:\windows\system32\iavlsp.dll
2009-11-26 05:37 <DIR> --d----- c:\program files\MSXML 4.0

==================== Find3M ====================

2009-12-17 00:15 249,856 a------- c:\windows\system32\pdfmona.dll
2009-12-17 00:15 51,716 a------- c:\windows\system32\pdf995mon.dll
2009-12-09 10:52 2,118,568 a------- c:\windows\system32\Incinerator.dll
2009-12-03 16:14 38,224 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-03 16:13 19,160 ac------ c:\windows\system32\drivers\mbam.sys
2009-11-21 10:51 471,552 a------- c:\windows\system32\dllcache\aclayers.dll
2009-11-21 10:51 471,552 a------- c:\windows\apppatch\aclayers.dll
2009-11-10 08:04 360,584 ac------ c:\windows\system32\drivers\avgtdix.sys
2009-11-08 09:45 333,192 ac------ c:\windows\system32\drivers\avgldx86.sys
2009-11-08 09:45 12,464 a------- c:\windows\system32\avgrsstx.dll
2009-10-29 14:08 3,070,976 -------- c:\windows\system32\dllcache\mshtml.dll
2009-10-29 00:38 667,136 a------- c:\windows\system32\wininet.dll
2009-10-29 00:38 667,136 -------- c:\windows\system32\dllcache\wininet.dll
2009-10-29 00:38 1,509,888 -------- c:\windows\system32\dllcache\shdocvw.dll
2009-10-29 00:38 627,712 -------- c:\windows\system32\dllcache\urlmon.dll
2009-10-21 00:38 75,776 a------- c:\windows\system32\strmfilt.dll
2009-10-21 00:38 25,088 a------- c:\windows\system32\httpapi.dll
2009-10-21 00:38 75,776 -------- c:\windows\system32\dllcache\strmfilt.dll
2009-10-21 00:38 25,088 -------- c:\windows\system32\dllcache\httpapi.dll
2009-10-20 11:20 265,728 a------- c:\windows\system32\dllcache\http.sys
2009-10-19 13:17 4,732,319 ac------ c:\docume~1\rosemary\applic~1\family.zip
2009-10-13 05:30 270,336 a------- c:\windows\system32\oakley.dll
2009-10-13 05:30 270,336 -------- c:\windows\system32\dllcache\oakley.dll
2009-10-12 08:38 149,504 a------- c:\windows\system32\rastls.dll
2009-10-12 08:38 149,504 -------- c:\windows\system32\dllcache\rastls.dll
2009-10-12 08:38 79,872 a------- c:\windows\system32\raschap.dll
2009-10-12 08:38 79,872 -------- c:\windows\system32\dllcache\raschap.dll
2009-10-11 04:17 411,368 a------- c:\windows\system32\deploytk.dll
2009-10-08 14:57 611,328 a------- c:\windows\system32\uiautomationcore.dll
2009-10-08 14:57 220,160 a------- c:\windows\system32\oleacc.dll
2009-10-08 14:57 220,160 a------- c:\windows\system32\dllcache\oleacc.dll
2009-10-08 14:56 20,480 a------- c:\windows\system32\oleaccrc.dll
2009-10-08 14:56 20,480 a------- c:\windows\system32\dllcache\oleaccrc.dll
2009-09-25 00:37 81,920 a------- c:\windows\system32\ieencode.dll
2009-09-24 20:23 2,403,528 a------- C:\AOS 18-20.zip
2009-09-24 20:22 3,613,622 a------- C:\AOS 16-18.zip
2009-09-24 20:22 3,810,098 a------- C:\AOS 13 - 15.zip
2009-09-24 20:21 3,725,959 a------- C:\AOS 10-12.zip
2009-09-24 20:21 3,991,357 a------- C:\AOS 7-9.zip
2009-09-24 20:20 3,776,086 a------- C:\AOS 4-6.zip
2009-09-24 20:20 3,459,310 a------- C:\AOS 1-3.zip
2009-09-24 07:28 24,779,828 a------- C:\archive.zip
2009-01-22 11:38 60,744 ac------ c:\documents and settings\rosemary\g2mdlhlpx.exe
2007-06-23 17:04 552 ac------ c:\docume~1\rosemary\applic~1\wklnhst.dat

============= FINISH: 10:58:10.03 ===============

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-07-30.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 6/22/2007 2:13:23 PM
System Uptime: 12/20/2009 10:49:47 AM (0 hours ago)

Motherboard: Intel Corporation | | D975XBX
Processor: Intel® Pentium® D CPU 3.20GHz | J3E1 | 3200/200mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 233 GiB total, 185.562 GiB free.
D: is CDROM ()
E: is Removable
F: is Removable
G: is Removable
H: is Removable
J: is Removable

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP887: 9/21/2009 2:49:29 PM - System Checkpoint
RP888: 9/22/2009 3:20:35 PM - System Checkpoint
RP889: 9/23/2009 4:13:05 PM - System Checkpoint
RP890: 9/24/2009 7:51:21 AM - Removed Adobe Reader 8.1.6
RP891: 9/24/2009 7:52:42 AM - Installed Adobe Reader 9.1.
RP892: 9/25/2009 8:10:36 AM - System Checkpoint
RP893: 9/26/2009 9:29:22 AM - System Checkpoint
RP894: 9/27/2009 1:00:27 PM - System Checkpoint
RP895: 9/28/2009 7:37:05 PM - System Checkpoint
RP896: 9/29/2009 7:58:29 PM - System Checkpoint
RP897: 9/30/2009 8:33:01 PM - System Checkpoint
RP898: 10/1/2009 11:10:04 PM - System Checkpoint
RP899: 10/2/2009 11:41:50 PM - System Checkpoint
RP900: 10/4/2009 6:26:22 AM - System Checkpoint
RP901: 10/5/2009 7:55:49 AM - System Checkpoint
RP902: 10/5/2009 8:14:09 AM - Avg8 Update
RP903: 10/5/2009 8:14:55 AM - Avg8 Update
RP904: 10/6/2009 11:04:27 AM - System Checkpoint
RP905: 10/7/2009 8:45:11 AM - Avg8 Update
RP906: 10/8/2009 11:36:45 AM - System Checkpoint
RP907: 10/9/2009 11:54:51 AM - System Checkpoint
RP908: 10/10/2009 12:27:23 PM - System Checkpoint
RP909: 10/11/2009 3:45:50 PM - System Checkpoint
RP910: 10/12/2009 7:33:24 PM - System Checkpoint
RP911: 10/13/2009 8:00:07 PM - System Checkpoint
RP912: 10/14/2009 8:18:08 AM - Software Distribution Service 3.0
RP913: 10/14/2009 8:58:31 AM - Software Distribution Service 3.0
RP914: 10/14/2009 9:13:53 AM - Installed Java™ 6 Update 15
RP915: 10/15/2009 12:08:50 PM - System Checkpoint
RP916: 10/16/2009 2:00:14 PM - System Checkpoint
RP917: 10/17/2009 9:01:46 AM - Avg8 Update
RP918: 10/18/2009 10:03:47 AM - System Checkpoint
RP919: 10/19/2009 10:11:01 AM - System Checkpoint
RP920: 10/20/2009 6:45:13 AM - Software Distribution Service 3.0
RP921: 10/21/2009 6:56:19 AM - System Checkpoint
RP922: 10/21/2009 9:01:35 AM - Avg8 Update
RP923: 10/22/2009 10:43:20 AM - System Checkpoint
RP924: 10/23/2009 4:11:50 AM - Software Distribution Service 3.0
RP925: 10/24/2009 6:11:57 AM - System Checkpoint
RP926: 10/25/2009 8:07:57 AM - System Checkpoint
RP927: 10/26/2009 9:56:04 AM - System Checkpoint
RP928: 10/27/2009 10:01:14 AM - System Checkpoint
RP929: 10/28/2009 12:38:10 PM - System Checkpoint
RP930: 10/29/2009 6:47:56 AM - Software Distribution Service 3.0
RP931: 10/30/2009 8:14:36 AM - System Checkpoint
RP932: 10/31/2009 9:27:44 AM - System Checkpoint
RP933: 11/1/2009 9:58:29 AM - System Checkpoint
RP934: 11/2/2009 11:00:31 AM - System Checkpoint
RP935: 11/3/2009 9:44:39 AM - Avg8 Update
RP936: 11/4/2009 12:46:15 PM - System Checkpoint
RP937: 11/5/2009 2:41:28 PM - System Checkpoint
RP938: 11/6/2009 9:45:02 AM - Avg8 Update
RP939: 11/7/2009 9:49:49 AM - System Checkpoint
RP940: 11/7/2009 11:15:47 AM - Software Distribution Service 3.0
RP941: 11/8/2009 9:45:00 AM - Installed AVG Free 9.0
RP942: 11/9/2009 11:00:14 AM - System Checkpoint
RP943: 11/10/2009 8:03:49 AM - Avg8 Update
RP944: 11/10/2009 8:04:48 AM - Avg8 Update
RP945: 11/11/2009 6:45:41 AM - Software Distribution Service 3.0
RP946: 11/12/2009 7:21:50 AM - System Checkpoint
RP947: 11/12/2009 8:09:48 AM - Avg8 Update
RP948: 11/13/2009 9:42:36 AM - System Checkpoint
RP949: 11/14/2009 10:44:53 AM - System Checkpoint
RP950: 11/15/2009 11:23:26 AM - System Checkpoint
RP951: 11/16/2009 12:15:58 PM - System Checkpoint
RP952: 11/17/2009 3:28:53 PM - System Checkpoint
RP953: 11/18/2009 4:58:00 PM - System Checkpoint
RP954: 11/19/2009 9:12:28 PM - System Checkpoint
RP955: 11/20/2009 9:38:03 AM - Avg8 Update
RP956: 11/20/2009 9:38:47 AM - Avg8 Update
RP957: 11/21/2009 11:30:08 AM - System Checkpoint
RP958: 11/22/2009 12:22:43 PM - System Checkpoint
RP959: 11/23/2009 12:38:12 PM - System Checkpoint
RP960: 11/24/2009 1:09:51 PM - System Checkpoint
RP961: 11/25/2009 4:15:38 PM - System Checkpoint
RP962: 11/26/2009 5:36:02 AM - Software Distribution Service 3.0
RP963: 11/27/2009 5:49:49 AM - System Checkpoint
RP964: 11/28/2009 12:33:24 PM - System Checkpoint
RP965: 11/29/2009 1:52:54 PM - System Checkpoint
RP966: 11/30/2009 2:41:48 PM - System Checkpoint
RP967: 12/1/2009 3:31:54 PM - System Checkpoint
RP968: 12/2/2009 7:00:49 PM - System Checkpoint
RP969: 12/3/2009 7:03:55 PM - System Checkpoint
RP970: 12/4/2009 8:15:53 PM - System Checkpoint
RP971: 12/5/2009 9:09:39 PM - System Checkpoint
RP972: 12/6/2009 11:25:00 PM - System Checkpoint
RP973: 12/7/2009 11:32:56 PM - System Checkpoint
RP974: 12/9/2009 12:20:08 AM - System Checkpoint
RP975: 12/9/2009 4:31:14 AM - Software Distribution Service 3.0
RP976: 12/10/2009 5:32:12 AM - System Checkpoint
RP977: 12/10/2009 7:06:12 AM - Installed Java™ 6 Update 17
RP978: 12/10/2009 11:01:04 AM - Installed Debugging Tools for Windows (x86)
RP979: 12/10/2009 11:30:38 AM - Installed Debugging Tools for Windows (x86)
RP980: 12/11/2009 9:10:25 AM - Installed Debugging Tools for Windows
RP981: 12/12/2009 8:20:52 AM - Avg8 Update
RP982: 12/12/2009 8:22:34 AM - Avg8 Update
RP983: 12/13/2009 8:58:39 AM - System Checkpoint
RP984: 12/14/2009 7:21:30 AM - Software Distribution Service 3.0
RP985: 12/15/2009 8:20:51 AM - System Checkpoint
RP986: 12/16/2009 9:43:35 AM - System Checkpoint
RP987: 12/16/2009 11:41:20 PM - Printer Driver PDF995 Printer Driver Installed
RP988: 12/16/2009 11:41:54 PM - Printer Driver PDF995 Printer Driver Installed
RP989: 12/17/2009 12:11:28 AM - Printer Driver PDF995 Printer Driver Installed
RP990: 12/17/2009 12:15:14 AM - Printer Driver PDF995 Printer Driver Installed
RP991: 12/18/2009 12:33:24 AM - System Checkpoint
RP992: 12/19/2009 5:34:51 AM - System Checkpoint
RP993: 12/19/2009 9:02:13 AM - Avg8 Update
RP994: 12/19/2009 2:05:22 PM - Removed Java 2 Runtime Environment, SE v1.4.1_02
RP995: 12/19/2009 2:06:01 PM - Removed Java™ 6 Update 2
RP996: 12/19/2009 2:06:45 PM - Removed Java™ 6 Update 3
RP997: 12/19/2009 2:07:27 PM - Removed Java™ 6 Update 5

==== Installed Programs ======================


2000 TurboTax for Windows
7200
7200_Help
7200Trb
Acrobat.com
Ad-Aware
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Photoshop 7.0
Adobe Product/Adobe Studio Update 10/2001
Adobe Reader 8.1.2 Security Update 1 (KB403742)
Adobe Reader 9.2
Advanced Analyzer
AiO_Scan
AiOSoftware
AnswerWorks 4.0 Runtime - English
AnswerWorks 5.0 English Runtime
ATI Display Driver
Avery Wizard 3.1
AVG Free 9.0
Broderbund Media Manager
BufferChm
Carbonite
Compatibility Pack for the 2007 Office system
Copy
CP_AtenaShokunin1Config
cp_dwShrek2Albums1
cp_dwShrek2Cards1
CreativeProjects
CreativeProjectsTemplates
Critical Update for Windows Media Player 11 (KB959772)
CueTour
Debugging Tools for Windows
Debugging Tools for Windows (x86)
Destinations
Director
DocProc
DocumentViewer
doPDF 5.0 printer
EasyCleaner
Fax
Fidelity Active Trader Pro®
Google Earth
Google Updater
GoToMeeting 4.0.0.320
High Definition Audio Driver Package - KB888111
Hotfix for Microsoft .NET Framework 3.0 (KB932471)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 10 (KB903157)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB915800-v4)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
HP Extended Capabilities 4.7
HP Image Zone 4.7
HP Officejet 7200 series
HP Product Assistant
HP Product Detection
HP PSC & OfficeJet 4.7
HP Update
HPSystemDiagnostics
InstantShare
Intel Audio Studio 2.0
Intel® Matrix Storage Manager
Intel® PRO Network Connections Drivers
Intel® Quick Resume Technology Drivers
Intel® Viiv™ Software
Intuit Entitlement Client
ItsDeductible Express
Java™ 6 Update 17
LaserJet 1020 series
Macromedia Shockwave Player
Malwarebytes' Anti-Malware
MarketResearch
MediaShow 3.0
Microsoft .NET Framework 1.0 Hotfix (KB953295)
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Base Smart Card Cryptographic Service Provider Package
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Digital Image Library 9 - Blocker
Microsoft Digital Image Standard 2006
Microsoft Digital Image Standard 2006 Editor
Microsoft Digital Image Standard 2006 Library
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
Microsoft Office 2003 Primary Interop Assemblies
Microsoft Office Professional Edition 2003
Microsoft Silverlight
Microsoft Streets & Trips 2006
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual Studio 2005 Tools for Office Runtime
Microsoft Web Publishing Wizard 1.52
Microsoft Works Suite 2006 Setup Launcher
mIRC
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 4.0 SP2 Parser and SDK
MSXML 6.0 Parser (KB933579)
OIB4 Training Install Kit
Ontrack ZipMagic 4.0
OrchidWiz Encyclopedia
OrderReminder HP LaserJet 1020
PanoStandAlone
PCI SoftV92 Modem
Pdf995
PhotoGallery
PowerDVD
PowerProducer
PowerStarter
ProductContext
ProSeries Basic Edition 2007
QFolder
QuickBooks
QuickBooks Premier: Accountant Edition 2007
QuickBooks Pro 2009
Quicken 2007
QuoteTracker
Readme
RegScrubXP 3.25
SafeCast Shared Components
Scan
ScannerCopy
Security Update for CAPICOM (KB931906)
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Search 4 - KB963093
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950759)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953838)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956390)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958215)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960714)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB963027)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969897)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972260)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974455)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB976325)
Shockwave
SigmaTel Audio
SkinsHP1
Spelling Dictionaries Support For Adobe Reader 8
Spybot - Search & Destroy
SpywareBlaster 4.1
SupportSoft Assisted Service
TaxCut Premium + State + Efile 2008
Text Twist 2 (remove only)
The Print Shop
TrayApp
TurboTax 2008
TurboTax 2008 wgaiper
TurboTax 2008 WinPerFedFormset
TurboTax 2008 WinPerProgramHelp
TurboTax 2008 WinPerReleaseEngine
TurboTax 2008 WinPerTaxSupport
TurboTax 2008 WinPerUserEducation
TurboTax 2008 wrapper
TurboTax Deluxe 2002
TurboTax Deluxe 2003
TurboTax Deluxe 2004
TurboTax Deluxe 2005
TurboTax Deluxe 2007
TurboTax Deluxe Deduction Maximizer 2006
TurboTax ItsDeductible 2005
TurboTax ItsDeductible 2006
Tweak UI
Unload
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft Windows (KB971513)
Update for Windows Media Player 10 (KB913800)
Update for Windows Media Player 10 (KB926251)
Update for Windows XP (KB943729)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951618-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
Update for Windows XP (KB976749)
Update Rollup 2 for Windows XP Media Center Edition 2005
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
Visual Studio 2005 Tools for Office Second Edition Runtime
VNC 4.0
WebFldrs XP
WebReg
WexTech AnswerWorks
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Imaging Component
Windows Media Format 11 runtime
Windows Media Player 11
Windows Presentation Foundation
Windows Search 4.0
Windows XP Media Center Edition 2005 KB908250
Windows XP Media Center Edition 2005 KB925766
Windows XP Media Center Edition 2005 KB973768
Windows XP Service Pack 3
Works Upgrade
XML Paper Specification Shared Components Pack 1.0
Yahoo! Messenger
Yahoo! Search Protection
Yahoo! Software Update
Yahoo! Toolbar

==== Event Viewer Messages From Past Week ========

12/20/2009 10:50:39 AM, error: Service Control Manager [7000] - The iolo Product Update Service service failed to start due to the following error: The system cannot find the file specified.
12/19/2009 3:13:39 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: Beep uagp35
12/19/2009 2:46:50 PM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000243' while processing the file 'avglngx.dll.old' on the volume 'HarddiskVolume1'. It has stopped monitoring the volume.
12/17/2009 9:22:11 AM, error: VolSnap [25] - The shadow copy of volume C: was aborted because the diff area file could not grow in time. Consider reducing the IO load on this system to avoid this problem in the future.
12/17/2009 9:21:58 AM, error: VolSnap [12] - The shadow copy of volume C: became low on diff area space before it was properly installed.
12/17/2009 7:44:17 AM, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service ntmssvc with arguments "-Service" in order to run the server: {D61A27C6-8F53-11D0-BFA0-00A024151983}
12/17/2009 12:06:04 AM, error: Service Control Manager [7000] - The AMPSE service failed to start due to the following error: The system cannot find the file specified.
12/16/2009 11:16:29 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Windows Search service to connect.
12/16/2009 11:16:29 PM, error: Service Control Manager [7000] - The Windows Search service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
12/16/2009 11:16:29 PM, error: DCOM [10005] - DCOM got error "%1053" attempting to start the service WSearch with arguments "" in order to run the server: {7D096C5F-AC08-4F1F-BEB7-5C22C517CE39}
12/16/2009 11:16:18 PM, error: Service Control Manager [7024] - The Windows Search service terminated with service-specific error 2147749155 (0x80040D23).
12/16/2009 11:15:37 PM, error: Dhcp [1002] - The IP address lease 192.168.1.103 for the Network Card with network address 0016761F508E has been denied by the DHCP server 192.168.1.1 (The DHCP Server sent a DHCPNACK message).
12/14/2009 1:21:03 AM, error: System Error [1003] - Error code 1000007f, parameter1 00000008, parameter2 80042000, parameter3 00000000, parameter4 00000000.
12/14/2009 1:18:20 AM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the QoS RSVP service to connect.
12/14/2009 1:18:20 AM, error: Service Control Manager [7000] - The QoS RSVP service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
12/14/2009 1:04:46 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: Beep
12/14/2009 1:04:34 PM, error: Service Control Manager [7023] - The Intel® Quick Resume technology service terminated with the following error: The system could not find the environment option that was entered.
12/14/2009 1:04:31 PM, error: Service Control Manager [7023] - The HID Input Service service terminated with the following error: The system cannot find the file specified.
12/14/2009 1:04:31 PM, error: Service Control Manager [7000] - The iolo Product Update Service service failed to start due to the following error: The executable program that this service is configured to run in does not implement the service.
12/13/2009 1:16:36 AM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000243' while processing the file 'avgcertx.dll.old' on the volume 'HarddiskVolume1'. It has stopped monitoring the volume.
12/13/2009 1:16:10 AM, error: Dhcp [1002] - The IP address lease 192.168.1.102 for the Network Card with network address 0016761F508E has been denied by the DHCP server 192.168.1.1 (The DHCP Server sent a DHCPNACK message).

==== End Of File ===========================

#6 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,688 posts
  • Gender:Male
  • Location:The Netherlands
  • Local time:02:59 AM

Posted 20 December 2009 - 11:43 AM

Well done. :(

Before running GMER, let's repair some changes made by System Mechanic that are still left behind.
  • Please run Notepad (start > All Programs > Accessories > Notepad) and copy and paste the text in the code box into a new file:


    @ECHO OFF
    REM stop the leftover iolo service, then remove its registration
    sc stop ioloProductUpdate
    sc delete ioloProductUpdate
    REM the batch file deletes itself (it runs from the desktop)
    del remove.bat
    • Go to the File menu at the top of the Notepad and select Save as.
    • Select save in: desktop
    • Fill in File name: remove.bat
    • Save as type: All file types (*.*)
    • Click save.
    • Close the Notepad.
    • Locate and double-click remove.bat on the desktop. It should look like this: Posted Image
      If everything goes well the remove.bat opens and disappears after removing the service.
  • Download System Repair Engineer (SREng2.zip) from http://www.kztechs.com/eng/download.html
    • Extract it to Desktop and double click SREngLdr.EXE to run it
    • Select System Repair from the left pane.
    • Click on File Association
    • Select all entries that has an Error status click [Repair]
    • Refer to this image for an example:

      Posted Image
    • In your case, it would be JSEFile
      regfile
      scrfile
      VBEFile
      VBSFile
    • Close SREng now.
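The two symptoms Farbar is cleaning up here both show in the Event Viewer section of the DDS log posted above: Service Control Manager event 7000 reporting that the iolo Product Update Service and the AMPSE service failed to start because "The system cannot find the file specified" (an uninstaller removed the binary but left the service registration), and once because the configured executable "does not implement the service". The following is an added example, not DDS's code and not part of this thread: a small Python parser for DDS-style event lines that flags exactly those orphaned registrations so a helper can see at a glance which leftovers still need an `sc delete`. The sample lines are constructed for the example by copying entries from the log above; the event-line layout (`date, level: source [id] - message`) is assumed from that log.

```python
import re
from collections import OrderedDict

# Constructed sample input: Event Viewer lines in the layout DDS writes them,
# copied from the log posted earlier in this thread.
SAMPLE_EVENTS = """\
12/20/2009 10:50:39 AM, error: Service Control Manager [7000] - The iolo Product Update Service service failed to start due to the following error: The system cannot find the file specified.
12/19/2009 3:13:39 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: Beep uagp35
12/17/2009 12:06:04 AM, error: Service Control Manager [7000] - The AMPSE service failed to start due to the following error: The system cannot find the file specified.
12/16/2009 11:16:29 PM, error: Service Control Manager [7000] - The Windows Search service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
12/14/2009 1:04:31 PM, error: Service Control Manager [7000] - The iolo Product Update Service service failed to start due to the following error: The executable program that this service is configured to run in does not implement the service.
"""

# One DDS event line: "<date> <time> AM/PM, <level>: <source> [<id>] - <message>"
EVENT_RE = re.compile(
    r"^(?P<when>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M), "
    r"(?P<level>\w+): (?P<source>[^\[]+?) \[(?P<event_id>\d+)\] - (?P<message>.*)$"
)

# Message text of a Service Control Manager 7000 event.
START_FAIL_RE = re.compile(
    r"^The (?P<service>.+?) service failed to start due to the following error: (?P<reason>.+)$"
)

# Failure reasons that point at a registration whose binary is gone, or whose
# binary is not a service at all: the signature of a leftover service entry.
# A timeout (as with Windows Search above) is a different problem and is not flagged.
ORPHAN_REASONS = {
    "The system cannot find the file specified.": "missing_binary",
    "The executable program that this service is configured to run in does not implement the service.": "not_a_service",
}


def parse_event(line):
    """Split one DDS event line into its fields, or return None if it is not one."""
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    fields = m.groupdict()
    fields["event_id"] = int(fields["event_id"])
    return fields


def find_orphaned_services(text):
    """Return {display_name: [reason tags]} for SCM 7000 events that indicate a leftover registration."""
    found = OrderedDict()
    for line in text.splitlines():
        ev = parse_event(line)
        if not ev or ev["source"] != "Service Control Manager" or ev["event_id"] != 7000:
            continue
        fail = START_FAIL_RE.match(ev["message"])
        if not fail:
            continue
        tag = ORPHAN_REASONS.get(fail["reason"].strip())
        if tag:
            found.setdefault(fail["service"], set()).add(tag)
    return {name: sorted(tags) for name, tags in found.items()}


if __name__ == "__main__":
    for name, tags in find_orphaned_services(SAMPLE_EVENTS).items():
        print(f"{name}: {', '.join(tags)}")
```

On the sample above this reports the iolo Product Update Service (both reasons) and AMPSE (missing binary), while leaving the Windows Search timeout alone. Note that the event text carries the service's display name, whereas `sc stop` and `sc delete` take the service key name (`ioloProductUpdate` in Farbar's batch file); the key name has to be looked up under the Services key or in the DDS services section before the removal command is written.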


#7 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,688 posts
  • Gender:Male
  • Location:The Netherlands
  • Local time:02:59 AM

Posted 20 December 2009 - 11:57 AM

Please let me know after doing the fixes in the previous log. We need to do one more thing before proceeding to running GMER.

#8 pilotgal8

pilotgal8
  • Topic Starter

  • Members
  • 11 posts
  • Local time:07:59 PM

Posted 21 December 2009 - 03:18 AM

Glad I came back here, as I ran GMER and still couldn't get the log to save.

Ran remove.bat
Didn't download the newer SREngLdr, as you didn't indicate I should.
The one I ran showed only REG SCR VBS and JS with errors.

Thanks for your help.

#9 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,688 posts
  • Gender:Male
  • Location:The Netherlands
  • Local time:02:59 AM

Posted 21 December 2009 - 05:30 AM

We have to remove another SM leftover.
  • Download LSPFix.zip to a convenient location and unzip the file.
    • Please double-click LSPFix.exe.
    • Under Keep section select only iavlsp.dll and press >> to move it to Remove section.
    • Check the "I know what I'm doing" button.
    • Click "Finish>>" then reboot your computer.
  • Now please post a DDS.txt log. No need for Attach.txt.


#10 pilotgal8

pilotgal8
  • Topic Starter

  • Members
  • 11 posts
  • Local time:07:59 PM

Posted 21 December 2009 - 07:48 AM

iavlsp removed 3 Protocol provider entries and renumbered 13

DDS (Ver_09-07-30.01) - NTFSx86
Run by Rosemary at 7:46:17.81 on Mon 12/21/2009
Internet Explorer: 6.0.2900.5512
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2045.1230 [GMT -5:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
svchost.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\Program Files\Intel\IntelDH\CCU\AlertService.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\Program Files\Carbonite\Carbonite Backup\carboniteservice.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\ISSM.exe
C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\MCLServiceATL.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\rsvp.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\Program Files\Intel\IntelDH\CCU\CCU_TrayIcon.exe
C:\Program Files\Common Files\Intel\IntelDH\NMS\Support\IntelHCTAgent.exe
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\Program Files\Carbonite\Carbonite Backup\CarboniteUI.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\Intel\IntelDH\CCU\CCU_Engine.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\vssvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Documents and Settings\Rosemary\Desktop\dds.pif

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.goodsearch.com/
uSearch Page = hxxp://us.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*http://www.yahoo.com
uSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
mDefault_Page_URL = hxxp://www.yahoo.com/
mDefault_Search_URL = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
mSearch Page = hxxp://us.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*http://www.yahoo.com
mStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\progra~1\yahoo!\companion\installs\cpn\YTSingleInstance.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
uRun: [PxDotNetLoader] "c:\program files\fidelity investments\fidelity active trader\system\ATPStartupAssistant.exe"
uRun: [Messenger (Yahoo!)] "c:\program files\yahoo!\messenger\YahooMessenger.exe" -quiet
uRun: [Search Protection] c:\program files\yahoo!\search protection\SearchProtection.exe
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [LanguageShortcut] "c:\program files\cyberlink\powerdvd\language\Language.exe"
mRun: [IntelAudioStudio] "c:\program files\intel audio studio\IntelAudioStudio.exe" TRAY
mRun: [IAAnotif] "c:\program files\intel\intel matrix storage manager\Iaanotif.exe"
mRun: [CCUTRAYICON] c:\program files\intel\inteldh\ccu\CCU_TrayIcon.exe
mRun: [NMSSupport] "c:\program files\common files\intel\inteldh\nms\support\IntelHCTAgent.exe" /startup
mRun: [<NO NAME>]
mRun: [Ad-Watch] c:\program files\lavasoft\ad-aware\AAWTray.exe
mRun: [Intuit SyncManager] c:\program files\common files\intuit\sync\IntuitSyncManager.exe startup
mRun: [YSearchProtection] "c:\program files\yahoo!\search protection\SearchProtection.exe"
mRun: [Carbonite Backup] c:\program files\carbonite\carbonite backup\CarboniteUI.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRunServices: [ZipMagic] c:\program files\ontrack\zipmagic\zm32nt.exe
dRun: [braviax]
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpimag~1.lnk - c:\program files\hp\digital imaging\bin\hpqthb08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quickb~1.lnk - c:\program files\common files\intuit\quickbooks\qbupdate\qbupdate.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: {4EAFEF58-EEFA-4116-983D-03B49BCBFFFE}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\jp2iexp.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: turbotax.com
DPF: {01113300-3E00-11D2-8470-0060089874ED} - hxxp://echat.bellsouth.net/sdccommon/download/tgctlcm.cab
DPF: {14C1B87C-3342-445F-9B5E-365FF330A3AC} - hxxps://h50203.www5.hp.com/HPISWeb/Customer/cabs/HPISDataManager.CAB
DPF: {15B782AF-55D8-11D1-B477-006097098764} - hxxp://download.macromedia.com/pub/shockwave/cabs/authorware/awswax70.cab
DPF: {2703049B-D81D-4763-A3C6-AF8932FCBD8F} - hxxps://am.hrblock.com/ActivexComponent/CheckFileStatus.CAB
DPF: {60EFC337-15C2-4369-B2A0-3429B071D8B8} - hxxp://h50203.www5.hp.com/HPISWeb/Customer/cabs/HPISWebManager.CAB
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1182539247843
DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} - hxxp://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1182539214796
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {A796D216-2DE1-4EA8-BABB-FE6E7C959098} - hxxp://www.hp.com/cpso-support-new/SDD/hpsddObjSigned.cab
DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7}
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: intu-help-qb2 - {84D77A00-41B5-4b8b-8ADF-86486D72E749} - c:\program files\intuit\quickbooks 2009\HelpAsyncPluggableProtocol.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Handler: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - c:\windows\system32\mscoree.dll
Handler: x-atng - {7e8717b0-d862-11d5-8c9e-00010304f989} - c:\program files\fidelity investments\fidelity active trader\system\atngprot.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: avgrsstarter - avgrsstx.dll
AppInit_DLLs: cru629.dat
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-4-2 64160]
R0 zmNTMon;zmNTMon;c:\windows\system32\drivers\ZmNTMon.sys [2007-12-3 5760]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-5-4 333192]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2007-6-23 28424]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-5-4 360584]
R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2009-11-8 285392]
R2 IntuitUpdateService;Intuit Update Service;c:\program files\common files\intuit\update service\IntuitUpdateService.exe [2008-10-10 13088]
R2 MCLServiceATL;Intel® Application Tracker;c:\program files\intel\inteldh\intel media server\shells\MCLServiceATL.exe [2006-11-10 170456]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 YahooAUService;Yahoo! Updater;c:\program files\yahoo!\softwareupdate\YahooAUService.exe [2008-11-9 602392]
S2 ioloProductUpdate;iolo Product Update Service;c:\program files\iolo\common\lib\ioloservicemanager.exe --> c:\program files\iolo\common\lib\ioloServiceManager.exe [?]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-3-9 1028432]
S3 zmNTZip;zmNTZip;c:\program files\ontrack\zipmagic\zmNTZip.sys [2007-12-3 155576]

============== File Associations ===============

JSEFile=NOTEPAD.EXE %1
VBEFile=NOTEPAD.EXE %1

=============== Created Last 30 ================

2009-12-19 08:50 <DIR> --d-h--- c:\windows\PIF
2009-12-17 00:15 28 a------- c:\windows\pdf995.ini
2009-12-17 00:14 <DIR> --d----- c:\program files\pdf995
2009-12-11 09:14 <DIR> --d----- C:\symbols
2009-12-10 11:01 <DIR> --d----- c:\program files\Debugging Tools for Windows (x86)
2009-12-07 06:14 3,255 ac------ c:\windows\system32\wbem\Outlook_01ca772e6a2fa02c.mof
2009-12-05 12:34 118,784 a------- c:\windows\system32\iavlsp.dll
2009-11-26 05:37 <DIR> --d----- c:\program files\MSXML 4.0

==================== Find3M ====================

2009-12-17 00:15 249,856 a------- c:\windows\system32\pdfmona.dll
2009-12-17 00:15 51,716 a------- c:\windows\system32\pdf995mon.dll
2009-12-09 10:52 2,118,568 a------- c:\windows\system32\Incinerator.dll
2009-12-03 16:14 38,224 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-03 16:13 19,160 ac------ c:\windows\system32\drivers\mbam.sys
2009-11-21 10:51 471,552 a------- c:\windows\system32\dllcache\aclayers.dll
2009-11-21 10:51 471,552 a------- c:\windows\apppatch\aclayers.dll
2009-11-10 08:04 360,584 ac------ c:\windows\system32\drivers\avgtdix.sys
2009-11-08 09:45 333,192 ac------ c:\windows\system32\drivers\avgldx86.sys
2009-11-08 09:45 12,464 a------- c:\windows\system32\avgrsstx.dll
2009-10-29 14:08 3,070,976 -------- c:\windows\system32\dllcache\mshtml.dll
2009-10-29 00:38 667,136 a------- c:\windows\system32\wininet.dll
2009-10-29 00:38 667,136 -------- c:\windows\system32\dllcache\wininet.dll
2009-10-29 00:38 1,509,888 -------- c:\windows\system32\dllcache\shdocvw.dll
2009-10-29 00:38 627,712 -------- c:\windows\system32\dllcache\urlmon.dll
2009-10-21 00:38 75,776 a------- c:\windows\system32\strmfilt.dll
2009-10-21 00:38 25,088 a------- c:\windows\system32\httpapi.dll
2009-10-21 00:38 75,776 -------- c:\windows\system32\dllcache\strmfilt.dll
2009-10-21 00:38 25,088 -------- c:\windows\system32\dllcache\httpapi.dll
2009-10-20 11:20 265,728 a------- c:\windows\system32\dllcache\http.sys
2009-10-19 13:17 4,732,319 ac------ c:\docume~1\rosemary\applic~1\family.zip
2009-10-13 05:30 270,336 a------- c:\windows\system32\oakley.dll
2009-10-13 05:30 270,336 -------- c:\windows\system32\dllcache\oakley.dll
2009-10-12 08:38 149,504 a------- c:\windows\system32\rastls.dll
2009-10-12 08:38 149,504 -------- c:\windows\system32\dllcache\rastls.dll
2009-10-12 08:38 79,872 a------- c:\windows\system32\raschap.dll
2009-10-12 08:38 79,872 -------- c:\windows\system32\dllcache\raschap.dll
2009-10-11 04:17 411,368 a------- c:\windows\system32\deploytk.dll
2009-10-08 14:57 611,328 a------- c:\windows\system32\uiautomationcore.dll
2009-10-08 14:57 220,160 a------- c:\windows\system32\oleacc.dll
2009-10-08 14:57 220,160 a------- c:\windows\system32\dllcache\oleacc.dll
2009-10-08 14:56 20,480 a------- c:\windows\system32\oleaccrc.dll
2009-10-08 14:56 20,480 a------- c:\windows\system32\dllcache\oleaccrc.dll
2009-09-25 00:37 81,920 a------- c:\windows\system32\ieencode.dll
2009-09-24 20:23 2,403,528 a------- C:\AOS 18-20.zip
2009-09-24 20:22 3,613,622 a------- C:\AOS 16-18.zip
2009-09-24 20:22 3,810,098 a------- C:\AOS 13 - 15.zip
2009-09-24 20:21 3,725,959 a------- C:\AOS 10-12.zip
2009-09-24 20:21 3,991,357 a------- C:\AOS 7-9.zip
2009-09-24 20:20 3,776,086 a------- C:\AOS 4-6.zip
2009-09-24 20:20 3,459,310 a------- C:\AOS 1-3.zip
2009-09-24 07:28 24,779,828 a------- C:\archive.zip
2009-01-22 11:38 60,744 ac------ c:\documents and settings\rosemary\g2mdlhlpx.exe
2007-06-23 17:04 552 ac------ c:\docume~1\rosemary\applic~1\wklnhst.dat

============= FINISH: 7:47:18.59 ===============

#11 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,688 posts
  • OFFLINE
  • Gender:Male
  • Location:The Netherlands
  • Local time:02:59 AM

Posted 21 December 2009 - 08:10 AM

Let's do it without GMER log.
  • Go to start > Run copy/paste the following lines one by one in the run box and click OK after each line.

    cmd /c ftype jsefile=%SystemRoot%\System32\WScript.exe "%1" %*
    cmd /c ftype vbefile=%SystemRoot%\System32\WScript.exe "%1" %*
    sc delete ioloProductUpdate


  • Disable AVG Resident Shield:
    • Double click AVG system tray icon to open AVG.
    • In Overview section double click Resident Shield.
    • Uncheck Resident Shield Active.
    • Press Save Changes.

      Note: It is important to activate the resident shield immediately after ComboFix produced its log.
  • Download ComboFix from one of these locations:

    Link 1
    Link 2
    Link 3

    * IMPORTANT !!! Save ComboFix.exe to your Desktop

    • Disable your AntiVirus and AntiSpyware applications. They may otherwise interfere with our tools. (Information on A/V control HERE)
    • Double click on ComboFix.exe & follow the prompts.
    • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

    Posted Image


    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

    Posted Image


    Click on Yes, to continue scanning for malware.

    When finished, it shall produce a log for you. Please copy and paste the C:\ComboFix.txt in your next reply.


#12 pilotgal8

pilotgal8
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:07:59 PM

Posted 21 December 2009 - 09:41 AM

Here it is.

ComboFix 09-12-20.08 - Rosemary 12/21/2009 9:31.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2045.1241 [GMT -5:00]
Running from: c:\data\Sysclean Utilities\Combofix\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe
c:\recycler\S-1-5-21-1310135482-1916201502-4137776908-500
c:\recycler\S-1-5-21-1362907209-963325489-4064315536-500
c:\recycler\S-1-5-21-742619449-429523240-4277196801-500
c:\windows\EventSystem.log
c:\windows\kb913800.exe
c:\windows\system32\_000005_.tmp.dll

.
((((((((((((((((((((((((( Files Created from 2009-11-21 to 2009-12-21 )))))))))))))))))))))))))))))))
.

2009-12-19 19:50 . 2009-12-19 19:50 4844296 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-12-19 14:02 . 2009-12-12 13:21 2352920 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgresf.dll
2009-12-19 13:50 . 2009-12-19 13:50 -------- d--h--w- c:\windows\PIF
2009-12-17 05:14 . 2009-12-17 05:16 -------- d-----w- c:\program files\pdf995
2009-12-12 13:22 . 2009-11-20 14:38 3963160 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgcorex.dll
2009-12-12 13:20 . 2009-11-20 14:37 844056 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgupd.exe
2009-12-12 13:20 . 2009-11-20 14:37 1658136 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgupd.dll
2009-12-11 14:14 . 2009-12-11 14:14 -------- d-----w- C:\symbols
2009-12-11 14:10 . 2009-12-11 14:14 -------- d-----w- c:\program files\Debugging Tools for Windows
2009-12-10 16:01 . 2009-12-10 18:10 -------- d-----w- c:\program files\Debugging Tools for Windows (x86)
2009-12-05 18:54 . 2009-12-05 18:54 -------- d-----w- c:\documents and settings\IUSR_NMPR\Application Data\iolo
2009-12-05 17:34 . 2009-11-11 23:46 118784 ----a-w- c:\windows\system32\iavlsp.dll
2009-12-05 17:29 . 2009-12-05 17:29 -------- d-----w- c:\documents and settings\NetworkService\Application Data\iolo
2009-11-26 10:37 . 2009-11-26 10:37 -------- d-----w- c:\program files\MSXML 4.0

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-21 14:27 . 2007-06-25 00:48 12375 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2007\qbbackup.sys
2009-12-21 08:00 . 2007-06-23 07:14 -------- d-----w- c:\documents and settings\All Users\Application Data\pdf995
2009-12-20 16:35 . 2008-06-20 07:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2009-12-20 15:44 . 2008-03-18 16:15 -------- d-----w- c:\documents and settings\All Users\Application Data\iolo
2009-12-19 19:51 . 2009-08-12 14:35 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-19 19:06 . 2007-07-27 12:03 -------- d-----w- c:\program files\Java
2009-12-19 14:37 . 2007-06-22 18:43 -------- d-----w- c:\program files\RegScrubXP
2009-12-17 05:15 . 2007-06-23 07:14 51716 ----a-w- c:\windows\system32\pdf995mon.dll
2009-12-17 05:15 . 2007-06-23 07:14 249856 ----a-w- c:\windows\system32\pdfmona.dll
2009-12-17 05:15 . 2007-06-23 07:14 142 ----a-w- c:\windows\wpd99.drv
2009-12-17 05:12 . 2009-02-13 14:58 -------- d-----w- c:\program files\TaxCut08
2009-12-17 05:10 . 2009-02-13 14:59 -------- d-----w- c:\documents and settings\Rosemary\Application Data\TaxCut
2009-12-17 04:29 . 2007-06-23 08:01 -------- d-----w- c:\program files\Coupons
2009-12-10 12:03 . 2009-11-10 21:45 152576 -c--a-w- c:\documents and settings\Rosemary\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2009-12-10 12:03 . 2009-11-10 21:44 79488 -c--a-w- c:\documents and settings\Rosemary\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2009-12-09 15:52 . 2008-03-18 16:19 2118568 ----a-w- c:\windows\system32\Incinerator.dll
2009-12-09 06:18 . 2007-08-24 09:27 -------- d-----w- c:\documents and settings\Rosemary\Application Data\iolo
2009-12-08 17:56 . 2007-06-23 08:53 -------- d-----w- c:\program files\QuoteTracker
2009-12-06 14:11 . 2007-06-22 18:47 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-12-03 21:14 . 2009-08-12 14:35 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-03 21:13 . 2009-08-12 14:35 19160 -c--a-w- c:\windows\system32\drivers\mbam.sys
2009-11-26 16:16 . 2009-09-21 15:18 3695616 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\AutoLaunch.exe
2009-11-21 16:17 . 2008-04-07 12:20 1933 -c--a-w- c:\documents and settings\Rosemary\Application Data\iolo\restore.bat
2009-11-21 15:51 . 2006-09-29 17:40 471552 ----a-w- c:\windows\AppPatch\aclayers.dll
2009-11-10 13:04 . 2008-05-04 12:43 360584 -c--a-w- c:\windows\system32\drivers\avgtdix.sys
2009-11-08 14:45 . 2008-05-04 12:43 333192 -c--a-w- c:\windows\system32\drivers\avgldx86.sys
2009-11-08 14:45 . 2007-06-23 07:55 28424 -c--a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-11-08 14:45 . 2008-05-04 12:43 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2009-11-08 14:45 . 2009-11-08 14:45 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
2009-11-08 14:45 . 2008-05-04 12:43 -------- d-----w- c:\program files\AVG
2009-11-03 03:07 . 2007-06-23 07:28 -------- d-----w- c:\program files\Avery Wizard 3.1
2009-10-29 05:38 . 2006-09-29 17:41 667136 ----a-w- c:\windows\system32\wininet.dll
2009-10-21 05:38 . 2006-09-29 17:41 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38 . 2006-09-29 17:40 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-20 16:20 . 2004-08-04 03:00 265728 ----a-w- c:\windows\system32\drivers\http.sys
2009-10-19 18:17 . 2007-06-23 08:49 4732319 -c--a-w- c:\documents and settings\Rosemary\Application Data\family.zip
2009-10-19 15:16 . 2009-06-18 15:16 2353992 -c--a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\Ad-Aware.exe
2009-10-14 13:13 . 2009-10-14 13:13 152576 -c--a-w- c:\documents and settings\Rosemary\Application Data\Sun\Java\jre1.6.0_15\lzma.dll
2009-10-13 10:30 . 2006-09-29 17:41 270336 ----a-w- c:\windows\system32\oakley.dll
2009-10-12 13:38 . 2006-09-29 17:41 149504 ----a-w- c:\windows\system32\rastls.dll
2009-10-12 13:38 . 2006-09-29 17:41 79872 ----a-w- c:\windows\system32\raschap.dll
2009-10-11 09:17 . 2009-10-14 13:14 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-10-08 19:57 . 2007-10-09 18:03 611328 ----a-w- c:\windows\system32\uiautomationcore.dll
2009-10-08 19:57 . 2006-09-29 17:41 220160 ----a-w- c:\windows\system32\oleacc.dll
2009-10-08 19:56 . 2006-09-29 17:41 20480 ----a-w- c:\windows\system32\oleaccrc.dll
2009-10-02 05:13 . 2009-10-02 05:13 816392 -c--a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2007\Components\DownloadQB17\Patch\qbpatch2.exe
2009-09-25 05:37 . 2006-09-29 17:40 81920 ----a-w- c:\windows\system32\ieencode.dll
2009-09-25 01:23 . 2009-09-25 01:23 2403528 ----a-w- C:\AOS 18-20.zip
2009-09-25 01:22 . 2009-09-25 01:22 3613622 ----a-w- C:\AOS 16-18.zip
2009-09-25 01:22 . 2009-09-25 01:22 3810098 ----a-w- C:\AOS 13 - 15.zip
2009-09-25 01:21 . 2009-09-25 01:21 3725959 ----a-w- C:\AOS 10-12.zip
2009-09-25 01:21 . 2009-09-25 01:21 3991357 ----a-w- C:\AOS 7-9.zip
2009-09-25 01:20 . 2009-09-25 01:20 3776086 ----a-w- C:\AOS 4-6.zip
2009-09-25 01:20 . 2009-09-25 01:20 3459310 ----a-w- C:\AOS 1-3.zip
2009-09-24 12:28 . 2009-09-24 12:28 24779828 ----a-w- C:\archive.zip
2009-09-24 11:50 . 2009-09-24 11:50 86016 -c--a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Green]
@="{95A27763-F62A-4114-9072-E81D87DE3B68}"
[HKEY_CLASSES_ROOT\CLSID\{95A27763-F62A-4114-9072-E81D87DE3B68}]
2009-04-29 21:19 583312 ----a-r- c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Partial]
@="{E300CD91-100F-4E67-9AF3-1384A6124015}"
[HKEY_CLASSES_ROOT\CLSID\{E300CD91-100F-4E67-9AF3-1384A6124015}]
2009-04-29 21:19 583312 ----a-r- c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Yellow]
@="{5E529433-B50E-4bef-A63B-16A6B71B071A}"
[HKEY_CLASSES_ROOT\CLSID\{5E529433-B50E-4bef-A63B-16A6B71B071A}]
2009-04-29 21:19 583312 ----a-r- c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PxDotNetLoader"="c:\program files\Fidelity Investments\Fidelity Active Trader\System\ATPStartupAssistant.exe" [2009-03-25 42336]
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2009-05-27 4351216]
"Search Protection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2009-02-23 111856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
"LanguageShortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe" [2006-04-13 49152]
"IntelAudioStudio"="c:\program files\Intel Audio Studio\IntelAudioStudio.exe" [2006-04-19 9125888]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2006-09-29 151552]
"CCUTRAYICON"="c:\program files\Intel\IntelDH\CCU\CCU_TrayIcon.exe" [2006-11-10 309720]
"NMSSupport"="c:\program files\Common Files\Intel\IntelDH\NMS\Support\IntelHCTAgent.exe" [2006-03-29 375296]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-09-21 520024]
"Intuit SyncManager"="c:\program files\Common Files\Intuit\Sync\IntuitSyncManager.exe" [2008-09-09 623880]
"YSearchProtection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2009-02-23 111856]
"Carbonite Backup"="c:\program files\Carbonite\Carbonite Backup\CarboniteUI.exe" [2009-04-29 669840]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2009-12-12 2033432]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2004-11-4 258048]
HP Image Zone Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2004-11-4 53248]
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2009-3-12 984352]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-11-08 14:45 12464 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Intuit\\QuickBooks 2007\\QBDBMgrN.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"\\\\H3A5D2\\E\\Program Files\\Mirc\\mirc.exe"=
"c:\\Program Files\\Mirc\\mirc.exe"=
"c:\\WINDOWS\\system32\\fxsclnt.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Intuit\\QuickBooks 2009\\QBDBMgrN.exe"=
"c:\\Program Files\\Fidelity Investments\\Fidelity Active Trader\\System\\atng.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [4/2/2009 10:16 AM 64160]
R0 zmNTMon;zmNTMon;c:\windows\system32\drivers\ZmNTMon.sys [12/3/2007 1:52 PM 5760]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [5/4/2008 7:43 AM 333192]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [5/4/2008 7:43 AM 360584]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [11/8/2009 9:45 AM 285392]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [3/9/2009 2:06 PM 1028432]
S3 zmNTZip;zmNTZip;c:\program files\Ontrack\ZipMagic\zmNTZip.sys [12/3/2007 1:52 PM 155576]
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.goodsearch.com/
mStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
Trusted Zone: turbotax.com
Handler: intu-help-qb2 - {84D77A00-41B5-4b8b-8ADF-86486D72E749} - c:\program files\Intuit\QuickBooks 2009\HelpAsyncPluggableProtocol.dll
DPF: {2703049B-D81D-4763-A3C6-AF8932FCBD8F} - hxxps://am.hrblock.com/ActivexComponent/CheckFileStatus.CAB
.

**************************************************************************
scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(736)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'lsass.exe'(792)
c:\windows\system32\iavlsp.dll
.
Completion time: 2009-12-21 09:38:50
ComboFix-quarantined-files.txt 2009-12-21 14:38

Pre-Run: 199,089,344,512 bytes free
Post-Run: 198,953,893,888 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect

- - End Of File - - A9DD09A07952C3B6DDD5F5E913325700

#13 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,688 posts
  • OFFLINE
  • Gender:Male
  • Location:The Netherlands
  • Local time:02:59 AM

Posted 21 December 2009 - 02:07 PM

Well done. :(
  • Close any open browsers.

    Open notepad (start > All Programs > Accessories > Notepad) and copy/paste the text in the code box below into it:

    DDS::
    uInternet Connection Wizard,ShellNext = iexplore
    mRun: [<NO NAME>] 
    dRun: [braviax] 
    IE: {4EAFEF58-EEFA-4116-983D-03B49BCBFFFE}
    DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7}
    File::
    c:\windows\system32\iavlsp.dll
    Folder::
    c:\program files\Coupons
    c:\program files\iolo
    c:\documents and settings\IUSR_NMPR\Application Data\iolo
    c:\documents and settings\NetworkService\Application Data\iolo
    c:\documents and settings\All Users\Application Data\iolo
    c:\documents and settings\Rosemary\Application Data\iolo

    Save this as CFScript.txt, in the same location as ComboFix.exe


    Posted Image

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it shall produce a log for you ( "C:\ComboFix.txt"). Please copy and paste the log to your reply.

  • Please run Notepad (start > All Programs > Accessories > Notepad) and copy and paste the text in the code box into a new file:


    @ECHO OFF
    ECHO. Checking Security Center: >log.txt
    ECHO. ------------------------ >>log.txt
    FOR %%g in (
    C:\Windows\system32\wscui.cpl
    c:\windows\system32\wscntfy.exe
    C:\Windows\system32\wscsvc.dll
    ) DO (
    ECHO. %%g >>log.txt
    dir /a %%g >>log.txt 2>&1)
    FOR %%h in (
    Winmgmt
    wscsvc
    ) DO (
    sc query %%h >>log.txt
    sc qc %%h >>log.txt)
    regedit /e look1.txt "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\don't load"
    regedit /e look2.txt HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc
    regedit /e look3.txt "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost"
    type look*.txt >>log.txt
    del look*.txt
    start log.txt
    del %0
  • Go to the File menu at the top of the Notepad and select Save as.
  • Select Save in: desktop
  • Fill in File name: dirlook.bat
  • Save as type: All file types (*.*)
  • Click save.
  • Close the Notepad.
  • Locate and double-click dirlook.bat on the desktop.
  • A notepad opens, copy and paste the content (log.txt) to your reply.

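As an added illustration, not Farbar's tool or anything posted in this thread, here is a small Python triage script that applies the same checks Farbar applied by eye to the DDS log above: the JSEFile/VBEFile associations he repaired with ftype in post #11, the ioloProductUpdate service whose binary DDS could not find (the "-->" / "[?]" form) that he removed with sc delete, and the empty dRun entry and bare-CLSID IE entry his CFScript in post #13 cleans up. The sample log embedded in it is constructed from a few lines of the posted DDS output; the section names, the expected wscript.exe handler and the regular expressions are my own assumptions about the DDS text format, not a published specification.

```python
import re

# Constructed sample modelled on the DDS log posted earlier in this thread:
# one benign line per category next to the lines the helper acted on.
SAMPLE_DDS = "\n".join([
    r"mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe",
    r"dRun: [braviax]",
    r"IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000",
    r"IE: {4EAFEF58-EEFA-4116-983D-03B49BCBFFFE}",
    r"AppInit_DLLs: cru629.dat",
    r"============= SERVICES / DRIVERS ===============",
    r"R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2009-11-8 285392]",
    r"S2 ioloProductUpdate;iolo Product Update Service;c:\program files\iolo\common\lib\ioloservicemanager.exe --> c:\program files\iolo\common\lib\ioloServiceManager.exe [?]",
    r"============== File Associations ===============",
    r"JSEFile=NOTEPAD.EXE %1",
    r"VBEFile=NOTEPAD.EXE %1",
])

# Stock Windows XP handler for script types (what the ftype lines in post #11 restore).
EXPECTED_HANDLER = r"system32\wscript.exe"
SCRIPT_TYPES = {"jsfile", "jsefile", "vbsfile", "vbefile", "wsffile", "wshfile"}

# Assumed DDS layout: '=== NAME ===' section headers, 'Rn/Sn name;display;binary [date size]'
# service lines, and 'xRun: [name] command' autostart lines.
SECTION_RE = re.compile(r"^=+\s*(.*?)\s*=+$")
SERVICE_RE = re.compile(r"^([RS]\d)\s+([^;]+);([^;]*);(.*)$")
RUN_RE = re.compile(r"^([mud]Run(?:Services)?):\s*\[([^\]]*)\]\s*(.*)$")
CLSID_ONLY_RE = re.compile(r"^(IE|DPF|BHO):\s*\{[0-9A-Fa-f-]+\}\s*$")


def split_sections(text):
    """Group non-empty log lines by section header; lines before the first header go under 'HEADER'."""
    sections = {"HEADER": []}
    current = "HEADER"
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1).upper()
            sections.setdefault(current, [])
            continue
        sections[current].append(line)
    return sections


def check_file_associations(lines):
    """Flag script file types whose open command is not the stock wscript.exe handler."""
    findings = []
    for line in lines:
        key, sep, command = line.partition("=")
        if sep and key.lower() in SCRIPT_TYPES and EXPECTED_HANDLER not in command.lower():
            findings.append(("ftype", f"{key} opens with '{command}' instead of wscript.exe"))
    return findings


def check_services(lines):
    """Flag services whose binary DDS could not find on disk (the '-->' / '[?]' form)."""
    findings = []
    for line in lines:
        m = SERVICE_RE.match(line)
        if not m:
            continue
        state, name, _display, binary = m.groups()
        if "-->" in binary or binary.rstrip().endswith("[?]"):
            findings.append(("service", f"{name} ({state}) points at a missing binary: {binary}"))
    return findings


def check_startup(lines):
    """Flag Run entries with a name but no command, bare-CLSID IE/DPF/BHO entries, and any AppInit_DLLs value."""
    findings = []
    for line in lines:
        m = RUN_RE.match(line)
        if m and not m.group(3):
            findings.append(("run", f"{m.group(1)} entry [{m.group(2)}] has no command (orphaned or hidden loader)"))
            continue
        if CLSID_ONLY_RE.match(line):
            findings.append(("clsid", f"{line} has no file backing its CLSID"))
            continue
        if line.lower().startswith("appinit_dlls:"):
            value = line.split(":", 1)[1].strip()
            if value:
                findings.append(("appinit", f"AppInit_DLLs loads '{value}' into every process that loads user32.dll"))
    return findings


def triage(text):
    """Run every check over a DDS log and return (category, detail) findings in log order."""
    sections = split_sections(text)
    all_lines = [line for lines in sections.values() for line in lines]
    findings = []
    findings += check_startup(all_lines)
    findings += check_services(sections.get("SERVICES / DRIVERS", []))
    findings += check_file_associations(sections.get("FILE ASSOCIATIONS", []))
    return findings


if __name__ == "__main__":
    for category, detail in triage(SAMPLE_DDS):
        print(f"[{category}] {detail}")
```

Run it against a saved DDS.txt by passing the file contents to triage(); each finding names the section and the line that needs a human decision, which is the same shortlist the helper built before writing the ftype, sc delete and CFScript steps.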

#14 pilotgal8

pilotgal8
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:07:59 PM

Posted 21 December 2009 - 03:55 PM

ComboFix 09-12-20.08 - Rosemary 12/21/2009 15:37:23.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2045.1220 [GMT -5:00]
Running from: c:\data\Sysclean Utilities\Combofix\ComboFix.exe
Command switches used :: c:\data\Sysclean Utilities\Combofix\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

FILE ::
"c:\windows\system32\iavlsp.dll"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\iolo
c:\documents and settings\IUSR_NMPR\Application Data\iolo
c:\documents and settings\NetworkService\Application Data\iolo
c:\documents and settings\Rosemary\Application Data\iolo
c:\documents and settings\Rosemary\Application Data\iolo\kept_cookies.txt
c:\documents and settings\Rosemary\Application Data\iolo\Registry\command.dat
c:\documents and settings\Rosemary\Application Data\iolo\Registry\Last\default
c:\documents and settings\Rosemary\Application Data\iolo\Registry\Last\restore.bat
c:\documents and settings\Rosemary\Application Data\iolo\Registry\Last\SAM
c:\documents and settings\Rosemary\Application Data\iolo\Registry\Last\SECURITY
c:\documents and settings\Rosemary\Application Data\iolo\Registry\Last\software
c:\documents and settings\Rosemary\Application Data\iolo\Registry\Last\system
c:\documents and settings\Rosemary\Application Data\iolo\restore.bat
c:\documents and settings\Rosemary\Application Data\iolo\SystemAnalyzer.log
c:\program files\Coupons
c:\program files\Coupons\uninstall.exe
c:\windows\system32\iavlsp.dll

.
((((((((((((((((((((((((( Files Created from 2009-11-21 to 2009-12-21 )))))))))))))))))))))))))))))))
.

2009-12-19 19:50 . 2009-12-19 19:50 4844296 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-12-19 14:02 . 2009-12-12 13:21 2352920 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgresf.dll
2009-12-19 13:50 . 2009-12-19 13:50 -------- d--h--w- c:\windows\PIF
2009-12-17 05:14 . 2009-12-17 05:16 -------- d-----w- c:\program files\pdf995
2009-12-11 14:14 . 2009-12-11 14:14 -------- d-----w- C:\symbols
2009-12-11 14:10 . 2009-12-11 14:14 -------- d-----w- c:\program files\Debugging Tools for Windows
2009-12-10 16:01 . 2009-12-10 18:10 -------- d-----w- c:\program files\Debugging Tools for Windows (x86)
2009-11-26 10:37 . 2009-11-26 10:37 -------- d-----w- c:\program files\MSXML 4.0

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-21 20:43 . 2007-06-25 00:48 12375 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2007\qbbackup.sys
2009-12-21 18:26 . 2007-06-23 07:14 -------- d-----w- c:\documents and settings\All Users\Application Data\pdf995
2009-12-20 16:35 . 2008-06-20 07:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2009-12-19 19:51 . 2009-08-12 14:35 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-19 19:06 . 2007-07-27 12:03 -------- d-----w- c:\program files\Java
2009-12-19 14:37 . 2007-06-22 18:43 -------- d-----w- c:\program files\RegScrubXP
2009-12-17 05:15 . 2007-06-23 07:14 51716 ----a-w- c:\windows\system32\pdf995mon.dll
2009-12-17 05:15 . 2007-06-23 07:14 249856 ----a-w- c:\windows\system32\pdfmona.dll
2009-12-17 05:15 . 2007-06-23 07:14 142 ----a-w- c:\windows\wpd99.drv
2009-12-17 05:12 . 2009-02-13 14:58 -------- d-----w- c:\program files\TaxCut08
2009-12-17 05:10 . 2009-02-13 14:59 -------- d-----w- c:\documents and settings\Rosemary\Application Data\TaxCut
2009-12-10 12:03 . 2009-11-10 21:45 152576 -c--a-w- c:\documents and settings\Rosemary\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2009-12-10 12:03 . 2009-11-10 21:44 79488 -c--a-w- c:\documents and settings\Rosemary\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2009-12-09 15:52 . 2008-03-18 16:19 2118568 ----a-w- c:\windows\system32\Incinerator.dll
2009-12-08 17:56 . 2007-06-23 08:53 -------- d-----w- c:\program files\QuoteTracker
2009-12-06 14:11 . 2007-06-22 18:47 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-12-03 21:14 . 2009-08-12 14:35 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-03 21:13 . 2009-08-12 14:35 19160 -c--a-w- c:\windows\system32\drivers\mbam.sys
2009-11-26 16:16 . 2009-09-21 15:18 3695616 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\AutoLaunch.exe
2009-11-21 15:51 . 2006-09-29 17:40 471552 ----a-w- c:\windows\AppPatch\aclayers.dll
2009-11-10 13:04 . 2008-05-04 12:43 360584 -c--a-w- c:\windows\system32\drivers\avgtdix.sys
2009-11-08 14:45 . 2008-05-04 12:43 333192 -c--a-w- c:\windows\system32\drivers\avgldx86.sys
2009-11-08 14:45 . 2007-06-23 07:55 28424 -c--a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-11-08 14:45 . 2008-05-04 12:43 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2009-11-08 14:45 . 2009-11-08 14:45 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
2009-11-08 14:45 . 2008-05-04 12:43 -------- d-----w- c:\program files\AVG
2009-11-03 03:07 . 2007-06-23 07:28 -------- d-----w- c:\program files\Avery Wizard 3.1
2009-10-29 05:38 . 2006-09-29 17:41 667136 ------w- c:\windows\system32\wininet.dll
2009-10-21 05:38 . 2006-09-29 17:41 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38 . 2006-09-29 17:40 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-20 16:20 . 2004-08-04 03:00 265728 ----a-w- c:\windows\system32\drivers\http.sys
2009-10-19 18:17 . 2007-06-23 08:49 4732319 -c--a-w- c:\documents and settings\Rosemary\Application Data\family.zip
2009-10-19 15:16 . 2009-06-18 15:16 2353992 -c--a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\Ad-Aware.exe
2009-10-14 13:13 . 2009-10-14 13:13 152576 -c--a-w- c:\documents and settings\Rosemary\Application Data\Sun\Java\jre1.6.0_15\lzma.dll
2009-10-13 10:30 . 2006-09-29 17:41 270336 ----a-w- c:\windows\system32\oakley.dll
2009-10-12 13:38 . 2006-09-29 17:41 149504 ----a-w- c:\windows\system32\rastls.dll
2009-10-12 13:38 . 2006-09-29 17:41 79872 ----a-w- c:\windows\system32\raschap.dll
2009-10-11 09:17 . 2009-10-14 13:14 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-10-08 19:57 . 2007-10-09 18:03 611328 ----a-w- c:\windows\system32\uiautomationcore.dll
2009-10-08 19:57 . 2006-09-29 17:41 220160 ----a-w- c:\windows\system32\oleacc.dll
2009-10-08 19:56 . 2006-09-29 17:41 20480 ----a-w- c:\windows\system32\oleaccrc.dll
2009-10-02 05:13 . 2009-10-02 05:13 816392 -c--a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2007\Components\DownloadQB17\Patch\qbpatch2.exe
2009-09-25 05:37 . 2006-09-29 17:40 81920 ----a-w- c:\windows\system32\ieencode.dll
2009-09-25 01:23 . 2009-09-25 01:23 2403528 ----a-w- C:\AOS 18-20.zip
2009-09-25 01:22 . 2009-09-25 01:22 3613622 ----a-w- C:\AOS 16-18.zip
2009-09-25 01:22 . 2009-09-25 01:22 3810098 ----a-w- C:\AOS 13 - 15.zip
2009-09-25 01:21 . 2009-09-25 01:21 3725959 ----a-w- C:\AOS 10-12.zip
2009-09-25 01:21 . 2009-09-25 01:21 3991357 ----a-w- C:\AOS 7-9.zip
2009-09-25 01:20 . 2009-09-25 01:20 3776086 ----a-w- C:\AOS 4-6.zip
2009-09-25 01:20 . 2009-09-25 01:20 3459310 ----a-w- C:\AOS 1-3.zip
2009-09-24 12:28 . 2009-09-24 12:28 24779828 ----a-w- C:\archive.zip
2009-09-24 11:50 . 2009-09-24 11:50 86016 -c--a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Green]
@="{95A27763-F62A-4114-9072-E81D87DE3B68}"
[HKEY_CLASSES_ROOT\CLSID\{95A27763-F62A-4114-9072-E81D87DE3B68}]
2009-04-29 21:19 583312 ----a-r- c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Partial]
@="{E300CD91-100F-4E67-9AF3-1384A6124015}"
[HKEY_CLASSES_ROOT\CLSID\{E300CD91-100F-4E67-9AF3-1384A6124015}]
2009-04-29 21:19 583312 ----a-r- c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Yellow]
@="{5E529433-B50E-4bef-A63B-16A6B71B071A}"
[HKEY_CLASSES_ROOT\CLSID\{5E529433-B50E-4bef-A63B-16A6B71B071A}]
2009-04-29 21:19 583312 ----a-r- c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PxDotNetLoader"="c:\program files\Fidelity Investments\Fidelity Active Trader\System\ATPStartupAssistant.exe" [2009-03-25 42336]
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2009-05-27 4351216]
"Search Protection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2009-02-23 111856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
"LanguageShortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe" [2006-04-13 49152]
"IntelAudioStudio"="c:\program files\Intel Audio Studio\IntelAudioStudio.exe" [2006-04-19 9125888]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2006-09-29 151552]
"CCUTRAYICON"="c:\program files\Intel\IntelDH\CCU\CCU_TrayIcon.exe" [2006-11-10 309720]
"NMSSupport"="c:\program files\Common Files\Intel\IntelDH\NMS\Support\IntelHCTAgent.exe" [2006-03-29 375296]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-09-21 520024]
"Intuit SyncManager"="c:\program files\Common Files\Intuit\Sync\IntuitSyncManager.exe" [2008-09-09 623880]
"YSearchProtection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2009-02-23 111856]
"Carbonite Backup"="c:\program files\Carbonite\Carbonite Backup\CarboniteUI.exe" [2009-04-29 669840]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2009-12-12 2033432]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2004-11-4 258048]
HP Image Zone Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2004-11-4 53248]
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2009-3-12 984352]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-11-08 14:45 12464 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Intuit\\QuickBooks 2007\\QBDBMgrN.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"\\\\H3A5D2\\E\\Program Files\\Mirc\\mirc.exe"=
"c:\\Program Files\\Mirc\\mirc.exe"=
"c:\\WINDOWS\\system32\\fxsclnt.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Intuit\\QuickBooks 2009\\QBDBMgrN.exe"=
"c:\\Program Files\\Fidelity Investments\\Fidelity Active Trader\\System\\atng.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [4/2/2009 10:16 AM 64160]
R0 zmNTMon;zmNTMon;c:\windows\system32\drivers\ZmNTMon.sys [12/3/2007 1:52 PM 5760]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [5/4/2008 7:43 AM 333192]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [5/4/2008 7:43 AM 360584]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [11/8/2009 9:45 AM 285392]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [3/9/2009 2:06 PM 1028432]
S3 zmNTZip;zmNTZip;c:\program files\Ontrack\ZipMagic\zmNTZip.sys [12/3/2007 1:52 PM 155576]
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.goodsearch.com/
mStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
Trusted Zone: turbotax.com
Handler: intu-help-qb2 - {84D77A00-41B5-4b8b-8ADF-86486D72E749} - c:\program files\Intuit\QuickBooks 2009\HelpAsyncPluggableProtocol.dll
DPF: {2703049B-D81D-4763-A3C6-AF8932FCBD8F} - hxxps://am.hrblock.com/ActivexComponent/CheckFileStatus.CAB
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-21 15:45
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(740)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(2944)
c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\Ontrack\ZipMagic\ZMCopy.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\AVG\AVG9\avgchsvx.exe
c:\program files\AVG\AVG9\avgrsx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\program files\Intel\IntelDH\CCU\AlertService.exe
c:\windows\system32\drivers\CDAC11BA.EXE
c:\program files\Carbonite\Carbonite Backup\carboniteservice.exe
c:\program files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\CyberLink\Shared Files\RichVideo.exe
c:\program files\RealVNC\VNC4\WinVNC4.exe
c:\program files\AVG\AVG9\avgnsx.exe
c:\windows\system32\SearchIndexer.exe
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\fxssvc.exe
c:\program files\Intel\IntelDH\Intel Media Server\Media Server\bin\ISSM.exe
c:\program files\Intel\IntelDH\Intel Media Server\Shells\MCLServiceATL.exe
c:\windows\ehome\mcrdsvc.exe
c:\program files\Intel\IntelDH\Intel Media Server\Media Server\bin\mediaserver.exe
c:\program files\Intel\IntelDH\Intel Media Server\Shells\Remote UI Service.exe
c:\windows\system32\rsvp.exe
c:\program files\Intel\IntelDH\CCU\CCU_Engine.exe
c:\windows\system32\SearchProtocolHost.exe
c:\program files\HP\Digital Imaging\bin\hpqgalry.exe
c:\program files\Internet Explorer\IEXPLORE.EXE
c:\windows\system32\SearchFilterHost.exe
.
**************************************************************************
.
Completion time: 2009-12-21 15:53:58 - machine was rebooted
ComboFix-quarantined-files.txt 2009-12-21 20:53
ComboFix2.txt 2009-12-21 14:38

Pre-Run: 199,163,637,760 bytes free
Post-Run: 199,145,844,736 bytes free

- - End Of File - - DDCB53C417508CE3CE9563E17138C1FB

#15 Farbar

    Just Curious


  • Security Developer
  • 21,688 posts
  • Gender:Male
  • Location:The Netherlands
  • Local time:02:59 AM

Posted 21 December 2009 - 04:00 PM

:(



